win.globeimposter (Back to overview)

GlobeImposter


There is no description at this point.

References
2020-06-22 | CERT-FR | CERT-FR
@techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution De L'activité du Groupe Cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} } Évolution De L'activité du Groupe Cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot
2020-05-21 | Intel 471 | Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019: A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare
2020-02-25 | RSA Conference | Joel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Ransomware Rapid Ransom REvil Ryuk SamSam Zeus
2020-01-17 | Secureworks | Tamada Kiyotaka, Keita Yamazaki, You Nakatsuru
@techreport{kiyotaka:20200117:is:969ff38, author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru}, title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}}, date = {2020-01-17}, institution = {Secureworks}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf}, language = {English}, urldate = {2020-04-06} } Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos Ransomware REvil Ryuk SamSam Scarab Ransomware
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:65fcc96, author = {SecureWorks}, title = {{GOLD SWATHMORE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-swathmore}, language = {English}, urldate = {2020-05-23} } GOLD SWATHMORE
GlobeImposter Gozi IcedID TrickBot Lunar Spider
2018-03-07 | InfoSec Handlers Diary Blog | Brad Duncan
@online{duncan:20180307:ransomware:504a693, author = {Brad Duncan}, title = {{Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there}}, date = {2018-03-07}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/23417}, language = {English}, urldate = {2020-01-06} } Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there
Gandcrab GlobeImposter
2018-01-16 | enSilo | Alon Hadar
@online{hadar:20180116:globeimposter:6a2afda, author = {Alon Hadar}, title = {{GlobeImposter Ransomware}}, date = {2018-01-16}, organization = {enSilo}, url = {https://blog.ensilo.com/globeimposter-ransomware-technical}, language = {English}, urldate = {2019-07-09} } GlobeImposter Ransomware
GlobeImposter
2018-01-15 | Acronis | Acronis Security
@online{security:20180115:globeimposter:b5ca4e4, author = {Acronis Security}, title = {{GlobeImposter ransomware: A holiday gift from the Necurs botnet}}, date = {2018-01-15}, organization = {Acronis}, url = {https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet}, language = {English}, urldate = {2020-01-13} } GlobeImposter ransomware: A holiday gift from the Necurs botnet
GlobeImposter
2017-12-22 | Bleeping Computer | Lawrence Abrams
@online{abrams:20171222:new:eadbe96, author = {Lawrence Abrams}, title = {{New .DOC GlobeImposter Ransomware Variant Malspam Campaign Underway}}, date = {2017-12-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/}, language = {English}, urldate = {2019-12-20} } New .DOC GlobeImposter Ransomware Variant Malspam Campaign Underway
GlobeImposter
2017-08-10 | PhishLabs | Amanda Kline
@online{kline:20170810:globe:382859f, author = {Amanda Kline}, title = {{Globe Imposter Ransomware Makes a New Run}}, date = {2017-08-10}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run}, language = {English}, urldate = {2020-01-07} } Globe Imposter Ransomware Makes a New Run
GlobeImposter
2017-08-05 | Fortinet | Xiaopeng Zhang
@online{zhang:20170805:analysis:8c21b07, author = {Xiaopeng Zhang}, title = {{Analysis of New GlobeImposter Ransomware Variant}}, date = {2017-08-05}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant}, language = {English}, urldate = {2019-11-22} } Analysis of New GlobeImposter Ransomware Variant
GlobeImposter
Yara Rules
[TLP:WHITE] win_globeimposter_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_globeimposter_auto {
    // Auto-generated detection rule for the GlobeImposter ransomware family
    // (Malpedia reference: win.globeimposter). It matches short x86 code byte
    // sequences that yara-signator extracted from unpacked samples / memory
    // dumps, so it is a code-level signature rather than a string/config one.
    // Read the DISCLAIMER below before assigning this rule a confidence level.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.globeimposter"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a run of raw x86 instruction bytes. The `??`
    // wildcards mask the bytes that vary between builds: here the 4-byte
    // relative displacement following the e8 (call) / e9 (jmp) opcodes in
    // $sequence_0, $sequence_7 and $sequence_9, whose targets depend on code
    // layout. The comment block under each sequence is the disassembly and
    // the yara-signator score (n = instruction count) kept for review only.
    // Because the rule matches code, it is expected to fire on unpacked
    // images and memory dumps, not on packed droppers on disk.
    strings:
        $sequence_0 = { e8???????? 85c0 7805 6afc }
            // n = 4, score = 700
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7805                 | js                  7
            //   6afc                 | push                -4

        $sequence_1 = { 0fd4dc 0f6e6f08 0fd4ee 0f6e670c 0fd4fc 0f7e0f }
            // n = 6, score = 700
            //   0fd4dc               | paddq               mm3, mm4
            //   0f6e6f08             | movd                mm5, dword ptr [edi + 8]
            //   0fd4ee               | paddq               mm5, mm6
            //   0f6e670c             | movd                mm4, dword ptr [edi + 0xc]
            //   0fd4fc               | paddq               mm7, mm4
            //   0f7e0f               | movd                dword ptr [edi], mm1

        $sequence_2 = { 33ed 837c243020 57 8bfd }
            // n = 4, score = 700
            //   33ed                 | xor                 ebp, ebp
            //   837c243020           | cmp                 dword ptr [esp + 0x30], 0x20
            //   57                   | push                edi
            //   8bfd                 | mov                 edi, ebp

        $sequence_3 = { ffb63c010000 ff9638010000 85c0 7404 }
            // n = 4, score = 700
            //   ffb63c010000         | push                dword ptr [esi + 0x13c]
            //   ff9638010000         | call                dword ptr [esi + 0x138]
            //   85c0                 | test                eax, eax
            //   7404                 | je                  6

        $sequence_4 = { 3919 1bdb 0101 f7db 3901 1bc0 83c104 }
            // n = 7, score = 700
            //   3919                 | cmp                 dword ptr [ecx], ebx
            //   1bdb                 | sbb                 ebx, ebx
            //   0101                 | add                 dword ptr [ecx], eax
            //   f7db                 | neg                 ebx
            //   3901                 | cmp                 dword ptr [ecx], eax
            //   1bc0                 | sbb                 eax, eax
            //   83c104               | add                 ecx, 4

        $sequence_5 = { 8b4604 40 8b4f04 3bc8 }
            // n = 4, score = 700
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   40                   | inc                 eax
            //   8b4f04               | mov                 ecx, dword ptr [edi + 4]
            //   3bc8                 | cmp                 ecx, eax

        $sequence_6 = { 7408 8d8680bdffff eb02 33c0 5f }
            // n = 5, score = 700
            //   7408                 | je                  0xa
            //   8d8680bdffff         | lea                 eax, [esi - 0x4280]
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi

        $sequence_7 = { e8???????? 8b442410 014608 43 }
            // n = 4, score = 700
            //   e8????????           |                     
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   014608               | add                 dword ptr [esi + 8], eax
            //   43                   | inc                 ebx

        $sequence_8 = { 837e0800 7426 8bc5 c1e002 50 ff7608 53 }
            // n = 7, score = 700
            //   837e0800             | cmp                 dword ptr [esi + 8], 0
            //   7426                 | je                  0x28
            //   8bc5                 | mov                 eax, ebp
            //   c1e002               | shl                 eax, 2
            //   50                   | push                eax
            //   ff7608               | push                dword ptr [esi + 8]
            //   53                   | push                ebx

        $sequence_9 = { e9???????? 53 56 8b742434 8bc7 }
            // n = 5, score = 700
            //   e9????????           |                     
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8b742434             | mov                 esi, dword ptr [esp + 0x34]
            //   8bc7                 | mov                 eax, edi

    // Requiring 7 of the 10 sequences (rather than all) tolerates variants in
    // which a few code fragments were recompiled or rearranged, while still
    // demanding a majority of them to limit false positives from a single
    // generic fragment (e.g. $sequence_0 / $sequence_5 are short, common
    // idioms). The filesize bound of 327680 bytes (320 KiB) keeps the rule
    // from being evaluated against large unrelated files and reflects the
    // size of the sample(s) it was generated from. Given the single-sample
    // derivation noted in the DISCLAIMER, corroborate a hit with other
    // indicators (ransom note, extension, network IoCs) before acting on it.
    condition:
        7 of them and filesize < 327680
}