Overview

overview

10

Static

static

10

e73b749260...f4.exe

windows7_x64

10

e73b749260...f4.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e73b749260028b1b6957978b54201f289c56743c201b3a6aa1d4743540df23f4

  • Size

    758KB

  • Sample

    210113-y3e87wa59e

  • MD5

    3a6551daf5dab06e71c14026ee84fd03

  • SHA1

    cbb6763f76a926c2a0721664977fdbc6f205fff5

  • SHA256

    e73b749260028b1b6957978b54201f289c56743c201b3a6aa1d4743540df23f4

  • SHA512

    f092f2b791c6bf4d6817c5d325a1302a95da5336884fd91422aa446b8c918af439eee209009a18d36d81edee07b28055eae730efa834c9def40aef31bdc586a7

Score
10/10
avaddonevasionransomwaretrojan

Malware Config

Extracted

Path

C:\Users\Admin\Contacts\KhVy1_readme_.txt

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bebCDAebEd You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTA3OC14cW1FbzdOVnl6SVphUkhyc0h4QkJLcWxHK0U0RHZnSDIyUTFxUTlhTGZUNHZ3QzhydmxIdFpKUTR2UFE0L25SVFQ3VUlST0FDNytOeGtVTjRFWHI4WVd5OE82bkp5SitPUG9DUmFWMCtwYUVGSklJYmRmKzJwd0o4OVFrVmZ5eWZ2Tmd3eERCNXp0NklFVFZhQVZhREJRbWV6SW9VMGJTbEJ0RG1VUkVjTG1pSFhUcTBqdnM2a01EWWNxeFdYVTR5R0h5YXVQaU56TGNZZWxkenhzUXdUM01laFZjU0JJY3l0QTNCNWF6UWtMdldnZTlOSCtBWHoweFVXdElEeWNkREVOaVBKWHpndWNKVlNkS0ZaTVZFWVlVUFVkcnRUNEtzUE4ydEJvVzR6SFV3TU0yYUh5OExzd1VQbVBwMU5qcFUrVFZqZkJRdnNpNWVwdEthWnJwOTQxdTJNell3Q2FKOW1iV3dHZ0tlWkFVc1lFSG8xbnB0S1R0NDRWRW80ODNDUGxmUndML0VEOS9tY0pybWM2amtWKzZreFZIZUMzL2dZSi9ETUlydnlVcGxMRjRJNWRmcllDYmxpemJteEJKYXRvTWUrdGhmVkhHUHMzNmt1TWtBemRMZS9XVUlUTWF6Y3NZMDlKYStlemJpUldtdnFxYVR1YVNicHB2eEwveHhybHREVkVlZWtPTzlFWjMvMVhBZHVuQXY3SHdIbldCSGJFZEs2eEhoaU5YMDJ6N2lKRTVLeW1wM1d3S1J0d1ZOOUY5WTduUkkvWEh2cTR3QnE2d1JnWWpwTGhERkhzM1QzeDZaSWVTdzhEN1FBeWhrQWRxdnlCdGJRNUF4c0g4Q0hFeCt6MkZVZGJSVG4xYUJvSFJSQUhxVzdYelZVVk9wcEpRSlZ2Z1ZIdlRSdjR2MXE5V1E0UHRxUG0yNktISCtGTlowQlkzUlNFMEgzUTNSUkxtU2tnSzRVLzV0NUtlRjNmMVM0dkVVWmZOUDZHM1ZjK1BHQXpJOHR0ZTVNN0VTdnBOU2gzNFRSSlRjYlo2eTR4WDVITlFaUThDMXRscnM1R0ltNnRTTkJTanV6Nk9kV3hKZDZYZDYwd3N0eVVtdHJGNXRQTFJqUCtwNU1EZkRienZMSEpwcGpMbUwwNlFUMk1Ecnkwc2ROQitQN29MZ283amdmNUloVnMxY0FRTS96ZkF2KzBJUHNrZlV5QnErYm1lZm1xaXRHKzRCTHJMVVpuWFFsTGZHOTVHZHhIRkFSZU1rKzc2Mkk5T0o3SkdCbVdoNml5TWVQNnV0d1ZtU0hkTlpLMkxWQmFLdUR1bGxaYUM2WWNtM2dwaHkzWDBEQWVoeDk0MHlaRFpsM1BCUzNZd3ZiZ3pTdURpOWlSY3laSmxyc2FIck5LVlFSQXNqVG8wN2pNMDdPNkQvWXZHQXQ4R3JTcURyazRmSVcrWDZwNjNJS1MxSFoxMVdFRWZSa0Q1WHE1dkkxWVdZWFprd1loMzBnb3llTytKaEVLT2VsVlY1bTJWYWFNaU5xYWs0b01SaVFTY0xxeXNLZ1dIcDZuQURKOXVLaEhZTlBHWWRCK1Ryb3lMV0Jxd2JXVXRNeUhhVnhxeVVaN2JRS3pYRlVSOEdVWTlPbEhXRWs4ajZZWEs4Q1N2Ty84UHI1QmozQTVtNmRsejFsSENIL3JUNkk5d3E3TUg3Ukk3WFl5Z2IrTzF3MWF2N2tQKy9BSXpkbHpLQ0YzRFF3aGNtTFU3SWExcGRQYUtoYUxNKzIrMUQ3K2lCUFdBdE95LzVvRDZCSVV3TE9JUTBMUEpIc04weWs0QXhCT0dWajFZVlBlVlZ6eU9yWDI1L2ExL0NIQjMwMXQ4aUdMbG1SdnFXN3hRcCs3bEFQZFVzZVhzeFpJMGtCN1VrOWp5RDAxeHFveER4cHZUalkyVDBQZFJWOURuZUVjK1p0djFaVSt3Sm9RNmlMS1pmeEtRTi9PQk1UeHFaNEsxWTQ3a2Z1RkR4eWp2bGMvRUx1RnJhSEVNOStNaTNZQjREaTBiL3JRWmg4cGRsNUR2WE5uelNjV3ZUQXN5LzdNaS9sN2dQNUdEeHp3TmdkTWp0OCtPQ2dFPQ== -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * XREhAcbu9IJ9QfGSJZejyq
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\KhVy1_readme_.txt

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bebCDAebEd You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTA3OC14cW1FbzdOVnl6SVphUkhyc0h4QkJLcWxHK0U0RHZnSDIyUTFxUTlhTGZUNHZ3QzhydmxIdFpKUTR2UFE0L25SVFQ3VUlST0FDNytOeGtVTjRFWHI4WVd5OE82bkp5SitPUG9DUmFWMCtwYUVGSklJYmRmKzJwd0o4OVFrVmZ5eWZ2Tmd3eERCNXp0NklFVFZhQVZhREJRbWV6SW9VMGJTbEJ0RG1VUkVjTG1pSFhUcTBqdnM2a01EWWNxeFdYVTR5R0h5YXVQaU56TGNZZWxkenhzUXdUM01laFZjU0JJY3l0QTNCNWF6UWtMdldnZTlOSCtBWHoweFVXdElEeWNkREVOaVBKWHpndWNKVlNkS0ZaTVZFWVlVUFVkcnRUNEtzUE4ydEJvVzR6SFV3TU0yYUh5OExzd1VQbVBwMU5qcFUrVFZqZkJRdnNpNWVwdEthWnJwOTQxdTJNell3Q2FKOW1iV3dHZ0tlWkFVc1lFSG8xbnB0S1R0NDRWRW80ODNDUGxmUndML0VEOS9tY0pybWM2amtWKzZreFZIZUMzL2dZSi9ETUlydnlVcGxMRjRJNWRmcllDYmxpemJteEJKYXRvTWUrdGhmVkhHUHMzNmt1TWtBemRMZS9XVUlUTWF6Y3NZMDlKYStlemJpUldtdnFxYVR1YVNicHB2eEwveHhybHREVkVlZWtPTzlFWjMvMVhBZHVuQXY3SHdIbldCSGJFZEs2eEhoaU5YMDJ6N2lKRTVLeW1wM1d3S1J0d1ZOOUY5WTduUkkvWEh2cTR3QnE2d1JnWWpwTGhERkhzM1QzeDZaSWVTdzhEN1FBeWhrQWRxdnlCdGJRNUF4c0g4Q0hFeCt6MkZVZGJSVG4xYUJvSFJSQUhxVzdYelZVVk9wcEpRSlZ2Z1ZIdlRSdjR2MXE5V1E0UHRxUG0yNktISCtGTlowQlkzUlNFMEgzUTNSUkxtU2tnSzRVLzV0NUtlRjNmMVM0dkVVWmZOUDZHM1ZjK1BHQXpJOHR0ZTVNN0VTdnBOU2gzNFRSSlRjYlo2eTR4WDVITlFaUThDMXRscnM1R0ltNnRTTkJTanV6Nk9kV3hKZDZYZDYwd3N0eVVtdHJGNXRQTFJqUCtwNU1EZkRienZMSEpwcGpMbUwwNlFUMk1Ecnkwc2ROQitQN29MZ283amdmNUloVnMxY0FRTS96ZkF2KzBJUHNrZlV5QnErYm1lZm1xaXRHKzRCTHJMVVpuWFFsTGZHOTVHZHhIRkFSZU1rKzc2Mkk5T0o3SkdCbVdoNml5TWVQNnV0d1ZtU0hkTlpLMkxWQmFLdUR1bGxaYUM2WWNtM2dwaHkzWDBEQWVoeDk0MHlaRFpsM1BCUzNZd3ZiZ3pTdURpOWlSY3laSmxyc2FIck5LVlFSQXNqVG8wN2pNMDdPNkQvWXZHQXQ4R3JTcURyazRmSVcrWDZwNjNJS1MxSFoxMVdFRWZSa0Q1WHE1dkkxWVdZWFprd1loMzBnb3llTytKaEVLT2VsVlY1bTJWYWFNaU5xYWs0b01SaVFTY0xxeXNLZ1dIcDZuQURKOXVLaEhZTlBHWWRCK1Ryb3lMV0Jxd2JXVXRNeUhhVnhxeVVaN2JRS3pYRlVSOEdVWTlPbEhXRWs4ajZZWEs4Q1N2Ty84UHI1QmozQTVtNmRsejFsSENIL3JUNkk5d3E3TUg3Ukk3WFl5Z2IrTzF3MWF2N2tQKy9BSXpkbHpLQ0YzRFF3aGNtTFU3SWExcGRQYUtoYUxNKzIrMUQ3K2lCUFdBdE95LzVvRDZCSVV3TE9JUTBMUEpIc04weWs0QXhCT0dWajFZVlBlVlZ6eU9yWDI1L2ExL0NIQjMwMXQ4aUdMbG1SdnFXN3hRcCs3bEFQZFVzZVhzeFpJMGtCN1VrOWp5RDAxeHFveER4cHZUalkyVDBQZFJWOURuZUVjK1p0djFaVSt3Sm9RNmlMS1pmeEtRTi9PQk1UeHFaNEsxWTQ3a2Z1RkR4eWp2bGMvRUx1RnJhSEVNOStNaTNZQjREaTBiL3JRWmg4cGRsNUR2WE5uelNjV3ZUQXN5LzdNaS9sN2dQNUdEeHp3TmdkTWp0OCtPQ2dFPQ== -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * t3pYVpNDzu1Em5OUy64rf1eXe
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Favorites\Links\KhVy1_readme_.txt

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bebCDAebEd You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTA3OC14cW1FbzdOVnl6SVphUkhyc0h4QkJLcWxHK0U0RHZnSDIyUTFxUTlhTGZUNHZ3QzhydmxIdFpKUTR2UFE0L25SVFQ3VUlST0FDNytOeGtVTjRFWHI4WVd5OE82bkp5SitPUG9DUmFWMCtwYUVGSklJYmRmKzJwd0o4OVFrVmZ5eWZ2Tmd3eERCNXp0NklFVFZhQVZhREJRbWV6SW9VMGJTbEJ0RG1VUkVjTG1pSFhUcTBqdnM2a01EWWNxeFdYVTR5R0h5YXVQaU56TGNZZWxkenhzUXdUM01laFZjU0JJY3l0QTNCNWF6UWtMdldnZTlOSCtBWHoweFVXdElEeWNkREVOaVBKWHpndWNKVlNkS0ZaTVZFWVlVUFVkcnRUNEtzUE4ydEJvVzR6SFV3TU0yYUh5OExzd1VQbVBwMU5qcFUrVFZqZkJRdnNpNWVwdEthWnJwOTQxdTJNell3Q2FKOW1iV3dHZ0tlWkFVc1lFSG8xbnB0S1R0NDRWRW80ODNDUGxmUndML0VEOS9tY0pybWM2amtWKzZreFZIZUMzL2dZSi9ETUlydnlVcGxMRjRJNWRmcllDYmxpemJteEJKYXRvTWUrdGhmVkhHUHMzNmt1TWtBemRMZS9XVUlUTWF6Y3NZMDlKYStlemJpUldtdnFxYVR1YVNicHB2eEwveHhybHREVkVlZWtPTzlFWjMvMVhBZHVuQXY3SHdIbldCSGJFZEs2eEhoaU5YMDJ6N2lKRTVLeW1wM1d3S1J0d1ZOOUY5WTduUkkvWEh2cTR3QnE2d1JnWWpwTGhERkhzM1QzeDZaSWVTdzhEN1FBeWhrQWRxdnlCdGJRNUF4c0g4Q0hFeCt6MkZVZGJSVG4xYUJvSFJSQUhxVzdYelZVVk9wcEpRSlZ2Z1ZIdlRSdjR2MXE5V1E0UHRxUG0yNktISCtGTlowQlkzUlNFMEgzUTNSUkxtU2tnSzRVLzV0NUtlRjNmMVM0dkVVWmZOUDZHM1ZjK1BHQXpJOHR0ZTVNN0VTdnBOU2gzNFRSSlRjYlo2eTR4WDVITlFaUThDMXRscnM1R0ltNnRTTkJTanV6Nk9kV3hKZDZYZDYwd3N0eVVtdHJGNXRQTFJqUCtwNU1EZkRienZMSEpwcGpMbUwwNlFUMk1Ecnkwc2ROQitQN29MZ283amdmNUloVnMxY0FRTS96ZkF2KzBJUHNrZlV5QnErYm1lZm1xaXRHKzRCTHJMVVpuWFFsTGZHOTVHZHhIRkFSZU1rKzc2Mkk5T0o3SkdCbVdoNml5TWVQNnV0d1ZtU0hkTlpLMkxWQmFLdUR1bGxaYUM2WWNtM2dwaHkzWDBEQWVoeDk0MHlaRFpsM1BCUzNZd3ZiZ3pTdURpOWlSY3laSmxyc2FIck5LVlFSQXNqVG8wN2pNMDdPNkQvWXZHQXQ4R3JTcURyazRmSVcrWDZwNjNJS1MxSFoxMVdFRWZSa0Q1WHE1dkkxWVdZWFprd1loMzBnb3llTytKaEVLT2VsVlY1bTJWYWFNaU5xYWs0b01SaVFTY0xxeXNLZ1dIcDZuQURKOXVLaEhZTlBHWWRCK1Ryb3lMV0Jxd2JXVXRNeUhhVnhxeVVaN2JRS3pYRlVSOEdVWTlPbEhXRWs4ajZZWEs4Q1N2Ty84UHI1QmozQTVtNmRsejFsSENIL3JUNkk5d3E3TUg3Ukk3WFl5Z2IrTzF3MWF2N2tQKy9BSXpkbHpLQ0YzRFF3aGNtTFU3SWExcGRQYUtoYUxNKzIrMUQ3K2lCUFdBdE95LzVvRDZCSVV3TE9JUTBMUEpIc04weWs0QXhCT0dWajFZVlBlVlZ6eU9yWDI1L2ExL0NIQjMwMXQ4aUdMbG1SdnFXN3hRcCs3bEFQZFVzZVhzeFpJMGtCN1VrOWp5RDAxeHFveER4cHZUalkyVDBQZFJWOURuZUVjK1p0djFaVSt3Sm9RNmlMS1pmeEtRTi9PQk1UeHFaNEsxWTQ3a2Z1RkR4eWp2bGMvRUx1RnJhSEVNOStNaTNZQjREaTBiL3JRWmg4cGRsNUR2WE5uelNjV3ZUQXN5LzdNaS9sN2dQNUdEeHp3TmdkTWp0OCtPQ2dFPQ== -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * kBwuq1A1pWjne122A6zyqCnY0k0nS
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Public\Pictures\Sample Pictures\KhVy1_readme_.txt

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bebCDAebEd You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTA3OC14cW1FbzdOVnl6SVphUkhyc0h4QkJLcWxHK0U0RHZnSDIyUTFxUTlhTGZUNHZ3QzhydmxIdFpKUTR2UFE0L25SVFQ3VUlST0FDNytOeGtVTjRFWHI4WVd5OE82bkp5SitPUG9DUmFWMCtwYUVGSklJYmRmKzJwd0o4OVFrVmZ5eWZ2Tmd3eERCNXp0NklFVFZhQVZhREJRbWV6SW9VMGJTbEJ0RG1VUkVjTG1pSFhUcTBqdnM2a01EWWNxeFdYVTR5R0h5YXVQaU56TGNZZWxkenhzUXdUM01laFZjU0JJY3l0QTNCNWF6UWtMdldnZTlOSCtBWHoweFVXdElEeWNkREVOaVBKWHpndWNKVlNkS0ZaTVZFWVlVUFVkcnRUNEtzUE4ydEJvVzR6SFV3TU0yYUh5OExzd1VQbVBwMU5qcFUrVFZqZkJRdnNpNWVwdEthWnJwOTQxdTJNell3Q2FKOW1iV3dHZ0tlWkFVc1lFSG8xbnB0S1R0NDRWRW80ODNDUGxmUndML0VEOS9tY0pybWM2amtWKzZreFZIZUMzL2dZSi9ETUlydnlVcGxMRjRJNWRmcllDYmxpemJteEJKYXRvTWUrdGhmVkhHUHMzNmt1TWtBemRMZS9XVUlUTWF6Y3NZMDlKYStlemJpUldtdnFxYVR1YVNicHB2eEwveHhybHREVkVlZWtPTzlFWjMvMVhBZHVuQXY3SHdIbldCSGJFZEs2eEhoaU5YMDJ6N2lKRTVLeW1wM1d3S1J0d1ZOOUY5WTduUkkvWEh2cTR3QnE2d1JnWWpwTGhERkhzM1QzeDZaSWVTdzhEN1FBeWhrQWRxdnlCdGJRNUF4c0g4Q0hFeCt6MkZVZGJSVG4xYUJvSFJSQUhxVzdYelZVVk9wcEpRSlZ2Z1ZIdlRSdjR2MXE5V1E0UHRxUG0yNktISCtGTlowQlkzUlNFMEgzUTNSUkxtU2tnSzRVLzV0NUtlRjNmMVM0dkVVWmZOUDZHM1ZjK1BHQXpJOHR0ZTVNN0VTdnBOU2gzNFRSSlRjYlo2eTR4WDVITlFaUThDMXRscnM1R0ltNnRTTkJTanV6Nk9kV3hKZDZYZDYwd3N0eVVtdHJGNXRQTFJqUCtwNU1EZkRienZMSEpwcGpMbUwwNlFUMk1Ecnkwc2ROQitQN29MZ283amdmNUloVnMxY0FRTS96ZkF2KzBJUHNrZlV5QnErYm1lZm1xaXRHKzRCTHJMVVpuWFFsTGZHOTVHZHhIRkFSZU1rKzc2Mkk5T0o3SkdCbVdoNml5TWVQNnV0d1ZtU0hkTlpLMkxWQmFLdUR1bGxaYUM2WWNtM2dwaHkzWDBEQWVoeDk0MHlaRFpsM1BCUzNZd3ZiZ3pTdURpOWlSY3laSmxyc2FIck5LVlFSQXNqVG8wN2pNMDdPNkQvWXZHQXQ4R3JTcURyazRmSVcrWDZwNjNJS1MxSFoxMVdFRWZSa0Q1WHE1dkkxWVdZWFprd1loMzBnb3llTytKaEVLT2VsVlY1bTJWYWFNaU5xYWs0b01SaVFTY0xxeXNLZ1dIcDZuQURKOXVLaEhZTlBHWWRCK1Ryb3lMV0Jxd2JXVXRNeUhhVnhxeVVaN2JRS3pYRlVSOEdVWTlPbEhXRWs4ajZZWEs4Q1N2Ty84UHI1QmozQTVtNmRsejFsSENIL3JUNkk5d3E3TUg3Ukk3WFl5Z2IrTzF3MWF2N2tQKy9BSXpkbHpLQ0YzRFF3aGNtTFU3SWExcGRQYUtoYUxNKzIrMUQ3K2lCUFdBdE95LzVvRDZCSVV3TE9JUTBMUEpIc04weWs0QXhCT0dWajFZVlBlVlZ6eU9yWDI1L2ExL0NIQjMwMXQ4aUdMbG1SdnFXN3hRcCs3bEFQZFVzZVhzeFpJMGtCN1VrOWp5RDAxeHFveER4cHZUalkyVDBQZFJWOURuZUVjK1p0djFaVSt3Sm9RNmlMS1pmeEtRTi9PQk1UeHFaNEsxWTQ3a2Z1RkR4eWp2bGMvRUx1RnJhSEVNOStNaTNZQjREaTBiL3JRWmg4cGRsNUR2WE5uelNjV3ZUQXN5LzdNaS9sN2dQNUdEeHp3TmdkTWp0OCtPQ2dFPQ== -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * 6
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Desktop\mWHhV_readme_.txt

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bEADbcADDa You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTA3OC0yVzRMazBORFBIbGVFQmVyMmVJeWpqY21RaDNMYno3a1Bic0RCaTlqK3dpampaVnJ6T3NaTmx5Tk1IbklsRDlwZkFFbGlrZEZmaGpjRGptU2hDYmZ4MFlXS2Uwc29HNUlxaEExZHBRN2tFYTJmbXhDTGg1dzJDdEVaVlFacjVtRXY4TW9NbGxZdFFmUmFkSmloRnZVMWhaSzdTb091K28xRmFiNnBGaVR3ZFRzeHdUOXFyMzFVb3AraVBzdzl2cU9UUUVvMW5lMFhaSEFTMUk1bHdBQ3VKTkRMWFVPWmZwN3hnVGQ1c2hFa2lVTmh0dVJyM3hCdXo1NUZLWmFUYlUyQitSZUJLOWh6V25yNjVLUTU3NXNTbzM1REpZR3hVaS9TczE4Z1FLMDJqc0ZnTE5WeHFsVzlvUWRzNFMvV2pNemhWV0hnMEN4ZVFQcjZidTJtTU9iN01vYU42RFlNSzdBR1ZzS0Jqa0RUVk9IUjh0KzRaZkZYcy9uR0t1SjY4YUs4VzZPajZNckh4YWN4TStDUHBmSnFSL2xSVy90R2tMRkFRenJsY3VLYmw2dnJpTU0yeHR5VnVjbXgyOUZSUVFHQzEvcENqamRBWmpaTlJXTEs4UXM4d2tWbVVLbmJGUThEdmd0MzQ3OG10MmlWTXAwNXdwNXl6UHI0Z1F5aWcyYXRUM3JEaTFaWm9Sdy9HSjlRWHloZFMxWnBTNzUwMWFOR2E2NEdsenBzZVF1dVVHQ2dWLzRVZVU1UzJtK3N3ZHE4clZoTUIyN1ZYR29wR2Z1dUJIQzUzUkNtSTgxOTFkSVhFOEtXTW5VTmJ6K2JqaTFsVUJ3Y2FxU29qMmJGNno0eXBwSG5nYlJKWmN6NnBpS0I2dlNMa2NucmlLZDFlVkF3WnRydDNSU0pHdEkzYURaL1YzNkRXS2NsUlE0bmFpbXNaZlBPRmpNWmhOZlhtcGFYRC95TnY5UGdWdjJMOE1neWtnM2RLSXpZYkZwM2VqVFEzd3lNRjB3aTZFVWpOb3NCb2JvVGpKSFRaL3gxdjlkd0lHekVFRm5weGF3RnJsUGM0S3Zac0VDUW04V2wvdWtSc2VvUC9KZXlrSlJYRTk3RG0vc1QyN3FKcnRrV3AwQjlKR0xUZ2lrL3dxdE9XYmc1d2pHUzc2ek5rL2hEbVF0bmpORGU1UFhUN0lmS01tb1NhSm1UMzZ5cnlTUGFTWWNmUGptRUozS243UFpabzZyeDBaVTVuSGJRR3FRNW1kRkFCdnVGcFBIY3FvcnI4ejNlbWZSTFJhaFZlaTI4Y1VjUVh2dytNbnJOS3o2MFE0UE5UNjNGT0lSdWRwckFiNnZjcVdzTllLK3dmeGkrWUg1eHhPT0J0S25EcjJzc0VGdDJackx4OVRDeVBWcmJUNWdHbHU5OHh6bUpFTmtvTU1uT0Q0ajU1SkhCQ2Y0Y3JQYVJLWXVIeHBrdUVHS3lwQjMzYWM2dktmMklSKzhMbHhXNFJ2SzEzc0FtdnJNU0I1Qy85ZDhwRXJZRjUyZzVWZDBNZEpVT1QxZVlXZVZsRTR6NElCT28rVTdJM0o4aUtQc3pHTlNlWFE5THI5RVYvSVpVV1RKOTdpbXRRR2FJV2ZJbENEOXJBY1lBTFVEeE95MzAyamVkdi8rV1MvYVRyWnRGYjRlcjh6OFRORWtTek5EMk9QdmF6NERkYW9XMkt0cGpkSzk3NkpvVXhZa0RFZ3c5dGlIK09KcFgyazBOQk5PT1h4SXVIVmZlMjYyWWpmRkhxU0g4QThzcEVCdFUyMFdaMjUrcTZBQk5PZ2t1bldqbGQvT0hOVER6QS9nY3NXd0lsTndGbmRTajM0NDhSbitSMzUwTUF4UGRqeWwrdkxlTEhRcjdxK1BBVGtKZFBubEl6Mkg4b2ZNdUNESHd4d2lMdUhySE85emR6OVM3d1FpZTVzUnhublpEeGk3ejBzZTgrMjVrVzIwczZlNm9Td3NNYTBiVlJNb0dMT1dobG5PaUsxVHB5Q2g5UlgxV0hjSDhxS0hBczRrRzd1a0VmTzlJNEpxNWt6aFNmWitXcGZHVXB3dnM0SkV5SkVMM2Ric1g3Y1BXT0tXb0xZPQ== -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * C1CeKrtR
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Music\mWHhV_readme_.txt

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bEADbcADDa You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTA3OC0yVzRMazBORFBIbGVFQmVyMmVJeWpqY21RaDNMYno3a1Bic0RCaTlqK3dpampaVnJ6T3NaTmx5Tk1IbklsRDlwZkFFbGlrZEZmaGpjRGptU2hDYmZ4MFlXS2Uwc29HNUlxaEExZHBRN2tFYTJmbXhDTGg1dzJDdEVaVlFacjVtRXY4TW9NbGxZdFFmUmFkSmloRnZVMWhaSzdTb091K28xRmFiNnBGaVR3ZFRzeHdUOXFyMzFVb3AraVBzdzl2cU9UUUVvMW5lMFhaSEFTMUk1bHdBQ3VKTkRMWFVPWmZwN3hnVGQ1c2hFa2lVTmh0dVJyM3hCdXo1NUZLWmFUYlUyQitSZUJLOWh6V25yNjVLUTU3NXNTbzM1REpZR3hVaS9TczE4Z1FLMDJqc0ZnTE5WeHFsVzlvUWRzNFMvV2pNemhWV0hnMEN4ZVFQcjZidTJtTU9iN01vYU42RFlNSzdBR1ZzS0Jqa0RUVk9IUjh0KzRaZkZYcy9uR0t1SjY4YUs4VzZPajZNckh4YWN4TStDUHBmSnFSL2xSVy90R2tMRkFRenJsY3VLYmw2dnJpTU0yeHR5VnVjbXgyOUZSUVFHQzEvcENqamRBWmpaTlJXTEs4UXM4d2tWbVVLbmJGUThEdmd0MzQ3OG10MmlWTXAwNXdwNXl6UHI0Z1F5aWcyYXRUM3JEaTFaWm9Sdy9HSjlRWHloZFMxWnBTNzUwMWFOR2E2NEdsenBzZVF1dVVHQ2dWLzRVZVU1UzJtK3N3ZHE4clZoTUIyN1ZYR29wR2Z1dUJIQzUzUkNtSTgxOTFkSVhFOEtXTW5VTmJ6K2JqaTFsVUJ3Y2FxU29qMmJGNno0eXBwSG5nYlJKWmN6NnBpS0I2dlNMa2NucmlLZDFlVkF3WnRydDNSU0pHdEkzYURaL1YzNkRXS2NsUlE0bmFpbXNaZlBPRmpNWmhOZlhtcGFYRC95TnY5UGdWdjJMOE1neWtnM2RLSXpZYkZwM2VqVFEzd3lNRjB3aTZFVWpOb3NCb2JvVGpKSFRaL3gxdjlkd0lHekVFRm5weGF3RnJsUGM0S3Zac0VDUW04V2wvdWtSc2VvUC9KZXlrSlJYRTk3RG0vc1QyN3FKcnRrV3AwQjlKR0xUZ2lrL3dxdE9XYmc1d2pHUzc2ek5rL2hEbVF0bmpORGU1UFhUN0lmS01tb1NhSm1UMzZ5cnlTUGFTWWNmUGptRUozS243UFpabzZyeDBaVTVuSGJRR3FRNW1kRkFCdnVGcFBIY3FvcnI4ejNlbWZSTFJhaFZlaTI4Y1VjUVh2dytNbnJOS3o2MFE0UE5UNjNGT0lSdWRwckFiNnZjcVdzTllLK3dmeGkrWUg1eHhPT0J0S25EcjJzc0VGdDJackx4OVRDeVBWcmJUNWdHbHU5OHh6bUpFTmtvTU1uT0Q0ajU1SkhCQ2Y0Y3JQYVJLWXVIeHBrdUVHS3lwQjMzYWM2dktmMklSKzhMbHhXNFJ2SzEzc0FtdnJNU0I1Qy85ZDhwRXJZRjUyZzVWZDBNZEpVT1QxZVlXZVZsRTR6NElCT28rVTdJM0o4aUtQc3pHTlNlWFE5THI5RVYvSVpVV1RKOTdpbXRRR2FJV2ZJbENEOXJBY1lBTFVEeE95MzAyamVkdi8rV1MvYVRyWnRGYjRlcjh6OFRORWtTek5EMk9QdmF6NERkYW9XMkt0cGpkSzk3NkpvVXhZa0RFZ3c5dGlIK09KcFgyazBOQk5PT1h4SXVIVmZlMjYyWWpmRkhxU0g4QThzcEVCdFUyMFdaMjUrcTZBQk5PZ2t1bldqbGQvT0hOVER6QS9nY3NXd0lsTndGbmRTajM0NDhSbitSMzUwTUF4UGRqeWwrdkxlTEhRcjdxK1BBVGtKZFBubEl6Mkg4b2ZNdUNESHd4d2lMdUhySE85emR6OVM3d1FpZTVzUnhublpEeGk3ejBzZTgrMjVrVzIwczZlNm9Td3NNYTBiVlJNb0dMT1dobG5PaUsxVHB5Q2g5UlgxV0hjSDhxS0hBczRrRzd1a0VmTzlJNEpxNWt6aFNmWitXcGZHVXB3dnM0SkV5SkVMM2Ric1g3Y1BXT0tXb0xZPQ== -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * YdJ0f4gFo85
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Targets

    • Target

      e73b749260028b1b6957978b54201f289c56743c201b3a6aa1d4743540df23f4

    • Size

      758KB

    • MD5

      3a6551daf5dab06e71c14026ee84fd03

    • SHA1

      cbb6763f76a926c2a0721664977fdbc6f205fff5

    • SHA256

      e73b749260028b1b6957978b54201f289c56743c201b3a6aa1d4743540df23f4

    • SHA512

      f092f2b791c6bf4d6817c5d325a1302a95da5336884fd91422aa446b8c918af439eee209009a18d36d81edee07b28055eae730efa834c9def40aef31bdc586a7

    Score
    10/10
    avaddonevasionransomwaretrojan

    • Avaddon

      Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

      ransomwareavaddon

    • Avaddon Ransomware

      ransomware

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      evasiontrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Modify Registry

2
T1112

File Deletion

2
T1107

Credential Access

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Tasks