General

  • Target

    RNSM00405.7z

  • Size

    7.3MB

  • Sample

    241028-zd42haxbjj

  • MD5

    b1aad99a66608f32a66673ccd4d83ea5

  • SHA1

    14b49720f6b52710fe881000c723ffc6a79b898d

  • SHA256

    f9af4c12ac22ca9e1fc57a51895652c898d77379703c8204526af7252bd90d20

  • SHA512

    01e5b8c9b62eadaa48df41a36f2a819b4c592989b34755a53b9d0e2f70916f079d5bbb982278c9cd469678ccbd325729a3c8ae45953b07fc4d92ebdda811deea

  • SSDEEP

    196608:FHWFXjJypQ3mRUaWwGw11q5eRTmLk+F8pjFe/CBuc:FEzoeQTWA16eRyQPKqoc

Malware Config

Extracted

Family

azorult

C2

http://tranpip.com/hoi/index.php

Extracted

Path

C:\Users\Admin\Desktop\mnBop_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .BcBCdCdDca

You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/                        |
| 2. Install Tor browser                                                       |
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion                         |
| 4. Follow the instructions on this page                                      |
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

HeQKeZVwwkQ72ATEtf
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\mnBop_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .BcBCdCdDca

You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/                        |
| 2. Install Tor browser                                                       |
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion                         |
| 4. Follow the instructions on this page                                      |
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
ODc3LXVqWjlMdmJLa3FpN3RzTjdFTzcwd3NqTWVRQ0gwTEhXV2NTd3hBWHZPbVUvM3RaSnZINWZZajR5SG9zWW1sR0hYbTB5d21odEV6WlovZVZ0eldRMUxuRW13S3QrVDZGbXJWUlZvUSsrWjMwOTcycmFJTit1M1VrQ3dQRE5Lc3pzWnMrRlpPUmsxVWpQOUtERGlJQ1I2ck5GWkEvdUJOVVhxZEU4OHcvdStFY3RTbG1Vd3pXUTJ6bU94MVVJdzJtVkFRZlhINnU3bnlyaUtEbnQ3OUFaYkROQTFXTGJvSDdiVUo2c0hrQW5HQk4xMW9LdngrNjIrUTduQjF0ZDJzbnBGL1Jpdk9vSGtvU0UrSTdYbGdxK1FETWJIRU1sYm1SQXpXODNtMmtWT3cvTFRpaGNWMWNzeHAwZWlrcGovcjVqRXgrbEVxU0o1ckxmeCtFSGdwejhJQXA4bW9LL2FSWm1iN0lRaFEyaUlJRW1uM0FmaTZvaFF6VUNiVDFtNTRzMDJZTzlUN2U5WUFGRkh3d0w2bjVLdGJJMjNrbVRjUEdqVHM4WHR6Q2NuUkJDYU1EemxDa3A4dnBhVUV0Ui94NFFLL25vQzVUQzNSNjNDcDhRNkFOR1ZmVnBnNXg1Vjc1L0NHcDRuUjc2R2lFQTVpejcxYUE2a0dLOGg2eGpPN0Z0cCtCNUFSZnNqQlZNNGVKK0Q1NUdrUGtVM005SDlkVjNoNHIweklTTE1pZy9nUnZ5ZEFmM0NhdVU0WTJBeEgyclZuVGJVR2xHaEJEZDE1UlVmc3lkTHJDRXRpQWU4aUFybExlUWVNcDlvZFV0T0pxMHgxbDJIUlZqeVFINkFwdWZqbHIrby9sbS80MjZwQjZFWU56V0pjSVV5MFY3N3hDa0JjdVNSVk5TOTVWMmJ6blpsT3Y5eWFuUk1uTnFCMHlMSlYvVWZBV0I3NVBQeFJESHk5ZmxGN3l5ZVJIL2gzdGR0VFZUOFdPeUxQMmVITWhTNVNhWVRNT0JpcDJkVDNZaXlUUzZkTlVEbDhQTEJQUHk2ZHBsUzBvbmlsMEkwRTc5YVNBampvV2x3SndiM3A3Y1dIL2xFM2d2V3hxRkt0V25JYXJvaDVnM1FVakpMM2NRNStpTmp2TE9PZGVIWlpkeld6T3lPSDk0WERmTThvL2x3TG1BeEJ6R0lxSXl5bzl5eDAvSDVnaDQ5cUZJUGlqeGJQakZoRFZDSnJRajBCbURTUlpyYnJwaVBCVDhvcFNVbHBhSGhKUmc0Yy84cFZvMGMvNmdWWDk2NHlwYjZITTVYS1U0YkMrRFlGWmRrRFl0NHViS0JkRDhJUzVvbXc2ZU5NN1ZTRXhLUStTQ214ZFlDcDB0dHBuSGZQeEs2cDZXSlVnU0libG0wQVdJcTVsSDVPYmp0QjJEUHRWQ3l5NG1kYWNMckdiRklSMk1oUk1mNi9aaVM2QVJUTGZTVDJMMk9JbUVUSkxaYTF1dVFFd0xiV21CYVhaczY4cnNVeHRUb3NqMkJpUkpiVDZJRUlidVBteTlFcVJhVnRBOUpQeGV2eVU1a1RLS1E2TG1DTXpEeEQxZzJEQnpGOGNiQkhlUUJyaUxtU05PeXN1S0RzWk9kKy9KblUrR0RnMXNQUENLcWc0TzNnVmRNNlRtYUxsSlRQNGR1UVBWc3d6b0ZPY2hiRVJrRmlkeVRuSUk1WHdXcnErR3JKK1JmR2loNGN6RUo5Y0FsNE43bmM1dlNlQU94QmRYVlk2eEZ4WitZT1RPWVczNVJ1L2FxSU00OEluSnRROWRWNCtVNmhLU3dtazFqRGZXbE4vM0Z5RTlZS3laME42M05ZamhtalJENXBJRkZmKy9QRWJiVW5ybGc3Z0xQL3VYSGFhUFc1M2lGL2E5ZXdVS1IvMkRxUmJSNWRzanVvdllqVmpHUTRlN3pxY0dNdkUvZVVrbnU1Q0ViclM3M3dNNU1PdkZsSHdFZnllcHVXYlhEU1FTRkRGbnJySWI0MWErdlF3Qm40bWJQZU9iODdsalRQUVZxR3BVa2I1VE5rL0s5V3hKWXBFMzFWejVRQUhaUnlNYmFUMUQyRFdHcW1kbnRmOEkvdi8rejgwa3FETHdqMHVHdWJzZ2xCMTBWeEtzd1dkeDFZZU0vYVNIVy9vRG1BPT0=
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

7n1AzmIGmM8gua7G5fEfI
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\mnBop_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .BcBCdCdDca

You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/                        |
| 2. Install Tor browser                                                       |
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion                         |
| 4. Follow the instructions on this page                                      |
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

UPcXKy44cyqEHXFIkC8nzp5Z
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Public\Documents\!!!_READ_ME_09C70E4B_!!!.txt

Ransom Note
***************************************************************************************************************
HELLO Campari_Group !
If you reading this message, it means your network was PENETRATED and all of your files and data has been ENCRYPTED by R A G N A R L O C K E R !
***************************************************************************************************************

*YOU HAVE TO CONTACT US via LIVE CHAT IMMEDIATELY TO RESOLVE THIS CASE AND MAKE A DEAL*
(contact information you will find at the bottom of this notes)

!!!!! WARNING !!!!!
DO NOT Modify, rename, copy or move any files or you can DAMAGE them and decryption will be impossible.
DO NOT Use any third-party or public Decryption software, it also may DAMAGE files.
DO NOT Shutdown or Reset your system, it can DAMAGE files
-------------------------------------
There is ONLY ONE possible way to get back your files - contact us via LIVE CHAT and pay for the special DECRYPTION KEY !
For your GUARANTEE we will decrypt 2 of your files FOR FREE, to show that it Works.
Don't waste your TIME, the link for contact us will be deleted if there is no contact made in closest time and you will NEVER restore your DATA.
!!! HOWEVER if you will contact us within 2 day since get penetrated - you can get a very SPECIAL PRICE.

! WARNING !
! Whole your International Corporate Network was fully COMPROMISED !
We have BREACHED your security perimeter and get access to every server of company's Network in different countries across all your international offices.
So we has DOWNLOADED more than 2TB total volume of your PRIVATE SENSITIVE Data, including:
-Accounting files, Banking Statements, Government letters, Licensing certificates
-Confidential and/or Proprietary Business information, Celebrity Agreements, Clients and Employees Personal information (including Social Security Numbers, Addresses, Phone numbers and etc.)
-Corporate Agreements and Contracts with distributors, importers, retailers, Non-Disclosure Agreements
-Also we have your Private Corporate Correspondence, Emails and Workbooks, Marketing presentations, Audit reports and a lot of other Sensitive Information

If NO Deal made than all your Data will be Published and/or Sold through an auction to any third-parties
- There are some screenshots just as a proofs of what we got on you. (you can find more on Temporary Leak Page)
Screenshots:
https://prnt.sc/va9w5v
https://prnt.sc/vam4mz
https://prnt.sc/val3ll
https://prnt.sc/vaa5kh
https://prnt.sc/va9xdb
https://prnt.sc/va9z18
https://prnt.sc/va9wwj
https://prnt.sc/vaad5d
-------------------------------------
Whole data that gathered from your private file-servers and directories could be SOLD to any third-parties and/or PUBLISHED in MASS MEDIA for BREAKING NEWS!
Yours partners, clients and investors would be notified about the LEAK, the consequences of LEAK will have a DISASTROUS effect on your company's stock index and reputation.
So better contact us ASAP to resolve this issue. If we make a Deal everything would be kept in Secret and all your Data will be Restored, so it is much cheaper and easier way for you to make deal with us, than to pay lawsuit expenses.

You can take a look for some more examples of what we have, right now it's a private, temporary and hidden page. But it could be supplemented and become permanent and accessable for Public View if you decide NOT pay.
Use Tor Browser to open the link: http://p6o7m73ujalhgkiv.onion/?tfR4tkhpcE2pUg
To view the page's content use password: WrNz8hSLai
==============================================================================================================
! HERE IS THE SIMPLE MANUAL HOW TO GET CONTACT WITH US VIA LIVE CHAT !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
a) Download and install TOR browser from this site : https://torproject.org
b) For contact us via LIVE CHAT open our website : http://rgnar43spcnsocswaw22lmk7jnget5f6vow7kqmnf4jc6hfwpiwoajid.onion/client/?8035A17A1e1cdaABB8BfDecEC0e94FA224C1Fc86D09C60540E56e972EDa7327c
c) To visit TEMPORARY LEAK PAGE with your data on our News Blog, open this website : http://p6o7m73ujalhgkiv.onion/?tfR4tkhpcE2pUg ( password: WrNz8hSLai )
d) If Tor is restricted in your area, use VPN

When you open LIVE CHAT website follow rules :
Follow the instructions on the website. At the top you will find CHAT tab.
Send your message there and wait for response (we are not online 24/7, So you have to wait for your turn).
***********************************************************************************
---BEGIN RAGN KEY---
ODAzNUExN0ExZTFjZGFBQkI4QmZEZWNFQzBlOTRGQTIyNEMxRmM4NkQwOUM2MDU0MEU1NmU5NzJFRGE3MzI3Yw==
---END RAGN KEY---
***********************************************************************************
URLs

https://prnt.sc/va9w5v

https://prnt.sc/vam4mz

https://prnt.sc/val3ll

https://prnt.sc/vaa5kh

https://prnt.sc/va9xdb

https://prnt.sc/va9z18

https://prnt.sc/va9wwj

https://prnt.sc/vaad5d

http://p6o7m73ujalhgkiv.onion/?tfR4tkhpcE2pUg

http://rgnar43spcnsocswaw22lmk7jnget5f6vow7kqmnf4jc6hfwpiwoajid.onion/client/?8035A17A1e1cdaABB8BfDecEC0e94FA224C1Fc86D09C60540E56e972EDa7327c

Targets

    • Target

      RNSM00405.7z

    • Size

      7.3MB

    • MD5

      b1aad99a66608f32a66673ccd4d83ea5

    • SHA1

      14b49720f6b52710fe881000c723ffc6a79b898d

    • SHA256

      f9af4c12ac22ca9e1fc57a51895652c898d77379703c8204526af7252bd90d20

    • SHA512

      01e5b8c9b62eadaa48df41a36f2a819b4c592989b34755a53b9d0e2f70916f079d5bbb982278c9cd469678ccbd325729a3c8ae45953b07fc4d92ebdda811deea

    • SSDEEP

      196608:FHWFXjJypQ3mRUaWwGw11q5eRTmLk+F8pjFe/CBuc:FEzoeQTWA16eRyQPKqoc

    • Avaddon

      Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

    • Avaddon family

    • Avaddon payload

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Azorult family

    • Detected Xorist Ransomware

    • GandCrab payload

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Gandcrab family

    • Modifies Windows Defender Real-time Protection settings

    • UAC bypass

    • Xorist Ransomware

      Xorist is a ransomware first seen in 2020.

    • Xorist family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (1286) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Clears Network RDP Connection History and Configurations

      Remove evidence of malicious network connections to clean up operations traces.

    • Downloads MZ/PE file

    • Modifies service settings

      Alters the configuration of existing services.

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Network Share Discovery

      Attempt to gather information on host network.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks