Malware sandboxing report by Hatching Triage

General

Target

6059871321227264.zip
Size

190KB
Sample

210701-whrbsf8996
MD5

d670333be42dfb91a9a031e1693d6efe
SHA1

53c0eabf5541f8be14107f3e18b53ba1ad8d8828
SHA256

a20a1cd9fa52d3f6bc62b6b629df2273d1c579f0fffce69d2bc64895c692fb19
SHA512

3d6c025431632dc5eba4fe6a7feb5ba4fa24892717f02b123c96ba1989dc866d4d931f097da270b774404dea5b4b7d6df3db1b12879431f084b6676a679221af

Score

10^/10

Malware Config

Extracted

Path	C:\$Recycle.Bin\S-1-5-21-2455352368-1077083310-2879168483-1000\HOW TO DECRYPT FILES.txt
Ransom Note	Hi, as you can see, all your files are encrypted. Don't panic, you can decrypt them, you just have to pay me for the ransom. Payment is made only by bitcoin, and the amount you have to pay is 0.03 BITCOIN You can buy very easily from these sites: www.localbitcoins.com www.paxful.com A list of several sites where you can buy bitcoin can be found here: https://bitcoin.org/en/exchanges Make sure the address where you will send the bitcoin is: 1DENGvxJZofU9BVfiScrgZHhhntJ3sAPSd After sending, contact us at this email address: zucano@tuta.io With this subject: ZUCANO03TUTA394821 After confirming the payment, you will receive a tutorial and the keys for decrypting the files.
Emails	zucano@tuta.io zucano@tuta.io
Wallets	1DENGvxJZofU9BVfiScrgZHhhntJ3sAPSd 1DENGvxJZofU9BVfiScrgZHhhntJ3sAPSd

Extracted

Path	C:\F43E65-Readme.txt
Family	netwalker
Ransom Note	Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .f43e65 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_f43e65: tFP0GSPudA3wtSInAhscvfzXvpX+8l2ijkOL436d3tzEe10FjP SVcGJfsY0ZiP4PzLUEDVdW1wZrykXNUE35iuIGga5wkVoW41Zj ArOjnCI4pLwFkRozDKvyJlBLfroH/ys0CblD0uaY5H3xze4CUd vRlHUDGSOodkUK0pbNjgHm0u2isc40hOk80O4cN0JorA+qzsgb Jgo+i8ncEYB4pVRVYf6vODuPONo2DANhMT9I3Vhuohs2d/TXA/ quUK7xZ8FT7TuCvYxC6E3toGAYAPfnBJuugw4rlA==}
URLs	http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path	C:\Users\Admin\Favorites\Microsoft Websites\F43E65-Readme.txt
Family	netwalker
Ransom Note	Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .f43e65 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_f43e65: tFP0GSPudA3wtSInAhscvfzXvpX+8l2ijkOL436d3tzEe10FjP SVcGJfsY0ZiP4PzLUEDVdW1wZrykXNUE35iuIGga5wkVoW41Zj ArOjnCI4pLwFkRozDKvyJlBLfroH/ys0CblD0uaY5H3xze4CUd vRlHUDGSOodkUK0pbNjgHm0u2isc40hOk80O4cN0JorA+qzsgb Jgo+i8ncEYB4pVRVYf6vODuPONo2DANhMT9I3Vhuohs2d/TXA/ quUK7xZ8FT7TuCvYxC6E3toGAYAPfnBJuugw4rlA==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .f43e65 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_f43e65: tFP0GSPudA3wtSInAhscvfzXvpX+8l2ijkOL436d3tzEe10FjP SVcGJfsY0ZiP4PzLUEDVdW1wZrykXNUE35iuIGga5wkVoW41Zj ArOjnCI4pLwFkRozDKvyJlBLfroH/ys0CblD0uaY5H3xze4CUd vRlHUDGSOodkUK0pbNjgHm0u2isc40hOk80O4cN0JorA+qzsgb Jgo+i8ncEYB4pVRVYf6vODuPONo2DANhMT9I3Vhuohs2d/TXA/ quUK7xZ8FT7TuCvYxC6E3toGAYAPfnBJuugw4rlA==}
URLs	http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\F43E65-Readme.txt
Family	netwalker
Ransom Note	Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .f43e65 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_f43e65: tFP0GSPudA3wtSInAhscvfzXvpX+8l2ijkOL436d3tzEe10FjP SVcGJfsY0ZiP4PzLUEDVdW1wZrykXNUE35iuIGga5wkVoW41Zj ArOjnCI4pLwFkRozDKvyJlBLfroH/ys0CblD0uaY5H3xze4CUd vRlHUDGSOodkUK0pbNjgHm0u2isc40hOk80O4cN0JorA+qzsgb Jgo+i8ncEYB4pVRVYf6vODuPONo2DANhMT9I3Vhuohs2d/TXA/ quUK7xZ8FT7TuCvYxC6E3toGAYAPfnBJuugw4rlA==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .f43e65 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_f43e65: tFP0GSPudA3wtSInAhscvfzXvpX+8l2ijkOL436d3tzEe10FjP SVcGJfsY0ZiP4PzLUEDVdW1wZrykXNUE35iuIGga5wkVoW41Zj ArOjnCI4pLwFkRozDKvyJlBLfroH/ys0CblD0uaY5H3xze4CUd vRlHUDGSOodkUK0pbNjgHm0u2isc40hOk80O4cN0JorA+qzsgb Jgo+i8ncEYB4pVRVYf6vODuPONo2DANhMT9I3Vhuohs2d/TXA/ quUK7xZ8FT7TuCvYxC6E3toGAYAPfnBJuugw4rlA==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .f43e65 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_f43e65: tFP0GSPudA3wtSInAhscvfzXvpX+8l2ijkOL436d3tzEe10FjP SVcGJfsY0ZiP4PzLUEDVdW1wZrykXNUE35iuIGga5wkVoW41Zj ArOjnCI4pLwFkRozDKvyJlBLfroH/ys0CblD0uaY5H3xze4CUd vRlHUDGSOodkUK0pbNjgHm0u2isc40hOk80O4cN0JorA+qzsgb Jgo+i8ncEYB4pVRVYf6vODuPONo2DANhMT9I3Vhuohs2d/TXA/ quUK7xZ8FT7TuCvYxC6E3toGAYAPfnBJuugw4rlA==}
URLs	http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path	C:\odt\65E5C4-Readme.txt
Family	netwalker
Ransom Note	Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .65e5c4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_65e5c4: w6D5n2kfpY6auhEDHXKSb/H/BOWM6WgEc6FfMBSdkMHXBvE1+Y IOGK/LM5d2q3t2qdnE9ta80pfo5O0Hojoo5eUNwFPkZgZT41Zj AnZdnTbsw8Bo6Qmp3TehmsE7NwY86dFaHxMbGBzvJJ6raSx8Lf 4CCFqQILx8mtuOdkwTwabcCPCL4IVjnRZ+SCY7zDG7dSv5GNhp 4T4u9ba2AscYYwOLOVM01nme36p2GMdTRKkD/SUb48OlFegcDL MIhXJyzXfyUOf2uNs7JH45m3tZG+Hy7wqzOmuRew==}
URLs	http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path	C:\65E5C4-Readme.txt
Family	netwalker
Ransom Note	Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .65e5c4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_65e5c4: w6D5n2kfpY6auhEDHXKSb/H/BOWM6WgEc6FfMBSdkMHXBvE1+Y IOGK/LM5d2q3t2qdnE9ta80pfo5O0Hojoo5eUNwFPkZgZT41Zj AnZdnTbsw8Bo6Qmp3TehmsE7NwY86dFaHxMbGBzvJJ6raSx8Lf 4CCFqQILx8mtuOdkwTwabcCPCL4IVjnRZ+SCY7zDG7dSv5GNhp 4T4u9ba2AscYYwOLOVM01nme36p2GMdTRKkD/SUb48OlFegcDL MIhXJyzXfyUOf2uNs7JH45m3tZG+Hy7wqzOmuRew==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .65e5c4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_65e5c4: w6D5n2kfpY6auhEDHXKSb/H/BOWM6WgEc6FfMBSdkMHXBvE1+Y IOGK/LM5d2q3t2qdnE9ta80pfo5O0Hojoo5eUNwFPkZgZT41Zj AnZdnTbsw8Bo6Qmp3TehmsE7NwY86dFaHxMbGBzvJJ6raSx8Lf 4CCFqQILx8mtuOdkwTwabcCPCL4IVjnRZ+SCY7zDG7dSv5GNhp 4T4u9ba2AscYYwOLOVM01nme36p2GMdTRKkD/SUb48OlFegcDL MIhXJyzXfyUOf2uNs7JH45m3tZG+Hy7wqzOmuRew==}
URLs	http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path	C:\Users\Admin\Documents\65E5C4-Readme.txt
Family	netwalker
Ransom Note	Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .65e5c4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_65e5c4: w6D5n2kfpY6auhEDHXKSb/H/BOWM6WgEc6FfMBSdkMHXBvE1+Y IOGK/LM5d2q3t2qdnE9ta80pfo5O0Hojoo5eUNwFPkZgZT41Zj AnZdnTbsw8Bo6Qmp3TehmsE7NwY86dFaHxMbGBzvJJ6raSx8Lf 4CCFqQILx8mtuOdkwTwabcCPCL4IVjnRZ+SCY7zDG7dSv5GNhp 4T4u9ba2AscYYwOLOVM01nme36p2GMdTRKkD/SUb48OlFegcDL MIhXJyzXfyUOf2uNs7JH45m3tZG+Hy7wqzOmuRew==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .65e5c4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_65e5c4: w6D5n2kfpY6auhEDHXKSb/H/BOWM6WgEc6FfMBSdkMHXBvE1+Y IOGK/LM5d2q3t2qdnE9ta80pfo5O0Hojoo5eUNwFPkZgZT41Zj AnZdnTbsw8Bo6Qmp3TehmsE7NwY86dFaHxMbGBzvJJ6raSx8Lf 4CCFqQILx8mtuOdkwTwabcCPCL4IVjnRZ+SCY7zDG7dSv5GNhp 4T4u9ba2AscYYwOLOVM01nme36p2GMdTRKkD/SUb48OlFegcDL MIhXJyzXfyUOf2uNs7JH45m3tZG+Hy7wqzOmuRew==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .65e5c4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_65e5c4: w6D5n2kfpY6auhEDHXKSb/H/BOWM6WgEc6FfMBSdkMHXBvE1+Y IOGK/LM5d2q3t2qdnE9ta80pfo5O0Hojoo5eUNwFPkZgZT41Zj AnZdnTbsw8Bo6Qmp3TehmsE7NwY86dFaHxMbGBzvJJ6raSx8Lf 4CCFqQILx8mtuOdkwTwabcCPCL4IVjnRZ+SCY7zDG7dSv5GNhp 4T4u9ba2AscYYwOLOVM01nme36p2GMdTRKkD/SUb48OlFegcDL MIhXJyzXfyUOf2uNs7JH45m3tZG+Hy7wqzOmuRew==}
URLs	http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path	C:\Users\Admin\AppData\Roaming\65E5C4-Readme.txt
Family	netwalker
Ransom Note	Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .65e5c4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_65e5c4: w6D5n2kfpY6auhEDHXKSb/H/BOWM6WgEc6FfMBSdkMHXBvE1+Y IOGK/LM5d2q3t2qdnE9ta80pfo5O0Hojoo5eUNwFPkZgZT41Zj AnZdnTbsw8Bo6Qmp3TehmsE7NwY86dFaHxMbGBzvJJ6raSx8Lf 4CCFqQILx8mtuOdkwTwabcCPCL4IVjnRZ+SCY7zDG7dSv5GNhp 4T4u9ba2AscYYwOLOVM01nme36p2GMdTRKkD/SUb48OlFegcDL MIhXJyzXfyUOf2uNs7JH45m3tZG+Hy7wqzOmuRew==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .65e5c4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_65e5c4: w6D5n2kfpY6auhEDHXKSb/H/BOWM6WgEc6FfMBSdkMHXBvE1+Y IOGK/LM5d2q3t2qdnE9ta80pfo5O0Hojoo5eUNwFPkZgZT41Zj AnZdnTbsw8Bo6Qmp3TehmsE7NwY86dFaHxMbGBzvJJ6raSx8Lf 4CCFqQILx8mtuOdkwTwabcCPCL4IVjnRZ+SCY7zDG7dSv5GNhp 4T4u9ba2AscYYwOLOVM01nme36p2GMdTRKkD/SUb48OlFegcDL MIhXJyzXfyUOf2uNs7JH45m3tZG+Hy7wqzOmuRew==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .65e5c4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_65e5c4: w6D5n2kfpY6auhEDHXKSb/H/BOWM6WgEc6FfMBSdkMHXBvE1+Y IOGK/LM5d2q3t2qdnE9ta80pfo5O0Hojoo5eUNwFPkZgZT41Zj AnZdnTbsw8Bo6Qmp3TehmsE7NwY86dFaHxMbGBzvJJ6raSx8Lf 4CCFqQILx8mtuOdkwTwabcCPCL4IVjnRZ+SCY7zDG7dSv5GNhp 4T4u9ba2AscYYwOLOVM01nme36p2GMdTRKkD/SUb48OlFegcDL MIhXJyzXfyUOf2uNs7JH45m3tZG+Hy7wqzOmuRew==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .65e5c4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_65e5c4: w6D5n2kfpY6auhEDHXKSb/H/BOWM6WgEc6FfMBSdkMHXBvE1+Y IOGK/LM5d2q3t2qdnE9ta80pfo5O0Hojoo5eUNwFPkZgZT41Zj AnZdnTbsw8Bo6Qmp3TehmsE7NwY86dFaHxMbGBzvJJ6raSx8Lf 4CCFqQILx8mtuOdkwTwabcCPCL4IVjnRZ+SCY7zDG7dSv5GNhp 4T4u9ba2AscYYwOLOVM01nme36p2GMdTRKkD/SUb48OlFegcDL MIhXJyzXfyUOf2uNs7JH45m3tZG+Hy7wqzOmuRew==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .65e5c4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_65e5c4: w6D5n2kfpY6auhEDHXKSb/H/BOWM6WgEc6FfMBSdkMHXBvE1+Y IOGK/LM5d2q3t2qdnE9ta80pfo5O0Hojoo5eUNwFPkZgZT41Zj AnZdnTbsw8Bo6Qmp3TehmsE7NwY86dFaHxMbGBzvJJ6raSx8Lf 4CCFqQILx8mtuOdkwTwabcCPCL4IVjnRZ+SCY7zDG7dSv5GNhp 4T4u9ba2AscYYwOLOVM01nme36p2GMdTRKkD/SUb48OlFegcDL MIhXJyzXfyUOf2uNs7JH45m3tZG+Hy7wqzOmuRew==}
URLs	http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Targets

- Target
  
  155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23
- Size
  
  4MB
- MD5
  
  568db4e58977f0795730755b16c80b07
- SHA1
  
  23231aea7dcc02eaab9c2f248bbd949d1770db8c
- SHA256
  
  155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23
- SHA512
  
  a426b5e9a4786af6558c28a577b5197704cbe224818daf2519f36a9b0f65e2f0d55e7b49f5a5ea177784fb27a4d54f0cca7125b51180b2ccf7d431375ef32c88
Score

10^/10

persistence ransomware spyware stealer
- Drops file in Drivers directory
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97
- Size
  
  208KB
- MD5
  
  7ee92bcaa1305c7964a993e7f1c3761c
- SHA1
  
  6351e156b5fe1d3ae91fec6eb367782b1373111c
- SHA256
  
  8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97
- SHA512
  
  3b5114e9b3e53ac7711df9fa5ad3dc66ce309ade04768cd334f1e1f1b311a9c36f43e6cf167d338e94116ee08dc686c0a000064a40bb2913e1e8b6b8b143c387
Score

10^/10

persistence ransomware spyware stealer
- Drops file in Drivers directory
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral3 behavioral4
- Target
  
  9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6
- Size
  
  66KB
- MD5
  
  5e7d419747ee589f724a80d9ac8b7186
- SHA1
  
  b91e9178b054811312c83f3d81cc4153d2fa38ba
- SHA256
  
  9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6
- SHA512
  
  bdd91c5551df4a3adbe56ebcf2045cad1ed924627c16236ef7579ee73974c3d784a0fc2624ecb143912315231c9565854294d021d01549f61140efe1ec2b6c23
Score

10^/10

netwalker ransomware spyware stealer
- Netwalker Ransomware
  Ransomware family with multiple versions. Also known as MailTo.
  ransomware netwalker
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral5 behavioral6
- Target
  
  a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06
- Size
  
  79KB
- MD5
  
  65eec80b04f4b8da236e7b9f8627e5e2
- SHA1
  
  47aba918cf1ef166a9868c74003496cf419e6290
- SHA256
  
  a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06
- SHA512
  
  b5c45d833fc86e42c340b08d630218fde1f816bb36c3a5920553bddf8f2acd1b6951eb402dff5e82add7f623b76e6ee5414fbdaa293df0579776fc5cad62fbd9
Score

10^/10

babuk ransomware
- Babuk Locker
  RaaS first seen in 2021 initially called Vasa Locker.
  ransomware babuk
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral7 behavioral8

MITRE ATT&CK Matrix

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Inhibit System Recovery

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Drops file in Drivers directory

Modifies extensions of user files

Drops startup file

Reads user/profile data of web browsers

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Drivers directory

Modifies extensions of user files

Drops startup file

Reads user/profile data of web browsers

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in System32 directory

Netwalker Ransomware

Deletes shadow copies

Modifies extensions of user files

Deletes itself

Reads user/profile data of web browsers

Babuk Locker

Deletes shadow copies

Modifies extensions of user files

Enumerates connected drives

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8