Overview

overview

10

Static

static

9

aee5f89896...17.exe

windows7-x64

10

aee5f89896...17.exe

windows10-2004-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe

  • Size

    282KB

  • Sample

    241124-2w7w8azpcn

  • MD5

    38f3d7cdc3ec83dfd3b8309b569481bc

  • SHA1

    4398b03f857a45af838f0d2b8094a367708c0968

  • SHA256

    aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17

  • SHA512

    14d6d4c611a910c5e9b83c58f42acdee9dd69356066dabdef7386d5c8dc67ab9e153f2e906097f44324babfbf8c5ea0b7156c0befeecb39eaf639fefa24c0858

  • SSDEEP

    3072:uvgIGSgSWSQ2qobyyBPgKlBkqdX2z6oXo:SgIGSgpSQ2J7PLlBkYXxoY

Score
10/10
netwalkercryptonedefense_evasiondiscoveryexecutionimpactpackerransomwarespywarestealer

Malware Config

Extracted

Path

C:\Program Files (x86)\MSBuild\BA3AAF-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .ba3aaf -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_ba3aaf: kPowKQX10aXt/INXPlQa2DQsbQ541dhNK7Ng0ivZViSJ5L/JiE cVUFLPYQoS6aQT3buiJXAbR1FkeHYfl9HT2G5jbnvIxExR41Zj AiU7RZyEAfvOsFbFIs+WUNrVSHkf8eQY8Hxyj4DkWlQugZAucv Z63VZOTYp3t0E/d1JScMa6wbdDvUNlb7o/UlQb+7o80SfdRL1x x43ImJbrBn7PQ2At5NLG+RzsLsAyEFq3dGfvk9tUBEtThwbxbk hUFaLvFcBYVuH4uJj2g4TURz/8morbvD9I8kZb1Q==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\CA3D36-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .ca3d36 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_ca3d36: VicDL0xHv5eIKjwAgKOjRGx/mCoF/KoDA8QbjoQvhNnLcD7a7/ 8RnjTrh0/VS84eiMq5UzKlTbNVg3MeQUh/vm/IhdUznLZb41Zj Aif/rxN0s5agA/E2vRo0u6g5wIPjiDgafqR6Q6I8j1d6Px9Qkd 1zMfJl92RKa1WVaGxpnYOsEb1A7/cWipsR1XiutzXmgKWahlnj NJhh9CetMx0kNvaBOylxNdWI+JXOE8AAg3iEsRMQpiPugto2b5 N6/8sTKiVBfpAxDHNgQSdBzIRa7AvG294sx5mY2Q==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Targets

    • Target

      aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe

    • Size

      282KB

    • MD5

      38f3d7cdc3ec83dfd3b8309b569481bc

    • SHA1

      4398b03f857a45af838f0d2b8094a367708c0968

    • SHA256

      aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17

    • SHA512

      14d6d4c611a910c5e9b83c58f42acdee9dd69356066dabdef7386d5c8dc67ab9e153f2e906097f44324babfbf8c5ea0b7156c0befeecb39eaf639fefa24c0858

    • SSDEEP

      3072:uvgIGSgSWSQ2qobyyBPgKlBkqdX2z6oXo:SgIGSgpSQ2J7PLlBkYXxoY

    Score
    10/10
    netwalkerdefense_evasiondiscoveryexecutionimpactransomwarespywarestealer

    • Detected Netwalker Ransomware

      Detected unpacked Netwalker executable.

    • Netwalker Ransomware

      Ransomware family with multiple versions. Also known as MailTo.

      ransomwarenetwalker

    • Netwalker family

      netwalker

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Renames multiple (7385) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks