General

  • Target

    61d26a517d9a6dfaa47a65828a244f122d89e565dd86a2a6ac860aa95d9304a4

  • Size

    73KB

  • Sample

    201109-krl9pgwnjs

  • MD5

    f1bee8af811ef6353430fc5ac6f09f98

  • SHA1

    7550ad4cc606d4cd6f853360e5a13dfebb5d79a5

  • SHA256

    61d26a517d9a6dfaa47a65828a244f122d89e565dd86a2a6ac860aa95d9304a4

  • SHA512

    ae871dfd7eff648e2a1551cdd04a7261f08028c9500cd6a4ae1d4fe01a6918a847e520615f07285d7eb4615e9874fa983aad21e43c64549ecea8816ce6cd4438

Malware Config

Extracted

Path

C:\Recovery\a7611f42-198c-11eb-8a49-ee401b9e63cb\FF0E70-Readme.txt

Ransom Note

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
--- What happen ? ---
Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion ff0e70. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data.
--- What guarantees? ---
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee.
--- How to contact with us ? ---
Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io
Be sure to include your personal code in the letter: {key_ff0e70:EQAAAEZGMEU3MC1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLmZmMGU3MBbhG6+N/wIJ/R2aGJWsFAkQ HYZ/L4Ef/3qps6YX+PU3e+YmndflJR8TNnqLSJs+wcxs+XDx+5 OK2hEj/N6hNu3cJFeI4OUa4KpRx0Cvn+HNeKWMb6ZSvkdGhLsX y8yHU6kjTh1fwpiwSB5VYo+r69k=}

Emails

1.kokoklock@cock.li

2.pabpabtab@tuta.io

Extracted

Path

C:\odt\903BA5-Readme.txt

Ransom Note

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
--- What happen ? ---
Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 903ba5. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data.
--- What guarantees? ---
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee.
--- How to contact with us ? ---
Email us: 1.kokoklock@cock.li 2.pabpabtab@tuta.io
Be sure to include your personal code in the letter: {key_903ba5:EQAAADkwM0JBNS1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLjkwM2JhNRbhG6+0t8yNWGszvIHXslvU gWjpSs1QqF8zgDHKvJf+PaITBsXeZV0QKhoiIRp+aCknCLy5Kx HB4HCnYWJku8w9oSuhaqjuE3+4S3Zk7DAhDByBeV0g+5lBXdG2 HMm8M4iA9o8S3SNVwFMmk76DuJ4=}

Emails

1.kokoklock@cock.li

2.pabpabtab@tuta.io

Targets

    • Target

      61d26a517d9a6dfaa47a65828a244f122d89e565dd86a2a6ac860aa95d9304a4

    • Detected Netwalker Ransomware

      Detected unpacked Netwalker executable.

    • Netwalker Ransomware

      Ransomware family with multiple versions. Also known as MailTo.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Adds Run key to start application

    • Modifies service

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

    Tactic            Technique                            Count  ID
    Persistence       Registry Run Keys / Startup Folder   1      T1060
    Persistence       Modify Existing Service              1      T1031
    Defense Evasion   File Deletion                        2      T1107
    Defense Evasion   Modify Registry                      2      T1112
    Impact            Inhibit System Recovery              2      T1490

Tasks