- First seen: August 2019
- Aliases: Mailto
- Samples:
  - f4656a9af30e98ed2103194f798fa00fd1686618e3e62fba6b15c9959135b7be | windows | ransom | ps1
  - 2c245db9fb9b2c6e84832662dda3dfff3c6b21128d9fec115f5b989fb090841d | windows | ransom | pe
  - e8c5c0b70d45a5dc80d678ed7102abf9882efb9cbc2cff20f171d60d5205051d | windows | ransom | pe
Property | Value |
---|---|
Size | 5348403 bytes |
CRC32 | 0xfa800fe8 |
MD5 | b1f0093b89561c6123070165bd2261e2 |
SHA1 | aac57162dc1311f07a869f7163bd30e0d62dcc0e |
SHA256 | f4656a9af30e98ed2103194f798fa00fd1686618e3e62fba6b15c9959135b7be |
SHA512 | 637b40a33fc8e5d478128242f621ceefcb158b1d411898fbf4bb2e7352fd214befd58c308297108d631d5b4e4b44f953ac51676b02ef20e8de9dc122ef0ba797 |
Ssdeep | 24576:3lWHR7hoxn6yTYo1oc8UcMIh/MuwL+zn4ltC3O+wXCwNLaLRcfIAM1Bq9p0IQWwS:l |
Magic | ASCII text, with very long lines, with no line terminators |
Packer | Text: format: plain text |
TrID | Warning: file seems to be plain text/ASCII TrID is best suited to analyze binary files! Unknown! |
+ Avast: clean
- Avira: VBS/PShell.KT
- Bitdefender: Trojan.Ransom.GenericKD.43121546
+ Clamav: clean
- Comodo: Malware
- Drweb: Trojan.Encoder.31757
- Eset: Win64/Filecoder.Netwalker.A
- Fsecure: Malware.VBS/PShell.KT
- Kaspersky: HEUR:Trojan.PowerShell.Generic
- Mcafee: PS/Netwalker.b
- Sophos: Troj/PS-BH
- Symantec: Trojan.Gen.NPE
+ Trendmicro: clean
- Windefender: Ransom:PowerShell/NetWalker!MTB
Property | Value |
---|---|
Size | 95744 bytes |
CRC32 | 0x78602d97 |
MD5 | bc96c744bd66ddfaa79d467b757b8628 |
SHA1 | a379f9e04708d773a2dec897166780b026f4c4ea |
SHA256 | 2c245db9fb9b2c6e84832662dda3dfff3c6b21128d9fec115f5b989fb090841d |
SHA512 | 5bd8b0c6196d5bf6b207921832b627119c7b37bb442afb110dc496a3ca28b1bbec471a0be9bc6dcdadfefed0cf392e55f4287d54d99ba96d9bfe1406e2bc4324 |
Ssdeep | 1536:Cd9plbWL68q1Ril+VapFQvM8U9appp2AmRgnUchvxVbnp2hoTowLNT:CdnJSMRiaaDYM8U9agAFnB/nTUwLNT |
Magic | PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
Packer | PE+(64): linker: unknown(14.16)[DLL64] |
TrID | 20.3% (.ICL) Windows Icons Library (generic) (2059/9) 20.0% (.EXE) OS/2 Executable (generic) (2029/13) 19.9% (.EXE) Clipper DOS Executable (2018/12) 19.8% (.EXE) Generic Win/DOS Executable (2002/3) 19.7% (.EXE) DOS Executable Generic (2000/1) |
+ Avast: clean
+ Avira: clean
- Bitdefender: Gen:Variant.Ulise.106690
+ Clamav: clean
- Comodo: Malware
- Drweb: Trojan.Encoder.31767
- Eset: Win64/Filecoder.Netwalker.A
- Fsecure: Heuristic.HEUR/AGEN.1302344
- Kaspersky: Trojan-Ransom.Win32.Mailto.ak
- Mcafee: Ransom-netwalker.a
+ Sophos: clean
- Symantec: Trojan Horse
+ Trendmicro: clean
- Windefender: Ransom:Win32/NetWalker.MX!MTB
Property | Value |
---|---|
Size | 58368 bytes |
CRC32 | 0xb39e63d6 |
MD5 | de61b852cadac6afe307652b187ca5df |
SHA1 | fa02c1d394bc150d8a62d3f991d0fdc042ee9724 |
SHA256 | e8c5c0b70d45a5dc80d678ed7102abf9882efb9cbc2cff20f171d60d5205051d |
SHA512 | 5da0764645ac063ca588302f83a74336a0d9f2ca99aebe82e07770d8ed218c48ca69605c582a26abaf4aedcbb2616be04e6bb58cf20da3566decfcc5457d9fee |
Ssdeep | 1536:q/p3iomPDwdh6/7pR4c21buIT9pv3NQdqzQJowLNHB:q/hibLIh6/7pj21buA9pv9QewLNH |
Magic | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
Packer | PE: linker: unknown(14.16)[DLL32] |
TrID | 27.0% (.EXE) Win32 Executable (generic) (4505/5/1) 12.4% (.EXE) Win16/32 Executable Delphi generic (2072/23) 12.3% (.ICL) Windows Icons Library (generic) (2059/9) 12.1% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Clipper DOS Executable (2018/12) |
+ Avast: clean
- Avira: HEUR/AGEN.1020216
- Bitdefender: Gen:Variant.Ransom.NetWalker.27
- Clamav: Win.Ransomware.Netwalker-9848582-0
- Comodo: Malware
- Drweb: Trojan.Encoder.32721
- Eset: Win32/Filecoder.NetWalker.E
- Fsecure: Heuristic.HEUR/AGEN.1302415
- Kaspersky: HEUR:Trojan-Ransom.Win32.Mailto.vho
+ Mcafee: clean
+ Sophos: clean
- Symantec: Trojan Horse
+ Trendmicro: clean
- Windefender: Ransom:Win32/NetWalker!MTB
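Added example, not part of this catalogue or of any of the referenced analyses: a small Python triage helper that reproduces the property rows above (Size, CRC32, MD5, SHA1, SHA256, SHA512, Magic) for an arbitrary file and checks its SHA256 against the three catalogued samples. The `describe_magic` classifier is a deliberately simplified file(1) lookalike that only tells ASCII text from PE32/PE32+ images (DLL flag, subsystem, machine); the 300-byte "very long lines" threshold is an assumption, and `build_stub_pe` builds a constructed, non-loadable header solely to exercise the classifier offline, it is not a real sample.

```python
import hashlib
import struct
import sys
import zlib

# SHA256 values copied from the three sample tables on this page.
KNOWN_SHA256 = {
    "f4656a9af30e98ed2103194f798fa00fd1686618e3e62fba6b15c9959135b7be": "windows | ransom | ps1",
    "2c245db9fb9b2c6e84832662dda3dfff3c6b21128d9fec115f5b989fb090841d": "windows | ransom | pe",
    "e8c5c0b70d45a5dc80d678ed7102abf9882efb9cbc2cff20f171d60d5205051d": "windows | ransom | pe",
}

# PE/COFF constants (Microsoft PE format specification).
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
MACHINES = {IMAGE_FILE_MACHINE_I386: "Intel 80386", IMAGE_FILE_MACHINE_AMD64: "x86-64"}
SUBSYSTEMS = {2: "GUI", 3: "console"}
VERY_LONG_LINE = 300  # assumption: file(1)-style threshold for "very long lines"


def hash_properties(data: bytes) -> dict:
    """Size/CRC32/MD5/SHA1/SHA256/SHA512 in the same shape as the tables above."""
    return {
        "Size": len(data),
        "CRC32": f"0x{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
    }


def describe_magic(data: bytes) -> str:
    """Simplified 'Magic' classifier: PE32/PE32+ image, ASCII text, or opaque data."""
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        # Need the PE signature, the 20-byte file header and the optional
        # header at least up to and including Subsystem (offset 68).
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0" and len(data) >= e_lfanew + 24 + 70:
            machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
            characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
            opt_magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
            subsystem = struct.unpack_from("<H", data, e_lfanew + 24 + 68)[0]
            fmt = {PE32_MAGIC: "PE32", PE32PLUS_MAGIC: "PE32+"}.get(opt_magic)
            if fmt:
                dll = "(DLL) " if characteristics & IMAGE_FILE_DLL else ""
                return (f"{fmt} executable {dll}({SUBSYSTEMS.get(subsystem, 'unknown')}) "
                        f"{MACHINES.get(machine, hex(machine))}, for MS Windows")
        return "MZ executable without a valid PE header"
    if data and all(0x20 <= b < 0x7F or b in (9, 10, 13) for b in data):
        desc = "ASCII text"
        if any(len(line) > VERY_LONG_LINE for line in data.split(b"\n")):
            desc += ", with very long lines"
        if b"\n" not in data:
            desc += ", with no line terminators"
        return desc
    return "data"


def triage(data: bytes) -> dict:
    """Property rows plus a catalogue lookup on the SHA256."""
    props = hash_properties(data)
    props["Magic"] = describe_magic(data)
    props["Catalog"] = KNOWN_SHA256.get(props["SHA256"])
    return props


def build_stub_pe(machine: int, opt_magic: int, characteristics: int, subsystem: int = 2) -> bytes:
    """Constructed minimal PE header for exercising describe_magic; not a real sample."""
    opt_size = 240 if opt_magic == PE32PLUS_MAGIC else 224
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    file_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, characteristics)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, opt_magic)
    struct.pack_into("<H", optional, 68, subsystem)
    return dos_header + b"PE\0\0" + file_header + bytes(optional)


if __name__ == "__main__":
    # Usage: python triage.py <file> ...; with no arguments, run on the constructed stubs.
    inputs = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("stub-x64-dll", build_stub_pe(IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC, 0x2022)),
        ("stub-x86-dll", build_stub_pe(IMAGE_FILE_MACHINE_I386, PE32_MAGIC, 0x2102)),
        ("stub-text", b"powershell -nop -w hidden " + b"A" * 400),
    ]
    for name, blob in inputs:
        print(f"== {name}")
        for key, value in triage(blob).items():
            print(f"{key:8}| {value}")
```

A SHA256 hit against `KNOWN_SHA256` is an exact-match check only; a recompiled or repacked build will miss it, which is why the ssdeep and AV rows above exist alongside the cryptographic hashes.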
- https://blogs.blackberry.com/en/2020/07/blackberry-spark-stops-netwalker-fileless-ransomware
- https://lopqto.me/posts/automated-dynamic-import-resolving
- https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
- https://s3.documentcloud.org/documents/21199896/vachon-desjardins-court-docs.pdf
- https://seguranca-informatica.pt/netwalker-ransomware-full-analysis/
- https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/
- https://www.acronis.com/en-sg/cyber-protection-center/posts/netwalker-leverages-obfuscated-powershell-to-start-c-injector1/
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/take-a-netwalk-on-the-wild-side/
- https://www.trendmicro.com/en_au/research/20/e/netwalker-fileless-ransomware-injected-via-reflective-loading.html
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-one-of-three/
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-three-of-three/
- https://www.varonis.com/blog/netwalker-ransomware
- https://zero2auto.com/2020/05/19/netwalker-re/