General
-
Target
52091b36ce032ecf6cb6ada2b9d155f11eba11049b01148904a568466a02c413
-
Size
329KB
-
Sample
240417-qchbnsgf36
-
MD5
5898cf2cdfab9c1dcf40bea4d35a9e54
-
SHA1
c506e0675057c93edfde23cefa489e70a9ce9711
-
SHA256
52091b36ce032ecf6cb6ada2b9d155f11eba11049b01148904a568466a02c413
-
SHA512
87c273109a14ac3219a2d3bc8479ac6cd7389269df1be5578e4cb7ad9054f208a8ddc12d974f3f2d99c1a0f0ae17f3f24042b7ccbf1f9a11f33007808de29d1b
-
SSDEEP
6144:csyxfEDLQMEiYzJa78JKcHlmtmz1coYF2nzaM9VwijM+XMzUUz9lLDUaKpI:Cin3ExJvHlmtmz9YCaM9VjjPkUUzM7pI
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Desktop\FsAHe_readme_.txt
Family
avaddon
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .bceacDdcAA
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
MjcwMS0rSWlleUtLaGVNdng3NUVqOTNlaFVNY3B2NjFXbS9XbWc2OEZaVERhVEhteHVWTlNFQmJIUDl6MFByYVRnVVo3dGZRUUFMZGdvcUMvdzFrNVpMcDVXOEpaZDhqOEVFQ2xZZUN5U3oxNk96b2R3dUpzSjl5Kzc4eEtzKytBTDhjYUpObzhsbjE4UkM3c0xVODZZdWJON2RxL29WaXhESnZEVmNQOXBqVWdlZ2l5RVgwV0ZjaFU1YkEvTUV6K0ZEQ0VmQUQ2dU91SHI2emtZK1huYVJpN2poSUxYRlZWc1ZKK2pvM3NLVWVoQ0MvUVlqd20yYTVZNGQyaHRjUjdRUnJDUjQyMVhNZHZibC9Lc241ZHlsR3hwaVovM3NWVU9iM05CeGt1c3JORUZCMzlBOGlPYmlTS2VFYjJhYitYTzBFcnpMaExFUlJpRDVna2ZlMzdqRzRnekhOdVowclpvcVZvRzdSMmFlbTM4MlozWXpqSkprTFprK2h3aTcvc2gvMTVqQnhHK1VBOWlYMG1XT0U4K3ZXQ3dhb2FrSXpIQm1YdkJwcGVaTW0rbEtUNjU2Nm1PcTdsejU4NkhHMXZZWkZnTWNuSlI0WHNFM25TYmhralR5MWJqUGFWOWwrRXZkenRHeTlMVUI1ZWRLSElMM21Pbk11NmcyRThKQk9xVitDZk9aUmRJOUk3eGJIRjVEaXVGNWtCOXlMQWVpWGh3ODdOLzRzcmtVdVgwRkRnUmc0cFVWSHVua1ZGQWJOVFArTGVIbWZrYmhGQ2MwZFVOU3dHYXBhaVhvd3lFOFVMWC9MaVdOcXdxb3N2S21iRVI5S0VqOFd1VENjaHJ6NmgvZDNPdzBJNndVUi9RdW40SkVBOHFJSW5TWitZak5sTWpHUUZlMk1sSnNWQ2tVNVh2OU1BMFVUcVVvdWlQeEJicTZMZ1ZBOG1RN0pmb1o2VWJnT1NrblcyYUpqdlIvMGU1U0YydC96SncyeXdodHZqaVZ1U2Z4b1piQVc4djllMzNTS1h2VmZHK3RBMnVkWXpBYm5TdWtQa2pqZHQ0cCt5SDNDdmpFTEFxanZSVTY5TmpkdHRCK3dxd28rZ1RoZ2RhbTVQcnZSVStHYzM2Q0gwcld2Y25rd3FONUFtb2VVTVNIcUNMTk0zVEFGSFVlOGppNEo2Nk5JSjczYjNHb0dGeWRicW55TDYvYVBEalVkcStJKzZvbmx4MXhZN1FxbmFPNFVRc01XU2VFWUxaMlYrWEQ3Slp1RFF2bnNCNERzOHJUTEZyR3Q0ZVl5WXlla0NJQmpmU1pBWkc5dCtLVjkzRnU1c2grL0lPV2MyQ256b3BFS2JWcEROejE5V0pSUVR5QkdzSTNyd2swOUFEMm84ZDEwZnFUa3FiUmZaVFcxRVhSZWZodGFaRUd6SkUxWWhRQVZvTGRZNDZOcmxUMmFsNm05d2gyMTFwQWlyaGVZbVZnYUppWDF1Ky9HVkQ5RmdDZ0Y0ZzBCc1VUSGxaQmE5MndCQ0RiMTlCOXdLYlM3R2lpZXVQZWg2UFNOdHhjdUpreC9Db2lTZnZGelorTXMzT2VtTmlVakdRVnVMalZOc0wyZTlocmlsSTRvZEZhZVVSd2lDY2JwZ3FnVkt1bDdHMVgrMDN1WEt1bExKVERuUnR2ck5NTnBJZklCUjhnSjR6N3p6d0NJT3owdWhNZHNIcXBqWllYL0swSEx4MzFqdHpVR285a21CYWR5bk5rd2RUUlJXQkZLQ3pJUHoxQW9jM3RvVmMxazR2M0dmc2JtU013TnhwNitldG5kZytZQ3ZGTlBFbWdYdXRFQ01jaGFZVS9OOVBpUWpaTFI5UjlsbzlxTGFOaE1Kc21DaVdZckN4ZkN3TmF0b0JVSUxNbmN1dTYvZ1I1dWhxNndqRmdoUHRpdnFjZkFBSmU1QXllQ29sNTEyQ2QxZ2RzVlkvV0lNM3lRZGZZRDdtbW4rRGN4WVRDNkRWalFoTXlIMUEwbUdKV2pCdldmd2pReUR5UmtoZjEzNUZXSGNnb25aMmlzbmhrLy84NGxZQVlETUN1bG10SW4wdmRNN2hoYnJoZnJCTitkSEJqOGwxSXBpQ2wwWTB3aTE3d28rNTkvWUxDUUpCUG1SUGNrWnV6cVpIekJVK0xZeGpIZHNkQT09
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
oEUr9Kf9Qjptv2tbMa9yF7
URLs
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
Path
C:\Users\Admin\Desktop\FsAHe_readme_.txt
Family
avaddon
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .bceacDdcAA
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
MjcwMS0rSWlleUtLaGVNdng3NUVqOTNlaFVNY3B2NjFXbS9XbWc2OEZaVERhVEhteHVWTlNFQmJIUDl6MFByYVRnVVo3dGZRUUFMZGdvcUMvdzFrNVpMcDVXOEpaZDhqOEVFQ2xZZUN5U3oxNk96b2R3dUpzSjl5Kzc4eEtzKytBTDhjYUpObzhsbjE4UkM3c0xVODZZdWJON2RxL29WaXhESnZEVmNQOXBqVWdlZ2l5RVgwV0ZjaFU1YkEvTUV6K0ZEQ0VmQUQ2dU91SHI2emtZK1huYVJpN2poSUxYRlZWc1ZKK2pvM3NLVWVoQ0MvUVlqd20yYTVZNGQyaHRjUjdRUnJDUjQyMVhNZHZibC9Lc241ZHlsR3hwaVovM3NWVU9iM05CeGt1c3JORUZCMzlBOGlPYmlTS2VFYjJhYitYTzBFcnpMaExFUlJpRDVna2ZlMzdqRzRnekhOdVowclpvcVZvRzdSMmFlbTM4MlozWXpqSkprTFprK2h3aTcvc2gvMTVqQnhHK1VBOWlYMG1XT0U4K3ZXQ3dhb2FrSXpIQm1YdkJwcGVaTW0rbEtUNjU2Nm1PcTdsejU4NkhHMXZZWkZnTWNuSlI0WHNFM25TYmhralR5MWJqUGFWOWwrRXZkenRHeTlMVUI1ZWRLSElMM21Pbk11NmcyRThKQk9xVitDZk9aUmRJOUk3eGJIRjVEaXVGNWtCOXlMQWVpWGh3ODdOLzRzcmtVdVgwRkRnUmc0cFVWSHVua1ZGQWJOVFArTGVIbWZrYmhGQ2MwZFVOU3dHYXBhaVhvd3lFOFVMWC9MaVdOcXdxb3N2S21iRVI5S0VqOFd1VENjaHJ6NmgvZDNPdzBJNndVUi9RdW40SkVBOHFJSW5TWitZak5sTWpHUUZlMk1sSnNWQ2tVNVh2OU1BMFVUcVVvdWlQeEJicTZMZ1ZBOG1RN0pmb1o2VWJnT1NrblcyYUpqdlIvMGU1U0YydC96SncyeXdodHZqaVZ1U2Z4b1piQVc4djllMzNTS1h2VmZHK3RBMnVkWXpBYm5TdWtQa2pqZHQ0cCt5SDNDdmpFTEFxanZSVTY5TmpkdHRCK3dxd28rZ1RoZ2RhbTVQcnZSVStHYzM2Q0gwcld2Y25rd3FONUFtb2VVTVNIcUNMTk0zVEFGSFVlOGppNEo2Nk5JSjczYjNHb0dGeWRicW55TDYvYVBEalVkcStJKzZvbmx4MXhZN1FxbmFPNFVRc01XU2VFWUxaMlYrWEQ3Slp1RFF2bnNCNERzOHJUTEZyR3Q0ZVl5WXlla0NJQmpmU1pBWkc5dCtLVjkzRnU1c2grL0lPV2MyQ256b3BFS2JWcEROejE5V0pSUVR5QkdzSTNyd2swOUFEMm84ZDEwZnFUa3FiUmZaVFcxRVhSZWZodGFaRUd6SkUxWWhRQVZvTGRZNDZOcmxUMmFsNm05d2gyMTFwQWlyaGVZbVZnYUppWDF1Ky9HVkQ5RmdDZ0Y0ZzBCc1VUSGxaQmE5MndCQ0RiMTlCOXdLYlM3R2lpZXVQZWg2UFNOdHhjdUpreC9Db2lTZnZGelorTXMzT2VtTmlVakdRVnVMalZOc0wyZTlocmlsSTRvZEZhZVVSd2lDY2JwZ3FnVkt1bDdHMVgrMDN1WEt1bExKVERuUnR2ck5NTnBJZklCUjhnSjR6N3p6d0NJT3owdWhNZHNIcXBqWllYL0swSEx4MzFqdHpVR285a21CYWR5bk5rd2RUUlJXQkZLQ3pJUHoxQW9jM3RvVmMxazR2M0dmc2JtU013TnhwNitldG5kZytZQ3ZGTlBFbWdYdXRFQ01jaGFZVS9OOVBpUWpaTFI5UjlsbzlxTGFOaE1Kc21DaVdZckN4ZkN3TmF0b0JVSUxNbmN1dTYvZ1I1dWhxNndqRmdoUHRpdnFjZkFBSmU1QXllQ29sNTEyQ2QxZ2RzVlkvV0lNM3lRZGZZRDdtbW4rRGN4WVRDNkRWalFoTXlIMUEwbUdKV2pCdldmd2pReUR5UmtoZjEzNUZXSGNnb25aMmlzbmhrLy84NGxZQVlETUN1bG10SW4wdmRNN2hoYnJoZnJCTitkSEJqOGwxSXBpQ2wwWTB3aTE3d28rNTkvWUxDUUpCUG1SUGNrWnV6cVpIekJVK0xZeGpIZHNkQT09
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
ScNUo7tMa77o3clZh3E
URLs
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
Path
C:\Users\Admin\Music\FsAHe_readme_.txt
Family
avaddon
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .bceacDdcAA
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
MjcwMS0rSWlleUtLaGVNdng3NUVqOTNlaFVNY3B2NjFXbS9XbWc2OEZaVERhVEhteHVWTlNFQmJIUDl6MFByYVRnVVo3dGZRUUFMZGdvcUMvdzFrNVpMcDVXOEpaZDhqOEVFQ2xZZUN5U3oxNk96b2R3dUpzSjl5Kzc4eEtzKytBTDhjYUpObzhsbjE4UkM3c0xVODZZdWJON2RxL29WaXhESnZEVmNQOXBqVWdlZ2l5RVgwV0ZjaFU1YkEvTUV6K0ZEQ0VmQUQ2dU91SHI2emtZK1huYVJpN2poSUxYRlZWc1ZKK2pvM3NLVWVoQ0MvUVlqd20yYTVZNGQyaHRjUjdRUnJDUjQyMVhNZHZibC9Lc241ZHlsR3hwaVovM3NWVU9iM05CeGt1c3JORUZCMzlBOGlPYmlTS2VFYjJhYitYTzBFcnpMaExFUlJpRDVna2ZlMzdqRzRnekhOdVowclpvcVZvRzdSMmFlbTM4MlozWXpqSkprTFprK2h3aTcvc2gvMTVqQnhHK1VBOWlYMG1XT0U4K3ZXQ3dhb2FrSXpIQm1YdkJwcGVaTW0rbEtUNjU2Nm1PcTdsejU4NkhHMXZZWkZnTWNuSlI0WHNFM25TYmhralR5MWJqUGFWOWwrRXZkenRHeTlMVUI1ZWRLSElMM21Pbk11NmcyRThKQk9xVitDZk9aUmRJOUk3eGJIRjVEaXVGNWtCOXlMQWVpWGh3ODdOLzRzcmtVdVgwRkRnUmc0cFVWSHVua1ZGQWJOVFArTGVIbWZrYmhGQ2MwZFVOU3dHYXBhaVhvd3lFOFVMWC9MaVdOcXdxb3N2S21iRVI5S0VqOFd1VENjaHJ6NmgvZDNPdzBJNndVUi9RdW40SkVBOHFJSW5TWitZak5sTWpHUUZlMk1sSnNWQ2tVNVh2OU1BMFVUcVVvdWlQeEJicTZMZ1ZBOG1RN0pmb1o2VWJnT1NrblcyYUpqdlIvMGU1U0YydC96SncyeXdodHZqaVZ1U2Z4b1piQVc4djllMzNTS1h2VmZHK3RBMnVkWXpBYm5TdWtQa2pqZHQ0cCt5SDNDdmpFTEFxanZSVTY5TmpkdHRCK3dxd28rZ1RoZ2RhbTVQcnZSVStHYzM2Q0gwcld2Y25rd3FONUFtb2VVTVNIcUNMTk0zVEFGSFVlOGppNEo2Nk5JSjczYjNHb0dGeWRicW55TDYvYVBEalVkcStJKzZvbmx4MXhZN1FxbmFPNFVRc01XU2VFWUxaMlYrWEQ3Slp1RFF2bnNCNERzOHJUTEZyR3Q0ZVl5WXlla0NJQmpmU1pBWkc5dCtLVjkzRnU1c2grL0lPV2MyQ256b3BFS2JWcEROejE5V0pSUVR5QkdzSTNyd2swOUFEMm84ZDEwZnFUa3FiUmZaVFcxRVhSZWZodGFaRUd6SkUxWWhRQVZvTGRZNDZOcmxUMmFsNm05d2gyMTFwQWlyaGVZbVZnYUppWDF1Ky9HVkQ5RmdDZ0Y0ZzBCc1VUSGxaQmE5MndCQ0RiMTlCOXdLYlM3R2lpZXVQZWg2UFNOdHhjdUpreC9Db2lTZnZGelorTXMzT2VtTmlVakdRVnVMalZOc0wyZTlocmlsSTRvZEZhZVVSd2lDY2JwZ3FnVkt1bDdHMVgrMDN1WEt1bExKVERuUnR2ck5NTnBJZklCUjhnSjR6N3p6d0NJT3owdWhNZHNIcXBqWllYL0swSEx4MzFqdHpVR285a21CYWR5bk5rd2RUUlJXQkZLQ3pJUHoxQW9jM3RvVmMxazR2M0dmc2JtU013TnhwNitldG5kZytZQ3ZGTlBFbWdYdXRFQ01jaGFZVS9OOVBpUWpaTFI5UjlsbzlxTGFOaE1Kc21DaVdZckN4ZkN3TmF0b0JVSUxNbmN1dTYvZ1I1dWhxNndqRmdoUHRpdnFjZkFBSmU1QXllQ29sNTEyQ2QxZ2RzVlkvV0lNM3lRZGZZRDdtbW4rRGN4WVRDNkRWalFoTXlIMUEwbUdKV2pCdldmd2pReUR5UmtoZjEzNUZXSGNnb25aMmlzbmhrLy84NGxZQVlETUN1bG10SW4wdmRNN2hoYnJoZnJCTitkSEJqOGwxSXBpQ2wwWTB3aTE3d28rNTkvWUxDUUpCUG1SUGNrWnV6cVpIekJVK0xZeGpIZHNkQT09
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
BN6DTWSTFLXRIyX9Y636wmFh3
URLs
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
Path
C:\Users\Public\Pictures\Sample Pictures\FsAHe_readme_.txt
Family
avaddon
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .bceacDdcAA
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
MjcwMS0rSWlleUtLaGVNdng3NUVqOTNlaFVNY3B2NjFXbS9XbWc2OEZaVERhVEhteHVWTlNFQmJIUDl6MFByYVRnVVo3dGZRUUFMZGdvcUMvdzFrNVpMcDVXOEpaZDhqOEVFQ2xZZUN5U3oxNk96b2R3dUpzSjl5Kzc4eEtzKytBTDhjYUpObzhsbjE4UkM3c0xVODZZdWJON2RxL29WaXhESnZEVmNQOXBqVWdlZ2l5RVgwV0ZjaFU1YkEvTUV6K0ZEQ0VmQUQ2dU91SHI2emtZK1huYVJpN2poSUxYRlZWc1ZKK2pvM3NLVWVoQ0MvUVlqd20yYTVZNGQyaHRjUjdRUnJDUjQyMVhNZHZibC9Lc241ZHlsR3hwaVovM3NWVU9iM05CeGt1c3JORUZCMzlBOGlPYmlTS2VFYjJhYitYTzBFcnpMaExFUlJpRDVna2ZlMzdqRzRnekhOdVowclpvcVZvRzdSMmFlbTM4MlozWXpqSkprTFprK2h3aTcvc2gvMTVqQnhHK1VBOWlYMG1XT0U4K3ZXQ3dhb2FrSXpIQm1YdkJwcGVaTW0rbEtUNjU2Nm1PcTdsejU4NkhHMXZZWkZnTWNuSlI0WHNFM25TYmhralR5MWJqUGFWOWwrRXZkenRHeTlMVUI1ZWRLSElMM21Pbk11NmcyRThKQk9xVitDZk9aUmRJOUk3eGJIRjVEaXVGNWtCOXlMQWVpWGh3ODdOLzRzcmtVdVgwRkRnUmc0cFVWSHVua1ZGQWJOVFArTGVIbWZrYmhGQ2MwZFVOU3dHYXBhaVhvd3lFOFVMWC9MaVdOcXdxb3N2S21iRVI5S0VqOFd1VENjaHJ6NmgvZDNPdzBJNndVUi9RdW40SkVBOHFJSW5TWitZak5sTWpHUUZlMk1sSnNWQ2tVNVh2OU1BMFVUcVVvdWlQeEJicTZMZ1ZBOG1RN0pmb1o2VWJnT1NrblcyYUpqdlIvMGU1U0YydC96SncyeXdodHZqaVZ1U2Z4b1piQVc4djllMzNTS1h2VmZHK3RBMnVkWXpBYm5TdWtQa2pqZHQ0cCt5SDNDdmpFTEFxanZSVTY5TmpkdHRCK3dxd28rZ1RoZ2RhbTVQcnZSVStHYzM2Q0gwcld2Y25rd3FONUFtb2VVTVNIcUNMTk0zVEFGSFVlOGppNEo2Nk5JSjczYjNHb0dGeWRicW55TDYvYVBEalVkcStJKzZvbmx4MXhZN1FxbmFPNFVRc01XU2VFWUxaMlYrWEQ3Slp1RFF2bnNCNERzOHJUTEZyR3Q0ZVl5WXlla0NJQmpmU1pBWkc5dCtLVjkzRnU1c2grL0lPV2MyQ256b3BFS2JWcEROejE5V0pSUVR5QkdzSTNyd2swOUFEMm84ZDEwZnFUa3FiUmZaVFcxRVhSZWZodGFaRUd6SkUxWWhRQVZvTGRZNDZOcmxUMmFsNm05d2gyMTFwQWlyaGVZbVZnYUppWDF1Ky9HVkQ5RmdDZ0Y0ZzBCc1VUSGxaQmE5MndCQ0RiMTlCOXdLYlM3R2lpZXVQZWg2UFNOdHhjdUpreC9Db2lTZnZGelorTXMzT2VtTmlVakdRVnVMalZOc0wyZTlocmlsSTRvZEZhZVVSd2lDY2JwZ3FnVkt1bDdHMVgrMDN1WEt1bExKVERuUnR2ck5NTnBJZklCUjhnSjR6N3p6d0NJT3owdWhNZHNIcXBqWllYL0swSEx4MzFqdHpVR285a21CYWR5bk5rd2RUUlJXQkZLQ3pJUHoxQW9jM3RvVmMxazR2M0dmc2JtU013TnhwNitldG5kZytZQ3ZGTlBFbWdYdXRFQ01jaGFZVS9OOVBpUWpaTFI5UjlsbzlxTGFOaE1Kc21DaVdZckN4ZkN3TmF0b0JVSUxNbmN1dTYvZ1I1dWhxNndqRmdoUHRpdnFjZkFBSmU1QXllQ29sNTEyQ2QxZ2RzVlkvV0lNM3lRZGZZRDdtbW4rRGN4WVRDNkRWalFoTXlIMUEwbUdKV2pCdldmd2pReUR5UmtoZjEzNUZXSGNnb25aMmlzbmhrLy84NGxZQVlETUN1bG10SW4wdmRNN2hoYnJoZnJCTitkSEJqOGwxSXBpQ2wwWTB3aTE3d28rNTkvWUxDUUpCUG1SUGNrWnV6cVpIekJVK0xZeGpIZHNkQT09
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
1zh4oiFGbyF0AOfBDdUh7xNiQdI2
URLs
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
Path
C:\Users\Admin\Desktop\FsAHe_readme_.txt
Family
avaddon
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .BbAeaaEAeb
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
MjcwMS1pNnp5cHdTcjdFd012NDQ4UndtY3AxTUxqdjYzZDEvTnhlR1dhMUpPK0hiTjhROU1uNXlSKzZYaVFYc3pjL1JKbnhIcXl0VElKSGxwL0RxK0luWi83Q3YwLzFsaXhQd1ZNSXR1b0pHRzlqcWgxQnB0YVpYaDFPKzhoV0w0enhHdWNFemtDT3FYaHpWWFlaS09rSHk4eUIxZW00RlJRZHlXN0lzWHJQemx3T2pMQkxOdUcwQ1V5UURUWTIyV2RELzdYdSswQ2RQVFBkWVRWakk2TmpGTUFqQ295N0xCOVBUV3JjRzNWaGZQSEtSLyswMFdMMzlpVHIvVGZaOFFESUo3NGtXT1lJb3ZNOUxlMHg3VGw0QTR1RGdWYWFwbEp3MFNad1NDbHN2OXdValJhNFlXWkZFZ29mWUlNcTJ2QkxUaTlvaE9XWEdPY2xqVHVzVnhpYm92RTl1QjVRQmFmRWNQN1JrOEJ6ajJzK1A2TkY3VGwvblNGbHVlaWFua3kvd3NZeVFhdnFzb1FNN2IwbWgvdkViQW80NDJnVE5KL3lpelovMnRiY0RSU0NnMVJLWUh5MXl4NUVtbmlGdVZoKytCUWQrRXNZa0VOWHFRaEt1U1hWN2NmR0t5eDhBYk1oZGFhQU9ZdDBlZnFZREx5N25NU0grRVB5YWlYek8veWdJVTFMVEo1cFBkMzQySXRxM3ZiUTcyN0JZTDlaS002QXFuU0RlY09qNks2aW5wNElob0t3ZGtsQ1I4d3g2WkJrT3J6ZnJ6L1RGL25VK1pBU0o3Q01CVEluVERPSWxFeEVHY1orYlBZUEJKcVdzV3N3dll6cWQ0VUNYTkkvMVJoRjNHaHorNS9ZdytRNlViY3R4YnFRVkhFUmNUZDlWaEFNZ2lla1RzMFRLeVgzMXFQQXR6U3BJdVVrcnpVUUJaMFliNVFsM3VQRGl4UWduSithbGNtUkRsa0JvdVhNM1ZGbEoydktSeGY2NlJKM0NDSzRDMnpRRWRsVkYwWldCNklxSFVHcXFKODV1OTBRZW1hQ0pWZkV2OHFBVzhvTnZGNFdpRTVHa1VPWEkyV0xGTzZEczVwWTBjaWQvc2hTOXZNRnhRbytoR3JWOHV1ZGxyaG9qZjhDSEt4MkQ3SVVzanFic1M1SURncVpJZjlkRm93QmViS2tSZ1NsZjNiN1BrbXI2dU8weHJkalQ2dXNEYmJqM3h6RFUvMW0zdnhJbnFsS2JESHJsMGpwbDJjL3FSTFN6ZDRDZW9yYmhEeXBwZnE4Tlk2Q202Vzk4dkxLclVXOU5oRUZKMXpoNUhveWh4ZjhNOTNJaXBGNGo4eXNHYUNTVk1VOU5IeWtmYVJ3VUMrWnpuSG5hZW4vVS9yb0NTQVcwaGpha0VKRkY1Q2luSEN4RndSZ3phYmhsSUFqRlI5M3VpNWJmM0QxTWUrek1TYUN3S2xQQTJJemxKVGRVcnFsMDdhOUdvMmFQeDdkN0RWL2tlYzkwWm9Kem1lUEpBRjlpdzhDV1E2L2VpTktiSlVPTlBEWisvdlNGZUZLamd5biszRGZnNGxTZDNGLytSQlhwWWZuWkd5WDYydkoyOENaK1hIY2pkaHc1eW1hYTQ4Ty9KS3lMbDFnemlsRHZsRkZiN1dMWUZwMTRJMmRiNkpsckkya0toODhOYmNuZkF1UUxjbEFsTmtCTDlGZzRvL2MrMW42SVo0QkpIb1ZvUDA0Vi9kdnhaR0NTU1lmV2h5NnNiWm9WaWZsWUdVdzZLMG5ucCtRNUt1Qy9PN3dVcXZ5SnFzbWt6d01JdE1ES29ONjU4ZFduZFdxcVpPNjVlMDdnSHJON284aFI1RUlDeEFCYTYrRWRLY1hBNHRnaU43d2RoLzZTR2QxTTR0cUZKTUMxeHJIaVFLb2htVTcvMVh3NzV0ZDZxOHVZWHBSVlZSVEpKRExLcmN5Qk1rdzNmRTcrdko4V0tEKzF2ZkhTejRybWhBWDRaZysvNXB1SUxzaGVMZENsRC9EY3QrbkVHeGsyZzV2Ny8vVWd4cmd2VFh3bFFWcVBMRkVlaktoRjVrQzVOaldlVEErVk1YNzJZWjBzM0RrcVhRVzhYUFphdjZRaWgyaUhqRTJIOFJBWWRUYWdKZ1Y4dVpFZFVJbVJRakljWmpKMjdodz09
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
b0mdzv62kVPFhB7Zh3E
URLs
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
Path
C:\Users\Admin\Desktop\FsAHe_readme_.txt
Family
avaddon
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .BbAeaaEAeb
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
MjcwMS1pNnp5cHdTcjdFd012NDQ4UndtY3AxTUxqdjYzZDEvTnhlR1dhMUpPK0hiTjhROU1uNXlSKzZYaVFYc3pjL1JKbnhIcXl0VElKSGxwL0RxK0luWi83Q3YwLzFsaXhQd1ZNSXR1b0pHRzlqcWgxQnB0YVpYaDFPKzhoV0w0enhHdWNFemtDT3FYaHpWWFlaS09rSHk4eUIxZW00RlJRZHlXN0lzWHJQemx3T2pMQkxOdUcwQ1V5UURUWTIyV2RELzdYdSswQ2RQVFBkWVRWakk2TmpGTUFqQ295N0xCOVBUV3JjRzNWaGZQSEtSLyswMFdMMzlpVHIvVGZaOFFESUo3NGtXT1lJb3ZNOUxlMHg3VGw0QTR1RGdWYWFwbEp3MFNad1NDbHN2OXdValJhNFlXWkZFZ29mWUlNcTJ2QkxUaTlvaE9XWEdPY2xqVHVzVnhpYm92RTl1QjVRQmFmRWNQN1JrOEJ6ajJzK1A2TkY3VGwvblNGbHVlaWFua3kvd3NZeVFhdnFzb1FNN2IwbWgvdkViQW80NDJnVE5KL3lpelovMnRiY0RSU0NnMVJLWUh5MXl4NUVtbmlGdVZoKytCUWQrRXNZa0VOWHFRaEt1U1hWN2NmR0t5eDhBYk1oZGFhQU9ZdDBlZnFZREx5N25NU0grRVB5YWlYek8veWdJVTFMVEo1cFBkMzQySXRxM3ZiUTcyN0JZTDlaS002QXFuU0RlY09qNks2aW5wNElob0t3ZGtsQ1I4d3g2WkJrT3J6ZnJ6L1RGL25VK1pBU0o3Q01CVEluVERPSWxFeEVHY1orYlBZUEJKcVdzV3N3dll6cWQ0VUNYTkkvMVJoRjNHaHorNS9ZdytRNlViY3R4YnFRVkhFUmNUZDlWaEFNZ2lla1RzMFRLeVgzMXFQQXR6U3BJdVVrcnpVUUJaMFliNVFsM3VQRGl4UWduSithbGNtUkRsa0JvdVhNM1ZGbEoydktSeGY2NlJKM0NDSzRDMnpRRWRsVkYwWldCNklxSFVHcXFKODV1OTBRZW1hQ0pWZkV2OHFBVzhvTnZGNFdpRTVHa1VPWEkyV0xGTzZEczVwWTBjaWQvc2hTOXZNRnhRbytoR3JWOHV1ZGxyaG9qZjhDSEt4MkQ3SVVzanFic1M1SURncVpJZjlkRm93QmViS2tSZ1NsZjNiN1BrbXI2dU8weHJkalQ2dXNEYmJqM3h6RFUvMW0zdnhJbnFsS2JESHJsMGpwbDJjL3FSTFN6ZDRDZW9yYmhEeXBwZnE4Tlk2Q202Vzk4dkxLclVXOU5oRUZKMXpoNUhveWh4ZjhNOTNJaXBGNGo4eXNHYUNTVk1VOU5IeWtmYVJ3VUMrWnpuSG5hZW4vVS9yb0NTQVcwaGpha0VKRkY1Q2luSEN4RndSZ3phYmhsSUFqRlI5M3VpNWJmM0QxTWUrek1TYUN3S2xQQTJJemxKVGRVcnFsMDdhOUdvMmFQeDdkN0RWL2tlYzkwWm9Kem1lUEpBRjlpdzhDV1E2L2VpTktiSlVPTlBEWisvdlNGZUZLamd5biszRGZnNGxTZDNGLytSQlhwWWZuWkd5WDYydkoyOENaK1hIY2pkaHc1eW1hYTQ4Ty9KS3lMbDFnemlsRHZsRkZiN1dMWUZwMTRJMmRiNkpsckkya0toODhOYmNuZkF1UUxjbEFsTmtCTDlGZzRvL2MrMW42SVo0QkpIb1ZvUDA0Vi9kdnhaR0NTU1lmV2h5NnNiWm9WaWZsWUdVdzZLMG5ucCtRNUt1Qy9PN3dVcXZ5SnFzbWt6d01JdE1ES29ONjU4ZFduZFdxcVpPNjVlMDdnSHJON284aFI1RUlDeEFCYTYrRWRLY1hBNHRnaU43d2RoLzZTR2QxTTR0cUZKTUMxeHJIaVFLb2htVTcvMVh3NzV0ZDZxOHVZWHBSVlZSVEpKRExLcmN5Qk1rdzNmRTcrdko4V0tEKzF2ZkhTejRybWhBWDRaZysvNXB1SUxzaGVMZENsRC9EY3QrbkVHeGsyZzV2Ny8vVWd4cmd2VFh3bFFWcVBMRkVlaktoRjVrQzVOaldlVEErVk1YNzJZWjBzM0RrcVhRVzhYUFphdjZRaWgyaUhqRTJIOFJBWWRUYWdKZ1Y4dVpFZFVJbVJRakljWmpKMjdodz09
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
ScNUo7tMa77o3clZh3E
URLs
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Targets
-
-
Target
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
-
Size
775KB
-
MD5
117da2dd6fa24616f63eb43d5a15e5d3
-
SHA1
b4d70eecdef52ceef15f04a025d1ab08f193fb97
-
SHA256
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275
-
SHA512
de2e5538e8dd8210b630eca0fc611f0ba0dcb805b3a745c38a6f46ee9acfe8785c917b9452e0d6f70f675030430b65b352d695106bae639b20e0dbb2dd95e375
-
SSDEEP
24576:TCsQ9+OXLpMePfI8TgmBTCDqEbOpPtpFhAxfq:5HOXLpMePfzVTCD7gPtLhQfq
Score10/10-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (185) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE
-
Checks whether UAC is enabled
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
2File Deletion
2Modify Registry
2