Overview

overview

10

Static

static

9

b756980ef1...5N.exe

windows7-x64

10

b756980ef1...5N.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe

  • Size

    282KB

  • Sample

    241125-s7aw7azqdr

  • MD5

    e553d54a06009595a4ae269e9c96cbe0

  • SHA1

    e762481794fa9096f4229f2eddfe0266bfc9f7ac

  • SHA256

    b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435

  • SHA512

    dba51a50f1b94ab8a7da9f0401993ba336b623afbbe9320a09f69fa89390889edca32bf237a9cc9f0b78e181790bbee005b43fc633feefc389bc4bc757f602b9

  • SSDEEP

    3072:uvgIGSgSWSQ2qobyyBPgKlBkqdX2z6oXo:SgIGSgpSQ2J7PLlBkYXxoY

Score
10/10
netwalkercryptonedefense_evasiondiscoveryexecutionimpactpackerransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Public\Libraries\A58086-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .a58086 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_a58086: I7IoeZEwWgVvJatHTyf665lcPBornBuFVODepI/H7wCfxStWz7 hQytm8QfdFqIi76BSFNKxz5q97ijuHf3VqM95IrZbsseYH41Zj AhYvfgl5wwq5mqIAajDxfc0EzkWK4LtbMI9UaCYDF+h3hBr9M9 r62cXviql8QVn7T5tiFr35kxnhHvjfzuQXuxHnOZ1v8jSPfsaY krTT2AUbxszzwdFVPKnUk48FsAxJHuErcr9x4ZgysEWhxBxenw uisEGvcuHbL9DkWNb1Z5IBcS3gazyfy0Jy4E99xw==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files (x86)\Microsoft\Edge\316108-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .316108 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_316108: eyPo33hq1FM9D+9KB3xpf78IV4zHlaBWJQMWm8bS8zETFrsQCM +5sQcaWUZSz+GsoPUI9lROd5Ly4AVXODAkwT3FzT3/EiVa41Zj AixraDWA0yF/AR89e/jdWoDCg8VkUxW8HEGm8iNghNhMNlBGst LinBCPhMWk7ohr1+VtYfsAcY1Ao5yDZ6fuabx+U1qiCY74j41l GYt7yTSCWnOTfWZB7wY4NE9PwiByvJjbsGNRe+e9yGDlfye6CV hEK3R3CoTvNKb/53ATipgyP7CgRo/2dfO4Btg6iQ==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Targets

    • Target

      b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435N.exe

    • Size

      282KB

    • MD5

      e553d54a06009595a4ae269e9c96cbe0

    • SHA1

      e762481794fa9096f4229f2eddfe0266bfc9f7ac

    • SHA256

      b756980ef12f8abd3cc6c78f4b1574b58e46c83c3353de10750dcde161b35435

    • SHA512

      dba51a50f1b94ab8a7da9f0401993ba336b623afbbe9320a09f69fa89390889edca32bf237a9cc9f0b78e181790bbee005b43fc633feefc389bc4bc757f602b9

    • SSDEEP

      3072:uvgIGSgSWSQ2qobyyBPgKlBkqdX2z6oXo:SgIGSgpSQ2J7PLlBkYXxoY

    Score
    10/10
    netwalkerdefense_evasiondiscoveryexecutionimpactransomwarespywarestealer

    • Detected Netwalker Ransomware

      Detected unpacked Netwalker executable.

    • Netwalker Ransomware

      Ransomware family with multiple versions. Also known as MailTo.

      ransomwarenetwalker

    • Netwalker family

      netwalker

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Renames multiple (7446) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks