General

  • Target

    6059871321227264.zip

  • Size

    190KB

  • Sample

    210701-whrbsf8996

  • MD5

    d670333be42dfb91a9a031e1693d6efe

  • SHA1

    53c0eabf5541f8be14107f3e18b53ba1ad8d8828

  • SHA256

    a20a1cd9fa52d3f6bc62b6b629df2273d1c579f0fffce69d2bc64895c692fb19

  • SHA512

    3d6c025431632dc5eba4fe6a7feb5ba4fa24892717f02b123c96ba1989dc866d4d931f097da270b774404dea5b4b7d6df3db1b12879431f084b6676a679221af

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2455352368-1077083310-2879168483-1000\HOW TO DECRYPT FILES.txt

Ransom Note Hi, as you can see, all your files are encrypted. Don't panic, you can decrypt them, you just have to pay me for the ransom. Payment is made only by bitcoin, and the amount you have to pay is 0.03 BITCOIN You can buy very easily from these sites: www.localbitcoins.com www.paxful.com A list of several sites where you can buy bitcoin can be found here: https://bitcoin.org/en/exchanges Make sure the address where you will send the bitcoin is: 1DENGvxJZofU9BVfiScrgZHhhntJ3sAPSd After sending, contact us at this email address: zucano@tuta.io With this subject: ZUCANO03TUTA394821 After confirming the payment, you will receive a tutorial and the keys for decrypting the files.
Emails

zucano@tuta.io

Wallets

1DENGvxJZofU9BVfiScrgZHhhntJ3sAPSd

Extracted

Path

C:\F43E65-Readme.txt

Family

netwalker

Ransom Note Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .f43e65 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_f43e65: tFP0GSPudA3wtSInAhscvfzXvpX+8l2ijkOL436d3tzEe10FjP SVcGJfsY0ZiP4PzLUEDVdW1wZrykXNUE35iuIGga5wkVoW41Zj ArOjnCI4pLwFkRozDKvyJlBLfroH/ys0CblD0uaY5H3xze4CUd vRlHUDGSOodkUK0pbNjgHm0u2isc40hOk80O4cN0JorA+qzsgb Jgo+i8ncEYB4pVRVYf6vODuPONo2DANhMT9I3Vhuohs2d/TXA/ quUK7xZ8FT7TuCvYxC6E3toGAYAPfnBJuugw4rlA==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Users\Admin\Favorites\Microsoft Websites\F43E65-Readme.txt

Family

netwalker

Ransom Note Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .f43e65 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_f43e65: tFP0GSPudA3wtSInAhscvfzXvpX+8l2ijkOL436d3tzEe10FjP SVcGJfsY0ZiP4PzLUEDVdW1wZrykXNUE35iuIGga5wkVoW41Zj ArOjnCI4pLwFkRozDKvyJlBLfroH/ys0CblD0uaY5H3xze4CUd vRlHUDGSOodkUK0pbNjgHm0u2isc40hOk80O4cN0JorA+qzsgb Jgo+i8ncEYB4pVRVYf6vODuPONo2DANhMT9I3Vhuohs2d/TXA/ quUK7xZ8FT7TuCvYxC6E3toGAYAPfnBJuugw4rlA==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .f43e65 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_f43e65: tFP0GSPudA3wtSInAhscvfzXvpX+8l2ijkOL436d3tzEe10FjP SVcGJfsY0ZiP4PzLUEDVdW1wZrykXNUE35iuIGga5wkVoW41Zj ArOjnCI4pLwFkRozDKvyJlBLfroH/ys0CblD0uaY5H3xze4CUd vRlHUDGSOodkUK0pbNjgHm0u2isc40hOk80O4cN0JorA+qzsgb Jgo+i8ncEYB4pVRVYf6vODuPONo2DANhMT9I3Vhuohs2d/TXA/ quUK7xZ8FT7TuCvYxC6E3toGAYAPfnBJuugw4rlA==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\F43E65-Readme.txt

Family

netwalker

Ransom Note Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .f43e65 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_f43e65: tFP0GSPudA3wtSInAhscvfzXvpX+8l2ijkOL436d3tzEe10FjP SVcGJfsY0ZiP4PzLUEDVdW1wZrykXNUE35iuIGga5wkVoW41Zj ArOjnCI4pLwFkRozDKvyJlBLfroH/ys0CblD0uaY5H3xze4CUd vRlHUDGSOodkUK0pbNjgHm0u2isc40hOk80O4cN0JorA+qzsgb Jgo+i8ncEYB4pVRVYf6vODuPONo2DANhMT9I3Vhuohs2d/TXA/ quUK7xZ8FT7TuCvYxC6E3toGAYAPfnBJuugw4rlA==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .f43e65 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_f43e65: tFP0GSPudA3wtSInAhscvfzXvpX+8l2ijkOL436d3tzEe10FjP SVcGJfsY0ZiP4PzLUEDVdW1wZrykXNUE35iuIGga5wkVoW41Zj ArOjnCI4pLwFkRozDKvyJlBLfroH/ys0CblD0uaY5H3xze4CUd vRlHUDGSOodkUK0pbNjgHm0u2isc40hOk80O4cN0JorA+qzsgb Jgo+i8ncEYB4pVRVYf6vODuPONo2DANhMT9I3Vhuohs2d/TXA/ quUK7xZ8FT7TuCvYxC6E3toGAYAPfnBJuugw4rlA==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .f43e65 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_f43e65: tFP0GSPudA3wtSInAhscvfzXvpX+8l2ijkOL436d3tzEe10FjP SVcGJfsY0ZiP4PzLUEDVdW1wZrykXNUE35iuIGga5wkVoW41Zj ArOjnCI4pLwFkRozDKvyJlBLfroH/ys0CblD0uaY5H3xze4CUd vRlHUDGSOodkUK0pbNjgHm0u2isc40hOk80O4cN0JorA+qzsgb Jgo+i8ncEYB4pVRVYf6vODuPONo2DANhMT9I3Vhuohs2d/TXA/ quUK7xZ8FT7TuCvYxC6E3toGAYAPfnBJuugw4rlA==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\odt\65E5C4-Readme.txt

Family

netwalker

Ransom Note Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .65e5c4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_65e5c4: w6D5n2kfpY6auhEDHXKSb/H/BOWM6WgEc6FfMBSdkMHXBvE1+Y IOGK/LM5d2q3t2qdnE9ta80pfo5O0Hojoo5eUNwFPkZgZT41Zj AnZdnTbsw8Bo6Qmp3TehmsE7NwY86dFaHxMbGBzvJJ6raSx8Lf 4CCFqQILx8mtuOdkwTwabcCPCL4IVjnRZ+SCY7zDG7dSv5GNhp 4T4u9ba2AscYYwOLOVM01nme36p2GMdTRKkD/SUb48OlFegcDL MIhXJyzXfyUOf2uNs7JH45m3tZG+Hy7wqzOmuRew==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\65E5C4-Readme.txt

Family

netwalker

Ransom Note Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .65e5c4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_65e5c4: w6D5n2kfpY6auhEDHXKSb/H/BOWM6WgEc6FfMBSdkMHXBvE1+Y IOGK/LM5d2q3t2qdnE9ta80pfo5O0Hojoo5eUNwFPkZgZT41Zj AnZdnTbsw8Bo6Qmp3TehmsE7NwY86dFaHxMbGBzvJJ6raSx8Lf 4CCFqQILx8mtuOdkwTwabcCPCL4IVjnRZ+SCY7zDG7dSv5GNhp 4T4u9ba2AscYYwOLOVM01nme36p2GMdTRKkD/SUb48OlFegcDL MIhXJyzXfyUOf2uNs7JH45m3tZG+Hy7wqzOmuRew==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .65e5c4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_65e5c4: w6D5n2kfpY6auhEDHXKSb/H/BOWM6WgEc6FfMBSdkMHXBvE1+Y IOGK/LM5d2q3t2qdnE9ta80pfo5O0Hojoo5eUNwFPkZgZT41Zj AnZdnTbsw8Bo6Qmp3TehmsE7NwY86dFaHxMbGBzvJJ6raSx8Lf 4CCFqQILx8mtuOdkwTwabcCPCL4IVjnRZ+SCY7zDG7dSv5GNhp 4T4u9ba2AscYYwOLOVM01nme36p2GMdTRKkD/SUb48OlFegcDL MIhXJyzXfyUOf2uNs7JH45m3tZG+Hy7wqzOmuRew==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Users\Admin\Documents\65E5C4-Readme.txt

Family

netwalker

Ransom Note Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .65e5c4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_65e5c4: w6D5n2kfpY6auhEDHXKSb/H/BOWM6WgEc6FfMBSdkMHXBvE1+Y IOGK/LM5d2q3t2qdnE9ta80pfo5O0Hojoo5eUNwFPkZgZT41Zj AnZdnTbsw8Bo6Qmp3TehmsE7NwY86dFaHxMbGBzvJJ6raSx8Lf 4CCFqQILx8mtuOdkwTwabcCPCL4IVjnRZ+SCY7zDG7dSv5GNhp 4T4u9ba2AscYYwOLOVM01nme36p2GMdTRKkD/SUb48OlFegcDL MIhXJyzXfyUOf2uNs7JH45m3tZG+Hy7wqzOmuRew==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .65e5c4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_65e5c4: w6D5n2kfpY6auhEDHXKSb/H/BOWM6WgEc6FfMBSdkMHXBvE1+Y IOGK/LM5d2q3t2qdnE9ta80pfo5O0Hojoo5eUNwFPkZgZT41Zj AnZdnTbsw8Bo6Qmp3TehmsE7NwY86dFaHxMbGBzvJJ6raSx8Lf 4CCFqQILx8mtuOdkwTwabcCPCL4IVjnRZ+SCY7zDG7dSv5GNhp 4T4u9ba2AscYYwOLOVM01nme36p2GMdTRKkD/SUb48OlFegcDL MIhXJyzXfyUOf2uNs7JH45m3tZG+Hy7wqzOmuRew==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .65e5c4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_65e5c4: w6D5n2kfpY6auhEDHXKSb/H/BOWM6WgEc6FfMBSdkMHXBvE1+Y IOGK/LM5d2q3t2qdnE9ta80pfo5O0Hojoo5eUNwFPkZgZT41Zj AnZdnTbsw8Bo6Qmp3TehmsE7NwY86dFaHxMbGBzvJJ6raSx8Lf 4CCFqQILx8mtuOdkwTwabcCPCL4IVjnRZ+SCY7zDG7dSv5GNhp 4T4u9ba2AscYYwOLOVM01nme36p2GMdTRKkD/SUb48OlFegcDL MIhXJyzXfyUOf2uNs7JH45m3tZG+Hy7wqzOmuRew==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Users\Admin\AppData\Roaming\65E5C4-Readme.txt

Family

netwalker

Ransom Note Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .65e5c4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_65e5c4: w6D5n2kfpY6auhEDHXKSb/H/BOWM6WgEc6FfMBSdkMHXBvE1+Y IOGK/LM5d2q3t2qdnE9ta80pfo5O0Hojoo5eUNwFPkZgZT41Zj AnZdnTbsw8Bo6Qmp3TehmsE7NwY86dFaHxMbGBzvJJ6raSx8Lf 4CCFqQILx8mtuOdkwTwabcCPCL4IVjnRZ+SCY7zDG7dSv5GNhp 4T4u9ba2AscYYwOLOVM01nme36p2GMdTRKkD/SUb48OlFegcDL MIhXJyzXfyUOf2uNs7JH45m3tZG+Hy7wqzOmuRew==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .65e5c4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_65e5c4: w6D5n2kfpY6auhEDHXKSb/H/BOWM6WgEc6FfMBSdkMHXBvE1+Y IOGK/LM5d2q3t2qdnE9ta80pfo5O0Hojoo5eUNwFPkZgZT41Zj AnZdnTbsw8Bo6Qmp3TehmsE7NwY86dFaHxMbGBzvJJ6raSx8Lf 4CCFqQILx8mtuOdkwTwabcCPCL4IVjnRZ+SCY7zDG7dSv5GNhp 4T4u9ba2AscYYwOLOVM01nme36p2GMdTRKkD/SUb48OlFegcDL MIhXJyzXfyUOf2uNs7JH45m3tZG+Hy7wqzOmuRew==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .65e5c4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_65e5c4: w6D5n2kfpY6auhEDHXKSb/H/BOWM6WgEc6FfMBSdkMHXBvE1+Y IOGK/LM5d2q3t2qdnE9ta80pfo5O0Hojoo5eUNwFPkZgZT41Zj AnZdnTbsw8Bo6Qmp3TehmsE7NwY86dFaHxMbGBzvJJ6raSx8Lf 4CCFqQILx8mtuOdkwTwabcCPCL4IVjnRZ+SCY7zDG7dSv5GNhp 4T4u9ba2AscYYwOLOVM01nme36p2GMdTRKkD/SUb48OlFegcDL MIhXJyzXfyUOf2uNs7JH45m3tZG+Hy7wqzOmuRew==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .65e5c4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_65e5c4: w6D5n2kfpY6auhEDHXKSb/H/BOWM6WgEc6FfMBSdkMHXBvE1+Y IOGK/LM5d2q3t2qdnE9ta80pfo5O0Hojoo5eUNwFPkZgZT41Zj AnZdnTbsw8Bo6Qmp3TehmsE7NwY86dFaHxMbGBzvJJ6raSx8Lf 4CCFqQILx8mtuOdkwTwabcCPCL4IVjnRZ+SCY7zDG7dSv5GNhp 4T4u9ba2AscYYwOLOVM01nme36p2GMdTRKkD/SUb48OlFegcDL MIhXJyzXfyUOf2uNs7JH45m3tZG+Hy7wqzOmuRew==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .65e5c4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_65e5c4: w6D5n2kfpY6auhEDHXKSb/H/BOWM6WgEc6FfMBSdkMHXBvE1+Y IOGK/LM5d2q3t2qdnE9ta80pfo5O0Hojoo5eUNwFPkZgZT41Zj AnZdnTbsw8Bo6Qmp3TehmsE7NwY86dFaHxMbGBzvJJ6raSx8Lf 4CCFqQILx8mtuOdkwTwabcCPCL4IVjnRZ+SCY7zDG7dSv5GNhp 4T4u9ba2AscYYwOLOVM01nme36p2GMdTRKkD/SUb48OlFegcDL MIhXJyzXfyUOf2uNs7JH45m3tZG+Hy7wqzOmuRew==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Targets

    • Target

      155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23

    • Size

      4MB

    • MD5

      568db4e58977f0795730755b16c80b07

    • SHA1

      23231aea7dcc02eaab9c2f248bbd949d1770db8c

    • SHA256

      155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23

    • SHA512

      a426b5e9a4786af6558c28a577b5197704cbe224818daf2519f36a9b0f65e2f0d55e7b49f5a5ea177784fb27a4d54f0cca7125b51180b2ccf7d431375ef32c88

    • Drops file in Drivers directory

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Target

      8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97

    • Size

      208KB

    • MD5

      7ee92bcaa1305c7964a993e7f1c3761c

    • SHA1

      6351e156b5fe1d3ae91fec6eb367782b1373111c

    • SHA256

      8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97

    • SHA512

      3b5114e9b3e53ac7711df9fa5ad3dc66ce309ade04768cd334f1e1f1b311a9c36f43e6cf167d338e94116ee08dc686c0a000064a40bb2913e1e8b6b8b143c387

    • Drops file in Drivers directory

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Target

      9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6

    • Size

      66KB

    • MD5

      5e7d419747ee589f724a80d9ac8b7186

    • SHA1

      b91e9178b054811312c83f3d81cc4153d2fa38ba

    • SHA256

      9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6

    • SHA512

      bdd91c5551df4a3adbe56ebcf2045cad1ed924627c16236ef7579ee73974c3d784a0fc2624ecb143912315231c9565854294d021d01549f61140efe1ec2b6c23

    • Netwalker Ransomware

      Ransomware family with multiple versions. Also known as MailTo.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06

    • Size

      79KB

    • MD5

      65eec80b04f4b8da236e7b9f8627e5e2

    • SHA1

      47aba918cf1ef166a9868c74003496cf419e6290

    • SHA256

      a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06

    • SHA512

      b5c45d833fc86e42c340b08d630218fde1f816bb36c3a5920553bddf8f2acd1b6951eb402dff5e82add7f623b76e6ee5414fbdaa293df0579776fc5cad62fbd9

    Score
    10/10
    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Execution

      Exfiltration

        Initial Access

          Lateral Movement

            Privilege Escalation