Mailto (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.mailto (Back to overview)

Mailto

aka: Koko Ransomware, NetWalker

VTCollection

There is no description at this point.

References

2022-03-31 ⋅ Trellix ⋅ Jambul Tologonov, John Fokker
Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot

2022-03-17 ⋅ Sophos ⋅ Tilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker

2022-02-11 ⋅ Github (0x00-0x7f) ⋅ Sadia Bashir
Netwalker: from Powershell reflective loader to injected dll
Mailto

2022-02-08 ⋅ FBI ⋅ FBI
Statement of Facts Supporting the Provisional Arrest of Sebastien Vachon-Desiardins
Mailto

2022-02-08 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
NetWalker ransomware affiliate sentenced to 80 months in prison
Mailto

2021-10-12 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team
ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity
Babuk BlackMatter DarkSide REvil Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil

2021-09-03 ⋅ Seguranca Informatica ⋅ Pedro Tavares
Netwalker ransomware full analysis
Mailto

2021-07-09 ⋅ The Record ⋅ Catalin Cimpanu
Ransomwhere project wants to create a database of past ransomware payments
Egregor Mailto Maze REvil

2021-06-10 ⋅ ZEIT Online ⋅ Astrid Geisler, Herwig G. Höller, Karsten Polke-Majewski, Von Kai Biermann, Zachary Kamel
On the Trail of the Internet Extortionists
Emotet Mailto

2021-05-26 ⋅ DeepInstinct ⋅ Ron Ben Yizhak
A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader

2021-05-18 ⋅ Bleeping Computer ⋅ Ionut Ilascu
DarkSide ransomware made $90 million in just nine months
DarkSide DarkSide Egregor Gandcrab Mailto Maze REvil Ryuk

2021-05-18 ⋅ The Record ⋅ Catalin Cimpanu
Darkside gang estimated to have made over $90 million from ransomware attacks
DarkSide DarkSide Mailto Maze REvil Ryuk

2021-05-10 ⋅ DarkTracer ⋅ DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX

2021-05-06 ⋅ Cyborg Security ⋅ Brandon Denker
Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX

2021-04-26 ⋅ CoveWare ⋅ CoveWare
Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt

2021-04-12 ⋅ PTSecurity ⋅ PTSecurity
PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader

2021-03-17 ⋅ Palo Alto Networks Unit 42 ⋅ Unit42
Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker

2021-03-05 ⋅ Blackberry ⋅ Codi Starks, Kevin Finnigin
ZeroLogon to Ransomware
Mailto

2021-02-28 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2021-02-17 ⋅ YouTube (AGDC Services) ⋅ AGDC Services
How Malware Can Resolve APIs By Hash
Emotet Mailto

2021-02-16 ⋅ Cybereason ⋅ Tom Fakterman
Cybereason vs. NetWalker Ransomware
Mailto

2021-02-11 ⋅ CrowdStrike ⋅ Radu Vlad
Press #1 to Play: A Look Into eCrime Menu-style Toolkits
Mailto CIRCUS SPIDER

2021-02-11 ⋅ CTI LEAGUE ⋅ CTI LEAGUE
CTIL Darknet Report – 2021
Conti Mailto Maze REvil Ryuk

2021-01-27 ⋅ Department of Justice ⋅ Department of Justice
Department of Justice Launches Global Action Against NetWalker Ransomware
Mailto

2021-01-27 ⋅ KrebsOnSecurity ⋅ Brian Krebs
Arrest, Seizures Tied to Netwalker Ransomware
Mailto

2021-01-27 ⋅ Department of Justice ⋅ Department of Justice
INDICTMENT of SEBASTIEN VACHON-DESJARDINS for using Netwalker ransomware to commit crime
Mailto

2020-11-16 ⋅ Intel 471 ⋅ Intel 471
Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX

2020-11-06 ⋅ ⋅ Cert-AgID ⋅ Incident Reponse Team
Netwalker Ransomware
Mailto

2020-10-27 ⋅ Bleeping Computer ⋅ Ionut Ilascu
Enel Group hit by ransomware again, Netwalker demands $14 million
Mailto

2020-10-23 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab
Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt

2020-10-01 ⋅ KELA ⋅ Victoria Kivilevich
To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem
Conti DoppelPaymer Mailto Maze REvil Ryuk SunCrypt

2020-09-29 ⋅ PWC UK ⋅ Andy Auld
What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker

2020-09-29 ⋅ Microsoft ⋅ Microsoft
Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot

2020-09-24 ⋅ Kaspersky Labs ⋅ Kaspersky Lab ICS CERT
Threat landscape for industrial automation systems - H1 2020
Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake

2020-09-08 ⋅ Lopqto's Adventures ⋅ Hamidreza Babaee
Automated dynamic import resolving using binary emulation
Mailto

2020-09-03 ⋅ ZenGo ⋅ Tal Be'ery
The Bitcoin Ransomware Detective Strikes Again: The UCSF Case
Mailto

2020-09-01 ⋅ Cisco Talos ⋅ Caitlin Huey, David Liebenberg
Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk

2020-08-31 ⋅ The DFIR Report ⋅ The DFIR Report
NetWalker Ransomware in 1 Hour
Cobalt Strike Mailto MimiKatz

2020-08-25 ⋅ KELA ⋅ Victoria Kivilevich
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet

2020-08-03 ⋅ McAfee ⋅ ATR Operational Intelligence Team
Take a “NetWalk” on the Wild Side
Mailto

2020-08-01 ⋅ Temple University ⋅ CARE
Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor

2020-07-29 ⋅ ESET Research ⋅ welivesecurity
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor

2020-07-28 ⋅ FBI ⋅ FBI
Indicators Associated with Netwalker Ransomware
Mailto

2020-06-26 ⋅ USCF ⋅ USCF
Update on IT Security Incident at UCSF
Mailto

2020-06-10 ⋅ CrowdStrike ⋅ CrowdStrike
CSIT-20081 : Technical Analysis Of The Netwalker Ransomware
Mailto CIRCUS SPIDER

2020-06-05 ⋅ Github (DanusMinimus) ⋅ Dan Lisichkin
Zero2Auto - Netwalker Walk through
Mailto

2020-05-28 ⋅ BleepingComputer ⋅ Ionut Ilascu
Michigan State University network breached in ransomware attack
Mailto

2020-05-27 ⋅ SophosLabs ⋅ Andrew Brandt, Gabor Szappanos
Netwalker ransomware tools give insight into threat actor
Mailto

2020-05-19 ⋅ zero2auto ⋅ Vitali Kremez
Netwalker Ransomware - From Static Reverse Engineering to Automatic Extraction
Mailto

2020-05-19 ⋅ Advanced Intelligence ⋅ Advanced Intelligence, Bridgit Sullivan, Daniel Frey
NetWalker Ransomware Group Enters Advanced Targeting “Game”
Mailto

2020-05-18 ⋅ Trend Micro ⋅ Karen Victor
Netwalker Fileless Ransomware Injected via Reflective Loading
Mailto

2020-05-14 ⋅ tccontre Blog ⋅ tcontre
Netwalker Ransomware: [API Call Obfuscation (using Structure) and Evading Memory Forensic]
Mailto

2020-04-28 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team
Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise RagnarLocker REvil RobinHood

2020-04-10 ⋅ Trustwave ⋅ Joshua Deacon, Lloyd Macrohon
An In-depth Look at MailTo Ransomware, Part Three of Three
Mailto

2020-04-08 ⋅ ⋅ INCIBE-CERT ⋅ INCIBE
Ransomware NetWalker: análisis y medidas preventivas
Mailto

2020-04-08 ⋅ Trustwave ⋅ Joshua Deacon, Lloyd Macrohon
An In-depth Look at MailTo Ransomware, Part Two of Three
Mailto

2020-03-31 ⋅ Trustwave ⋅ Joshua Deacon, Lloyd Macrohon
An In-depth Look at MailTo Ransomware, Part One of Three
Mailto

2020-03-21 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Netwalker Ransomware Infecting Users via Coronavirus Phishing
Mailto

2020-02-05 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Mailto (NetWalker) Ransomware Targets Enterprise Networks
Mailto

2019-09-05 ⋅ ⋅ ID Ransomware ⋅ Andrew Ivanov
Netwalker Ransomware
Mailto

Yara Rules

[TLP:WHITE] win_mailto_auto (20251219 | Detects win.mailto.)

rule win_mailto_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.mailto."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 57 e8???????? 56 ffb42498050000 8d8424e8010000 50 }
            // n = 6, score = 400
            //   57                   | push                edi
            //   e8????????           |                     
            //   56                   | push                esi
            //   ffb42498050000       | push                dword ptr [esp + 0x598]
            //   8d8424e8010000       | lea                 eax, [esp + 0x1e8]
            //   50                   | push                eax

        $sequence_1 = { 8bce d1ee 83e101 f7d9 81e12083b8ed 33ce 8bd1 }
            // n = 7, score = 400
            //   8bce                 | mov                 ecx, esi
            //   d1ee                 | shr                 esi, 1
            //   83e101               | and                 ecx, 1
            //   f7d9                 | neg                 ecx
            //   81e12083b8ed         | and                 ecx, 0xedb88320
            //   33ce                 | xor                 ecx, esi
            //   8bd1                 | mov                 edx, ecx

        $sequence_2 = { 7434 a1???????? 8d048504000000 50 ff35???????? e8???????? 83c408 }
            // n = 7, score = 400
            //   7434                 | je                  0x36
            //   a1????????           |                     
            //   8d048504000000       | lea                 eax, [eax*4 + 4]
            //   50                   | push                eax
            //   ff35????????         |                     
            //   e8????????           |                     
            //   83c408               | add                 esp, 8

        $sequence_3 = { b938000000 8d3c32 2bca 33c0 8bd1 c1e902 f3ab }
            // n = 7, score = 400
            //   b938000000           | mov                 ecx, 0x38
            //   8d3c32               | lea                 edi, [edx + esi]
            //   2bca                 | sub                 ecx, edx
            //   33c0                 | xor                 eax, eax
            //   8bd1                 | mov                 edx, ecx
            //   c1e902               | shr                 ecx, 2
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax

        $sequence_4 = { 47 ff742418 897c2420 6a03 e8???????? 8bf0 }
            // n = 6, score = 400
            //   47                   | inc                 edi
            //   ff742418             | push                dword ptr [esp + 0x18]
            //   897c2420             | mov                 dword ptr [esp + 0x20], edi
            //   6a03                 | push                3
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax

        $sequence_5 = { 83c614 ff36 e8???????? 83c404 8d7620 83ed01 75ee }
            // n = 7, score = 400
            //   83c614               | add                 esi, 0x14
            //   ff36                 | push                dword ptr [esi]
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8d7620               | lea                 esi, [esi + 0x20]
            //   83ed01               | sub                 ebp, 1
            //   75ee                 | jne                 0xfffffff0

        $sequence_6 = { 8d4010 0f104406f0 660fefc1 0f1140f0 83e901 75eb }
            // n = 6, score = 400
            //   8d4010               | lea                 eax, [eax + 0x10]
            //   0f104406f0           | movups              xmm0, xmmword ptr [esi + eax - 0x10]
            //   660fefc1             | pxor                xmm0, xmm1
            //   0f1140f0             | movups              xmmword ptr [eax - 0x10], xmm0
            //   83e901               | sub                 ecx, 1
            //   75eb                 | jne                 0xffffffed

        $sequence_7 = { 6a00 6a02 ffd0 85c0 0f8517020000 53 55 }
            // n = 7, score = 400
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   ffd0                 | call                eax
            //   85c0                 | test                eax, eax
            //   0f8517020000         | jne                 0x21d
            //   53                   | push                ebx
            //   55                   | push                ebp

        $sequence_8 = { 0f1f4000 8b840c54030000 01440c0c 8b840c58030000 11440c10 8b840c5c030000 01440c14 }
            // n = 7, score = 400
            //   0f1f4000             | nop                 dword ptr [eax]
            //   8b840c54030000       | mov                 eax, dword ptr [esp + ecx + 0x354]
            //   01440c0c             | add                 dword ptr [esp + ecx + 0xc], eax
            //   8b840c58030000       | mov                 eax, dword ptr [esp + ecx + 0x358]
            //   11440c10             | adc                 dword ptr [esp + ecx + 0x10], eax
            //   8b840c5c030000       | mov                 eax, dword ptr [esp + ecx + 0x35c]
            //   01440c14             | add                 dword ptr [esp + ecx + 0x14], eax

        $sequence_9 = { d1ea 83e101 f7d9 81e12083b8ed 33ca 8bd1 d1e9 }
            // n = 7, score = 400
            //   d1ea                 | shr                 edx, 1
            //   83e101               | and                 ecx, 1
            //   f7d9                 | neg                 ecx
            //   81e12083b8ed         | and                 ecx, 0xedb88320
            //   33ca                 | xor                 ecx, edx
            //   8bd1                 | mov                 edx, ecx
            //   d1e9                 | shr                 ecx, 1

    condition:
        7 of them and filesize < 180224
}

[TLP:WHITE] win_mailto_w0 (20210224 | Detects the Netwalker ransomware)

rule win_mailto_w0 { 
    meta: 
        copyright = "(c) 2020 Crowdstrike Inc." 
        author = "Crowdstrike"
        description = "Detects the Netwalker ransomware" 
        reports = "CSIT-20081" 
        source = "https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf"
        version = "202004281747" 
        last_modified = "2020-04-28" 
        malware_family = "Netwalker" 
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto"
        malpedia_rule_date = "20210224"
        malpedia_hash = ""
        malpedia_version = "20210224"
        malpedia_sharing = "TLP:WHITE"
    strings: 
        $salsaconst = "expand 32-byte kexpand 16-byte k" 
        $ins_getapi = {55 8b ec a1 ?? ?? ?? ?? 5d c3} 
        $ins_crc32 = {25 20 83 b8 ed 33 d0} 
        $ins_push1137 = {68 39 05 00 00 68 69 7a 00 00} 
        $ins_rc4 = {8b 45 ( e? | f? ) 83 c0 01 33 d2 b9 00 01 00 00 f7 f1 89 55} 
        $in_c25519 = {6a 00 68 41 db 01 00} 
    condition: 
        3 of them
}

[TLP:WHITE] win_mailto_w1 (20210224 | Detects the Netwalker ransomware)

rule win_mailto_w1 { 
    meta: 
        copyright = "(c) 2020 Crowdstrike Inc." 
        author = "Crowdstrike"
        description = "Detects the Netwalker ransomware" 
        reports = "CSIT-20081" 
        source = "https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf"
        version = "202004281748" 
        last_modified = "2020-04-28" 
        malware_family = "Netwalker" 
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto"
        malpedia_rule_date = "20210224"
        malpedia_hash = ""
        malpedia_version = "20210224"
        malpedia_sharing = "TLP:WHITE"
    strings: 
        $ = "namesz" fullword 
        $ = "crmask" fullword 
        $ = "idsz" fullword 
        $ = "lend" fullword 
        $ = "lfile" fullword 
        $ = "mpk" fullword 
        $ = "namesz" fullword 
        $ = "pspath" fullword 
        $ = "rwsz" fullword 
        $ = "spsz" fullword 
        $ = "svcwait" fullword 
        $ = "unlocker" fullword 
        $ = "onion1" fullword 
    condition: 10 of them
}

Download all Yara Rules

Mailto Propose Change

References

Yara Rules

Mailto