SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mailto (Back to overview)

Mailto

aka: Koko Ransomware, NetWalker

There is no description at this point.

References
2020-11-16Intel 471Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Ransomware Clop Conti Ransomware DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX Ransomware
2020-10-27Bleeping ComputerIonut Ilascu
@online{ilascu:20201027:enel:cd901d2, author = {Ionut Ilascu}, title = {{Enel Group hit by ransomware again, Netwalker demands $14 million}}, date = {2020-10-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million/}, language = {English}, urldate = {2020-10-29} } Enel Group hit by ransomware again, Netwalker demands $14 million
Mailto
2020-10-23HornetsecurityHornetsecurity Security Lab
@online{lab:20201023:leakwareransomwarehybrid:ae1de8e, author = {Hornetsecurity Security Lab}, title = {{Leakware-Ransomware-Hybrid Attacks}}, date = {2020-10-23}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/}, language = {English}, urldate = {2020-12-08} } Leakware-Ransomware-Hybrid Attacks
Avaddon Ransomware Clop Conti Ransomware DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim Ransomware RagnarLocker REvil Sekhmet Ransomware SunCrypt
2020-09-29MicrosoftMicrosoft
@techreport{microsoft:20200929:microsoft:6e5d7b0, author = {Microsoft}, title = {{Microsoft Digital Defense Report}}, date = {2020-09-29}, institution = {Microsoft}, url = {https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf}, language = {English}, urldate = {2020-10-05} } Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot
2020-09-24Kaspersky LabsKaspersky Lab ICS CERT
@techreport{cert:20200924:threat:2d7986d, author = {Kaspersky Lab ICS CERT}, title = {{Threat landscape for industrial automation systems - H1 2020}}, date = {2020-09-24}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf}, language = {English}, urldate = {2020-10-04} } Threat landscape for industrial automation systems - H1 2020
Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake Ransomware
2020-09-08Lopqto's AdventuresHamidreza Babaee
@online{babaee:20200908:automated:eb3272c, author = {Hamidreza Babaee}, title = {{Automated dynamic import resolving using binary emulation}}, date = {2020-09-08}, organization = {Lopqto's Adventures}, url = {https://lopqto.me/posts/automated-dynamic-import-resolving}, language = {English}, urldate = {2020-09-09} } Automated dynamic import resolving using binary emulation
Mailto
2020-09-03ZenGoTal Be'ery
@online{beery:20200903:bitcoin:932fb45, author = {Tal Be'ery}, title = {{The Bitcoin Ransomware Detective Strikes Again: The UCSF Case}}, date = {2020-09-03}, organization = {ZenGo}, url = {https://zengo.com/bitcoin-ransomware-detective-ucsf/}, language = {English}, urldate = {2020-09-06} } The Bitcoin Ransomware Detective Strikes Again: The UCSF Case
Mailto
2020-09-01Cisco TalosDavid Liebenberg, Caitlin Huey
@online{liebenberg:20200901:quarterly:c02962b, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends in Summer 2020}}, date = {2020-09-01}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html}, language = {English}, urldate = {2020-09-03} } Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk
2020-08-31The DFIR ReportThe DFIR Report
@online{report:20200831:netwalker:29a1511, author = {The DFIR Report}, title = {{NetWalker Ransomware in 1 Hour}}, date = {2020-08-31}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/}, language = {English}, urldate = {2020-08-31} } NetWalker Ransomware in 1 Hour
Cobalt Strike Mailto MimiKatz
2020-08-03McAfeeATR Operational Intelligence Team
@online{team:20200803:take:74e0288, author = {ATR Operational Intelligence Team}, title = {{Take a “NetWalk” on the Wild Side}}, date = {2020-08-03}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/take-a-netwalk-on-the-wild-side/}, language = {English}, urldate = {2020-08-14} } Take a “NetWalk” on the Wild Side
Mailto
2020-08Temple UniversityCARE
@online{care:202008:critical:415c34d, author = {CARE}, title = {{Critical Infrastructure Ransomware Attacks}}, date = {2020-08}, organization = {Temple University}, url = {https://sites.temple.edu/care/ci-rw-attacks/}, language = {English}, urldate = {2020-09-15} } Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
2020-07-28FBIFBI
@techreport{fbi:20200728:indicators:7dada00, author = {FBI}, title = {{Indicators Associated with Netwalker Ransomware}}, date = {2020-07-28}, institution = {FBI}, url = {https://www.ic3.gov/media/news/2020/200929-2.pdf}, language = {English}, urldate = {2020-10-05} } Indicators Associated with Netwalker Ransomware
Mailto
2020-06-26USCFUSCF
@online{uscf:20200626:update:6f5b3ca, author = {USCF}, title = {{Update on IT Security Incident at UCSF}}, date = {2020-06-26}, organization = {USCF}, url = {https://www.ucsf.edu/news/2020/06/417911/update-it-security-incident-ucsf}, language = {English}, urldate = {2020-08-18} } Update on IT Security Incident at UCSF
Mailto
2020-06-10CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200610:csit20081:a09522b, author = {CrowdStrike}, title = {{CSIT-20081 : Technical Analysis Of The Netwalker Ransomware}}, date = {2020-06-10}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf}, language = {English}, urldate = {2020-07-23} } CSIT-20081 : Technical Analysis Of The Netwalker Ransomware
Mailto
2020-06-05Github (DanusMinimus)Dan Lisichkin
@online{lisichkin:20200605:zero2auto:ecc4713, author = {Dan Lisichkin}, title = {{Zero2Auto - Netwalker Walk through}}, date = {2020-06-05}, organization = {Github (DanusMinimus)}, url = {https://danusminimus.github.io/Zero2Auto-Netwalker-Walkthrough/}, language = {English}, urldate = {2020-06-08} } Zero2Auto - Netwalker Walk through
Mailto
2020-05-28BleepingComputerIonut Ilascu
@online{ilascu:20200528:michigan:a52712f, author = {Ionut Ilascu}, title = {{Michigan State University network breached in ransomware attack}}, date = {2020-05-28}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/michigan-state-university-network-breached-in-ransomware-attack/}, language = {English}, urldate = {2020-05-29} } Michigan State University network breached in ransomware attack
Mailto
2020-05-27SophosLabsGabor Szappanos, Andrew Brandt
@online{szappanos:20200527:netwalker:941731e, author = {Gabor Szappanos and Andrew Brandt}, title = {{Netwalker ransomware tools give insight into threat actor}}, date = {2020-05-27}, organization = {SophosLabs}, url = {https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/}, language = {English}, urldate = {2020-05-29} } Netwalker ransomware tools give insight into threat actor
Mailto
2020-05-19Advanced IntelligenceAdvanced Intelligence, Bridgit Sullivan, Daniel Frey
@online{intelligence:20200519:netwalker:4681272, author = {Advanced Intelligence and Bridgit Sullivan and Daniel Frey}, title = {{NetWalker Ransomware Group Enters Advanced Targeting “Game”}}, date = {2020-05-19}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/netwalker-ransomware-group-enters-advanced-targeting-game}, language = {English}, urldate = {2020-05-23} } NetWalker Ransomware Group Enters Advanced Targeting “Game”
Mailto
2020-05-19zero2autoVitali Kremez
@online{kremez:20200519:netwalker:7ad1e7c, author = {Vitali Kremez}, title = {{Netwalker Ransomware - From Static Reverse Engineering to Automatic Extraction}}, date = {2020-05-19}, organization = {zero2auto}, url = {https://zero2auto.com/2020/05/19/netwalker-re/}, language = {English}, urldate = {2020-06-02} } Netwalker Ransomware - From Static Reverse Engineering to Automatic Extraction
Mailto
2020-05-18Trend MicroKaren Victor
@online{victor:20200518:netwalker:91f6d65, author = {Karen Victor}, title = {{Netwalker Fileless Ransomware Injected via Reflective Loading}}, date = {2020-05-18}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/}, language = {English}, urldate = {2020-05-20} } Netwalker Fileless Ransomware Injected via Reflective Loading
Mailto
2020-05-14tccontre Blogtcontre
@online{tcontre:20200514:netwalker:eabf178, author = {tcontre}, title = {{Netwalker Ransomware: [API Call Obfuscation (using Structure) and Evading Memory Forensic]}}, date = {2020-05-14}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2020/05/netwalker-ransomware-api-call.html}, language = {English}, urldate = {2020-05-19} } Netwalker Ransomware: [API Call Obfuscation (using Structure) and Evading Memory Forensic]
Mailto
2020-04-28MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200428:ransomware:3205f3a, author = {Microsoft Threat Protection Intelligence Team}, title = {{Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk}}, date = {2020-04-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/}, language = {English}, urldate = {2020-05-05} } Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise Ransomware RagnarLocker REvil RobinHood
2020-04-10TrustwaveJoshua Deacon, Lloyd Macrohon
@online{deacon:20200410:indepth:13fc66f, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part Three of Three}}, date = {2020-04-10}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-three-of-three/}, language = {English}, urldate = {2020-04-14} } An In-depth Look at MailTo Ransomware, Part Three of Three
Mailto
2020-04-08TrustwaveJoshua Deacon, Lloyd Macrohon
@online{deacon:20200408:indepth:c6628d7, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part Two of Three}}, date = {2020-04-08}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/}, language = {English}, urldate = {2020-04-14} } An In-depth Look at MailTo Ransomware, Part Two of Three
Mailto
2020-04-08INCIBE-CERTINCIBE
@online{incibe:20200408:ransomware:61b8c41, author = {INCIBE}, title = {{Ransomware NetWalker: análisis y medidas preventivas}}, date = {2020-04-08}, organization = {INCIBE-CERT}, url = {https://www.incibe-cert.es/blog/ransomware-netwalker-analisis-y-medidas-preventivas}, language = {Spanish}, urldate = {2020-04-14} } Ransomware NetWalker: análisis y medidas preventivas
Mailto
2020-03-31TrustwaveJoshua Deacon, Lloyd Macrohon
@online{deacon:20200331:indepth:3719ebb, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part One of Three}}, date = {2020-03-31}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-one-of-three/}, language = {English}, urldate = {2020-04-14} } An In-depth Look at MailTo Ransomware, Part One of Three
Mailto
2020-03-21Bleeping ComputerLawrence Abrams
@online{abrams:20200321:netwalker:5d2936c, author = {Lawrence Abrams}, title = {{Netwalker Ransomware Infecting Users via Coronavirus Phishing}}, date = {2020-03-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecting-users-via-coronavirus-phishing/}, language = {English}, urldate = {2020-03-22} } Netwalker Ransomware Infecting Users via Coronavirus Phishing
Mailto
2020-02-05Bleeping ComputerLawrence Abrams
@online{abrams:20200205:mailto:3027008, author = {Lawrence Abrams}, title = {{Mailto (NetWalker) Ransomware Targets Enterprise Networks}}, date = {2020-02-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/}, language = {English}, urldate = {2020-02-11} } Mailto (NetWalker) Ransomware Targets Enterprise Networks
Mailto
2019-09-05ID RansomwareAndrew Ivanov
@online{ivanov:20190905:netwalker:902cacb, author = {Andrew Ivanov}, title = {{Netwalker Ransomware}}, date = {2019-09-05}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/09/koko-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } Netwalker Ransomware
Mailto
Yara Rules
[TLP:WHITE] win_mailto_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_mailto_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d4c2440 51 6a0f 8b4074 53 ffd0 8b7c2440 }
            // n = 7, score = 400
            //   8d4c2440             | lea                 ecx, [esp + 0x40]
            //   51                   | push                ecx
            //   6a0f                 | push                0xf
            //   8b4074               | mov                 eax, dword ptr [eax + 0x74]
            //   53                   | push                ebx
            //   ffd0                 | call                eax
            //   8b7c2440             | mov                 edi, dword ptr [esp + 0x40]

        $sequence_1 = { 747a 8bf2 89542414 89542410 }
            // n = 4, score = 400
            //   747a                 | je                  0x7c
            //   8bf2                 | mov                 esi, edx
            //   89542414             | mov                 dword ptr [esp + 0x14], edx
            //   89542410             | mov                 dword ptr [esp + 0x10], edx

        $sequence_2 = { 57 33ff 85f6 0f843e010000 8b5c2414 }
            // n = 5, score = 400
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   85f6                 | test                esi, esi
            //   0f843e010000         | je                  0x144
            //   8b5c2414             | mov                 ebx, dword ptr [esp + 0x14]

        $sequence_3 = { 0f84d0000000 c60009 e8???????? 8d4c2414 51 8b407c ffd0 }
            // n = 7, score = 400
            //   0f84d0000000         | je                  0xd6
            //   c60009               | mov                 byte ptr [eax], 9
            //   e8????????           |                     
            //   8d4c2414             | lea                 ecx, [esp + 0x14]
            //   51                   | push                ecx
            //   8b407c               | mov                 eax, dword ptr [eax + 0x7c]
            //   ffd0                 | call                eax

        $sequence_4 = { 83c408 3b7b10 72e5 8b4314 }
            // n = 4, score = 400
            //   83c408               | add                 esp, 8
            //   3b7b10               | cmp                 edi, dword ptr [ebx + 0x10]
            //   72e5                 | jb                  0xffffffe7
            //   8b4314               | mov                 eax, dword ptr [ebx + 0x14]

        $sequence_5 = { e8???????? 83c40c 85c0 741a 8b4f14 56 51 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   741a                 | je                  0x1c
            //   8b4f14               | mov                 ecx, dword ptr [edi + 0x14]
            //   56                   | push                esi
            //   51                   | push                ecx

        $sequence_6 = { 57 6a20 e8???????? 8bf8 83c404 85ff 7429 }
            // n = 7, score = 400
            //   57                   | push                edi
            //   6a20                 | push                0x20
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   83c404               | add                 esp, 4
            //   85ff                 | test                edi, edi
            //   7429                 | je                  0x2b

        $sequence_7 = { 7508 84c0 0f8491000000 57 56 e8???????? 83c408 }
            // n = 7, score = 400
            //   7508                 | jne                 0xa
            //   84c0                 | test                al, al
            //   0f8491000000         | je                  0x97
            //   57                   | push                edi
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c408               | add                 esp, 8

        $sequence_8 = { 88461a 8bc3 c1f810 884e16 8bcd 88461b 8bc1 }
            // n = 7, score = 400
            //   88461a               | mov                 byte ptr [esi + 0x1a], al
            //   8bc3                 | mov                 eax, ebx
            //   c1f810               | sar                 eax, 0x10
            //   884e16               | mov                 byte ptr [esi + 0x16], cl
            //   8bcd                 | mov                 ecx, ebp
            //   88461b               | mov                 byte ptr [esi + 0x1b], al
            //   8bc1                 | mov                 eax, ecx

        $sequence_9 = { 8bc7 2bf7 b902000000 8d4010 0f104406f0 660fefc1 0f1140f0 }
            // n = 7, score = 400
            //   8bc7                 | mov                 eax, edi
            //   2bf7                 | sub                 esi, edi
            //   b902000000           | mov                 ecx, 2
            //   8d4010               | lea                 eax, [eax + 0x10]
            //   0f104406f0           | movups              xmm0, xmmword ptr [esi + eax - 0x10]
            //   660fefc1             | pxor                xmm0, xmm1
            //   0f1140f0             | movups              xmmword ptr [eax - 0x10], xmm0

    condition:
        7 of them and filesize < 180224
}
Download all Yara Rules