Overview

overview

10

Static

static

10

c14dd4a083...28.exe

windows7-x64

10

c14dd4a083...28.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    40576b188c2853918f92214fb710a51a374dc2d502fccdb99931803e3812fbe3

  • Size

    199KB

  • Sample

    240417-qlg29shb64

  • MD5

    50e24a93beca40d77fbe0ae893f80297

  • SHA1

    d5d4172d5152eb2a80ea9002543462bb3173672b

  • SHA256

    40576b188c2853918f92214fb710a51a374dc2d502fccdb99931803e3812fbe3

  • SHA512

    e650a52ea252ea4303ab8be67d2813b88c10537939262b6e276573c47560c726890fb348a30ad48a4e5dec91281aa6136dd043f730b8bb1570db6b6a5741281a

  • SSDEEP

    6144:VcdxsPORHEzKZuxFDeivEfezTMn6V0pcIWhuJZQhQ:YeOqzKMxFDe2jzInWIW8JZiQ

Score
10/10
avaddonransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\a5HYE_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .BEecADEACA You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTgwNS1qQ0NjSENRVlVCWWREajFaL3ZTL2dmMnR3MVVMWUJ2UzRxeTNGdHFoZWZZa2owWFd6VlJYSFdkbS9pQm4zMmtrZmJwK29idnY0N0t4S1lublNmWnU4blIrU1BVQXB1cE9TekUrN1AzUGJEQ2E2c3YrenlyRFdnVFN6MEV0MXEzQkhlYmdjWHJZcnJZV3QyaUVyZEZHN3Bub1B1Mk5LSzJXdFJacks4OEM2VjFRdjhENldRY2gyTXlMd2hhVngwYTBRQy9lZGJ3MmJCcW02UmVwdll4ZW5DbzlLNTdOYWNqYnRvbnhsN2YvQjd4VlBneWU3blc1U25NbUxxYjNLN0lSNGRTYXVBam1VTWJlaVByK2Z5WFFvZS9jbE5pNURjRnBZM1N1K2FLNUllVVIrakhHdFZwcXpWdWNzOUgvZ1hIVDNTZjdHdDNDRmZMamtjUGpzb1FjMlY0ZFROSVRqU2VIVHB3RFZYWnZVV1ZxaTlWL3M5ZmpWNVMrUm5QeTJpc2gzcWRPbWVneXV4dTRTKzdnalFOZjVzVFUzcy9vNlBQTm9YbmFyUzcvNEI0NTJPNW9KYzQ5KzY4WHJtTVpIVkJDRFRNWFRvcXpuaUpjSEVVTGZXVWR0RWVmT3FFdWpCQXAyZXpBaWtHNlZFb3RiQndZZFZIWktmbU9YM2g2UkJCZ2w5b1k3ZnM0RFFiMTNOZUUwOGNROWVoR3IyRDRPYlozb3dCeGxRbXV2TUhzdVdob2pINzBMZGpnMW5HZ0NxL0tlMnFUU3RNVmxLc3ZMYWlLM2xBd2h5R2Q1bVVZdjhZcHQreitDZkh4RU1Sa1lkbi9URGg5KzlNTWhTcFY3WWpMMWZ0NjV6RDlETUlKQnNkTVhuMVcwelZSMWhsSXJVbE0veFFHbUgvdlN4bTVGVFhHMXhOa0V3Z25qdGMyNjVKMWRBemNSbUhnWlN2S1AxaTdiN2s2WmoramNKSmg4ZitpdGwya1hCNGhRK244K01MR1dLcWx4ODZJelF5Q1VFR3VVSG5VazF6eDRkdjBSdG5nZGZoL0lDdU8zeU1HaGZNMUJ1VHdJd0E5Q055Z1VyNnU1MmZRRytEY09jZUxvcmdLUjgwVUt5aDFCU1p3OXpaMzZCVTlOZUh5ZVVYK3N6d20zWUkrZEdiSWNJQ0FpQUZrZ05GZnZOa29ob3F1di9QK2JCdVFCTUROUVpRVis2THlRRHRZaksrQUViNEFycVByVG9SVzJnR3Y4R2RWNDQ2NnlyWG53eGkwK0Rwb3FIeHF2eDlhQjRxdFhOWE9oL3FqenFWK1BPMnBnRmt0eU5ieFBMN1BZRENCYnVaS3Z3MmtCeHF1ek5CS3hObi82c2RYbkQ3OVEraVQwRDVHY010eDBXWjJHRFdmcDFvVGJJUk5qZktOREpxT1NLbC9rRkJHYVVRRVB6aG5HOG1xQXRoRFZZby9MQWh4cjlPYkhnZC9OQ0pBcks0UURHRDlPZGRYNWIzcytGRTluejBmMm9BOGZ2UVVFWTV5SEFWSlhFOVFHQnZGVzdUSVloTElzSGZjZGF1RnltSmJTelhMR2k3bHZBOWdITnhnTlZCd2FGTXJjd1NiUENza3ZKcTZrbnJwTHZ5NGhLSkU2U1daNFBFNnNWTW1saTBTNTFUMkw4RnhBY3l2YmtWTWN1RnJENjlLaGhxVm9hN0lYN0VmZ1ZUMmdhUktzOXFESG9mdkZqQ2UxV0VLN1B4RjRDaDJ0Vi9YelNhTnIvR3BFeEdKbWpWTThMaXA0cXRkU3RhbkJjSDFZeVRhQWp0Y20xU1hCUzVabnEya3FYdnJlZWtBWW1UL01RV2p5Y3dlRitGSUZjQTBEVnVvWWNTTUFzV3NObjlhYU9mSU5ZUEJ5OVJTRTRGSVhSNUozeElMaTk1dStRK25WMUUvTVZrWWtFQVhsQXdWSGoyVy82MDR1RWRvckwrZHRBN05iVUhqcXM1T2ozRFRlL0UyYXlvVm5DVmo1dHlPa1dPSzZ2UTMvdlNnRUpDNXE0Mlo0ODBWM0xYZDlnTEFpTHZTVTdIUS9QcjUzamhRaFBuTHJRS1ZlQ0g2aytzYVl6SkhkUFYzWFhEeWpWUi9jbHdPZnhsLzJybDZON0pKZFJIbDllQkN3WTk5ZGR3dVdOZGdkdz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * npUIN2Iu1EoNPJZrHSkGTbsF6
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\a5HYE_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .BEecADEACA You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTgwNS1qQ0NjSENRVlVCWWREajFaL3ZTL2dmMnR3MVVMWUJ2UzRxeTNGdHFoZWZZa2owWFd6VlJYSFdkbS9pQm4zMmtrZmJwK29idnY0N0t4S1lublNmWnU4blIrU1BVQXB1cE9TekUrN1AzUGJEQ2E2c3YrenlyRFdnVFN6MEV0MXEzQkhlYmdjWHJZcnJZV3QyaUVyZEZHN3Bub1B1Mk5LSzJXdFJacks4OEM2VjFRdjhENldRY2gyTXlMd2hhVngwYTBRQy9lZGJ3MmJCcW02UmVwdll4ZW5DbzlLNTdOYWNqYnRvbnhsN2YvQjd4VlBneWU3blc1U25NbUxxYjNLN0lSNGRTYXVBam1VTWJlaVByK2Z5WFFvZS9jbE5pNURjRnBZM1N1K2FLNUllVVIrakhHdFZwcXpWdWNzOUgvZ1hIVDNTZjdHdDNDRmZMamtjUGpzb1FjMlY0ZFROSVRqU2VIVHB3RFZYWnZVV1ZxaTlWL3M5ZmpWNVMrUm5QeTJpc2gzcWRPbWVneXV4dTRTKzdnalFOZjVzVFUzcy9vNlBQTm9YbmFyUzcvNEI0NTJPNW9KYzQ5KzY4WHJtTVpIVkJDRFRNWFRvcXpuaUpjSEVVTGZXVWR0RWVmT3FFdWpCQXAyZXpBaWtHNlZFb3RiQndZZFZIWktmbU9YM2g2UkJCZ2w5b1k3ZnM0RFFiMTNOZUUwOGNROWVoR3IyRDRPYlozb3dCeGxRbXV2TUhzdVdob2pINzBMZGpnMW5HZ0NxL0tlMnFUU3RNVmxLc3ZMYWlLM2xBd2h5R2Q1bVVZdjhZcHQreitDZkh4RU1Sa1lkbi9URGg5KzlNTWhTcFY3WWpMMWZ0NjV6RDlETUlKQnNkTVhuMVcwelZSMWhsSXJVbE0veFFHbUgvdlN4bTVGVFhHMXhOa0V3Z25qdGMyNjVKMWRBemNSbUhnWlN2S1AxaTdiN2s2WmoramNKSmg4ZitpdGwya1hCNGhRK244K01MR1dLcWx4ODZJelF5Q1VFR3VVSG5VazF6eDRkdjBSdG5nZGZoL0lDdU8zeU1HaGZNMUJ1VHdJd0E5Q055Z1VyNnU1MmZRRytEY09jZUxvcmdLUjgwVUt5aDFCU1p3OXpaMzZCVTlOZUh5ZVVYK3N6d20zWUkrZEdiSWNJQ0FpQUZrZ05GZnZOa29ob3F1di9QK2JCdVFCTUROUVpRVis2THlRRHRZaksrQUViNEFycVByVG9SVzJnR3Y4R2RWNDQ2NnlyWG53eGkwK0Rwb3FIeHF2eDlhQjRxdFhOWE9oL3FqenFWK1BPMnBnRmt0eU5ieFBMN1BZRENCYnVaS3Z3MmtCeHF1ek5CS3hObi82c2RYbkQ3OVEraVQwRDVHY010eDBXWjJHRFdmcDFvVGJJUk5qZktOREpxT1NLbC9rRkJHYVVRRVB6aG5HOG1xQXRoRFZZby9MQWh4cjlPYkhnZC9OQ0pBcks0UURHRDlPZGRYNWIzcytGRTluejBmMm9BOGZ2UVVFWTV5SEFWSlhFOVFHQnZGVzdUSVloTElzSGZjZGF1RnltSmJTelhMR2k3bHZBOWdITnhnTlZCd2FGTXJjd1NiUENza3ZKcTZrbnJwTHZ5NGhLSkU2U1daNFBFNnNWTW1saTBTNTFUMkw4RnhBY3l2YmtWTWN1RnJENjlLaGhxVm9hN0lYN0VmZ1ZUMmdhUktzOXFESG9mdkZqQ2UxV0VLN1B4RjRDaDJ0Vi9YelNhTnIvR3BFeEdKbWpWTThMaXA0cXRkU3RhbkJjSDFZeVRhQWp0Y20xU1hCUzVabnEya3FYdnJlZWtBWW1UL01RV2p5Y3dlRitGSUZjQTBEVnVvWWNTTUFzV3NObjlhYU9mSU5ZUEJ5OVJTRTRGSVhSNUozeElMaTk1dStRK25WMUUvTVZrWWtFQVhsQXdWSGoyVy82MDR1RWRvckwrZHRBN05iVUhqcXM1T2ozRFRlL0UyYXlvVm5DVmo1dHlPa1dPSzZ2UTMvdlNnRUpDNXE0Mlo0ODBWM0xYZDlnTEFpTHZTVTdIUS9QcjUzamhRaFBuTHJRS1ZlQ0g2aytzYVl6SkhkUFYzWFhEeWpWUi9jbHdPZnhsLzJybDZON0pKZFJIbDllQkN3WTk5ZGR3dVdOZGdkdz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * AS58iE5hrqWwmjDtSyArAG1GSYpEN
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Music\a5HYE_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .BEecADEACA You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTgwNS1qQ0NjSENRVlVCWWREajFaL3ZTL2dmMnR3MVVMWUJ2UzRxeTNGdHFoZWZZa2owWFd6VlJYSFdkbS9pQm4zMmtrZmJwK29idnY0N0t4S1lublNmWnU4blIrU1BVQXB1cE9TekUrN1AzUGJEQ2E2c3YrenlyRFdnVFN6MEV0MXEzQkhlYmdjWHJZcnJZV3QyaUVyZEZHN3Bub1B1Mk5LSzJXdFJacks4OEM2VjFRdjhENldRY2gyTXlMd2hhVngwYTBRQy9lZGJ3MmJCcW02UmVwdll4ZW5DbzlLNTdOYWNqYnRvbnhsN2YvQjd4VlBneWU3blc1U25NbUxxYjNLN0lSNGRTYXVBam1VTWJlaVByK2Z5WFFvZS9jbE5pNURjRnBZM1N1K2FLNUllVVIrakhHdFZwcXpWdWNzOUgvZ1hIVDNTZjdHdDNDRmZMamtjUGpzb1FjMlY0ZFROSVRqU2VIVHB3RFZYWnZVV1ZxaTlWL3M5ZmpWNVMrUm5QeTJpc2gzcWRPbWVneXV4dTRTKzdnalFOZjVzVFUzcy9vNlBQTm9YbmFyUzcvNEI0NTJPNW9KYzQ5KzY4WHJtTVpIVkJDRFRNWFRvcXpuaUpjSEVVTGZXVWR0RWVmT3FFdWpCQXAyZXpBaWtHNlZFb3RiQndZZFZIWktmbU9YM2g2UkJCZ2w5b1k3ZnM0RFFiMTNOZUUwOGNROWVoR3IyRDRPYlozb3dCeGxRbXV2TUhzdVdob2pINzBMZGpnMW5HZ0NxL0tlMnFUU3RNVmxLc3ZMYWlLM2xBd2h5R2Q1bVVZdjhZcHQreitDZkh4RU1Sa1lkbi9URGg5KzlNTWhTcFY3WWpMMWZ0NjV6RDlETUlKQnNkTVhuMVcwelZSMWhsSXJVbE0veFFHbUgvdlN4bTVGVFhHMXhOa0V3Z25qdGMyNjVKMWRBemNSbUhnWlN2S1AxaTdiN2s2WmoramNKSmg4ZitpdGwya1hCNGhRK244K01MR1dLcWx4ODZJelF5Q1VFR3VVSG5VazF6eDRkdjBSdG5nZGZoL0lDdU8zeU1HaGZNMUJ1VHdJd0E5Q055Z1VyNnU1MmZRRytEY09jZUxvcmdLUjgwVUt5aDFCU1p3OXpaMzZCVTlOZUh5ZVVYK3N6d20zWUkrZEdiSWNJQ0FpQUZrZ05GZnZOa29ob3F1di9QK2JCdVFCTUROUVpRVis2THlRRHRZaksrQUViNEFycVByVG9SVzJnR3Y4R2RWNDQ2NnlyWG53eGkwK0Rwb3FIeHF2eDlhQjRxdFhOWE9oL3FqenFWK1BPMnBnRmt0eU5ieFBMN1BZRENCYnVaS3Z3MmtCeHF1ek5CS3hObi82c2RYbkQ3OVEraVQwRDVHY010eDBXWjJHRFdmcDFvVGJJUk5qZktOREpxT1NLbC9rRkJHYVVRRVB6aG5HOG1xQXRoRFZZby9MQWh4cjlPYkhnZC9OQ0pBcks0UURHRDlPZGRYNWIzcytGRTluejBmMm9BOGZ2UVVFWTV5SEFWSlhFOVFHQnZGVzdUSVloTElzSGZjZGF1RnltSmJTelhMR2k3bHZBOWdITnhnTlZCd2FGTXJjd1NiUENza3ZKcTZrbnJwTHZ5NGhLSkU2U1daNFBFNnNWTW1saTBTNTFUMkw4RnhBY3l2YmtWTWN1RnJENjlLaGhxVm9hN0lYN0VmZ1ZUMmdhUktzOXFESG9mdkZqQ2UxV0VLN1B4RjRDaDJ0Vi9YelNhTnIvR3BFeEdKbWpWTThMaXA0cXRkU3RhbkJjSDFZeVRhQWp0Y20xU1hCUzVabnEya3FYdnJlZWtBWW1UL01RV2p5Y3dlRitGSUZjQTBEVnVvWWNTTUFzV3NObjlhYU9mSU5ZUEJ5OVJTRTRGSVhSNUozeElMaTk1dStRK25WMUUvTVZrWWtFQVhsQXdWSGoyVy82MDR1RWRvckwrZHRBN05iVUhqcXM1T2ozRFRlL0UyYXlvVm5DVmo1dHlPa1dPSzZ2UTMvdlNnRUpDNXE0Mlo0ODBWM0xYZDlnTEFpTHZTVTdIUS9QcjUzamhRaFBuTHJRS1ZlQ0g2aytzYVl6SkhkUFYzWFhEeWpWUi9jbHdPZnhsLzJybDZON0pKZFJIbDllQkN3WTk5ZGR3dVdOZGdkdz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * W
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\a5HYE_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .BEecADEACA You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTgwNS1qQ0NjSENRVlVCWWREajFaL3ZTL2dmMnR3MVVMWUJ2UzRxeTNGdHFoZWZZa2owWFd6VlJYSFdkbS9pQm4zMmtrZmJwK29idnY0N0t4S1lublNmWnU4blIrU1BVQXB1cE9TekUrN1AzUGJEQ2E2c3YrenlyRFdnVFN6MEV0MXEzQkhlYmdjWHJZcnJZV3QyaUVyZEZHN3Bub1B1Mk5LSzJXdFJacks4OEM2VjFRdjhENldRY2gyTXlMd2hhVngwYTBRQy9lZGJ3MmJCcW02UmVwdll4ZW5DbzlLNTdOYWNqYnRvbnhsN2YvQjd4VlBneWU3blc1U25NbUxxYjNLN0lSNGRTYXVBam1VTWJlaVByK2Z5WFFvZS9jbE5pNURjRnBZM1N1K2FLNUllVVIrakhHdFZwcXpWdWNzOUgvZ1hIVDNTZjdHdDNDRmZMamtjUGpzb1FjMlY0ZFROSVRqU2VIVHB3RFZYWnZVV1ZxaTlWL3M5ZmpWNVMrUm5QeTJpc2gzcWRPbWVneXV4dTRTKzdnalFOZjVzVFUzcy9vNlBQTm9YbmFyUzcvNEI0NTJPNW9KYzQ5KzY4WHJtTVpIVkJDRFRNWFRvcXpuaUpjSEVVTGZXVWR0RWVmT3FFdWpCQXAyZXpBaWtHNlZFb3RiQndZZFZIWktmbU9YM2g2UkJCZ2w5b1k3ZnM0RFFiMTNOZUUwOGNROWVoR3IyRDRPYlozb3dCeGxRbXV2TUhzdVdob2pINzBMZGpnMW5HZ0NxL0tlMnFUU3RNVmxLc3ZMYWlLM2xBd2h5R2Q1bVVZdjhZcHQreitDZkh4RU1Sa1lkbi9URGg5KzlNTWhTcFY3WWpMMWZ0NjV6RDlETUlKQnNkTVhuMVcwelZSMWhsSXJVbE0veFFHbUgvdlN4bTVGVFhHMXhOa0V3Z25qdGMyNjVKMWRBemNSbUhnWlN2S1AxaTdiN2s2WmoramNKSmg4ZitpdGwya1hCNGhRK244K01MR1dLcWx4ODZJelF5Q1VFR3VVSG5VazF6eDRkdjBSdG5nZGZoL0lDdU8zeU1HaGZNMUJ1VHdJd0E5Q055Z1VyNnU1MmZRRytEY09jZUxvcmdLUjgwVUt5aDFCU1p3OXpaMzZCVTlOZUh5ZVVYK3N6d20zWUkrZEdiSWNJQ0FpQUZrZ05GZnZOa29ob3F1di9QK2JCdVFCTUROUVpRVis2THlRRHRZaksrQUViNEFycVByVG9SVzJnR3Y4R2RWNDQ2NnlyWG53eGkwK0Rwb3FIeHF2eDlhQjRxdFhOWE9oL3FqenFWK1BPMnBnRmt0eU5ieFBMN1BZRENCYnVaS3Z3MmtCeHF1ek5CS3hObi82c2RYbkQ3OVEraVQwRDVHY010eDBXWjJHRFdmcDFvVGJJUk5qZktOREpxT1NLbC9rRkJHYVVRRVB6aG5HOG1xQXRoRFZZby9MQWh4cjlPYkhnZC9OQ0pBcks0UURHRDlPZGRYNWIzcytGRTluejBmMm9BOGZ2UVVFWTV5SEFWSlhFOVFHQnZGVzdUSVloTElzSGZjZGF1RnltSmJTelhMR2k3bHZBOWdITnhnTlZCd2FGTXJjd1NiUENza3ZKcTZrbnJwTHZ5NGhLSkU2U1daNFBFNnNWTW1saTBTNTFUMkw4RnhBY3l2YmtWTWN1RnJENjlLaGhxVm9hN0lYN0VmZ1ZUMmdhUktzOXFESG9mdkZqQ2UxV0VLN1B4RjRDaDJ0Vi9YelNhTnIvR3BFeEdKbWpWTThMaXA0cXRkU3RhbkJjSDFZeVRhQWp0Y20xU1hCUzVabnEya3FYdnJlZWtBWW1UL01RV2p5Y3dlRitGSUZjQTBEVnVvWWNTTUFzV3NObjlhYU9mSU5ZUEJ5OVJTRTRGSVhSNUozeElMaTk1dStRK25WMUUvTVZrWWtFQVhsQXdWSGoyVy82MDR1RWRvckwrZHRBN05iVUhqcXM1T2ozRFRlL0UyYXlvVm5DVmo1dHlPa1dPSzZ2UTMvdlNnRUpDNXE0Mlo0ODBWM0xYZDlnTEFpTHZTVTdIUS9QcjUzamhRaFBuTHJRS1ZlQ0g2aytzYVl6SkhkUFYzWFhEeWpWUi9jbHdPZnhsLzJybDZON0pKZFJIbDllQkN3WTk5ZGR3dVdOZGdkdz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * MCo
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Desktop\vncx2_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .BdABBABDAE You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTgwNS1RMkY1anR2TmpTdXNGay9iSTZEVWx0M3ZGZGU5VWhFWTVROGUzcFM0WWF6bW9WWk15QUVqK2tWaTVnNDZ1VnYyUUVDVHFwcTJUN3l5RVpRaHo2UGNMNkxtZ2N6aS9qblRwbEtiNURiWFFOQ1hwVGJtVHYzcDY4MHRvSHRWcHpYMHoyYmFxSmxhMUlpT1JpZ3VkcVNXOVBGQVY4bXQxOXZxTktoRlNQS2I4MXBEVGZYcGVHMFkrR3VsZ2dZajZ5QlF6dldOakdZR2lWMko5T2gvM3U0NGhCU0dWRVRLYXkwdUtjTDRzYVRqWGJZaFJjQkhJYndhSFh3N1VGVEwreXM5WVFBNDR2MEw2RWhBeEhnb1BYY3NkcFZyN1pXNkFHU2tQL0xUUGFPU0thRGVDUHJaaXBuWFFIbWlmY29zN3VuanFocmVRR3haVWZXaXZyeEhqZ3FjdEo3VkhvUlRvTUxRdXp2VUtVSENuNzZvRDExdDA2UWdTWGdpSXBMUlh0RDhwUFlFSXZhOWgwTDJLcUp2MUM5UzRaM1Z1cC9pcHJ6bytZbGM3dmRIcThEZi9Idk53dEtKRG5tRUhhSVloRTdvVWxVWDJablAxSnVRWWY1WVVRZWFqUDI3cVMrSTQxL1lPNGRiemJvelFLaTlYMEttZjdSM3dIZGtGZ2NQVDdha2J0V3pCSkxoSUdBRUppQ3luUExpMFZUanp3bXV5S3ZFZytTNit5Z0tvK29GMC9nQWRqRnJWMER6Nlc0cHFGSWtNcW9kS1doTlI5RTZGZWpadVJhT21WQVFyVHRRUlZDTDR2K1ZnUnl6Y1JPQmNZUDQzTHJFbW12ekxzcUh3VmxzcTZvU2REMFpXcFpvS0o0czNkbjlEMFZCMndnOHdiNG9aSVJmUUd0Z05RdTNPcVg4eC8rK1pvMVQ0RnZqVVROVXdqSDlBS3ZaY212Wm9nOUNaRFcwODdhZnJ0d21MVUlVWWJ4N0t2QU9BZ0c2TS9lS1NaRG80NjJldE4vZ0JSRGJjTGVya3VCZ0cxdFFEWjRzVVdqWkw2K3NzdnVmaVhteng3NWY3aC9Id28vWk9uQmVJOVJEWGduZFdCMHBVU3VqaEZEbTJQaWZ0OFVZOVdUZWtqV1JTc0RQYis0bTJ6SzFVR1JENUx0OEJMaW9seTRJVGthS2JkYmtMSUdaOHFWMGtsc1lIcjNiMXdOYm91NktveUp3emdKTFFLMGxIYXpsZHhhdGNVNE1IQ1pjWFFPbjA4M0V4Y2VyRCtWUWo1REIyZ3VzbVpwQXZ5Vlh5YWdBUEx4bE9pVjl3SjArQmFRZDFSTUhWaUxVdWJUUVRNL0FsVGkyUm1nVU5hOWNlUGwzay9XYlpxbzN4VDBiL3RIemZzNzQ2b0NzTjZObTZTVEZ4dXlzT2xzdnF4MHdOaGZlL2xNSHJkUWxwQVJxY3hrWDdHd2dWcXNJeHFsdVBibDNteFh2c1dBOXRjWEFOTGZ2YmRpZkp1bnFUOXc4eWs2SmRrYlYyOXNRUU53aC8rVTRQQ2ZRT0tBaC9pNkRzaGVaQWlsQkorODFjbmhHUE5NTytpazNQNWpNbDh4dXM4VFpKT0RkaC9yTDlwV3dFZWt5a2NuNVA2U2RLQ3QwZ3ZTY2Mrc0RBY0xXRVhxcnBBSnBqNkVnM0cvWjJKaENGZi9uZVJuZkN0MlJLVFkwY05ibS9RTXZpN3JUbEFOOGp4NHBpUGZ6Rk1wakVhYk01T3ZlcTlrVHl6VkxPbjJTUlhSZml4UXVLaksyaDNYNFZwT2JlWTFsQ3RUS2tMcStleVFkMmlQbW5FcG5vQjZZU3AyR0QyVk1qaXFIZm9JNGlOc2hQUFY0LzRXZFFDNHd3Sk1CNkhaMjg3QVNiOU9ub3RvajdVQ3paSmk2Q0dOUVcreFFkRTQ5NVc2d0phL1dMNWx3YlNoTFkwSFdVWUMvMGt2WHh5cjRBbzVnNHZLa2VoYXVFanFnWldNMEdsODUyUVBJNkgwMVQ2OFplSGZCaXoyOWI1UTN4Rng1ZjlERFdZUTg0S3Y4REdiZ2diaXRXTmxaN2ZRamZmd29yT2p4dHJmMFNCNlRST1R0TnlxWGEwbnpUbUg1MUlDY3FEYlJOaUZFVEtUb0pHc0d4d1hEaDdtU2I4a0dJZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * V9QX2
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\vncx2_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .BdABBABDAE You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTgwNS1RMkY1anR2TmpTdXNGay9iSTZEVWx0M3ZGZGU5VWhFWTVROGUzcFM0WWF6bW9WWk15QUVqK2tWaTVnNDZ1VnYyUUVDVHFwcTJUN3l5RVpRaHo2UGNMNkxtZ2N6aS9qblRwbEtiNURiWFFOQ1hwVGJtVHYzcDY4MHRvSHRWcHpYMHoyYmFxSmxhMUlpT1JpZ3VkcVNXOVBGQVY4bXQxOXZxTktoRlNQS2I4MXBEVGZYcGVHMFkrR3VsZ2dZajZ5QlF6dldOakdZR2lWMko5T2gvM3U0NGhCU0dWRVRLYXkwdUtjTDRzYVRqWGJZaFJjQkhJYndhSFh3N1VGVEwreXM5WVFBNDR2MEw2RWhBeEhnb1BYY3NkcFZyN1pXNkFHU2tQL0xUUGFPU0thRGVDUHJaaXBuWFFIbWlmY29zN3VuanFocmVRR3haVWZXaXZyeEhqZ3FjdEo3VkhvUlRvTUxRdXp2VUtVSENuNzZvRDExdDA2UWdTWGdpSXBMUlh0RDhwUFlFSXZhOWgwTDJLcUp2MUM5UzRaM1Z1cC9pcHJ6bytZbGM3dmRIcThEZi9Idk53dEtKRG5tRUhhSVloRTdvVWxVWDJablAxSnVRWWY1WVVRZWFqUDI3cVMrSTQxL1lPNGRiemJvelFLaTlYMEttZjdSM3dIZGtGZ2NQVDdha2J0V3pCSkxoSUdBRUppQ3luUExpMFZUanp3bXV5S3ZFZytTNit5Z0tvK29GMC9nQWRqRnJWMER6Nlc0cHFGSWtNcW9kS1doTlI5RTZGZWpadVJhT21WQVFyVHRRUlZDTDR2K1ZnUnl6Y1JPQmNZUDQzTHJFbW12ekxzcUh3VmxzcTZvU2REMFpXcFpvS0o0czNkbjlEMFZCMndnOHdiNG9aSVJmUUd0Z05RdTNPcVg4eC8rK1pvMVQ0RnZqVVROVXdqSDlBS3ZaY212Wm9nOUNaRFcwODdhZnJ0d21MVUlVWWJ4N0t2QU9BZ0c2TS9lS1NaRG80NjJldE4vZ0JSRGJjTGVya3VCZ0cxdFFEWjRzVVdqWkw2K3NzdnVmaVhteng3NWY3aC9Id28vWk9uQmVJOVJEWGduZFdCMHBVU3VqaEZEbTJQaWZ0OFVZOVdUZWtqV1JTc0RQYis0bTJ6SzFVR1JENUx0OEJMaW9seTRJVGthS2JkYmtMSUdaOHFWMGtsc1lIcjNiMXdOYm91NktveUp3emdKTFFLMGxIYXpsZHhhdGNVNE1IQ1pjWFFPbjA4M0V4Y2VyRCtWUWo1REIyZ3VzbVpwQXZ5Vlh5YWdBUEx4bE9pVjl3SjArQmFRZDFSTUhWaUxVdWJUUVRNL0FsVGkyUm1nVU5hOWNlUGwzay9XYlpxbzN4VDBiL3RIemZzNzQ2b0NzTjZObTZTVEZ4dXlzT2xzdnF4MHdOaGZlL2xNSHJkUWxwQVJxY3hrWDdHd2dWcXNJeHFsdVBibDNteFh2c1dBOXRjWEFOTGZ2YmRpZkp1bnFUOXc4eWs2SmRrYlYyOXNRUU53aC8rVTRQQ2ZRT0tBaC9pNkRzaGVaQWlsQkorODFjbmhHUE5NTytpazNQNWpNbDh4dXM4VFpKT0RkaC9yTDlwV3dFZWt5a2NuNVA2U2RLQ3QwZ3ZTY2Mrc0RBY0xXRVhxcnBBSnBqNkVnM0cvWjJKaENGZi9uZVJuZkN0MlJLVFkwY05ibS9RTXZpN3JUbEFOOGp4NHBpUGZ6Rk1wakVhYk01T3ZlcTlrVHl6VkxPbjJTUlhSZml4UXVLaksyaDNYNFZwT2JlWTFsQ3RUS2tMcStleVFkMmlQbW5FcG5vQjZZU3AyR0QyVk1qaXFIZm9JNGlOc2hQUFY0LzRXZFFDNHd3Sk1CNkhaMjg3QVNiOU9ub3RvajdVQ3paSmk2Q0dOUVcreFFkRTQ5NVc2d0phL1dMNWx3YlNoTFkwSFdVWUMvMGt2WHh5cjRBbzVnNHZLa2VoYXVFanFnWldNMEdsODUyUVBJNkgwMVQ2OFplSGZCaXoyOWI1UTN4Rng1ZjlERFdZUTg0S3Y4REdiZ2diaXRXTmxaN2ZRamZmd29yT2p4dHJmMFNCNlRST1R0TnlxWGEwbnpUbUg1MUlDY3FEYlJOaUZFVEtUb0pHc0d4d1hEaDdtU2I4a0dJZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * LIXtroCI
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Music\vncx2_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .BdABBABDAE You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTgwNS1RMkY1anR2TmpTdXNGay9iSTZEVWx0M3ZGZGU5VWhFWTVROGUzcFM0WWF6bW9WWk15QUVqK2tWaTVnNDZ1VnYyUUVDVHFwcTJUN3l5RVpRaHo2UGNMNkxtZ2N6aS9qblRwbEtiNURiWFFOQ1hwVGJtVHYzcDY4MHRvSHRWcHpYMHoyYmFxSmxhMUlpT1JpZ3VkcVNXOVBGQVY4bXQxOXZxTktoRlNQS2I4MXBEVGZYcGVHMFkrR3VsZ2dZajZ5QlF6dldOakdZR2lWMko5T2gvM3U0NGhCU0dWRVRLYXkwdUtjTDRzYVRqWGJZaFJjQkhJYndhSFh3N1VGVEwreXM5WVFBNDR2MEw2RWhBeEhnb1BYY3NkcFZyN1pXNkFHU2tQL0xUUGFPU0thRGVDUHJaaXBuWFFIbWlmY29zN3VuanFocmVRR3haVWZXaXZyeEhqZ3FjdEo3VkhvUlRvTUxRdXp2VUtVSENuNzZvRDExdDA2UWdTWGdpSXBMUlh0RDhwUFlFSXZhOWgwTDJLcUp2MUM5UzRaM1Z1cC9pcHJ6bytZbGM3dmRIcThEZi9Idk53dEtKRG5tRUhhSVloRTdvVWxVWDJablAxSnVRWWY1WVVRZWFqUDI3cVMrSTQxL1lPNGRiemJvelFLaTlYMEttZjdSM3dIZGtGZ2NQVDdha2J0V3pCSkxoSUdBRUppQ3luUExpMFZUanp3bXV5S3ZFZytTNit5Z0tvK29GMC9nQWRqRnJWMER6Nlc0cHFGSWtNcW9kS1doTlI5RTZGZWpadVJhT21WQVFyVHRRUlZDTDR2K1ZnUnl6Y1JPQmNZUDQzTHJFbW12ekxzcUh3VmxzcTZvU2REMFpXcFpvS0o0czNkbjlEMFZCMndnOHdiNG9aSVJmUUd0Z05RdTNPcVg4eC8rK1pvMVQ0RnZqVVROVXdqSDlBS3ZaY212Wm9nOUNaRFcwODdhZnJ0d21MVUlVWWJ4N0t2QU9BZ0c2TS9lS1NaRG80NjJldE4vZ0JSRGJjTGVya3VCZ0cxdFFEWjRzVVdqWkw2K3NzdnVmaVhteng3NWY3aC9Id28vWk9uQmVJOVJEWGduZFdCMHBVU3VqaEZEbTJQaWZ0OFVZOVdUZWtqV1JTc0RQYis0bTJ6SzFVR1JENUx0OEJMaW9seTRJVGthS2JkYmtMSUdaOHFWMGtsc1lIcjNiMXdOYm91NktveUp3emdKTFFLMGxIYXpsZHhhdGNVNE1IQ1pjWFFPbjA4M0V4Y2VyRCtWUWo1REIyZ3VzbVpwQXZ5Vlh5YWdBUEx4bE9pVjl3SjArQmFRZDFSTUhWaUxVdWJUUVRNL0FsVGkyUm1nVU5hOWNlUGwzay9XYlpxbzN4VDBiL3RIemZzNzQ2b0NzTjZObTZTVEZ4dXlzT2xzdnF4MHdOaGZlL2xNSHJkUWxwQVJxY3hrWDdHd2dWcXNJeHFsdVBibDNteFh2c1dBOXRjWEFOTGZ2YmRpZkp1bnFUOXc4eWs2SmRrYlYyOXNRUU53aC8rVTRQQ2ZRT0tBaC9pNkRzaGVaQWlsQkorODFjbmhHUE5NTytpazNQNWpNbDh4dXM4VFpKT0RkaC9yTDlwV3dFZWt5a2NuNVA2U2RLQ3QwZ3ZTY2Mrc0RBY0xXRVhxcnBBSnBqNkVnM0cvWjJKaENGZi9uZVJuZkN0MlJLVFkwY05ibS9RTXZpN3JUbEFOOGp4NHBpUGZ6Rk1wakVhYk01T3ZlcTlrVHl6VkxPbjJTUlhSZml4UXVLaksyaDNYNFZwT2JlWTFsQ3RUS2tMcStleVFkMmlQbW5FcG5vQjZZU3AyR0QyVk1qaXFIZm9JNGlOc2hQUFY0LzRXZFFDNHd3Sk1CNkhaMjg3QVNiOU9ub3RvajdVQ3paSmk2Q0dOUVcreFFkRTQ5NVc2d0phL1dMNWx3YlNoTFkwSFdVWUMvMGt2WHh5cjRBbzVnNHZLa2VoYXVFanFnWldNMEdsODUyUVBJNkgwMVQ2OFplSGZCaXoyOWI1UTN4Rng1ZjlERFdZUTg0S3Y4REdiZ2diaXRXTmxaN2ZRamZmd29yT2p4dHJmMFNCNlRST1R0TnlxWGEwbnpUbUg1MUlDY3FEYlJOaUZFVEtUb0pHc0d4d1hEaDdtU2I4a0dJZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * hu9GBVU51aZ
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Targets

    • Target

      c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe

    • Size

      483KB

    • MD5

      53717dc73f61b0f9551cb62d6fca2e4a

    • SHA1

      1ca9304e86632b147852767c85c57e08bdfc8855

    • SHA256

      c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028

    • SHA512

      ae6ff8377d89cd3d1686c5a6bd7bb398bb975e4e52f7db5fbb0550783d77648558f03a13a9751d0cb6ed993621b12980d54777385802dd4c014ec22ae8d33552

    • SSDEEP

      12288:WcvbX8rMmSZJ8t9ZITyDpFGIOyA4muT5WFExk8y:/zMr1SZJ8t9ZITyNzOt4dVy

    Score
    10/10
    avaddonransomware

    • Avaddon

      Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

      ransomwareavaddon

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Renames multiple (207) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Resource Development

Reconnaissance

Tasks