General

  • Target

    d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c

  • Size

    76KB

  • Sample

    201109-x2verda51j

  • MD5

    604e4eeb6966e6285d9cef769feca7ca

  • SHA1

    0c21972f5299b944d808e7572249a97ad6312f0e

  • SHA256

    d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c

  • SHA512

    5d725b5f3384cb2adb8a673484cf4651ccf095a13e003a9fad6a3e913b9b49e23b5019c0417ca8c34d8824da970cfea1aee04a3e2a9b14d23e7a2cef38a2adf4

Malware Config

Extracted

Path

C:\77D077-Readme.txt

Ransom Note
++++++++++++++++++++++++++++++++++++++++++++++NetWalker Ransomware++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 77d077. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokbiglock@cock.li 2.koktiktok@tuta.io Be sure to include your personal code in the letter: {key_77d077:EQAAADc3RDA3Ny1SZWFkbWUudHh0IgAAAC5tYWlsdG9ba29rYm lnbG9ja0Bjb2NrLmxpXS43N2QwNzdZqB4bgLwo7vZgUzMqM4x+ 8rhp1gZ2INkiP32PnALIZ1wg2VozxUQ1AgfhlT0ECy9jGAxWbT C+0COeIT7YJI3+EISZmmDWTqeH9xtK5W3arfmBsZaT7OL9ZrPM KL3YKCRy317BJ5fAogE8wV78pD7x}
Emails

1.kokbiglock@cock.li

2.koktiktok@tuta.io

Extracted

Path

C:\Users\Admin\Downloads\39FD23-Readme.txt

Ransom Note
++++++++++++++++++++++++++++++++++++++++++++++NetWalker Ransomware++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 39fd23. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokbiglock@cock.li 2.koktiktok@tuta.io Be sure to include your personal code in the letter: {key_39fd23:EQAAADM5RkQyMy1SZWFkbWUudHh0IgAAAC5tYWlsdG9ba29rYm lnbG9ja0Bjb2NrLmxpXS4zOWZkMjNZqB4bTX8S5AlNHyRZ1Yg1 3FJzDKwRjBlSE6b0XgSFlfR3VBbvTJ8K4klof4FYMXbuBGKHQM u3DtBne6356tvOrWvXgpB4+NuvLt2jy9OXluehnBNBy2NUHlyh fkpRI2jzjQknKfnpc3Mboa3DzVjk}
Emails

1.kokbiglock@cock.li

2.koktiktok@tuta.io

Targets

    • Target

      d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c

    • Size

      76KB

    • MD5

      604e4eeb6966e6285d9cef769feca7ca

    • SHA1

      0c21972f5299b944d808e7572249a97ad6312f0e

    • SHA256

      d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c

    • SHA512

      5d725b5f3384cb2adb8a673484cf4651ccf095a13e003a9fad6a3e913b9b49e23b5019c0417ca8c34d8824da970cfea1aee04a3e2a9b14d23e7a2cef38a2adf4

    • Detected Netwalker Ransomware

      Detected unpacked Netwalker executable.

    • Netwalker Ransomware

      Ransomware family with multiple versions. Also known as MailTo.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Adds Run key to start application

    • Modifies service

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tactic            Technique                            #   ID
Persistence       Registry Run Keys / Startup Folder   1   T1060
Persistence       Modify Existing Service              1   T1031
Defense Evasion   File Deletion                        2   T1107
Defense Evasion   Modify Registry                      2   T1112
Impact            Inhibit System Recovery              2   T1490

Tasks