{
	"id": "919fff5c-d924-47dc-9599-410cd2d405f4",
	"created_at": "2026-04-06T00:14:25.867073Z",
	"updated_at": "2026-04-10T03:21:01.308865Z",
	"deleted_at": null,
	"sha1_hash": "96d90f2592db0c974743aef24ef885a1b5a5d48a",
	"title": "Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2144727,
	"plain_text": "Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-02 12:42:14 UTC\r\nIntroduction\r\nI recently found a wave of malicious spam (malspam) that started as early as Monday 2018-03-05 at 18:28 UTC and lasted through at least Tuesday 2018-03-06 at 14:44 UTC.  This wave of malspam had Word documents as file attachments, and these Word docs had macros designed to infect Windows hosts with ransomware.  When I checked Monday evening, I infected one of my lab hosts with GlobeImposter ransomware.  When I checked Tuesday morning, I saw GandCrab ransomware.\r\nThis is interesting, because in 2018, I've seen very few examples of mass-distribution malspam pushing ransomware.  So far in 2018, such malspam has been pushing mostly information stealers, backdoors, and cryptocurrency miners.  So it's always noteworthy when I find something like this.\r\nToday's diary examines this wave of malspam, the infection traffic, and associated indicators.\r\nShown above:  Flow chart for an infection from this malspam.\r\nThe emails\r\nhttps://isc.sans.edu/diary/23417\r\nPage 1 of 9\r\nPatterns for these emails were consistent, but I couldn't match them to a specific campaign.  Sending addresses, subject lines, email headers, and message text were all varied.  The only consistent part of this malspam was the Word document attachments, which were all named \" Resume.doc\" with a space before the first letter.  And even then, each attachment had a different file hash.\r\nShown above:  Screenshot from the spreadsheet tracker with 24 email samples.\r\nShown above:  Screenshot from one of the emails.\r\nThe attachments\r\nThe attachments were typical Word documents with malicious macros.  They work similarly to malicious macros seen in other malspam campaigns, using PowerShell to retrieve a malware binary to infect a vulnerable Windows host.\r\nShown above:  One of the attached Word documents.\r\nThe traffic\r\nInfection traffic from Monday evening showed indicators of GlobeImposter ransomware.  After the macro used PowerShell to retrieve the ransomware binary from a server at 198.100.119.11, I saw an HTTP request to psoeiras.net for an IP address check.  The URL to psoeiras.net was similar to what I've documented before with GlobeImposter ransomware infections.\r\nShown above:  Traffic from an infection filtered in Wireshark on Monday evening (US time).\r\nWhen I checked again Tuesday morning, I saw the same URL to 198.100.119.11 for a ransomware binary.  However, this time, the follow-up HTTP request for the IP address check went to nomoreransom.coin, with follow-up DNS queries for nomoreransom.bit and gandcrab.bit.  These domains are typical for what I've previously documented with GandCrab ransomware.\r\nShown above:  Traffic from an infection filtered in Wireshark on Tuesday morning (US time).\r\nForensics on an infected Windows host\r\nThe GandCrab ransomware sample didn't encrypt any files on my lab host, but the GlobeImposter binary did.  All files encrypted by the GlobeImposter sample used a .gif file extension.  Previous samples of GlobeImposter I'd tested in December 2017 used Read__ME.html for the decryption instructions, but this 2018 sample used Read__ME.txt.  The GlobeImposter decryptor seen through my Tor browser had a visual upgrade with a nice background image, but it still had the same basic setup as before.\r\nShown above:  Encrypted files on a Windows host infected with GlobeImposter.\r\nShown above:  GlobeImposter decryption instructions.\r\nShown above:  GlobeImposter decryptor viewed on a Tor browser.\r\nThe GlobeImposter infection stayed persistent on my infected lab host through the Windows registry.  Like many malware samples I've seen, this one used the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key.  However, the binary used for persistence was not the same binary used during the initial infection.  The persistent binary for this GlobeImposter infection was only 22,528 bytes.\r\nShown above:  Malware made persistent on my host infected with GlobeImposter.\r\nIndicators\r\nSee below for a list of URLs, domains, and file hashes associated with this malspam.\r\nSHA256 hashes for all attachments named \" Resume.doc\" are listed in the original diary.\r\nThe following are malware samples retrieved from my infected lab hosts:\r\nSHA256 hash:  61bed70b1568fce8dc67c91bab1884027631bdf2c8b8ba63d54ce32d7e429a76\r\nFile size:  223,744 bytes\r\nFile location:  C:\\Users\\[username]\\AppData\\Local\\Temp\\41097.exe\r\nFile description:  GandCrab ransomware\r\nSHA256 hash:  d6535b7caf79cc9b624e5f8878aa1d8717bdd84778fde47caad4ed75e322ef97\r\nFile size:  867,840 bytes\r\nFile location:  C:\\Users\\[username]\\AppData\\Local\\Temp\\41097.exe\r\nFile description:  GlobeImposter ransomware\r\nSHA256 hash:  41056643ee135ac0fce3237d69b32370102887b22c0250e2e0b515b25f525183\r\nFile size:  22,528 bytes\r\nFile location:  C:\\Users\\[username]\\AppData\\Roaming\\Microsoft\\wmon32.exe\r\nFile description:  Executable persistent for the GlobeImposter ransomware infection\r\nThe following are URLs and domains associated with these infections:\r\n198.100.119.11 port 80 - 198.100.119.11 - GET /d1.jpg?rnd=53171   (returned ransomware binaries)\r\n74.220.219.67 port 80 - psoeiras.net - GET /count.php?nu=103   (IP address check from GlobeImposter)\r\n66.171.248.178 port 80 - nomoreransom.coin - GET /   (IP address check from GandCrab)\r\nnomoreransom.bit   (domain associated with GandCrab)\r\ngandcrab.bit   (domain associated with GandCrab)\r\nhxxp://djfl3vltmo36vure.onion/sdlskglkehhr   (GlobeImposter decryptor)\r\nFinal words\r\nAlthough ransomware is down compared to last year, every once in a while we still see a wave of malspam like this, pushing recent ransomware families seen in prior mass-distribution campaigns.  So far in 2018, GlobeImposter and GandCrab are the only ones I've seen in mass-distribution malspam.  However, these recent samples don't seem to be any more dangerous now than they were before.\r\nAs always, properly administered Windows hosts are unlikely to get infected.  To infect their computers, users would have to ignore multiple warnings to retrieve and activate the malicious Word document, which includes bypassing Protected View.  System administrators and the technically inclined can also implement best practices like Software Restriction Policies (SRP) or AppLocker to prevent these types of infections.\r\nPcap and malware samples for today's diary can be found here.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/diary/23417",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/diary/23417"
	],
	"report_names": [
		"23417"
	],
	"threat_actors": [],
	"ts_created_at": 1775434465,
	"ts_updated_at": 1775791261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/96d90f2592db0c974743aef24ef885a1b5a5d48a.pdf",
		"text": "https://archive.orkl.eu/96d90f2592db0c974743aef24ef885a1b5a5d48a.txt",
		"img": "https://archive.orkl.eu/96d90f2592db0c974743aef24ef885a1b5a5d48a.jpg"
	}
}