Overview

overview

10

Static

static

1

RNSM00441.7z

windows10-2004-x64

10

Resubmissions

24-10-2024 20:28

241024-y8ymjashkr 10

24-10-2024 19:39

241024-ydabfsscpe 1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RNSM00441.7z

  • Size

    53.5MB

  • Sample

    241024-y8ymjashkr

  • MD5

    1f07deb824d20334eca9d63413320f1f

  • SHA1

    56067bd17bbe30dfde1b4105924688227931f668

  • SHA256

    adc85b9fc63f672336e015658cfa59663940299f1c7e7cb3c867423606f85c5a

  • SHA512

    2aa3e8aa6df2a4832c22c92b4e8f78725296e201b777ffed0ef6ffccdd53f09eb82ec6e40b0e67cf9dfff869af156e6136832ddf9948d3a090c6bba977fd7bd4

  • SSDEEP

    1572864:PW+3Sr6Ioq3gdUBA1cE6K7HPLmgk3CRlTRCrwb9Zs3:PWSsoqwWAYCvnkyPlCrw9Zs3

Score
10/10
avaddonconticrimsonratgandcrabagilenetbackdoorcredential_accessdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwareratspywarestealertrojanupx

Malware Config

Extracted

Family

crimsonrat

C2

107.175.1.103

Extracted

Path

C:\Program Files\Common Files\DESIGNER\Read_Me.txt

Ransom Note
Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://24cduc2htewrcv37.onion/?ZQXPGDPQ 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/
URLs

http://24cduc2htewrcv37.onion/?ZQXPGDPQ

http://helpqvrg3cc5mvb3.onion/

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.top/ YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- FQ6C1V320lsGoEpDS1i4SFkTzLnOQ9vSXpwMwYdsE7CL2myTZeHVHuuqtzHQGOpB ---END ID---
URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.top/

Extracted

Path

C:\Users\Admin\3D Objects\6iMSN88k_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bdbaCDdddE You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1PcHovSGJxMER6Y2c0Q1lwTDEyaGdtV2RTaGFxaVk4QXpBZFNSRzhrakdKSklzbG9WK0xCci9kVDcxcnpicU1GY21oUU44NVVjb0tLdHdrNmpVQmRma1prMEVsVXdsOERqdmYzdlBTSm55dFptdUpVT05CM0pXRnNYeWZMSm0zK2I0TGpvU0J0RmJNT3RETmxqbHowa3ZnNk1RZEE0dmVGT1Y5K2l5NWhwd0VZWnlEcGJ1TmFGTk1oN0FtazZqeEVDSWRpeTNSRm9rVGpTZUIvYmRFU1g5N1hjVEhUczc4MmNvY2dtb2diWVBqUHpDeFYwd0I1Wi80eEVhQ25ORStwWTJ4V084aFpGTVF5dWRRRWhNY0toaVJ1ZUtpbENYVkVnb3Vud3dicUZlNUQrczNQclJvcEJmNmZpNkIyd2ZjbnQvWlk2am1IRXlPcytBVWJZRDR6MDZCcW04NUZHN0lobFlmbE5NdnZvUStIcUc4RlhLS2hJeml2Yk5ONXFaR1l0K01Rb1NyV2k2cWFCY0J4ZmRkY2ltS0swZ0c0VnBUQXR0WFZTanZ4T00vSlg0M1dvdURKNTU5cWZIVmdWaTI5S1A2ODBzZDIvOVVSZkRYN095SVBXNXU2ZVk4VlpUSDlvTG1EUy9iQlBKSXFpdWVpUEhDVXA1TUpna0toSlBYMlRNTyt5SmNOZzJlMUFPMnlFNy9GQUhlMXc1R01WazFyelZXMitOcHVVUFFCcklVZERSMUxTVURlcDhTMGFranlEMHdpNXd0clB0T3RHelBUVHJ0a05EWXByKzNVR3ZteGIxM2dPNTJpZlY5elRlVFUyejJlYWtRbWZTaDBrYU1KVHA5dUowM2V6UFFla0VRU0V4dmNRclFrRmNwQTNON3lMQWNkZG12TUd0SzJkOURLd0pZRStVbjRIdk5ZMFBwVUQvam5jMTFLR2V1dWRranByQXVtdWZTdG93Q3dRSmU5WnVvWUFTbkU2NXduV0oxTFhlSDRpOWl4VDJjTzlkMWEvdmdCb3hrdk5FQTBBRFZFM1VCdFNySEs5Rk04V2Urc2dWcjlVOGpOWUNOVEtnTmNzaG9tZnNVUjJwOGMyMzBmMHc1VGFISVdHa3ZPcEJVbmZSenJseVNSbWdKSllvZks5cVFSTlNsWktacU9nRDd1RXFVN2k1TVZwQmZYRzExMDhqTSs2MkVTWW9NeVI0bDlRMHl5UnU0ZlVYRThsLzBrcHFlVzl6Y1dwSVdnQ295a0g1Uy8xczFtOHgxRWl4T1piaWVIU09zZEVISnVQcHJFSVBwdDRlWkhMK3VaaEVGU0xWYnh6M1p0SUgybE5LMnUvbjRJU2J1dk5BRFl4R051NGxiWkR4VmJYaG5Xd2RkVnpRRWlXdGIwY2d4M2NFZE9PT3B2QTBJV1BETlVMQnhxckxtNHFkUHIxL2g5aEp0YWtScEthUUV1RVBCTTJpNlpkTkpCbjduTnJCMFRxY2lEc2F6T0RnTHlITUQwSTYzeXhVZmZJUFdRUUdwaXpDK3hOb1hTTlIrSldUeHNrNXhyVW54V056cmJvUXNPNkZnczZnNDJrL3YweGdFK1hXQzNTVXhQd2EyUk9odHM0NmFkbFlGYXd0RWlTT0xPUUl2UXhsK0lZeEpQSmVaeGV6Y1Q2b1h6WkE2UzQ2Q0Y2WXZkWDNRQ3VtWk0yM1piaGsvVFoxUVpEampCa3ZiTk1UZTZYU3JmK1hwQzg5aFlza3g4dTRlbTVuZDVjTEVWZU84c0dOVUVHM0NvbUJKU1MxNENQazdDY3YyR2RqbmxaVTFFaW8yZW16T2RQUUtuL3crVVY3ci8rK0NRZmZpdWxld0w2Ym5kUHM2bjdqcE1lVGN6eWlFUm9DQnVEbit1YUtDMnAxZERSbmExQ2hvYktHYU00TWpTaXdlRzNtUUIxaGpwaFJ5TWZROWluQlBhZVJDUFZhNFV2R21DMXBtSzd6eGFpZUpNZ0V2TlhOMFRyUzVuWkRnWmNvbWFVZTFwTHlhRGJuY253cGxWem5SSXg3dHhadUlRNGJuZjhWczlHVm51UUlhODdrdGE4dFFJVG1nNW1Ob2I2VDNIcERENXhnT0tBWTlKNjR4WVU4elJQSFl6V1VSbW1iVU5jN0wvNFdiWGVKS1dMMk8yRFhtNkVhQVpMMkQ2NkE0aHlOMjA3VmtjZURLdEliVWNKVnhRR05OR2VWb0k4THFGWHlRUHBiUXRrYyt6UGc9PQ== -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * ARvYCcVKXzdOG1jPY6J2vGLV
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Desktop\00441\6iMSN88k_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bdbaCDdddE You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1PcHovSGJxMER6Y2c0Q1lwTDEyaGdtV2RTaGFxaVk4QXpBZFNSRzhrakdKSklzbG9WK0xCci9kVDcxcnpicU1GY21oUU44NVVjb0tLdHdrNmpVQmRma1prMEVsVXdsOERqdmYzdlBTSm55dFptdUpVT05CM0pXRnNYeWZMSm0zK2I0TGpvU0J0RmJNT3RETmxqbHowa3ZnNk1RZEE0dmVGT1Y5K2l5NWhwd0VZWnlEcGJ1TmFGTk1oN0FtazZqeEVDSWRpeTNSRm9rVGpTZUIvYmRFU1g5N1hjVEhUczc4MmNvY2dtb2diWVBqUHpDeFYwd0I1Wi80eEVhQ25ORStwWTJ4V084aFpGTVF5dWRRRWhNY0toaVJ1ZUtpbENYVkVnb3Vud3dicUZlNUQrczNQclJvcEJmNmZpNkIyd2ZjbnQvWlk2am1IRXlPcytBVWJZRDR6MDZCcW04NUZHN0lobFlmbE5NdnZvUStIcUc4RlhLS2hJeml2Yk5ONXFaR1l0K01Rb1NyV2k2cWFCY0J4ZmRkY2ltS0swZ0c0VnBUQXR0WFZTanZ4T00vSlg0M1dvdURKNTU5cWZIVmdWaTI5S1A2ODBzZDIvOVVSZkRYN095SVBXNXU2ZVk4VlpUSDlvTG1EUy9iQlBKSXFpdWVpUEhDVXA1TUpna0toSlBYMlRNTyt5SmNOZzJlMUFPMnlFNy9GQUhlMXc1R01WazFyelZXMitOcHVVUFFCcklVZERSMUxTVURlcDhTMGFranlEMHdpNXd0clB0T3RHelBUVHJ0a05EWXByKzNVR3ZteGIxM2dPNTJpZlY5elRlVFUyejJlYWtRbWZTaDBrYU1KVHA5dUowM2V6UFFla0VRU0V4dmNRclFrRmNwQTNON3lMQWNkZG12TUd0SzJkOURLd0pZRStVbjRIdk5ZMFBwVUQvam5jMTFLR2V1dWRranByQXVtdWZTdG93Q3dRSmU5WnVvWUFTbkU2NXduV0oxTFhlSDRpOWl4VDJjTzlkMWEvdmdCb3hrdk5FQTBBRFZFM1VCdFNySEs5Rk04V2Urc2dWcjlVOGpOWUNOVEtnTmNzaG9tZnNVUjJwOGMyMzBmMHc1VGFISVdHa3ZPcEJVbmZSenJseVNSbWdKSllvZks5cVFSTlNsWktacU9nRDd1RXFVN2k1TVZwQmZYRzExMDhqTSs2MkVTWW9NeVI0bDlRMHl5UnU0ZlVYRThsLzBrcHFlVzl6Y1dwSVdnQ295a0g1Uy8xczFtOHgxRWl4T1piaWVIU09zZEVISnVQcHJFSVBwdDRlWkhMK3VaaEVGU0xWYnh6M1p0SUgybE5LMnUvbjRJU2J1dk5BRFl4R051NGxiWkR4VmJYaG5Xd2RkVnpRRWlXdGIwY2d4M2NFZE9PT3B2QTBJV1BETlVMQnhxckxtNHFkUHIxL2g5aEp0YWtScEthUUV1RVBCTTJpNlpkTkpCbjduTnJCMFRxY2lEc2F6T0RnTHlITUQwSTYzeXhVZmZJUFdRUUdwaXpDK3hOb1hTTlIrSldUeHNrNXhyVW54V056cmJvUXNPNkZnczZnNDJrL3YweGdFK1hXQzNTVXhQd2EyUk9odHM0NmFkbFlGYXd0RWlTT0xPUUl2UXhsK0lZeEpQSmVaeGV6Y1Q2b1h6WkE2UzQ2Q0Y2WXZkWDNRQ3VtWk0yM1piaGsvVFoxUVpEampCa3ZiTk1UZTZYU3JmK1hwQzg5aFlza3g4dTRlbTVuZDVjTEVWZU84c0dOVUVHM0NvbUJKU1MxNENQazdDY3YyR2RqbmxaVTFFaW8yZW16T2RQUUtuL3crVVY3ci8rK0NRZmZpdWxld0w2Ym5kUHM2bjdqcE1lVGN6eWlFUm9DQnVEbit1YUtDMnAxZERSbmExQ2hvYktHYU00TWpTaXdlRzNtUUIxaGpwaFJ5TWZROWluQlBhZVJDUFZhNFV2R21DMXBtSzd6eGFpZUpNZ0V2TlhOMFRyUzVuWkRnWmNvbWFVZTFwTHlhRGJuY253cGxWem5SSXg3dHhadUlRNGJuZjhWczlHVm51UUlhODdrdGE4dFFJVG1nNW1Ob2I2VDNIcERENXhnT0tBWTlKNjR4WVU4elJQSFl6V1VSbW1iVU5jN0wvNFdiWGVKS1dMMk8yRFhtNkVhQVpMMkQ2NkE0aHlOMjA3VmtjZURLdEliVWNKVnhRR05OR2VWb0k4THFGWHlRUHBiUXRrYyt6UGc9PQ== -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * 13WuXpIeNbLTcxrRjcD9bvTWxFG
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Contacts\6iMSN88k_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bdbaCDdddE You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1PcHovSGJxMER6Y2c0Q1lwTDEyaGdtV2RTaGFxaVk4QXpBZFNSRzhrakdKSklzbG9WK0xCci9kVDcxcnpicU1GY21oUU44NVVjb0tLdHdrNmpVQmRma1prMEVsVXdsOERqdmYzdlBTSm55dFptdUpVT05CM0pXRnNYeWZMSm0zK2I0TGpvU0J0RmJNT3RETmxqbHowa3ZnNk1RZEE0dmVGT1Y5K2l5NWhwd0VZWnlEcGJ1TmFGTk1oN0FtazZqeEVDSWRpeTNSRm9rVGpTZUIvYmRFU1g5N1hjVEhUczc4MmNvY2dtb2diWVBqUHpDeFYwd0I1Wi80eEVhQ25ORStwWTJ4V084aFpGTVF5dWRRRWhNY0toaVJ1ZUtpbENYVkVnb3Vud3dicUZlNUQrczNQclJvcEJmNmZpNkIyd2ZjbnQvWlk2am1IRXlPcytBVWJZRDR6MDZCcW04NUZHN0lobFlmbE5NdnZvUStIcUc4RlhLS2hJeml2Yk5ONXFaR1l0K01Rb1NyV2k2cWFCY0J4ZmRkY2ltS0swZ0c0VnBUQXR0WFZTanZ4T00vSlg0M1dvdURKNTU5cWZIVmdWaTI5S1A2ODBzZDIvOVVSZkRYN095SVBXNXU2ZVk4VlpUSDlvTG1EUy9iQlBKSXFpdWVpUEhDVXA1TUpna0toSlBYMlRNTyt5SmNOZzJlMUFPMnlFNy9GQUhlMXc1R01WazFyelZXMitOcHVVUFFCcklVZERSMUxTVURlcDhTMGFranlEMHdpNXd0clB0T3RHelBUVHJ0a05EWXByKzNVR3ZteGIxM2dPNTJpZlY5elRlVFUyejJlYWtRbWZTaDBrYU1KVHA5dUowM2V6UFFla0VRU0V4dmNRclFrRmNwQTNON3lMQWNkZG12TUd0SzJkOURLd0pZRStVbjRIdk5ZMFBwVUQvam5jMTFLR2V1dWRranByQXVtdWZTdG93Q3dRSmU5WnVvWUFTbkU2NXduV0oxTFhlSDRpOWl4VDJjTzlkMWEvdmdCb3hrdk5FQTBBRFZFM1VCdFNySEs5Rk04V2Urc2dWcjlVOGpOWUNOVEtnTmNzaG9tZnNVUjJwOGMyMzBmMHc1VGFISVdHa3ZPcEJVbmZSenJseVNSbWdKSllvZks5cVFSTlNsWktacU9nRDd1RXFVN2k1TVZwQmZYRzExMDhqTSs2MkVTWW9NeVI0bDlRMHl5UnU0ZlVYRThsLzBrcHFlVzl6Y1dwSVdnQ295a0g1Uy8xczFtOHgxRWl4T1piaWVIU09zZEVISnVQcHJFSVBwdDRlWkhMK3VaaEVGU0xWYnh6M1p0SUgybE5LMnUvbjRJU2J1dk5BRFl4R051NGxiWkR4VmJYaG5Xd2RkVnpRRWlXdGIwY2d4M2NFZE9PT3B2QTBJV1BETlVMQnhxckxtNHFkUHIxL2g5aEp0YWtScEthUUV1RVBCTTJpNlpkTkpCbjduTnJCMFRxY2lEc2F6T0RnTHlITUQwSTYzeXhVZmZJUFdRUUdwaXpDK3hOb1hTTlIrSldUeHNrNXhyVW54V056cmJvUXNPNkZnczZnNDJrL3YweGdFK1hXQzNTVXhQd2EyUk9odHM0NmFkbFlGYXd0RWlTT0xPUUl2UXhsK0lZeEpQSmVaeGV6Y1Q2b1h6WkE2UzQ2Q0Y2WXZkWDNRQ3VtWk0yM1piaGsvVFoxUVpEampCa3ZiTk1UZTZYU3JmK1hwQzg5aFlza3g4dTRlbTVuZDVjTEVWZU84c0dOVUVHM0NvbUJKU1MxNENQazdDY3YyR2RqbmxaVTFFaW8yZW16T2RQUUtuL3crVVY3ci8rK0NRZmZpdWxld0w2Ym5kUHM2bjdqcE1lVGN6eWlFUm9DQnVEbit1YUtDMnAxZERSbmExQ2hvYktHYU00TWpTaXdlRzNtUUIxaGpwaFJ5TWZROWluQlBhZVJDUFZhNFV2R21DMXBtSzd6eGFpZUpNZ0V2TlhOMFRyUzVuWkRnWmNvbWFVZTFwTHlhRGJuY253cGxWem5SSXg3dHhadUlRNGJuZjhWczlHVm51UUlhODdrdGE4dFFJVG1nNW1Ob2I2VDNIcERENXhnT0tBWTlKNjR4WVU4elJQSFl6V1VSbW1iVU5jN0wvNFdiWGVKS1dMMk8yRFhtNkVhQVpMMkQ2NkE0aHlOMjA3VmtjZURLdEliVWNKVnhRR05OR2VWb0k4THFGWHlRUHBiUXRrYyt6UGc9PQ== -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * NC7HL15RDD32VNVTP9eHm6c3KPUZAu
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Desktop\00441\6iMSN88k_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bdbaCDdddE You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1PcHovSGJxMER6Y2c0Q1lwTDEyaGdtV2RTaGFxaVk4QXpBZFNSRzhrakdKSklzbG9WK0xCci9kVDcxcnpicU1GY21oUU44NVVjb0tLdHdrNmpVQmRma1prMEVsVXdsOERqdmYzdlBTSm55dFptdUpVT05CM0pXRnNYeWZMSm0zK2I0TGpvU0J0RmJNT3RETmxqbHowa3ZnNk1RZEE0dmVGT1Y5K2l5NWhwd0VZWnlEcGJ1TmFGTk1oN0FtazZqeEVDSWRpeTNSRm9rVGpTZUIvYmRFU1g5N1hjVEhUczc4MmNvY2dtb2diWVBqUHpDeFYwd0I1Wi80eEVhQ25ORStwWTJ4V084aFpGTVF5dWRRRWhNY0toaVJ1ZUtpbENYVkVnb3Vud3dicUZlNUQrczNQclJvcEJmNmZpNkIyd2ZjbnQvWlk2am1IRXlPcytBVWJZRDR6MDZCcW04NUZHN0lobFlmbE5NdnZvUStIcUc4RlhLS2hJeml2Yk5ONXFaR1l0K01Rb1NyV2k2cWFCY0J4ZmRkY2ltS0swZ0c0VnBUQXR0WFZTanZ4T00vSlg0M1dvdURKNTU5cWZIVmdWaTI5S1A2ODBzZDIvOVVSZkRYN095SVBXNXU2ZVk4VlpUSDlvTG1EUy9iQlBKSXFpdWVpUEhDVXA1TUpna0toSlBYMlRNTyt5SmNOZzJlMUFPMnlFNy9GQUhlMXc1R01WazFyelZXMitOcHVVUFFCcklVZERSMUxTVURlcDhTMGFranlEMHdpNXd0clB0T3RHelBUVHJ0a05EWXByKzNVR3ZteGIxM2dPNTJpZlY5elRlVFUyejJlYWtRbWZTaDBrYU1KVHA5dUowM2V6UFFla0VRU0V4dmNRclFrRmNwQTNON3lMQWNkZG12TUd0SzJkOURLd0pZRStVbjRIdk5ZMFBwVUQvam5jMTFLR2V1dWRranByQXVtdWZTdG93Q3dRSmU5WnVvWUFTbkU2NXduV0oxTFhlSDRpOWl4VDJjTzlkMWEvdmdCb3hrdk5FQTBBRFZFM1VCdFNySEs5Rk04V2Urc2dWcjlVOGpOWUNOVEtnTmNzaG9tZnNVUjJwOGMyMzBmMHc1VGFISVdHa3ZPcEJVbmZSenJseVNSbWdKSllvZks5cVFSTlNsWktacU9nRDd1RXFVN2k1TVZwQmZYRzExMDhqTSs2MkVTWW9NeVI0bDlRMHl5UnU0ZlVYRThsLzBrcHFlVzl6Y1dwSVdnQ295a0g1Uy8xczFtOHgxRWl4T1piaWVIU09zZEVISnVQcHJFSVBwdDRlWkhMK3VaaEVGU0xWYnh6M1p0SUgybE5LMnUvbjRJU2J1dk5BRFl4R051NGxiWkR4VmJYaG5Xd2RkVnpRRWlXdGIwY2d4M2NFZE9PT3B2QTBJV1BETlVMQnhxckxtNHFkUHIxL2g5aEp0YWtScEthUUV1RVBCTTJpNlpkTkpCbjduTnJCMFRxY2lEc2F6T0RnTHlITUQwSTYzeXhVZmZJUFdRUUdwaXpDK3hOb1hTTlIrSldUeHNrNXhyVW54V056cmJvUXNPNkZnczZnNDJrL3YweGdFK1hXQzNTVXhQd2EyUk9odHM0NmFkbFlGYXd0RWlTT0xPUUl2UXhsK0lZeEpQSmVaeGV6Y1Q2b1h6WkE2UzQ2Q0Y2WXZkWDNRQ3VtWk0yM1piaGsvVFoxUVpEampCa3ZiTk1UZTZYU3JmK1hwQzg5aFlza3g4dTRlbTVuZDVjTEVWZU84c0dOVUVHM0NvbUJKU1MxNENQazdDY3YyR2RqbmxaVTFFaW8yZW16T2RQUUtuL3crVVY3ci8rK0NRZmZpdWxld0w2Ym5kUHM2bjdqcE1lVGN6eWlFUm9DQnVEbit1YUtDMnAxZERSbmExQ2hvYktHYU00TWpTaXdlRzNtUUIxaGpwaFJ5TWZROWluQlBhZVJDUFZhNFV2R21DMXBtSzd6eGFpZUpNZ0V2TlhOMFRyUzVuWkRnWmNvbWFVZTFwTHlhRGJuY253cGxWem5SSXg3dHhadUlRNGJuZjhWczlHVm51UUlhODdrdGE4dFFJVG1nNW1Ob2I2VDNIcERENXhnT0tBWTlKNjR4WVU4elJQSFl6V1VSbW1iVU5jN0wvNFdiWGVKS1dMMk8yRFhtNkVhQVpMMkQ2NkE0aHlOMjA3VmtjZURLdEliVWNKVnhRR05OR2VWb0k4THFGWHlRUHBiUXRrYyt6UGc9PQ== -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * wYRrLdRs
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Desktop\00441\6iMSN88k_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bdbaCDdddE You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1PcHovSGJxMER6Y2c0Q1lwTDEyaGdtV2RTaGFxaVk4QXpBZFNSRzhrakdKSklzbG9WK0xCci9kVDcxcnpicU1GY21oUU44NVVjb0tLdHdrNmpVQmRma1prMEVsVXdsOERqdmYzdlBTSm55dFptdUpVT05CM0pXRnNYeWZMSm0zK2I0TGpvU0J0RmJNT3RETmxqbHowa3ZnNk1RZEE0dmVGT1Y5K2l5NWhwd0VZWnlEcGJ1TmFGTk1oN0FtazZqeEVDSWRpeTNSRm9rVGpTZUIvYmRFU1g5N1hjVEhUczc4MmNvY2dtb2diWVBqUHpDeFYwd0I1Wi80eEVhQ25ORStwWTJ4V084aFpGTVF5dWRRRWhNY0toaVJ1ZUtpbENYVkVnb3Vud3dicUZlNUQrczNQclJvcEJmNmZpNkIyd2ZjbnQvWlk2am1IRXlPcytBVWJZRDR6MDZCcW04NUZHN0lobFlmbE5NdnZvUStIcUc4RlhLS2hJeml2Yk5ONXFaR1l0K01Rb1NyV2k2cWFCY0J4ZmRkY2ltS0swZ0c0VnBUQXR0WFZTanZ4T00vSlg0M1dvdURKNTU5cWZIVmdWaTI5S1A2ODBzZDIvOVVSZkRYN095SVBXNXU2ZVk4VlpUSDlvTG1EUy9iQlBKSXFpdWVpUEhDVXA1TUpna0toSlBYMlRNTyt5SmNOZzJlMUFPMnlFNy9GQUhlMXc1R01WazFyelZXMitOcHVVUFFCcklVZERSMUxTVURlcDhTMGFranlEMHdpNXd0clB0T3RHelBUVHJ0a05EWXByKzNVR3ZteGIxM2dPNTJpZlY5elRlVFUyejJlYWtRbWZTaDBrYU1KVHA5dUowM2V6UFFla0VRU0V4dmNRclFrRmNwQTNON3lMQWNkZG12TUd0SzJkOURLd0pZRStVbjRIdk5ZMFBwVUQvam5jMTFLR2V1dWRranByQXVtdWZTdG93Q3dRSmU5WnVvWUFTbkU2NXduV0oxTFhlSDRpOWl4VDJjTzlkMWEvdmdCb3hrdk5FQTBBRFZFM1VCdFNySEs5Rk04V2Urc2dWcjlVOGpOWUNOVEtnTmNzaG9tZnNVUjJwOGMyMzBmMHc1VGFISVdHa3ZPcEJVbmZSenJseVNSbWdKSllvZks5cVFSTlNsWktacU9nRDd1RXFVN2k1TVZwQmZYRzExMDhqTSs2MkVTWW9NeVI0bDlRMHl5UnU0ZlVYRThsLzBrcHFlVzl6Y1dwSVdnQ295a0g1Uy8xczFtOHgxRWl4T1piaWVIU09zZEVISnVQcHJFSVBwdDRlWkhMK3VaaEVGU0xWYnh6M1p0SUgybE5LMnUvbjRJU2J1dk5BRFl4R051NGxiWkR4VmJYaG5Xd2RkVnpRRWlXdGIwY2d4M2NFZE9PT3B2QTBJV1BETlVMQnhxckxtNHFkUHIxL2g5aEp0YWtScEthUUV1RVBCTTJpNlpkTkpCbjduTnJCMFRxY2lEc2F6T0RnTHlITUQwSTYzeXhVZmZJUFdRUUdwaXpDK3hOb1hTTlIrSldUeHNrNXhyVW54V056cmJvUXNPNkZnczZnNDJrL3YweGdFK1hXQzNTVXhQd2EyUk9odHM0NmFkbFlGYXd0RWlTT0xPUUl2UXhsK0lZeEpQSmVaeGV6Y1Q2b1h6WkE2UzQ2Q0Y2WXZkWDNRQ3VtWk0yM1piaGsvVFoxUVpEampCa3ZiTk1UZTZYU3JmK1hwQzg5aFlza3g4dTRlbTVuZDVjTEVWZU84c0dOVUVHM0NvbUJKU1MxNENQazdDY3YyR2RqbmxaVTFFaW8yZW16T2RQUUtuL3crVVY3ci8rK0NRZmZpdWxld0w2Ym5kUHM2bjdqcE1lVGN6eWlFUm9DQnVEbit1YUtDMnAxZERSbmExQ2hvYktHYU00TWpTaXdlRzNtUUIxaGpwaFJ5TWZROWluQlBhZVJDUFZhNFV2R21DMXBtSzd6eGFpZUpNZ0V2TlhOMFRyUzVuWkRnWmNvbWFVZTFwTHlhRGJuY253cGxWem5SSXg3dHhadUlRNGJuZjhWczlHVm51UUlhODdrdGE4dFFJVG1nNW1Ob2I2VDNIcERENXhnT0tBWTlKNjR4WVU4elJQSFl6V1VSbW1iVU5jN0wvNFdiWGVKS1dMMk8yRFhtNkVhQVpMMkQ2NkE0aHlOMjA3VmtjZURLdEliVWNKVnhRR05OR2VWb0k4THFGWHlRUHBiUXRrYyt6UGc9PQ== -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * Jg3hgpEg4fuo
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\OneNote Notebooks\6iMSN88k_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bdbaCDdddE You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1PcHovSGJxMER6Y2c0Q1lwTDEyaGdtV2RTaGFxaVk4QXpBZFNSRzhrakdKSklzbG9WK0xCci9kVDcxcnpicU1GY21oUU44NVVjb0tLdHdrNmpVQmRma1prMEVsVXdsOERqdmYzdlBTSm55dFptdUpVT05CM0pXRnNYeWZMSm0zK2I0TGpvU0J0RmJNT3RETmxqbHowa3ZnNk1RZEE0dmVGT1Y5K2l5NWhwd0VZWnlEcGJ1TmFGTk1oN0FtazZqeEVDSWRpeTNSRm9rVGpTZUIvYmRFU1g5N1hjVEhUczc4MmNvY2dtb2diWVBqUHpDeFYwd0I1Wi80eEVhQ25ORStwWTJ4V084aFpGTVF5dWRRRWhNY0toaVJ1ZUtpbENYVkVnb3Vud3dicUZlNUQrczNQclJvcEJmNmZpNkIyd2ZjbnQvWlk2am1IRXlPcytBVWJZRDR6MDZCcW04NUZHN0lobFlmbE5NdnZvUStIcUc4RlhLS2hJeml2Yk5ONXFaR1l0K01Rb1NyV2k2cWFCY0J4ZmRkY2ltS0swZ0c0VnBUQXR0WFZTanZ4T00vSlg0M1dvdURKNTU5cWZIVmdWaTI5S1A2ODBzZDIvOVVSZkRYN095SVBXNXU2ZVk4VlpUSDlvTG1EUy9iQlBKSXFpdWVpUEhDVXA1TUpna0toSlBYMlRNTyt5SmNOZzJlMUFPMnlFNy9GQUhlMXc1R01WazFyelZXMitOcHVVUFFCcklVZERSMUxTVURlcDhTMGFranlEMHdpNXd0clB0T3RHelBUVHJ0a05EWXByKzNVR3ZteGIxM2dPNTJpZlY5elRlVFUyejJlYWtRbWZTaDBrYU1KVHA5dUowM2V6UFFla0VRU0V4dmNRclFrRmNwQTNON3lMQWNkZG12TUd0SzJkOURLd0pZRStVbjRIdk5ZMFBwVUQvam5jMTFLR2V1dWRranByQXVtdWZTdG93Q3dRSmU5WnVvWUFTbkU2NXduV0oxTFhlSDRpOWl4VDJjTzlkMWEvdmdCb3hrdk5FQTBBRFZFM1VCdFNySEs5Rk04V2Urc2dWcjlVOGpOWUNOVEtnTmNzaG9tZnNVUjJwOGMyMzBmMHc1VGFISVdHa3ZPcEJVbmZSenJseVNSbWdKSllvZks5cVFSTlNsWktacU9nRDd1RXFVN2k1TVZwQmZYRzExMDhqTSs2MkVTWW9NeVI0bDlRMHl5UnU0ZlVYRThsLzBrcHFlVzl6Y1dwSVdnQ295a0g1Uy8xczFtOHgxRWl4T1piaWVIU09zZEVISnVQcHJFSVBwdDRlWkhMK3VaaEVGU0xWYnh6M1p0SUgybE5LMnUvbjRJU2J1dk5BRFl4R051NGxiWkR4VmJYaG5Xd2RkVnpRRWlXdGIwY2d4M2NFZE9PT3B2QTBJV1BETlVMQnhxckxtNHFkUHIxL2g5aEp0YWtScEthUUV1RVBCTTJpNlpkTkpCbjduTnJCMFRxY2lEc2F6T0RnTHlITUQwSTYzeXhVZmZJUFdRUUdwaXpDK3hOb1hTTlIrSldUeHNrNXhyVW54V056cmJvUXNPNkZnczZnNDJrL3YweGdFK1hXQzNTVXhQd2EyUk9odHM0NmFkbFlGYXd0RWlTT0xPUUl2UXhsK0lZeEpQSmVaeGV6Y1Q2b1h6WkE2UzQ2Q0Y2WXZkWDNRQ3VtWk0yM1piaGsvVFoxUVpEampCa3ZiTk1UZTZYU3JmK1hwQzg5aFlza3g4dTRlbTVuZDVjTEVWZU84c0dOVUVHM0NvbUJKU1MxNENQazdDY3YyR2RqbmxaVTFFaW8yZW16T2RQUUtuL3crVVY3ci8rK0NRZmZpdWxld0w2Ym5kUHM2bjdqcE1lVGN6eWlFUm9DQnVEbit1YUtDMnAxZERSbmExQ2hvYktHYU00TWpTaXdlRzNtUUIxaGpwaFJ5TWZROWluQlBhZVJDUFZhNFV2R21DMXBtSzd6eGFpZUpNZ0V2TlhOMFRyUzVuWkRnWmNvbWFVZTFwTHlhRGJuY253cGxWem5SSXg3dHhadUlRNGJuZjhWczlHVm51UUlhODdrdGE4dFFJVG1nNW1Ob2I2VDNIcERENXhnT0tBWTlKNjR4WVU4elJQSFl6V1VSbW1iVU5jN0wvNFdiWGVKS1dMMk8yRFhtNkVhQVpMMkQ2NkE0aHlOMjA3VmtjZURLdEliVWNKVnhRR05OR2VWb0k4THFGWHlRUHBiUXRrYyt6UGc9PQ== -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * 9IA411XzuHcsKWB
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Targets

    • Target

      RNSM00441.7z

    • Size

      53.5MB

    • MD5

      1f07deb824d20334eca9d63413320f1f

    • SHA1

      56067bd17bbe30dfde1b4105924688227931f668

    • SHA256

      adc85b9fc63f672336e015658cfa59663940299f1c7e7cb3c867423606f85c5a

    • SHA512

      2aa3e8aa6df2a4832c22c92b4e8f78725296e201b777ffed0ef6ffccdd53f09eb82ec6e40b0e67cf9dfff869af156e6136832ddf9948d3a090c6bba977fd7bd4

    • SSDEEP

      1572864:PW+3Sr6Ioq3gdUBA1cE6K7HPLmgk3CRlTRCrwb9Zs3:PWSsoqwWAYCvnkyPlCrw9Zs3

    Score
    10/10
    avaddonconticrimsonratgandcrabagilenetbackdoorcredential_accessdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwareratspywarestealertrojanupx

    • Avaddon

      Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

      ransomwareavaddon

    • Avaddon payload

    • Conti Ransomware

      Ransomware generally thought to be a successor to Ryuk.

      ransomwareconti

    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is a malware linked to a Pakistani-linked threat actor.

      ratcrimsonrat

    • Disables service(s)

      evasionexecution

    • GandCrab payload

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

      ransomwarebackdoorgandcrab

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      evasiontrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Renames multiple (3859) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Disables Task Manager via registry modification

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1
T1569

Service Execution

1
T1569.002

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

4
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

4
T1552

Credentials In Files

4
T1552.001

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

6
T1012

System Information Discovery

7
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

3
T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Service Stop

1
T1489

Tasks