Overview

overview

10

Static

static

10

ab.exe

windows7-x64

10

ab.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1d7051ad6ad4f278e54651e289fb01c034261bdb3e366ccea8c55fa834979118.zip

  • Size

    320KB

  • Sample

    240402-qeq2labb26

  • MD5

    8c84fda88098d9a2571e40731fb986a3

  • SHA1

    8e00bce3d98ea013e8f499ff2af1ec05851526a0

  • SHA256

    96779e567a562e3fd3006968adf4f69436271d32d662cffab3eaaa29a6a17975

  • SHA512

    b2223ac6d44d1e6785c3771f2a415e52ec98c34e9c0ab537ada5629eb3f2b350faae9bfb4c151ab6dad1dc78dcccb54a3309601ecc800ac9f995ee73c3e835a5

  • SSDEEP

    6144:elOQYjCy+Zlb9qa05gApWF4Jtlwm+zj/CNaxdDp1IYLD9xb4ppgOe1:elOjx+Db70/Wgwm38fDY66e1

Score
10/10
avaddonevasionransomwaretrojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\CLkPQG0K_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .cEdaAdEaC You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1ib2hNcTI5M04rK3ZYOVBJcDZTSExDcDlzcldOUGlERld4S0FrcEdhZFRRZVkzRlk3TTVtMnYzSW1nS3ZyWFlEKytYbGVTTU81LzVVYXBFZ1BMdlh0VWh4MjE4QXdBK1BpZ2NlazJ0TUVYMVpQY3V4UTc2bGdscWJyWVlhK25ldFJNVkNxd0t1Sjg5MW5zWG02eHU4Ris0YnA2eWE5UFB5cUFsMUVPQzcyVUdoRjVLcXZRSE9DTjZwTWZWQllST0xIM3VONmphRUlPSk5aSjMreFRQbCt6enB1WStjWmtXYm5lNVJDMlJ5SEo2WnBNNGJZR0dndW9FYjBmdjR5cmdKeXIza0c5Z250MjZHbmpBZG51TjdyMmZ5ZWppYnZxTDhzbFNpT2hKSlNBWlZGVlpLdlNLNkNBbTV3TEE4SnZNSGRLNmpYa0NoVjVIQjZBeG9YT1BnYWppZ0JHRTcwMzNkTldjSFpKMWV0dFRWYW1aSVBqUU9QVWpKWEZJcHF0S0pPL3dMV09CSkNwZWplM05MZ2ZCZlJSUENZUE15K3p3bWxqczZJVjNsWmdGamtQVlVJUVI1bFQ5UUxuSEY5NFV5blErMk00aStlUTR4Y2VFa1FRUDREZnE2STZuWlZxWVhHcUxsSVh1TGtsTTY0YzNsQk9WdFRCS2JkY0pKSjZKdVZlR3V2bytKUm1idXdTMVRMdndxdlh1ZEplc3B1OTFqQnZIV3AvYXBHTGNwcjlFWVZMdEtDRXE4Zldlb25wOTN6dmVZNU03ZDl5ZDJIR0lUMmRIMWxYWXA0U1cwMzQ3QnlPSktXL1RtenJEM2pzK1RSVHppTGliLzRuemozT09lUXg0NVNlSDZydUExc0lqOEhLbjhjMEZsUkhkRGJScTh3WWpxaU9uTVFUZ2EraERhNmNDalRDblllckQxaDJtblFJNlZPU0RvYWxQQUdEeVkrWFFYcVMzZTBoTWs2dE1qbDdhQnNMcHVqQnFkWUR6RHRadUpMazhLeTZCdkpzc2xzcXgzK1AzcFBrczdFNWpLaDVVYUxNWWw5UVBudTVCeFhWSHdPUUxlTnkzQWJmRjZvQTZFd0dwaWl5RUxCYklvWFQrZTdyYXZWVTlIKzBlSXJVa1JLUWM3TVBYckMrMHpZcVdST0ZvUGhyZWdRWDR6RU1uUC95NlRCQ001dHZPU1d4aE1TVjdaZWNRSGc1NldjbVNLZnRCVVZuUndvME81NkpTaEo0SU1kL2hhRUMvQnFOVzBOTXRNMGQyTVI0RFl2WjFkMUtVaDlPTWlXcFIzUno0SVdVbTBwTmM4ckJuVjNKTVo2UmFNSkpyVEtNSUFDZEM3T0VOVndvNFl5bC9YTHUyZk8wT0U5UVlkcDJuU3FyeWVZNU8zc1FUTDJrT01YVVMwY2xOMXhCY0RFRXFwZGR5bExXNFFoMFlpKzJMMzNxZEtOTmZBMFpSd05VK2tnNlV2b0kwamVvcC9EY1RHdElKWUFVNFUrQWF1dXVzS0cwelp3eWc2V29FY2ZlRElZcTUyQzBVZTd4TkZvT2UwQ1l2MWJNWWRnbmIwRzFFWEphbVJDU3lyVDhyeEFWWUtocDBQeDZoQkxOZXV5RW03Z05HRzJEUURnaUxaMUo5SnhCSmdxMkVWM0s5dmQ3RDlzUUVVWjQwVy9aK2JvMUNXU0tnTUgyOWtra1hUd1ZiQlN6OTJEbWVGUGRGN0NjWEtvS3Irb2I1dmJNS21UTXlJVkFtbmtHK3ZXU0tpV1gwNWU2WUdFY1BBSlNVR290N2pRU0kzZHpaei9zT21nbzVVRDdVZkFvSlJJL0RneGVTQ3dnek95dHNIeFAzWUg2aURhT3JoVU1jcXVPSW9jN2dmeVlXaDgzZHJUZ1M0MUtpUHRIak4rb0VYSzRWRG1nSVdkVWFjd2RGYjRORjdIRmRDMkQvcEEzOWpHcVZoeTV3NDZTUjEvTzd4bG5VWE40UUZLc0VUTEhabDh3WlZSc0NiZytmRktEQ1dGckt0aE9oclRaNWpRdjlmcEdKblpsc0tXZ3pyd2N0YmNkRm1sVHJzclFmWjNDZ3FSaUQwZkhaWkpweG4vamRReGp3QVg1d3J2NUI1cXBQUTI4eEFuV29lalJoNXZ1d3lRU1d3ZU9mSEhQdGdZZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * YxsmlSmeGWJgJLpXPaCRvU9t2
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\CLkPQG0K_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .cEdaAdEaC You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1ib2hNcTI5M04rK3ZYOVBJcDZTSExDcDlzcldOUGlERld4S0FrcEdhZFRRZVkzRlk3TTVtMnYzSW1nS3ZyWFlEKytYbGVTTU81LzVVYXBFZ1BMdlh0VWh4MjE4QXdBK1BpZ2NlazJ0TUVYMVpQY3V4UTc2bGdscWJyWVlhK25ldFJNVkNxd0t1Sjg5MW5zWG02eHU4Ris0YnA2eWE5UFB5cUFsMUVPQzcyVUdoRjVLcXZRSE9DTjZwTWZWQllST0xIM3VONmphRUlPSk5aSjMreFRQbCt6enB1WStjWmtXYm5lNVJDMlJ5SEo2WnBNNGJZR0dndW9FYjBmdjR5cmdKeXIza0c5Z250MjZHbmpBZG51TjdyMmZ5ZWppYnZxTDhzbFNpT2hKSlNBWlZGVlpLdlNLNkNBbTV3TEE4SnZNSGRLNmpYa0NoVjVIQjZBeG9YT1BnYWppZ0JHRTcwMzNkTldjSFpKMWV0dFRWYW1aSVBqUU9QVWpKWEZJcHF0S0pPL3dMV09CSkNwZWplM05MZ2ZCZlJSUENZUE15K3p3bWxqczZJVjNsWmdGamtQVlVJUVI1bFQ5UUxuSEY5NFV5blErMk00aStlUTR4Y2VFa1FRUDREZnE2STZuWlZxWVhHcUxsSVh1TGtsTTY0YzNsQk9WdFRCS2JkY0pKSjZKdVZlR3V2bytKUm1idXdTMVRMdndxdlh1ZEplc3B1OTFqQnZIV3AvYXBHTGNwcjlFWVZMdEtDRXE4Zldlb25wOTN6dmVZNU03ZDl5ZDJIR0lUMmRIMWxYWXA0U1cwMzQ3QnlPSktXL1RtenJEM2pzK1RSVHppTGliLzRuemozT09lUXg0NVNlSDZydUExc0lqOEhLbjhjMEZsUkhkRGJScTh3WWpxaU9uTVFUZ2EraERhNmNDalRDblllckQxaDJtblFJNlZPU0RvYWxQQUdEeVkrWFFYcVMzZTBoTWs2dE1qbDdhQnNMcHVqQnFkWUR6RHRadUpMazhLeTZCdkpzc2xzcXgzK1AzcFBrczdFNWpLaDVVYUxNWWw5UVBudTVCeFhWSHdPUUxlTnkzQWJmRjZvQTZFd0dwaWl5RUxCYklvWFQrZTdyYXZWVTlIKzBlSXJVa1JLUWM3TVBYckMrMHpZcVdST0ZvUGhyZWdRWDR6RU1uUC95NlRCQ001dHZPU1d4aE1TVjdaZWNRSGc1NldjbVNLZnRCVVZuUndvME81NkpTaEo0SU1kL2hhRUMvQnFOVzBOTXRNMGQyTVI0RFl2WjFkMUtVaDlPTWlXcFIzUno0SVdVbTBwTmM4ckJuVjNKTVo2UmFNSkpyVEtNSUFDZEM3T0VOVndvNFl5bC9YTHUyZk8wT0U5UVlkcDJuU3FyeWVZNU8zc1FUTDJrT01YVVMwY2xOMXhCY0RFRXFwZGR5bExXNFFoMFlpKzJMMzNxZEtOTmZBMFpSd05VK2tnNlV2b0kwamVvcC9EY1RHdElKWUFVNFUrQWF1dXVzS0cwelp3eWc2V29FY2ZlRElZcTUyQzBVZTd4TkZvT2UwQ1l2MWJNWWRnbmIwRzFFWEphbVJDU3lyVDhyeEFWWUtocDBQeDZoQkxOZXV5RW03Z05HRzJEUURnaUxaMUo5SnhCSmdxMkVWM0s5dmQ3RDlzUUVVWjQwVy9aK2JvMUNXU0tnTUgyOWtra1hUd1ZiQlN6OTJEbWVGUGRGN0NjWEtvS3Irb2I1dmJNS21UTXlJVkFtbmtHK3ZXU0tpV1gwNWU2WUdFY1BBSlNVR290N2pRU0kzZHpaei9zT21nbzVVRDdVZkFvSlJJL0RneGVTQ3dnek95dHNIeFAzWUg2aURhT3JoVU1jcXVPSW9jN2dmeVlXaDgzZHJUZ1M0MUtpUHRIak4rb0VYSzRWRG1nSVdkVWFjd2RGYjRORjdIRmRDMkQvcEEzOWpHcVZoeTV3NDZTUjEvTzd4bG5VWE40UUZLc0VUTEhabDh3WlZSc0NiZytmRktEQ1dGckt0aE9oclRaNWpRdjlmcEdKblpsc0tXZ3pyd2N0YmNkRm1sVHJzclFmWjNDZ3FSaUQwZkhaWkpweG4vamRReGp3QVg1d3J2NUI1cXBQUTI4eEFuV29lalJoNXZ1d3lRU1d3ZU9mSEhQdGdZZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * O6T8afZR681EBmxZ477Z5fHuPPT5X
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\CLkPQG0K_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .cEdaAdEaC You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1ib2hNcTI5M04rK3ZYOVBJcDZTSExDcDlzcldOUGlERld4S0FrcEdhZFRRZVkzRlk3TTVtMnYzSW1nS3ZyWFlEKytYbGVTTU81LzVVYXBFZ1BMdlh0VWh4MjE4QXdBK1BpZ2NlazJ0TUVYMVpQY3V4UTc2bGdscWJyWVlhK25ldFJNVkNxd0t1Sjg5MW5zWG02eHU4Ris0YnA2eWE5UFB5cUFsMUVPQzcyVUdoRjVLcXZRSE9DTjZwTWZWQllST0xIM3VONmphRUlPSk5aSjMreFRQbCt6enB1WStjWmtXYm5lNVJDMlJ5SEo2WnBNNGJZR0dndW9FYjBmdjR5cmdKeXIza0c5Z250MjZHbmpBZG51TjdyMmZ5ZWppYnZxTDhzbFNpT2hKSlNBWlZGVlpLdlNLNkNBbTV3TEE4SnZNSGRLNmpYa0NoVjVIQjZBeG9YT1BnYWppZ0JHRTcwMzNkTldjSFpKMWV0dFRWYW1aSVBqUU9QVWpKWEZJcHF0S0pPL3dMV09CSkNwZWplM05MZ2ZCZlJSUENZUE15K3p3bWxqczZJVjNsWmdGamtQVlVJUVI1bFQ5UUxuSEY5NFV5blErMk00aStlUTR4Y2VFa1FRUDREZnE2STZuWlZxWVhHcUxsSVh1TGtsTTY0YzNsQk9WdFRCS2JkY0pKSjZKdVZlR3V2bytKUm1idXdTMVRMdndxdlh1ZEplc3B1OTFqQnZIV3AvYXBHTGNwcjlFWVZMdEtDRXE4Zldlb25wOTN6dmVZNU03ZDl5ZDJIR0lUMmRIMWxYWXA0U1cwMzQ3QnlPSktXL1RtenJEM2pzK1RSVHppTGliLzRuemozT09lUXg0NVNlSDZydUExc0lqOEhLbjhjMEZsUkhkRGJScTh3WWpxaU9uTVFUZ2EraERhNmNDalRDblllckQxaDJtblFJNlZPU0RvYWxQQUdEeVkrWFFYcVMzZTBoTWs2dE1qbDdhQnNMcHVqQnFkWUR6RHRadUpMazhLeTZCdkpzc2xzcXgzK1AzcFBrczdFNWpLaDVVYUxNWWw5UVBudTVCeFhWSHdPUUxlTnkzQWJmRjZvQTZFd0dwaWl5RUxCYklvWFQrZTdyYXZWVTlIKzBlSXJVa1JLUWM3TVBYckMrMHpZcVdST0ZvUGhyZWdRWDR6RU1uUC95NlRCQ001dHZPU1d4aE1TVjdaZWNRSGc1NldjbVNLZnRCVVZuUndvME81NkpTaEo0SU1kL2hhRUMvQnFOVzBOTXRNMGQyTVI0RFl2WjFkMUtVaDlPTWlXcFIzUno0SVdVbTBwTmM4ckJuVjNKTVo2UmFNSkpyVEtNSUFDZEM3T0VOVndvNFl5bC9YTHUyZk8wT0U5UVlkcDJuU3FyeWVZNU8zc1FUTDJrT01YVVMwY2xOMXhCY0RFRXFwZGR5bExXNFFoMFlpKzJMMzNxZEtOTmZBMFpSd05VK2tnNlV2b0kwamVvcC9EY1RHdElKWUFVNFUrQWF1dXVzS0cwelp3eWc2V29FY2ZlRElZcTUyQzBVZTd4TkZvT2UwQ1l2MWJNWWRnbmIwRzFFWEphbVJDU3lyVDhyeEFWWUtocDBQeDZoQkxOZXV5RW03Z05HRzJEUURnaUxaMUo5SnhCSmdxMkVWM0s5dmQ3RDlzUUVVWjQwVy9aK2JvMUNXU0tnTUgyOWtra1hUd1ZiQlN6OTJEbWVGUGRGN0NjWEtvS3Irb2I1dmJNS21UTXlJVkFtbmtHK3ZXU0tpV1gwNWU2WUdFY1BBSlNVR290N2pRU0kzZHpaei9zT21nbzVVRDdVZkFvSlJJL0RneGVTQ3dnek95dHNIeFAzWUg2aURhT3JoVU1jcXVPSW9jN2dmeVlXaDgzZHJUZ1M0MUtpUHRIak4rb0VYSzRWRG1nSVdkVWFjd2RGYjRORjdIRmRDMkQvcEEzOWpHcVZoeTV3NDZTUjEvTzd4bG5VWE40UUZLc0VUTEhabDh3WlZSc0NiZytmRktEQ1dGckt0aE9oclRaNWpRdjlmcEdKblpsc0tXZ3pyd2N0YmNkRm1sVHJzclFmWjNDZ3FSaUQwZkhaWkpweG4vamRReGp3QVg1d3J2NUI1cXBQUTI4eEFuV29lalJoNXZ1d3lRU1d3ZU9mSEhQdGdZZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * l
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\odt\6Rfgx_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .EdCDcaDBa You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1DcWJFLzh4aTRVRGViVGtXbTQ0MFM4VjFEY2phbFFTbkdoSjgwU1h0ZFVFVkJzTmFtM25PWEt5dnk2aFdUbFk2RkNGbHplSlpkcjNYTFkwc0JEOTdidGdMQUN1YlVNWllLK1VqdWJaZXV3Mkx3QzRNWmk0ODNLcmdXOWd5RUlRRitPT0p1cFhUNWN3TnhSNzVlU0U2VFRFQWdsZVFqWDQ4OW9zRlUwRkhqVTNWdkY4eXZqanVzV1lYOURzTzB5aEFvUHkxK2NzckNvVXFjQjFEdDdpZzkrVm9INjl2eVZiMlgzdFJrMlBMN1NPaWt4eEc2dUNrV2s5dXBYZUNRNXYxUGhlazZlWnFhVkFMKzVXeENRRUFNYS93Mkc2NmZlMlAzZ0ZsYXMwcUw3WVAxV0RBdGFSL2V6UE1EbDhUUmhFMDBtR2lVZmFqZmtXbXQ1SDNWRnYvZWFzOCt5SGVJaGtxZG1uY05VMFI1bHV2L21BZExYU2R0eXlPMVdUR051bC9qd2JkeWFNSVFxcTdVM3VIcE5DKzBaNThsVkZub3lmSnR6TnFpRTNEdkNWcFNDajlNU3UzblNyS1VaQTh4bDFUWGJCQnp2WFFmY1BtalpGb01ZZkIrNitncWMvSUFOQ0orY0hDSDJyY0RzMGJKYkE1cTl6QTRWMkMxRm5URVpCTzU4T2haYUlIekNDMlR6K3VSVkJuZWdrWlBxTTJqdVgyRDFtcG5hbk5PYnZwbnB2dzF4SG4vNEhVdElGdUJXZGIwRVVmelZVTzl0VFl3TnBwUHhXNjVlRFovUTA2WUJpdWZRN05MMXFnbVppRUJxV050eXRSdVhJT0RSL0FaWUxjcE1jTWxWY2hienFadnNWbjF2Qkl4Zk1rY0J3bDl4cmV4bnFJdFNmamxLNzUzbDFNN1V4TXhSMTdWRmo0R1VEWVNLZmtLZzQrSUhYanVzQUFnQ0NlV1l3WFpESEZlWkdxdXUyQmEvcm9ncWNaUUZYWHg5R3VnQ0dac0p6TEZMY2d3Njc3SjVodVhWVlV1R3c1Tm13RUkrYkRoemR3dW9XaUVPNGZPckpoZ3J1Z2lza25pZ0xkbm1Cbzl5dkZtQWlIRmNtRU82MDRvTWtPWHh2N05wNnhKRC9ET1hIVURqY2tyWG5HdUFPMkphNWtBL0kzRy9Zc09DQklzNWRJd2w2Qm5kQ3NjbjJzU2xvREdXS0dGci9KWUdDUDFpVENFVjFGRVBUZkhaWkFTYWpWY3VmU0RxMFRLa0hTYWczVTJkWm9jVys0TEhtbDZtM20vdWlDRDB5NFpkOGZ4RTdTZG9BQ0hyS3ZhZVBtcWNpWkdSdGQzbDBEZXZVNWl3WmxhckZrby9GY1J4QXhJc2hxZlIxbnBCSGI0L1JaTU0zWEdDeTM3L1ZkNHpoR0dnYU5wUEo4Wit2b0xTRG5qZDA1TlZWZ1BoUWYvdXppMUoyZVQyb1lNalRyVVhyYjUzazQ2TjRXQlNjS243OE5ockZJTFB5a201Z20zSmRodHpQQmhDZFY1eDc0L1JGQU5oQmNTWm5RM3ptaXJzRHE3R0pLaUUwYkhpVG8vdzVNVVRwUXZsVjRIeU5hRngxTVRzVVNhR0VhVG9aTDM3QmJzVmwrMFVod21vZzd2TTZMYjhjOE1YYmZ5U1p6MnArWTNjOUJvaVV6NEE2OXIzNU5rMWEwenkwTDJaM0FpRlZpQTZKRy9XK2Yrb29mbDJIQUdwVndHMDNMMkJHY2g4eFY0Vmt5emFuMTd5T0J2MTRHcFVaQjZQVUFxb0txWStPSXZtVWlkY2pNazRFRGVkK3NUelpZR2czR01rRUJKWTNncFMyUXBMb0wrOXo2NmNIMnYzbUM2aWFkL0xDMitFVUxRRVlraTdJd1ZCbEFIUi9XNGNDa0wvOWVzVjF3QUNhNWUzQzhKSWs0OGF0Z21MU3lVZjM4MUFMa05XM0xqdnRtNTNHZmZ1ZG84UXc0NjBKUjJiR0pQL2gzMWF2aHh6U2ExRzRCaXdWVllNdld6TkFoZ0NDWkJiazhsYW95S0tKMXJlaHMxejNUSkc1OHJURThvWVczYlAyVm9iR3liOEpBMU5xaXdFckhwQnB2ZmlqZ3BnZkxscGxyVnZhakdGM0NYem55TmVvcUo1MzZzZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * xZH2It0rP2DQdqhMeH6P2SACAIkAl
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\6Rfgx_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .EdCDcaDBa You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1DcWJFLzh4aTRVRGViVGtXbTQ0MFM4VjFEY2phbFFTbkdoSjgwU1h0ZFVFVkJzTmFtM25PWEt5dnk2aFdUbFk2RkNGbHplSlpkcjNYTFkwc0JEOTdidGdMQUN1YlVNWllLK1VqdWJaZXV3Mkx3QzRNWmk0ODNLcmdXOWd5RUlRRitPT0p1cFhUNWN3TnhSNzVlU0U2VFRFQWdsZVFqWDQ4OW9zRlUwRkhqVTNWdkY4eXZqanVzV1lYOURzTzB5aEFvUHkxK2NzckNvVXFjQjFEdDdpZzkrVm9INjl2eVZiMlgzdFJrMlBMN1NPaWt4eEc2dUNrV2s5dXBYZUNRNXYxUGhlazZlWnFhVkFMKzVXeENRRUFNYS93Mkc2NmZlMlAzZ0ZsYXMwcUw3WVAxV0RBdGFSL2V6UE1EbDhUUmhFMDBtR2lVZmFqZmtXbXQ1SDNWRnYvZWFzOCt5SGVJaGtxZG1uY05VMFI1bHV2L21BZExYU2R0eXlPMVdUR051bC9qd2JkeWFNSVFxcTdVM3VIcE5DKzBaNThsVkZub3lmSnR6TnFpRTNEdkNWcFNDajlNU3UzblNyS1VaQTh4bDFUWGJCQnp2WFFmY1BtalpGb01ZZkIrNitncWMvSUFOQ0orY0hDSDJyY0RzMGJKYkE1cTl6QTRWMkMxRm5URVpCTzU4T2haYUlIekNDMlR6K3VSVkJuZWdrWlBxTTJqdVgyRDFtcG5hbk5PYnZwbnB2dzF4SG4vNEhVdElGdUJXZGIwRVVmelZVTzl0VFl3TnBwUHhXNjVlRFovUTA2WUJpdWZRN05MMXFnbVppRUJxV050eXRSdVhJT0RSL0FaWUxjcE1jTWxWY2hienFadnNWbjF2Qkl4Zk1rY0J3bDl4cmV4bnFJdFNmamxLNzUzbDFNN1V4TXhSMTdWRmo0R1VEWVNLZmtLZzQrSUhYanVzQUFnQ0NlV1l3WFpESEZlWkdxdXUyQmEvcm9ncWNaUUZYWHg5R3VnQ0dac0p6TEZMY2d3Njc3SjVodVhWVlV1R3c1Tm13RUkrYkRoemR3dW9XaUVPNGZPckpoZ3J1Z2lza25pZ0xkbm1Cbzl5dkZtQWlIRmNtRU82MDRvTWtPWHh2N05wNnhKRC9ET1hIVURqY2tyWG5HdUFPMkphNWtBL0kzRy9Zc09DQklzNWRJd2w2Qm5kQ3NjbjJzU2xvREdXS0dGci9KWUdDUDFpVENFVjFGRVBUZkhaWkFTYWpWY3VmU0RxMFRLa0hTYWczVTJkWm9jVys0TEhtbDZtM20vdWlDRDB5NFpkOGZ4RTdTZG9BQ0hyS3ZhZVBtcWNpWkdSdGQzbDBEZXZVNWl3WmxhckZrby9GY1J4QXhJc2hxZlIxbnBCSGI0L1JaTU0zWEdDeTM3L1ZkNHpoR0dnYU5wUEo4Wit2b0xTRG5qZDA1TlZWZ1BoUWYvdXppMUoyZVQyb1lNalRyVVhyYjUzazQ2TjRXQlNjS243OE5ockZJTFB5a201Z20zSmRodHpQQmhDZFY1eDc0L1JGQU5oQmNTWm5RM3ptaXJzRHE3R0pLaUUwYkhpVG8vdzVNVVRwUXZsVjRIeU5hRngxTVRzVVNhR0VhVG9aTDM3QmJzVmwrMFVod21vZzd2TTZMYjhjOE1YYmZ5U1p6MnArWTNjOUJvaVV6NEE2OXIzNU5rMWEwenkwTDJaM0FpRlZpQTZKRy9XK2Yrb29mbDJIQUdwVndHMDNMMkJHY2g4eFY0Vmt5emFuMTd5T0J2MTRHcFVaQjZQVUFxb0txWStPSXZtVWlkY2pNazRFRGVkK3NUelpZR2czR01rRUJKWTNncFMyUXBMb0wrOXo2NmNIMnYzbUM2aWFkL0xDMitFVUxRRVlraTdJd1ZCbEFIUi9XNGNDa0wvOWVzVjF3QUNhNWUzQzhKSWs0OGF0Z21MU3lVZjM4MUFMa05XM0xqdnRtNTNHZmZ1ZG84UXc0NjBKUjJiR0pQL2gzMWF2aHh6U2ExRzRCaXdWVllNdld6TkFoZ0NDWkJiazhsYW95S0tKMXJlaHMxejNUSkc1OHJURThvWVczYlAyVm9iR3liOEpBMU5xaXdFckhwQnB2ZmlqZ3BnZkxscGxyVnZhakdGM0NYem55TmVvcUo1MzZzZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * J
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Targets

    • Target

      ab.bin

    • Size

      775KB

    • MD5

      0b486fe0503524cfe4726a4022fa6a68

    • SHA1

      297dea71d489768ce45d23b0f8a45424b469ab00

    • SHA256

      1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2

    • SHA512

      f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619

    • SSDEEP

      24576:TCs99+OXLpMePfI8TgmBTCDqEbOpPtpFhyxfq:5GOXLpMePfzVTCD7gPtLhSfq

    Score
    10/10
    avaddonevasionransomwaretrojan

    • Avaddon

      Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

      ransomwareavaddon

    • Avaddon payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      evasiontrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Renames multiple (203) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Executes dropped EXE

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks