Overview

overview

10

Static

static

10

9f8f217060...d3.exe

windows7-x64

10

9f8f217060...d3.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3

  • Size

    762KB

  • Sample

    240315-qwqr6ahf21

  • MD5

    763217378a83acd3712728a51bec6862

  • SHA1

    62b23d984ba0539b263bf929847a6f79ed7e5a89

  • SHA256

    9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3

  • SHA512

    d566ac0460aa76ea63d49308690dc6f8113bc5f811a1862218d09f92bffbeaee1b6e9771766f8b8e23b34a2026f80c1fe9dcb0d39f2aca3f267e75e24b63b486

  • SSDEEP

    12288:wovdmyrrMXMNK+A+JLxkpheaiTOYqLNMhL3q/Pn75K1/LnBuueiFZMmmk3:woQEY+A+JLxcheaiTOYI+xOPn75+D/ZL

Score
10/10
avaddonevasionransomwaretrojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\wPhf8_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bDEBDcceAD You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTIyMy1RczFkUW5RM0ZIS3B6M3N2SUdCN3ZTMytINlZZV1JWS3lHbHFFYkE2RW5TRnB4dG1VbC9PeGUzdy9XRVpVUE1EdjEvaHRRR2ZBd0NHOVk1SFV0SWZqVVphTkNUcFRuQUhCSVpMMUk5cW5PbVJvSWN1YllFYVpkOHR0RXpWMTM1d1cycVJ3a1RtYVdhRFpETGE1Mkx6Z2g3Nm01K0xLTWMzREpHVHB5WXc3ZEt5YzR6R0ZLbVFpUVNZeFR3VElQajhKUGVQQXUreHpHdzVXenYzOG9jbGxibzBGY0hUZWZ1enhXci9vNXQ1cWxEZVVQcUVkMDY3UE4rUCtqTUdHQytITHh3VEo2THVEQjRvQ2YwSmUzWTg0bndCc0J1YzN0RmxkbkhqTWRINHZJa25GdjlUdE92Si90SFBvLzQwYlYzSXMycWh2eXo4MmthMVlqaXFId1BRRDdOYnJyWFFPN0VUSjhHMnBKbDZWclQwOFp6MlBQZ3Jzei84Ylg5VGUzRHMwTlc1bHorSUNUMnhvcFpmN25yazVuWk5iMUFMRFk2T2xINWRJVk56Znl5UVJmMWRMekpueHVEQ2ZXcVEwQVlLcmxkTVpHS0U1cGNaN0VnbDlTS1NFWXlzNFluZ0hjZC8yVktKOVFYR2NLZmRrUERsUG9rcWFGYXVqekxDWStHS3lkUWtRZzlsaFRNQmxWend3V3NPbkEzKzFUK1JXWjJyUXR0elJvNlMzNklmZDFmeTEwbUJ4R0xHenQrRUo3b0QvazhXVGdTVzQrTzg4SUpTbWlQdlNIRXc2R1NNUGJLWE5iMUFqa3o1RmRkODlXb2VJa2FlUEg5dFdrTnlYMkU5cklZMTR2YnM4ZmRpSDRQZmx1RzJoczhiZDVUaWd5dVErWndUWmVDOVdUd1JBdDdlbXRQRUZlN2tMRjc3dmJVanFwL0h4b2VRSFd3ckhGRTBOd2FmNEtna2RGOTNXZ0YzWlozNUU2bGwxMHZRS0xpSEZWbzRWU3ZjaE4ybGdFcXFvRkxTdmNTbjk3M0F1Yy9QWFZoSEE1MnFWWHhtVWJzK1o3cE9TbTJMaUxJb3BCdmQ5K2NiZ2N6N01FbzJGTzlmTjdqREIzZFJUMGk5Rk5zNGY5NFdNUEdxNDlqb3hJTWQ5NVdFc1BFaUdXQUdoMDJFL3BndEltaG4zRTE1SE5rNlJGU0pWTHNjTHBMK0xpTkR2dklsSXRJUkNhRDRJc2QyME9ERWVxckxHUmZNc0NwTGNralZaR20zcjMrWkVwVnM2cUdBTXROc01MSk14a0l5bUNXcHFrdDk0Nk1TSk5SQkVnc2lwS2lPV242cy9DSFBjMi90MFloODFoM0dwTjY0a1AralRFRkRjU0dseTdERnI1UGw4Q1J5R2lReDZkU1ZvencyUE5paUViVGpYRkNsb2gwcHFManI3cmdLMjVwQkVKUWN2WC81NkV6NGsxZ0pObFlsZUlNZzc1WFJwY2xFMHV4YjY1QUN3NDFmRzYwbW1RdDB0azJHVzdWcnVWY2NjUmFVWFlhZ1d1L2RFb1NvS05ubGtIRzIxRXRSM250b05hektSc1lKSGQzZWVuZUt4S21ublZ1TXdWNUtRc2VPM1ZGQm9mSE8xR0xEeGNYRjVUa3RPWTh5d1Z2emcxZjZtQ1R5ZzlYdlJSR0tsNmsxZU1Rb0o3UllRb1hpOFdkQ1Q0WVBXWmdDRjFMRmN0U1VNY3Q0dndjR2RSRlh0RDNpbWxzS3Y5TmZJRW5KblNLYWt1Yy8vZmVQL2V2ZkczSGNCcXQwcnMxV3B1UEZIQ21YbmFXQ0JlZ0ZsNDkwSy83eGJpLzhkOUpCeGRoaWtSdisvM25FV1h3My9lVkdjcGN1Rnc2anVuTG00L0NHRFJreDdpOGFoaXhLNnlmSURiKytXeXdPUHZUZEFXUVd3d1A2YkdpUXVjNElxb2Rkc1kwcjdsYTc2QnNpaHZOMWhWNEhnaTlhdWt5cnM1TW9LMFh2ekdaSEI5ZWJONXBsaTZpNW1KSlRMNDljaHRPU0l0anMrRDZYSUtrMGJhOUNUR3RHWEJCVm55M0dHOUI2SjYzc2FaUGZ6UGZRcksva0g0Z00wSVRPL0hOS0NzMmRzK3NPWVlHelQ3a2czRWVTYWhrU2FvWThlUT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * m1I2T4lyQCypULfVADfzrRhx
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\wPhf8_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bDEBDcceAD You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTIyMy1RczFkUW5RM0ZIS3B6M3N2SUdCN3ZTMytINlZZV1JWS3lHbHFFYkE2RW5TRnB4dG1VbC9PeGUzdy9XRVpVUE1EdjEvaHRRR2ZBd0NHOVk1SFV0SWZqVVphTkNUcFRuQUhCSVpMMUk5cW5PbVJvSWN1YllFYVpkOHR0RXpWMTM1d1cycVJ3a1RtYVdhRFpETGE1Mkx6Z2g3Nm01K0xLTWMzREpHVHB5WXc3ZEt5YzR6R0ZLbVFpUVNZeFR3VElQajhKUGVQQXUreHpHdzVXenYzOG9jbGxibzBGY0hUZWZ1enhXci9vNXQ1cWxEZVVQcUVkMDY3UE4rUCtqTUdHQytITHh3VEo2THVEQjRvQ2YwSmUzWTg0bndCc0J1YzN0RmxkbkhqTWRINHZJa25GdjlUdE92Si90SFBvLzQwYlYzSXMycWh2eXo4MmthMVlqaXFId1BRRDdOYnJyWFFPN0VUSjhHMnBKbDZWclQwOFp6MlBQZ3Jzei84Ylg5VGUzRHMwTlc1bHorSUNUMnhvcFpmN25yazVuWk5iMUFMRFk2T2xINWRJVk56Znl5UVJmMWRMekpueHVEQ2ZXcVEwQVlLcmxkTVpHS0U1cGNaN0VnbDlTS1NFWXlzNFluZ0hjZC8yVktKOVFYR2NLZmRrUERsUG9rcWFGYXVqekxDWStHS3lkUWtRZzlsaFRNQmxWend3V3NPbkEzKzFUK1JXWjJyUXR0elJvNlMzNklmZDFmeTEwbUJ4R0xHenQrRUo3b0QvazhXVGdTVzQrTzg4SUpTbWlQdlNIRXc2R1NNUGJLWE5iMUFqa3o1RmRkODlXb2VJa2FlUEg5dFdrTnlYMkU5cklZMTR2YnM4ZmRpSDRQZmx1RzJoczhiZDVUaWd5dVErWndUWmVDOVdUd1JBdDdlbXRQRUZlN2tMRjc3dmJVanFwL0h4b2VRSFd3ckhGRTBOd2FmNEtna2RGOTNXZ0YzWlozNUU2bGwxMHZRS0xpSEZWbzRWU3ZjaE4ybGdFcXFvRkxTdmNTbjk3M0F1Yy9QWFZoSEE1MnFWWHhtVWJzK1o3cE9TbTJMaUxJb3BCdmQ5K2NiZ2N6N01FbzJGTzlmTjdqREIzZFJUMGk5Rk5zNGY5NFdNUEdxNDlqb3hJTWQ5NVdFc1BFaUdXQUdoMDJFL3BndEltaG4zRTE1SE5rNlJGU0pWTHNjTHBMK0xpTkR2dklsSXRJUkNhRDRJc2QyME9ERWVxckxHUmZNc0NwTGNralZaR20zcjMrWkVwVnM2cUdBTXROc01MSk14a0l5bUNXcHFrdDk0Nk1TSk5SQkVnc2lwS2lPV242cy9DSFBjMi90MFloODFoM0dwTjY0a1AralRFRkRjU0dseTdERnI1UGw4Q1J5R2lReDZkU1ZvencyUE5paUViVGpYRkNsb2gwcHFManI3cmdLMjVwQkVKUWN2WC81NkV6NGsxZ0pObFlsZUlNZzc1WFJwY2xFMHV4YjY1QUN3NDFmRzYwbW1RdDB0azJHVzdWcnVWY2NjUmFVWFlhZ1d1L2RFb1NvS05ubGtIRzIxRXRSM250b05hektSc1lKSGQzZWVuZUt4S21ublZ1TXdWNUtRc2VPM1ZGQm9mSE8xR0xEeGNYRjVUa3RPWTh5d1Z2emcxZjZtQ1R5ZzlYdlJSR0tsNmsxZU1Rb0o3UllRb1hpOFdkQ1Q0WVBXWmdDRjFMRmN0U1VNY3Q0dndjR2RSRlh0RDNpbWxzS3Y5TmZJRW5KblNLYWt1Yy8vZmVQL2V2ZkczSGNCcXQwcnMxV3B1UEZIQ21YbmFXQ0JlZ0ZsNDkwSy83eGJpLzhkOUpCeGRoaWtSdisvM25FV1h3My9lVkdjcGN1Rnc2anVuTG00L0NHRFJreDdpOGFoaXhLNnlmSURiKytXeXdPUHZUZEFXUVd3d1A2YkdpUXVjNElxb2Rkc1kwcjdsYTc2QnNpaHZOMWhWNEhnaTlhdWt5cnM1TW9LMFh2ekdaSEI5ZWJONXBsaTZpNW1KSlRMNDljaHRPU0l0anMrRDZYSUtrMGJhOUNUR3RHWEJCVm55M0dHOUI2SjYzc2FaUGZ6UGZRcksva0g0Z00wSVRPL0hOS0NzMmRzK3NPWVlHelQ3a2czRWVTYWhrU2FvWThlUT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * 99uOoHYlGoguqmoXLE5aYcqUT1d
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\OvtlQeYE_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aBdaEDCeec You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTIyMy00SkVCeC9VMitMNS95cVBMUHpCNXlWd1hPK1pSbFJMYVVkZ0lxTVNsaUNnejExaXdxNC9wN1A4aWpwUTNmTjlUOTNLRzRjZm5Qc2RFNVIrRUFkeU56Yk9INlBqSkhlUHE3R2RZdXBFcHp5dzdEQ1o1NTI2NVR6clhYQnl6MDRwcS85VGFraUlJSHRQOHVDdjlsa3Z6cHo5ZkpYNTAza0FpdG1DdGtFc2FUT1d0bmNFMnlKVDJWZGhVVnZsdTBYVXpyZXZqOHpuUVl2Q283d1V4R2lMSHMzanloanR4bVdXQ21qbmZONmVIRFhQcG9iSGNKcVY0bVVtMlp0dHZjT05MZ2xxVjQxSXFDL0RJV3ZrLytuWVdzQThleVhWVjNINU9yRGtmM29QUTZIY0V5dW5LcE5QZkxSNzRLYnVUWWZxbW5ITmlHK1Arc2JKbGFqOXNON2d5Z3I2amtKaTFKelJyczNRdEZGRGVkRDhxYW52SG9HbzBmc2tWTGFQQXZGNzJHcnY4S21KTlRyRjJWSXc3THluR0dUR2Y3aHE3ODhsa29xNTgzbFQyWDc4cTlnaEJmZ01aZ0ZMbVhWYkIwMDhodXNxS3plT0JWN1ZjZko1VmdpUEdIQ3AvN0N0TkgwZyswYlhPUjlPYytYNGFDazBCSUQ0dDZNVE85eFFDN3pSck1NZmpPc2tBeXBmYVA0M2Y2cVA2WG9CaUxwTmVZcWlvM3czKzl4WnRjWmpTeEI2VFpNRHZtNEFmLzFkbDdFSUlhYzJScHlMNzlram8vK0FVM05EWmdzSTVHTHY4d2pCdVhLSW5hcUpHUFh2akQvQmhxK2VrNHFCMDNoVmRiTHoveHM2Sm9FVVZScEVSa3pSMUt4TWpia3JoUDY0TWhWS0tUcDM4ZjVZbkF6WmpVRGJaTHdTclJzRm1pVmgzSEl5Z1NUYW5rYWliRytIQ2RNYTFldWExSk5JcGY0V2FHMlg1M2ROMHhWa3V1eWNsbjJYaU8xclBLM05YK05oaE1MbTRwZjZNNWh3eE43ZlpxOUdPbEFBOG9GRHo5eVh3eHV6TEtIb215RlVDL053MWw5d2RxWlJrb0hPTGlwZWIwa0t3VjhwMWFOZEhMeE5kalgwY1k4ejFsUGdrWjliKzg4NytPSzdNVXZuMUNCc2c4VDJoMVlaREVDc2R5VkhhM1lnazNLZ0k3ZllQcFFhMjFYUFVVN3BYYmZ4VXVFcldTQXZUQTduUExxeFJqc3VQU2lsYldBYWJZeGxwV3hVTXNpUlkvdlZNWHUvMWZqcVJFY0J1VklzU3Jwc0JyV0V5ZVg0R081bVMvUFd6cEptUUU0WGZtNDVrYkJQdUFMQWdYMzdGNUVvYkxGbFliaU1iKzhObm5LSXlUR2kwUnUveXl0WE90L1RvQlpQVHVkSk90MzlyWC9UV2xzdk41WndMZjlSTlJCLzBOSWlDU1IrdFB6NktuVTZPa3prb2ZxWUhsY1J5bXFGcTkrZlJRc3VIOHIyUEdwY1poTW9LcEk3TzBucUJocEROUlJXNlhVREN3U0tJV29Zbm5vSHJNQUpOQjJtRWtXNFFKK01WU3ZCN0NxelU5eEVWL3gyblh5SllLajMxZG9LQmtkd05rMUZFMy91ODh1RE5DbTEwS2Q2bm1ETllPUGozeXA5ZjQrZi9IclFzTlVrRmNad1BmU08zK05BS2ZWUVdHRHI4R2xrOXlKVW9MeDZtSEl4T3cycTVqMldWbnJKOUlRbktja25aQTJIRDR4YnR4NDlwUi8veHVGNS82N3h6V0xqVmFYY1Y2SnpwY0hEZ3EyQWZLQmxKcXo1blNGMnArb24yT2xjdG15RXFuY091N2daU1ROSVl1dVhpZWl0b3hDRDAyQTI5ZS82TzJKd29RZklHcnh1WXN6Um4xandZRXc3clIySFpwK3VlS0JhZU5sbHhnbW9lTzlid1ZPdXZ6bEJqVnVVQmRReEYwVE82bUloR3J1UHlnSTZRM0o2ZTlzT0Jpb3B0ZXNWUzg4ZEdPRHhrVlBUSXRYOTRra3FoejlnZ2Y1ZXkxcFgrSXNkQUtBNUxiaXE1WlZadDhwWTIxaTVXQ3RtQWdpYmdOYzY0dHVKczN5NlQwajRsejJvckxuS3d0Q2VBOGVzUFJWdWFWQT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * mz2jE7E
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Music\OvtlQeYE_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aBdaEDCeec You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTIyMy00SkVCeC9VMitMNS95cVBMUHpCNXlWd1hPK1pSbFJMYVVkZ0lxTVNsaUNnejExaXdxNC9wN1A4aWpwUTNmTjlUOTNLRzRjZm5Qc2RFNVIrRUFkeU56Yk9INlBqSkhlUHE3R2RZdXBFcHp5dzdEQ1o1NTI2NVR6clhYQnl6MDRwcS85VGFraUlJSHRQOHVDdjlsa3Z6cHo5ZkpYNTAza0FpdG1DdGtFc2FUT1d0bmNFMnlKVDJWZGhVVnZsdTBYVXpyZXZqOHpuUVl2Q283d1V4R2lMSHMzanloanR4bVdXQ21qbmZONmVIRFhQcG9iSGNKcVY0bVVtMlp0dHZjT05MZ2xxVjQxSXFDL0RJV3ZrLytuWVdzQThleVhWVjNINU9yRGtmM29QUTZIY0V5dW5LcE5QZkxSNzRLYnVUWWZxbW5ITmlHK1Arc2JKbGFqOXNON2d5Z3I2amtKaTFKelJyczNRdEZGRGVkRDhxYW52SG9HbzBmc2tWTGFQQXZGNzJHcnY4S21KTlRyRjJWSXc3THluR0dUR2Y3aHE3ODhsa29xNTgzbFQyWDc4cTlnaEJmZ01aZ0ZMbVhWYkIwMDhodXNxS3plT0JWN1ZjZko1VmdpUEdIQ3AvN0N0TkgwZyswYlhPUjlPYytYNGFDazBCSUQ0dDZNVE85eFFDN3pSck1NZmpPc2tBeXBmYVA0M2Y2cVA2WG9CaUxwTmVZcWlvM3czKzl4WnRjWmpTeEI2VFpNRHZtNEFmLzFkbDdFSUlhYzJScHlMNzlram8vK0FVM05EWmdzSTVHTHY4d2pCdVhLSW5hcUpHUFh2akQvQmhxK2VrNHFCMDNoVmRiTHoveHM2Sm9FVVZScEVSa3pSMUt4TWpia3JoUDY0TWhWS0tUcDM4ZjVZbkF6WmpVRGJaTHdTclJzRm1pVmgzSEl5Z1NUYW5rYWliRytIQ2RNYTFldWExSk5JcGY0V2FHMlg1M2ROMHhWa3V1eWNsbjJYaU8xclBLM05YK05oaE1MbTRwZjZNNWh3eE43ZlpxOUdPbEFBOG9GRHo5eVh3eHV6TEtIb215RlVDL053MWw5d2RxWlJrb0hPTGlwZWIwa0t3VjhwMWFOZEhMeE5kalgwY1k4ejFsUGdrWjliKzg4NytPSzdNVXZuMUNCc2c4VDJoMVlaREVDc2R5VkhhM1lnazNLZ0k3ZllQcFFhMjFYUFVVN3BYYmZ4VXVFcldTQXZUQTduUExxeFJqc3VQU2lsYldBYWJZeGxwV3hVTXNpUlkvdlZNWHUvMWZqcVJFY0J1VklzU3Jwc0JyV0V5ZVg0R081bVMvUFd6cEptUUU0WGZtNDVrYkJQdUFMQWdYMzdGNUVvYkxGbFliaU1iKzhObm5LSXlUR2kwUnUveXl0WE90L1RvQlpQVHVkSk90MzlyWC9UV2xzdk41WndMZjlSTlJCLzBOSWlDU1IrdFB6NktuVTZPa3prb2ZxWUhsY1J5bXFGcTkrZlJRc3VIOHIyUEdwY1poTW9LcEk3TzBucUJocEROUlJXNlhVREN3U0tJV29Zbm5vSHJNQUpOQjJtRWtXNFFKK01WU3ZCN0NxelU5eEVWL3gyblh5SllLajMxZG9LQmtkd05rMUZFMy91ODh1RE5DbTEwS2Q2bm1ETllPUGozeXA5ZjQrZi9IclFzTlVrRmNad1BmU08zK05BS2ZWUVdHRHI4R2xrOXlKVW9MeDZtSEl4T3cycTVqMldWbnJKOUlRbktja25aQTJIRDR4YnR4NDlwUi8veHVGNS82N3h6V0xqVmFYY1Y2SnpwY0hEZ3EyQWZLQmxKcXo1blNGMnArb24yT2xjdG15RXFuY091N2daU1ROSVl1dVhpZWl0b3hDRDAyQTI5ZS82TzJKd29RZklHcnh1WXN6Um4xandZRXc3clIySFpwK3VlS0JhZU5sbHhnbW9lTzlid1ZPdXZ6bEJqVnVVQmRReEYwVE82bUloR3J1UHlnSTZRM0o2ZTlzT0Jpb3B0ZXNWUzg4ZEdPRHhrVlBUSXRYOTRra3FoejlnZ2Y1ZXkxcFgrSXNkQUtBNUxiaXE1WlZadDhwWTIxaTVXQ3RtQWdpYmdOYzY0dHVKczN5NlQwajRsejJvckxuS3d0Q2VBOGVzUFJWdWFWQT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * 88e6ZKXjdf
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Pictures\OvtlQeYE_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aBdaEDCeec You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTIyMy00SkVCeC9VMitMNS95cVBMUHpCNXlWd1hPK1pSbFJMYVVkZ0lxTVNsaUNnejExaXdxNC9wN1A4aWpwUTNmTjlUOTNLRzRjZm5Qc2RFNVIrRUFkeU56Yk9INlBqSkhlUHE3R2RZdXBFcHp5dzdEQ1o1NTI2NVR6clhYQnl6MDRwcS85VGFraUlJSHRQOHVDdjlsa3Z6cHo5ZkpYNTAza0FpdG1DdGtFc2FUT1d0bmNFMnlKVDJWZGhVVnZsdTBYVXpyZXZqOHpuUVl2Q283d1V4R2lMSHMzanloanR4bVdXQ21qbmZONmVIRFhQcG9iSGNKcVY0bVVtMlp0dHZjT05MZ2xxVjQxSXFDL0RJV3ZrLytuWVdzQThleVhWVjNINU9yRGtmM29QUTZIY0V5dW5LcE5QZkxSNzRLYnVUWWZxbW5ITmlHK1Arc2JKbGFqOXNON2d5Z3I2amtKaTFKelJyczNRdEZGRGVkRDhxYW52SG9HbzBmc2tWTGFQQXZGNzJHcnY4S21KTlRyRjJWSXc3THluR0dUR2Y3aHE3ODhsa29xNTgzbFQyWDc4cTlnaEJmZ01aZ0ZMbVhWYkIwMDhodXNxS3plT0JWN1ZjZko1VmdpUEdIQ3AvN0N0TkgwZyswYlhPUjlPYytYNGFDazBCSUQ0dDZNVE85eFFDN3pSck1NZmpPc2tBeXBmYVA0M2Y2cVA2WG9CaUxwTmVZcWlvM3czKzl4WnRjWmpTeEI2VFpNRHZtNEFmLzFkbDdFSUlhYzJScHlMNzlram8vK0FVM05EWmdzSTVHTHY4d2pCdVhLSW5hcUpHUFh2akQvQmhxK2VrNHFCMDNoVmRiTHoveHM2Sm9FVVZScEVSa3pSMUt4TWpia3JoUDY0TWhWS0tUcDM4ZjVZbkF6WmpVRGJaTHdTclJzRm1pVmgzSEl5Z1NUYW5rYWliRytIQ2RNYTFldWExSk5JcGY0V2FHMlg1M2ROMHhWa3V1eWNsbjJYaU8xclBLM05YK05oaE1MbTRwZjZNNWh3eE43ZlpxOUdPbEFBOG9GRHo5eVh3eHV6TEtIb215RlVDL053MWw5d2RxWlJrb0hPTGlwZWIwa0t3VjhwMWFOZEhMeE5kalgwY1k4ejFsUGdrWjliKzg4NytPSzdNVXZuMUNCc2c4VDJoMVlaREVDc2R5VkhhM1lnazNLZ0k3ZllQcFFhMjFYUFVVN3BYYmZ4VXVFcldTQXZUQTduUExxeFJqc3VQU2lsYldBYWJZeGxwV3hVTXNpUlkvdlZNWHUvMWZqcVJFY0J1VklzU3Jwc0JyV0V5ZVg0R081bVMvUFd6cEptUUU0WGZtNDVrYkJQdUFMQWdYMzdGNUVvYkxGbFliaU1iKzhObm5LSXlUR2kwUnUveXl0WE90L1RvQlpQVHVkSk90MzlyWC9UV2xzdk41WndMZjlSTlJCLzBOSWlDU1IrdFB6NktuVTZPa3prb2ZxWUhsY1J5bXFGcTkrZlJRc3VIOHIyUEdwY1poTW9LcEk3TzBucUJocEROUlJXNlhVREN3U0tJV29Zbm5vSHJNQUpOQjJtRWtXNFFKK01WU3ZCN0NxelU5eEVWL3gyblh5SllLajMxZG9LQmtkd05rMUZFMy91ODh1RE5DbTEwS2Q2bm1ETllPUGozeXA5ZjQrZi9IclFzTlVrRmNad1BmU08zK05BS2ZWUVdHRHI4R2xrOXlKVW9MeDZtSEl4T3cycTVqMldWbnJKOUlRbktja25aQTJIRDR4YnR4NDlwUi8veHVGNS82N3h6V0xqVmFYY1Y2SnpwY0hEZ3EyQWZLQmxKcXo1blNGMnArb24yT2xjdG15RXFuY091N2daU1ROSVl1dVhpZWl0b3hDRDAyQTI5ZS82TzJKd29RZklHcnh1WXN6Um4xandZRXc3clIySFpwK3VlS0JhZU5sbHhnbW9lTzlid1ZPdXZ6bEJqVnVVQmRReEYwVE82bUloR3J1UHlnSTZRM0o2ZTlzT0Jpb3B0ZXNWUzg4ZEdPRHhrVlBUSXRYOTRra3FoejlnZ2Y1ZXkxcFgrSXNkQUtBNUxiaXE1WlZadDhwWTIxaTVXQ3RtQWdpYmdOYzY0dHVKczN5NlQwajRsejJvckxuS3d0Q2VBOGVzUFJWdWFWQT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * VklxuWJ3THjua
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Targets

    • Target

      9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3

    • Size

      762KB

    • MD5

      763217378a83acd3712728a51bec6862

    • SHA1

      62b23d984ba0539b263bf929847a6f79ed7e5a89

    • SHA256

      9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3

    • SHA512

      d566ac0460aa76ea63d49308690dc6f8113bc5f811a1862218d09f92bffbeaee1b6e9771766f8b8e23b34a2026f80c1fe9dcb0d39f2aca3f267e75e24b63b486

    • SSDEEP

      12288:wovdmyrrMXMNK+A+JLxkpheaiTOYqLNMhL3q/Pn75K1/LnBuueiFZMmmk3:woQEY+A+JLxcheaiTOYI+xOPn75+D/ZL

    Score
    10/10
    avaddonevasionransomwaretrojan

    • Avaddon

      Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

      ransomwareavaddon

    • Avaddon payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      evasiontrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Renames multiple (187) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Executes dropped EXE

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks