2017-11-30 - NECURS BOTNET MALSPAM PUSHES GLOBEIMPOSTER RANSOMWARE

ASSOCIATED FILES:

 

NOTES:

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

 

IMAGES


Shown above:  Example of an email from the 1st wave of malspam.

 


Shown above:  Example of an email from the 2nd wave of malspam.

 


Shown above:  One of the attached 7-zip archives and extracted VBS file.

 


Shown above:  Traffic from an infection filtered in Wireshark.

 


Shown above:  Example of the HTTP GET request for the GlobeImposter ranosmware binary.

 


Shown above:  Examples of encrypted files on an infected Windows host.

 


Shown above:  Decryption instructions from the HTML file dropped on the infected Windows host.

 


Shown above:  GlobeImposter decryptor shows ransom payment as 0.102 Bitcoin ($1,000).

 


Shown above:  Artifact found in the user's AppData\Local\Temp directory.

 

INDICATORS

EMAIL DATA:

 

SHA256 HASHES FOR THE ATTACHMENTS

 

SHA256 HASHES FOR THE EXTRACTED VBS FILES:

 

URLS FROM THE VBS FILES TO RETRIEVE GLOBEIMPOSTER RANSOMWARE:

 

POST-INFECTION TRAFFIC AFTER RUNNING A VBS FILE/CHECKING DECRYPTION INSTRUCTIONS:

 

GLOBEIMPOSTER RANSOMWARE EXECUTABLES:

 

OTHER INFORMATION:

 

FINAL NOTES

Once again, here are the associated files:

Zip and saz files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.