Overview

overview

10

Static

static

1

RNSM00384.7z

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RNSM00384.7z

  • Size

    56.3MB

  • Sample

    241103-14pj6swfpl

  • MD5

    600e405b3ca30e918aee2044111b6721

  • SHA1

    5855b3ced8b01d2177820f653a3ad7acd371dc22

  • SHA256

    a54e2aa0abb5b97d433a8e8fd2bdb2f83c9bef02e2db1695483a8294238adf46

  • SHA512

    08bcf977e46a624600662af6b580651a4e9927c9f47670e331531a58990f9440b593c7f5c280736d0cf222830439c796389d7eba0d76bbab12b2bdb3c9fec3ef

  • SSDEEP

    1572864:DwJV/DpTapvVBlk01AL78kFRdtEPoSx34382/oMR:gV/JaZRkga39SxO82AO

Score
10/10
avaddongandcrabgluptebaquasarxoristbackdoorcredential_accessdefense_evasiondiscoverydropperevasionexecutionimpactloaderpersistenceransomwarespywarestealerthemidatrojanupx

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    212121QWER

Extracted

Family

quasar

Attributes
  • reconnect_delay

    3000

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-1045960512-3948844814-3059691613-1000\HYEOAMLLU-MANUAL.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .HYEOAMLLU The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/9fca77e1278df339 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAIeReO7GMSFr2isB8Bt/5+IDk/GmgkwZRbJgQHgTpeLw3aHunKH2vrgmE7l47gt4HegrOEKvljLtt2TYePg/IU7SJHZw1goCW4nvg5j1fbIV/GR5BQmKg1w8/kY9kREYudaUox3rKAfx+QRMxPqPX2QOxq2e0uQXLJhdGcxMMuwVQcc1tOUsqPh/mW9y6sj0J+CLnyC1C7HSkq95foHG3GofoH2ADdY5JiIBtOuzsZUd5K4a6G37JR6rknUdtMtoaikH5aB5GUulOpMK3WQvdXwEvO1TJLPlqBLXPwXcRxGrgFlj/Iow61hyO0622BpzR2wzQ7Y7685N5ADmfXh0mhU2nyvxrv6BYuWbzoqwAAZsh2MET5I934Ode+zgFYYNgD/SIrGKzLPfTr23+VXmCfPuQXVRKURUmn5baiYd/hg45XzAVSUsR+Yrd+wRvHxJk9QzX4AVAcAfcTixgunyiR7x2s/GHr74KujfRkLgZlR3hHZX5FHJyC02FBg2QTCZGt7oLvDK40Y7EhX9pRgOc0a9BQgzaPlYqLwd1CubBMiTdUEtKF/NkLmIFflQUM52DGqO0/HGhMwWxYwByrtIYsaIr0bZ8LZT7+2FmZEHPLlgIkhCR34xVn0/g1Kbb0k7Y2wBBViI+wJB3xZ/K7N0sfS1T+kuubBPDYIatyOFnu1+ATD6c55BK7IlkkxlxWJ//CdMLXFhyvRDlSJUx6RJEiX/aD9/YI2iITDP8UkdhJCBsVJ/yyKrj3lpw2Lb4wAIusCYC18LSR4gw4kbQOROF9lAbiyNwTLj9JRj5fBvfCgX0Np4JDf5mh8CecdrRlyv65UOaW9XBW+iL2kJ7tm9HIs8kBZytEuTWOLW79p3MEbcH+K+E4oWFaO4qiBYLFhDWZLntQRlRUk0CtPuVtMZbaIBSCnG5Je201aecc5sOaETm9Ix6bfdPk8e11XgpQfKt1hJ1EYOjCqApYQcG7cd/kw4VcqLIMQW4Bk106AysW8sf2P3+aSvQ/oLft76vrOIANeRPyZfMoen1w37phrbOnsqM6S2aCSBBfScaHd+UnwHcs5KNA9Wqz63r5Y69VcV9JFoNo2irTLtVv2C7U3/jKlq8t75iKAkrRHXMRFTXqNfsweZRBdCEqaNgZ4CWu2JHTB+n0tr3aZkIbaCHJXumdBH7UqC8Etqz6ZlH25I9EFcF5/vExjMsxV6WMcZOOr8yVhwzduQfg9zqUTeo7uiG6vUDRtKS78uY1mzI4TnpUFlUu3SZ3tEuXTVzE+Nm8ASZhLWtWgnHxmvJaBQYI55cvmNArnpaFRIdcE49KYkRZOTd9iq7X+3bFKzFdAlrHpMWv7sQJ+9wzGa9iZHWRkzbib/z0tNalU0T9xU3zWzfKXJY807uIpVTc0PRxa+mHXshkj24nDqzqt3Yiwj069f8nyhA+jfxeFEKLnpj3zFucKKmxrSg/k0td6Yfq0i2anDHTkWbDiBic9qyxx9/ZJwI76ScyQd+ZouYixDhEDTMQmH8NmP+PmZNY7feLtVBCCqiJp9mYrQkupkeeEyvHMUy334gwxOSLSgjzm04mp+KnGvT70POMhYSxzPEhm6zCJp6M5jF2X2SSxEocwQ4sLAwo6U27H4lDTgJTkVIQoAb9u49Nb38XUUF0eSEzMGAn5OnrvWtoNsMHOZMYV1P0mxDYnK6jH1OqPQz9YU/V3o0gVs+lrmT0GCHQqKlpxiAyYq/AZarNZcvBukmQWUWfa9ZAfBhvs4hOEcLB92Xe7EEurHLbIrJkAKO2+N3KzHSAkIvyCZ6KhfOJNdLc9GdclIL39DUlzkdFWM05uyXM+FAgyitfqZYGPtfwe6lz8iXO3HB1oUGD9REG8hfPKHTziQmW8YbBmmBQ83NShUNnvKAUVo1mYyQL06zhU5HOe0AVjZdeMnVavqdoJppeNsKU8SyYfqqhZ0YD/N6UMhBayJTNz9SX6RXOgLLcf6SVdGVKldeiGD1rPb04v0JGwPwKBHUrwJuNy7ivqFMzzIxxpCmuqH8n4tYu3s7OC2pw4jonos8J6D/wo1/Q9TwvGREw2KsK2tWRlX2FYp1CxepwKKXBdUKtx6rgjsTAGqKjqk9L0puEI6hKKb9VRVAjMD6vRfqkABdi2ajak9eakfWzziL4S9W/UiFVC6mJHuny3TRRIUblbkUKfclkTPlkcBdDSvURfN1SNimQniI/CjFKB+2J5WrEAf9gjc5tCNrwrqDtYwkMzGr1c= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmD59MnJMZDWAuqVqeDGRW7IKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNx2WKAyu4W+5zlHFnKwMISBi1CwemOo6FrxnP+Z5F9bSR7OvDBsmLj7oYD6GBgpBqj3RSAVfvfE0yZSXyCRtLeJdNBbBndq/8Y5R+e3ZLHNmdaRi0eIP43yqvNmLLfjUKP0r1BW4eYoT03JrPa/L0B0wffnS0ez96BFoTHFq52HPDCx6yhEudvoPVoM6iaVy+mvqAdvYbwBrtoyqy8P1filXDmT7q54D+w6gTmwK0yub5gfz9wpLQCj3bimwDPi8jPeKPiggI2bWKz+7QkWvC2ihYFfEuZEsyM4ANvhxNQXIE31UkGbyfSMBJ0C1n0/geR7exoErHT3CuHratdMPE+VL8ogLqkb9gmccDCV+LDFEc+sELTbnImaZUIrb4k0v1Gdc2TS06JZDEbFhoHmqBlwika+xMnGu3VDm7fKZfNiEp2dQJi5zlJfAroB7wU2qF+PdDh8q5K7QFljuV0oysnw41zSuvhBPw5/yUtuYcYrGEds ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/9fca77e1278df339

Extracted

Path

C:\Users\Admin\Desktop\00384\Setting\tvov5Gi3_readme.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aAbDBDaCcc You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- Mzc3LVA5Y05OZEVQRW9IU014bmFEYkRYMlJSeStKTzRqcnFQRWUxVEsvUjA3RmFyZExLN2hpM1Bhb3g5MUV4THBuWTAyTVBsWlJhTEY0ZFE0ODhvclhPWXU2TytPdG1hV3lCU0djQjJDeERzV2ppQm1XM0V1WGVhN0dCa0JmT01xRGJBU2xGRFNybi9CRVJIa1pCektTSjk3LzZCdEFReEMvZkxOcDZxNHY2TjFSWSswOFRKeWg3dE15TSsvc1JFRitVQUZWclU1KzJtb1A2Q0JoWnFia2k0bUs0MUwwSEgyZEdqV3k4bUZVRm16bnJVT2tWVllNYzdEUFhqc1plOXhZQmlCeDhsYzNzdUh6ekVqWmVLSzIyamJsN3hOLzF6aHVobTY5Z0hscmZZVG95SDIwMlRiM1BIektjQlNUMG8xa0l0emU1SkhMMi9KUWdDL0x5UW1pYm9KS01EODlmaDJPQlUxVm5BZHd3T1ZZMUVsMHhmbkxxQVA4L1pKNldNbEJRdUJINEU0bmdkVXVaM1NjbE1iTHUrQUovZ3AxUWs2S0VUREJMcTZ0c2R0NU02WC82RWRBdkFNVlNXenRxNFlKVnExYlNXeEpDdEdxOVlaR251ZWRrODlpaDd6MUQxNFRaTEVpb0g1dXNGMWJ1U2lkVG9PWmhhTDUrcDY0K2wxL09DQnVjOUZEdUtkbXpzWE5Hb0NROE56bTdSVWRrLytNOFJtd2szTlVUK2RSZUZ6cE0wR1BFUWNETkpTNHlPN0tzNWZaUUhQWTB5cllnYWkrU3ZEL0pucFU1bVFIaUt5SG5vUllxNS8vTHF4dFdMQlZuT3dHRVB1R2l5MXozVmxURVN5SEF3ZSt4ZWQzTUFVbldRZW52Vko2c3BXL2MvWktHMFdVaHNBTTM2dmJ0WVRDZHZzcUNtSTg1RzN4OEErTXFvaW1FQUxURERoZmFmVmpHclYxYmI0bjdMNVQ3U0tMSVc0T1RleGU4Ni9rSUtrdXVKcUlCYW1MSWlvNWNvSGFQZjhQaGxHdUJBTyt0SlBLRFdscFlTMTV1eEszekdyQWg1a29rWkhkanE3SkZWWG5IUFFrWDUvSm1MbHAzRndXTEkyM25CbGxhdjgwWTdzWjk5QS9LY1V3Qm5LaEtQanY4TjdLM1ZVeURMNDdkZ0d3eDF1MTNXLzlLcnRuSTV3VUQ2dTNYQUFmZFZIQXErZUVMcHc3TVRwcmZEKzE1S044NXh6d3BYbkNFa3JiM056dzFLSm1ndE9ZQk9UU2hza0dFK0NwOHhpWjh1WmFUT2s0NkJ0S3d5MXlkOXFodGt2Y2dIY0RVOXV4amFEdHJDeFh5b1dmVWpmYUdYS2E1eER3M3JuSytzeldEZi90c1pOWWlJQktLS0lTaFhaNlp3V0dMcHFXRDc1KzJjQngzaERGQXUzWWVMUUxoL3JVa2MxQXBVT1Z4MElsSXlQOWNFRVBzTzhtRzBxRTVkNHJhMU9McCtpSEJPNWhDVHhVWWp0ZlNjL2xFbGp1UWhoYlJiQWFsVWVXTmFSQ013UTlid1JuVWRkVC9pSExGZWtSNjNGSUMwa3cyMGFFeGQybzBrZXhtV3RmNjV0K3dJdmFUdU9vNmtPLzBYb21FbjhQTjFnNlgvT21DYTNyUEp3MWF0R2UyQU5Dd0xMSTNYTXdoU25GT1pHUVd5WWZQU3RBeDhHY25hL3BhVklPZFlSWkZvOS9INURvaUJKdGJvcnlOZ2dESU1LZk5CRVZxczAvOWpuUGsveDRRV01pUDE4cG1wdkF5MEJhbC9ORCtyd2twVnpYQXFEUEl1VXUrd2NEVDJnS21xZGQzTld5UUs4ekVFaEpsUmwxSFB2R1pSMW1RUkphNTYra2NSYngrcVhxelN4SDhGUUMvZXJZejhNRXpMRUp1TFJqL1l5cENYYkRUNkx3UEQyYzl4bGxOVEd5T29OWHZTVkVDbVYwUml5MkJVQU0ra3hPVXVlRmJZTWdELzRmYWYrR3luTVoyWnVmN1Q2RmgxM1J3ZFpCcldqMi9TNDB0UVlucXo1d3o3UEgrTFdSNGtORVVWL1YrY2JjOFBFcmd5SXBybThmd1ZFOWM4bHorcjEyNHQ2VktPVDhnMHg0TWJ4cjZNMjZqUlhEaERyQW10SmRlaVV2L2V5V1pLSXh6T3NzOWU1NjNIUG5sSHkxQmljUUdmanFxeXhVVHFsS2dm -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * ec4GEwhY8XRq2EgcvZGKvDUv99CEs
URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Desktop\tvov5Gi3_readme.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aAbDBDaCcc You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- Mzc3LVA5Y05OZEVQRW9IU014bmFEYkRYMlJSeStKTzRqcnFQRWUxVEsvUjA3RmFyZExLN2hpM1Bhb3g5MUV4THBuWTAyTVBsWlJhTEY0ZFE0ODhvclhPWXU2TytPdG1hV3lCU0djQjJDeERzV2ppQm1XM0V1WGVhN0dCa0JmT01xRGJBU2xGRFNybi9CRVJIa1pCektTSjk3LzZCdEFReEMvZkxOcDZxNHY2TjFSWSswOFRKeWg3dE15TSsvc1JFRitVQUZWclU1KzJtb1A2Q0JoWnFia2k0bUs0MUwwSEgyZEdqV3k4bUZVRm16bnJVT2tWVllNYzdEUFhqc1plOXhZQmlCeDhsYzNzdUh6ekVqWmVLSzIyamJsN3hOLzF6aHVobTY5Z0hscmZZVG95SDIwMlRiM1BIektjQlNUMG8xa0l0emU1SkhMMi9KUWdDL0x5UW1pYm9KS01EODlmaDJPQlUxVm5BZHd3T1ZZMUVsMHhmbkxxQVA4L1pKNldNbEJRdUJINEU0bmdkVXVaM1NjbE1iTHUrQUovZ3AxUWs2S0VUREJMcTZ0c2R0NU02WC82RWRBdkFNVlNXenRxNFlKVnExYlNXeEpDdEdxOVlaR251ZWRrODlpaDd6MUQxNFRaTEVpb0g1dXNGMWJ1U2lkVG9PWmhhTDUrcDY0K2wxL09DQnVjOUZEdUtkbXpzWE5Hb0NROE56bTdSVWRrLytNOFJtd2szTlVUK2RSZUZ6cE0wR1BFUWNETkpTNHlPN0tzNWZaUUhQWTB5cllnYWkrU3ZEL0pucFU1bVFIaUt5SG5vUllxNS8vTHF4dFdMQlZuT3dHRVB1R2l5MXozVmxURVN5SEF3ZSt4ZWQzTUFVbldRZW52Vko2c3BXL2MvWktHMFdVaHNBTTM2dmJ0WVRDZHZzcUNtSTg1RzN4OEErTXFvaW1FQUxURERoZmFmVmpHclYxYmI0bjdMNVQ3U0tMSVc0T1RleGU4Ni9rSUtrdXVKcUlCYW1MSWlvNWNvSGFQZjhQaGxHdUJBTyt0SlBLRFdscFlTMTV1eEszekdyQWg1a29rWkhkanE3SkZWWG5IUFFrWDUvSm1MbHAzRndXTEkyM25CbGxhdjgwWTdzWjk5QS9LY1V3Qm5LaEtQanY4TjdLM1ZVeURMNDdkZ0d3eDF1MTNXLzlLcnRuSTV3VUQ2dTNYQUFmZFZIQXErZUVMcHc3TVRwcmZEKzE1S044NXh6d3BYbkNFa3JiM056dzFLSm1ndE9ZQk9UU2hza0dFK0NwOHhpWjh1WmFUT2s0NkJ0S3d5MXlkOXFodGt2Y2dIY0RVOXV4amFEdHJDeFh5b1dmVWpmYUdYS2E1eER3M3JuSytzeldEZi90c1pOWWlJQktLS0lTaFhaNlp3V0dMcHFXRDc1KzJjQngzaERGQXUzWWVMUUxoL3JVa2MxQXBVT1Z4MElsSXlQOWNFRVBzTzhtRzBxRTVkNHJhMU9McCtpSEJPNWhDVHhVWWp0ZlNjL2xFbGp1UWhoYlJiQWFsVWVXTmFSQ013UTlid1JuVWRkVC9pSExGZWtSNjNGSUMwa3cyMGFFeGQybzBrZXhtV3RmNjV0K3dJdmFUdU9vNmtPLzBYb21FbjhQTjFnNlgvT21DYTNyUEp3MWF0R2UyQU5Dd0xMSTNYTXdoU25GT1pHUVd5WWZQU3RBeDhHY25hL3BhVklPZFlSWkZvOS9INURvaUJKdGJvcnlOZ2dESU1LZk5CRVZxczAvOWpuUGsveDRRV01pUDE4cG1wdkF5MEJhbC9ORCtyd2twVnpYQXFEUEl1VXUrd2NEVDJnS21xZGQzTld5UUs4ekVFaEpsUmwxSFB2R1pSMW1RUkphNTYra2NSYngrcVhxelN4SDhGUUMvZXJZejhNRXpMRUp1TFJqL1l5cENYYkRUNkx3UEQyYzl4bGxOVEd5T29OWHZTVkVDbVYwUml5MkJVQU0ra3hPVXVlRmJZTWdELzRmYWYrR3luTVoyWnVmN1Q2RmgxM1J3ZFpCcldqMi9TNDB0UVlucXo1d3o3UEgrTFdSNGtORVVWL1YrY2JjOFBFcmd5SXBybThmd1ZFOWM4bHorcjEyNHQ2VktPVDhnMHg0TWJ4cjZNMjZqUlhEaERyQW10SmRlaVV2L2V5V1pLSXh6T3NzOWU1NjNIUG5sSHkxQmljUUdmanFxeXhVVHFsS2dm -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * DUOqEX3
URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

\Device\HarddiskVolume1\Boot\cs-CZ\HOW TO DECRYPT FILES.txt

Ransom Note
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-2jkyb95pOj Price of private key and decrypt software is $500. Discount 50% available if you contact us first 72 hours, that's price for you is $130. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Our Telegram account: @restorefile Your Type Encrypt : asulo
URLs

https://we.tl/t-2jkyb95pOj

Extracted

Path

C:\Users\Admin\Desktop\tvov5Gi3_readme.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aAbDBDaCcc You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- Mzc3LVA5Y05OZEVQRW9IU014bmFEYkRYMlJSeStKTzRqcnFQRWUxVEsvUjA3RmFyZExLN2hpM1Bhb3g5MUV4THBuWTAyTVBsWlJhTEY0ZFE0ODhvclhPWXU2TytPdG1hV3lCU0djQjJDeERzV2ppQm1XM0V1WGVhN0dCa0JmT01xRGJBU2xGRFNybi9CRVJIa1pCektTSjk3LzZCdEFReEMvZkxOcDZxNHY2TjFSWSswOFRKeWg3dE15TSsvc1JFRitVQUZWclU1KzJtb1A2Q0JoWnFia2k0bUs0MUwwSEgyZEdqV3k4bUZVRm16bnJVT2tWVllNYzdEUFhqc1plOXhZQmlCeDhsYzNzdUh6ekVqWmVLSzIyamJsN3hOLzF6aHVobTY5Z0hscmZZVG95SDIwMlRiM1BIektjQlNUMG8xa0l0emU1SkhMMi9KUWdDL0x5UW1pYm9KS01EODlmaDJPQlUxVm5BZHd3T1ZZMUVsMHhmbkxxQVA4L1pKNldNbEJRdUJINEU0bmdkVXVaM1NjbE1iTHUrQUovZ3AxUWs2S0VUREJMcTZ0c2R0NU02WC82RWRBdkFNVlNXenRxNFlKVnExYlNXeEpDdEdxOVlaR251ZWRrODlpaDd6MUQxNFRaTEVpb0g1dXNGMWJ1U2lkVG9PWmhhTDUrcDY0K2wxL09DQnVjOUZEdUtkbXpzWE5Hb0NROE56bTdSVWRrLytNOFJtd2szTlVUK2RSZUZ6cE0wR1BFUWNETkpTNHlPN0tzNWZaUUhQWTB5cllnYWkrU3ZEL0pucFU1bVFIaUt5SG5vUllxNS8vTHF4dFdMQlZuT3dHRVB1R2l5MXozVmxURVN5SEF3ZSt4ZWQzTUFVbldRZW52Vko2c3BXL2MvWktHMFdVaHNBTTM2dmJ0WVRDZHZzcUNtSTg1RzN4OEErTXFvaW1FQUxURERoZmFmVmpHclYxYmI0bjdMNVQ3U0tMSVc0T1RleGU4Ni9rSUtrdXVKcUlCYW1MSWlvNWNvSGFQZjhQaGxHdUJBTyt0SlBLRFdscFlTMTV1eEszekdyQWg1a29rWkhkanE3SkZWWG5IUFFrWDUvSm1MbHAzRndXTEkyM25CbGxhdjgwWTdzWjk5QS9LY1V3Qm5LaEtQanY4TjdLM1ZVeURMNDdkZ0d3eDF1MTNXLzlLcnRuSTV3VUQ2dTNYQUFmZFZIQXErZUVMcHc3TVRwcmZEKzE1S044NXh6d3BYbkNFa3JiM056dzFLSm1ndE9ZQk9UU2hza0dFK0NwOHhpWjh1WmFUT2s0NkJ0S3d5MXlkOXFodGt2Y2dIY0RVOXV4amFEdHJDeFh5b1dmVWpmYUdYS2E1eER3M3JuSytzeldEZi90c1pOWWlJQktLS0lTaFhaNlp3V0dMcHFXRDc1KzJjQngzaERGQXUzWWVMUUxoL3JVa2MxQXBVT1Z4MElsSXlQOWNFRVBzTzhtRzBxRTVkNHJhMU9McCtpSEJPNWhDVHhVWWp0ZlNjL2xFbGp1UWhoYlJiQWFsVWVXTmFSQ013UTlid1JuVWRkVC9pSExGZWtSNjNGSUMwa3cyMGFFeGQybzBrZXhtV3RmNjV0K3dJdmFUdU9vNmtPLzBYb21FbjhQTjFnNlgvT21DYTNyUEp3MWF0R2UyQU5Dd0xMSTNYTXdoU25GT1pHUVd5WWZQU3RBeDhHY25hL3BhVklPZFlSWkZvOS9INURvaUJKdGJvcnlOZ2dESU1LZk5CRVZxczAvOWpuUGsveDRRV01pUDE4cG1wdkF5MEJhbC9ORCtyd2twVnpYQXFEUEl1VXUrd2NEVDJnS21xZGQzTld5UUs4ekVFaEpsUmwxSFB2R1pSMW1RUkphNTYra2NSYngrcVhxelN4SDhGUUMvZXJZejhNRXpMRUp1TFJqL1l5cENYYkRUNkx3UEQyYzl4bGxOVEd5T29OWHZTVkVDbVYwUml5MkJVQU0ra3hPVXVlRmJZTWdELzRmYWYrR3luTVoyWnVmN1Q2RmgxM1J3ZFpCcldqMi9TNDB0UVlucXo1d3o3UEgrTFdSNGtORVVWL1YrY2JjOFBFcmd5SXBybThmd1ZFOWM4bHorcjEyNHQ2VktPVDhnMHg0TWJ4cjZNMjZqUlhEaERyQW10SmRlaVV2L2V5V1pLSXh6T3NzOWU1NjNIUG5sSHkxQmljUUdmanFxeXhVVHFsS2dm -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * Z60C3jpm0z
URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

F:\$RECYCLE.BIN\KRAB-DECRYPT.txt

Ransom Note
---= GANDCRAB V4 =--- Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/9fca77e1278df339 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAALIFX0va330/3oi7nnzg+4w2RWktD90Ql5wa7vGYxsV54NLTDEnd7It4HtfZC9MiR67MURWSfDUsRvyaJjVHlLBNCjAbSud/mq2VErRHwZQQ5N7XhF4vF5dVBTHW+PoFx6oOGibUqgHZmp6Uxz/YKjOeIN7i7oH40FAGNsnG5RTRS0xiozJXjNWUFxybJ9nWi4ExnPKIG4iX3XbHTmxZkNfwuFBNtEKAnvZhVGA8Tct1FNhZnJQCSzc7dH95ZLvrH/znhK/2zNv4UvTeFgpwZGy1LrRDCsFhnz2HKmdWBo3guf32v3Yc88wAOIhfPuozZBCJz5EidWsmmAT+8zOwJ7PtYNDkc9ipoPaayFCcefNgjvFtdqSnTk+2thN2K3nonQIwjBWTmLFXyiWsUhu7Po4wB2FgBWacATSE1RPz41LMW/A2HSAPKpzhRWMu6HrdH8fuLkwynAHf5CuwBER4LWF+EF0ecwQnl3zl2pXPML24xCrkvVXCq/OVx8r6n1Crw4FfmOk97lWxqC319o0LbOhnC9wzkTkYqWmyxti8D1VrWBPRQAIoE9NJMqzb9viZX5S/X+g4pKVFN3tW8uDymYDvg8aw0zx1BT+y+6YjJ7XyYhcEbZJeB6VWyu2oH0nLW4Goi5pCUI/XN2q/ZfQnZMcX3fuu48qx2aOZmnaxaG+MsDXBwcMHn7cdVpAbH5yTE2xTngALTbdcdnYKBK7FtgyifM1FCMdSmc4KZ4SxmzaQ1+styH05xZuhSnHWkycC4cvNF205Ui/yKQ2bUSewuEV/1JsKf8vkq2aGp+9c2X1wcylcU3yFBfOo9Jazncz+RGkASpr0pY1CyCWXg737S421P1wr6NU1TxEl8cxMGTZKMBD6zl/7fk8oGzIZwwhGVfWiswn341oyexWH9w2QLyoB7Ztb8FXEe1fcPez/N9B3ZqIGtwWSeRh2lRf4B8qWZJB+/w/umPMUQAtJPK7bmMElpXV0xkJkWMZL0wVfBEBD0oO5eZ4tIqQVvhPpRu+a+u2rlYd/JtjLec02686D24KiIdF08B5cnY90OB7zdqrlz5KqaLXPV2g0yquWkEd5cDPf8dviSW8mLLI3rIj/VSvZrGmmOIXf7imKdonDb6ujg8VxF/RrF8TyHDqOJOyymbowuV11VSL0yMrN83jCZIoKoKqnRIT9mgpMA/o2HnYzlVpKZXj/VSzEYgFRHyPi496Ci6EnWqLeUS5moXq6GP1ZG/zV6T+fykubV9tLa8x+t/kvZev3jgxrFSZ7C9I/aG53HyBJ2CjnMtJtja1+wtul7fOxaV5m8jXbWsm4vvFEMBPzc+DDfGE2QKQxKcQVLvQabyZsGz8XKDG5lJe7+RDAy4rik8s2Y2zwzbEzpFZ1CdH6kW5PQqH+ubvo+D4WD/5vqqxWHoaXpj+edVzxe/a6Uo+Fc+Zr7jxhZgcq626xHGqFMVVPptLREfEqF8eYfJElO+OMoNNIY5etXLvP7u0JGzwESqGDm4vtiOFphB1iMxM9lCUcR2ZEiNGg/1j/RZDXKWcCY8p4dxafOJqyDyxTQmmynQ9NNaGLqEebsh5RZ/rZEdRvhTMH50mGRtYzWOHHRmUWU71bbjSxaWxzxJzoIuVTu/H6LiptKOCcO5Lzjfl6RT7JpDSH9j83dK8RocTYvpQdEJpNfyGFaYT3kczvH7nlrAmaYC8Vt1NVZawF6EXta6c5jxYCtzhrkQvwYHkWdJnjE3NXn6vTMwS6nxyFNzEoGEGL+uV53IyzlKjjL1QN5eLLF5rfko6JjEw5vfJ8A7Q2rl5rJpERQbx/EluFq/aj/WjPZiXNsE+3fK6iQos19DUnXVcLrAAfbOVvztsq0sOivoSOfHA16ZyGpQetmODJ7dsXQuPnd/wIU+4inzwAjHU+noRulc8fgv08A+Gu9n5F8OfhZVe0XjEA3L2kC04b2GAmxF+crtbu1PpzN6ekAoaAvSxU2qcNYIjHvPxJ/gTp5Kqr3L721AmZRQZCSOuoiBjR+S8rtJH087kXerhYTOyzokhiLcxHbHYHhBm6RFtbZK7+1uLpvinHt/ZGa8j9vNvG9FpYTQqZTQhH2xUmHK64GNEivxztsBeFP7B4ug1C83lO/UidwCu1Nc/aAdo40Q3x2LTruFzHGWuImFr/0y8Tvod2vpMQQ5UYs1UrZ060zwOt0odJixUtW0cNF4TQNHaeA0SCsp2NxD6d9DYtBEoYJ9QTGZy8hgT07QtJNLg= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZQToJRs3YT7nZWqbfTTGSHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXB6eLy/zU2QOshGtxYOVqCBiXtqhHeEY0b9ycR4tq4Mqb3Y5NyPYz32XaispQRTRkqF1PXJPcJ15EHwNAoARPLnK8+Au5ZALyfhGEwg6hrKQ3vxBFKwg70Zi7pARFF3vzLNuat1wUZOXQRRleKYDmn1lvgAn90mSDf7SyGQSZnn7Ivlsuw7HIKVYbpfzf2fBccdMBnP2lNhH9XQ3DC3KZBEuTtKkioBZVMB5H/HuwOBb+mRawP0IkRV6Du57PMzMP9PnYNh8kz6+xMReJtXf/fbj3WtuITXpleN9Qv9FRhY1KJ2rNgk2neLVYzjwtHfiL5TGExiWYEmrIOT7TbEgFwKc//izM+dDc38W5cffSUv3JpLfS8RB0NXb0DFtZxjWPfxwrBwnounsV5mNrglYqoOg== ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/9fca77e1278df339

Extracted

Path

C:\Users\Admin\Desktop\tvov5Gi3_readme.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aAbDBDaCcc You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- Mzc3LVA5Y05OZEVQRW9IU014bmFEYkRYMlJSeStKTzRqcnFQRWUxVEsvUjA3RmFyZExLN2hpM1Bhb3g5MUV4THBuWTAyTVBsWlJhTEY0ZFE0ODhvclhPWXU2TytPdG1hV3lCU0djQjJDeERzV2ppQm1XM0V1WGVhN0dCa0JmT01xRGJBU2xGRFNybi9CRVJIa1pCektTSjk3LzZCdEFReEMvZkxOcDZxNHY2TjFSWSswOFRKeWg3dE15TSsvc1JFRitVQUZWclU1KzJtb1A2Q0JoWnFia2k0bUs0MUwwSEgyZEdqV3k4bUZVRm16bnJVT2tWVllNYzdEUFhqc1plOXhZQmlCeDhsYzNzdUh6ekVqWmVLSzIyamJsN3hOLzF6aHVobTY5Z0hscmZZVG95SDIwMlRiM1BIektjQlNUMG8xa0l0emU1SkhMMi9KUWdDL0x5UW1pYm9KS01EODlmaDJPQlUxVm5BZHd3T1ZZMUVsMHhmbkxxQVA4L1pKNldNbEJRdUJINEU0bmdkVXVaM1NjbE1iTHUrQUovZ3AxUWs2S0VUREJMcTZ0c2R0NU02WC82RWRBdkFNVlNXenRxNFlKVnExYlNXeEpDdEdxOVlaR251ZWRrODlpaDd6MUQxNFRaTEVpb0g1dXNGMWJ1U2lkVG9PWmhhTDUrcDY0K2wxL09DQnVjOUZEdUtkbXpzWE5Hb0NROE56bTdSVWRrLytNOFJtd2szTlVUK2RSZUZ6cE0wR1BFUWNETkpTNHlPN0tzNWZaUUhQWTB5cllnYWkrU3ZEL0pucFU1bVFIaUt5SG5vUllxNS8vTHF4dFdMQlZuT3dHRVB1R2l5MXozVmxURVN5SEF3ZSt4ZWQzTUFVbldRZW52Vko2c3BXL2MvWktHMFdVaHNBTTM2dmJ0WVRDZHZzcUNtSTg1RzN4OEErTXFvaW1FQUxURERoZmFmVmpHclYxYmI0bjdMNVQ3U0tMSVc0T1RleGU4Ni9rSUtrdXVKcUlCYW1MSWlvNWNvSGFQZjhQaGxHdUJBTyt0SlBLRFdscFlTMTV1eEszekdyQWg1a29rWkhkanE3SkZWWG5IUFFrWDUvSm1MbHAzRndXTEkyM25CbGxhdjgwWTdzWjk5QS9LY1V3Qm5LaEtQanY4TjdLM1ZVeURMNDdkZ0d3eDF1MTNXLzlLcnRuSTV3VUQ2dTNYQUFmZFZIQXErZUVMcHc3TVRwcmZEKzE1S044NXh6d3BYbkNFa3JiM056dzFLSm1ndE9ZQk9UU2hza0dFK0NwOHhpWjh1WmFUT2s0NkJ0S3d5MXlkOXFodGt2Y2dIY0RVOXV4amFEdHJDeFh5b1dmVWpmYUdYS2E1eER3M3JuSytzeldEZi90c1pOWWlJQktLS0lTaFhaNlp3V0dMcHFXRDc1KzJjQngzaERGQXUzWWVMUUxoL3JVa2MxQXBVT1Z4MElsSXlQOWNFRVBzTzhtRzBxRTVkNHJhMU9McCtpSEJPNWhDVHhVWWp0ZlNjL2xFbGp1UWhoYlJiQWFsVWVXTmFSQ013UTlid1JuVWRkVC9pSExGZWtSNjNGSUMwa3cyMGFFeGQybzBrZXhtV3RmNjV0K3dJdmFUdU9vNmtPLzBYb21FbjhQTjFnNlgvT21DYTNyUEp3MWF0R2UyQU5Dd0xMSTNYTXdoU25GT1pHUVd5WWZQU3RBeDhHY25hL3BhVklPZFlSWkZvOS9INURvaUJKdGJvcnlOZ2dESU1LZk5CRVZxczAvOWpuUGsveDRRV01pUDE4cG1wdkF5MEJhbC9ORCtyd2twVnpYQXFEUEl1VXUrd2NEVDJnS21xZGQzTld5UUs4ekVFaEpsUmwxSFB2R1pSMW1RUkphNTYra2NSYngrcVhxelN4SDhGUUMvZXJZejhNRXpMRUp1TFJqL1l5cENYYkRUNkx3UEQyYzl4bGxOVEd5T29OWHZTVkVDbVYwUml5MkJVQU0ra3hPVXVlRmJZTWdELzRmYWYrR3luTVoyWnVmN1Q2RmgxM1J3ZFpCcldqMi9TNDB0UVlucXo1d3o3UEgrTFdSNGtORVVWL1YrY2JjOFBFcmd5SXBybThmd1ZFOWM4bHorcjEyNHQ2VktPVDhnMHg0TWJ4cjZNMjZqUlhEaERyQW10SmRlaVV2L2V5V1pLSXh6T3NzOWU1NjNIUG5sSHkxQmljUUdmanFxeXhVVHFsS2dm -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * 8zJm3LChWqPo7EfM7Gh8
URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\tvov5Gi3_readme.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aAbDBDaCcc You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- Mzc3LVA5Y05OZEVQRW9IU014bmFEYkRYMlJSeStKTzRqcnFQRWUxVEsvUjA3RmFyZExLN2hpM1Bhb3g5MUV4THBuWTAyTVBsWlJhTEY0ZFE0ODhvclhPWXU2TytPdG1hV3lCU0djQjJDeERzV2ppQm1XM0V1WGVhN0dCa0JmT01xRGJBU2xGRFNybi9CRVJIa1pCektTSjk3LzZCdEFReEMvZkxOcDZxNHY2TjFSWSswOFRKeWg3dE15TSsvc1JFRitVQUZWclU1KzJtb1A2Q0JoWnFia2k0bUs0MUwwSEgyZEdqV3k4bUZVRm16bnJVT2tWVllNYzdEUFhqc1plOXhZQmlCeDhsYzNzdUh6ekVqWmVLSzIyamJsN3hOLzF6aHVobTY5Z0hscmZZVG95SDIwMlRiM1BIektjQlNUMG8xa0l0emU1SkhMMi9KUWdDL0x5UW1pYm9KS01EODlmaDJPQlUxVm5BZHd3T1ZZMUVsMHhmbkxxQVA4L1pKNldNbEJRdUJINEU0bmdkVXVaM1NjbE1iTHUrQUovZ3AxUWs2S0VUREJMcTZ0c2R0NU02WC82RWRBdkFNVlNXenRxNFlKVnExYlNXeEpDdEdxOVlaR251ZWRrODlpaDd6MUQxNFRaTEVpb0g1dXNGMWJ1U2lkVG9PWmhhTDUrcDY0K2wxL09DQnVjOUZEdUtkbXpzWE5Hb0NROE56bTdSVWRrLytNOFJtd2szTlVUK2RSZUZ6cE0wR1BFUWNETkpTNHlPN0tzNWZaUUhQWTB5cllnYWkrU3ZEL0pucFU1bVFIaUt5SG5vUllxNS8vTHF4dFdMQlZuT3dHRVB1R2l5MXozVmxURVN5SEF3ZSt4ZWQzTUFVbldRZW52Vko2c3BXL2MvWktHMFdVaHNBTTM2dmJ0WVRDZHZzcUNtSTg1RzN4OEErTXFvaW1FQUxURERoZmFmVmpHclYxYmI0bjdMNVQ3U0tMSVc0T1RleGU4Ni9rSUtrdXVKcUlCYW1MSWlvNWNvSGFQZjhQaGxHdUJBTyt0SlBLRFdscFlTMTV1eEszekdyQWg1a29rWkhkanE3SkZWWG5IUFFrWDUvSm1MbHAzRndXTEkyM25CbGxhdjgwWTdzWjk5QS9LY1V3Qm5LaEtQanY4TjdLM1ZVeURMNDdkZ0d3eDF1MTNXLzlLcnRuSTV3VUQ2dTNYQUFmZFZIQXErZUVMcHc3TVRwcmZEKzE1S044NXh6d3BYbkNFa3JiM056dzFLSm1ndE9ZQk9UU2hza0dFK0NwOHhpWjh1WmFUT2s0NkJ0S3d5MXlkOXFodGt2Y2dIY0RVOXV4amFEdHJDeFh5b1dmVWpmYUdYS2E1eER3M3JuSytzeldEZi90c1pOWWlJQktLS0lTaFhaNlp3V0dMcHFXRDc1KzJjQngzaERGQXUzWWVMUUxoL3JVa2MxQXBVT1Z4MElsSXlQOWNFRVBzTzhtRzBxRTVkNHJhMU9McCtpSEJPNWhDVHhVWWp0ZlNjL2xFbGp1UWhoYlJiQWFsVWVXTmFSQ013UTlid1JuVWRkVC9pSExGZWtSNjNGSUMwa3cyMGFFeGQybzBrZXhtV3RmNjV0K3dJdmFUdU9vNmtPLzBYb21FbjhQTjFnNlgvT21DYTNyUEp3MWF0R2UyQU5Dd0xMSTNYTXdoU25GT1pHUVd5WWZQU3RBeDhHY25hL3BhVklPZFlSWkZvOS9INURvaUJKdGJvcnlOZ2dESU1LZk5CRVZxczAvOWpuUGsveDRRV01pUDE4cG1wdkF5MEJhbC9ORCtyd2twVnpYQXFEUEl1VXUrd2NEVDJnS21xZGQzTld5UUs4ekVFaEpsUmwxSFB2R1pSMW1RUkphNTYra2NSYngrcVhxelN4SDhGUUMvZXJZejhNRXpMRUp1TFJqL1l5cENYYkRUNkx3UEQyYzl4bGxOVEd5T29OWHZTVkVDbVYwUml5MkJVQU0ra3hPVXVlRmJZTWdELzRmYWYrR3luTVoyWnVmN1Q2RmgxM1J3ZFpCcldqMi9TNDB0UVlucXo1d3o3UEgrTFdSNGtORVVWL1YrY2JjOFBFcmd5SXBybThmd1ZFOWM4bHorcjEyNHQ2VktPVDhnMHg0TWJ4cjZNMjZqUlhEaERyQW10SmRlaVV2L2V5V1pLSXh6T3NzOWU1NjNIUG5sSHkxQmljUUdmanFxeXhVVHFsS2dm -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * USA9DQzAFk6r39
URLs

http://avaddonbotrxmuyl.onion

Targets

    • Target

      RNSM00384.7z

    • Size

      56.3MB

    • MD5

      600e405b3ca30e918aee2044111b6721

    • SHA1

      5855b3ced8b01d2177820f653a3ad7acd371dc22

    • SHA256

      a54e2aa0abb5b97d433a8e8fd2bdb2f83c9bef02e2db1695483a8294238adf46

    • SHA512

      08bcf977e46a624600662af6b580651a4e9927c9f47670e331531a58990f9440b593c7f5c280736d0cf222830439c796389d7eba0d76bbab12b2bdb3c9fec3ef

    • SSDEEP

      1572864:DwJV/DpTapvVBlk01AL78kFRdtEPoSx34382/oMR:gV/JaZRkga39SxO82AO

    Score
    10/10
    avaddongandcrabgluptebaquasarxoristbackdoorcredential_accessdefense_evasiondiscoverydropperevasionexecutionimpactloaderpersistenceransomwarespywarestealerthemidatrojanupx

    • Avaddon

      Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

      ransomwareavaddon

    • Avaddon family

      avaddon

    • Avaddon payload

    • Detected Xorist Ransomware

    • Disables service(s)

      evasionexecution

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

      ransomwarebackdoorgandcrab

    • Gandcrab family

      gandcrab

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba family

      glupteba

    • Glupteba payload

    • Modifies WinLogon for persistence

      persistence

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • UAC bypass

      evasiontrojan

    • Xorist Ransomware

      Xorist is a ransomware first seen in 2020.

      ransomwarexorist

    • Xorist family

      xorist

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Modifies boot configuration data using bcdedit

    • Renames multiple (2482) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Modifies Windows Firewall

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Impair Defenses: Safe Mode Boot

      defense_evasion

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

1
T1569

Service Execution

1
T1569.002

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

3
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

3
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Direct Volume Access

1
T1006

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

3
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

1
T1562.001

Safe Mode Boot

1
T1562.009

Indicator Removal

3
T1070

File Deletion

3
T1070.004

Modify Registry

7
T1112

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

4
T1552

Credentials In Files

4
T1552.001

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

7
T1012

Remote System Discovery

1
T1018

System Information Discovery

8
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Data from Local System

3
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

3
T1490

Service Stop

1
T1489

Tasks