SYMBOLCOMMON_NAMEaka. SYNONYMS
win.globeimposter (Back to overview)

GlobeImposter

URLhaus      

There is no description at this point.

References
2020-06-22CERT-FRCERT-FR
@techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution De Lactivité du Groupe Cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} } Évolution De Lactivité du Groupe Cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot
2020-05-21Intel 471Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-02-25RSA ConferenceJoel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Ransomware Rapid Ransom REvil Ryuk SamSam Zeus
2020-01-17SecureworksTamada Kiyotaka, Keita Yamazaki, You Nakatsuru
@techreport{kiyotaka:20200117:is:969ff38, author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru}, title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}}, date = {2020-01-17}, institution = {Secureworks}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf}, language = {English}, urldate = {2020-04-06} } Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos Ransomware REvil Ryuk SamSam Scarab Ransomware
2020SecureworksSecureWorks
@online{secureworks:2020:gold:65fcc96, author = {SecureWorks}, title = {{GOLD SWATHMORE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-swathmore}, language = {English}, urldate = {2020-05-23} } GOLD SWATHMORE
GlobeImposter Gozi IcedID TrickBot Lunar Spider
2018-03-07InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20180307:ransomware:504a693, author = {Brad Duncan}, title = {{Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there}}, date = {2018-03-07}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/23417}, language = {English}, urldate = {2020-01-06} } Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there
Gandcrab GlobeImposter
2018-01-16enSiloAlon Hadar
@online{hadar:20180116:globeimposter:6a2afda, author = {Alon Hadar}, title = {{GlobeImposter Ransomware}}, date = {2018-01-16}, organization = {enSilo}, url = {https://blog.ensilo.com/globeimposter-ransomware-technical}, language = {English}, urldate = {2019-07-09} } GlobeImposter Ransomware
GlobeImposter
2018-01-15AcronisAcronis Security
@online{security:20180115:globeimposter:b5ca4e4, author = {Acronis Security}, title = {{GlobeImposter ransomware: A holiday gift from the Necurs botnet}}, date = {2018-01-15}, organization = {Acronis}, url = {https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet}, language = {English}, urldate = {2020-01-13} } GlobeImposter ransomware: A holiday gift from the Necurs botnet
GlobeImposter
2017-12-22Bleeping ComputerLawrence Abrams
@online{abrams:20171222:new:eadbe96, author = {Lawrence Abrams}, title = {{New .DOC GlobeImposter Ransomware Variant Malspam Campaign Underway}}, date = {2017-12-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/}, language = {English}, urldate = {2019-12-20} } New .DOC GlobeImposter Ransomware Variant Malspam Campaign Underway
GlobeImposter
2017-08-10PhishLabsAmanda Kline
@online{kline:20170810:globe:382859f, author = {Amanda Kline}, title = {{Globe Imposter Ransomware Makes a New Run}}, date = {2017-08-10}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run}, language = {English}, urldate = {2020-01-07} } Globe Imposter Ransomware Makes a New Run
GlobeImposter
2017-08-05FortinetXiaopeng Zhang
@online{zhang:20170805:analysis:8c21b07, author = {Xiaopeng Zhang}, title = {{Analysis of New GlobeImposter Ransomware Variant}}, date = {2017-08-05}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant}, language = {English}, urldate = {2019-11-22} } Analysis of New GlobeImposter Ransomware Variant
GlobeImposter
Yara Rules
[TLP:WHITE] win_globeimposter_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_globeimposter_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.globeimposter"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0ff4d0 0f6e6604 0ff4e0 0f6e7608 0ff4f0 0f6e7e0c }
            // n = 6, score = 700
            //   0ff4d0               | pmuludq             mm2, mm0
            //   0f6e6604             | movd                mm4, dword ptr [esi + 4]
            //   0ff4e0               | pmuludq             mm4, mm0
            //   0f6e7608             | movd                mm6, dword ptr [esi + 8]
            //   0ff4f0               | pmuludq             mm6, mm0
            //   0f6e7e0c             | movd                mm7, dword ptr [esi + 0xc]

        $sequence_1 = { 45 8364241000 8d442410 50 6880000000 8d44241c }
            // n = 6, score = 700
            //   45                   | inc                 ebp
            //   8364241000           | and                 dword ptr [esp + 0x10], 0
            //   8d442410             | lea                 eax, [esp + 0x10]
            //   50                   | push                eax
            //   6880000000           | push                0x80
            //   8d44241c             | lea                 eax, [esp + 0x1c]

        $sequence_2 = { 43 85d2 7e18 8d4e7c 8b41fc 3b01 }
            // n = 6, score = 700
            //   43                   | inc                 ebx
            //   85d2                 | test                edx, edx
            //   7e18                 | jle                 0x1a
            //   8d4e7c               | lea                 ecx, [esi + 0x7c]
            //   8b41fc               | mov                 eax, dword ptr [ecx - 4]
            //   3b01                 | cmp                 eax, dword ptr [ecx]

        $sequence_3 = { 8b450c 99 33c2 c745f401000000 }
            // n = 4, score = 700
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   99                   | cdq                 
            //   33c2                 | xor                 eax, edx
            //   c745f401000000       | mov                 dword ptr [ebp - 0xc], 1

        $sequence_4 = { 48 8bfb 2bf8 89442414 }
            // n = 4, score = 700
            //   48                   | dec                 eax
            //   8bfb                 | mov                 edi, ebx
            //   2bf8                 | sub                 edi, eax
            //   89442414             | mov                 dword ptr [esp + 0x14], eax

        $sequence_5 = { 5e 5b 5f 5d 83c420 c20c00 }
            // n = 6, score = 700
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   5f                   | pop                 edi
            //   5d                   | pop                 ebp
            //   83c420               | add                 esp, 0x20
            //   c20c00               | ret                 0xc

        $sequence_6 = { 7e0e 8d4678 8928 41 8d4014 3b4e6c }
            // n = 6, score = 700
            //   7e0e                 | jle                 0x10
            //   8d4678               | lea                 eax, [esi + 0x78]
            //   8928                 | mov                 dword ptr [eax], ebp
            //   41                   | inc                 ecx
            //   8d4014               | lea                 eax, [eax + 0x14]
            //   3b4e6c               | cmp                 ecx, dword ptr [esi + 0x6c]

        $sequence_7 = { 7505 6ac4 58 eb2f }
            // n = 4, score = 700
            //   7505                 | jne                 7
            //   6ac4                 | push                -0x3c
            //   58                   | pop                 eax
            //   eb2f                 | jmp                 0x31

        $sequence_8 = { 8d0445ffffffff 8945f0 8d45fc 8945f8 8d45f0 50 }
            // n = 6, score = 700
            //   8d0445ffffffff       | lea                 eax, [eax*2 - 1]
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax

        $sequence_9 = { ff15???????? 85c0 7405 3975fc 7405 6afe 58 }
            // n = 7, score = 700
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7405                 | je                  7
            //   3975fc               | cmp                 dword ptr [ebp - 4], esi
            //   7405                 | je                  7
            //   6afe                 | push                -2
            //   58                   | pop                 eax

    condition:
        7 of them and filesize < 327680
}
Download all Yara Rules