MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46dbb7709411b1429233e0d8d33a02cccd54005a2b4015dcfa8a890252177df9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWalker

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	46dbb7709411b1429233e0d8d33a02cccd54005a2b4015dcfa8a890252177df9
SHA3-384 hash:	4e331555b7def9c33ad244b660f60ea4308e143a141aa19d303e7aa6ab7aef10d71bd164b129d7200e8b4d561c8f952f
SHA1 hash:	24d2abc132f1337f3bf2dd582efb00e5ac911161
MD5 hash:	ab8d59aba3dc3c4be755255eca51d879
humanhash:	connecticut-sad-idaho-edward
File name:	46dbb7709411b1429233e0d8d33a02cccd54005a2b4015dcfa8a890252177df9.bin
Download:	download sample
Signature	NetWalker Create hunting rule
File size:	70'656 bytes
First seen:	2020-08-21 01:11:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e82dd51b077167be63c004bed23d0c1e (40 x NetWalker, 2 x GuLoader, 1 x ShikataGaNai)
ssdeep	1536:QuCWRxL7hbUiQfovePbUU+hhOZuIWiFp+ZfaBZebC33O+BlKHpc:rCWf7VJQfmePbvkhOZu1iFBBZebC3RlV
Threatray	43 similar samples on MalwareBazaar
TLSH	02636B83F682C2B0D98656F96BFFF37E08725D14977989C3CB521C41E9348E2593A31A
Reporter	Dashowl
Tags:	NetWalker

Intelligence

File Origin

# of uploads :

# of downloads :

2'036

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/49423/

Detection(s):

Win.Ransomware.Netwalker-7671868-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Deleting a system file

Sending a UDP request

Creating a process with a hidden window

Changing a file

Creating a file

Modifying an executable file

Moving a file to the Program Files subdirectory

Creating a file in the Program Files subdirectories

Moving a recently created file

Reading critical registry keys

Enabling the 'hidden' option for recently created files

Creating a window

Deleting volume shadow copies

Creating a file in the mass storage device

Encrypting user's files

Result

Threat name:

Netwalker

Detection:

malicious

Classification:

rans

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/442975

Signature

Antivirus / Scanner detection for submitted sample

Deletes shadow drive data (may be related to ransomware)

Machine Learning detection for sample

May disable shadow drive data (uses vssadmin)

Multi AV Scanner detection for submitted file

Yara detected Netwalker ransomware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/46dbb7709411b1429233e0d8d33a02cccd54005a2b4015dcfa8a890252177df9/

Threat name:

Win32.Ransomware.NetWalker

Status:

Malicious

First seen:

2020-07-15 18:56:31 UTC

AV detection:

42 of 48 (87.50%)

Threat level:

5/5

Verdict:

unknown

NetWalker

167bf2356e65b04407cd2d8299a9b315f213808b04c341f6aad5820fc46a3c49

NetWalker

29aef790399029029e0443455d72a8b928854a0706f2e211ae7a03bba0e3d4f4

NetWalker

4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677

NetWalker

84b8dbafd5cd64fb300b30bf943430a18f34cad3f0d8f7251d34354fea85aab2

NetWalker

8f06645838d3d75e44d4527e2928c71af0a7214254867379359eb3e46109cbde

NetWalker

a9a147313861a5a4e7abd76b3287ce5f6183966b89c5ca95c0e0cf587f40189d

NetWalker

b2d68a79a621c3f9e46f9df52ed19b8fec22c3cf5f4e3d8630a2bc68fd43d2ee

NetWalker

c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010

NetWalker

f298725e197f974b7a8407c5d79114a4ac322c573813d543141ccf1d9119dd8b

NetWalker

+ 33 additional samples on MalwareBazaar

Result

Malware family:

mailto_hamlampampom

Score:

10/10

Tags:

ransomware persistence family:mailto_hamlampampom spyware

Link:

https://tria.ge/reports/200821-rv8hadas9n/

Behaviour

Interacts with shadow copies

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Modifies service

Deletes itself

Reads user/profile data of web browsers

Modifies extensions of user files

Deletes shadow copies

MailTo (Hamlampampom Variant)

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Cryptolocker

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/46dbb7709411b1429233e0d8d33a02cccd54005a2b4015dcfa8a890252177df9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	netwalker_ransomware Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect Netwalker ransomware
Reference:	https://www.ccn-cert.cni.es/comunicacion-eventos/comunicados-ccn-cert/9802-publicado-un-informe-de-codigo-danino-sobre-netwalker.html

Rule name:	win_mailto_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/49423/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample