GlobeImposter ransomware: A holiday gift from the Necurs botnet
Common Information
Type Value
UUID d0b261f7-927e-464a-9cf8-8a6c1a008edc
Fingerprint 9552a818b60e9654
Analysis status DONE
Considered CTI value 2
Text language
Published Jan. 15, 2018, midnight
Added to db Sept. 26, 2022, 9:30 a.m.
Last updated Nov. 17, 2024, 6:55 p.m.
Headline GlobeImposter ransomware: A holiday gift from the Necurs botnet
Title GlobeImposter ransomware: A holiday gift from the Necurs botnet
Detected Hints/Tags/Attributes 46/1/25
Attributes
Details Type #Events CTI Value
Details Domain 285
microsoft.net
Details Domain 5
n224ezvhg4sgyamb.onion
Details Domain 20
www.nomoreransom.org
Details File 1
nsr3.tmp
Details File 57
system.dll
Details File 1
%temp%\nsp4.tmp
Details File 4
picture.png
Details File 4
read___me.html
Details File 345
vssadmin.exe
Details File 23
'wevtutil.exe
Details File 95
wevtutil.exe
Details File 4
sup.php
Details File 5
open.php
Details File 4
decryption-tools.html
Details Url 2
http://n224ezvhg4sgyamb.onion/sup.php
Details Url 1
http://n224ezvhg4sgyamb.onion/open.php
Details Url 3
https://www.nomoreransom.org/en/decryption-tools.html
Details Windows Registry Key 15
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Details Windows Registry Key 19
HKEY_CURRENT_USER\Software\Microsoft\Terminal