avaddon

Sharing

Copy URL

Twitter E-mail

General

Target

90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e
Size

570KB
Sample

220521-b36dvschg5
MD5

4cb6d61ad2425bede38804cc18113e01
SHA1

faa8c450493e4ac9fdd95bed030dc2051da6c6b6
SHA256

90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e
SHA512

318461bddb899f0883a54c2a3cd9814aa5a789d0f2aab0b64f340ea36256536350bfbc971f36c76dc929efbdbd6227dbb815a7a447322f806fb721f3e6ae8f24

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Contacts\buziFcJU_readme.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .BCdCCbEbbA You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- Mzg1LWpDeXNTOG5WQzUzVW9MNEVzTjFpMU5mVnErY0YzT0o4ejdGT2h3ZjFhWGEraVJESXFWOW81Q2VDakFBRFFtNzFoczU0b3dON2J5ZHNvWVZwQ3ZsMGsxdHVDaHI0WmMwSkx1dVF1V2VKRDFiS1NPR09USVJ0bExQOXNreDZaTmZTcmRyTHplc3VkeTQrVzMrT0tYUENuanBLdDlDeHlneWJjNDB6aG03YUJ2SkdwWVpvN21tcFZWN2pDV1RLb0U0eXFzUmg0ckw3bFdJTDZadk1ueFVqRHczQUZLWTdjYldlblowWEV0aUNzaENKYlRRS3Q2VWUrUlNIakdZRTBXNXQweXU3QUpIZk9paHYvWEdoWUZOcHVlYk5Zc3hBSHZiRytjVzBQeHhZMjdpUHltTFkrRHdzem1ML1lNb3JpbWJLeFJHSHBzZm4yakRRRjg5OFdPeFd3cVg1SDhNNHoyWS9BbzZNd09xYzR4RVVIZmt0RmwvYTVQTWVOckUySmprbFJkSkRONG5pUHIwL1AyU3FmRVI4UVg2UXBrUXhGRFEwZmVtMEdzOWpsYUJzVTFCSVh6eXFXeHVuVlVZWGZ0Mzcvc3hqbVBGWENISGlpWnhnOVJ3Y2VibUg5QWI3TnV2UExYS01Ka05sbHBESFB2R3kwWW1iTW5sR3VmdXNMMi9DR2sxSjV3Z3V1QUdHb0JKNW56NmZNMEFwbU42ZzJEZUQ3Ymlrc3g0Y1hEK2ZYL0Erd1N2MTEzN2orQ3EvYjlXYXE1YkUrdnBGQ0UvcnZkVm9xUE53TFVtQmxKQ3pWSXVGai8rSTZUejFhNEczSkZ0aWJXVGs3S0h1elo4eG5KUTdBY0kyTVpJV2NQS2l4V2hRRjBLbVAwR0hTeHBlNmJ2OVZQdjArMS9yRDNUTERXOUZRWTArQlBJL3lxT2Nxa3dPOG5tUmxLUkVCTjFIb0tYcFlwallQZTJETDlBbFBzVVp2Vy82eXlzYUxzTmlNZng5L3R2YW1yWUxXRlA2NEZ1ZHd1MTZCcGJoVmJWUDRzQTU0TW5POHpqc2x0ZUlabFJPMUJ5ZnZ5bWhWUkU4SDVRL1lnaVV3Sm1Ka1hDa3Fyb1o1NzYySGYwWnBwSERxNGFPNFkrb0ZPRmRHSXNIejI1SmhiSVNOM0l3NStDcDU4dHJXM0pyWndTbUE3QzlBY0k2VThBb2RCYlZPNVZkK0ppRllZdThyU29NOW1kcERkMnpTSlF4WHRycUZLZUsrTE5QMTZMemdkdTRCU3RPUFNManFmSVhOQU80SHp6cTRicEJXa3E0SlNtMlJZTHYyQ3BpN0hnTSt6MTVvV1U4TmpGaWYvWU9hNG1tZWNRSFBabktRUXhFdzB4L1R4V2FEaWpqZlQ0M1FNbWtZSnE1dnFuQ2R6U3FMWkl3Wmp4SjlDMnFOL3VUR045QVNxSFJMNnNQZ25YalJzN0JwNzNHbEhOM0lYRkJ4RmVvVjd4T3RpaVFvWTVxV0RtS1BEZHNwVnlESEF4WU54VXJrS29jd3IzR2EyOUI5MEExWXRNNDV2TGlUdEtjeFVTbVgrZnUyRmZsT2JFSVRHZU95YWxmeGlpdmN2Zyt5ME01d0V2ZkxKV2J3dnFYRnRpNzlPdVlMR0l5S05JV0pLN29NbFg1RUpWKzZJV0dNN3dxa1BRRnVJcjAxSW1YbjZZaXoxMWlIMW0xRG1tNHJZcnM1Y3VGNW1POHllOWpGM1FRLzd1bU9kQjM3UHNCWGxkd0xBM3VvY1RmaFE3dE5uMFB5V09DZnBMMkxZNnpsQ1dPcVJsSzVXRTJmVW1NTzV6THUrNnQ2cFZqY0hDa0hqY3FnSVJEN053cHZTU2pJU0lYTSsvbnFKbTloTEo5TGRHNGRDVzJwcHIwSUFxSE5abm1Uekx6ZzlDbmhWL3V0aHlFY1dhcXE2REduS1RBcW13TUJBSk5wWGhKVTVsTFM0MDdyK3A0QnhPc1RkVlFRQ1FvZmlNSlZaYkkySm5kekZWRmRXZmhJdlVNcmEzZng4NWIrNU1VUVZCQkNmeStpaDA4eXI4NFFDQUFMM0RLSnVNbktQeUZLaDRLSkMzTGF1MUJnTGtVS1ExV0l3bGxSRXQ4Y1YwQjZ5R3I= -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * Ae2o47g4vU7G245dKovEEAa

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\buziFcJU_readme.txt

Family

avaddon

Ransom Note

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\buziFcJU_readme.txt

Family

avaddon

Ransom Note

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Favorites\Links\buziFcJU_readme.txt

Family

avaddon

Ransom Note

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Searches\buziFcJU_readme.txt

Family

avaddon

Ransom Note

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Public\Recorded TV\Sample Media\buziFcJU_readme.txt

Family

avaddon

Ransom Note

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\odt\9j8Pznq_readme.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bCeBDDBaAB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- Mzg1LU52WjFzSlg5TXdBS056cDkrMkk3bXdPM2Z4Snp5akRlTWRBK0twbGRwbEEvVCtBeVQ4dTdjMDBNZThyQTZwM09adzY1U245Z3ZWZVdvNWFUa1FIY0tlU3A4cVA3YXJ0dDVPRW1wc1Avc2MzYVJ6L0dZNUFqdktqOUtqRlZkWXgwb3owbzBkem9GZjhtZmk1bXAxNXpaTkVOL3pzYVhaS0lNVFgzL0hmSzlqbk1XKzhSNC9iRmJJQ0tHdnBobXRlcFE0NmNhWHhLQkI4Qjlqc2xkVzRwd0NweFE1dE9xaHkxUlN2M1dMbDY4ZnJHM2kyV0ozdlRIZVlvZi9yM25ncjlHQzFLNTZlZDZWSmdyVHFHMkRXcUx3R1kwbEYvblpkYm5LTFN5d0pIdVlmTWdlTUNnS3Ztb0o3blVVZWNaY2lxU3p1OGw2bWlBRGd1aVhCdCtxSnZRRXZyd0FZc3orUCtvaTlXSHlIMlF1bmlTY0ZXR2RoZ0VzbVBQc0F2MFFDV0k4WWkwYzQ3aVJqL2gvVXF0a005Wi9DQWRaZ2dEN2NNZTMzZUpDeFVCUC9lR0dqUy95bTkyM2drMlhBMEZuV3gwUkVyZXRoM09XaXBDS0I4THVaQ3ZSZU9lVWp2S2k1U0k2WE1yVFVzVTZFZm9kQkEva3NLN3Z5MnZmQnFwNkFIcHdNZWZYdlVNbzc0VWNNUHo0Q3BwdXVSRXk4dHVMNDR5dUxxTGRsL3lJOHhZSkVVQWtxSE5OYkdSSjFOc29KNCtmVnozR3dZaHF5V0htM0YrMGdsMHovUDhQdGozakE3azE3SGxNU1B3ekQrUXppZHBjTkcyQzNJQzJBZG1vckFaZlIxVW53andQMkhwRjY4R1U0L2ZTcXllKy9WZlVDRWk0MXpDREwrRzF2K3l4Vk1aUmZKS1FDSG5EQmk5NDBpdUVZYVVIYlMzSEgvRkROUVpYc1lvVUY1L0dlaVlUaGNhLzEyTXpYblJEV1lSeWlwWk9TT1JNRko2SjNyQytITzc5bDVhNng2T29JQnIveFA3MTM5TzRYRmxFVHRpRTNzTVFPTFhJOHlmWVdUMlVrQjhXRWNqS3pzYUNDNlNtWWE4ZjFSU0ZyRmpXSTRndUZYa25kbE85WnBBRU5FUEpiNjVDenphMmpWUndXZHBFRjFYRndvZ3l1blI4ZHFnMlZmaFRWK2ZkeCtibWlsUFAwTnpXZWFFWjI3Uk9PWEpycW5IMFZtU3pNb0pOZitkRzhxSm53bjR6WnQveFRaUFd2MDFBQXRjT0JZdUR2Y1BkcmFYcklDa3VqTFVBaDJTd0FiSkVxRXJDRkdBRUlvTSt1RjNZOFBtWmVMU1k5Nkl2NEh3OFU5dnBaUUFYM3dabVFnQ0txNnhPL2NyVEFGbFE5cW1nODZqOStvM1JhTno1ODhmS3NPZUdVMUNZVFlveWhrejBKcUdJaFd3bURZMEJzRXhGL2hTWVFFdWZMSS9FcFU4djdIRU5EK2pUdGsvOC9ncEpOcUNCdXZEREU1eUdjMXh5V1Vpc3U3aXBOblFoWlJ2alVWQm9sMW1DdHN4ZjFsdTE1b2w4b2tDVmVVYSs0UjdzbjFVaGFiaUMvRG83T3phUERDb2dnVmpabllXT2Y1L1dZL3IwcGRMSEoreW01MUJSYkhOQzBwQ3l2Q1llRmkwKzRuMmJsYW5NRkVWeDVLMURjVFZhUnhyUlJIdFAzWHhway9uT1lQVWgxNHJwejJiNkFTYkdFRVhtMVpwUFZPL2VVeEl4cDU4WVEyK20xT050bVlRTGxrbFY1dnZtUEJ1c0dBc3lXMk9icml5aUFZbDYwUzFxTmRmTlNYTjY0NU5JVXNBZUFqajNTMEhnays2TWlZRGhRK1ZFbEd0UVdhS0xCUkRXV0NLNWZtSmtwUWgvSUw0SVF0MEJUMHVOcTd1cStjN2thLzNjaEVqV3N4NEhGc20rdWZXdklOdGhPQ0k0YlVwVVFidjc1U1BNNDcwS05SRVZ4QXdTVlVkNlFzNFUwS2hUTlh1WTJNSEhqUVlFWU9kU1A3WnBZVkYzdGs2eHFoZ0FHWlNieFFibGM3MnNNcnphZFY1bUx0UkpWbi9CU0hhY09IL2NHWFZhVzQ= -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * eq9bvQoFDcz6riHLPOOiL

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\9j8Pznq_readme.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bCeBDDBaAB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- Mzg1LU52WjFzSlg5TXdBS056cDkrMkk3bXdPM2Z4Snp5akRlTWRBK0twbGRwbEEvVCtBeVQ4dTdjMDBNZThyQTZwM09adzY1U245Z3ZWZVdvNWFUa1FIY0tlU3A4cVA3YXJ0dDVPRW1wc1Avc2MzYVJ6L0dZNUFqdktqOUtqRlZkWXgwb3owbzBkem9GZjhtZmk1bXAxNXpaTkVOL3pzYVhaS0lNVFgzL0hmSzlqbk1XKzhSNC9iRmJJQ0tHdnBobXRlcFE0NmNhWHhLQkI4Qjlqc2xkVzRwd0NweFE1dE9xaHkxUlN2M1dMbDY4ZnJHM2kyV0ozdlRIZVlvZi9yM25ncjlHQzFLNTZlZDZWSmdyVHFHMkRXcUx3R1kwbEYvblpkYm5LTFN5d0pIdVlmTWdlTUNnS3Ztb0o3blVVZWNaY2lxU3p1OGw2bWlBRGd1aVhCdCtxSnZRRXZyd0FZc3orUCtvaTlXSHlIMlF1bmlTY0ZXR2RoZ0VzbVBQc0F2MFFDV0k4WWkwYzQ3aVJqL2gvVXF0a005Wi9DQWRaZ2dEN2NNZTMzZUpDeFVCUC9lR0dqUy95bTkyM2drMlhBMEZuV3gwUkVyZXRoM09XaXBDS0I4THVaQ3ZSZU9lVWp2S2k1U0k2WE1yVFVzVTZFZm9kQkEva3NLN3Z5MnZmQnFwNkFIcHdNZWZYdlVNbzc0VWNNUHo0Q3BwdXVSRXk4dHVMNDR5dUxxTGRsL3lJOHhZSkVVQWtxSE5OYkdSSjFOc29KNCtmVnozR3dZaHF5V0htM0YrMGdsMHovUDhQdGozakE3azE3SGxNU1B3ekQrUXppZHBjTkcyQzNJQzJBZG1vckFaZlIxVW53andQMkhwRjY4R1U0L2ZTcXllKy9WZlVDRWk0MXpDREwrRzF2K3l4Vk1aUmZKS1FDSG5EQmk5NDBpdUVZYVVIYlMzSEgvRkROUVpYc1lvVUY1L0dlaVlUaGNhLzEyTXpYblJEV1lSeWlwWk9TT1JNRko2SjNyQytITzc5bDVhNng2T29JQnIveFA3MTM5TzRYRmxFVHRpRTNzTVFPTFhJOHlmWVdUMlVrQjhXRWNqS3pzYUNDNlNtWWE4ZjFSU0ZyRmpXSTRndUZYa25kbE85WnBBRU5FUEpiNjVDenphMmpWUndXZHBFRjFYRndvZ3l1blI4ZHFnMlZmaFRWK2ZkeCtibWlsUFAwTnpXZWFFWjI3Uk9PWEpycW5IMFZtU3pNb0pOZitkRzhxSm53bjR6WnQveFRaUFd2MDFBQXRjT0JZdUR2Y1BkcmFYcklDa3VqTFVBaDJTd0FiSkVxRXJDRkdBRUlvTSt1RjNZOFBtWmVMU1k5Nkl2NEh3OFU5dnBaUUFYM3dabVFnQ0txNnhPL2NyVEFGbFE5cW1nODZqOStvM1JhTno1ODhmS3NPZUdVMUNZVFlveWhrejBKcUdJaFd3bURZMEJzRXhGL2hTWVFFdWZMSS9FcFU4djdIRU5EK2pUdGsvOC9ncEpOcUNCdXZEREU1eUdjMXh5V1Vpc3U3aXBOblFoWlJ2alVWQm9sMW1DdHN4ZjFsdTE1b2w4b2tDVmVVYSs0UjdzbjFVaGFiaUMvRG83T3phUERDb2dnVmpabllXT2Y1L1dZL3IwcGRMSEoreW01MUJSYkhOQzBwQ3l2Q1llRmkwKzRuMmJsYW5NRkVWeDVLMURjVFZhUnhyUlJIdFAzWHhway9uT1lQVWgxNHJwejJiNkFTYkdFRVhtMVpwUFZPL2VVeEl4cDU4WVEyK20xT050bVlRTGxrbFY1dnZtUEJ1c0dBc3lXMk9icml5aUFZbDYwUzFxTmRmTlNYTjY0NU5JVXNBZUFqajNTMEhnays2TWlZRGhRK1ZFbEd0UVdhS0xCUkRXV0NLNWZtSmtwUWgvSUw0SVF0MEJUMHVOcTd1cStjN2thLzNjaEVqV3N4NEhGc20rdWZXdklOdGhPQ0k0YlVwVVFidjc1U1BNNDcwS05SRVZ4QXdTVlVkNlFzNFUwS2hUTlh1WTJNSEhqUVlFWU9kU1A3WnBZVkYzdGs2eHFoZ0FHWlNieFFibGM3MnNNcnphZFY1bUx0UkpWbi9CU0hhY09IL2NHWFZhVzQ= -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * 0ykyGdbZ3EhBDfPNavJpWzu9

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\9j8Pznq_readme.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bCeBDDBaAB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- Mzg1LU52WjFzSlg5TXdBS056cDkrMkk3bXdPM2Z4Snp5akRlTWRBK0twbGRwbEEvVCtBeVQ4dTdjMDBNZThyQTZwM09adzY1U245Z3ZWZVdvNWFUa1FIY0tlU3A4cVA3YXJ0dDVPRW1wc1Avc2MzYVJ6L0dZNUFqdktqOUtqRlZkWXgwb3owbzBkem9GZjhtZmk1bXAxNXpaTkVOL3pzYVhaS0lNVFgzL0hmSzlqbk1XKzhSNC9iRmJJQ0tHdnBobXRlcFE0NmNhWHhLQkI4Qjlqc2xkVzRwd0NweFE1dE9xaHkxUlN2M1dMbDY4ZnJHM2kyV0ozdlRIZVlvZi9yM25ncjlHQzFLNTZlZDZWSmdyVHFHMkRXcUx3R1kwbEYvblpkYm5LTFN5d0pIdVlmTWdlTUNnS3Ztb0o3blVVZWNaY2lxU3p1OGw2bWlBRGd1aVhCdCtxSnZRRXZyd0FZc3orUCtvaTlXSHlIMlF1bmlTY0ZXR2RoZ0VzbVBQc0F2MFFDV0k4WWkwYzQ3aVJqL2gvVXF0a005Wi9DQWRaZ2dEN2NNZTMzZUpDeFVCUC9lR0dqUy95bTkyM2drMlhBMEZuV3gwUkVyZXRoM09XaXBDS0I4THVaQ3ZSZU9lVWp2S2k1U0k2WE1yVFVzVTZFZm9kQkEva3NLN3Z5MnZmQnFwNkFIcHdNZWZYdlVNbzc0VWNNUHo0Q3BwdXVSRXk4dHVMNDR5dUxxTGRsL3lJOHhZSkVVQWtxSE5OYkdSSjFOc29KNCtmVnozR3dZaHF5V0htM0YrMGdsMHovUDhQdGozakE3azE3SGxNU1B3ekQrUXppZHBjTkcyQzNJQzJBZG1vckFaZlIxVW53andQMkhwRjY4R1U0L2ZTcXllKy9WZlVDRWk0MXpDREwrRzF2K3l4Vk1aUmZKS1FDSG5EQmk5NDBpdUVZYVVIYlMzSEgvRkROUVpYc1lvVUY1L0dlaVlUaGNhLzEyTXpYblJEV1lSeWlwWk9TT1JNRko2SjNyQytITzc5bDVhNng2T29JQnIveFA3MTM5TzRYRmxFVHRpRTNzTVFPTFhJOHlmWVdUMlVrQjhXRWNqS3pzYUNDNlNtWWE4ZjFSU0ZyRmpXSTRndUZYa25kbE85WnBBRU5FUEpiNjVDenphMmpWUndXZHBFRjFYRndvZ3l1blI4ZHFnMlZmaFRWK2ZkeCtibWlsUFAwTnpXZWFFWjI3Uk9PWEpycW5IMFZtU3pNb0pOZitkRzhxSm53bjR6WnQveFRaUFd2MDFBQXRjT0JZdUR2Y1BkcmFYcklDa3VqTFVBaDJTd0FiSkVxRXJDRkdBRUlvTSt1RjNZOFBtWmVMU1k5Nkl2NEh3OFU5dnBaUUFYM3dabVFnQ0txNnhPL2NyVEFGbFE5cW1nODZqOStvM1JhTno1ODhmS3NPZUdVMUNZVFlveWhrejBKcUdJaFd3bURZMEJzRXhGL2hTWVFFdWZMSS9FcFU4djdIRU5EK2pUdGsvOC9ncEpOcUNCdXZEREU1eUdjMXh5V1Vpc3U3aXBOblFoWlJ2alVWQm9sMW1DdHN4ZjFsdTE1b2w4b2tDVmVVYSs0UjdzbjFVaGFiaUMvRG83T3phUERDb2dnVmpabllXT2Y1L1dZL3IwcGRMSEoreW01MUJSYkhOQzBwQ3l2Q1llRmkwKzRuMmJsYW5NRkVWeDVLMURjVFZhUnhyUlJIdFAzWHhway9uT1lQVWgxNHJwejJiNkFTYkdFRVhtMVpwUFZPL2VVeEl4cDU4WVEyK20xT050bVlRTGxrbFY1dnZtUEJ1c0dBc3lXMk9icml5aUFZbDYwUzFxTmRmTlNYTjY0NU5JVXNBZUFqajNTMEhnays2TWlZRGhRK1ZFbEd0UVdhS0xCUkRXV0NLNWZtSmtwUWgvSUw0SVF0MEJUMHVOcTd1cStjN2thLzNjaEVqV3N4NEhGc20rdWZXdklOdGhPQ0k0YlVwVVFidjc1U1BNNDcwS05SRVZ4QXdTVlVkNlFzNFUwS2hUTlh1WTJNSEhqUVlFWU9kU1A3WnBZVkYzdGs2eHFoZ0FHWlNieFFibGM3MnNNcnphZFY1bUx0UkpWbi9CU0hhY09IL2NHWFZhVzQ= -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * NaMp4pONtqPk553PFRkxDA3ArlKb

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Favorites\9j8Pznq_readme.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bCeBDDBaAB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- Mzg1LU52WjFzSlg5TXdBS056cDkrMkk3bXdPM2Z4Snp5akRlTWRBK0twbGRwbEEvVCtBeVQ4dTdjMDBNZThyQTZwM09adzY1U245Z3ZWZVdvNWFUa1FIY0tlU3A4cVA3YXJ0dDVPRW1wc1Avc2MzYVJ6L0dZNUFqdktqOUtqRlZkWXgwb3owbzBkem9GZjhtZmk1bXAxNXpaTkVOL3pzYVhaS0lNVFgzL0hmSzlqbk1XKzhSNC9iRmJJQ0tHdnBobXRlcFE0NmNhWHhLQkI4Qjlqc2xkVzRwd0NweFE1dE9xaHkxUlN2M1dMbDY4ZnJHM2kyV0ozdlRIZVlvZi9yM25ncjlHQzFLNTZlZDZWSmdyVHFHMkRXcUx3R1kwbEYvblpkYm5LTFN5d0pIdVlmTWdlTUNnS3Ztb0o3blVVZWNaY2lxU3p1OGw2bWlBRGd1aVhCdCtxSnZRRXZyd0FZc3orUCtvaTlXSHlIMlF1bmlTY0ZXR2RoZ0VzbVBQc0F2MFFDV0k4WWkwYzQ3aVJqL2gvVXF0a005Wi9DQWRaZ2dEN2NNZTMzZUpDeFVCUC9lR0dqUy95bTkyM2drMlhBMEZuV3gwUkVyZXRoM09XaXBDS0I4THVaQ3ZSZU9lVWp2S2k1U0k2WE1yVFVzVTZFZm9kQkEva3NLN3Z5MnZmQnFwNkFIcHdNZWZYdlVNbzc0VWNNUHo0Q3BwdXVSRXk4dHVMNDR5dUxxTGRsL3lJOHhZSkVVQWtxSE5OYkdSSjFOc29KNCtmVnozR3dZaHF5V0htM0YrMGdsMHovUDhQdGozakE3azE3SGxNU1B3ekQrUXppZHBjTkcyQzNJQzJBZG1vckFaZlIxVW53andQMkhwRjY4R1U0L2ZTcXllKy9WZlVDRWk0MXpDREwrRzF2K3l4Vk1aUmZKS1FDSG5EQmk5NDBpdUVZYVVIYlMzSEgvRkROUVpYc1lvVUY1L0dlaVlUaGNhLzEyTXpYblJEV1lSeWlwWk9TT1JNRko2SjNyQytITzc5bDVhNng2T29JQnIveFA3MTM5TzRYRmxFVHRpRTNzTVFPTFhJOHlmWVdUMlVrQjhXRWNqS3pzYUNDNlNtWWE4ZjFSU0ZyRmpXSTRndUZYa25kbE85WnBBRU5FUEpiNjVDenphMmpWUndXZHBFRjFYRndvZ3l1blI4ZHFnMlZmaFRWK2ZkeCtibWlsUFAwTnpXZWFFWjI3Uk9PWEpycW5IMFZtU3pNb0pOZitkRzhxSm53bjR6WnQveFRaUFd2MDFBQXRjT0JZdUR2Y1BkcmFYcklDa3VqTFVBaDJTd0FiSkVxRXJDRkdBRUlvTSt1RjNZOFBtWmVMU1k5Nkl2NEh3OFU5dnBaUUFYM3dabVFnQ0txNnhPL2NyVEFGbFE5cW1nODZqOStvM1JhTno1ODhmS3NPZUdVMUNZVFlveWhrejBKcUdJaFd3bURZMEJzRXhGL2hTWVFFdWZMSS9FcFU4djdIRU5EK2pUdGsvOC9ncEpOcUNCdXZEREU1eUdjMXh5V1Vpc3U3aXBOblFoWlJ2alVWQm9sMW1DdHN4ZjFsdTE1b2w4b2tDVmVVYSs0UjdzbjFVaGFiaUMvRG83T3phUERDb2dnVmpabllXT2Y1L1dZL3IwcGRMSEoreW01MUJSYkhOQzBwQ3l2Q1llRmkwKzRuMmJsYW5NRkVWeDVLMURjVFZhUnhyUlJIdFAzWHhway9uT1lQVWgxNHJwejJiNkFTYkdFRVhtMVpwUFZPL2VVeEl4cDU4WVEyK20xT050bVlRTGxrbFY1dnZtUEJ1c0dBc3lXMk9icml5aUFZbDYwUzFxTmRmTlNYTjY0NU5JVXNBZUFqajNTMEhnays2TWlZRGhRK1ZFbEd0UVdhS0xCUkRXV0NLNWZtSmtwUWgvSUw0SVF0MEJUMHVOcTd1cStjN2thLzNjaEVqV3N4NEhGc20rdWZXdklOdGhPQ0k0YlVwVVFidjc1U1BNNDcwS05SRVZ4QXdTVlVkNlFzNFUwS2hUTlh1WTJNSEhqUVlFWU9kU1A3WnBZVkYzdGs2eHFoZ0FHWlNieFFibGM3MnNNcnphZFY1bUx0UkpWbi9CU0hhY09IL2NHWFZhVzQ= -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * n5HlPd3bl

URLs

http://avaddonbotrxmuyl.onion

Targets

- Target
  
  90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e
- Size
  
  570KB
- MD5
  
  4cb6d61ad2425bede38804cc18113e01
- SHA1
  
  faa8c450493e4ac9fdd95bed030dc2051da6c6b6
- SHA256
  
  90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e
- SHA512
  
  318461bddb899f0883a54c2a3cd9814aa5a789d0f2aab0b64f340ea36256536350bfbc971f36c76dc929efbdbd6227dbb815a7a447322f806fb721f3e6ae8f24
Score

10^/10

avaddon evasion ransomware suricata trojan
- Avaddon
  Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
  ransomware avaddon
- Avaddon Payload
- UAC bypass
  evasion trojan
- suricata: ET MALWARE Win32/Avaddon Ransomware Style External IP Address Check
  suricata: ET MALWARE Win32/Avaddon Ransomware Style External IP Address Check
  suricata
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

File Deletion

T1107

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Avaddon Payload

UAC bypass

suricata: ET MALWARE Win32/Avaddon Ransomware Style External IP Address Check

Deletes shadow copies

Modifies extensions of user files

Checks whether UAC is enabled

Drops desktop.ini file(s)

Enumerates connected drives

Looks up external IP address via web service

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2