General
-
Target
0a9cbecc1a52d73e36d8852d261cf5e2cd9d62b52c2020ef4edf147d9500fbcf
-
Size
329KB
-
Sample
240417-qldpvaaf7z
-
MD5
cf5ae38c826a431ca697b5995ce66ab2
-
SHA1
4c323c7ccb242eb32429992a7b881d0b3d30c720
-
SHA256
0a9cbecc1a52d73e36d8852d261cf5e2cd9d62b52c2020ef4edf147d9500fbcf
-
SHA512
f9467188a841bdb3314352b48e1fc17e994583072e8b20fe08cdf8f003101a9517880ebedc43b46b2a335909f3f76e03cf17cd59cfc3d8f5aac736c56820a64c
-
SSDEEP
6144:OH5GSPNgSiUu7DhsNmvQUKGxg/CNKzb7iMCO6OJ71GgqGF8fsJTMYjXAvs3iB:OZGOgSiUu7DhdQUi6omA713/J4YjXIs4
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\SqdPDw0R_readme_.txt
Family
avaddon
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .aDdbebabEB
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
MjY2NC15WDJZSFB3Y0dCcWI1VE53TU50TWZENDc0bHBQVy8vWXcrRitnNm9HNEF4UUVjdTF5QkhSYjhhUnRDbWlVUVlTWXhEWEM5b0QraXFyTHRIelk1RFVnSUdWQnI2aEc4WEtyTGpWZDhqL0Y2cUN0dVNoNWg0RjVlTnhJNTNuaEZ6Z0c2L051TGhjR2lld0xOWXVaNG5wcjZVMG1jeFU0OE5JOURKTW5JcnZOeVhOa3M0aThnTmR3dUdnM2lVMzRUZmJKbXVMQjQ1Z0Y0SmJSdTMyQ3FaajRiVUFXU29QRDZNbWpaeDNYaWdwbUJFQjZTY09hUGRaSWlhN3o0ckxpS3A2YVY2cWdVaVFKdnN3VGdIclRJaW4yMlM1dHNJRE5RM0VBdGJIalVJenVvZmVQSnk5YUVVNXNJdUd6OVVpdUF2WDRYUDJWc2xNbHZ0VTZhMlZtVWVoay94Wk9CVUxVVWplU0R4aXVuN3pMelJJMkpSRTVmMkFuZWpnbTBNaVJ1SnRiTVhBN1hiaVNhS0QzY1FCWTVNQUduY1ByN09zd0dobDJ3cFBGYkh4RlFwdzA4N2ZZWWhVb3dhR0ZCQlE1SmlROThIOWRHdjNSbzIwRm5Na3U2SmNWY2twQ3Rlb0liSXBvR2ZhVzZhVC9wcGpLbHJoY3pBSEkxUTZlbXVDWEQ2TUQ4MHdkSVNKL0NpY29SaStkcEYwZk5WMmhld1UzRjZXSXNlblpjcmtFMFljbVgzOEpFOEl3RnlMUU1QbTNFMnNvOG1NbFRsa05HcDBZanprdVNzdkc0M3Y3eWVhN2U3MmpEMHVDYVZnTXpIQnQ5SVhsY09sazhRN09PYmQzcWw5YlZYQTZJSjVzdWdSYUF1SHhzTmlGZjdwNG9mL1J3MnJvNjhrZ0M1VzZQem1FVWZLME5WUWNuQUZZY1p5UGx1dVY3V3ZhZzF3bDRaYVliREI4N09LUUlJNW8wSjFlSjZkbUNDRDFEL0hjUTV6MUZaaytSRDJ2RGpZUUtRem4rUklRT0lZTC9qUW9aeVlxSzZidVJFQ1IwYjhWazZTMkphc1l3MmtJUEtvMmxkcUNTT1YvMkE0OHNyMzJrWThtMlpzZWNocFNwUjJ1LzBYb2YwMyszS29udmlmL1BzdGdMTCsyTWJOcnlQd0RVN0dac1JNSW4zNjZCVUZRSjNKbVMzN3BEYjFtcEpMS050OUxuVmpON3RiNWJ1K0h6dHhGcUJKTGJWZnpVMWFWQko5RFVtcDE3S0pnS3dPa0Jwa2NHeHh4d3l2eTRZdFBPV2Q5blVyT2FQaC9JWjkzbGtTbFcrakhvWTUrQ2paVWdNc2JqbHIySlE1RUxCSnNGSnNYSlhyMU1nMS84NG9DMTRuZk8vQ25STkFWdmhMbGNNR21Neitjc0pWa1JZL1pqczVXSFlOVTlhc2M0L1NLY0xnVGFIVnQ5RS9oclAvaGNNb0JNaldublpaZXpjMGpoNUREWWNrQkQraXZMZzJDS3J2RzhMUDJ5Si8rendUaVcwOTF4bVorUDNpQWV4OVpvWGs4ZGJOR01pL25XRVpVVHkvS2FiTzUxNDBDa0pLVEZtbXFnelMrNWRrSStaRmhpTlJTdEdWLzBZWTJCYi9TSno0UE9DeHdrS2pnNHp1MW1RTlgxbUpKNWdXVHdUL3dxSmZBYWJTTTZYVUJ2WTFQekZvbmxDNENkNXhvcy92L1JhUUhReWR3SmxrOGRHUitNUmR6TUtFa0V1Q2lzaVh3ZHhRT0NhaGhJMDArL0pwYzJ2L29wUm1DTVcyVXFqTm1OZlkzS3Jwb0ZVZGFucWhKSkpiVTlNay9pMEJtcHk3WStBNWVsRS9FOUZxNEN1M1dtVWs1Y1ZoWGtmU0l2YUFmVlNxQWx2YzhHaElqd3BBcnJHT0lIQmNmekNUeHN5WGtWZm00amJRVWVVMWlWZjI2azExZ2lrRERYTFNMM3BXVHM1WUdJbndQS0RKcnpjSExxRjBDZHZoMDNBc0N1RGVpUjIwbWd0Tys1ZzIzWjNYOVkwMlFJamd4aWs2TC9waStabTNhOWpCMXF0RWtwcmFXcDllWjBsUHRuY2lrY3ZSbFRNWlg5STVMU1A1OCtyOTRtMlAvQVpJMWhadEZnUmF3MFAra0ltb25iNklwUT09
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
oyF
URLs
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
Path
C:\Users\Admin\Desktop\SqdPDw0R_readme_.txt
Family
avaddon
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .aDdbebabEB
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
MjY2NC15WDJZSFB3Y0dCcWI1VE53TU50TWZENDc0bHBQVy8vWXcrRitnNm9HNEF4UUVjdTF5QkhSYjhhUnRDbWlVUVlTWXhEWEM5b0QraXFyTHRIelk1RFVnSUdWQnI2aEc4WEtyTGpWZDhqL0Y2cUN0dVNoNWg0RjVlTnhJNTNuaEZ6Z0c2L051TGhjR2lld0xOWXVaNG5wcjZVMG1jeFU0OE5JOURKTW5JcnZOeVhOa3M0aThnTmR3dUdnM2lVMzRUZmJKbXVMQjQ1Z0Y0SmJSdTMyQ3FaajRiVUFXU29QRDZNbWpaeDNYaWdwbUJFQjZTY09hUGRaSWlhN3o0ckxpS3A2YVY2cWdVaVFKdnN3VGdIclRJaW4yMlM1dHNJRE5RM0VBdGJIalVJenVvZmVQSnk5YUVVNXNJdUd6OVVpdUF2WDRYUDJWc2xNbHZ0VTZhMlZtVWVoay94Wk9CVUxVVWplU0R4aXVuN3pMelJJMkpSRTVmMkFuZWpnbTBNaVJ1SnRiTVhBN1hiaVNhS0QzY1FCWTVNQUduY1ByN09zd0dobDJ3cFBGYkh4RlFwdzA4N2ZZWWhVb3dhR0ZCQlE1SmlROThIOWRHdjNSbzIwRm5Na3U2SmNWY2twQ3Rlb0liSXBvR2ZhVzZhVC9wcGpLbHJoY3pBSEkxUTZlbXVDWEQ2TUQ4MHdkSVNKL0NpY29SaStkcEYwZk5WMmhld1UzRjZXSXNlblpjcmtFMFljbVgzOEpFOEl3RnlMUU1QbTNFMnNvOG1NbFRsa05HcDBZanprdVNzdkc0M3Y3eWVhN2U3MmpEMHVDYVZnTXpIQnQ5SVhsY09sazhRN09PYmQzcWw5YlZYQTZJSjVzdWdSYUF1SHhzTmlGZjdwNG9mL1J3MnJvNjhrZ0M1VzZQem1FVWZLME5WUWNuQUZZY1p5UGx1dVY3V3ZhZzF3bDRaYVliREI4N09LUUlJNW8wSjFlSjZkbUNDRDFEL0hjUTV6MUZaaytSRDJ2RGpZUUtRem4rUklRT0lZTC9qUW9aeVlxSzZidVJFQ1IwYjhWazZTMkphc1l3MmtJUEtvMmxkcUNTT1YvMkE0OHNyMzJrWThtMlpzZWNocFNwUjJ1LzBYb2YwMyszS29udmlmL1BzdGdMTCsyTWJOcnlQd0RVN0dac1JNSW4zNjZCVUZRSjNKbVMzN3BEYjFtcEpMS050OUxuVmpON3RiNWJ1K0h6dHhGcUJKTGJWZnpVMWFWQko5RFVtcDE3S0pnS3dPa0Jwa2NHeHh4d3l2eTRZdFBPV2Q5blVyT2FQaC9JWjkzbGtTbFcrakhvWTUrQ2paVWdNc2JqbHIySlE1RUxCSnNGSnNYSlhyMU1nMS84NG9DMTRuZk8vQ25STkFWdmhMbGNNR21Neitjc0pWa1JZL1pqczVXSFlOVTlhc2M0L1NLY0xnVGFIVnQ5RS9oclAvaGNNb0JNaldublpaZXpjMGpoNUREWWNrQkQraXZMZzJDS3J2RzhMUDJ5Si8rendUaVcwOTF4bVorUDNpQWV4OVpvWGs4ZGJOR01pL25XRVpVVHkvS2FiTzUxNDBDa0pLVEZtbXFnelMrNWRrSStaRmhpTlJTdEdWLzBZWTJCYi9TSno0UE9DeHdrS2pnNHp1MW1RTlgxbUpKNWdXVHdUL3dxSmZBYWJTTTZYVUJ2WTFQekZvbmxDNENkNXhvcy92L1JhUUhReWR3SmxrOGRHUitNUmR6TUtFa0V1Q2lzaVh3ZHhRT0NhaGhJMDArL0pwYzJ2L29wUm1DTVcyVXFqTm1OZlkzS3Jwb0ZVZGFucWhKSkpiVTlNay9pMEJtcHk3WStBNWVsRS9FOUZxNEN1M1dtVWs1Y1ZoWGtmU0l2YUFmVlNxQWx2YzhHaElqd3BBcnJHT0lIQmNmekNUeHN5WGtWZm00amJRVWVVMWlWZjI2azExZ2lrRERYTFNMM3BXVHM1WUdJbndQS0RKcnpjSExxRjBDZHZoMDNBc0N1RGVpUjIwbWd0Tys1ZzIzWjNYOVkwMlFJamd4aWs2TC9waStabTNhOWpCMXF0RWtwcmFXcDllWjBsUHRuY2lrY3ZSbFRNWlg5STVMU1A1OCtyOTRtMlAvQVpJMWhadEZnUmF3MFAra0ltb25iNklwUT09
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
faMctp
URLs
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
Path
C:\Users\Admin\Documents\RwNRD_readme_.txt
Family
avaddon
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .BbbABBeeEb
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
MjY2NC02SGhlUDEybVQ3Yzd5d25aMzF2SlRPVnRQZFcrSGJEOStoZEx5RXVIL21JWlE5c1pmWS81TGNGQkowY0RkUzloQ0dqV1FLL1pUMzhHZWhEMmIwQjhEUUlyYUJKNk5IYnlHT1A5Z1d5OG9YQzZxZGVYa3RYQVRNbldvTGdmUHVBQTBLdzNLQW85SE1Hck1qMFBISEtPZHB3c2hlQmphb1l2UFhtNG5HVlVGZFVIb0w3THdObUhlZVBLREtUUWlJTXJiN0hGQnd6ejh4TFJka0cwZ01iRjh1MVBGeWNBZWtyMFdJREkvT3VnY0RzUVhLckVucnl2b1hha2E5NElZN0ovaVJOVEQrSVN3WEwxUXJKdWkraW1LZ0J6bTVQUHBQT1dTUjZ3V3RERmtQQ2gxaXlkNFJGNE0rMTlqbGNkS1lWUVY3dzNSVnp3RDNJOW1YMUxRaU5OdXRYdUROTkVtRXVTRVhjZEdOV0o1ME5rY0pPWjJTWnRsQ0F5Q3FtdUY2VEU1VTQ5NUZKZzBVaWYxOGNiTXBackFLVFVLYkM0dTN4amJNUGwyTlNmTE9JaGZDVlJsYnpRWG90VndkZjNYVThPaWZGZXNiQ09mOU5odU5JVnp5NUN1UEgyaXFmRjBBMWZGdzh6djlBK2dSSXo1WGI3V2kvMkZWUDI3aXBscjMvNzR2eGNCNURqcEdNZHRHNyt0bFlQSDJLRlFwa3I1c1dnWHhVdnhjL1JoNkI0R0loK01TZXVjaittZCtDejJFVmRhVHhqZlJ1Y3JvN1lOZ3YyZDF2VEgrK0p5b2tLc1VCeXlhQXVvbXFkQUR6a0lKQTRycGtsblFpamZLQTYwMFl1Y3VPQ1JFMVZJeVR3TUNJNTJ1ZTFLU3JMTm5uUVNiQjRmUlA1UDZSaDV4VGdLdjA5L1RFbnpaMUtMcGtFRE1XM0hReXNhQnFjTm5iTmNidVNRZ3dabDh2SUpxaFlqZjVkWFN1eGw2eVdBRlBud2tmMmsvUXczT2plaWR6MEpQUEdKV2MyQllRNXRVcHpPaWk3ektNbDVDYWExa015dnNEM2k1Tk5jdVFqUEN1VTFDcy83bmxUVEgyL1NZczl5a0xSZGwyWHhYZVlHdzZsWC9YZ2wvRmNoZCtqYmNqL3pLSVVsRFRINmNpNS93Uk55SkozSjlvZVRLME83NkZGMWtqYzRuOWZWR3JvZjZvKzRhU1dGRHpoYlhVU2hTeFBtb0diWkdZNVlqRDZpWVFCclgrY3N4VG5WbXU0WVZsenRFQklFWVhZUWQ1SERjZWFoYnppZHM5Zk45VGJEeXE5NitlVTRKN3dvRjNBQ0QwcXIyNEg2VWkwS0w1UnJYRVJ5ckpQdHR3S2RwUVJpVVhFY2pCRGQ0QnBsdGdjWG1lMFlXSEZQZlZpL0JwSTVMemFGZnptT3hmSHA1OTB3bnlPMUZtR3ZNVnhDbTNLY2t3RG4rUTNaYTZkM0JYUnVYUnpLMjFpSlRHWWJMcnBCTDRqbWE5Ui95NWhpcHpObTJsOWxiTE1TT0dnNHlCY1poY1BzbFNid2tQaU94cjBoLzduRHltc1BBOGpLbTR3WGNGbVBSU1JZcmRFNmhnNll3SmFiY2NrS3plTG95SUY5cUlIQWVlY0Rnd0cvcWRvMjdqNmNaemludTdKNmZsb0UwSFpJR2krTCtJTytFdVV4TkxWN2xuQklFNWEySFBwTHZxOU8ySEpxRWF1Z1VzcVVCK3R1WDJsSGo0YnA2THpTSkRKRXJDcnIwYm94WVZMRWhaNWRzanptMkJrbWpqeU5nMWlMQ1dGSmFxQjBMQU53VTNFM1VHN0JOaWFOd1F1a1dLSVRsNG5yd3VoNHdYQTlNRVVMTzJFUDZoVUkwaTBEZjcyd0ZiTzRXeENFMGJSNFE3V090ZStBWFVQSWN1SnI5U1hyOERYc3NlSTZiS2hVTm1DeFBRSUQ4OVRLRWkzd1VCaXNhZG94L09zOFdSaGQ4VHRGSTVLaFdUY1o1UFFIRTdlRGd6ZjE1eXNQOXdvTGlJSTB2aEVUaUJxOTVOaGhjTXl4VTNPMlc1RXFWT2hmUzVQTjVhUGNLTUFKaEQ0Mkd6bzB6WUErNmxGSUc1Tko5RERnVWlQUzhLeFljeHF2aWJiWENRazBEU05Cdz09
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
oi0
URLs
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
Path
C:\Users\Admin\Documents\RwNRD_readme_.txt
Family
avaddon
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .BbbABBeeEb
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
MjY2NC02SGhlUDEybVQ3Yzd5d25aMzF2SlRPVnRQZFcrSGJEOStoZEx5RXVIL21JWlE5c1pmWS81TGNGQkowY0RkUzloQ0dqV1FLL1pUMzhHZWhEMmIwQjhEUUlyYUJKNk5IYnlHT1A5Z1d5OG9YQzZxZGVYa3RYQVRNbldvTGdmUHVBQTBLdzNLQW85SE1Hck1qMFBISEtPZHB3c2hlQmphb1l2UFhtNG5HVlVGZFVIb0w3THdObUhlZVBLREtUUWlJTXJiN0hGQnd6ejh4TFJka0cwZ01iRjh1MVBGeWNBZWtyMFdJREkvT3VnY0RzUVhLckVucnl2b1hha2E5NElZN0ovaVJOVEQrSVN3WEwxUXJKdWkraW1LZ0J6bTVQUHBQT1dTUjZ3V3RERmtQQ2gxaXlkNFJGNE0rMTlqbGNkS1lWUVY3dzNSVnp3RDNJOW1YMUxRaU5OdXRYdUROTkVtRXVTRVhjZEdOV0o1ME5rY0pPWjJTWnRsQ0F5Q3FtdUY2VEU1VTQ5NUZKZzBVaWYxOGNiTXBackFLVFVLYkM0dTN4amJNUGwyTlNmTE9JaGZDVlJsYnpRWG90VndkZjNYVThPaWZGZXNiQ09mOU5odU5JVnp5NUN1UEgyaXFmRjBBMWZGdzh6djlBK2dSSXo1WGI3V2kvMkZWUDI3aXBscjMvNzR2eGNCNURqcEdNZHRHNyt0bFlQSDJLRlFwa3I1c1dnWHhVdnhjL1JoNkI0R0loK01TZXVjaittZCtDejJFVmRhVHhqZlJ1Y3JvN1lOZ3YyZDF2VEgrK0p5b2tLc1VCeXlhQXVvbXFkQUR6a0lKQTRycGtsblFpamZLQTYwMFl1Y3VPQ1JFMVZJeVR3TUNJNTJ1ZTFLU3JMTm5uUVNiQjRmUlA1UDZSaDV4VGdLdjA5L1RFbnpaMUtMcGtFRE1XM0hReXNhQnFjTm5iTmNidVNRZ3dabDh2SUpxaFlqZjVkWFN1eGw2eVdBRlBud2tmMmsvUXczT2plaWR6MEpQUEdKV2MyQllRNXRVcHpPaWk3ektNbDVDYWExa015dnNEM2k1Tk5jdVFqUEN1VTFDcy83bmxUVEgyL1NZczl5a0xSZGwyWHhYZVlHdzZsWC9YZ2wvRmNoZCtqYmNqL3pLSVVsRFRINmNpNS93Uk55SkozSjlvZVRLME83NkZGMWtqYzRuOWZWR3JvZjZvKzRhU1dGRHpoYlhVU2hTeFBtb0diWkdZNVlqRDZpWVFCclgrY3N4VG5WbXU0WVZsenRFQklFWVhZUWQ1SERjZWFoYnppZHM5Zk45VGJEeXE5NitlVTRKN3dvRjNBQ0QwcXIyNEg2VWkwS0w1UnJYRVJ5ckpQdHR3S2RwUVJpVVhFY2pCRGQ0QnBsdGdjWG1lMFlXSEZQZlZpL0JwSTVMemFGZnptT3hmSHA1OTB3bnlPMUZtR3ZNVnhDbTNLY2t3RG4rUTNaYTZkM0JYUnVYUnpLMjFpSlRHWWJMcnBCTDRqbWE5Ui95NWhpcHpObTJsOWxiTE1TT0dnNHlCY1poY1BzbFNid2tQaU94cjBoLzduRHltc1BBOGpLbTR3WGNGbVBSU1JZcmRFNmhnNll3SmFiY2NrS3plTG95SUY5cUlIQWVlY0Rnd0cvcWRvMjdqNmNaemludTdKNmZsb0UwSFpJR2krTCtJTytFdVV4TkxWN2xuQklFNWEySFBwTHZxOU8ySEpxRWF1Z1VzcVVCK3R1WDJsSGo0YnA2THpTSkRKRXJDcnIwYm94WVZMRWhaNWRzanptMkJrbWpqeU5nMWlMQ1dGSmFxQjBMQU53VTNFM1VHN0JOaWFOd1F1a1dLSVRsNG5yd3VoNHdYQTlNRVVMTzJFUDZoVUkwaTBEZjcyd0ZiTzRXeENFMGJSNFE3V090ZStBWFVQSWN1SnI5U1hyOERYc3NlSTZiS2hVTm1DeFBRSUQ4OVRLRWkzd1VCaXNhZG94L09zOFdSaGQ4VHRGSTVLaFdUY1o1UFFIRTdlRGd6ZjE1eXNQOXdvTGlJSTB2aEVUaUJxOTVOaGhjTXl4VTNPMlc1RXFWT2hmUzVQTjVhUGNLTUFKaEQ0Mkd6bzB6WUErNmxGSUc1Tko5RERnVWlQUzhLeFljeHF2aWJiWENRazBEU05Cdz09
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
Bqbo06
URLs
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
Path
C:\Users\Admin\Downloads\RwNRD_readme_.txt
Family
avaddon
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .BbbABBeeEb
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
MjY2NC02SGhlUDEybVQ3Yzd5d25aMzF2SlRPVnRQZFcrSGJEOStoZEx5RXVIL21JWlE5c1pmWS81TGNGQkowY0RkUzloQ0dqV1FLL1pUMzhHZWhEMmIwQjhEUUlyYUJKNk5IYnlHT1A5Z1d5OG9YQzZxZGVYa3RYQVRNbldvTGdmUHVBQTBLdzNLQW85SE1Hck1qMFBISEtPZHB3c2hlQmphb1l2UFhtNG5HVlVGZFVIb0w3THdObUhlZVBLREtUUWlJTXJiN0hGQnd6ejh4TFJka0cwZ01iRjh1MVBGeWNBZWtyMFdJREkvT3VnY0RzUVhLckVucnl2b1hha2E5NElZN0ovaVJOVEQrSVN3WEwxUXJKdWkraW1LZ0J6bTVQUHBQT1dTUjZ3V3RERmtQQ2gxaXlkNFJGNE0rMTlqbGNkS1lWUVY3dzNSVnp3RDNJOW1YMUxRaU5OdXRYdUROTkVtRXVTRVhjZEdOV0o1ME5rY0pPWjJTWnRsQ0F5Q3FtdUY2VEU1VTQ5NUZKZzBVaWYxOGNiTXBackFLVFVLYkM0dTN4amJNUGwyTlNmTE9JaGZDVlJsYnpRWG90VndkZjNYVThPaWZGZXNiQ09mOU5odU5JVnp5NUN1UEgyaXFmRjBBMWZGdzh6djlBK2dSSXo1WGI3V2kvMkZWUDI3aXBscjMvNzR2eGNCNURqcEdNZHRHNyt0bFlQSDJLRlFwa3I1c1dnWHhVdnhjL1JoNkI0R0loK01TZXVjaittZCtDejJFVmRhVHhqZlJ1Y3JvN1lOZ3YyZDF2VEgrK0p5b2tLc1VCeXlhQXVvbXFkQUR6a0lKQTRycGtsblFpamZLQTYwMFl1Y3VPQ1JFMVZJeVR3TUNJNTJ1ZTFLU3JMTm5uUVNiQjRmUlA1UDZSaDV4VGdLdjA5L1RFbnpaMUtMcGtFRE1XM0hReXNhQnFjTm5iTmNidVNRZ3dabDh2SUpxaFlqZjVkWFN1eGw2eVdBRlBud2tmMmsvUXczT2plaWR6MEpQUEdKV2MyQllRNXRVcHpPaWk3ektNbDVDYWExa015dnNEM2k1Tk5jdVFqUEN1VTFDcy83bmxUVEgyL1NZczl5a0xSZGwyWHhYZVlHdzZsWC9YZ2wvRmNoZCtqYmNqL3pLSVVsRFRINmNpNS93Uk55SkozSjlvZVRLME83NkZGMWtqYzRuOWZWR3JvZjZvKzRhU1dGRHpoYlhVU2hTeFBtb0diWkdZNVlqRDZpWVFCclgrY3N4VG5WbXU0WVZsenRFQklFWVhZUWQ1SERjZWFoYnppZHM5Zk45VGJEeXE5NitlVTRKN3dvRjNBQ0QwcXIyNEg2VWkwS0w1UnJYRVJ5ckpQdHR3S2RwUVJpVVhFY2pCRGQ0QnBsdGdjWG1lMFlXSEZQZlZpL0JwSTVMemFGZnptT3hmSHA1OTB3bnlPMUZtR3ZNVnhDbTNLY2t3RG4rUTNaYTZkM0JYUnVYUnpLMjFpSlRHWWJMcnBCTDRqbWE5Ui95NWhpcHpObTJsOWxiTE1TT0dnNHlCY1poY1BzbFNid2tQaU94cjBoLzduRHltc1BBOGpLbTR3WGNGbVBSU1JZcmRFNmhnNll3SmFiY2NrS3plTG95SUY5cUlIQWVlY0Rnd0cvcWRvMjdqNmNaemludTdKNmZsb0UwSFpJR2krTCtJTytFdVV4TkxWN2xuQklFNWEySFBwTHZxOU8ySEpxRWF1Z1VzcVVCK3R1WDJsSGo0YnA2THpTSkRKRXJDcnIwYm94WVZMRWhaNWRzanptMkJrbWpqeU5nMWlMQ1dGSmFxQjBMQU53VTNFM1VHN0JOaWFOd1F1a1dLSVRsNG5yd3VoNHdYQTlNRVVMTzJFUDZoVUkwaTBEZjcyd0ZiTzRXeENFMGJSNFE3V090ZStBWFVQSWN1SnI5U1hyOERYc3NlSTZiS2hVTm1DeFBRSUQ4OVRLRWkzd1VCaXNhZG94L09zOFdSaGQ4VHRGSTVLaFdUY1o1UFFIRTdlRGd6ZjE1eXNQOXdvTGlJSTB2aEVUaUJxOTVOaGhjTXl4VTNPMlc1RXFWT2hmUzVQTjVhUGNLTUFKaEQ0Mkd6bzB6WUErNmxGSUc1Tko5RERnVWlQUzhLeFljeHF2aWJiWENRazBEU05Cdz09
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
XTjBLIJ1PP
URLs
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
Path
C:\RwNRD_readme_.txt
Family
avaddon
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .BbbABBeeEb
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
MjY2NC02SGhlUDEybVQ3Yzd5d25aMzF2SlRPVnRQZFcrSGJEOStoZEx5RXVIL21JWlE5c1pmWS81TGNGQkowY0RkUzloQ0dqV1FLL1pUMzhHZWhEMmIwQjhEUUlyYUJKNk5IYnlHT1A5Z1d5OG9YQzZxZGVYa3RYQVRNbldvTGdmUHVBQTBLdzNLQW85SE1Hck1qMFBISEtPZHB3c2hlQmphb1l2UFhtNG5HVlVGZFVIb0w3THdObUhlZVBLREtUUWlJTXJiN0hGQnd6ejh4TFJka0cwZ01iRjh1MVBGeWNBZWtyMFdJREkvT3VnY0RzUVhLckVucnl2b1hha2E5NElZN0ovaVJOVEQrSVN3WEwxUXJKdWkraW1LZ0J6bTVQUHBQT1dTUjZ3V3RERmtQQ2gxaXlkNFJGNE0rMTlqbGNkS1lWUVY3dzNSVnp3RDNJOW1YMUxRaU5OdXRYdUROTkVtRXVTRVhjZEdOV0o1ME5rY0pPWjJTWnRsQ0F5Q3FtdUY2VEU1VTQ5NUZKZzBVaWYxOGNiTXBackFLVFVLYkM0dTN4amJNUGwyTlNmTE9JaGZDVlJsYnpRWG90VndkZjNYVThPaWZGZXNiQ09mOU5odU5JVnp5NUN1UEgyaXFmRjBBMWZGdzh6djlBK2dSSXo1WGI3V2kvMkZWUDI3aXBscjMvNzR2eGNCNURqcEdNZHRHNyt0bFlQSDJLRlFwa3I1c1dnWHhVdnhjL1JoNkI0R0loK01TZXVjaittZCtDejJFVmRhVHhqZlJ1Y3JvN1lOZ3YyZDF2VEgrK0p5b2tLc1VCeXlhQXVvbXFkQUR6a0lKQTRycGtsblFpamZLQTYwMFl1Y3VPQ1JFMVZJeVR3TUNJNTJ1ZTFLU3JMTm5uUVNiQjRmUlA1UDZSaDV4VGdLdjA5L1RFbnpaMUtMcGtFRE1XM0hReXNhQnFjTm5iTmNidVNRZ3dabDh2SUpxaFlqZjVkWFN1eGw2eVdBRlBud2tmMmsvUXczT2plaWR6MEpQUEdKV2MyQllRNXRVcHpPaWk3ektNbDVDYWExa015dnNEM2k1Tk5jdVFqUEN1VTFDcy83bmxUVEgyL1NZczl5a0xSZGwyWHhYZVlHdzZsWC9YZ2wvRmNoZCtqYmNqL3pLSVVsRFRINmNpNS93Uk55SkozSjlvZVRLME83NkZGMWtqYzRuOWZWR3JvZjZvKzRhU1dGRHpoYlhVU2hTeFBtb0diWkdZNVlqRDZpWVFCclgrY3N4VG5WbXU0WVZsenRFQklFWVhZUWQ1SERjZWFoYnppZHM5Zk45VGJEeXE5NitlVTRKN3dvRjNBQ0QwcXIyNEg2VWkwS0w1UnJYRVJ5ckpQdHR3S2RwUVJpVVhFY2pCRGQ0QnBsdGdjWG1lMFlXSEZQZlZpL0JwSTVMemFGZnptT3hmSHA1OTB3bnlPMUZtR3ZNVnhDbTNLY2t3RG4rUTNaYTZkM0JYUnVYUnpLMjFpSlRHWWJMcnBCTDRqbWE5Ui95NWhpcHpObTJsOWxiTE1TT0dnNHlCY1poY1BzbFNid2tQaU94cjBoLzduRHltc1BBOGpLbTR3WGNGbVBSU1JZcmRFNmhnNll3SmFiY2NrS3plTG95SUY5cUlIQWVlY0Rnd0cvcWRvMjdqNmNaemludTdKNmZsb0UwSFpJR2krTCtJTytFdVV4TkxWN2xuQklFNWEySFBwTHZxOU8ySEpxRWF1Z1VzcVVCK3R1WDJsSGo0YnA2THpTSkRKRXJDcnIwYm94WVZMRWhaNWRzanptMkJrbWpqeU5nMWlMQ1dGSmFxQjBMQU53VTNFM1VHN0JOaWFOd1F1a1dLSVRsNG5yd3VoNHdYQTlNRVVMTzJFUDZoVUkwaTBEZjcyd0ZiTzRXeENFMGJSNFE3V090ZStBWFVQSWN1SnI5U1hyOERYc3NlSTZiS2hVTm1DeFBRSUQ4OVRLRWkzd1VCaXNhZG94L09zOFdSaGQ4VHRGSTVLaFdUY1o1UFFIRTdlRGd6ZjE1eXNQOXdvTGlJSTB2aEVUaUJxOTVOaGhjTXl4VTNPMlc1RXFWT2hmUzVQTjVhUGNLTUFKaEQ0Mkd6bzB6WUErNmxGSUc1Tko5RERnVWlQUzhLeFljeHF2aWJiWENRazBEU05Cdz09
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
ObK1fU6pF1tb9
URLs
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Targets
-
-
Target
1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
-
Size
775KB
-
MD5
0b486fe0503524cfe4726a4022fa6a68
-
SHA1
297dea71d489768ce45d23b0f8a45424b469ab00
-
SHA256
1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2
-
SHA512
f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619
-
SSDEEP
24576:TCs99+OXLpMePfI8TgmBTCDqEbOpPtpFhyxfq:5GOXLpMePfzVTCD7gPtLhSfq
Score10/10-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (206) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE
-
Checks whether UAC is enabled
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
2File Deletion
2Modify Registry
2