avaddon

Sharing

Copy URL Twitter E-mail

General

Target

e6bb11bd2ed0c75d444d2f130bc5fa874ab62d25938a1d58fa1445f2172d97a1
Size

2.0MB
Sample

240316-ev1eesde59
MD5

d41105ad13c1d5b27ba804a8f476b5be
SHA1

f82f46077bdbd0c65c1adf777ffcd9c299393f0d
SHA256

e6bb11bd2ed0c75d444d2f130bc5fa874ab62d25938a1d58fa1445f2172d97a1
SHA512

b22f718545455f1558b002e555e6ddace068072d822045be3eb4115c0968352351692495875ca3f9a6c25cdd1510fbc25e969327626ff0029238fd6c4ca0eb67
SSDEEP

49152:p6Qi5LbV60l14gNb3fXzxaZttFkp/ylZo7r/AjKLjq748k9k:di5LbTlugb3UZtjsf8Ky7Y9k

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\FCcKFEK_readme.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .BCbeEEDeb You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- Mzk5LVlXWUhUditJNGpvVURxYnJ3YXducXc1Y0R3cGduUWU2R3NTRXN5SXd5ek1vRWhmaEg3d1lXL2V5aU5lTTlEMStQZ3YrSSt1b1g5cWp4cGlTdE56eWZsOXhybU1CZExHaTdoOGxiNG5QUTQrZjc2MDJ4UnF1MkVUazVvaEhma0JoOGsrb2ZBSkhEUk9TZkV2a09lek9La0hPWXI3SUFRdFU0MVdQWlM5dytRbEh1TWd4Uk5lZ2lOOHhVMWtTWDNOczRwWjI3RUJ6T2ZoNUZWRkNxMm50NktCZ09Ec0RQaHNwNXNtY28vUkU4VU9IaWg0ZXFMc1BLWnl2YjYwRjZBV2RSbU9uQ2NsU1U1TlgzelN2TnNmVkZXaVVyc3ZCYnNjd2E3K3FSZEtRTmFXZkJWOURQNEdsUFRML0ZiMVJqcTZrTTdZQUFxVUl3bTA2VkdqMmxtUHZ4TWxyamVjWlFJeXpVSnlQSmNyTWUrcVZCTlhLOHFQb28waCs0eENEempiOVFLMW02QnQ4TGtxRFhIY2Yvdm5FVS9NRTdhVHh5cmJoZWtlb1dTTDc0eVZFWlozbTRSQlA4d0puaGhLd3h1enVTL3BJekNIS25KZkxJWDlib0ZlemlIdUVtaHVzMGxIakg0TStLL2dUdjBhdXZRQmlSemt3QThXc0FWR2cyVCtlejFrcWR2K25UeXkxNFJJU3NiZnNQSmZVK01mbTZBb1oxMGFkdXgxdHlST1pYTzQ1eTVHcitMbkRpdEhWSmw2NkdGWFB3Y3V3dXV2allFblkwbHlIR3Y5dEw1VkdqbUZvcWF5bmt0aGFHRHhRSGxNMDFtVlo4S3JrZ2RWUWh3L0htdDJQM3pQU0JkMm1SbWw2UXlJODVhZHBZNERoYnNiczB2d3dsRm83K2t1TWJlYzI2TXBvT1V6ajI4OGtDNlR3Rlh0QUUzeWI1Z1RLK1docGhrRTFpWXZicng3RVM1Tlp1YWlDVXJ6UnlWWHV4M3dxQlRycCtHZW4rOURIb1JOdVMyM0x5TTJqcEtzWWVRWFVPTTdKRitRQVF2YTJPd29TOHoxcEp2c2VLd2FiaU9TUXpXQkV3V1NNbytMVHlsYy9SUXh3bmF3ZmJqNlE1UmdjakVzSFFjeWRiZENtTzhDcDJLMjNFaDhSUTMvR2VLbm1KZW9LemowYXlDNW5Lc1B0YVFWalQ5aXY3UFVaZ2FOUmdqcGdXdHk1QUlFbzQxOXdMRXM0WmJ0TDJkZ01sV0RrVE84OGNaVXhla2JHWXZKTEh6bUZrd2xwUDFIRlBzdmw2VkFZWUZETll2Y0ZtYlRob3VUTG51bGV6VzVLcmFzeGRwQStXbkFPV1Uya2ZFYmd4QVNoYkxOZkpyWFNhYjhBMjBJa3E2c2FzaXRqWDFoRDFIRVkrTkVIWHBLWGo2d25ieGY1TGtjRkowajVaU0ZYSVdYMnRSNmRqQ1ZMMFFlcHg3aUtZNnhScjhtZ2wrd3Fqa0E5bkRhREpRSXFMZlZNTmE2eVhxTjcwT20ya09zZ2ZISnZRdFhNN1A4d2hKY0QvN3NFN1ZmSWhmZXVNNUV1Q1hIUmVTSTVma28raFRnT1lwSWs5UjZHUVRaY2p5TlhobjJNS00vWFZXbjdSc1hDZHZsNWVSTFFrbmI2N0RwNW9UUVBPeHhGZjhPNHdxcUF3aGNaMTF6ZlVJS0lDeXByNUt6bHdua0E3dU00OHFzNHFIN3RrV3VmTTdDak9LanlLZUpqNHlBZWVWTHJwcTU1RjhKejltY1kwcnU5ZXVXWld1bHI2V2E1eUJjMldkYzZJY1p0cGQ2SzAwSnFrV0NHM3d2bHo0a2ZuU1VsamUrdGZhZS9rb0ZOa3VRS2FtUHlVbitKaEFBZTZKUHNWNG1XeG5rTGdoNkJLTWN1bEQrRWMxeVJTejROTEpkWFI1aVZNVnMzLytma0VnVkdJaFY0TFlpdld4cU5PLzBvWjlleTVqY3pBOTBFYVFlR09TY2ZPbXhIVzRJbjgxdHBEcm1KdkJNdGVkUTNvejA0TGV6c2JZSUJiYjdQeVFPTWJIVS9CR0pSYmluQVd6TFg1S3hjUkhTb1oxOEVBVlI2OFVyQVZyeDQrT0VOTG9QOVA5SWlCVGVTcW1ZRS9qZy9wZUlmYlhNT2ozRmYrK0lDNC9TZFloU1hjd0tVbWd0Q3p0RVB5RlMxUnN0QURNenovd2RH -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * qsj1YVb

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\FCcKFEK_readme.txt

Family

avaddon

Ransom Note

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\FCcKFEK_readme.txt

Family

avaddon

Ransom Note

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\FCcKFEK_readme.txt

Family

avaddon

Ransom Note

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\FCcKFEK_readme.txt

Family

avaddon

Ransom Note

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Favorites\MSN Websites\FCcKFEK_readme.txt

Family

avaddon

Ransom Note

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Pictures\FCcKFEK_readme.txt

Family

avaddon

Ransom Note

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Pictures\FCcKFEK_readme.txt

Family

avaddon

Ransom Note

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Default\FCcKFEK_readme.txt

Family

avaddon

Ransom Note

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Public\Pictures\Sample Pictures\FCcKFEK_readme.txt

Family

avaddon

Ransom Note

URLs

http://avaddonbotrxmuyl.onion

Targets

- Target
  
  e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe
- Size
  
  2.1MB
- MD5
  
  ccede1200a6e8eff54a358fa1e6d119a
- SHA1
  
  e62fbe82dc5c1efbdecfd94791e023002d3c178b
- SHA256
  
  e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf
- SHA512
  
  d4c7e45c2f509e43b521bfbcd67474ef271fa12088f7a57794ba866cdd41ddd3e9ee8fc776b31dd0a0811e62542b813e97c0f3404f4e416066c1338193f7f6c7
- SSDEEP
  
  49152:Q6otv8NVQqr7XXpwM+DbhzFG13Dyz6fRG+A+85fbhl7zsPS0mc+8aun:QDB8XQqDXf+D9FG1dp9m5fb37zsf+yn
Score

10^/10

avaddon evasion ransomware trojan
- Avaddon
  Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
  ransomware avaddon
- Avaddon payload
- UAC bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (192) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2