SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mailto (Back to overview)

Mailto

aka: Koko Ransomware, NetWalker
VTCollection    

There is no description at this point.

References
2022-03-31TrellixJambul Tologonov, John Fokker
Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2022-03-17SophosTilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-02-11Github (0x00-0x7f)Sadia Bashir
Netwalker: from Powershell reflective loader to injected dll
Mailto
2022-02-08FBIFBI
Statement of Facts Supporting the Provisional Arrest of Sebastien Vachon-Desiardins
Mailto
2022-02-08Bleeping ComputerSergiu Gatlan
NetWalker ransomware affiliate sentenced to 80 months in prison
Mailto
2021-10-12CrowdStrikeCrowdStrike Intelligence Team
ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity
Babuk BlackMatter DarkSide REvil Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil
2021-09-03Seguranca InformaticaPedro Tavares
Netwalker ransomware full analysis
Mailto
2021-07-09The RecordCatalin Cimpanu
Ransomwhere project wants to create a database of past ransomware payments
Egregor Mailto Maze REvil
2021-06-10ZEIT OnlineAstrid Geisler, Herwig G. Höller, Karsten Polke-Majewski, Von Kai Biermann, Zachary Kamel
On the Trail of the Internet Extortionists
Emotet Mailto
2021-05-26DeepInstinctRon Ben Yizhak
A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader
2021-05-18Bleeping ComputerIonut Ilascu
DarkSide ransomware made $90 million in just nine months
DarkSide DarkSide Egregor Gandcrab Mailto Maze REvil Ryuk
2021-05-18The RecordCatalin Cimpanu
Darkside gang estimated to have made over $90 million from ransomware attacks
DarkSide DarkSide Mailto Maze REvil Ryuk
2021-05-10DarkTracerDarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-06Cyborg SecurityBrandon Denker
Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-04-26CoveWareCoveWare
Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-12PTSecurityPTSecurity
PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-03-17Palo Alto Networks Unit 42Unit42
Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker
2021-03-05BlackberryCodi Starks, Kevin Finnigin
ZeroLogon to Ransomware
Mailto
2021-02-28PWC UKPWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-23CrowdStrikeCrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-17YouTube (AGDC Services)AGDC Services
How Malware Can Resolve APIs By Hash
Emotet Mailto
2021-02-16CybereasonTom Fakterman
Cybereason vs. NetWalker Ransomware
Mailto
2021-02-11CrowdStrikeRadu Vlad
Press #1 to Play: A Look Into eCrime Menu-style Toolkits
Mailto CIRCUS SPIDER
2021-02-11CTI LEAGUECTI LEAGUE
CTIL Darknet Report – 2021
Conti Mailto Maze REvil Ryuk
2021-01-27Department of JusticeDepartment of Justice
Department of Justice Launches Global Action Against NetWalker Ransomware
Mailto
2021-01-27KrebsOnSecurityBrian Krebs
Arrest, Seizures Tied to Netwalker Ransomware
Mailto
2021-01-27Department of JusticeDepartment of Justice
INDICTMENT of SEBASTIEN VACHON-DESJARDINS for using Netwalker ransomware to commit crime
Mailto
2020-11-16Intel 471Intel 471
Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-11-06Cert-AgIDIncident Reponse Team
Netwalker Ransomware
Mailto
2020-10-27Bleeping ComputerIonut Ilascu
Enel Group hit by ransomware again, Netwalker demands $14 million
Mailto
2020-10-23HornetsecurityHornetsecurity Security Lab
Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-10-01KELAVictoria Kivilevich
To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem
Conti DoppelPaymer Mailto Maze REvil Ryuk SunCrypt
2020-09-29PWC UKAndy Auld
What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker
2020-09-29MicrosoftMicrosoft
Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot
2020-09-24Kaspersky LabsKaspersky Lab ICS CERT
Threat landscape for industrial automation systems - H1 2020
Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake
2020-09-08Lopqto's AdventuresHamidreza Babaee
Automated dynamic import resolving using binary emulation
Mailto
2020-09-03ZenGoTal Be'ery
The Bitcoin Ransomware Detective Strikes Again: The UCSF Case
Mailto
2020-09-01Cisco TalosCaitlin Huey, David Liebenberg
Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk
2020-08-31The DFIR ReportThe DFIR Report
NetWalker Ransomware in 1 Hour
Cobalt Strike Mailto MimiKatz
2020-08-25KELAVictoria Kivilevich
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-08-03McAfeeATR Operational Intelligence Team
Take a “NetWalk” on the Wild Side
Mailto
2020-08-01Temple UniversityCARE
Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-07-29ESET Researchwelivesecurity
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-28FBIFBI
Indicators Associated with Netwalker Ransomware
Mailto
2020-06-26USCFUSCF
Update on IT Security Incident at UCSF
Mailto
2020-06-10CrowdStrikeCrowdStrike
CSIT-20081 : Technical Analysis Of The Netwalker Ransomware
Mailto CIRCUS SPIDER
2020-06-05Github (DanusMinimus)Dan Lisichkin
Zero2Auto - Netwalker Walk through
Mailto
2020-05-28BleepingComputerIonut Ilascu
Michigan State University network breached in ransomware attack
Mailto
2020-05-27SophosLabsAndrew Brandt, Gabor Szappanos
Netwalker ransomware tools give insight into threat actor
Mailto
2020-05-19zero2autoVitali Kremez
Netwalker Ransomware - From Static Reverse Engineering to Automatic Extraction
Mailto
2020-05-19Advanced IntelligenceAdvanced Intelligence, Bridgit Sullivan, Daniel Frey
NetWalker Ransomware Group Enters Advanced Targeting “Game”
Mailto
2020-05-18Trend MicroKaren Victor
Netwalker Fileless Ransomware Injected via Reflective Loading
Mailto
2020-05-14tccontre Blogtcontre
Netwalker Ransomware: [API Call Obfuscation (using Structure) and Evading Memory Forensic]
Mailto
2020-04-28MicrosoftMicrosoft Threat Protection Intelligence Team
Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise RagnarLocker REvil RobinHood
2020-04-10TrustwaveJoshua Deacon, Lloyd Macrohon
An In-depth Look at MailTo Ransomware, Part Three of Three
Mailto
2020-04-08INCIBE-CERTINCIBE
Ransomware NetWalker: análisis y medidas preventivas
Mailto
2020-04-08TrustwaveJoshua Deacon, Lloyd Macrohon
An In-depth Look at MailTo Ransomware, Part Two of Three
Mailto
2020-03-31TrustwaveJoshua Deacon, Lloyd Macrohon
An In-depth Look at MailTo Ransomware, Part One of Three
Mailto
2020-03-21Bleeping ComputerLawrence Abrams
Netwalker Ransomware Infecting Users via Coronavirus Phishing
Mailto
2020-02-05Bleeping ComputerLawrence Abrams
Mailto (NetWalker) Ransomware Targets Enterprise Networks
Mailto
2019-09-05ID RansomwareAndrew Ivanov
Netwalker Ransomware
Mailto
Yara Rules
[TLP:WHITE] win_mailto_auto (20230808 | Detects win.mailto.)
rule win_mailto_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.mailto."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 47 3bfb 7297 8b44241c 8930 8b442420 85c0 }
            // n = 7, score = 400
            //   47                   | inc                 edi
            //   3bfb                 | cmp                 edi, ebx
            //   7297                 | jb                  0xffffff99
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   8930                 | mov                 dword ptr [eax], esi
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   85c0                 | test                eax, eax

        $sequence_1 = { 83c404 85f6 7429 85ed 7419 8b742414 }
            // n = 6, score = 400
            //   83c404               | add                 esp, 4
            //   85f6                 | test                esi, esi
            //   7429                 | je                  0x2b
            //   85ed                 | test                ebp, ebp
            //   7419                 | je                  0x1b
            //   8b742414             | mov                 esi, dword ptr [esp + 0x14]

        $sequence_2 = { 8b442418 8938 8b44241c 85c0 7402 8930 }
            // n = 6, score = 400
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   8938                 | mov                 dword ptr [eax], edi
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   85c0                 | test                eax, eax
            //   7402                 | je                  4
            //   8930                 | mov                 dword ptr [eax], esi

        $sequence_3 = { 55 56 57 8b7c2424 c744241400000000 85ff 7457 }
            // n = 7, score = 400
            //   55                   | push                ebp
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7c2424             | mov                 edi, dword ptr [esp + 0x24]
            //   c744241400000000     | mov                 dword ptr [esp + 0x14], 0
            //   85ff                 | test                edi, edi
            //   7457                 | je                  0x59

        $sequence_4 = { 85f6 0f8477010000 e8???????? 3b7014 0f8469010000 8b0d???????? 85c9 }
            // n = 7, score = 400
            //   85f6                 | test                esi, esi
            //   0f8477010000         | je                  0x17d
            //   e8????????           |                     
            //   3b7014               | cmp                 esi, dword ptr [eax + 0x14]
            //   0f8469010000         | je                  0x16f
            //   8b0d????????         |                     
            //   85c9                 | test                ecx, ecx

        $sequence_5 = { 8b08 ff5130 85c0 7822 ff74242c e8???????? }
            // n = 6, score = 400
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   ff5130               | call                dword ptr [ecx + 0x30]
            //   85c0                 | test                eax, eax
            //   7822                 | js                  0x24
            //   ff74242c             | push                dword ptr [esp + 0x2c]
            //   e8????????           |                     

        $sequence_6 = { 897c242c 8bc8 89442420 c1f81a c1f91f 23c8 8bc1 }
            // n = 7, score = 400
            //   897c242c             | mov                 dword ptr [esp + 0x2c], edi
            //   8bc8                 | mov                 ecx, eax
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   c1f81a               | sar                 eax, 0x1a
            //   c1f91f               | sar                 ecx, 0x1f
            //   23c8                 | and                 ecx, eax
            //   8bc1                 | mov                 eax, ecx

        $sequence_7 = { 40 eb64 83ff01 7522 0fb6d1 bf02000000 83e203 }
            // n = 7, score = 400
            //   40                   | inc                 eax
            //   eb64                 | jmp                 0x66
            //   83ff01               | cmp                 edi, 1
            //   7522                 | jne                 0x24
            //   0fb6d1               | movzx               edx, cl
            //   bf02000000           | mov                 edi, 2
            //   83e203               | and                 edx, 3

        $sequence_8 = { 0fb6466b 884118 0fb6466f 88411c 0fb64652 884101 0fb64656 }
            // n = 7, score = 400
            //   0fb6466b             | movzx               eax, byte ptr [esi + 0x6b]
            //   884118               | mov                 byte ptr [ecx + 0x18], al
            //   0fb6466f             | movzx               eax, byte ptr [esi + 0x6f]
            //   88411c               | mov                 byte ptr [ecx + 0x1c], al
            //   0fb64652             | movzx               eax, byte ptr [esi + 0x52]
            //   884101               | mov                 byte ptr [ecx + 1], al
            //   0fb64656             | movzx               eax, byte ptr [esi + 0x56]

        $sequence_9 = { 0f84ef000000 6a20 e8???????? 83c404 89442410 85c0 }
            // n = 6, score = 400
            //   0f84ef000000         | je                  0xf5
            //   6a20                 | push                0x20
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   85c0                 | test                eax, eax

    condition:
        7 of them and filesize < 180224
}
[TLP:WHITE] win_mailto_w0   (20210224 | Detects the Netwalker ransomware)
rule win_mailto_w0 { 
    meta: 
        copyright = "(c) 2020 Crowdstrike Inc." 
        author = "Crowdstrike"
        description = "Detects the Netwalker ransomware" 
        reports = "CSIT-20081" 
        source = "https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf"
        version = "202004281747" 
        last_modified = "2020-04-28" 
        malware_family = "Netwalker" 
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto"
        malpedia_rule_date = "20210224"
        malpedia_hash = ""
        malpedia_version = "20210224"
        malpedia_sharing = "TLP:WHITE"
    strings: 
        $salsaconst = "expand 32-byte kexpand 16-byte k" 
        $ins_getapi = {55 8b ec a1 ?? ?? ?? ?? 5d c3} 
        $ins_crc32 = {25 20 83 b8 ed 33 d0} 
        $ins_push1137 = {68 39 05 00 00 68 69 7a 00 00} 
        $ins_rc4 = {8b 45 ( e? | f? ) 83 c0 01 33 d2 b9 00 01 00 00 f7 f1 89 55} 
        $in_c25519 = {6a 00 68 41 db 01 00} 
    condition: 
        3 of them
}
[TLP:WHITE] win_mailto_w1   (20210224 | Detects the Netwalker ransomware)
rule win_mailto_w1 { 
    meta: 
        copyright = "(c) 2020 Crowdstrike Inc." 
        author = "Crowdstrike"
        description = "Detects the Netwalker ransomware" 
        reports = "CSIT-20081" 
        source = "https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf"
        version = "202004281748" 
        last_modified = "2020-04-28" 
        malware_family = "Netwalker" 
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto"
        malpedia_rule_date = "20210224"
        malpedia_hash = ""
        malpedia_version = "20210224"
        malpedia_sharing = "TLP:WHITE"
    strings: 
        $ = "namesz" fullword 
        $ = "crmask" fullword 
        $ = "idsz" fullword 
        $ = "lend" fullword 
        $ = "lfile" fullword 
        $ = "mpk" fullword 
        $ = "namesz" fullword 
        $ = "pspath" fullword 
        $ = "rwsz" fullword 
        $ = "spsz" fullword 
        $ = "svcwait" fullword 
        $ = "unlocker" fullword 
        $ = "onion1" fullword 
    condition: 10 of them
}
Download all Yara Rules