netwalker | 06b8638fdd478672cfe140221233cacfae6d2890446a5c57c8b1317a27d2a036

Sharing

Copy URL

Twitter E-mail

General

Target

06b8638fdd478672cfe140221233cacfae6d2890446a5c57c8b1317a27d2a036
Size

331KB
MD5

9aa3089af134627ef48b178db606268a
SHA1

1348d76072280a489cc8d6a15aeb3617b59585ba
SHA256

06b8638fdd478672cfe140221233cacfae6d2890446a5c57c8b1317a27d2a036
SHA512

bbd57a9a08287c6b27a656d0d2eb60f5aefd0bdf49d104652128eb044c4756469cd5968a2e4bb68e6fb935daa1d08719f61113eb7e25701ae630fc475446fc89
SSDEEP

6144:87J3yBRHu27k3VH1XaZdkVyzZP0z5NfmkNn0fEDZfBTbgOv:r3O73J1MdkV8P0FVnB0fsTbgM

Score

10^/10

cryptone packer netwalker

Malware Config

Signatures

Detected Netwalker Ransomware 1 IoCs
Detected unpacked Netwalker executable.

Processes:

resource yara_rule

sample netwalker_ransomware
Netwalker family
netwalker
CryptOne packer 1 IoCs
Detects CryptOne packer defined in NCC blogpost.
cryptone packer

Processes:

resource yara_rule

sample cryptone

resource	yara_rule
sample	netwalker_ransomware

resource	yara_rule
sample	cryptone

Files

06b8638fdd478672cfe140221233cacfae6d2890446a5c57c8b1317a27d2a036
.exe windows x86

2099ac0ab4d14e16e81e0d123e2f1fcb

Code Sign

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetErrorMode
LoadLibraryA
GetProcAddress
VirtualAlloc
GetModuleHandleW
lstrlenW
lstrcmpA
WriteProcessMemory
WriteFile
WideCharToMultiByte
WaitForSingleObject
WaitForMultipleObjectsEx
VirtualQueryEx
VirtualQuery
VirtualProtectEx
VirtualProtect
VirtualFree
UnmapViewOfFile
TerminateThread
TerminateProcess
SystemTimeToFileTime
SuspendThread
Sleep
SizeofResource
SetThreadPriority
SetThreadContext
SetThreadAffinityMask
SetPriorityClass
SetLastError
SetFilePointer
SetEvent
ResumeThread
ResetEvent
ReleaseSemaphore
ReleaseMutex
ReadProcessMemory
ReadFile
QueryPerformanceFrequency
QueryPerformanceCounter
PulseEvent
OutputDebugStringW
OpenProcess
OpenMutexW
OpenFileMappingA
OpenEventA
MultiByteToWideChar
MulDiv
MapViewOfFile
LockResource
LocalFree
LocalAlloc
LoadResource
LoadLibraryExA
LoadLibraryExW
LoadLibraryW
LeaveCriticalSection
InitializeCriticalSection
GlobalUnlock
GlobalSize
GlobalReAlloc
GlobalHandle
GlobalLock
GlobalFree
GlobalFindAtomW
GlobalDeleteAtom
GlobalAlloc
GlobalAddAtomW
GetWindowsDirectoryA
GetWindowsDirectoryW
GetVolumeInformationA
GetVersionExA
GetVersionExW
GetVersion
GetTickCount
GetThreadPriority
GetThreadLocale
GetThreadContext
GetTempPathW
GetTempFileNameW
GetSystemTime
GetSystemInfo
GetSystemDirectoryA
GetSystemDirectoryW
GetStartupInfoW
GetProcessVersion
GetProcessAffinityMask
GetPriorityClass
GetModuleHandleA
GetModuleFileNameA
GetModuleFileNameW
GetLogicalDrives
GetLastError
GetFileSize
GetFileAttributesA
GetFileAttributesW
GetExitCodeThread
GetExitCodeProcess
GetDriveTypeW
GetCurrentThreadId
GetCurrentThread
GetCurrentProcessId
GetCurrentProcess
GetCommandLineA
FreeResource
InterlockedIncrement
InterlockedDecrement
FreeLibrary
FormatMessageA
FormatMessageW
FlushFileBuffers
FindResourceA
FindResourceW
FindNextFileW
FindFirstFileA
FindFirstFileW
FindClose
FileTimeToDosDateTime
ExitProcess
EnumResourceNamesW
EnterCriticalSection
DuplicateHandle
DisconnectNamedPipe
DeleteCriticalSection
CreateThread
CreateSemaphoreW
CreateNamedPipeW
CreateMutexA
CreateMutexW
CreateFileMappingA
CreateFileMappingW
CreateFileA
CreateFileW
CreateEventA
CreateEventW
ConnectNamedPipe
CompareStringW
CloseHandle
CancelIo
FindAtomA
EnumResourceLanguagesA
FindNextVolumeA
SetNamedPipeHandleState
GetDateFormatA
UnregisterWaitEx
GetTimeZoneInformation
GetConsoleTitleW
BackupWrite
SetTapePosition
VerLanguageNameA
SetInformationJobObject
GetProcessIoCounters
ConvertThreadToFiber
TransmitCommChar

user32

GetMessagePos
CharNextA
LoadIconA
LoadCursorFromFileA
CloseWindow
IsClipboardFormatAvailable
GetWindowTextLengthA
GetTopWindow
IsWindowEnabled
LoadCursorFromFileW
IsIconic
DestroyIcon
DestroyWindow
GetMessageTime
GetOpenClipboardWindow
IsCharAlphaNumericW
GetListBoxInfo
IsCharLowerA
GetDoubleClickTime
GetClipboardData
GetClipboardOwner
WindowFromPoint
WaitForInputIdle
TranslateMessage
SystemParametersInfoW
AnimateWindow
ShowWindow
ShowOwnedPopups
SetWindowRgn
SetWindowPos
SetWindowPlacement
SetWindowLongW
SetTimer
SetScrollInfo
SetRect
SetPropA
SetParent
SetForegroundWindow
SetCursorPos
SetClipboardData
SetClassLongW
SendNotifyMessageW
SendMessageTimeoutA
SendMessageTimeoutW
SendMessageCallbackA
SendMessageA
SendMessageW
ScrollWindow
RemovePropA
ReleaseDC
RegisterWindowMessageW
RegisterClipboardFormatW
PtInRect
PostThreadMessageA
PostMessageA
PostMessageW
OffsetRect
MsgWaitForMultipleObjects
LoadImageW
LoadIconW
LoadCursorW
LoadBitmapW
KillTimer
IsZoomed
IsWindowVisible
IsWindowUnicode
IsWindow
InvalidateRect
InsertMenuW
InflateRect
GetWindowThreadProcessId
GetWindowRect
GetWindowPlacement
GetWindowLongW
GetUserObjectInformationW
GetThreadDesktop
GetSystemMetrics
GetSystemMenu
GetSysColor
GetScrollInfo
GetPropA
GetParent
GetWindow
GetMessageW
GetMenu
GetKeyState
GetForegroundWindow
GetDC
GetCursorPos
GetClientRect
GetClassNameA
GetClassLongW
GetAsyncKeyState
FrameRect
FindWindowExA
FindWindowExW
FindWindowW
EnumWindows
EnumThreadWindows
EnableWindow
EnableMenuItem
DrawTextW
DrawMenuBar
DrawFrameControl
DrawFocusRect
DispatchMessageW
DefWindowProcW
CreateIconFromResource
ChildWindowFromPointEx
CharUpperBuffW
CharUpperW
CharNextExA
CharLowerBuffW
CharLowerW
BringWindowToTop
AttachThreadInput
AdjustWindowRectEx
GrayStringA
GetWindowTextW
DdeInitializeA
SetDlgItemInt
IsCharAlphaW
OemToCharA
CheckDlgButton
InsertMenuItemA
SetKeyboardState
ChangeMenuW
ImpersonateDdeClientWindow
GetMenuDefaultItem
EnumChildWindows
IsCharAlphaNumericA
SetCapture
DdeConnect
RegisterShellHookWindow
GetCaretBlinkTime
IMPSetIMEW
SetActiveWindow
GetMenuBarInfo
CharUpperBuffA
DefDlgProcA
DdeQueryStringA
EndMenu
UnloadKeyboardLayout
CharNextW
SetMenu
GetCaretPos
GetComboBoxInfo
SendMessageCallbackW
LoadKeyboardLayoutW
DdePostAdvise
GetWindowModuleFileNameA
DdeQueryConvInfo
ValidateRect
ReuseDDElParam
SetFocus
IsChild
GetFocus
FillRect
EndPaint
BeginPaint

gdi32

GetStockObject
CreateCompatibleDC
GetObjectType
RealizePalette
GetMapMode
GetFontLanguageInfo
GetROP2
TranslateCharsetInfo
TextOutW
StrokePath
StretchDIBits
StretchBlt
StartPage
StartDocW
SetWindowOrgEx
SetWindowExtEx
SetViewportExtEx
SetTextJustification
SetTextCharacterExtra
SetTextColor
SetTextAlign
SetStretchBltMode
SetMapMode
SetBrushOrgEx
SetBkMode
SetBkColor
SetAbortProc
SelectPalette
SelectObject
SelectClipRgn
PtInRegion
PatBlt
MoveToEx
LineTo
GetWindowOrgEx
GetWindowExtEx
GetViewportExtEx
GetTextMetricsW
GetTextExtentPointW
GetTextExtentPoint32W
GetTextExtentExPointW
GetSystemPaletteEntries
GetPaletteEntries
GetObjectW
GetNearestPaletteIndex
GetDeviceCaps
GetDIBits
GetClipRgn
GetBrushOrgEx
GdiFlush
FillRgn
ExtTextOutW
ExtCreateRegion
ExtCreatePen
EndPath
EndPage
EndDoc
DeleteObject
DeleteDC
DPtoLP
CreateRoundRectRgn
CreateRectRgnIndirect
CreateRectRgn
CreatePolygonRgn
CreatePalette
CreateICW
CreateFontIndirectW
CreateEllipticRgnIndirect
CreateDIBitmap
CreateDIBSection
CreateDCW
CreateCompatibleBitmap
CreateBitmap
CombineRgn
CloseFigure
BitBlt
BeginPath
AbortDoc
ResetDCW
SetDIBits
AddFontResourceA
UnrealizeObject
FlattenPath
GdiGetLocalBrush
GdiEntry14
PolyPolyline
GetStretchBltMode
GetObjectA
AnimatePalette
EngCreateDeviceSurface
GetDCOrgEx
GetRegionData
CreateFontIndirectExA
GetKerningPairs
CreateEnhMetaFileW
SetLayoutWidth
DeleteEnhMetaFile
GdiReleaseDC
PATHOBJ_bEnum
GdiAlphaBlend
PATHOBJ_vGetBounds
FillPath
GdiIsMetaFileDC
GdiInitializeLanguagePack
RestoreDC
SetICMProfileW
CreateColorSpaceA
GetTextCharsetInfo
ArcTo
EngQueryEMFInfo
EngAssociateSurface
CreateColorSpaceW
EudcLoadLinkW
FONTOBJ_cGetGlyphs
PolyTextOutA
UpdateColors
EngStretchBltROP
SaveDC
IntersectClipRect
GetClipBox
ExcludeClipRect
CreateSolidBrush

advapi32

RegOpenKeyA
RegQueryValueExA
SetSecurityDescriptorDacl
RegUnLoadKeyW
RegOpenKeyExA
RegLoadKeyW
RegCloseKey
OpenProcessToken
LookupAccountSidA
LookupAccountSidW
InitializeSecurityDescriptor
GetTokenInformation
GetLengthSid
GetUserNameW
GetKernelObjectSecurity
CryptSetProvParam
CryptGetProvParam
CryptDestroyHash
CryptSignHashA
CryptSetHashParam
CryptCreateHash
CryptImportKey
CryptExportKey
CryptReleaseContext
CryptDestroyKey
CryptGetUserKey
CryptAcquireContextA
CryptDecrypt
RegQueryValueExW
RegOpenKeyW

shell32

SHGetFileInfoA
ShellExecuteW
Shell_NotifyIconW
DragQueryFileW
DragFinish
SHGetFolderPathA
SHGetFolderPathW
SHGetSpecialFolderLocation
SHGetPathFromIDListA
SHGetPathFromIDListW
SHCreateDirectoryExA
SHFileOperation
ExtractIconExW
SHAppBarMessage
SHGetIconOverlayIndexW
SHGetDataFromIDListA
SHBrowseForFolder

ole32

CreateStreamOnHGlobal
OleUninitialize
CoTaskMemFree
CoCreateInstance
CoUninitialize
CoInitialize
GetHGlobalFromStream
CoCreateGuid

shlwapi

StrStrW
StrCmpNIA

comctl32

ImageList_GetIconSize
ImageList_Write
ImageList_Read
ImageList_GetIcon
ImageList_ReplaceIcon
ImageList_GetImageCount
ImageList_Destroy
ImageList_Create
InitializeFlatSB
FlatSB_SetScrollProp
FlatSB_SetScrollPos
FlatSB_SetScrollInfo
FlatSB_GetScrollPos
FlatSB_GetScrollInfo

Sections

.text
Size: 243KB - Virtual size: 243KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 291B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 50KB - Virtual size: 51KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 36KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

2099ac0ab4d14e16e81e0d123e2f1fcb

Code Sign

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

ole32

shlwapi

comctl32

Sections

.text Size: 243KB - Virtual size: 243KB

.rdata Size: 512B - Virtual size: 291B

.data Size: 50KB - Virtual size: 51KB

.rsrc Size: 36KB - Virtual size: 35KB

.text
Size: 243KB - Virtual size: 243KB

.rdata
Size: 512B - Virtual size: 291B

.data
Size: 50KB - Virtual size: 51KB

.rsrc
Size: 36KB - Virtual size: 35KB