{
	"id": "c1fc235c-7dfc-405d-84a6-572fec8ad3ae",
	"created_at": "2026-04-06T00:12:55.016261Z",
	"updated_at": "2026-04-10T13:11:28.03185Z",
	"deleted_at": null,
	"sha1_hash": "df19e4d3f18b8c389900656e605805bba4656a14",
	"title": "NetWalker Ransomware in 1 Hour - The DFIR Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1137674,
	"plain_text": "NetWalker Ransomware in 1 Hour - The DFIR Report\r\nBy editor\r\nPublished: 2020-08-31 · Archived: 2026-04-05 14:21:18 UTC\r\nThe threat actor logged in through RDP, attempted to run a Cobalt Strike Beacon, and then dumped memory using\r\nProcDump and Mimikatz. Next, they RDPed into a Domain Controller, minutes before using PsExec to run the\r\nNetWalker ransomware payload on all Domain joined systems. The entire intrusion took ~1 hour.\r\nWhat is NetWalker?\r\nNetWalker, as a ransomware strain, first appeared in August 2019. In its initial version, the ransomware\r\nwent by the name of Mailto but rebranded to NetWalker towards the end of 2019.\r\nThe ransomware operates as a closed-access RaaS — a ransomware-as-a-service portal. Other hacker\r\ngangs sign up and go through a vetting process, after which they are granted access to a web portal\r\nwhere they can build custom versions of the ransomware.\r\nThe distribution is left to these second-tier gangs, known as affiliates, and each group deploys it as they\r\nsee fit.\r\nCatalin Cimpanu – https://www.zdnet.com/article/netwalker-ransomware-gang-has-made-25-million-since-march-2020/\r\nFor more info on NetWalker check out the following posts:\r\nhttps://threatpost.com/netwalker-ransomware-29m-march/158036/\r\nhttps://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf\r\nExploitation\r\nWe saw multiple RDP logins around the time of the attack but we believe 198.181.163[.]103 (possibly IPVanish\r\nVPN) to be the source of this intrusion. We will include other IPs that logged into the honeypot on this day in the\r\nIOCs section.\r\nThe threat actor logged in using the DomainName\\Administrator account.\r\nCommand \u0026 Control\r\nc37.ps1 was dropped and run about 16 minutes after initial login. 
There didn’t appear to be any network connections made while running this script, which makes us wonder whether the script works or not.\r\nhttps://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/\r\nPage 1 of 10\n\nThe script is heavily obfuscated but still looks like Cobalt Strike. When we uploaded the script to VT, Thor said it may also contain Windshield or SplinterRAT.\r\nc37.ps1 has a very low detection rate even after 7+ days.\r\nMinutes later they ran c37.exe, which copies itself to a temp directory and then stops. This binary includes Neshta as well as many capabilities, as seen below:\r\ncapa\r\nAfter further analysis and a comment from @GaborSzappanos, we were able to confirm that both of these are indeed Cobalt Strike and connect to 173.232.146[.]37 over 443.\r\nThe Cobalt Strike server at 173.232.146.37 is using the default cert (146473198) and oddly enough could not be MiTM'd. We tried to MiTM this connection multiple times and kept getting an error stating that the SSL session did not authenticate successfully.\r\nWe attempted to run c37.ps1 and c37.exe in a few sandboxes and none of them captured the network traffic, which tells us that these Beacons include sandbox evasion techniques. Here are a couple of runs:\r\nhttps://capesandbox.com/analysis/54494/\r\nhttps://app.any.run/tasks/4524fb0c-8e17-4255-8582-35b0e206ff3f/\r\nhttps://capesandbox.com/analysis/54493/\r\nThe c37.exe binary includes shared code from Neshta, poison, BazarBackdoor, XMRig and a large portion from CobaltStrike according to Intezer.\r\nDiscovery\r\nAdFind was dropped alongside a script named adf.bat. We’ve seen this script in the past and wrote about it here.\r\nWe can see from these lnk files that they opened a few of the txt files output by AdFind. 
We can also see that domains.txt and ips.log were opened minutes after AdFind was run.\r\nLECmd – Tool by EricZimmerman\r\nA few minutes after AdFind was run, a command prompt was opened and the following commands were either copied and pasted slowly or manually typed.\r\nnltest /dclist:\r\nnet group \"Domain Computers\" /DOMAIN\r\nnet groups \"Enterprise Admins\" /domain\r\nnet user Administrator\r\nShortly after that, a script named pcr.bat was dropped and executed.\r\nThis script pings a list of hostnames (domains.txt) and writes the output to ips.log. The ping command they use sends one ping and forces IPv4. This domains.txt file most likely came from the above AdFind command using the domainlist parameter.\r\nCredential Access\r\nMimikatz was dropped, and then a minute later procdump64.exe was dropped. The threat actors then used Procdump to dump lsass using the following command:\r\nprocdump64.exe -ma lsass.exe lsass.dmp\r\nThis procdump64 binary appears to be compiled with Delphi and does not match known hashes. It appears the threat actors rolled their own but included the original instructions.\r\nMimikatz was run about a minute later.\r\nLateral Movement\r\nThe threat actor RDPed into a Domain Controller (DC) after dumping credentials. Shortly after accessing the DC they dropped ip.list.txt, P100119.ps1, and PsExec.\r\nThe threat actor was now ready to execute its objective.\r\nObjectives\r\nThe threat actor used PsExec to mount a share on all systems as the Domain Administrator and then execute the ransomware payload using PowerShell. 
NetWalker was delivered to all online Domain joined systems in the honeypot via the below command:\r\nC:\\psexec.exe @ip-list.txt -d cmd /c \"(net use q: /delete /y \u0026 net use q: \\\\DomainController\\DomainName /user:DomainName\\administrator ThisWasThePassword \u0026 powershell -ExecutionPolicy ByPass -NoLogo -NoProfile -windowstyle hidden -NoExit -File q:\\P100119.ps1\"\r\nAfter the PowerShell script runs, you are left with the following ransom note.\r\nThe NetWalker operators asked for $50k within 7 days or $100k after. They were talked down to $35k after the time expired.\r\nTimeline\r\nDetections\r\nET POLICY PsExec service created\r\nPsExec Service Start –\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_psexesvc_start.yml\r\nSuspicious Use of Procdump –\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_procdump.yml\r\nMimikatz Use –\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\r\nDetects AdFind usage from our case:\r\ntitle: AdFind Recon\r\ndescription: Threat Actor using AdFind for reconnaissance.\r\nauthor: The DFIR Report\r\ndate: 2019/8/2\r\nreferences:\r\n  - https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/\r\ntags:\r\n  - attack.remote_system_discovery\r\n  - attack.T1018\r\nlogsource:\r\n  category: process_creation\r\n  product: windows\r\ndetection:\r\n  selection_1:\r\n    CommandLine|contains:\r\n      - adfind -f objectcategory=computer\r\n  selection_2:\r\n    CommandLine|contains:\r\n      - adfind -gcb -sc trustdmp\r\n  condition: 
selection_1 or selection_2\r\nfalsepositives:\r\n  - Legitimate Administrator using tool for Active Directory querying\r\nlevel: medium\r\nstatus: experimental\r\nYara rule for Mimikatz: https://github.com/gentilkiwi/mimikatz/blob/master/kiwi_passwords.yar\r\nIOCs\r\nhttps://misppriv.circl.lu/events/view/73574\r\nhttps://otx.alienvault.com/pulse/5f4c3eb15ea4e24eb5b43a49\r\nYara – embedded_win_api – A non-Windows executable contains win32 API functions names – Author: nex\r\nRDP logins on the day of the intrusion\r\ninternal case 1003\r\nSource: https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/"
	],
	"report_names": [
		"netwalker-ransomware-in-1-hour"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434375,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/df19e4d3f18b8c389900656e605805bba4656a14.pdf",
		"text": "https://archive.orkl.eu/df19e4d3f18b8c389900656e605805bba4656a14.txt",
		"img": "https://archive.orkl.eu/df19e4d3f18b8c389900656e605805bba4656a14.jpg"
	}
}