General

  • Target

    7ac245824e104b3720e96597b623e1fd22aeaec59dc379bc1c1d54103387fdd2

  • Size

    311KB

  • Sample

    240417-qlebdaaf71

  • MD5

    fa4e0df9018d327cc65d6cd9d0eccb1c

  • SHA1

    15515609a0b000bd397aa35e97328bbe3c53f75e

  • SHA256

    7ac245824e104b3720e96597b623e1fd22aeaec59dc379bc1c1d54103387fdd2

  • SHA512

    b12c256ebdd1bf32052e8470437b86d9e5c6c8b1e5b807d5901fe9653d4a5e42d4d0b96fc9406677a46182bfcc31ff46dd0cd2095ea52ba5b8f13edc027cf385

  • SSDEEP

    6144:oe281P7mpbrAsqU1T35qlVaoFoVI7hXp/SXSJ86gqwQaViAl1BFSpLfkGth:oyipnAsqKslVVhtSe8667ViAjBF6

Malware Config

Extracted

Path

C:\Users\Admin\Documents\ZfV6ho_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .bDcebBDaC
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
[ID omitted]
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
8
URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Favorites\Microsoft Websites\ZfV6ho_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .bDcebBDaC
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
[ID omitted]
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
V9QX2
URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Default\ZfV6ho_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .bDcebBDaC
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
NTc2LWYwL2NpRTMrMlBPekl4RldZazNvLzRZdmNjWllKQUdQaVFNeWVPR2hVK0R3Nnh2b1RzaUNLOTRicm9ORDJEYXJwTzNaL0IrdEwvZFlPSCs5djFIa3M1Sm9KaDFiaTJ0RHFKTm9vOSsrMDZ6R0RPWTFmRTFqVlYyeHZxelI5Y0hhdWVMQTFLOU1KT3ZtaXpZeUx6M3ZJQ2NodGREMTdmdFhGSHBUWjM0ZndDUEFUNWxCM2JoY1ZpdHNtSGU0dUZCMGtDYUMyRkNnWHdaTjBjUjAyQzZjR1d5elNVL0pIU0RtU0JUK3Q0SjRwQUErTXBMdTcwbHhXS2MyWEVXUTVMeTZWc0loVGZlL3dORC9jOHAvYjBCbm9TdlNtUytrRUw0bTVSOVZGWndMYVRWOFE2RCtsV0RiQVIvMHBLRWJKbFdlVmZVOGp6QUdDSTYzMmJtZSt3NDNCNk1ndXFJT0tCcHlwQ3lXSVV4YzJyKzUyRjlVamFFTy9vTlFzMWlLcUZ2dUNaUXNBN3A1eGRtTWdtclpoR0Z0NU94T1c0bncrUVA0NmlqbngzL1BVUEhFNDhLNlZQR3FTdkJFbUl5MmxVekpRRzRKMVVydGJEZGhBWlVONUJ3Yys2OENDK0JuYlAvSjZ3TzVxY0g2MkY3TmZQM0JUVlFnN3lsYkxrbEFEQUZQTWlGRG5wSDJ4VEVyaEhrS05RZzNlTnlPdVdlSUlFeWpwcE9IUHh1c1ZTdEZjOC9ja3hMM1VNdHhMbEUwcWlUSEdrY3lBYVVjZnNqUkNhMUFQNEREeUcxZVhMKzBhMEYzU2xIS3U4NXNZNFNOaVJpZmoxZUdtNFFmQWpxWXgxQkV5eGt0ZTNqWUppVDkvWjgvQlFncU8xdHRiOEg2N3YxeGppeFdGZHY1NXlDTWhkcHRTbVE3c2MwdmpMSit4ZFJEcVFCdERqeC9SMjFhN05DV2g3VGxhMkx0cEhuT01wVEY1ZHNTckpXYTFUWGZ2aXpCTUZJK0VLc3JDN3dacWtVbkxLUnpCdkRtVHo4WnVndHRCZFY3MEhOTzBscHd2VXcwM0JYT0FqMUFvNStRa2JHRStudjZ5cTR2dkVlZlZCUVpCRzlNeEtkZi9LOTZCUDMxcHc4R3pRWEc3SitQTGhPbW53SHZKcy9iaWc4R3Blbi9TVjdScERjeGZuanVlaFhHbEhCUUZRWmRHa1ZNRVFCamNCL3RFRUhXcTVSUURiZXE3YjZOai9sd3hFMWlCbmtTL0syY1htR3VEZmxqN2VBdG9JdEw2TWpRR3NQZmhPM2NqVTg1elR5eFpoN2E4OXN1eHc4WGpqdEl4aXFjQXNlOE5rOHVaZXpJUzkzL1hDalJzR1F3cXoycEVuZzhVUjY3VWNJbHVzNjJDYTF3ejRVZnRrU2NEYVNVcEZLQXVSM0I4U01KbTdtNFVESjVxb1puaU40ZkFtMk94eENYZy91blptVCtwQzJCSlNGUTlxcEE1TjAzRndMVjFpUjhkMDhka28wZ1BnQ2RNQXJ5blBVY0RjbllHVXgxOHcyZ3o2SVFTRGNLRHNUc0hkZC8rTjR0QUIzNUI4YnRDM1g4ZmtBNys3OVRka3NxdlVrenUwQW9QZmpUWTJpbDd3eUQ0b2lZeHJhL2d2eERNaXZVYUNaQm9Yelg4RWpIVEJDU01wM1dnanNJYlJlZitlNUl2bGlpZWtuSXdESW5HUWp4L2FwcWtudDdtbGQzSy9PSGsxRGt6VnRCV1o3blBOSDNISzJ6cFE1aHJUQXhzMmNTcEhsd0VITHQvWUl6VjRLekxEZHdla056LzkzSHduWnZHbWkxcXhrRnp2WS84azh0VXV3NWhacVFXMlRpM2t1VFRuR21tWG84YWpHbUFHY3docWNQV1Q0OVM3RHJYNmRlRXRTemR3UjRZTGJmbFg1dllDd2lJMTNON0xkZHFjQnVva0hQR2dRcnJxdENYYjFYWmZrdEhsRkZUMVd2bzE5K3A3WllkL1NNQU5uMVpRd2pDb3orV1hzVU90U253MHVQRnN4Uy9mME9FRVNpL2VEVkRjTGcwdXpZdEVkbWNKU0FRalJkM0N3dlViWG5TMEFIVUxlbVFWRHY4RWFxVFVIcnp4V0w3bzZxNTRWQ1ZZdUpWYW8wVXIxRi93PT0=
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
LIXtroCI
URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Desktop\AS58i_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .aBBcBDcBbB
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
NTc2LVJzcnRCR1gvalNtaVFVeHlna3VmWE5DeUUvUHROOHp3SXhSbmtDT004YnNxRHZRamVyR3hjdGswejIvMHdNaUh6OTJzYitmTGx3cUJCRHNLZE5XNjI3MGlwa0oxa1VLK25tekVydkUyZThwVWh1MmFLTWhOYmtWOUJGVG4xb2tlQ2xuLyt6S0JvOVNJSVBVbHpudDhlbHRoR0NmcUVXKzVXOFIyY2NHdFJEaTlPL3grNXcwY3I2NUFFeWVkdVZmbXBPUHozdEZ5bHY3RDJ3Q3Fic0R1V2c4bW00V3o5Z1IxVGlPRTArYWM1RGc2b1FoU1dhejFURklDTkhHREkxV3EzY28va1FCV05UN0FXVGVNMlFGQXMrdUhaRzNmOGRuOW9XSGc3T3pFRStVLzBMN0h6OXduc2JWQithRXdjTnZTd0RsQzRrVmtZNUpZTU1FSE9rWUhsc0xjWWcrZmhTZzlsZXhWQ1c0bTlEQjZZSmxGZng5dk5kamRhaDV0NzlDTXNFZk5Dd2t0N0h3Zlp1NXIvbC9HVTJCK3R6SVFEUmZueW1yS0h1WnhnZmJGZmQxUlZjMGhRVUV3YU1RMzF4MGZSYkZOOTI0ekMxZEI2aXoxeVpzNXQveTJ1RXZuMUVUVGQ2THJKam5VQUhQMFBUOCs0N1YzTXNPUUFmcmlwUFRnMUE5RmJNUElDY3NET1VHdXZsOXczclpqOVhOWGczVS9qMk1KTmlZdDBEU3RrOVcvUUNySU1yMnlJRGRoRm9xQmx3ZFgxQUg2QThvRm1jVU9mUENSVTR1L1ZlUjVzUjQ4aXJwMkRQdU82TzNPc0NZa2wrZTN0eXVHeVIvTmR1em5mYXhHaWpuenR1WnRqSFBZUnNiOHVyQWxWaFdNYktxS0pBTzVWRGs5eVZ2Nld6Q1hneGxvM1JueEg3bmY5RTFjMG9waFZVWEV1ZW4wUXNXZ3FoVEFpQjUvdzU3SHZpS011UEFBVnlHMkNuVXJhS2JxSDFydjIyQ2NyUHlMZG9xdzlrMXdRclJ6Q2ZCRWlrdVU2eTVTdzd1RU1TeXBseC8zVng2cUlmeXVMWENTc1dCSU5GS213bVdrWTlTc3Z6dldQSzBUS002WEVJS0liRkttKzB4RVNVb0daTDV6UDhIUTVQZW5RZVZiRUVUdHhpVFZDbUdFYU41aUwwUzZNcTNscnBtOUNRM0tkeDNxaHoxNHVZWVpJZkNPcVl3Y3FxK1U2UmwzTkxsWU1hN1ZJKzlpd2NGV0FEL0ZNUGFvWkJLUm9iNWZmNjJGUW5yVHlRd3pxNTVyTENTT1NpM1l4a2FaeXhFMGIxaEc2azJhb3JNVXdBSkh0MGpqZlFKQ1UvQkdqS0tuMENrUTUrV3MwbERjMzVQMWhXenoybVgvN1BicWF6bnhKUy9aYm5EeHVrSjJtNXdDNG5tR3F4ODU4S2xBSjFiZjBGT2d3Sm9rODVVRjRpbmRiU1lwZ0JaMG0wZjhobCsvN1pDZlVTdFZqNlh4bTk5dW5yUW1zanZrTmdGbFpkV0FHVXQrUTk4UEU4L1NmR1FGblBrZTlFOG9BS0hidmNPMUVDVUY3TDZCNE8veDVRdjdqZlNzYTl0cjJVanFJZWRMNlZpdlNlUWliSlJVdnlxYUQrMW9ESnJHSUJFTGhqOGw5QmxGNjZreFJKenBna3c5VTgva1IxWUpJbHhQMGI1OU1aUGxXU2kyeFJEV3R0OHlTbURMbkN3OGVjVlpQMjdEbk9adUFZenREREkzTGFQbmwvT0ljRXpGTDFYdTlieXZtUlBZaFJONW5GMkJ3TXlyZzZJbFpJWHN4R2djdm1rOVh1ZzgzaGhoVEVVNjRRSXRQUDd0VE9rUUNoM2ZzbStYcnVWd2hXcWtvYnF5SWpNblBnWGs4L3ZDNHZaNGNiSno5TlUrZWJnSTJzbmg1NGErOVVUWEFEMXE1RDRnS1laVmIvaGZOcVB6MVM4aS9XanF4QzZWcFhObXZuT3psakhqdGFKOXRsQmF0aEJmVFkvbU5nQTE2emozRTY0NWUvY0s3dThjcGJtMDRFcUZOVkIwVHcxK3dnNUFXd1FPTHlzNWJiMUlBN3RhUHpyamphN081eUJyTkZWSXBFMHV6VUpJUHNuTW92NDdkVkNRUUl4UE9RPT0=
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
MCo
URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\AS58i_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .aBBcBDcBbB
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
[ID omitted]
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
W
URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Pictures\AS58i_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .aBBcBDcBbB
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
[ID omitted]
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
5wW43WkvjI
URLs

http://avaddonbotrxmuyl.onion

Targets

    • Target

      cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe

    • Size

      719KB

    • MD5

      275e4a63fc63c995b3e0d464919f211b

    • SHA1

      51d85210c2f621ca14d92a8375ee24d62f9d7f44

    • SHA256

      cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46

    • SHA512

      1723fb4a624859cb49f1d00100a44c5104a8a6ee4685b0e0988fa54f929dc7d70d171034577a17db2e6529d6c19b49d2ba023c4c98e9637f92981a3c1a5c9dac

    • SSDEEP

      12288:OR8hjUV679Aa4Auw3gveB17cOT1WHWEQTe0udkuHgCNU7SY/qgjjmJ/:quK679Aa4Auw3gveB1TGWEQSzXY/tjq/

    • Avaddon

      Ransomware-as-a-service first seen in June 2020. The operation announced its shutdown in June 2021 and released its victims' decryption keys, so this is a historical family; the 16-character .onion address in the note is a v2 onion service, a format Tor clients stopped supporting later in 2021.

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (179) files with added filename extension

      This is consistent with ransomware appending an extension to each file it encrypts; the extensions named in the dropped notes are .bDcebBDaC and .aBBcBDcBbB.

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
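The extracted notes above share one layout, and the Targets list reports files being renamed with an added extension. The following triage helper is an added example written for this page, not code from the sandbox or from the malware: it parses that note layout (encrypted-file extension, .onion contact address, victim ID) and scans a directory tree for the dropped notes and for files carrying the extension each note names. Assumptions: the note filename pattern (a 4 to 8 character alphanumeric prefix before `_readme_.txt`) is generalised from the two names on this page, ZfV6ho_readme_.txt and AS58i_readme_.txt; the embedded sample note reuses the page's text with the victim ID cut to its first 64 characters; and the directory tree it scans is constructed in a temporary folder. The victim IDs on this page are base64 and decode to ASCII beginning `576-`, which the parser exposes.

```python
"""Triage helper for an Avaddon-style ransomware hit.

Added example for this report, not code from the sandbox or from the malware.
It parses the ransom-note layout shown in the report (encrypted-file extension,
.onion contact address, victim ID) and walks a directory tree to find the dropped
notes and the files that carry the extension a note names.
"""
import base64
import binascii
import re
import tempfile
from pathlib import Path

# ASSUMPTION: a short alphanumeric prefix before _readme_.txt, generalised from the
# two names on the page (ZfV6ho_readme_.txt, AS58i_readme_.txt).
NOTE_NAME_RE = re.compile(r"^[A-Za-z0-9]{4,8}_readme_\.txt$")
EXT_RE = re.compile(r"have the extension:\s*(\.[A-Za-z0-9]+)")
ONION_RE = re.compile(r"\b([a-z2-7]{16,56}\.onion)\b")
ID_RE = re.compile(r"Your ID:\s*-{10,}\s*([A-Za-z0-9+/=]+)\s*-{10,}")

# Constructed from the note at C:\Users\Default\ZfV6ho_readme_.txt in the report;
# the ID is cut to its first 64 characters so the sample stays short.
SAMPLE_NOTE = """-------=== Your network has been infected! ===-------
All your documents, photos, databases and other important files have been encrypted and have the extension: .bDcebBDaC
You can get more information on our page, which is located in a Tor hidden network.
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
Your ID:
--------------------------------------------------------------------------------
NTc2LWYwL2NpRTMrMlBPekl4RldZazNvLzRZdmNjWllKQUdQaVFNeWVPR2hVK0R3
--------------------------------------------------------------------------------
* DO NOT MODIFY ENCRYPTED FILES!
"""


def parse_note(text: str) -> dict:
    """Pull the indicators a responder needs out of one ransom note."""
    ext = EXT_RE.search(text)
    onion = ONION_RE.search(text)
    vid = ID_RE.search(text)
    decoded = None
    if vid:
        try:
            # The IDs on this page are base64 and decode to ASCII beginning "576-".
            decoded = base64.b64decode(vid.group(1), validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            decoded = None  # keep the raw ID rather than guess at a malformed one
    return {
        "extension": ext.group(1) if ext else None,
        "onion": onion.group(1) if onion else None,
        "victim_id": vid.group(1) if vid else None,
        "victim_id_decoded": decoded,
    }


def triage_tree(root) -> dict:
    """Locate dropped notes under root and list files carrying the extension they name."""
    root = Path(root)
    files = [p for p in root.rglob("*") if p.is_file()]
    notes = []
    for p in files:
        if NOTE_NAME_RE.match(p.name):
            notes.append((p.relative_to(root).as_posix(), parse_note(p.read_text(errors="replace"))))
    encrypted_exts = sorted({n["extension"] for _, n in notes if n["extension"]})
    encrypted = sorted(p.relative_to(root).as_posix() for p in files if p.suffix in encrypted_exts)
    return {
        "notes": notes,
        "encrypted_extensions": encrypted_exts,
        "encrypted_files": encrypted,
        "onions": sorted({n["onion"] for _, n in notes if n["onion"]}),
    }


def build_sample_tree() -> str:
    """Constructed victim profile in a temp dir: one note, three renamed files, two untouched."""
    root = Path(tempfile.mkdtemp(prefix="avaddon-triage-"))
    layout = {
        "Users/Admin/Documents/ZfV6ho_readme_.txt": SAMPLE_NOTE,
        "Users/Admin/Documents/budget.xlsx.bDcebBDaC": "ciphertext",
        "Users/Admin/Pictures/holiday.jpg.bDcebBDaC": "ciphertext",
        "Users/Default/notes.txt.bDcebBDaC": "ciphertext",
        "Users/Admin/Documents/desktop.ini": "[.ShellClassInfo]",
        "Windows/System32/kernel32.dll": "untouched",
    }
    for rel, content in layout.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(content)
    return str(root)


if __name__ == "__main__":
    result = triage_tree(build_sample_tree())
    for path, note in result["notes"]:
        print(f"note {path}: ext={note['extension']} onion={note['onion']} id={note['victim_id_decoded']}")
    print(f"{len(result['encrypted_files'])} file(s) with {result['encrypted_extensions']}")
```

Point `triage_tree` at a mounted image or a file-share root; the per-extension file list is what you compare against the sandbox's "renames multiple (179) files" count and against backups when scoping recovery.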

MITRE ATT&CK Matrix (ATT&CK v13)

The number after each technique is the count of behaviour signatures above that mapped to it.

Privilege Escalation

  • Abuse Elevation Control Mechanism (T1548): 1

    • Bypass User Account Control (T1548.002): 1

Defense Evasion

  • Abuse Elevation Control Mechanism (T1548): 1

    • Bypass User Account Control (T1548.002): 1

  • Impair Defenses (T1562): 1

    • Disable or Modify Tools (T1562.001): 1

  • Modify Registry (T1112): 2

  • Indicator Removal (T1070): 2

    • File Deletion (T1070.004): 2

Discovery

  • System Information Discovery (T1082): 3

  • Query Registry (T1012): 1

  • Peripheral Device Discovery (T1120): 1

Impact

  • Inhibit System Recovery (T1490): 2
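The Impact row maps the "Deletes shadow copies" indicator to T1490 (Inhibit System Recovery). The report does not record which command the sample ran, so the detection below, an added example for this page rather than the sandbox's own signature, covers the built-in Windows tools commonly abused for that technique (vssadmin, wmic, wbadmin, bcdedit) and runs over constructed Sysmon-style process-creation events. The event field names (Image, ParentImage, CommandLine) follow Sysmon Event ID 1; the events themselves and the parent path C:\Users\Admin\Desktop\sample.exe are made up for the example.

```python
"""Detection for the "Deletes shadow copies" indicator (ATT&CK T1490, Inhibit System Recovery).

Added example for this report, not the sandbox's signature. The report does not
show the command the sample used, so the rules cover the built-in Windows tools
commonly abused for T1490; the events are constructed Sysmon-style process-creation
records, not taken from this analysis.
"""

# Constructed events. Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Users\Admin\Desktop\sample.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Users\Admin\Desktop\sample.exe",
     "CommandLine": "wmic.exe shadowcopy delete"},
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
    # Legitimate administrative use; must not alert.
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin list shadows"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict):
    """Return a reason string if the event matches a T1490 pattern, else None."""
    image = _basename(event.get("Image", ""))
    tokens = event.get("CommandLine", "").lower().split()

    def has(*words):
        return all(w in tokens for w in words)

    if image == "vssadmin.exe" and has("delete", "shadows"):
        return "vssadmin deleting volume shadow copies"
    if image == "wmic.exe" and has("shadowcopy", "delete"):
        return "wmic deleting volume shadow copies"
    if image == "wbadmin.exe" and has("delete") and ("catalog" in tokens or "systemstatebackup" in tokens):
        return "wbadmin removing backup catalog or system state backup"
    if image == "bcdedit.exe" and (has("recoveryenabled", "no") or has("bootstatuspolicy", "ignoreallfailures")):
        return "bcdedit disabling Windows recovery"
    return None


def detect(events):
    """Run classify over a stream of events and return structured alerts."""
    alerts = []
    for ev in events:
        reason = classify(ev)
        if reason is None:
            continue
        parent = ev.get("ParentImage", "")
        alerts.append({
            "technique": "T1490",
            "reason": reason,
            "command": ev.get("CommandLine", ""),
            "parent": _basename(parent),
            # A recovery-inhibiting tool spawned from a user-profile path is the shape a
            # ransomware payload produces; an administrator normally works from cmd/PowerShell.
            "parent_in_user_path": parent.lower().replace("/", "\\").startswith("c:\\users\\"),
        })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        flag = "HIGH" if a["parent_in_user_path"] else "medium"
        print(f"[{a['technique']}][{flag}] {a['reason']}: {a['command']} (parent {a['parent']})")
```

Token matching rather than substring matching keeps `vssadmin list shadows` quiet while still catching case variants of the delete form; the `parent_in_user_path` flag is what separates a likely payload from an administrator cleaning up snapshots.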

Tasks