IRSdeclaration‮cod.exe

General
Target

IRSdeclaration‮cod.exe

Size

282KB

Sample

201015-d11m2zjdgs

Score
10 /10
MD5

fe3fd53ddc7c229b1150d970a05947c0

SHA1

3abeddbbbd29310290955cc7c1a895550c92ab96

SHA256

c414bbb789af8e3fb93b33344b31f1991582ec0f06558b29a3178d2b02465c72

SHA512

8b94e67f48f90d7a0e463a7623ba6f87a5f4108f33587c8f579f29aa3c9b0a22f7e134470824d25dccb552bfc868b18cd3f05ef09aaceef2bab6984c21f203b4

Malware Config

Extracted

Path C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\FD6F5D-Readme.txt
Family netwalker
Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .fd6f5d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_fd6f5d: l/Fk05gcV+GUCD0bIg74onLdc73bTB+ghYzoOM0ZflBrMzLu5v kpJgWgMRHgrxJjbeMMAeLd5IOLqdZsGGy8UhMYDlQFiNVv41Zj AnXAqEjZ8Oh8YjoNP8jnZUX15sWv5bzR1agHdKgTgy2ewzcErN bj3a1GUySmish9GBUpQrFNit8yElCXlv3BAf1Gl/qP4hIzZByi IXxk+WIarjMQXdGJEoolV2MtDSCl4e2QD68L7o74z05Z6qD4Gu +MUXV+mvfVfOpwNM3QsgkN/hJ2SvaatSnhQVteXA==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\FD6F5D-Readme.txt
Family netwalker
Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .fd6f5d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_fd6f5d: l/Fk05gcV+GUCD0bIg74onLdc73bTB+ghYzoOM0ZflBrMzLu5v kpJgWgMRHgrxJjbeMMAeLd5IOLqdZsGGy8UhMYDlQFiNVv41Zj AnXAqEjZ8Oh8YjoNP8jnZUX15sWv5bzR1agHdKgTgy2ewzcErN bj3a1GUySmish9GBUpQrFNit8yElCXlv3BAf1Gl/qP4hIzZByi IXxk+WIarjMQXdGJEoolV2MtDSCl4e2QD68L7o74z05Z6qD4Gu +MUXV+mvfVfOpwNM3QsgkN/hJ2SvaatSnhQVteXA==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .fd6f5d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_fd6f5d: l/Fk05gcV+GUCD0bIg74onLdc73bTB+ghYzoOM0ZflBrMzLu5v kpJgWgMRHgrxJjbeMMAeLd5IOLqdZsGGy8UhMYDlQFiNVv41Zj AnXAqEjZ8Oh8YjoNP8jnZUX15sWv5bzR1agHdKgTgy2ewzcErN bj3a1GUySmish9GBUpQrFNit8yElCXlv3BAf1Gl/qP4hIzZByi IXxk+WIarjMQXdGJEoolV2MtDSCl4e2QD68L7o74z05Z6qD4Gu +MUXV+mvfVfOpwNM3QsgkN/hJ2SvaatSnhQVteXA==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .fd6f5d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_fd6f5d: l/Fk05gcV+GUCD0bIg74onLdc73bTB+ghYzoOM0ZflBrMzLu5v kpJgWgMRHgrxJjbeMMAeLd5IOLqdZsGGy8UhMYDlQFiNVv41Zj AnXAqEjZ8Oh8YjoNP8jnZUX15sWv5bzR1agHdKgTgy2ewzcErN bj3a1GUySmish9GBUpQrFNit8yElCXlv3BAf1Gl/qP4hIzZByi IXxk+WIarjMQXdGJEoolV2MtDSCl4e2QD68L7o74z05Z6qD4Gu +MUXV+mvfVfOpwNM3QsgkN/hJ2SvaatSnhQVteXA==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\FD6F5D-Readme.txt
Family netwalker
Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .fd6f5d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_fd6f5d: l/Fk05gcV+GUCD0bIg74onLdc73bTB+ghYzoOM0ZflBrMzLu5v kpJgWgMRHgrxJjbeMMAeLd5IOLqdZsGGy8UhMYDlQFiNVv41Zj AnXAqEjZ8Oh8YjoNP8jnZUX15sWv5bzR1agHdKgTgy2ewzcErN bj3a1GUySmish9GBUpQrFNit8yElCXlv3BAf1Gl/qP4hIzZByi IXxk+WIarjMQXdGJEoolV2MtDSCl4e2QD68L7o74z05Z6qD4Gu +MUXV+mvfVfOpwNM3QsgkN/hJ2SvaatSnhQVteXA==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .fd6f5d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_fd6f5d: l/Fk05gcV+GUCD0bIg74onLdc73bTB+ghYzoOM0ZflBrMzLu5v kpJgWgMRHgrxJjbeMMAeLd5IOLqdZsGGy8UhMYDlQFiNVv41Zj AnXAqEjZ8Oh8YjoNP8jnZUX15sWv5bzR1agHdKgTgy2ewzcErN bj3a1GUySmish9GBUpQrFNit8yElCXlv3BAf1Gl/qP4hIzZByi IXxk+WIarjMQXdGJEoolV2MtDSCl4e2QD68L7o74z05Z6qD4Gu +MUXV+mvfVfOpwNM3QsgkN/hJ2SvaatSnhQVteXA==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path C:\5138E8-Readme.txt
Family netwalker
Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .5138e8 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5138e8: Xc5zSrtrA6QNffbGlMQ+siLG0O/0MCA2nxYcN14r4dggoI+yPr KbXcVFX9JGddBFzhp8tqtLcajb2ON/lvUFdxka3xBWAX9a41Zj AnVTWgB7qIQl9QczCSHu4vK3GwTTy5H1i0QEJTT4zNZVy1a4Tg 7PzFb1hqdBzmFpMR23ezvZoxBFDLcBPyiuZTEtqgC3hsbndUkF 5/Lr3FaHkLpvOEzZ9N2nk5iS0l3iiGSaXcwYrdT4UsWjooI7dQ 00us+4l4ppWqEPYBl83jH9n+E7hwpAKYe+VEjaRg==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\5138E8-Readme.txt
Family netwalker
Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .5138e8 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5138e8: Xc5zSrtrA6QNffbGlMQ+siLG0O/0MCA2nxYcN14r4dggoI+yPr KbXcVFX9JGddBFzhp8tqtLcajb2ON/lvUFdxka3xBWAX9a41Zj AnVTWgB7qIQl9QczCSHu4vK3GwTTy5H1i0QEJTT4zNZVy1a4Tg 7PzFb1hqdBzmFpMR23ezvZoxBFDLcBPyiuZTEtqgC3hsbndUkF 5/Lr3FaHkLpvOEzZ9N2nk5iS0l3iiGSaXcwYrdT4UsWjooI7dQ 00us+4l4ppWqEPYBl83jH9n+E7hwpAKYe+VEjaRg==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .5138e8 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5138e8: Xc5zSrtrA6QNffbGlMQ+siLG0O/0MCA2nxYcN14r4dggoI+yPr KbXcVFX9JGddBFzhp8tqtLcajb2ON/lvUFdxka3xBWAX9a41Zj AnVTWgB7qIQl9QczCSHu4vK3GwTTy5H1i0QEJTT4zNZVy1a4Tg 7PzFb1hqdBzmFpMR23ezvZoxBFDLcBPyiuZTEtqgC3hsbndUkF 5/Lr3FaHkLpvOEzZ9N2nk5iS0l3iiGSaXcwYrdT4UsWjooI7dQ 00us+4l4ppWqEPYBl83jH9n+E7hwpAKYe+VEjaRg==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path C:\Program Files\5138E8-Readme.txt
Family netwalker
Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .5138e8 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5138e8: Xc5zSrtrA6QNffbGlMQ+siLG0O/0MCA2nxYcN14r4dggoI+yPr KbXcVFX9JGddBFzhp8tqtLcajb2ON/lvUFdxka3xBWAX9a41Zj AnVTWgB7qIQl9QczCSHu4vK3GwTTy5H1i0QEJTT4zNZVy1a4Tg 7PzFb1hqdBzmFpMR23ezvZoxBFDLcBPyiuZTEtqgC3hsbndUkF 5/Lr3FaHkLpvOEzZ9N2nk5iS0l3iiGSaXcwYrdT4UsWjooI7dQ 00us+4l4ppWqEPYBl83jH9n+E7hwpAKYe+VEjaRg==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .5138e8 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5138e8: Xc5zSrtrA6QNffbGlMQ+siLG0O/0MCA2nxYcN14r4dggoI+yPr KbXcVFX9JGddBFzhp8tqtLcajb2ON/lvUFdxka3xBWAX9a41Zj AnVTWgB7qIQl9QczCSHu4vK3GwTTy5H1i0QEJTT4zNZVy1a4Tg 7PzFb1hqdBzmFpMR23ezvZoxBFDLcBPyiuZTEtqgC3hsbndUkF 5/Lr3FaHkLpvOEzZ9N2nk5iS0l3iiGSaXcwYrdT4UsWjooI7dQ 00us+4l4ppWqEPYBl83jH9n+E7hwpAKYe+VEjaRg==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .5138e8 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5138e8: Xc5zSrtrA6QNffbGlMQ+siLG0O/0MCA2nxYcN14r4dggoI+yPr KbXcVFX9JGddBFzhp8tqtLcajb2ON/lvUFdxka3xBWAX9a41Zj AnVTWgB7qIQl9QczCSHu4vK3GwTTy5H1i0QEJTT4zNZVy1a4Tg 7PzFb1hqdBzmFpMR23ezvZoxBFDLcBPyiuZTEtqgC3hsbndUkF 5/Lr3FaHkLpvOEzZ9N2nk5iS0l3iiGSaXcwYrdT4UsWjooI7dQ 00us+4l4ppWqEPYBl83jH9n+E7hwpAKYe+VEjaRg==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Targets
Target

IRSdeclaration‮cod.exe

MD5

fe3fd53ddc7c229b1150d970a05947c0

Filesize

282KB

Score
10 /10
SHA1

3abeddbbbd29310290955cc7c1a895550c92ab96

SHA256

c414bbb789af8e3fb93b33344b31f1991582ec0f06558b29a3178d2b02465c72

SHA512

8b94e67f48f90d7a0e463a7623ba6f87a5f4108f33587c8f579f29aa3c9b0a22f7e134470824d25dccb552bfc868b18cd3f05ef09aaceef2bab6984c21f203b4

Tags

Signatures

  • Netwalker Ransomware

    Description

    Ransomware family with multiple versions. Also known as MailTo.

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion Inhibit System Recovery
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Deletes itself

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Modifies service

    Tags

    TTPs

    Modify Registry Modify Existing Service

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Discovery
      Execution
        Exfiltration
          Initial Access
            Lateral Movement
              Privilege Escalation
                Tasks