Extracted

• • Target

    2024-04-23_efeb1be8bd41130cd7c545010d140afa_babuk_mailto

  • Size

    94KB

  • MD5

    efeb1be8bd41130cd7c545010d140afa

  • SHA1

    a056845be51604a73cac17479f04d9077c202e05

  • SHA256

    4fb90e7f4baa933ad69be3abb36dbb586dc86e6162d7ac70a504a0c8942ea798

  • SHA512

    291c73ba102104a365c6769b8b29451a3594b06fbe65fe0a8f45d613981bb4ded5e23331ec65148c0a67a90de8fd0cc2c8379909bd2916f1f72cb2ddc68f934a

  • SSDEEP

    1536:NQVlCPQRhNs3POdM0ty2XGe0W7Pbk3sPkO5M/Y8fGMNvgaNg:NQ3CPAC/YM0tyAGe0WDPx9MNvg8g

  Score

  10^/10

  netwalkerpersistenceransomware

  • Detected Netwalker Ransomware

    Detected unpacked Netwalker executable.

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

    ransomwarenetwalker

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Renames multiple (566) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Deletes itself

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2