MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa4626e2c5984d7868a685c5102530bd8260d0b31ef06d2ce2da7636da48d2d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Avaddon


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa4626e2c5984d7868a685c5102530bd8260d0b31ef06d2ce2da7636da48d2d6
SHA3-384 hash: 220e91799ad2e532b16b13913187f6e7f946aa94af42276e4b11fd7c72aac1a661fd14879ffcbb620f057bd8f21d1c1b
SHA1 hash: b3c597060abc20d3b3291f8b5252a3834d49b92f
MD5 hash: 6c660f960daac148be75427c712d0134
humanhash: bacon-early-cup-video
File name:wtava.exe
Download: download sample
Signature Avaddon
Create hunting rule
File size:1'143'808 bytes
First seen:2020-06-21 06:09:17 UTC
Last seen:2020-06-26 05:44:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 84789fed28ecdb34d8ea466d9386a4ec (2 x Avaddon)
ssdeep 24576:du13Ii3FoHjrdVIxpxJbpvR+h8O+DB8lll7IbbbbpcMs:du3IDHjrdVIxpxhe8O68Ll7IbbbbpcM
Threatray 73 similar samples on MalwareBazaar
TLSH 69357D7DB4E3C436D62000B49998E3B5992EA5F1CB3104C3BBCC5A4A1BB56D1AA375F3
Reporter cocaman
Tags:Avaddon exe

Intelligence

File Origin
# of uploads :
6
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/12336/
Detection(s):
SecuriteInfo.com.Win32.Heri.28980.16498.UNOFFICIAL
Create hunting rule

Result
Threat name:
Avaddon
Create hunting rule
Detection:
malicious
Classification:
rans.spre.troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/376850
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 240551 Sample: wtava.exe Startdate: 22/06/2020 Architecture: WINDOWS Score: 92 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected Avaddon Ransomware 2->50 52 May check the online IP address of the machine 2->52 54 2 other signatures 2->54 7 wtava.exe 413 47 2->7         started        12 wtava.exe 2->12         started        14 wtava.exe 2->14         started        16 3 other processes 2->16 process3 dnsIp4 46 api.myip.com 104.31.66.68, 443, 49715 unknown United States 7->46 38 C:\Users\user\AppData\Roaming\...\wtava.exe, PE32 7->38 dropped 40 C:\Users\user\Desktop\...\DVWHKMNFNN.xlsx, data 7->40 dropped 42 C:\Users\user\Desktop\...\UMMBDNEQBN.pdf, data 7->42 dropped 44 2 other malicious files 7->44 dropped 56 Deletes shadow drive data (may be related to ransomware) 7->56 58 Spreads via windows shares (copies files to share folders) 7->58 60 Disables UAC (registry) 7->60 64 2 other signatures 7->64 18 WMIC.exe 1 7->18         started        20 WMIC.exe 1 7->20         started        22 WMIC.exe 1 7->22         started        24 3 other processes 7->24 62 Multi AV Scanner detection for dropped file 12->62 file5 signatures6 process7 process8 26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        34 conhost.exe 24->34         started        36 conhost.exe 24->36         started       
Gathering data
Threat name:
Win32.Ransomware.Avaddon
Create hunting rule
Status:
Malicious
First seen:
2020-06-21 00:37:52 UTC
File Type:
PE (Exe)
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7jdcnywftbgxq2fgqxcrajjqxwbgbuftd3yg2lhc3j3dnwsi2lla._file
Verdict:
unknown
Similar samples:
01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993
Avaddon
0f081ea4e30ca05fc2977235bf239992b17fa9968b58b001990e4539f0899269
Avaddon
692dc7ac48dfa381cd7f860236876e3621af2e1dc984b8f14cad498e412e88d8
Avaddon
6ad2831339a2a6fc8d140c8718cf38fabef9915409bd32cd86221b515b4be629
Avaddon
75adf0d7e708b54f8debec4767e2ba3cc52cdf0264a8d6545865d4c7ae7352d0
Avaddon
7b4a13c022f0948f0a7ace0c2ea8b85af4f596338af14c3a1be2e63f55cbb335
Avaddon
b74e722c4a7b85d49e9c25991528d742161a1ae76c860e001868b1918dc66222
Avaddon
bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc
Avaddon
e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf
Avaddon
f5123e1fe20922f1e236abdc7aa90f98056ffef585bc4a2c1b93cfd2dd2736a0
Avaddon
+ 63 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence evasion trojan ransomware
Link:
https://tria.ge/reports/200624-yg6rf8xa12/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Interacts with shadow copies
System policy modification
Suspicious use of WriteProcessMemory
Modifies service
Adds Run entry to start application
Looks up external IP address via web service
Checks whether UAC is enabled
Drops desktop.ini file(s)
Executes dropped EXE
Deletes shadow copies
UAC bypass
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
  
X
https://twitter.com/1ZRR4H/status/1274576923251834880
Cape
Cape
https://www.capesandbox.com/analysis/12336/

Comments