General
-
Target
winbio.exe
-
Size
69KB
-
Sample
240225-qf8yssdc2z
-
MD5
2edbacd070d1949bb5d97d3a6e4e23f6
-
SHA1
761168968a1d951848a36ad428ee4d05153f1e01
-
SHA256
8894b6508e7b3d8759a53d0ac7a6ceb39fd63ba65b1e89be62b2acdce7781fdc
-
SHA512
a4b282b8c91124a6dc465573842a03b5fcf346af6e561eef66ea405fcb784251044e2f8a2c0a61cbb0e29f7efc02a71d131930b70e2c021978d00c0b3c38f344
-
SSDEEP
1536:juCWRxL7hbUiQfovecnXUU+hhOZuIWiFp+ZfaBZebC33O+MEYTb:KCWf7VJQfmeMXvkhOZu1iFBBZebC3+
Behavioral task
behavioral1
Sample
winbio.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
winbio.exe
Resource
win10v2004-20240221-en
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\10BED9-Readme.txt
netwalker
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted
C:\ProgramData\Microsoft\User Account Pictures\1E9AE0-Readme.txt
netwalker
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Targets
-
-
Target
winbio.exe
-
Size
69KB
-
MD5
2edbacd070d1949bb5d97d3a6e4e23f6
-
SHA1
761168968a1d951848a36ad428ee4d05153f1e01
-
SHA256
8894b6508e7b3d8759a53d0ac7a6ceb39fd63ba65b1e89be62b2acdce7781fdc
-
SHA512
a4b282b8c91124a6dc465573842a03b5fcf346af6e561eef66ea405fcb784251044e2f8a2c0a61cbb0e29f7efc02a71d131930b70e2c021978d00c0b3c38f344
-
SSDEEP
1536:juCWRxL7hbUiQfovecnXUU+hhOZuIWiFp+ZfaBZebC33O+MEYTb:KCWf7VJQfmeMXvkhOZu1iFBBZebC3+
Score10/10-
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Renames multiple (7433) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself
-