e3e75e15fd7f6a8233e33c8a8e127cee36706025451644cf8618a0876fd0e95f.bin

General
Target

e3e75e15fd7f6a8233e33c8a8e127cee36706025451644cf8618a0876fd0e95f.bin

Size

57KB

Sample

201109-nm293s1n1s

Score
10 /10
MD5

997f0ec7fcfa440d58443922651a2b0a

SHA1

6bd08ea17de7987451757b549984a443cf08b401

SHA256

e3e75e15fd7f6a8233e33c8a8e127cee36706025451644cf8618a0876fd0e95f

SHA512

c80320dc518936d88e283dc27a5cab5575d12f6c14af994ec79730aed31c61f89e631db1e04673a0dfa0ef8e56fd1ad4029def2210c3e0a3348c44cc6df11c1f

Malware Config

Extracted

Path C:\ProgramData\Microsoft\MF\F859A1-Readme.txt
Family netwalker
Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .f859a1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_f859a1: U2wT2FxHbYnBsp9clCydICOMz0xHS9y9qxbwYTxSyUWHonPfMF 0JShF/VkyMO/vileP9Apd62n4brPnmwJQ/d/BaRVzkudYYQNnK oGuxqQefyAbdy1fIdlcNPaB7OcJJCHbVR7XqhD3SsjMRujUj3+ 42tCAnf8VScRw+fe5U2o2Et9sx/8+akPwc+qDQQVfZjUvbyYZJ IICir+oEIXTjFRoRqvZaOUA4GBWaH05Yy+nHnR2ct2xbezvCdu um9sUTOR9yaJM5K9VRwGS0o5+0XxQDHicS9xAGQg==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path C:\Users\Admin\Desktop\F859A1-Readme.txt
Family netwalker
Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .f859a1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_f859a1: U2wT2FxHbYnBsp9clCydICOMz0xHS9y9qxbwYTxSyUWHonPfMF 0JShF/VkyMO/vileP9Apd62n4brPnmwJQ/d/BaRVzkudYYQNnK oGuxqQefyAbdy1fIdlcNPaB7OcJJCHbVR7XqhD3SsjMRujUj3+ 42tCAnf8VScRw+fe5U2o2Et9sx/8+akPwc+qDQQVfZjUvbyYZJ IICir+oEIXTjFRoRqvZaOUA4GBWaH05Yy+nHnR2ct2xbezvCdu um9sUTOR9yaJM5K9VRwGS0o5+0XxQDHicS9xAGQg==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .f859a1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_f859a1: U2wT2FxHbYnBsp9clCydICOMz0xHS9y9qxbwYTxSyUWHonPfMF 0JShF/VkyMO/vileP9Apd62n4brPnmwJQ/d/BaRVzkudYYQNnK oGuxqQefyAbdy1fIdlcNPaB7OcJJCHbVR7XqhD3SsjMRujUj3+ 42tCAnf8VScRw+fe5U2o2Et9sx/8+akPwc+qDQQVfZjUvbyYZJ IICir+oEIXTjFRoRqvZaOUA4GBWaH05Yy+nHnR2ct2xbezvCdu um9sUTOR9yaJM5K9VRwGS0o5+0XxQDHicS9xAGQg==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .f859a1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_f859a1: U2wT2FxHbYnBsp9clCydICOMz0xHS9y9qxbwYTxSyUWHonPfMF 0JShF/VkyMO/vileP9Apd62n4brPnmwJQ/d/BaRVzkudYYQNnK oGuxqQefyAbdy1fIdlcNPaB7OcJJCHbVR7XqhD3SsjMRujUj3+ 42tCAnf8VScRw+fe5U2o2Et9sx/8+akPwc+qDQQVfZjUvbyYZJ IICir+oEIXTjFRoRqvZaOUA4GBWaH05Yy+nHnR2ct2xbezvCdu um9sUTOR9yaJM5K9VRwGS0o5+0XxQDHicS9xAGQg==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\F859A1-Readme.txt
Family netwalker
Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .f859a1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_f859a1: U2wT2FxHbYnBsp9clCydICOMz0xHS9y9qxbwYTxSyUWHonPfMF 0JShF/VkyMO/vileP9Apd62n4brPnmwJQ/d/BaRVzkudYYQNnK oGuxqQefyAbdy1fIdlcNPaB7OcJJCHbVR7XqhD3SsjMRujUj3+ 42tCAnf8VScRw+fe5U2o2Et9sx/8+akPwc+qDQQVfZjUvbyYZJ IICir+oEIXTjFRoRqvZaOUA4GBWaH05Yy+nHnR2ct2xbezvCdu um9sUTOR9yaJM5K9VRwGS0o5+0XxQDHicS9xAGQg==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .f859a1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_f859a1: U2wT2FxHbYnBsp9clCydICOMz0xHS9y9qxbwYTxSyUWHonPfMF 0JShF/VkyMO/vileP9Apd62n4brPnmwJQ/d/BaRVzkudYYQNnK oGuxqQefyAbdy1fIdlcNPaB7OcJJCHbVR7XqhD3SsjMRujUj3+ 42tCAnf8VScRw+fe5U2o2Et9sx/8+akPwc+qDQQVfZjUvbyYZJ IICir+oEIXTjFRoRqvZaOUA4GBWaH05Yy+nHnR2ct2xbezvCdu um9sUTOR9yaJM5K9VRwGS0o5+0XxQDHicS9xAGQg==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path C:\odt\C52B64-Readme.txt
Family netwalker
Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .c52b64 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_c52ePWGvYeIxnaFF8O4tLeMav7vqePYtqHcRFrQf7q3Trnk9/+LXN +wG1JWawUr5cSiBPVMzsGv9AS59SoRi7MW6o26Mjq9cRklQNnK oJM4LMt5EFnu18j0/wTWoz7dtKftQAwbd5M1zta0/1Ou5k1yqU PgvJZ6nIfKm1THKkSEjkKS6obJbPVIracin+mDsZ0OtBpxTFlk ubPphWLoKS3SiRP4y9+eNFqjqjv17gRAt9HCzL7iJ4smlShYVu pdALn0a548LKJs7eCdvLboiYe657pkNCl5mS36Hg==: ePWGvYeIxnaFF8O4tLeMav7vqePYtqHcRFrQf7q3Trnk9/+LXN +wG1JWawUr5cSiBPVMzsGv9AS59SoRi7MW6o26Mjq9cRklQNnK oJM4LMt5EFnu18j0/wTWoz7dtKftQAwbd5M1zta0/1Ou5k1yqU PgvJZ6nIfKm1THKkSEjkKS6obJbPVIracin+mDsZ0OtBpxTFlk ubPphWLoKS3SiRP4y9+eNFqjqjv17gRAt9HCzL7iJ4smlShYVu pdALn0a548LKJs7eCdvLboiYe657pkNCl5mS36Hg==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\C52B64-Readme.txt
Family netwalker
Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .c52b64 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_c52ePWGvYeIxnaFF8O4tLeMav7vqePYtqHcRFrQf7q3Trnk9/+LXN +wG1JWawUr5cSiBPVMzsGv9AS59SoRi7MW6o26Mjq9cRklQNnK oJM4LMt5EFnu18j0/wTWoz7dtKftQAwbd5M1zta0/1Ou5k1yqU PgvJZ6nIfKm1THKkSEjkKS6obJbPVIracin+mDsZ0OtBpxTFlk ubPphWLoKS3SiRP4y9+eNFqjqjv17gRAt9HCzL7iJ4smlShYVu pdALn0a548LKJs7eCdvLboiYe657pkNCl5mS36Hg==: ePWGvYeIxnaFF8O4tLeMav7vqePYtqHcRFrQf7q3Trnk9/+LXN +wG1JWawUr5cSiBPVMzsGv9AS59SoRi7MW6o26Mjq9cRklQNnK oJM4LMt5EFnu18j0/wTWoz7dtKftQAwbd5M1zta0/1Ou5k1yqU PgvJZ6nIfKm1THKkSEjkKS6obJbPVIracin+mDsZ0OtBpxTFlk ubPphWLoKS3SiRP4y9+eNFqjqjv17gRAt9HCzL7iJ4smlShYVu pdALn0a548LKJs7eCdvLboiYe657pkNCl5mS36Hg==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .c52b64 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_c52ePWGvYeIxnaFF8O4tLeMav7vqePYtqHcRFrQf7q3Trnk9/+LXN +wG1JWawUr5cSiBPVMzsGv9AS59SoRi7MW6o26Mjq9cRklQNnK oJM4LMt5EFnu18j0/wTWoz7dtKftQAwbd5M1zta0/1Ou5k1yqU PgvJZ6nIfKm1THKkSEjkKS6obJbPVIracin+mDsZ0OtBpxTFlk ubPphWLoKS3SiRP4y9+eNFqjqjv17gRAt9HCzL7iJ4smlShYVu pdALn0a548LKJs7eCdvLboiYe657pkNCl5mS36Hg==: ePWGvYeIxnaFF8O4tLeMav7vqePYtqHcRFrQf7q3Trnk9/+LXN +wG1JWawUr5cSiBPVMzsGv9AS59SoRi7MW6o26Mjq9cRklQNnK oJM4LMt5EFnu18j0/wTWoz7dtKftQAwbd5M1zta0/1Ou5k1yqU PgvJZ6nIfKm1THKkSEjkKS6obJbPVIracin+mDsZ0OtBpxTFlk ubPphWLoKS3SiRP4y9+eNFqjqjv17gRAt9HCzL7iJ4smlShYVu pdALn0a548LKJs7eCdvLboiYe657pkNCl5mS36Hg==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path C:\Users\Admin\Documents\C52B64-Readme.txt
Family netwalker
Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .c52b64 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_c52ePWGvYeIxnaFF8O4tLeMav7vqePYtqHcRFrQf7q3Trnk9/+LXN +wG1JWawUr5cSiBPVMzsGv9AS59SoRi7MW6o26Mjq9cRklQNnK oJM4LMt5EFnu18j0/wTWoz7dtKftQAwbd5M1zta0/1Ou5k1yqU PgvJZ6nIfKm1THKkSEjkKS6obJbPVIracin+mDsZ0OtBpxTFlk ubPphWLoKS3SiRP4y9+eNFqjqjv17gRAt9HCzL7iJ4smlShYVu pdALn0a548LKJs7eCdvLboiYe657pkNCl5mS36Hg==: ePWGvYeIxnaFF8O4tLeMav7vqePYtqHcRFrQf7q3Trnk9/+LXN +wG1JWawUr5cSiBPVMzsGv9AS59SoRi7MW6o26Mjq9cRklQNnK oJM4LMt5EFnu18j0/wTWoz7dtKftQAwbd5M1zta0/1Ou5k1yqU PgvJZ6nIfKm1THKkSEjkKS6obJbPVIracin+mDsZ0OtBpxTFlk ubPphWLoKS3SiRP4y9+eNFqjqjv17gRAt9HCzL7iJ4smlShYVu pdALn0a548LKJs7eCdvLboiYe657pkNCl5mS36Hg==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .c52b64 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_c52ePWGvYeIxnaFF8O4tLeMav7vqePYtqHcRFrQf7q3Trnk9/+LXN +wG1JWawUr5cSiBPVMzsGv9AS59SoRi7MW6o26Mjq9cRklQNnK oJM4LMt5EFnu18j0/wTWoz7dtKftQAwbd5M1zta0/1Ou5k1yqU PgvJZ6nIfKm1THKkSEjkKS6obJbPVIracin+mDsZ0OtBpxTFlk ubPphWLoKS3SiRP4y9+eNFqjqjv17gRAt9HCzL7iJ4smlShYVu pdALn0a548LKJs7eCdvLboiYe657pkNCl5mS36Hg==: ePWGvYeIxnaFF8O4tLeMav7vqePYtqHcRFrQf7q3Trnk9/+LXN +wG1JWawUr5cSiBPVMzsGv9AS59SoRi7MW6o26Mjq9cRklQNnK oJM4LMt5EFnu18j0/wTWoz7dtKftQAwbd5M1zta0/1Ou5k1yqU PgvJZ6nIfKm1THKkSEjkKS6obJbPVIracin+mDsZ0OtBpxTFlk ubPphWLoKS3SiRP4y9+eNFqjqjv17gRAt9HCzL7iJ4smlShYVu pdALn0a548LKJs7eCdvLboiYe657pkNCl5mS36Hg==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .c52b64 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_c52ePWGvYeIxnaFF8O4tLeMav7vqePYtqHcRFrQf7q3Trnk9/+LXN +wG1JWawUr5cSiBPVMzsGv9AS59SoRi7MW6o26Mjq9cRklQNnK oJM4LMt5EFnu18j0/wTWoz7dtKftQAwbd5M1zta0/1Ou5k1yqU PgvJZ6nIfKm1THKkSEjkKS6obJbPVIracin+mDsZ0OtBpxTFlk ubPphWLoKS3SiRP4y9+eNFqjqjv17gRAt9HCzL7iJ4smlShYVu pdALn0a548LKJs7eCdvLboiYe657pkNCl5mS36Hg==: ePWGvYeIxnaFF8O4tLeMav7vqePYtqHcRFrQf7q3Trnk9/+LXN +wG1JWawUr5cSiBPVMzsGv9AS59SoRi7MW6o26Mjq9cRklQNnK oJM4LMt5EFnu18j0/wTWoz7dtKftQAwbd5M1zta0/1Ou5k1yqU PgvJZ6nIfKm1THKkSEjkKS6obJbPVIracin+mDsZ0OtBpxTFlk ubPphWLoKS3SiRP4y9+eNFqjqjv17gRAt9HCzL7iJ4smlShYVu pdALn0a548LKJs7eCdvLboiYe657pkNCl5mS36Hg==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Targets
Target

e3e75e15fd7f6a8233e33c8a8e127cee36706025451644cf8618a0876fd0e95f.bin

MD5

997f0ec7fcfa440d58443922651a2b0a

Filesize

57KB

Score
10/10
SHA1

6bd08ea17de7987451757b549984a443cf08b401

SHA256

e3e75e15fd7f6a8233e33c8a8e127cee36706025451644cf8618a0876fd0e95f

SHA512

c80320dc518936d88e283dc27a5cab5575d12f6c14af994ec79730aed31c61f89e631db1e04673a0dfa0ef8e56fd1ad4029def2210c3e0a3348c44cc6df11c1f

Tags

Signatures

  • Netwalker Ransomware

    Description

    Ransomware family with multiple versions. Also known as MailTo.

    Tags

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
      Discovery
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Persistence
                    Privilege Escalation
                      Tasks

                      static1

                      behavioral1

                      10/10

                      behavioral2

                      10/10