win.mailto

Mailto

aka: Koko Ransomware, NetWalker

There is no description at this point.

References
2022-03-31 | Trellix | Jambul Tologonov, John Fokker
Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2022-03-17 | Sophos | Tilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-02-11 | Github (0x00-0x7f) | Sadia Bashir
Netwalker: from Powershell reflective loader to injected dll
Mailto
2022-02-08 | FBI | FBI
Statement of Facts Supporting the Provisional Arrest of Sebastien Vachon-Desjardins
Mailto
2022-02-08 | Bleeping Computer | Sergiu Gatlan
NetWalker ransomware affiliate sentenced to 80 months in prison
Mailto
2021-10-12 | CrowdStrike | CrowdStrike Intelligence Team
ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity
Babuk BlackMatter DarkSide REvil Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil
2021-09-03 | Seguranca Informatica | Pedro Tavares
Netwalker ransomware full analysis
Mailto
2021-07-09 | The Record | Catalin Cimpanu
Ransomwhere project wants to create a database of past ransomware payments
Egregor Mailto Maze REvil
2021-06-10 | ZEIT Online | Astrid Geisler, Herwig G. Höller, Karsten Polke-Majewski, Kai Biermann, Zachary Kamel
On the Trail of the Internet Extortionists
Emotet Mailto
2021-05-26 | DeepInstinct | Ron Ben Yizhak
A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader
2021-05-18 | Bleeping Computer | Ionut Ilascu
DarkSide ransomware made $90 million in just nine months
DarkSide DarkSide Egregor Gandcrab Mailto Maze REvil Ryuk
2021-05-18 | The Record | Catalin Cimpanu
Darkside gang estimated to have made over $90 million from ransomware attacks
DarkSide DarkSide Mailto Maze REvil Ryuk
2021-05-10 | DarkTracer | DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-06 | Cyborg Security | Brandon Denker
Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-04-26 | CoveWare | CoveWare
Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-12 | PTSecurity | PTSecurity
PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-03-17 | Palo Alto Networks Unit 42 | Unit42
Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker
2021-03-05 | Blackberry | Codi Starks, Kevin Finnigin
ZeroLogon to Ransomware
Mailto
2021-02-28 | PWC UK | PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-23 | CrowdStrike | CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-17 | YouTube (AGDC Services) | AGDC Services
How Malware Can Resolve APIs By Hash
Emotet Mailto
2021-02-16 | Cybereason | Tom Fakterman
Cybereason vs. NetWalker Ransomware
Mailto
2021-02-11 | CrowdStrike | Radu Vlad
Press #1 to Play: A Look Into eCrime Menu-style Toolkits
Mailto CIRCUS SPIDER
2021-02-11 | CTI LEAGUE | CTI LEAGUE
CTIL Darknet Report – 2021
Conti Mailto Maze REvil Ryuk
2021-01-27 | Department of Justice | Department of Justice
Department of Justice Launches Global Action Against NetWalker Ransomware
Mailto
2021-01-27 | KrebsOnSecurity | Brian Krebs
Arrest, Seizures Tied to Netwalker Ransomware
Mailto
2021-01-27 | Department of Justice | Department of Justice
INDICTMENT of SEBASTIEN VACHON-DESJARDINS for using Netwalker ransomware to commit crime
Mailto
2020-11-16 | Intel 471 | Intel 471
Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-11-06 | Cert-AgID | Incident Response Team
Netwalker Ransomware
Mailto
2020-10-27 | Bleeping Computer | Ionut Ilascu
Enel Group hit by ransomware again, Netwalker demands $14 million
Mailto
2020-10-23 | Hornetsecurity | Hornetsecurity Security Lab
Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-10-01 | KELA | Victoria Kivilevich
To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem
Conti DoppelPaymer Mailto Maze REvil Ryuk SunCrypt
2020-09-29 | PWC UK | Andy Auld
What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker
2020-09-29 | Microsoft | Microsoft
Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot
2020-09-24 | Kaspersky Labs | Kaspersky Lab ICS CERT
Threat landscape for industrial automation systems - H1 2020
Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake
2020-09-08 | Lopqto's Adventures | Hamidreza Babaee
Automated dynamic import resolving using binary emulation
Mailto
2020-09-03 | ZenGo | Tal Be'ery
The Bitcoin Ransomware Detective Strikes Again: The UCSF Case
Mailto
2020-09-01 | Cisco Talos | Caitlin Huey, David Liebenberg
Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk
2020-08-31 | The DFIR Report | The DFIR Report
NetWalker Ransomware in 1 Hour
Cobalt Strike Mailto MimiKatz
2020-08-25 | KELA | Victoria Kivilevich
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-08-03 | McAfee | ATR Operational Intelligence Team
Take a “NetWalk” on the Wild Side
Mailto
2020-08-01 | Temple University | CARE
Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-07-29 | ESET Research | welivesecurity
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-28 | FBI | FBI
Indicators Associated with Netwalker Ransomware
Mailto
2020-06-26 | UCSF | UCSF
Update on IT Security Incident at UCSF
Mailto
2020-06-10 | CrowdStrike | CrowdStrike
CSIT-20081 : Technical Analysis Of The Netwalker Ransomware
Mailto CIRCUS SPIDER
2020-06-05 | Github (DanusMinimus) | Dan Lisichkin
Zero2Auto - Netwalker Walk through
Mailto
2020-05-28 | Bleeping Computer | Ionut Ilascu
Michigan State University network breached in ransomware attack
Mailto
2020-05-27 | SophosLabs | Andrew Brandt, Gabor Szappanos
Netwalker ransomware tools give insight into threat actor
Mailto
2020-05-19 | zero2auto | Vitali Kremez
Netwalker Ransomware - From Static Reverse Engineering to Automatic Extraction
Mailto
2020-05-19 | Advanced Intelligence | Advanced Intelligence, Bridgit Sullivan, Daniel Frey
NetWalker Ransomware Group Enters Advanced Targeting “Game”
Mailto
2020-05-18 | Trend Micro | Karen Victor
Netwalker Fileless Ransomware Injected via Reflective Loading
Mailto
2020-05-14 | tccontre Blog | tcontre
Netwalker Ransomware: [API Call Obfuscation (using Structure) and Evading Memory Forensic]
Mailto
2020-04-28 | Microsoft | Microsoft Threat Protection Intelligence Team
Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise RagnarLocker REvil RobinHood
2020-04-10 | Trustwave | Joshua Deacon, Lloyd Macrohon
An In-depth Look at MailTo Ransomware, Part Three of Three
Mailto
2020-04-08 | INCIBE-CERT | INCIBE
Ransomware NetWalker: analysis and preventive measures
Mailto
2020-04-08 | Trustwave | Joshua Deacon, Lloyd Macrohon
An In-depth Look at MailTo Ransomware, Part Two of Three
Mailto
2020-03-31 | Trustwave | Joshua Deacon, Lloyd Macrohon
An In-depth Look at MailTo Ransomware, Part One of Three
Mailto
2020-03-21 | Bleeping Computer | Lawrence Abrams
Netwalker Ransomware Infecting Users via Coronavirus Phishing
Mailto
2020-02-05 | Bleeping Computer | Lawrence Abrams
Mailto (NetWalker) Ransomware Targets Enterprise Networks
Mailto
2019-09-05 | ID Ransomware | Andrew Ivanov
Netwalker Ransomware
Mailto
Yara Rules
[TLP:WHITE] win_mailto_auto (20260504 | Detects win.mailto.)
rule win_mailto_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.mailto."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 56 e8???????? 83c40c 85c0 75e7 5f 5e }
            // n = 7, score = 400
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   75e7                 | jne                 0xffffffe9
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_1 = { 68dee412a3 56 894134 e8???????? 8b0d???????? 689a8f3aca 56 }
            // n = 7, score = 400
            //   68dee412a3           | push                0xa312e4de
            //   56                   | push                esi
            //   894134               | mov                 dword ptr [ecx + 0x34], eax
            //   e8????????           |                     
            //   8b0d????????         |                     
            //   689a8f3aca           | push                0xca3a8f9a
            //   56                   | push                esi

        $sequence_2 = { 5e 85c9 890f 5b 0f95c0 5f c3 }
            // n = 7, score = 400
            //   5e                   | pop                 esi
            //   85c9                 | test                ecx, ecx
            //   890f                 | mov                 dword ptr [edi], ecx
            //   5b                   | pop                 ebx
            //   0f95c0               | setne               al
            //   5f                   | pop                 edi
            //   c3                   | ret                 

        $sequence_3 = { c744246474000000 e8???????? 8d4c2414 51 56 8b4030 ffd0 }
            // n = 7, score = 400
            //   c744246474000000     | mov                 dword ptr [esp + 0x64], 0x74
            //   e8????????           |                     
            //   8d4c2414             | lea                 ecx, [esp + 0x14]
            //   51                   | push                ecx
            //   56                   | push                esi
            //   8b4030               | mov                 eax, dword ptr [eax + 0x30]
            //   ffd0                 | call                eax

        $sequence_4 = { e8???????? 83c444 6a00 6841db0100 ffb424b0000000 ffb424b0000000 e8???????? }
            // n = 7, score = 400
            //   e8????????           |                     
            //   83c444               | add                 esp, 0x44
            //   6a00                 | push                0
            //   6841db0100           | push                0x1db41
            //   ffb424b0000000       | push                dword ptr [esp + 0xb0]
            //   ffb424b0000000       | push                dword ptr [esp + 0xb0]
            //   e8????????           |                     

        $sequence_5 = { 23c8 8bc1 c1e01a 29442420 8b442424 03c1 89442424 }
            // n = 7, score = 400
            //   23c8                 | and                 ecx, eax
            //   8bc1                 | mov                 eax, ecx
            //   c1e01a               | shl                 eax, 0x1a
            //   29442420             | sub                 dword ptr [esp + 0x20], eax
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]
            //   03c1                 | add                 eax, ecx
            //   89442424             | mov                 dword ptr [esp + 0x24], eax

        $sequence_6 = { eb08 e8???????? 8b4048 8d4c2410 51 ffd0 880437 }
            // n = 7, score = 400
            //   eb08                 | jmp                 0xa
            //   e8????????           |                     
            //   8b4048               | mov                 eax, dword ptr [eax + 0x48]
            //   8d4c2410             | lea                 ecx, [esp + 0x10]
            //   51                   | push                ecx
            //   ffd0                 | call                eax
            //   880437               | mov                 byte ptr [edi + esi], al

        $sequence_7 = { 33d0 03743c2c 8bc3 03742424 83c704 c1c802 33d0 }
            // n = 7, score = 400
            //   33d0                 | xor                 edx, eax
            //   03743c2c             | add                 esi, dword ptr [esp + edi + 0x2c]
            //   8bc3                 | mov                 eax, ebx
            //   03742424             | add                 esi, dword ptr [esp + 0x24]
            //   83c704               | add                 edi, 4
            //   c1c802               | ror                 eax, 2
            //   33d0                 | xor                 edx, eax

        $sequence_8 = { 8d2c8d00000000 23e9 8b4c2430 81f1ffffff03 f7d1 8bc1 8bdd }
            // n = 7, score = 400
            //   8d2c8d00000000       | lea                 ebp, [ecx*4]
            //   23e9                 | and                 ebp, ecx
            //   8b4c2430             | mov                 ecx, dword ptr [esp + 0x30]
            //   81f1ffffff03         | xor                 ecx, 0x3ffffff
            //   f7d1                 | not                 ecx
            //   8bc1                 | mov                 eax, ecx
            //   8bdd                 | mov                 ebx, ebp

        $sequence_9 = { ffb424d0000000 89442430 ffb424d0000000 89542438 e8???????? 6a00 6841db0100 }
            // n = 7, score = 400
            //   ffb424d0000000       | push                dword ptr [esp + 0xd0]
            //   89442430             | mov                 dword ptr [esp + 0x30], eax
            //   ffb424d0000000       | push                dword ptr [esp + 0xd0]
            //   89542438             | mov                 dword ptr [esp + 0x38], edx
            //   e8????????           |                     
            //   6a00                 | push                0
            //   6841db0100           | push                0x1db41

    condition:
        7 of them and filesize < 180224
}
[TLP:WHITE] win_mailto_w0   (20210224 | Detects the Netwalker ransomware)
rule win_mailto_w0 { 
    meta: 
        copyright = "(c) 2020 Crowdstrike Inc." 
        author = "Crowdstrike"
        description = "Detects the Netwalker ransomware" 
        reports = "CSIT-20081" 
        source = "https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf"
        version = "202004281747" 
        last_modified = "2020-04-28" 
        malware_family = "Netwalker" 
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto"
        malpedia_rule_date = "20210224"
        malpedia_hash = ""
        malpedia_version = "20210224"
        malpedia_sharing = "TLP:WHITE"
    strings: 
        $salsaconst = "expand 32-byte kexpand 16-byte k" 
        $ins_getapi = {55 8b ec a1 ?? ?? ?? ?? 5d c3} 
        $ins_crc32 = {25 20 83 b8 ed 33 d0} 
        $ins_push1137 = {68 39 05 00 00 68 69 7a 00 00} 
        $ins_rc4 = {8b 45 ( e? | f? ) 83 c0 01 33 d2 b9 00 01 00 00 f7 f1 89 55} 
        $in_c25519 = {6a 00 68 41 db 01 00} 
    condition: 
        3 of them
}
[TLP:WHITE] win_mailto_w1   (20210224 | Detects the Netwalker ransomware)
rule win_mailto_w1 { 
    meta: 
        copyright = "(c) 2020 Crowdstrike Inc." 
        author = "Crowdstrike"
        description = "Detects the Netwalker ransomware" 
        reports = "CSIT-20081" 
        source = "https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf"
        version = "202004281748" 
        last_modified = "2020-04-28" 
        malware_family = "Netwalker" 
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto"
        malpedia_rule_date = "20210224"
        malpedia_hash = ""
        malpedia_version = "20210224"
        malpedia_sharing = "TLP:WHITE"
    strings: 
        $ = "namesz" fullword 
        $ = "crmask" fullword 
        $ = "idsz" fullword 
        $ = "lend" fullword 
        $ = "lfile" fullword 
        $ = "mpk" fullword 
        $ = "namesz" fullword 
        $ = "pspath" fullword 
        $ = "rwsz" fullword 
        $ = "spsz" fullword 
        $ = "svcwait" fullword 
        $ = "unlocker" fullword 
        $ = "onion1" fullword 
    condition: 10 of them
}
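As an added example (stdlib-only Python, not code from Malpedia or CrowdStrike), the following re-implements just enough of YARA's matching semantics to show what the two CrowdStrike rules above actually key on: the win_mailto_w0 hex strings with full-byte wildcards (`??`), nibble wildcards (`e?`) and an alternation group, and the win_mailto_w1 `fullword` text strings. The instruction decodings in the comments were done by hand from the hex; the buffers are constructed here, not taken from real samples, and the JSON-shaped buffer for w1 is an assumption that the rule's strings are configuration keys.

```python
"""Minimal re-implementation of the YARA semantics used by win_mailto_w0/w1.
Added example; stdlib only. All test buffers below are constructed, not real samples."""
import re

# win_mailto_w0 hex strings, copied from the CrowdStrike rule on this page, with the
# x86 instructions they encode (decoded by hand for this example).
W0_HEX = {
    # push ebp; mov ebp,esp; mov eax,[imm32]; pop ebp; ret: getter for a resolved API pointer
    "$ins_getapi":   "55 8b ec a1 ?? ?? ?? ?? 5d c3",
    # and eax,0xEDB88320; xor edx,eax: reversed CRC-32 polynomial (API-name hashing)
    "$ins_crc32":    "25 20 83 b8 ed 33 d0",
    # push 0x539 (1337); push 0x7a69 (31337): hard-coded magic arguments
    "$ins_push1137": "68 39 05 00 00 68 69 7a 00 00",
    # mov eax,[ebp-x]; add eax,1; xor edx,edx; mov ecx,0x100; div ecx; mov [ebp-y],edx:
    # the (i+1) mod 256 step of RC4; the ebp displacement byte is a nibble wildcard
    "$ins_rc4":      "8b 45 ( e? | f? ) 83 c0 01 33 d2 b9 00 01 00 00 f7 f1 89 55",
    # push 0; push 0x1db41 (121665 = (486662-2)/4, the Curve25519 ladder constant a24)
    "$in_c25519":    "6a 00 68 41 db 01 00",
}
W0_TEXT = {"$salsaconst": b"expand 32-byte kexpand 16-byte k"}  # Salsa20/ChaCha sigma+tau
# win_mailto_w1 fullword strings, including the duplicated "namesz" exactly as published.
W1_WORDS = [b"namesz", b"crmask", b"idsz", b"lend", b"lfile", b"mpk", b"namesz",
            b"pspath", b"rwsz", b"spsz", b"svcwait", b"unlocker", b"onion1"]


def yara_hex_to_regex(body: str) -> re.Pattern:
    """Translate a YARA hex string body into a compiled bytes regex.
    Supports full-byte wildcards (??), nibble wildcards (e?, ?f) and
    alternation groups ( a | b ); jumps such as [2-4] are not needed here."""
    parts = []
    for tok in re.findall(r"\(|\)|\||[0-9a-fA-F?]{2}", body):
        if tok in ("(", ")", "|"):
            parts.append({"(": "(?:", ")": ")", "|": "|"}[tok])
        elif tok == "??":
            parts.append(".")
        elif "?" in tok:
            # Nibble wildcard: enumerate the 16 byte values it admits as a character class.
            hi, lo = tok.lower()
            vals = [b for b in range(256)
                    if (hi == "?" or b >> 4 == int(hi, 16))
                    and (lo == "?" or b & 0xF == int(lo, 16))]
            parts.append("[" + "".join(r"\x%02x" % b for b in vals) + "]")
        else:
            parts.append(r"\x%02x" % int(tok, 16))
    return re.compile("".join(parts).encode(), re.DOTALL)


def fullword_in(word: bytes, buf: bytes) -> bool:
    """YARA 'fullword': the match must not be preceded or followed by an alphanumeric
    byte (underscore is not alphanumeric, so 'namesz_x' still matches 'namesz')."""
    return re.search(rb"(?<![0-9A-Za-z])" + re.escape(word) + rb"(?![0-9A-Za-z])", buf) is not None


def match_w0(buf: bytes) -> dict:
    """{string name: matched?} for every string of win_mailto_w0."""
    hits = {n: yara_hex_to_regex(p).search(buf) is not None for n, p in W0_HEX.items()}
    hits.update({n: t in buf for n, t in W0_TEXT.items()})
    return hits


def w0_fires(buf: bytes) -> bool:
    """win_mailto_w0 condition: '3 of them'."""
    return sum(match_w0(buf).values()) >= 3


def w1_count(buf: bytes) -> int:
    """Number of w1 strings present; the duplicated 'namesz' counts twice, as in YARA."""
    return sum(fullword_in(w, buf) for w in W1_WORDS)


def w1_fires(buf: bytes) -> bool:
    """win_mailto_w1 condition: '10 of them'."""
    return w1_count(buf) >= 10


# Constructed buffers (not real samples): rule byte sequences between filler bytes.
SAMPLE_HIT = (b"\x90" * 16
              + bytes.fromhex("6a006841db0100")                       # $in_c25519
              + b"\xcc" * 8
              + bytes.fromhex("252083b8ed33d0")                       # $ins_crc32
              + b"\x00" * 8
              + bytes.fromhex("8b45f883c00133d2b900010000f7f18955")   # $ins_rc4 with [ebp-8]
              + b"\x90" * 16)
SAMPLE_MISS = (b"\x90" * 16
               + bytes.fromhex("8b45d883c00133d2b900010000f7f18955")  # d8 is outside (e?|f?)
               + W0_TEXT["$salsaconst"])                              # the only real hit
CONFIG_LIKE = (b'{"mpk":"MIIB","spsz":15,"namesz":8,"idsz":8,"crmask":["*.exe"],'
               b'"lend":"!","lfile":"{id}-Readme.txt","pspath":"","rwsz":0,'
               b'"svcwait":0,"unlocker":"","onion1":"example.onion"}')

if __name__ == "__main__":
    print("w0 on SAMPLE_HIT :", w0_fires(SAMPLE_HIT), match_w0(SAMPLE_HIT))
    print("w0 on SAMPLE_MISS:", w0_fires(SAMPLE_MISS))
    print("w1 on CONFIG_LIKE:", w1_fires(CONFIG_LIKE), w1_count(CONFIG_LIKE), "strings")
```

Two caveats this makes visible: the nibble wildcard in `$ins_rc4` only admits `[ebp-0x20]` through `[ebp-0x01]` displacements, so a compiler that places the RC4 index elsewhere on the stack silently misses that string, and the repeated `namesz` in win_mailto_w1 means the rule effectively needs 9 distinct keys plus `namesz` rather than 10 distinct strings. The same `yara_hex_to_regex` helper also accepts the compact `e8????????` form used by the autogenerated rule above.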