win.globeimposter

GlobeImposter

aka: Fake Globe

GlobeImposter is a ransomware application which is mainly distributed via "blank slate" spam (the spam has no message content and an attached ZIP file), exploits, malicious advertising, fake updates, and repacked installers. GlobeImposter mimics the Globe ransomware family.
This malware may prevent execution of anti-virus solutions and other OS-related security features, and may prevent system restoration.

References
2023-03-08 | AhnLab | ASEC
  GlobeImposter Ransomware Being Distributed with MedusaLocker via RDP
  Families: GlobeImposter, MedusaLocker
2023-02-15 | SentinelOne | Jim Walter
  Recent TZW Campaigns Revealed As Part of GlobeImposter Malware Family
  Families: GlobeImposter
2021-12-28 | AhnLab | ASEC Analysis Team
  Cases of Lockis ransomware infection
  Families: GlobeImposter
2021-04-27 | CrowdStrike | Eben Kaplan, Josh Dalman, Kamil Janton
  Ransomware Preparedness: A Call to Action
  Families: Dharma, GlobeImposter, Maze, Phobos, CIRCUS SPIDER, TRAVELING SPIDER
2020-06-22 | CERT-FR | CERT-FR
  Evolution of the TA505 Cybercriminal Group's Activity (original title: Évolution de l'activité du groupe cybercriminel TA505)
  Families: Amadey, AndroMut, Bart, Clop, Dridex, FlawedGrace, Gandcrab, Get2, GlobeImposter, Jaff, Locky, Marap, Philadephia Ransom, QuantLoader, Scarab Ransomware, SDBbot, ServHelper, Silence, tRat, TrickBot
2020-05-21 | Intel 471 | Intel 471
  A brief history of TA505
  Families: AndroMut, Bart, Dridex, FlawedAmmyy, FlawedGrace, Gandcrab, Get2, GlobeImposter, Jaff, Kegotip, Locky, Necurs, Philadephia Ransom, Pony, QuantLoader, Rockloader, SDBbot, ServHelper, Shifu, Snatch, TrickBot
2020-03-03 | PWC UK | PWC UK
  Cyber Threats 2019: A Year in Retrospect
  Families: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare, APT41, MUSTANG PANDA, Sea Turtle
2020-02-25 | RSA Conference | Joel DeCapua
  Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
  Families: FastCash, Cerber, Defray, Dharma, FriedEx, Gandcrab, GlobeImposter, Mamba, Phobos, Rapid Ransom, REvil, Ryuk, SamSam, Zeus
2020-01-17 | Secureworks | Keita Yamazaki, Tamada Kiyotaka, You Nakatsuru
  Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
  Families: Defray, Dharma, FriedEx, Gandcrab, GlobeImposter, Matrix Ransom, MedusaLocker, Phobos, REvil, Ryuk, SamSam, Scarab Ransomware
2020-01-01 | Secureworks | SecureWorks
  GOLD SWATHMORE
  Families: GlobeImposter, Gozi, IcedID, TrickBot, LUNAR SPIDER
2018-08-30 | 360 Total Security | Elley
  GlobeImposter, which has more than 20 variants, is still wildly growing
  Families: GlobeImposter
2018-03-07 | InfoSec Handlers Diary Blog | Brad Duncan
  Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there
  Families: Gandcrab, GlobeImposter
2018-01-16 | enSilo | Alon Hadar
  GlobeImposter Ransomware
  Families: GlobeImposter
2018-01-15 | Acronis | Acronis Security
  GlobeImposter ransomware: A holiday gift from the Necurs botnet
  Families: GlobeImposter
2018-01-12 | Proofpoint | Proofpoint Staff
  Holiday lull? Not so much
  Families: Dridex, Emotet, GlobeImposter, ISFB, Necurs, PandaBanker, UrlZone, NARWHAL SPIDER
2018-01-01 | Group-IB | Group-IB
  The evolution of ransomware and its distribution methods
  Families: GlobeImposter
2017-12-22 | Bleeping Computer | Lawrence Abrams
  New .DOC GlobeImposter Ransomware Variant Malspam Campaign Underway
  Families: GlobeImposter
2017-08-10 | PhishLabs | Amanda Kline
  Globe Imposter Ransomware Makes a New Run
  Families: GlobeImposter
2017-08-05 | Fortinet | Xiaopeng Zhang
  Analysis of New GlobeImposter Ransomware Variant
  Families: GlobeImposter
2016-12-23 | Emsisoft
  Emsisoft Decryptor for GlobeImposter
  Families: GlobeImposter
Yara Rules
[TLP:WHITE] win_globeimposter_auto (20260504 | Detects win.globeimposter.)
rule win_globeimposter_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.globeimposter."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.globeimposter"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 5e 5b 5f 5d 83c420 c20c00 }
            // n = 6, score = 600
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   5f                   | pop                 edi
            //   5d                   | pop                 ebp
            //   83c420               | add                 esp, 0x20
            //   c20c00               | ret                 0xc

        $sequence_1 = { 8d8780000000 50 8d4f38 51 }
            // n = 4, score = 600
            //   8d8780000000         | lea                 eax, [edi + 0x80]
            //   50                   | push                eax
            //   8d4f38               | lea                 ecx, [edi + 0x38]
            //   51                   | push                ecx

        $sequence_2 = { 33db 8b7d04 85ff 7413 8b4508 8d04b8 83c0fc }
            // n = 7, score = 600
            //   33db                 | xor                 ebx, ebx
            //   8b7d04               | mov                 edi, dword ptr [ebp + 4]
            //   85ff                 | test                edi, edi
            //   7413                 | je                  0x15
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8d04b8               | lea                 eax, [eax + edi*4]
            //   83c0fc               | add                 eax, -4

        $sequence_3 = { 0fd4cd 0f6e6f10 0fd4d5 0f7e4f08 0f73d120 0fd4cf 0f6e6f14 }
            // n = 7, score = 600
            //   0fd4cd               | paddq               mm1, mm5
            //   0f6e6f10             | movd                mm5, dword ptr [edi + 0x10]
            //   0fd4d5               | paddq               mm2, mm5
            //   0f7e4f08             | movd                dword ptr [edi + 8], mm1
            //   0f73d120             | psrlq               mm1, 0x20
            //   0fd4cf               | paddq               mm1, mm7
            //   0f6e6f14             | movd                mm5, dword ptr [edi + 0x14]

        $sequence_4 = { 42 58 3bd0 7ced 03f0 3bf8 }
            // n = 6, score = 600
            //   42                   | inc                 edx
            //   58                   | pop                 eax
            //   3bd0                 | cmp                 edx, eax
            //   7ced                 | jl                  0xffffffef
            //   03f0                 | add                 esi, eax
            //   3bf8                 | cmp                 edi, eax

        $sequence_5 = { 0f6e5f04 0fd4dc 0f6e6f08 0fd4ee 0f6e670c 0fd4fc }
            // n = 6, score = 600
            //   0f6e5f04             | movd                mm3, dword ptr [edi + 4]
            //   0fd4dc               | paddq               mm3, mm4
            //   0f6e6f08             | movd                mm5, dword ptr [edi + 8]
            //   0fd4ee               | paddq               mm5, mm6
            //   0f6e670c             | movd                mm4, dword ptr [edi + 0xc]
            //   0fd4fc               | paddq               mm7, mm4

        $sequence_6 = { 85c0 7505 6ac4 58 eb2f 56 ff750c }
            // n = 7, score = 600
            //   85c0                 | test                eax, eax
            //   7505                 | jne                 7
            //   6ac4                 | push                -0x3c
            //   58                   | pop                 eax
            //   eb2f                 | jmp                 0x31
            //   56                   | push                esi
            //   ff750c               | push                dword ptr [ebp + 0xc]

        $sequence_7 = { 8bc3 33560c c1e810 8bca c1e908 23c7 23cf }
            // n = 7, score = 600
            //   8bc3                 | mov                 eax, ebx
            //   33560c               | xor                 edx, dword ptr [esi + 0xc]
            //   c1e810               | shr                 eax, 0x10
            //   8bca                 | mov                 ecx, edx
            //   c1e908               | shr                 ecx, 8
            //   23c7                 | and                 eax, edi
            //   23cf                 | and                 ecx, edi

        $sequence_8 = { 85ff 7452 8bef 8bf0 8b06 8d7604 0119 }
            // n = 7, score = 600
            //   85ff                 | test                edi, edi
            //   7452                 | je                  0x54
            //   8bef                 | mov                 ebp, edi
            //   8bf0                 | mov                 esi, eax
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8d7604               | lea                 esi, [esi + 4]
            //   0119                 | add                 dword ptr [ecx], ebx

        $sequence_9 = { 2bf8 ff15???????? 03c7 50 ff15???????? 85c0 }
            // n = 6, score = 600
            //   2bf8                 | sub                 edi, eax
            //   ff15????????         |                     
            //   03c7                 | add                 eax, edi
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

    condition:
        7 of them and filesize < 327680
}