SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mailto (Back to overview)

Mailto

aka: Koko Ransomware, NetWalker

There is no description at this point.

References
2020-08-03McAfeeATR Operational Intelligence Team
@online{team:20200803:take:74e0288, author = {ATR Operational Intelligence Team}, title = {{Take a “NetWalk” on the Wild Side}}, date = {2020-08-03}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/take-a-netwalk-on-the-wild-side/}, language = {English}, urldate = {2020-08-14} } Take a “NetWalk” on the Wild Side
Mailto
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
2020-06-10CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200610:csit20081:a09522b, author = {CrowdStrike}, title = {{CSIT-20081 : Technical Analysis Of The Netwalker Ransomware}}, date = {2020-06-10}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf}, language = {English}, urldate = {2020-07-23} } CSIT-20081 : Technical Analysis Of The Netwalker Ransomware
Mailto
2020-06-05Github (DanusMinimus)Dan Lisichkin
@online{lisichkin:20200605:zero2auto:ecc4713, author = {Dan Lisichkin}, title = {{Zero2Auto - Netwalker Walk through}}, date = {2020-06-05}, organization = {Github (DanusMinimus)}, url = {https://danusminimus.github.io/Zero2Auto-Netwalker-Walkthrough/}, language = {English}, urldate = {2020-06-08} } Zero2Auto - Netwalker Walk through
Mailto
2020-05-28BleepingComputerIonut Ilascu
@online{ilascu:20200528:michigan:a52712f, author = {Ionut Ilascu}, title = {{Michigan State University network breached in ransomware attack}}, date = {2020-05-28}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/michigan-state-university-network-breached-in-ransomware-attack/}, language = {English}, urldate = {2020-05-29} } Michigan State University network breached in ransomware attack
Mailto
2020-05-27SophosLabsGabor Szappanos, Andrew Brandt
@online{szappanos:20200527:netwalker:941731e, author = {Gabor Szappanos and Andrew Brandt}, title = {{Netwalker ransomware tools give insight into threat actor}}, date = {2020-05-27}, organization = {SophosLabs}, url = {https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/}, language = {English}, urldate = {2020-05-29} } Netwalker ransomware tools give insight into threat actor
Mailto
2020-05-19zero2autoVitali Kremez
@online{kremez:20200519:netwalker:7ad1e7c, author = {Vitali Kremez}, title = {{Netwalker Ransomware - From Static Reverse Engineering to Automatic Extraction}}, date = {2020-05-19}, organization = {zero2auto}, url = {https://zero2auto.com/2020/05/19/netwalker-re/}, language = {English}, urldate = {2020-06-02} } Netwalker Ransomware - From Static Reverse Engineering to Automatic Extraction
Mailto
2020-05-19Advanced IntelligenceAdvanced Intelligence, Bridgit Sullivan, Daniel Frey
@online{intelligence:20200519:netwalker:4681272, author = {Advanced Intelligence and Bridgit Sullivan and Daniel Frey}, title = {{NetWalker Ransomware Group Enters Advanced Targeting “Game”}}, date = {2020-05-19}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/netwalker-ransomware-group-enters-advanced-targeting-game}, language = {English}, urldate = {2020-05-23} } NetWalker Ransomware Group Enters Advanced Targeting “Game”
Mailto
2020-05-18Trend MicroKaren Victor
@online{victor:20200518:netwalker:91f6d65, author = {Karen Victor}, title = {{Netwalker Fileless Ransomware Injected via Reflective Loading}}, date = {2020-05-18}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/}, language = {English}, urldate = {2020-05-20} } Netwalker Fileless Ransomware Injected via Reflective Loading
Mailto
2020-05-14tccontre Blogtcontre
@online{tcontre:20200514:netwalker:eabf178, author = {tcontre}, title = {{Netwalker Ransomware: [API Call Obfuscation (using Structure) and Evading Memory Forensic]}}, date = {2020-05-14}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2020/05/netwalker-ransomware-api-call.html}, language = {English}, urldate = {2020-05-19} } Netwalker Ransomware: [API Call Obfuscation (using Structure) and Evading Memory Forensic]
Mailto
2020-04-28MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200428:ransomware:3205f3a, author = {Microsoft Threat Protection Intelligence Team}, title = {{Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk}}, date = {2020-04-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/}, language = {English}, urldate = {2020-05-05} } Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise Ransomware RagnarLocker REvil RobinHood
2020-04-10TrustwaveJoshua Deacon, Lloyd Macrohon
@online{deacon:20200410:indepth:13fc66f, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part Three of Three}}, date = {2020-04-10}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-three-of-three/}, language = {English}, urldate = {2020-04-14} } An In-depth Look at MailTo Ransomware, Part Three of Three
Mailto
2020-04-08TrustwaveJoshua Deacon, Lloyd Macrohon
@online{deacon:20200408:indepth:c6628d7, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part Two of Three}}, date = {2020-04-08}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/}, language = {English}, urldate = {2020-04-14} } An In-depth Look at MailTo Ransomware, Part Two of Three
Mailto
2020-04-08INCIBE-CERTINCIBE
@online{incibe:20200408:ransomware:61b8c41, author = {INCIBE}, title = {{Ransomware NetWalker: análisis y medidas preventivas}}, date = {2020-04-08}, organization = {INCIBE-CERT}, url = {https://www.incibe-cert.es/blog/ransomware-netwalker-analisis-y-medidas-preventivas}, language = {Spanish}, urldate = {2020-04-14} } Ransomware NetWalker: análisis y medidas preventivas
Mailto
2020-03-31TrustwaveJoshua Deacon, Lloyd Macrohon
@online{deacon:20200331:indepth:3719ebb, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part One of Three}}, date = {2020-03-31}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-one-of-three/}, language = {English}, urldate = {2020-04-14} } An In-depth Look at MailTo Ransomware, Part One of Three
Mailto
2020-03-21Bleeping ComputerLawrence Abrams
@online{abrams:20200321:netwalker:5d2936c, author = {Lawrence Abrams}, title = {{Netwalker Ransomware Infecting Users via Coronavirus Phishing}}, date = {2020-03-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecting-users-via-coronavirus-phishing/}, language = {English}, urldate = {2020-03-22} } Netwalker Ransomware Infecting Users via Coronavirus Phishing
Mailto
2020-02-05Bleeping ComputerLawrence Abrams
@online{abrams:20200205:mailto:3027008, author = {Lawrence Abrams}, title = {{Mailto (NetWalker) Ransomware Targets Enterprise Networks}}, date = {2020-02-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/}, language = {English}, urldate = {2020-02-11} } Mailto (NetWalker) Ransomware Targets Enterprise Networks
Mailto
2019-09-05ID RansomwareAndrew Ivanov
@online{ivanov:20190905:netwalker:902cacb, author = {Andrew Ivanov}, title = {{Netwalker Ransomware}}, date = {2019-09-05}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/09/koko-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } Netwalker Ransomware
Mailto
Yara Rules
[TLP:WHITE] win_mailto_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_mailto_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b4b10 85c9 743a 8b4314 85c0 7433 }
            // n = 6, score = 400
            //   8b4b10               | mov                 ecx, dword ptr [ebx + 0x10]
            //   85c9                 | test                ecx, ecx
            //   743a                 | je                  0x3c
            //   8b4314               | mov                 eax, dword ptr [ebx + 0x14]
            //   85c0                 | test                eax, eax
            //   7433                 | je                  0x35

        $sequence_1 = { 8d4878 a1???????? ff3406 8b01 ffd0 8b0d???????? 47 }
            // n = 7, score = 400
            //   8d4878               | lea                 ecx, [eax + 0x78]
            //   a1????????           |                     
            //   ff3406               | push                dword ptr [esi + eax]
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   ffd0                 | call                eax
            //   8b0d????????         |                     
            //   47                   | inc                 edi

        $sequence_2 = { 55 8b6c240c 56 8b03 f7e8 57 894500 }
            // n = 7, score = 400
            //   55                   | push                ebp
            //   8b6c240c             | mov                 ebp, dword ptr [esp + 0xc]
            //   56                   | push                esi
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   f7e8                 | imul                eax
            //   57                   | push                edi
            //   894500               | mov                 dword ptr [ebp], eax

        $sequence_3 = { 57 33ff 837c241cff 0f849d000000 8b742420 85f6 0f8491000000 }
            // n = 7, score = 400
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   837c241cff           | cmp                 dword ptr [esp + 0x1c], -1
            //   0f849d000000         | je                  0xa3
            //   8b742420             | mov                 esi, dword ptr [esp + 0x20]
            //   85f6                 | test                esi, esi
            //   0f8491000000         | je                  0x97

        $sequence_4 = { 8b44241c 5f c60100 8b4c241c }
            // n = 4, score = 400
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   5f                   | pop                 edi
            //   c60100               | mov                 byte ptr [ecx], 0
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]

        $sequence_5 = { e8???????? 83c40c 85c0 741a 8b4f14 56 51 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   741a                 | je                  0x1c
            //   8b4f14               | mov                 ecx, dword ptr [edi + 0x14]
            //   56                   | push                esi
            //   51                   | push                ecx

        $sequence_6 = { 6800040000 ff7344 e8???????? 83c408 8944241c 85c0 }
            // n = 6, score = 400
            //   6800040000           | push                0x400
            //   ff7344               | push                dword ptr [ebx + 0x44]
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   85c0                 | test                eax, eax

        $sequence_7 = { 8b4348 f7e8 0fa4c201 03c0 898590000000 899594000000 5d }
            // n = 7, score = 400
            //   8b4348               | mov                 eax, dword ptr [ebx + 0x48]
            //   f7e8                 | imul                eax
            //   0fa4c201             | shld                edx, eax, 1
            //   03c0                 | add                 eax, eax
            //   898590000000         | mov                 dword ptr [ebp + 0x90], eax
            //   899594000000         | mov                 dword ptr [ebp + 0x94], edx
            //   5d                   | pop                 ebp

        $sequence_8 = { 8bc6 33c2 c1c007 89842488000000 89442460 8bc5 3384249c000000 }
            // n = 7, score = 400
            //   8bc6                 | mov                 eax, esi
            //   33c2                 | xor                 eax, edx
            //   c1c007               | rol                 eax, 7
            //   89842488000000       | mov                 dword ptr [esp + 0x88], eax
            //   89442460             | mov                 dword ptr [esp + 0x60], eax
            //   8bc5                 | mov                 eax, ebp
            //   3384249c000000       | xor                 eax, dword ptr [esp + 0x9c]

        $sequence_9 = { 56 c744241c00000000 0f844e020000 8b6c243c 85ed 0f8442020000 8b742440 }
            // n = 7, score = 400
            //   56                   | push                esi
            //   c744241c00000000     | mov                 dword ptr [esp + 0x1c], 0
            //   0f844e020000         | je                  0x254
            //   8b6c243c             | mov                 ebp, dword ptr [esp + 0x3c]
            //   85ed                 | test                ebp, ebp
            //   0f8442020000         | je                  0x248
            //   8b742440             | mov                 esi, dword ptr [esp + 0x40]

    condition:
        7 of them and filesize < 180224
}
Download all Yara Rules