File name: netwalker.vbs

Full analysis: https://app.any.run/tasks/a8c787da-5593-4934-87c3-1c569c9e190f
Verdict: Malicious activity
Threats:

Netwalker is ransomware: a malware family that encrypts files and demands a ransom from the victim to recover the data. Netwalker uses several sophisticated techniques, such as process hollowing and code obfuscation, and targets corporate victims.

Analysis date: May 13, 2020, 20:03:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
netwalker
stealer
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5: 5B80CBBDCB697C0B8EC26E6CF0FF305C
SHA1: F26323676B7ED39590DDFEDD344B0CF605393598
SHA256: AD8D379A4431CABD079A1C34ADD903451E11F06652FE28D3F3EDB6C469C43893
SSDEEP: 3072:AEe+n+jGECbFXc7tt8PWmMFqHGnxnMx/nbUArHxWNyEAWPRhNa:AEfT27MPWumxM+7N/AwM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Gpbo.exe (PID: 3844)
    • Deletes shadow copies

      • Gpbo.exe (PID: 3844)
    • Netwalker ransom note found

      • Gpbo.exe (PID: 3844)
    • Loads the Task Scheduler COM API

      • Gpbo.exe (PID: 3844)
    • Stealing of credential data

      • Gpbo.exe (PID: 3844)
    • Renames files like Ransomware

      • Gpbo.exe (PID: 3844)
    • Modifies files in Chrome extension folder

      • Gpbo.exe (PID: 3844)
    • NetWalker was detected

      • Gpbo.exe (PID: 3844)
    • Actions look like stealing of personal data

      • Gpbo.exe (PID: 3844)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2124)
      • Gpbo.exe (PID: 3844)
    • Creates files like Ransomware instruction

      • Gpbo.exe (PID: 3844)
    • Reads the cookies of Google Chrome

      • Gpbo.exe (PID: 3844)
    • Creates files in the user directory

      • Gpbo.exe (PID: 3844)
    • Creates files in the program directory

      • Gpbo.exe (PID: 3844)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • Gpbo.exe (PID: 3844)
    • Dropped object may contain TOR URLs

      • Gpbo.exe (PID: 3844)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No malware configuration was extracted.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

explorer.exe -> WScript.exe (PID 2124, drop and start) -> Gpbo.exe (PID 3844, #NETWALKER) -> vssadmin.exe (PID 3464, no specs)

Process information

PID: 2124
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\netwalker.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules (images):
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3464
CMD: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Path: C:\Windows\system32\vssadmin.exe
Parent process: Gpbo.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code: 2 (non-zero; deleting shadow copies requires an elevated process and vssadmin ran at MEDIUM integrity here, so the deletion most likely failed in this run, although the attempt itself is the event worth alerting on)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\vssadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 3844
CMD: C:\Users\admin\AppData\Local\Temp\Gpbo.exe
Path: C:\Users\admin\AppData\Local\Temp\Gpbo.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation (self-reported in the version resource of a binary dropped to %TEMP%; a version resource is not a signature and does not establish that the file comes from Microsoft)
Integrity Level: MEDIUM
Description: WTV file converter (from the same self-reported version resource)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\users\admin\appdata\local\temp\gpbo.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events: 35
Read events: 33
Write events: 2
Delete events: 0

Modification events

PID 3844 (Gpbo.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\0b1567bf
Operation: write
Name: 0b1567bf
Value: 8E40CB9B55B19A834D8F8AEB5C865BC3C42B2ECD10C7FF587C78159018398D789F90CC8215DCF08DFE3D0A67A8A93DCC5AA5086DEADA08A2EDC2AB2E67C58909BDE1D71D8A2895928A916C2876F196F2D6ED9D95B80999F7B74F9E328D8A9BF815125469DBB61C2E9F8618F0024D043CA1E121FAA17490722FFBF8C672B23402DD9779D6785CE8B514980C4A

PID 3844 (Gpbo.exe)
Key: HKEY_CURRENT_USER\Software\0b1567bf
Operation: write
Name: 0b1567bf
Value: 8E40CB9B55B19A834D8F8AEB5C865BC3C42B2ECD10C7FF587C78159018398D789F90CC8215DCF08DFE3D0A67A8A93DCC5AA5086DEADA08A2EDC2AB2E67C58909BDE1D71D8A2895928A916C2876F196F2D6ED9D95B80999F7B74F9E328D8A9BF815125469DBB61C2E9F8618F0024D043CA1E121FAA17490722FFBF8C672B23402DD9779D6785CE8B514980C4A

Both writes use the same eight-hex-character name (0b1567bf) for the subkey and for the value inside it, once under HKLM\SOFTWARE and once under HKCU\Software, with an identical binary value; the key/value name pattern is the artifact to pivot on, since the name itself varies per sample.
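The process tree and the two registry writes above are the observable chain a detection engineer would key on. The following is an added example, not part of the ANY.RUN report and not ANY.RUN's own signature logic: it runs four checks over constructed Sysmon-style events (a script host started from a user-writable directory; that script host starting an executable from a user-writable directory; shadow copy deletion on any command line; a SOFTWARE subkey named by eight hex characters holding a value of the same name). The events are simplified Python dicts whose PIDs, images, command lines and registry paths are copied from this report; the field names, the benign "vssadmin list shadows" control event and the wmic form of shadow deletion are assumptions of the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed events modelled on the report's process tree and registry writes.
# Field names follow Sysmon Event ID 1 (process create) and 13 (registry value set)
# but are simplified dicts, not real event XML. The final vssadmin event is a
# benign control (invented) that the rules must not flag.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 2124, "image": r"C:\Windows\System32\WScript.exe",
     "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\netwalker.vbs"',
     "parent_image": r"C:\Windows\explorer.exe", "parent_cmd": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 3844, "image": r"C:\Users\admin\AppData\Local\Temp\Gpbo.exe",
     "cmd": r"C:\Users\admin\AppData\Local\Temp\Gpbo.exe",
     "parent_image": r"C:\Windows\System32\WScript.exe",
     "parent_cmd": r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\netwalker.vbs"'},
    {"id": 1, "pid": 3464, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmd": r"C:\Windows\system32\vssadmin.exe delete shadows /all /quiet",
     "parent_image": r"C:\Users\admin\AppData\Local\Temp\Gpbo.exe",
     "parent_cmd": r"C:\Users\admin\AppData\Local\Temp\Gpbo.exe"},
    {"id": 13, "pid": 3844, "image": r"C:\Users\admin\AppData\Local\Temp\Gpbo.exe",
     "target": r"HKLM\SOFTWARE\0b1567bf\0b1567bf"},
    {"id": 13, "pid": 3844, "image": r"C:\Users\admin\AppData\Local\Temp\Gpbo.exe",
     "target": r"HKCU\Software\0b1567bf\0b1567bf"},
    {"id": 1, "pid": 4100, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": r"vssadmin list shadows",
     "parent_image": r"C:\Windows\System32\cmd.exe", "parent_cmd": r"cmd.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Directories a standard user can write to; a script run from here by a script host
# that then starts a binary from here is the drop-and-start pattern in the report.
USER_WRITABLE = re.compile(r"\\(appdata\\local\\temp|appdata\\roaming|users\\public|downloads)\\", re.I)
# Shadow copy deletion regardless of parent; the wmic form is an assumed equivalent.
SHADOW_DELETE = re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
# Subkey named by 8 hex chars directly under SOFTWARE, holding a value of the same
# name, as seen for 0b1567bf in the report.
HEX_KEY_VALUE = re.compile(r"^(HKLM|HKCU)\\SOFTWARE\\([0-9a-f]{8})\\\2$", re.I)


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events: list[dict]) -> list[Finding]:
    """Apply the four checks to a list of events and return every hit, in event order."""
    findings: list[Finding] = []
    for e in events:
        if e["id"] == 1:
            image, parent = basename(e["image"]), basename(e["parent_image"])
            if image in SCRIPT_HOSTS and USER_WRITABLE.search(e["cmd"]):
                findings.append(Finding("script_host_from_user_writable", e["pid"], e["cmd"]))
            if (parent in SCRIPT_HOSTS and USER_WRITABLE.search(e["parent_cmd"])
                    and USER_WRITABLE.search(e["image"])):
                findings.append(Finding("script_host_drop_and_exec", e["pid"], e["image"]))
            if SHADOW_DELETE.search(e["cmd"]):
                findings.append(Finding("shadow_copy_deletion", e["pid"], e["parent_image"]))
        elif e["id"] == 13:
            m = HEX_KEY_VALUE.match(e["target"])
            if m:
                findings.append(Finding("hex_named_key_and_value", e["pid"], m.group(2)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.rule:32} pid={f.pid:<5} {f.detail}")
```

Run stand-alone it prints five findings for the six constructed events and nothing for the control. On real telemetry the registry check is the one to tune, since an eight-hex-character subkey under SOFTWARE is unusual but not impossible for legitimate software, while the drop-and-start chain and a shadow deletion attempt from a binary in %TEMP% warrant an alert on their own.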
Executable files: 20
Suspicious files: 1,859
Text files: 614
Unknown types: 420

Dropped files

All ten listed files were written by PID 3844 (Gpbo.exe). Every path is under %LOCALAPPDATA%\VirtualStore\ProgramData\, which is where UAC file virtualization redirects writes that a MEDIUM-integrity process attempts inside the protected C:\ProgramData tree; the originals under C:\ProgramData\Microsoft Help are not modified by such redirected writes.

C:\Users\admin\AppData\Local\VirtualStore\ProgramData\Microsoft Help\Hx_1033_MValidator.Lck (text)
MD5: B485167C5B0E59D47009A16F90FE2659
SHA256: DB44B8DB4F05D720EF1A57ABADEED0C164D47B17416C7DD7D136D8F10FBA91C9

C:\Users\admin\AppData\Local\VirtualStore\ProgramData\Microsoft Help\Hx_1033_MTOC_Hx.HxH (binary)
MD5: B7F09FBAD56D5F5EFC1F9C27A1155307
SHA256: ADEA49518D9D6E0B97B15E82D836DC2EE6B70DE4124F52F209C242C380D33658

C:\Users\admin\AppData\Local\VirtualStore\ProgramData\Microsoft Help\MS.POWERPNT.14.3082.hxn (binary)
MD5: 22876E4374FA9F53A1E66AA3FA5B0C20
SHA256: AC72F09870D54BD6D8AC6284B90EDBF4FE14E681E0FDB7565D8B113AF80DBC2D

C:\Users\admin\AppData\Local\VirtualStore\ProgramData\Microsoft Help\MS.EXCEL.14.1031.hxn (binary)
MD5: 9AEC403E2D810C46A433851DAFD4F097
SHA256: 938DF888103D1DCEF554523A67943CA053CEB4E65899EA353745CDDDEE735E5A

C:\Users\admin\AppData\Local\VirtualStore\ProgramData\Microsoft Help\MS.EXCEL.DEV.14.1031.hxn (binary)
MD5: 38061A5BD58F41E730B9F7AECF8887D2
SHA256: E656B20C05E1B9CA2144922DB899E44098868B4BEEDC3D73EDB03D03BBBA8D02

C:\Users\admin\AppData\Local\VirtualStore\ProgramData\Microsoft Help\Hx_1033_MKWD_NamedURL.HxW (binary)
MD5: 88FE9929E8F8EC6729DB58A785562BEC
SHA256: B4BA3612D2C078E72D8000B89BD7F442EF0A3B1FAD81695CB61CE5615116EB59

C:\Users\admin\AppData\Local\VirtualStore\ProgramData\Microsoft Help\MS.EXCEL.14.1042.hxn (binary)
MD5: 332CABC12302A454A6FB13D904965F6A
SHA256: 97D8B1BB8D54E80FBE1D3B16408E4FA90B438939AF2D5C18C790E5BEC2757D3A

C:\Users\admin\AppData\Local\VirtualStore\ProgramData\Microsoft Help\Hx_1033_MValidator.HxD (binary)
MD5: 31371546A653251985E3C91A36C9900E
SHA256: 05744183D14D2331F53FADCD71865E5635E7745B1A3A4680AB3582C791C99656

C:\Users\admin\AppData\Local\VirtualStore\ProgramData\Microsoft Help\MS.POWERPNT.DEV.14.1033.hxn (binary)
MD5: A0F37FD486B76044569BF172F641EC81
SHA256: 8EDD97F24946D7493EBE0B57888446EBFC788D00F3A2F6DB82A35D19C570176A

C:\Users\admin\AppData\Local\VirtualStore\ProgramData\Microsoft Help\MS.POWERPNT.14.1049.hxn (binary)
MD5: 174A712B20646E7A54F51B43B634B364
SHA256: B10BE2DD86FBBB34107CB34591431B9CC262A59783A3870B2021A5AAEACF898F
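Because the dropped-file paths are UAC-virtualized copies, they are not where the sample aimed its writes. The following is an added example, not part of the ANY.RUN report: it maps VirtualStore paths back to the protected directory a MEDIUM-integrity process actually tried to write and counts the writes per real target, which is the view a responder needs when deciding which directories the encryptor walked. It assumes the system drive is C: and that the store lives at <profile>\AppData\Local\VirtualStore, the layout Windows uses for UAC file virtualization; the DROPPED list is copied from this report.

```python
from __future__ import annotations

from collections import Counter
from pathlib import PureWindowsPath

# Paths copied from the report's dropped-files list.
DROPPED = [
    r"C:\Users\admin\AppData\Local\VirtualStore\ProgramData\Microsoft Help\Hx_1033_MValidator.Lck",
    r"C:\Users\admin\AppData\Local\VirtualStore\ProgramData\Microsoft Help\Hx_1033_MTOC_Hx.HxH",
    r"C:\Users\admin\AppData\Local\VirtualStore\ProgramData\Microsoft Help\MS.POWERPNT.14.3082.hxn",
    r"C:\Users\admin\AppData\Local\VirtualStore\ProgramData\Microsoft Help\MS.EXCEL.14.1031.hxn",
    r"C:\Users\admin\AppData\Local\VirtualStore\ProgramData\Microsoft Help\MS.EXCEL.DEV.14.1031.hxn",
    r"C:\Users\admin\AppData\Local\VirtualStore\ProgramData\Microsoft Help\Hx_1033_MKWD_NamedURL.HxW",
    r"C:\Users\admin\AppData\Local\VirtualStore\ProgramData\Microsoft Help\MS.EXCEL.14.1042.hxn",
    r"C:\Users\admin\AppData\Local\VirtualStore\ProgramData\Microsoft Help\Hx_1033_MValidator.HxD",
    r"C:\Users\admin\AppData\Local\VirtualStore\ProgramData\Microsoft Help\MS.POWERPNT.DEV.14.1033.hxn",
    r"C:\Users\admin\AppData\Local\VirtualStore\ProgramData\Microsoft Help\MS.POWERPNT.14.1049.hxn",
]


def devirtualize(path: str, system_drive: str = "C:") -> str | None:
    """Map a UAC-virtualized path back to the protected location the process tried to write.

    UAC file virtualization redirects writes by a MEDIUM-integrity, non-virtualization-aware
    process from protected directories (Program Files, Windows, ProgramData) to
    %LOCALAPPDATA%\\VirtualStore\\<path relative to the system drive root>, leaving the
    original file untouched. Returns None when the path is not inside such a store.
    The system drive defaults to C: (assumption matching the sandbox VM)."""
    parts = PureWindowsPath(path).parts
    lowered = [p.lower() for p in parts]
    if "virtualstore" not in lowered:
        return None
    i = lowered.index("virtualstore")
    # The store must sit at <profile>\AppData\Local\VirtualStore and must have something
    # below it; anything else is just a directory that happens to be called VirtualStore.
    if i < 2 or lowered[i - 1] != "local" or lowered[i - 2] != "appdata" or i + 1 == len(parts):
        return None
    return str(PureWindowsPath(system_drive + "\\", *parts[i + 1:]))


def targeted_directories(paths: list[str]) -> dict[str, int]:
    """Count, per real target directory, how many virtualized writes landed there."""
    counts: Counter[str] = Counter()
    for p in paths:
        real = devirtualize(p)
        if real is not None:
            counts[str(PureWindowsPath(real).parent)] += 1
    return dict(counts)


if __name__ == "__main__":
    for directory, n in targeted_directories(DROPPED).items():
        print(f"{n:3} redirected writes -> {directory}")
```

For this report every entry resolves to C:\ProgramData\Microsoft Help, which tells the responder two things at once: the encryptor walked a protected directory, and, because it ran without elevation, the files there were copied and modified in the user's VirtualStore rather than in place.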
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

No HTTP requests, connections, DNS requests or network threats were recorded during the analysis.
No debug info