General

  • Target

    RNSM00482.7z

  • Size

    27.9MB

  • Sample

    240915-13lf5avdne

  • MD5

    9bf6d6ed36fbce36dfa9c23d594d677b

  • SHA1

    c922fcf9bc1dcbf8bbd992acd4834a8110e40477

  • SHA256

    2f4c48af21206e7be9d0a59ebd7ced2b5f2638dad52f76389adb5317fddf9a2e

  • SHA512

    ed422d7e350246861d7ff2d56cd86f925233a5682686517f73e645cccc4ea2dd146a78811dc9389872ec0bd8c7bc2327a8f37fed905f0b8c48c4b5655076f9b7

  • SSDEEP

    786432:uD9Xo4F/hdhUY+mF9nb5QTqEtTH+3+U5Pe2n1GlBINEyFnx:qYu5dO3yJ5QTtTHq+2f9dx

Malware Config

Extracted

Family

djvu

C2

http://securebiz.org/fhsgtsspen6/get.php

Attributes

  • extension

    .tisc

  • offline_id

    uFHwN7bjwCkJEeUg8JHISzLqrwudidH8XsPzHDt1

  • payload_url

    http://znpst.top/dl/build2.exe

    http://securebiz.org/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-1JwFK5rT39 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0336gSd743d

rsa_pubkey.plain

Extracted

Path

C:\Users\GET_YOUR_FILES_BACK.txt

Family

avoslocker

Ransom Note
Attention! Your files have been encrypted using AES-256. We highly suggest not shutting down your computer in case encryption process is not finished, as your files may get corrupted. In order to decrypt your files, you must pay for the decryption key & application. You may do so by visiting us at http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly. The corporations whom don't pay or fail to respond in a swift manner can be found in our blog, accessible at http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion Message from agent: Your clients files downloaded from your network and publish on our blog just in 3 day if you fail to pay the $135,000 in 3 days. Your ID: e3000da7b506c32094bbcd168f4047c1d5e05ef06cdde8f5d5a7faa4023fc506
URLs

http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion

http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Extracted

Path

C:\Read Me.TXT

Ransom Note
Made by Cerebrate - Dread Forums TOR [http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/]

[Q1] What happened, I cannot open my files and they have an odd extension?
[A1] Your files have been encrypted by Redeemer, a new ransomware operation.
[Q2] Is there any way to recover my files?
[A2] Yes, you can recover your files. This will however cost you money in XMR (Monero).
[Q3] Is there any way to recover my files without paying?
[A3] Without paying it is impossible your files. Redeemer uses most secure algorithms and a sophisticated encryption scheme which guarantees security. Without a proper key, you will never regain access to your files.
[Q4] What is XMR (Monero)?
[A4] It is a privacy oriented cryptocurrency. You can learn more about Monero on getmonero.org. You can view ways to purchase it on www.monero.how/how-to-buy-monero.
[Q5] How will I decrypt my files?
[A5] Follow the general instructions:
-1. Buy 20 XMR.
-2. Contact [email protected] and send the following key: -----BEGIN REDEEMER PUBLIC KEY----- MzUndiRYV+e8g3gHPa9XoJTl8lk67EWZN/7k3enqLXEg9gzK53 uefBCVyOZtGWEpJ9E86ieElygcWCljyw9lvnuELxma34Nc2amh OjNHxdV1i5Oa5i/+SaHsbsxb5C4GwBfM2YKjt9OvlpMHPvAOQv /z42gTaJs7k2seo8gMdtR/5ohhISnn9a209hdmnpNqfW++094B rahBD0cQxPmCGb5S1N/HWZzajD4MxYHUJNYSlmU3BCZ2Tripj9 BSoMfxnBruhMeXV2Wol0guKLEpxuXN2nN2tPpdBZ72tfmXitT9 UAENpqAwPNraEs+fsQduR2P3wV9pdtKGpnhzUohGUDapT1+Ffx gEYrqmP5L2BxwANj+Fk6tUcrO7WVzRrhJkMBgg1RbIAanxL49N er9HMsMIC9dQXTABux8zWJCVTIHXsiiqfA9BqGeq7TdSxA2t/j bQQYmjD6GY33vhcB4wZlrqoGekaM3ZIQHzPuAjWcyur/T5kuF/ PLWKaHnhVfksTvKVfDJ5c5D3BJemWczG9OS2RpAQbdSZ+gS9er SoYc7LiQaHwgbJ7iL+Xua3/Jh75id7ulXJRTxGm7Z76US1yvL6 +VRdPvrWU4B7dSyyp222cv3+CZEwit9g1lVcnAokS5q7o82Fmr NLbKSoO7m/Fa4lOSbMYTUvT6qQlUFKtQ2wJg== -----END REDEEMER PUBLIC KEY-----
-3. You will receive an XMR address where you will need to pay the requested amount of Monero.
-4. After you pay and the payment is verified, you will receive a decryption tool and a key which will restore all your files and your computer back to normal.

Extracted

Path

F:\Program Files\FoxitReader\bin\!! READ ME !!.txt

Ransom Note
Good day. All your files are encrypted. For decryption contact us. Write here [email protected] reserve [email protected] jabber [email protected] We also inform that your databases, ftp server and file server were downloaded by us to our servers. If we do not receive a message from you within three days, we regard this as a refusal to negotiate. Check our platform: http://cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion/ * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Do not stop process of encryption, because partial encryption cannot be decrypted.
URLs

http://cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion/

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Targets

    • Target

      RNSM00482.7z

    • Avoslocker Ransomware

      Avoslocker is a relatively new ransomware that was observed in late June and early July 2021.

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Detect MafiaWare666 ransomware

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • GandCrab payload

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • MafiaWare666 Ransomware

      MafiaWare666 is ransomware written in C# with multiple variants.

    • Modifies WinLogon for persistence

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Urelas

      Urelas is a trojan targeting card games.

    • Clears Windows event logs

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Creates new service(s)

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • Stops running service(s)

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Modifies file permissions

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Uses Tor communications

      Malware can proxy its traffic through Tor for more anonymity.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Sets desktop wallpaper using registry
