Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20231129-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    25-12-2023 01:29

General

  • Target

    208c45f500c299bc4ebd80d1e230cc41.exe

  • Size

    402KB

  • MD5

    208c45f500c299bc4ebd80d1e230cc41

  • SHA1

    1c0b42efd324cab1625423b5634ee4b67ad62ac5

  • SHA256

    97820cf8de59555d2d333ac724c6a72c610b8c537f35139ebb1a5a362e68f789

  • SHA512

    d34d6ffcb4751f0a5391fd08cd6c78ceb6bdcc9c4346b28cd8c0e00a1ab810e1990dd752b70852aaed73738c888e6d0d73485c1e58582e8d0aedc106551e2637

  • SSDEEP

    12288:L5rxhWsTDzB6BybYxl+xX4VpMDEvqXHRAS0uayw4HUsNI4j:L5rxhW6PB6BybYxlWX/DEv4eNw

Score
10/10

Malware Config

Extracted

Path

C:\MSOCache\GET_YOUR_FILES_BACK.txt

Family

avoslocker

Ransom Note
Attention! Your files have been encrypted using AES-256. We highly suggest not shutting down your computer in case encryption process is not finished, as your files may get corrupted. In order to decrypt your files, you must pay for the decryption key & application. You may do so by visiting us at http://avos2fuj6olp6x36.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Hurry up, as the price may increase in the following days. If you fail to respond in a swift manner, we will leak your files in our press release/blog website accessible at http://avos53nnmi4u6amh.onion/ Message from agent: Data from HIBSSERV1118 was exfiltrated. This data will be leaked if we can't get a word back from you in 3 days. Your ID: 2aa81efb15920446a7e920d80afd1e9397a787295456bd5518c1f096345e61e1
URLs

http://avos2fuj6olp6x36.onion

http://avos53nnmi4u6amh.onion/

Signatures

  • Avoslocker Ransomware

    Avoslocker is a relatively new ransomware family that was observed in late June and early July 2021.

  • Renames multiple (84) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\208c45f500c299bc4ebd80d1e230cc41.exe
    "C:\Users\Admin\AppData\Local\Temp\208c45f500c299bc4ebd80d1e230cc41.exe"
    • Suspicious behavior: EnumeratesProcesses
    PID:1404

Network

MITRE ATT&CK Matrix

Downloads

  • C:\MSOCache\GET_YOUR_FILES_BACK.txt

    Filesize

    1KB

    MD5

    0454a42a44d0ac06b736c1c8ea701738

    SHA1

    7b32fec0e0063f0f9cf7b10aa7aa88e04be6d049

    SHA256

    bb344c93d0894b33ec20752eebb8917e79df6d92d4be5c9c9610e596e6df26a7

    SHA512

    1a6f8d5b58cb5cc93350341d72a0a83dd86531e528155f51961aea3e94d17cb8a58513efd7b616af3ac2dffb4ed074fe3a0b150551d5f4540f269b86d00026f5