6059871321227264.zip

General
Target

6059871321227264.zip

Size

190KB

Sample

210701-whrbsf8996

Score

10/10
MD5

d670333be42dfb91a9a031e1693d6efe

SHA1

53c0eabf5541f8be14107f3e18b53ba1ad8d8828

SHA256

a20a1cd9fa52d3f6bc62b6b629df2273d1c579f0fffce69d2bc64895c692fb19

SHA512

3d6c025431632dc5eba4fe6a7feb5ba4fa24892717f02b123c96ba1989dc866d4d931f097da270b774404dea5b4b7d6df3db1b12879431f084b6676a679221af

Malware Config

Extracted

Path C:\$Recycle.Bin\S-1-5-21-2455352368-1077083310-2879168483-1000\HOW TO DECRYPT FILES.txt
Ransom Note
Hi, as you can see, all your files are encrypted. Don't panic, you can decrypt them, you just have to pay me for the ransom. Payment is made only by bitcoin, and the amount you have to pay is 0.03 BITCOIN You can buy very easily from these sites: www.localbitcoins.com www.paxful.com A list of several sites where you can buy bitcoin can be found here: https://bitcoin.org/en/exchanges Make sure the address where you will send the bitcoin is: 1DENGvxJZofU9BVfiScrgZHhhntJ3sAPSd After sending, contact us at this email address: zucano@tuta.io With this subject: ZUCANO03TUTA394821 After confirming the payment, you will receive a tutorial and the keys for decrypting the files.
Emails

zucano@tuta.io

Wallets

1DENGvxJZofU9BVfiScrgZHhhntJ3sAPSd

Extracted

Path C:\F43E65-Readme.txt
Family netwalker
Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .f43e65 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_f43e65: tFP0GSPudA3wtSInAhscvfzXvpX+8l2ijkOL436d3tzEe10FjP SVcGJfsY0ZiP4PzLUEDVdW1wZrykXNUE35iuIGga5wkVoW41Zj ArOjnCI4pLwFkRozDKvyJlBLfroH/ys0CblD0uaY5H3xze4CUd vRlHUDGSOodkUK0pbNjgHm0u2isc40hOk80O4cN0JorA+qzsgb Jgo+i8ncEYB4pVRVYf6vODuPONo2DANhMT9I3Vhuohs2d/TXA/ quUK7xZ8FT7TuCvYxC6E3toGAYAPfnBJuugw4rlA==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path C:\Users\Admin\Favorites\Microsoft Websites\F43E65-Readme.txt
Family netwalker
Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .f43e65 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_f43e65: tFP0GSPudA3wtSInAhscvfzXvpX+8l2ijkOL436d3tzEe10FjP SVcGJfsY0ZiP4PzLUEDVdW1wZrykXNUE35iuIGga5wkVoW41Zj ArOjnCI4pLwFkRozDKvyJlBLfroH/ys0CblD0uaY5H3xze4CUd vRlHUDGSOodkUK0pbNjgHm0u2isc40hOk80O4cN0JorA+qzsgb Jgo+i8ncEYB4pVRVYf6vODuPONo2DANhMT9I3Vhuohs2d/TXA/ quUK7xZ8FT7TuCvYxC6E3toGAYAPfnBJuugw4rlA==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\F43E65-Readme.txt
Family netwalker
Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .f43e65 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_f43e65: tFP0GSPudA3wtSInAhscvfzXvpX+8l2ijkOL436d3tzEe10FjP SVcGJfsY0ZiP4PzLUEDVdW1wZrykXNUE35iuIGga5wkVoW41Zj ArOjnCI4pLwFkRozDKvyJlBLfroH/ys0CblD0uaY5H3xze4CUd vRlHUDGSOodkUK0pbNjgHm0u2isc40hOk80O4cN0JorA+qzsgb Jgo+i8ncEYB4pVRVYf6vODuPONo2DANhMT9I3Vhuohs2d/TXA/ quUK7xZ8FT7TuCvYxC6E3toGAYAPfnBJuugw4rlA==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path C:\odt\65E5C4-Readme.txt
Family netwalker
Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .65e5c4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_65e5c4: w6D5n2kfpY6auhEDHXKSb/H/BOWM6WgEc6FfMBSdkMHXBvE1+Y IOGK/LM5d2q3t2qdnE9ta80pfo5O0Hojoo5eUNwFPkZgZT41Zj AnZdnTbsw8Bo6Qmp3TehmsE7NwY86dFaHxMbGBzvJJ6raSx8Lf 4CCFqQILx8mtuOdkwTwabcCPCL4IVjnRZ+SCY7zDG7dSv5GNhp 4T4u9ba2AscYYwOLOVM01nme36p2GMdTRKkD/SUb48OlFegcDL MIhXJyzXfyUOf2uNs7JH45m3tZG+Hy7wqzOmuRew==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path C:\65E5C4-Readme.txt
Family netwalker
Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .65e5c4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_65e5c4: w6D5n2kfpY6auhEDHXKSb/H/BOWM6WgEc6FfMBSdkMHXBvE1+Y IOGK/LM5d2q3t2qdnE9ta80pfo5O0Hojoo5eUNwFPkZgZT41Zj AnZdnTbsw8Bo6Qmp3TehmsE7NwY86dFaHxMbGBzvJJ6raSx8Lf 4CCFqQILx8mtuOdkwTwabcCPCL4IVjnRZ+SCY7zDG7dSv5GNhp 4T4u9ba2AscYYwOLOVM01nme36p2GMdTRKkD/SUb48OlFegcDL MIhXJyzXfyUOf2uNs7JH45m3tZG+Hy7wqzOmuRew==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path C:\Users\Admin\Documents\65E5C4-Readme.txt
Family netwalker
Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .65e5c4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_65e5c4: w6D5n2kfpY6auhEDHXKSb/H/BOWM6WgEc6FfMBSdkMHXBvE1+Y IOGK/LM5d2q3t2qdnE9ta80pfo5O0Hojoo5eUNwFPkZgZT41Zj AnZdnTbsw8Bo6Qmp3TehmsE7NwY86dFaHxMbGBzvJJ6raSx8Lf 4CCFqQILx8mtuOdkwTwabcCPCL4IVjnRZ+SCY7zDG7dSv5GNhp 4T4u9ba2AscYYwOLOVM01nme36p2GMdTRKkD/SUb48OlFegcDL MIhXJyzXfyUOf2uNs7JH45m3tZG+Hy7wqzOmuRew==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path C:\Users\Admin\AppData\Roaming\65E5C4-Readme.txt
Family netwalker
Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .65e5c4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_65e5c4: w6D5n2kfpY6auhEDHXKSb/H/BOWM6WgEc6FfMBSdkMHXBvE1+Y IOGK/LM5d2q3t2qdnE9ta80pfo5O0Hojoo5eUNwFPkZgZT41Zj AnZdnTbsw8Bo6Qmp3TehmsE7NwY86dFaHxMbGBzvJJ6raSx8Lf 4CCFqQILx8mtuOdkwTwabcCPCL4IVjnRZ+SCY7zDG7dSv5GNhp 4T4u9ba2AscYYwOLOVM01nme36p2GMdTRKkD/SUb48OlFegcDL MIhXJyzXfyUOf2uNs7JH45m3tZG+Hy7wqzOmuRew==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Targets
Target

155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23

MD5

568db4e58977f0795730755b16c80b07

Filesize

4MB

Score
10/10
SHA1

23231aea7dcc02eaab9c2f248bbd949d1770db8c

SHA256

155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23

SHA512

a426b5e9a4786af6558c28a577b5197704cbe224818daf2519f36a9b0f65e2f0d55e7b49f5a5ea177784fb27a4d54f0cca7125b51180b2ccf7d431375ef32c88

Signatures

  • Drops file in Drivers directory

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System; Credentials in Files

  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

  • Drops desktop.ini file(s)

  • Drops file in System32 directory

Target

8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97

MD5

7ee92bcaa1305c7964a993e7f1c3761c

Filesize

208KB

Score
10/10
SHA1

6351e156b5fe1d3ae91fec6eb367782b1373111c

SHA256

8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97

SHA512

3b5114e9b3e53ac7711df9fa5ad3dc66ce309ade04768cd334f1e1f1b311a9c36f43e6cf167d338e94116ee08dc686c0a000064a40bb2913e1e8b6b8b143c387

Signatures

  • Drops file in Drivers directory

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System; Credentials in Files

  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

  • Drops desktop.ini file(s)

  • Drops file in System32 directory

Target

9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6

MD5

5e7d419747ee589f724a80d9ac8b7186

Filesize

66KB

Score
10/10
SHA1

b91e9178b054811312c83f3d81cc4153d2fa38ba

SHA256

9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6

SHA512

bdd91c5551df4a3adbe56ebcf2045cad1ed924627c16236ef7579ee73974c3d784a0fc2624ecb143912315231c9565854294d021d01549f61140efe1ec2b6c23

Signatures

  • Netwalker Ransomware

    Description

    Ransomware family with multiple versions. Also known as MailTo.

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    TTPs

    File Deletion; Inhibit System Recovery

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System; Credentials in Files

Target

a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06

MD5

65eec80b04f4b8da236e7b9f8627e5e2

Filesize

79KB

Score
10/10
SHA1

47aba918cf1ef166a9868c74003496cf419e6290

SHA256

a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06

SHA512

b5c45d833fc86e42c340b08d630218fde1f816bb36c3a5920553bddf8f2acd1b6951eb402dff5e82add7f623b76e6ee5414fbdaa293df0579776fc5cad62fbd9

Signatures

  • Babuk Locker

    Description

    RaaS first seen in 2021 initially called Vasa Locker.

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    TTPs

    File Deletion; Inhibit System Recovery

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry; Peripheral Device Discovery; System Information Discovery

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Execution
  • Exfiltration
  • Initial Access
  • Lateral Movement
  • Privilege Escalation