General
Target: 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e
Size: 570KB
Sample: 220521-b36dvschg5
MD5: 4cb6d61ad2425bede38804cc18113e01
SHA1: faa8c450493e4ac9fdd95bed030dc2051da6c6b6
SHA256: 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e
SHA512: 318461bddb899f0883a54c2a3cd9814aa5a789d0f2aab0b64f340ea36256536350bfbc971f36c76dc929efbdbd6227dbb815a7a447322f806fb721f3e6ae8f24
Static task: static1
Behavioral task: behavioral1
Sample: 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
Resource: win10v2004-20220414-en
Malware Config
Extracted from C:\Users\Admin\Contacts\buziFcJU_readme.txt: family avaddon, URL http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Admin\Documents\buziFcJU_readme.txt: family avaddon, URL http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Admin\Downloads\buziFcJU_readme.txt: family avaddon, URL http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Admin\Favorites\Links\buziFcJU_readme.txt: family avaddon, URL http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Admin\Searches\buziFcJU_readme.txt: family avaddon, URL http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Public\Recorded TV\Sample Media\buziFcJU_readme.txt: family avaddon, URL http://avaddonbotrxmuyl.onion
Extracted from C:\odt\9j8Pznq_readme.txt: family avaddon, URL http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Admin\Documents\9j8Pznq_readme.txt: family avaddon, URL http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Admin\Downloads\9j8Pznq_readme.txt: family avaddon, URL http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Admin\Favorites\9j8Pznq_readme.txt: family avaddon, URL http://avaddonbotrxmuyl.onion
Targets
Target: 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e (size and hashes as listed under General)
Score: 10/10
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its user base among criminal actors.
Avaddon Payload
suricata: ET MALWARE Win32/Avaddon Ransomware Style External IP Address Check
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
Drops desktop.ini file(s)
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.