MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Avaddon


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46
SHA3-384 hash: 6cd145630a0a078cdf6ec895a7d93610e8950f1666da88d2bfbb7fcb6347b68219294650b63ae67859539b92ce2c4d95
SHA1 hash: 51d85210c2f621ca14d92a8375ee24d62f9d7f44
MD5 hash: 275e4a63fc63c995b3e0d464919f211b
humanhash: stream-four-failed-eighteen
File name:Avaddon Ransomware
Download: download sample
Signature Avaddon
Create hunting rule
File size:736'608 bytes
First seen:2020-09-01 13:27:29 UTC
Last seen:2020-09-01 14:54:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ebcba21b169b4d31880471f7ee399c34 (1 x Avaddon)
ssdeep 12288:OR8hjUV679Aa4Auw3gveB17cOT1WHWEQTe0udkuHgCNU7SY/qgjjmJ/:quK679Aa4Auw3gveB1TGWEQSzXY/tjq/
Threatray 12 similar samples on MalwareBazaar
TLSH 5CF49E317D82C077E46A41304E98A7B594BEF8724B320DDB67C86B1D5E706E26E31A73
Reporter JAMESWT_WT
Tags:Avaddon Gold Stroy SP Z O O

Code Signing Certificate

Organisation:DigiCert High Assurance EV Root CA
Issuer:DigiCert High Assurance EV Root CA
Algorithm:sha1WithRSAEncryption
Valid from:Nov 10 00:00:00 2006 GMT
Valid to:Nov 10 00:00:00 2031 GMT
Serial number: 02AC5C266A0B409B8F0B79F2AE462577
Intelligence: 204 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 7431E5F4C3C1CE4690774F0B61E05440883BA9A01ED00BA6ABD7806ED3B118CF
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Launching a service
Creating a file
Enabling the 'hidden' option for recently created files
Changing a file
Connection attempt
Reading critical registry keys
Network activity
Blocking the User Account Control
Deleting volume shadow copies
Creating a file in the mass storage device
Stealing user critical data
Encrypting user's files
Result
Threat name:
Avaddon
Create hunting rule
Detection:
malicious
Classification:
rans.spre
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/456621
Signature
Antivirus / Scanner detection for submitted sample
Deletes shadow drive data (may be related to ransomware)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Spreads via windows shares (copies files to share folders)
Writes many files with high entropy
Yara detected Avaddon Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 280693 Sample: Avaddon Ransomware Startdate: 01/09/2020 Architecture: WINDOWS Score: 80 39 Antivirus / Scanner detection for submitted sample 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Yara detected Avaddon Ransomware 2->43 45 2 other signatures 2->45 7 Avaddon Ransomware.exe 502 65 2->7         started        process3 file4 31 C:\Users\user\Desktop\...\MQAWXUYAIK.docx, data 7->31 dropped 33 C:\Users\user\Desktop\MQAWXUYAIK.xlsx, data 7->33 dropped 35 C:\Users\user\Desktop\MNULNCRIYC.pdf, data 7->35 dropped 37 93 other malicious files 7->37 dropped 47 Deletes shadow drive data (may be related to ransomware) 7->47 49 Spreads via windows shares (copies files to share folders) 7->49 51 Modifies existing user documents (likely ransomware behavior) 7->51 11 WMIC.exe 1 7->11         started        13 WMIC.exe 1 7->13         started        15 WMIC.exe 1 7->15         started        17 3 other processes 7->17 signatures5 process6 process7 19 conhost.exe 11->19         started        21 conhost.exe 13->21         started        23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        27 conhost.exe 17->27         started        29 conhost.exe 17->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46/
Threat name:
Win32.Ransomware.Avaddon
Create hunting rule
Status:
Malicious
First seen:
2020-08-31 17:33:46 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zsk2ruia64gq7p2k6fhikkvbbc63by3nwqcuyp3awnivqgfhd5da._file
Verdict:
unknown
Similar samples:
01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993
Avaddon
0f081ea4e30ca05fc2977235bf239992b17fa9968b58b001990e4539f0899269
Avaddon
692dc7ac48dfa381cd7f860236876e3621af2e1dc984b8f14cad498e412e88d8
Avaddon
75adf0d7e708b54f8debec4767e2ba3cc52cdf0264a8d6545865d4c7ae7352d0
Avaddon
7b4a13c022f0948f0a7ace0c2ea8b85af4f596338af14c3a1be2e63f55cbb335
Avaddon
b74e722c4a7b85d49e9c25991528d742161a1ae76c860e001868b1918dc66222
Avaddon
bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc
Avaddon
e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf
Avaddon
f5123e1fe20922f1e236abdc7aa90f98056ffef585bc4a2c1b93cfd2dd2736a0
Avaddon
fa4626e2c5984d7868a685c5102530bd8260d0b31ef06d2ce2da7636da48d2d6
Avaddon
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
ransomware evasion trojan persistence
Link:
https://tria.ge/reports/200901-9h5c62jr3e/
Behaviour
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Interacts with shadow copies
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Drops file in Windows directory
Modifies service
Modifies service
Checks whether UAC is enabled
Drops desktop.ini file(s)
Enumerates connected drives
Checks whether UAC is enabled
Drops desktop.ini file(s)
Enumerates connected drives
Modifies extensions of user files
Modifies extensions of user files
Deletes shadow copies
Deletes shadow copies
UAC bypass
UAC bypass
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Avaddon
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/54009/

Comments