avaddon

Sharing

Copy URL

Twitter E-mail

General

Target

b6f83cc09345f058e475a34658a3a37a9ed5ee9227082c5726ad44570b83aa0f
Size

329KB
Sample

240417-qlk4xsaf8x
MD5

960c710f57ef27f1d2a88d00cefec852
SHA1

d1e52525621e67638d8e4d528018520d161ac2ff
SHA256

b6f83cc09345f058e475a34658a3a37a9ed5ee9227082c5726ad44570b83aa0f
SHA512

b2323eb0e54e751b019c176c29f85b4c2780529d1fd79377185bf4e26de95b7b955a305bfd2364e39fa9e897d3a55830286f88fd59cb24fab030ca518c0a12b5
SSDEEP

6144:R38S1pPKkIFGILvIGcUYuc1z6BEcqYTILTg4sVuk9P+6n+T3tJI8Njb1IPw:RMkodLgD9uc1zFjLW0k+6ni9Jtb1IPw

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\42k7W_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .cbBDadeEC You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjAwNC1qamdJM29mVkNIQkNvNWR3VUdnZk1WQ0NONnhCdTRheXF6YW8wY3c4KzgwNk53ZjEzVnVZb1JDM1JINzJUUHpyZE1ueWlCQjlyWktabWQxQUxIQTVNcmNtNXE2MlJNTHM5VGJtc0lQSUZUSzJONUV3TXIxalhDNEI1N2F6bUlkOEZyYTgzQTc5M0hxZXdiODhXN1dXT294VWZKM0FzTnF0Sk4zYi9FQXpCWlV4bFVMWkk0UjdyN0xlNXk5STJhV0JRaFNiNy9CcVJvbkNGVzMxK2d3OTBjUzcxMWRZbk5nalNvNjgzWWYvZDR5QzlWdGdrSDlxWFkzbHdEeEU2VkZNajQ4WWZTZTNnTm1RWWpGK1dBc3cwY3BqWmt1Zk1LQk1CbDdWZnhFblhndzdlR0RWU2tNZHRVQzJQTzZ3WU9KV2NjWm9IQW1SSkNTN3dlR3BWTENTRXNWTnhYTkZNdGxsZEZwK2RiRGxHTWd3OHIyMzdycmo0MzlwMERSNDJDTG5pdjFuSDlkRkR6QUZWc011OVY5aVpqeTdaM05QOGxnVFFRQ0R2ZTJjWDQvR1ZaNGpsWjZSOHRUcnVPaXRQSnR4VTBvTndwZHhucDlmZDVHOGhzbEkxNDZXa3A2aWtBNnYxR3Q3ck1LNTl3emFLeElERkFneDl0VjUvY0xxUlFFNXVqcERqR1pUUnlwYldWenNUT3g3M0xYWHkvWHpnWks3ZGk0Ti8zdENZZUkzaUNraWtlcUY3Y3MrbWhyUGRNZDRRQXgzNW82TUlzWHpzRG42MHhVWS9heU1JWlF2elBrbzFsRDFPZVRhUXJjdUJBM0V4ZGh1UXRiRW56OHRrZjJFSFBKS0kvRysyWGhpSkcwb2JoOEF2N2lQRmNrZ2hsNUlRaGt5andsWUR1OVplZCtBSkpDK0FKV2oxTWdkamtvN0d6ZXVPdVFUaVQzL3ZIQ0VORUJKVEFvMWJPYVFEb0VBNFYzS2RqUzNaTko2U0dYMVFQbjg3VHZ6aFRVWVRwKzh4WTBuWmRMSlVwUFd3eWpyK3p6VWJiMXB2QkJ0VFlndWJ5WkN4UWVLeUs4eVVnM0pORkZ3a0lYOHBFOW53RU8vRm9lVHh2OTF2VFBLUzFHUU9sNHFERjBYWk8yb1ZmdlIvRlFBc0xmdDQ3ekFUcE1TUHFmZXdON21Ibmh5ajl3bzJialpZT3EyUkF5eEwyYkM0TWdJUVgwMlF3U2srTDIwL2k3ek5FNVAwbFhWV1Vta0J3QVN2Wmo1ZWxKS2h1cmduaXhLSXk3UnlpQy9sUk0xbDZENFE5aGxhS1YrR256azRpVmd5cFA2aHBrdC84VGU4SG1EWjMxWEZLWUhjdno4S25OU0g4NTY2aldyMTh5a3owWmxSWk42ZW1jZWdzQ3dzSVNzaFRsSXRZclZTOTJGK0w2bzRZYVR1ZzBUbHdTU0pHOFpKQW5EMUUwZXBUdGpBY1RxTjF1R0xXOGtBbnF4bDRFcG5Tandqdlg0UVptSTZHUWxxclUvb1piakRQTklSYXY1MXlWaSthR1NLS2VkMlhpNWZJcC9HQ3lCOGYzbXFYY25udkZlWm9YOEUrYXl2b2dYMDk1UGd0WGpycXRTR05ySG13NDE0TkpZL2Qrd3hEbmpMVUFodDlmdU5wUnBzWTJJL1dmQ1hOaHd5RVo1WEY0SitNMEFYNUR4K3BrNkljeS9tNWdOQmpkREJlcDZzbzJWN0pLVExidWNCTmxUeDRzWWlwRFZ1MkcwMFRkTW01SFFPdmlNV1ZGZTdaOU10ODJURHFMZzA4TzhUakhlejRxUy9Qb0ZBRHBpYzdleUd3aDZSZmxFL1ZRY3ZxR2Zicy93bVFtYXVQSGdnaDdwbzdvNWhJTE9aZmlXMGlPZllrVDR1TmxXYU1VWGYySStRdTRoNytZbWVIK2k4WkQ5MTZzb3I1T3hiS0VPSXJuSjJNNmp3UnNObGF3eHZsVzZRc2p5RkVlQkFZbC9RZXYvMUpiWUtLckh5K0NTVkdHYmNaVTZnRGdrd3pmaE1jcUxVbUlrc3FKaGYzTU5RQk9XakVDbFM4YjhQYm03L1NzckcyUXhPM3NFdmlUQlViNE1JM0RZdGk0bm9Ga3BTd28yU3FrVFZ2WjF3Yjh5ckFoeE9YdEkvZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * T1f3rVQdje8PxchPwFoD1cQyxey

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Desktop\42k7W_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\42k7W_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Favorites\MSN Websites\42k7W_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Public\Pictures\Sample Pictures\42k7W_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Desktop\wY8RO_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .BaCCeaacea You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjAwNC01dGp3RHZ1eTI0a2NIWkpzUGpqMzEzdzlFYW9zeGlBZXRCblF3NDd1Z1BxRzU0NHk0K09HazZmNm13aXZjNTZDOVVTUTZvZ2lmL1VNb1BNN0FjaGhQVTZzc2RNbm5mV25FdUxOR3BvOUJjNEZ3dk9STjZXT21ERkRhdnIrWUR5cHUxK2xJSDE3enc3QWk4aWJFd3ZidGdwcmdSS0RGdDJaMGpUNWpCaDRmMy9xMmdLNWhuUTdrcDI3R0Z2L0g1VkhoN01QS2syMlJ4SG10bHVFVGFIM3ErMUd3bU9xVFVuVHZqa054ek9KRElnbTRJcTNscFoxMktmZTNRV1BWTEM0RFZjS1VEL1dyTGZqalgwMmxsNmRZanhmMnRBZ29icEFCVFhXWDVYRVQyVkhLTkdDVWJleEljRXZMNEcvc3FxOXZRN2U3SjVJRjQ4QlZ0Rms5eUJuV1YvYlJKQjMvOU9ucUJUb2hQSllCeVl5OE1tL0s2TE52ZG5oTzNwSTlTNUtrYnI0czNxV05MNTE0dVA0ckFGN3RWYmc2R2xSalk2ZjhSZjVRaUp0ODVDa3g0MnY3N05JM1NvRGZpaXZydkxJTk9vRU5hTDhvMVdCUXdiQ0Z1am5mL1JqdGZEcXdPa0RLamp2QmVYUW5qR3BEUzM1emF1WFFIeUVJZ001NmsvSlBGVFQ2bU9jVWZ4ZWFTVDNSa3NYTFg2T2RrNmZBS213WWNlUjFoWUZuNFQ3N1c3Z2hpelVnMDY3MmgxVUV2MUxXTCtJT25aVjMwaVIxTUNXaWhkeHhtU3ppT3JDZFdMU2FqbytidHcvaWNrb2tSZkhFZitFUGtGU1ZqNWJJa0VCQWlTYVhpMTJSSSt1WStiVUo5YWFxSTdaNWc5T0xkTE1HTjRmbDB2QnY1Z3RpOCs4L1JHRXlrbjAzbWFZNGl5MzlxNVdnNnlqTndVS1lScis3K1Y3bnBJNUFRWU5ETHFxRVV0c2FpWG1ybWY0M2NIeWFQQ1hPQ1FFbTU2Z2FZMjdwNXJ5YkplK2pqVXp4cHlKU09NSHRkcjd3VGF4SjlaV3VBRXM1ZEJBSnlHb3M1b0VhK09mUzJ5RWU2cFY5QTFBcnFGU0M2eURoeG9TeDFHdXljZ1hjVEtUTTdLVjY1Y3dOeVhpUnJ0bWlISFBqZHJpcTl0ZE9RT2wvajVzU2k5dUdveDQ4NmVFb0VwWHlDSVM5bEZlRWJaZlN3eUpjSHk1RFFkTXY2U2k1ZTZTTnhkb1AzSzdWUHVZeUxHTHN5LzVKSEkrRkJHMjAwZEdQM3EyZWZ5RU1yU1Fpd25WSmtYaWpMMFNqVHBpekJBWjdJNVIvYnhzWE81ZUZ1bXU5UFFYVVA1Sm9tcDdTMlhpbEg2TDl3djdqaGNvc2ttVkE0cnFacE1yb0hMeCtmTWZVK0VKSnA1V2t1cXBUVEI3UkNoRVdPcFp1SVZjMWMrU2hPSFptbExhTkpGcE9hUjMwZUNCSWcxVTJOTXV1NUthc1hHeUkvREZQVmwydGQrQU15blpaOUM2VUwvYmlscEs0YVZqNHJGNjFEYmREVENsRU5LdDlVSzdvVjhRQ3RTdXFKYTRpaDNoNnF0eVdtZy9VWG1lQ21TTWNCWGcwZ2hGRU5WVmhSQ0l0MFo5NjdzRTBmUEpHRUFNeDZNcllrRHlBS1ZPN1U2OXJmVzM4UTJaaFZGOWo3bU1HdFJ2NmtFMXBVbE1sM2xsZ3Ixd1h0NVMwUlFxRGR2U2ZLSW8xQlBZdUtJY0RzbVNtRUUrbTkrK3ZZQnk3WFkydGpSbTFRZXU0Q1lqc3dYckFMaVFvRk1KSnZlMTV5Q1pVakF6elI5VHNkWlludDZHOWtWQ3BQaklUTU5OekNldG9FQXNjbktLMVJXMUtza2lLdFpEQW1OQ1FPODJXdWlLT2tjV2ZsZnRXdDdyK1E1bG51Rkk2cjZkcXhLSEdIb2tsNzVDTjJQeisvNm9PVDI1OG1ReVl2NUs4SmpEUXB4STdlelN2NWdrQ2FPOTgzQ0xNN2E3M0Ixbjlyb0hxU0hRREVIVU5EUlA5M1JCVjRZdURLS1d0d0FNenJ0RTRNb2ZqYlJGY29kb1BBWDdnTVlLWmo2YTZiRUNocThQc2pyak5TeEFWMHJQS1QrWDE0SXdRdz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * IhjICvJ3PWnLUI1bffbg

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Music\wY8RO_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .BaCCeaacea You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjAwNC01dGp3RHZ1eTI0a2NIWkpzUGpqMzEzdzlFYW9zeGlBZXRCblF3NDd1Z1BxRzU0NHk0K09HazZmNm13aXZjNTZDOVVTUTZvZ2lmL1VNb1BNN0FjaGhQVTZzc2RNbm5mV25FdUxOR3BvOUJjNEZ3dk9STjZXT21ERkRhdnIrWUR5cHUxK2xJSDE3enc3QWk4aWJFd3ZidGdwcmdSS0RGdDJaMGpUNWpCaDRmMy9xMmdLNWhuUTdrcDI3R0Z2L0g1VkhoN01QS2syMlJ4SG10bHVFVGFIM3ErMUd3bU9xVFVuVHZqa054ek9KRElnbTRJcTNscFoxMktmZTNRV1BWTEM0RFZjS1VEL1dyTGZqalgwMmxsNmRZanhmMnRBZ29icEFCVFhXWDVYRVQyVkhLTkdDVWJleEljRXZMNEcvc3FxOXZRN2U3SjVJRjQ4QlZ0Rms5eUJuV1YvYlJKQjMvOU9ucUJUb2hQSllCeVl5OE1tL0s2TE52ZG5oTzNwSTlTNUtrYnI0czNxV05MNTE0dVA0ckFGN3RWYmc2R2xSalk2ZjhSZjVRaUp0ODVDa3g0MnY3N05JM1NvRGZpaXZydkxJTk9vRU5hTDhvMVdCUXdiQ0Z1am5mL1JqdGZEcXdPa0RLamp2QmVYUW5qR3BEUzM1emF1WFFIeUVJZ001NmsvSlBGVFQ2bU9jVWZ4ZWFTVDNSa3NYTFg2T2RrNmZBS213WWNlUjFoWUZuNFQ3N1c3Z2hpelVnMDY3MmgxVUV2MUxXTCtJT25aVjMwaVIxTUNXaWhkeHhtU3ppT3JDZFdMU2FqbytidHcvaWNrb2tSZkhFZitFUGtGU1ZqNWJJa0VCQWlTYVhpMTJSSSt1WStiVUo5YWFxSTdaNWc5T0xkTE1HTjRmbDB2QnY1Z3RpOCs4L1JHRXlrbjAzbWFZNGl5MzlxNVdnNnlqTndVS1lScis3K1Y3bnBJNUFRWU5ETHFxRVV0c2FpWG1ybWY0M2NIeWFQQ1hPQ1FFbTU2Z2FZMjdwNXJ5YkplK2pqVXp4cHlKU09NSHRkcjd3VGF4SjlaV3VBRXM1ZEJBSnlHb3M1b0VhK09mUzJ5RWU2cFY5QTFBcnFGU0M2eURoeG9TeDFHdXljZ1hjVEtUTTdLVjY1Y3dOeVhpUnJ0bWlISFBqZHJpcTl0ZE9RT2wvajVzU2k5dUdveDQ4NmVFb0VwWHlDSVM5bEZlRWJaZlN3eUpjSHk1RFFkTXY2U2k1ZTZTTnhkb1AzSzdWUHVZeUxHTHN5LzVKSEkrRkJHMjAwZEdQM3EyZWZ5RU1yU1Fpd25WSmtYaWpMMFNqVHBpekJBWjdJNVIvYnhzWE81ZUZ1bXU5UFFYVVA1Sm9tcDdTMlhpbEg2TDl3djdqaGNvc2ttVkE0cnFacE1yb0hMeCtmTWZVK0VKSnA1V2t1cXBUVEI3UkNoRVdPcFp1SVZjMWMrU2hPSFptbExhTkpGcE9hUjMwZUNCSWcxVTJOTXV1NUthc1hHeUkvREZQVmwydGQrQU15blpaOUM2VUwvYmlscEs0YVZqNHJGNjFEYmREVENsRU5LdDlVSzdvVjhRQ3RTdXFKYTRpaDNoNnF0eVdtZy9VWG1lQ21TTWNCWGcwZ2hGRU5WVmhSQ0l0MFo5NjdzRTBmUEpHRUFNeDZNcllrRHlBS1ZPN1U2OXJmVzM4UTJaaFZGOWo3bU1HdFJ2NmtFMXBVbE1sM2xsZ3Ixd1h0NVMwUlFxRGR2U2ZLSW8xQlBZdUtJY0RzbVNtRUUrbTkrK3ZZQnk3WFkydGpSbTFRZXU0Q1lqc3dYckFMaVFvRk1KSnZlMTV5Q1pVakF6elI5VHNkWlludDZHOWtWQ3BQaklUTU5OekNldG9FQXNjbktLMVJXMUtza2lLdFpEQW1OQ1FPODJXdWlLT2tjV2ZsZnRXdDdyK1E1bG51Rkk2cjZkcXhLSEdIb2tsNzVDTjJQeisvNm9PVDI1OG1ReVl2NUs4SmpEUXB4STdlelN2NWdrQ2FPOTgzQ0xNN2E3M0Ixbjlyb0hxU0hRREVIVU5EUlA5M1JCVjRZdURLS1d0d0FNenJ0RTRNb2ZqYlJGY29kb1BBWDdnTVlLWmo2YTZiRUNocThQc2pyak5TeEFWMHJQS1QrWDE0SXdRdz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * eJKeX76ME8VQMjfdffbg

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Targets

- Target
  
  0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
- Size
  
  775KB
- MD5
  
  2d2a5a22bc983829cfb4627a271fbd4e
- SHA1
  
  c0fc01350ae774f3817d71710d9a6e9adaba441f
- SHA256
  
  0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b
- SHA512
  
  8237f6db84a2339827e4044929df58597733d04f8e56c621394f2c2b79c06dc9fb3e64373d0205c0f14372173875b2487d178472eda6837da2ef20187285ad0d
- SSDEEP
  
  24576:+Csq9+OXLpMePfI8TgmBTCDqEbOpPtpFaoxfq:YxOXLpMePfzVTCD7gPtLa4fq
Score

10^/10

avaddon evasion ransomware trojan
- Avaddon
  Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
  ransomware avaddon
- Avaddon payload
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (208) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Executes dropped EXE
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2