netwalker | 60deeaf4df6f3ca05f445a72664c95dd6aa66584716253f7b86cef516e13016a

General

Target

2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto
Size

69KB
Sample

250128-bt2djssmbv
MD5

2e2f5fe8aba42ba7a4eb972e201be179
SHA1

5be60349686e59140f33a071c80405da8952ad30
SHA256

60deeaf4df6f3ca05f445a72664c95dd6aa66584716253f7b86cef516e13016a
SHA512

4039fd176206f7879a80aa9eaa0a338ac0f845ba1b446966c7577d367149f3163526aea143e5c68ed45ee6a22080431304a134b408464479c1b9140ab523db54
SSDEEP

1536:4xa8XQ408kLUiQKovO5bGU+hhOZuIWcz46ZOtByKbCKrQQipc:oa8XK8yJQKmO5bZkhOZu1cziByKbCk/

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\A4D0B4-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted. All encrypted files for this computer has extension: .a4d0b4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_a4d0b4: SCLvdvoA1y6R8ioWYO5A5MxRXWdstYL/77VC1EaKE9/95mocOh gUvOo5cMdFoPD6w5NTtCq7RPbwRoPm8x8waYcg84b/8G4MjQc1 +CDlB+AhjnJTxWPkB488nCFBQI0UcBY+AggTXGQUbZK1tlwFQg 3/DEWb9bqOOAi8dJe6PDeypNqPjIsgLkhdraW7ePXvbyR6ON3O Tsqh5So53s6SgzCUA3y12aymxUMwXs2Nt0ayo/XAEC98rt/zWs +OW2k+Hmr7/hlTVih0kaC84v2Etn5lIEb0yQ+evg==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Users\Public\Libraries\58C38E-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted. All encrypted files for this computer has extension: .58c38e -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_58c38e: V6q2kFWVUkpjYLVTpUpbnVI2FkC9pJQi03JtLTwdDV++LxmEPK dNy6HFYaHLk7dGynLZMPQaeB6OECrsIXoRp5P8aP7o8FczjQc1 +Arf9QMVe2TLJbiPQq1Jaf2tOMn2BNEd5FXaEfcLOAsF8BLwPn J8JHYg4yhqlnxoXOVQOSmg0kn1paCFXZJqsrv8fEFGcf6arsp3 BCTAhVTBPwEvbkjGNVNPjcA7hWCNgg5B1IEV0ExdMAQzKz60FR Sy6sbsAHdRii6/5SRjp3ECi0Z7R4tuHyRbV5GKtQ==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Targets

- Target
  
  2025-01-28_2e2f5fe8aba42ba7a4eb972e201be179_mailto
- Size
  
  69KB
- MD5
  
  2e2f5fe8aba42ba7a4eb972e201be179
- SHA1
  
  5be60349686e59140f33a071c80405da8952ad30
- SHA256
  
  60deeaf4df6f3ca05f445a72664c95dd6aa66584716253f7b86cef516e13016a
- SHA512
  
  4039fd176206f7879a80aa9eaa0a338ac0f845ba1b446966c7577d367149f3163526aea143e5c68ed45ee6a22080431304a134b408464479c1b9140ab523db54
- SSDEEP
  
  1536:4xa8XQ408kLUiQKovO5bGU+hhOZuIWcz46ZOtByKbCKrQQipc:oa8XK8yJQKmO5bZkhOZu1cziByKbCk/
Score

10^/10

netwalker defense_evasion discovery execution impact ransomware spyware stealer
- Netwalker Ransomware
  Ransomware family with multiple versions. Also known as MailTo.
  ransomware netwalker
- Netwalker family
  netwalker
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (7442) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral1 behavioral2