avaddon

Sharing

Copy URL

Twitter E-mail

General

Target

cd674d6aab60773d6af8554cbc28e902221aeec9b9734c98bb5a1a836c2f166c
Size

2.1MB
Sample

221005-sqyxpaefg8
MD5

bc52d18853a6b575d319692ae8f90fd7
SHA1

882b07d029ba27a64f442fa0e3047775667c2957
SHA256

cd674d6aab60773d6af8554cbc28e902221aeec9b9734c98bb5a1a836c2f166c
SHA512

de425b379f3a25be5df229a00ddf255e938a655595c50c5322b6d38ca7bb52abc611f4b74dbb1d8afe8121f36a9644ed8375de949e58286132f1c45be09fc8b3
SSDEEP

49152:Q6otv8NVQqr7XXpwM+DbhzFG13Dyz6fRG+A+85fbhl7zsPS0mc+8aue:QDB8XQqDXf+D9FG1dp9m5fb37zsf+ye

Score

10^/10

Malware Config

Extracted

Path

C:\odt\9hRxxz_readme.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .badbAdabC You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- Mzk5LStBU3JEM3E5cXZhRXJXNENldnJyZFIwbHppVHpQZW1PanZMZVVIL0xSQW1UUURyVkZEanEzRERVdUIrUE95cHNaZnZWOHJkc2VuOTdQeXRTdWxndDlzT0NVeXpFZCs2cEtHL0tIc0haZFBIbEN1Z3VvYXVqTGJhN05DZGJ3ZG5uYjR2d3k3ODhrcndkVzI1QnF6R0FXOEhMaS9BNkJGYjNBV1BjSGFEQmdNdCtKNm5Pb3BnNVRhTXBHaWU0c3pZbVQ3eGRUMko4byt6amxoK2pIanFmdmxNNVJLbDZ0MzJEbUhyOFRnQUhrcWhURWRRTTUrOERXNnk3QWdPa0VZaXorWXlRaklzb0gwZGw3b3FGTkZPL200TVNIN3NZWm0reGk1K1loNGxoeVdqdDJ1Z3FEQ0lGS3A1MXZNelBqb3VTMFJBRE1WYXp5R2Zkc2JRSTVWcVFxMEVhbm5uaXliZDFQRk1jV0JVR1NPeTlLZ1F5b3pBN2l2bnQ2SjNvelZwYklFdDJWYlYxVGkxMGFOTHk4TVBMWSs5OFJTZ0pvOSs4TXJVTTlJdjlva1A4Y3NjY2hrdnZKZXNyNzJzNUJhNDRGdWdlRkNQL3RIdGxBUzlhOWkwenc1Q2FrTGtTZmR4Sjh2TkgrM29rMjdQakpaaUI3OXM0YUxuWC9GaGYwYTE4RlpTSmFlQnd2TFNIVzRubm0xYmp3cGNSRFpvTlcrT2R6LzlBdGkrOXlVVkMzMkk2Z0FuV082cmFXTVQxZSsvMGZrNmZDeFk1dHZkTzYrZzhsL3AvNHdnOXhLL2NGMm5jSVAvN0lXbllvZUQ3bGJENTBUVTVveGdKdkNKVzNNYnlCc1c5TVVwbCtkaFJod0NOdmdwVW5sWEdWdXR6Rnl1d21YY1VaSE9mT1VpaFFwWkZNUmRCYXdmSWFibVpERCtkLzJLejdCZ1lqT21Sazkyb0p1OVZJQTVlcDFuZE5LdjB6OXE2NkJuaEFNdU5OYUN2bUx5dEVWSnhxaHZGQzBsNkIyL1EySDE0L2ZzbUVobDBhellqR0VpZTluTWNkNDBlb1gzVURnMEhqclpsVDdUWmVDak0xWnkzK1ROYkRlMUJySFVIMDRjRE5XU3lsdDU5ZUZmR3hUbk5EUXg4Y3lVcTk2a09BVVRDVXdqMU90cmh5ZDZoaWlZMTN4OUgvOTNxdW9PaVNzMkVqdWs1THpWTnVVeEZ6dUg3blcvZUFpVG9OSDlOdmdaY1EvRkxrV21RVS9ZemFCYlRFU0oyTGxYTFlodUs2ZjM5VUdDbGdQWWpzam9CekxIOGRVZjZ4UFZXdldKYmxzZEJ4R2RmNjVMYWRYRy9oSkViaEh6cnc2bkJUZWJTc1JUMysyVVJseGM5RUthN1RUVU1QNWtJekQraXdGS2Y4ZkhTdVV6Q0R1UkFkVnVuWHdiNlhJcGNBMTQranBhWVY3bFZwNUtlOWJoQjJNZUdrWTVBZG1VYzhjTXVCUUplTkFLVEFyenRFMDdBZ0dvS0R3VjhTYjhUZ1dub0xNcDh4M1JhNEJEOHlqOHFNYStkdm1KQmJMbEkzN0g5dDY4WTJiN2I5ZTlZNlBTNlFLb1ZxY1BaYjQwd3R1Q0hVMW0zbWx3Y2VUdURrOG0vVFd1ZTdoRFhvV3Fpd2k1U294eXpSQXFJa1NWZW8xTDJ3OFZnK0ZlaFkrT3ZUZ0hFK0c1ODREamd2RGt5TksrZDJTYU14Y0ZwRG0xN0lZN1VnWWNLa3ptamFKVmIrV2VUdkU3Z2FCQnIwZnlaVkJFVTdVYzBJRUlpUzdpdW1qT1gzZkpDakRkR3YvaVFLY3lnR0NLeW55ejg1MWJQSGUrOTIrN2RnWlR1ZWtQTDJydkdmNGRxTWpjZjJnMkFRbnNQSWpIanRsN2MvaXBwR3ZxWmUvWDl6YzA4NURVYVV2NVhMTG42TGxxdjY1d25aMEdTWW14UDJ1WWVRb2lTMTdkRUJmT1NadHpnTjNHbjZmelJrV001ZjUxMDZkME9JU0UxNmk1OTNzVHVQeFdrdmVSRFZDeWhSNkpxTDhzdzF4UlBFSUNkTmRRVXFaM2pnZzFjdlEvbVR6ckx3YTFBWmdETDFqekZmZ3FOUXgxQ0QzbGQ= -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * 43cQ7gLGTbwOSx4NGkxN7BQcDY

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\9hRxxz_readme.txt

Family

avaddon

Ransom Note

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\9hRxxz_readme.txt

Family

avaddon

Ransom Note

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Favorites\9hRxxz_readme.txt

Family

avaddon

Ransom Note

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Pictures\9hRxxz_readme.txt

Family

avaddon

Ransom Note

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Searches\9hRxxz_readme.txt

Family

avaddon

Ransom Note

URLs

http://avaddonbotrxmuyl.onion

Targets

- Target
  
  cd674d6aab60773d6af8554cbc28e902221aeec9b9734c98bb5a1a836c2f166c
- Size
  
  2.1MB
- MD5
  
  bc52d18853a6b575d319692ae8f90fd7
- SHA1
  
  882b07d029ba27a64f442fa0e3047775667c2957
- SHA256
  
  cd674d6aab60773d6af8554cbc28e902221aeec9b9734c98bb5a1a836c2f166c
- SHA512
  
  de425b379f3a25be5df229a00ddf255e938a655595c50c5322b6d38ca7bb52abc611f4b74dbb1d8afe8121f36a9644ed8375de949e58286132f1c45be09fc8b3
- SSDEEP
  
  49152:Q6otv8NVQqr7XXpwM+DbhzFG13Dyz6fRG+A+85fbhl7zsPS0mc+8aue:QDB8XQqDXf+D9FG1dp9m5fb37zsf+ye
Score

10^/10

avaddon evasion ransomware trojan
- Avaddon
  Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
  ransomware avaddon
- Avaddon payload
- UAC bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1