MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Avaddon


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365
SHA3-384 hash: 465aa58d254c25b03a4b90822e619b9acb97fabd97055f167d208881e0ade160ae6f2692c5eb2a7aa010728a98002785
SHA1 hash: 7020b4d9e700b697d507a61bffea12c9475a23d2
MD5 hash: 6ff1ca648505fe8bea6b4a26616b9722
humanhash: california-washington-batman-five
File name:6ff1ca648505fe8bea6b4a26616b9722.exe
Download: download sample
Signature Avaddon
Create hunting rule
File size:5'045'776 bytes
First seen:2020-09-25 13:15:29 UTC
Last seen:2020-09-25 13:48:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b1ea5fd53e7480d5e00ebc689ced94b3 (6 x Avaddon)
ssdeep 98304:zDAjjvoF+Cp+/bbbbp7FO1gTL9M5gmoZHOoOVsHalI:zuvAObbbbp78+VwzV0alI
Threatray 4 similar samples on MalwareBazaar
TLSH 35365CE5B525A1CFD29E07B4E1DACE42982E43F4C7210843B85C757E6FA2CC219D7E29
Reporter abuse_ch
Tags:Avaddon exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
285
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Avaddon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/65826/
Detection(s):
SecuriteInfo.com.Trojan.Encoder.32315.6242.270.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Launching a process
Launching a service
Enabling the 'hidden' option for recently created files
Changing a file
Reading critical registry keys
Connection attempt
Network activity
Blocking the User Account Control
Deleting volume shadow copies
Creating a file in the mass storage device
Stealing user critical data
Encrypting user's files
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/475138
Signature
Antivirus / Scanner detection for submitted sample
Deletes shadow drive data (may be related to ransomware)
Disables UAC (registry)
Machine Learning detection for sample
May check the online IP address of the machine
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Spreads via windows shares (copies files to share folders)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Writes many files with high entropy
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 290019 Sample: 1jDJSj4RjD.exe Startdate: 25/09/2020 Architecture: WINDOWS Score: 100 41 cdn.onenote.net 2->41 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 3 other signatures 2->51 8 1jDJSj4RjD.exe 502 44 2->8         started        signatures3 process4 dnsIp5 43 api.myip.com 104.31.66.68, 443, 49737 CLOUDFLARENETUS United States 8->43 33 C:\Users\user\Desktop\LIJDSFKJZG.pdf, data 8->33 dropped 35 C:\Users\user\Desktop\...\VWDFPKGDUF.pdf, data 8->35 dropped 37 C:\Users\user\Desktop\LFOPODGVOH.docx, data 8->37 dropped 39 95 other malicious files 8->39 dropped 53 Query firmware table information (likely to detect VMs) 8->53 55 Deletes shadow drive data (may be related to ransomware) 8->55 57 Spreads via windows shares (copies files to share folders) 8->57 59 4 other signatures 8->59 13 WMIC.exe 1 8->13         started        15 WMIC.exe 1 8->15         started        17 WMIC.exe 1 8->17         started        19 3 other processes 8->19 file6 signatures7 process8 process9 21 conhost.exe 13->21         started        23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        29 conhost.exe 19->29         started        31 conhost.exe 19->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365/
Threat name:
Win32.Trojan.DelShad
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 10:37:17 UTC
AV detection:
32 of 48 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pn6bmntxi3x6owb24rrdlmxqmlheiybn3kmqzgqru4ynmgny2nsq._file
Verdict:
malicious
Similar samples:
692dc7ac48dfa381cd7f860236876e3621af2e1dc984b8f14cad498e412e88d8
Avaddon
6ad2831339a2a6fc8d140c8718cf38fabef9915409bd32cd86221b515b4be629
Avaddon
99b9b649c59745f1544c91ffe35dad1e1529c9cb6715325c95ee396bbe3db2ab
Avaddon
b74e722c4a7b85d49e9c25991528d742161a1ae76c860e001868b1918dc66222
Avaddon
Result
Malware family:
n/a
Score:
  10/10
Tags:
ransomware evasion persistence trojan
Link:
https://tria.ge/reports/200925-1y9zvfhx3e/
Behaviour
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Modifies service
Checks whether UAC is enabled
Drops desktop.ini file(s)
Enumerates connected drives
Looks up external IP address via web service
Checks BIOS information in registry
Modifies extensions of user files
Deletes shadow copies
Identifies VirtualBox via ACPI registry values (likely anti-VM)
UAC bypass
Unpacked files
SH256 hash:
7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365
MD5 hash:
6ff1ca648505fe8bea6b4a26616b9722
SHA1 hash:
7020b4d9e700b697d507a61bffea12c9475a23d2
Detections:
win_avaddon_w0
Create hunting rule
Link:
https://www.unpac.me/results/72ee81f6-06a3-45af-8cc7-0bc67dbb45a3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Avaddon
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Avaddon

Executable exe 7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/65826/
  
URLhaus
https://urlhaus.abuse.ch/url/408718/
  
Delivery method
Distributed via web download

Comments