General
-
Target
14db90c83f43d96505e48dc86efa5c57be8474fc993f00fb7d14d5ba4e21c341.zip
-
Size
338KB
-
Sample
240402-qv5vpabh44
-
MD5
3c3f596fac386be70f7865aa69f0ac8c
-
SHA1
79aed8ad3321df1eb5f129ea2763d87090e4fd99
-
SHA256
0e24e53172ce33a41b18241c180ec91f13e475d3301aeba2587f7efb30d434eb
-
SHA512
ca8352f394076e3194fe73e0ccd098656db35c6c8a414da60ef24a89c5326089ea3ebdf2bd0013d021a897882d143de0b6115c24b66a27f5d6cd6f7f29e507a1
-
SSDEEP
6144:oVi3hIGw9qxZn2XWYwAiDejrdulTCYd6tiKecP+Qzh2FAmdzg:oVi3iGwUR2XU5+0xC86oNc5mHdzg
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Desktop\AI0gkKN_readme_.txt
Family
avaddon
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .CAdBcCbdd
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
MjU5NC1xK0d6MGkwaE84WmgyRzZCN29NYzFXdU04VjVtM0ZHc2k2R2VyZjhVQnppeWFqQkRzOVhyTytnR2hBbGhvWi85ay9wWlJydk1rU2lSNUJuY2FRdTlxeDNRTmpoVGlUQmJoM0ZwQ211MWltZFFCcnJmS0FZbnJiN3UwUzYwQ3hrNG5xYzd3RjRPdFNZZTVIZ1RLZzZFNnVBc1JPdWlsU0liVHdHSmNYZ3hPWmllOXJXMG5PL3RnelNPMWxuYlFYcUorcFIvQVp2SjNWTkJyT21JTzc3R1V4d1Y2L2YvQVEvK1NNKzRza0FLNURHMEFSK2lmb2wxaEZGOHNaNWs2WkNkTVlZYm5USVljOVZHazdOK0R4UUp3Y21YWnV1WlIySzlZUUJyaW5ZNTN0bEdtcGJnNDkxd3lGdDFaU1lhUjUrYlkvWkEwWEh3WXcyY3BTdTVrcjBjU3VERDg3U1QvTmJqOUV2WEt2azFwZXdzOHNhU2NrVkZMQlZHZzA2WllpcUJBSW5UcS96RW92bkc0c3pyd3htQS9kaEo3OEZaN0tGT0lpZnovdFNMSzBzbjUvZ1hPTjhnL0dxZllVNE51SVpkT3k5RmswNnlkUVB4K2hUZmtnZ0lFK1dsYStWVW9vdWdJK2U4SHlWTFZHMVp3ZzJ5QkMraE4reVVJWk5LMzREb3NnYTMyellHNXFOVXRONnJwZy9tYTVCOW96bjlySXNyK2NYR2NtUXpBbjRQb0h1NWlCZUhnS0R0Y3pkaFdwL25qSW83cHFsaTNXV2RGd1FBdlAyMmtXSG5CMjl1OEtYZjQzbjVRcHBJQ0FFZnJYWC93V1FRZTJrVXhXU0xCTTNwY3J1bGx3OE4yVVJLa1hzaDFIWE5DZVZGK1BkWTF2ai83MHJrcERPOTNQdm1RUHZrdkdQQ3Z5RzJxeVN2Tm52WnJVdWVHTnpaNG1GUE5kalcwL0t2S3h6MHZ3aFM3WGlEbDkyMHMzNDNDM2VPNGpacUFVcE4vTmlDWlhDcTFZQkMxeGxyZE9YK1JlVnUvSnovbkJZYWU0VDVlbDFqNm1HK3ZlQ0Z0MVFBUW0xMDdCL0I3bXNGM0hSL2ZsckpBbDFlZjlxZUhaNk00VlFJVWNkOTJMcmh2OW53L2VSQnc4VUl2YTBmSHB0S2F2UjhwSk9GVGhrOUhoYUsrYUJjSktXZFdzQWt2N0FGWkVzWFpyTG90ZXlxYUROV2R6enk0VVNmM204Z0RBWmd3am4rMjNzclorSjl0ZTMvSTdxSTZ3Y2t1WDVuc1drNm1TN0FsT2pxUm0ycm1JSzhPV01zK3lUUUg0MW5SSzdWaTlZQW11aVJMa1lXaVU0Z1dIZHlCdm9XNHNPZmVXMUJleDFqZ3BNT3dkeTRWVVhTT2k5a1FaR1VTRlhmSDMxR1AyU3pqQVo3Mm5KVVljL2tmcnBka05QazNWTENaRW5uajNCUG9RRFdUTTBYd205OHNXb1hwaHkwbEVMM2RnSkVDeEN3dXMyVWY0T1U1YWh6cmpGNE0rNG9kMGhpc1VscTBkd0VTSmhvMWxjZE5CZnhQZGdtcXNaajg4eFpTcHZTc0F5K2ZoU25pWHVYYlI1NnYvQ0xMOS9TZitYaFk3S2Q3YWozLzhQQ3RKbEx3THdtZkZRQWk3N1h6MTBVemczdkMzZzd3RDVBTlg5QUJHVEhoa01NeTh5QmFVVFNDV3NXQXBBRTJ1WUM2cmF2OUNjUGZRZHBJZkszV2FDS0tQdVJadmduNk51MXlYdXB5bnJNbXgwUFhiRng1Y1F6Wlo5MGlqOVBGallWY2xmbTFHdWl3SS9VbURLZm9GNE1CMFozV1JRVXhxenNtUjhZajQrSnBKRDd0bFVFVis3bW84TmtkdXFFZ05qOUQvb3NPNC9Xb3Y1ZjlLSFFZT0h4UjhPVzlKY2RMeG9Kc3ptYmhUNjRLZkVydUcreXVoU3BONHpXTlp2c0c1T29sZWI2bW5rOVpVbGFweTh5YjlmVGY3eDZ4UTQ2Uk9GM3dxQzh1ZVU4eEp5Qy96SUlUZlFrM0hKaDB3Vk50UjF1OEtiOEYzaVBpSFJoaThEZ2xSdU5WcHoyc1kxWjdWL3pyai9sMjdHbldXV1Z1K0VFRGsrSlgzelh6Q2ZJRGhDSXpBTWQxdz09
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
XQc
URLs
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
Path
C:\Users\Admin\Documents\AI0gkKN_readme_.txt
Family
avaddon
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .CAdBcCbdd
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
MjU5NC1xK0d6MGkwaE84WmgyRzZCN29NYzFXdU04VjVtM0ZHc2k2R2VyZjhVQnppeWFqQkRzOVhyTytnR2hBbGhvWi85ay9wWlJydk1rU2lSNUJuY2FRdTlxeDNRTmpoVGlUQmJoM0ZwQ211MWltZFFCcnJmS0FZbnJiN3UwUzYwQ3hrNG5xYzd3RjRPdFNZZTVIZ1RLZzZFNnVBc1JPdWlsU0liVHdHSmNYZ3hPWmllOXJXMG5PL3RnelNPMWxuYlFYcUorcFIvQVp2SjNWTkJyT21JTzc3R1V4d1Y2L2YvQVEvK1NNKzRza0FLNURHMEFSK2lmb2wxaEZGOHNaNWs2WkNkTVlZYm5USVljOVZHazdOK0R4UUp3Y21YWnV1WlIySzlZUUJyaW5ZNTN0bEdtcGJnNDkxd3lGdDFaU1lhUjUrYlkvWkEwWEh3WXcyY3BTdTVrcjBjU3VERDg3U1QvTmJqOUV2WEt2azFwZXdzOHNhU2NrVkZMQlZHZzA2WllpcUJBSW5UcS96RW92bkc0c3pyd3htQS9kaEo3OEZaN0tGT0lpZnovdFNMSzBzbjUvZ1hPTjhnL0dxZllVNE51SVpkT3k5RmswNnlkUVB4K2hUZmtnZ0lFK1dsYStWVW9vdWdJK2U4SHlWTFZHMVp3ZzJ5QkMraE4reVVJWk5LMzREb3NnYTMyellHNXFOVXRONnJwZy9tYTVCOW96bjlySXNyK2NYR2NtUXpBbjRQb0h1NWlCZUhnS0R0Y3pkaFdwL25qSW83cHFsaTNXV2RGd1FBdlAyMmtXSG5CMjl1OEtYZjQzbjVRcHBJQ0FFZnJYWC93V1FRZTJrVXhXU0xCTTNwY3J1bGx3OE4yVVJLa1hzaDFIWE5DZVZGK1BkWTF2ai83MHJrcERPOTNQdm1RUHZrdkdQQ3Z5RzJxeVN2Tm52WnJVdWVHTnpaNG1GUE5kalcwL0t2S3h6MHZ3aFM3WGlEbDkyMHMzNDNDM2VPNGpacUFVcE4vTmlDWlhDcTFZQkMxeGxyZE9YK1JlVnUvSnovbkJZYWU0VDVlbDFqNm1HK3ZlQ0Z0MVFBUW0xMDdCL0I3bXNGM0hSL2ZsckpBbDFlZjlxZUhaNk00VlFJVWNkOTJMcmh2OW53L2VSQnc4VUl2YTBmSHB0S2F2UjhwSk9GVGhrOUhoYUsrYUJjSktXZFdzQWt2N0FGWkVzWFpyTG90ZXlxYUROV2R6enk0VVNmM204Z0RBWmd3am4rMjNzclorSjl0ZTMvSTdxSTZ3Y2t1WDVuc1drNm1TN0FsT2pxUm0ycm1JSzhPV01zK3lUUUg0MW5SSzdWaTlZQW11aVJMa1lXaVU0Z1dIZHlCdm9XNHNPZmVXMUJleDFqZ3BNT3dkeTRWVVhTT2k5a1FaR1VTRlhmSDMxR1AyU3pqQVo3Mm5KVVljL2tmcnBka05QazNWTENaRW5uajNCUG9RRFdUTTBYd205OHNXb1hwaHkwbEVMM2RnSkVDeEN3dXMyVWY0T1U1YWh6cmpGNE0rNG9kMGhpc1VscTBkd0VTSmhvMWxjZE5CZnhQZGdtcXNaajg4eFpTcHZTc0F5K2ZoU25pWHVYYlI1NnYvQ0xMOS9TZitYaFk3S2Q3YWozLzhQQ3RKbEx3THdtZkZRQWk3N1h6MTBVemczdkMzZzd3RDVBTlg5QUJHVEhoa01NeTh5QmFVVFNDV3NXQXBBRTJ1WUM2cmF2OUNjUGZRZHBJZkszV2FDS0tQdVJadmduNk51MXlYdXB5bnJNbXgwUFhiRng1Y1F6Wlo5MGlqOVBGallWY2xmbTFHdWl3SS9VbURLZm9GNE1CMFozV1JRVXhxenNtUjhZajQrSnBKRDd0bFVFVis3bW84TmtkdXFFZ05qOUQvb3NPNC9Xb3Y1ZjlLSFFZT0h4UjhPVzlKY2RMeG9Kc3ptYmhUNjRLZkVydUcreXVoU3BONHpXTlp2c0c1T29sZWI2bW5rOVpVbGFweTh5YjlmVGY3eDZ4UTQ2Uk9GM3dxQzh1ZVU4eEp5Qy96SUlUZlFrM0hKaDB3Vk50UjF1OEtiOEYzaVBpSFJoaThEZ2xSdU5WcHoyc1kxWjdWL3pyai9sMjdHbldXV1Z1K0VFRGsrSlgzelh6Q2ZJRGhDSXpBTWQxdz09
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
N3DtQj
URLs
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
Path
C:\Users\Admin\Pictures\AI0gkKN_readme_.txt
Family
avaddon
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .CAdBcCbdd
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
MjU5NC1xK0d6MGkwaE84WmgyRzZCN29NYzFXdU04VjVtM0ZHc2k2R2VyZjhVQnppeWFqQkRzOVhyTytnR2hBbGhvWi85ay9wWlJydk1rU2lSNUJuY2FRdTlxeDNRTmpoVGlUQmJoM0ZwQ211MWltZFFCcnJmS0FZbnJiN3UwUzYwQ3hrNG5xYzd3RjRPdFNZZTVIZ1RLZzZFNnVBc1JPdWlsU0liVHdHSmNYZ3hPWmllOXJXMG5PL3RnelNPMWxuYlFYcUorcFIvQVp2SjNWTkJyT21JTzc3R1V4d1Y2L2YvQVEvK1NNKzRza0FLNURHMEFSK2lmb2wxaEZGOHNaNWs2WkNkTVlZYm5USVljOVZHazdOK0R4UUp3Y21YWnV1WlIySzlZUUJyaW5ZNTN0bEdtcGJnNDkxd3lGdDFaU1lhUjUrYlkvWkEwWEh3WXcyY3BTdTVrcjBjU3VERDg3U1QvTmJqOUV2WEt2azFwZXdzOHNhU2NrVkZMQlZHZzA2WllpcUJBSW5UcS96RW92bkc0c3pyd3htQS9kaEo3OEZaN0tGT0lpZnovdFNMSzBzbjUvZ1hPTjhnL0dxZllVNE51SVpkT3k5RmswNnlkUVB4K2hUZmtnZ0lFK1dsYStWVW9vdWdJK2U4SHlWTFZHMVp3ZzJ5QkMraE4reVVJWk5LMzREb3NnYTMyellHNXFOVXRONnJwZy9tYTVCOW96bjlySXNyK2NYR2NtUXpBbjRQb0h1NWlCZUhnS0R0Y3pkaFdwL25qSW83cHFsaTNXV2RGd1FBdlAyMmtXSG5CMjl1OEtYZjQzbjVRcHBJQ0FFZnJYWC93V1FRZTJrVXhXU0xCTTNwY3J1bGx3OE4yVVJLa1hzaDFIWE5DZVZGK1BkWTF2ai83MHJrcERPOTNQdm1RUHZrdkdQQ3Z5RzJxeVN2Tm52WnJVdWVHTnpaNG1GUE5kalcwL0t2S3h6MHZ3aFM3WGlEbDkyMHMzNDNDM2VPNGpacUFVcE4vTmlDWlhDcTFZQkMxeGxyZE9YK1JlVnUvSnovbkJZYWU0VDVlbDFqNm1HK3ZlQ0Z0MVFBUW0xMDdCL0I3bXNGM0hSL2ZsckpBbDFlZjlxZUhaNk00VlFJVWNkOTJMcmh2OW53L2VSQnc4VUl2YTBmSHB0S2F2UjhwSk9GVGhrOUhoYUsrYUJjSktXZFdzQWt2N0FGWkVzWFpyTG90ZXlxYUROV2R6enk0VVNmM204Z0RBWmd3am4rMjNzclorSjl0ZTMvSTdxSTZ3Y2t1WDVuc1drNm1TN0FsT2pxUm0ycm1JSzhPV01zK3lUUUg0MW5SSzdWaTlZQW11aVJMa1lXaVU0Z1dIZHlCdm9XNHNPZmVXMUJleDFqZ3BNT3dkeTRWVVhTT2k5a1FaR1VTRlhmSDMxR1AyU3pqQVo3Mm5KVVljL2tmcnBka05QazNWTENaRW5uajNCUG9RRFdUTTBYd205OHNXb1hwaHkwbEVMM2RnSkVDeEN3dXMyVWY0T1U1YWh6cmpGNE0rNG9kMGhpc1VscTBkd0VTSmhvMWxjZE5CZnhQZGdtcXNaajg4eFpTcHZTc0F5K2ZoU25pWHVYYlI1NnYvQ0xMOS9TZitYaFk3S2Q3YWozLzhQQ3RKbEx3THdtZkZRQWk3N1h6MTBVemczdkMzZzd3RDVBTlg5QUJHVEhoa01NeTh5QmFVVFNDV3NXQXBBRTJ1WUM2cmF2OUNjUGZRZHBJZkszV2FDS0tQdVJadmduNk51MXlYdXB5bnJNbXgwUFhiRng1Y1F6Wlo5MGlqOVBGallWY2xmbTFHdWl3SS9VbURLZm9GNE1CMFozV1JRVXhxenNtUjhZajQrSnBKRDd0bFVFVis3bW84TmtkdXFFZ05qOUQvb3NPNC9Xb3Y1ZjlLSFFZT0h4UjhPVzlKY2RMeG9Kc3ptYmhUNjRLZkVydUcreXVoU3BONHpXTlp2c0c1T29sZWI2bW5rOVpVbGFweTh5YjlmVGY3eDZ4UTQ2Uk9GM3dxQzh1ZVU4eEp5Qy96SUlUZlFrM0hKaDB3Vk50UjF1OEtiOEYzaVBpSFJoaThEZ2xSdU5WcHoyc1kxWjdWL3pyai9sMjdHbldXV1Z1K0VFRGsrSlgzelh6Q2ZJRGhDSXpBTWQxdz09
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
jBKFkvjdJ
URLs
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
Path
C:\Users\Admin\Documents\N3DtQ_readme_.txt
Family
avaddon
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .CAaBcdcAEc
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
MjU5NC04ZDFMNzRBRmFVdFFPd3hycUFpUVFuRXVHMUNWbEl5bFMzQnppemtUSm9qaVFOR240QU9EM2ZLSDRWeVhVYlJVZVQ4SE1yUXNBdTZOMGd3SE5MR1Jjc1ZDMUUzTEFwRUZ5aVMvZ245ZTFva0FTYTlMbzZxUDdyTzhoQ2NlRUtySitVWXBwRFZZNWZWMDZyM1NaSzRhRWozeWtHM2xLTkVGaFQzUGw2TTBteUJFWFl6Y1dKai9tZzR5SXpQUGo5WFJudWFaZUo2RDdablo4VHpUSE5RU1NnbXlpOTRQUGJXa1lBWWhSQWxpQWd0eG1sTVlhMDRFQlhLOWdYM09xUHZIWGY4MU56bDA3RVJkemFqOWY5RDkwR2pydWhqQ1NFMzg1RmNrL05OR2huajQ4bkF2SFRWdjBFNDNwUEVtMzlSQkloZTVZL25laVBJV1phRkxBUFQ1dGttYW9NbUdNUFdnb3dEMW11TXhUK2VjS25NRWt5UFBCdHdjNk81UUVZRlNiNGVUYm5hOFlFeUdXUmkxYUYzR3Qva25zek4vR29kVHRuOFVzUEVsMyttNEw0eDRSTDUybExac3U4U21zNUc4VldKNVdmdFRVREh1QllhK0dFL0NqSmc5NkU1dlI0ZDBrYzlESGkxTEZqS0lUazVFSnZ5UFNmYnF6dG5FNHUzL2lJV3ZHT1REd1JkR20rZ0lrNFRGczFBSEQydmp1MGpJbFNQVlRnRHpIUWQ1d05TcGlJRlJaQXNHK3FMTjVJaHB1ZFkySGRnbHA3c2dWa04vM0tUY2tsQlJJcUVralFtcTlGV0NrYkR6Yk5VZ0FKZUVYYnNmOTNqQStkbjVia2xtVUhTWkdoemFER0xaaEJ2NWF4TUdqTzdzUU1yRGQ3c0lmOEFaV2JkaU9CamlnNldPbi90emtFbHRFZXVleG9DNUtrdjh5TkdKOEdUWEpnVmpUbUxQdmNwRGprbjRaNUYxZ3pkdUI3bFo2a1NFQmt0b0UySVFBTEZjM0YzdU1UeXRFN29DdGNVc1BVcWZsOUhhaUhBYUhKTVVxNmJDc1hKS1JiTVBaUXNYSXhIWFN2cmdyZHBtTUNaQWNyc09UVFM2bno0YVluVlFNdlc3Tkh1MUxhVGxVVW9wcUVUZFpka1YwWUoreDhVU05FcnkybHp6bFBHRXhQRzQ2LzR6K0R4TjRpeWNOQlMzMHF4VnpGemM5UUhyUHBESHUyU2hHMHg4cGZOL3NkTkRTelJYYk11djE0RVRYcS9icXM5QWxNZFo4TEpWek1hUXU0RjlSMkgzc1l5NjZuekp5aTJubW45aHB4VFlVWHJOY1hUV0hZRXY3UFpiOWR1Y3pCeWNUSjZ6STlXUkxVYWZWQkNEWTFRSUgxcExRN0ZxTWlaOHYrQ1UzL1o0QmNZeFJmOEFZdHg5MEgzTFRCaW8vM2Z2Q0ZxTGR3a0NQWHBqZjlJQnh0WU5TTksvdXJlYTBSdG9mTk9jT3pYTjN3cjllUEN0ZjNhNkw4ZmtmQVdSZGZVekZIUXkzWmtGcXFsS3ZvTjdNcVVNV01adlJGZzFFMlFnREN4aXdBZWczMHZDT3YvcVY0Q2hQeXNHby8yRmJKY2E5R25JZUJCaFE5blZZeW4vNS92bWZNNUllc1dsWHNsTFd1TmhiT0dHc05tTzdNRXFUVlp4bklyWGlIbEVvSHdzZ2VEbmcxRXdETzY3NGF5YVNlYTFsS1V3NFNLOVpQaUZ2YStHT2NNTGRqZW5TRDNGRFE5OGNEZ2JFZlMzK3pHQ0ZjQkpQNVBJekR0QjVlaThjWEJuaFpIejlNNlRwL0NQcEpJa2Y0RHFYZzBlemZZSUQ2YStMNkNhQjZYS0ExSWdwRWtubGloVTNMVXRBSFdOWHNSL01RQUlZNXFIZjhXRU1tL0VQdnRUN1hyWGZpSmVoWDhXRlBKd3NGYmkrUW9Ka1UxUmRYamRHT1JFWUgvT09PMmVQS3dqLzA2SFhHY2M3YnhuK0tpaEY5QkFZMzdGcExVWnpEK1YxR0MyUHVwVGNSOUJvaWI2d3VUVGx3ZDhGOUpSeVI5TXVKRllnZ3RtS2Zob056bGZtYksyeXVRb2JZbk05TDJxNFhtN0Zkb1haWmx6QVhUWS9maXh0aEE3cC9hM0pFMDZzdz09
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
jBKFkvjdJ
URLs
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
Path
C:\Users\Admin\Desktop\N3DtQ_readme_.txt
Family
avaddon
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .CAaBcdcAEc
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
MjU5NC04ZDFMNzRBRmFVdFFPd3hycUFpUVFuRXVHMUNWbEl5bFMzQnppemtUSm9qaVFOR240QU9EM2ZLSDRWeVhVYlJVZVQ4SE1yUXNBdTZOMGd3SE5MR1Jjc1ZDMUUzTEFwRUZ5aVMvZ245ZTFva0FTYTlMbzZxUDdyTzhoQ2NlRUtySitVWXBwRFZZNWZWMDZyM1NaSzRhRWozeWtHM2xLTkVGaFQzUGw2TTBteUJFWFl6Y1dKai9tZzR5SXpQUGo5WFJudWFaZUo2RDdablo4VHpUSE5RU1NnbXlpOTRQUGJXa1lBWWhSQWxpQWd0eG1sTVlhMDRFQlhLOWdYM09xUHZIWGY4MU56bDA3RVJkemFqOWY5RDkwR2pydWhqQ1NFMzg1RmNrL05OR2huajQ4bkF2SFRWdjBFNDNwUEVtMzlSQkloZTVZL25laVBJV1phRkxBUFQ1dGttYW9NbUdNUFdnb3dEMW11TXhUK2VjS25NRWt5UFBCdHdjNk81UUVZRlNiNGVUYm5hOFlFeUdXUmkxYUYzR3Qva25zek4vR29kVHRuOFVzUEVsMyttNEw0eDRSTDUybExac3U4U21zNUc4VldKNVdmdFRVREh1QllhK0dFL0NqSmc5NkU1dlI0ZDBrYzlESGkxTEZqS0lUazVFSnZ5UFNmYnF6dG5FNHUzL2lJV3ZHT1REd1JkR20rZ0lrNFRGczFBSEQydmp1MGpJbFNQVlRnRHpIUWQ1d05TcGlJRlJaQXNHK3FMTjVJaHB1ZFkySGRnbHA3c2dWa04vM0tUY2tsQlJJcUVralFtcTlGV0NrYkR6Yk5VZ0FKZUVYYnNmOTNqQStkbjVia2xtVUhTWkdoemFER0xaaEJ2NWF4TUdqTzdzUU1yRGQ3c0lmOEFaV2JkaU9CamlnNldPbi90emtFbHRFZXVleG9DNUtrdjh5TkdKOEdUWEpnVmpUbUxQdmNwRGprbjRaNUYxZ3pkdUI3bFo2a1NFQmt0b0UySVFBTEZjM0YzdU1UeXRFN29DdGNVc1BVcWZsOUhhaUhBYUhKTVVxNmJDc1hKS1JiTVBaUXNYSXhIWFN2cmdyZHBtTUNaQWNyc09UVFM2bno0YVluVlFNdlc3Tkh1MUxhVGxVVW9wcUVUZFpka1YwWUoreDhVU05FcnkybHp6bFBHRXhQRzQ2LzR6K0R4TjRpeWNOQlMzMHF4VnpGemM5UUhyUHBESHUyU2hHMHg4cGZOL3NkTkRTelJYYk11djE0RVRYcS9icXM5QWxNZFo4TEpWek1hUXU0RjlSMkgzc1l5NjZuekp5aTJubW45aHB4VFlVWHJOY1hUV0hZRXY3UFpiOWR1Y3pCeWNUSjZ6STlXUkxVYWZWQkNEWTFRSUgxcExRN0ZxTWlaOHYrQ1UzL1o0QmNZeFJmOEFZdHg5MEgzTFRCaW8vM2Z2Q0ZxTGR3a0NQWHBqZjlJQnh0WU5TTksvdXJlYTBSdG9mTk9jT3pYTjN3cjllUEN0ZjNhNkw4ZmtmQVdSZGZVekZIUXkzWmtGcXFsS3ZvTjdNcVVNV01adlJGZzFFMlFnREN4aXdBZWczMHZDT3YvcVY0Q2hQeXNHby8yRmJKY2E5R25JZUJCaFE5blZZeW4vNS92bWZNNUllc1dsWHNsTFd1TmhiT0dHc05tTzdNRXFUVlp4bklyWGlIbEVvSHdzZ2VEbmcxRXdETzY3NGF5YVNlYTFsS1V3NFNLOVpQaUZ2YStHT2NNTGRqZW5TRDNGRFE5OGNEZ2JFZlMzK3pHQ0ZjQkpQNVBJekR0QjVlaThjWEJuaFpIejlNNlRwL0NQcEpJa2Y0RHFYZzBlemZZSUQ2YStMNkNhQjZYS0ExSWdwRWtubGloVTNMVXRBSFdOWHNSL01RQUlZNXFIZjhXRU1tL0VQdnRUN1hyWGZpSmVoWDhXRlBKd3NGYmkrUW9Ka1UxUmRYamRHT1JFWUgvT09PMmVQS3dqLzA2SFhHY2M3YnhuK0tpaEY5QkFZMzdGcExVWnpEK1YxR0MyUHVwVGNSOUJvaWI2d3VUVGx3ZDhGOUpSeVI5TXVKRllnZ3RtS2Zob056bGZtYksyeXVRb2JZbk05TDJxNFhtN0Zkb1haWmx6QVhUWS9maXh0aEE3cC9hM0pFMDZzdz09
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
6nwc58VR9MlTv
URLs
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Targets
-
-
Target
2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a
-
Size
775KB
-
MD5
7fc5a1aafb84705745dba65e2a178217
-
SHA1
0825e3b2115c9053563a307402e32d28056223a7
-
SHA256
2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a
-
SHA512
b0a1ec5e8c28b4343457edf317e20fdd0489e983c01ab9205c10a409ab8a9aae1cf5645e625b2edebf7c7eb551b801a196b7e37616143dce4cb9d00b179be9d2
-
SSDEEP
24576:TCsB9+OXLpMePfI8TgmBTCDqEbOpPtpFhPxfq:56OXLpMePfzVTCD7gPtLh5fq
Score10/10-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (187) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE
-
Checks whether UAC is enabled
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
2File Deletion
2Modify Registry
2