MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Avaddon


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259
SHA3-384 hash: e77bc9206aa11c6c7b98321111901c9bb97575d837eab17cceb70ef110eef6867021dff418bae6a772ef8c7fa1d4be72
SHA1 hash: a4d2dde718cc10d6ac12e4ec1f602a1050746aa5
MD5 hash: affa6575a3ff529c583fab38ff9f59e5
humanhash: twelve-alaska-ceiling-mars
File name:affa6575a3ff529c583fab38ff9f59e5.exe
Download: download sample
Signature Avaddon
Create hunting rule
File size:5'048'848 bytes
First seen:2020-09-25 13:15:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b1ea5fd53e7480d5e00ebc689ced94b3 (6 x Avaddon)
ssdeep 98304:bw3OKBzMFxybbbbpNGWeEi4DtrRKm40djW1mGaHBad6s:bw3y6bbbbpNYwDdjW1zqEn
Threatray 3 similar samples on MalwareBazaar
TLSH F3365AE67647A1CFE05E0678D412CE42982C13F597218943FA6CB8FE7F72CE21687925
Reporter abuse_ch
Tags:Avaddon exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Avaddon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/65822/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader34.2699.12055.11405.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Launching a process
Launching a service
Enabling the 'hidden' option for recently created files
Changing a file
Reading critical registry keys
Connection attempt
Network activity
Creating a window
Creating a process from a recently created file
Creating a process with a hidden window
Blocking the User Account Control
Deleting volume shadow copies
Stealing user critical data
Creating a file in the mass storage device
Enabling autorun by creating a file
Encrypting user's files
Result
Threat name:
Avaddon
Create hunting rule
Detection:
malicious
Classification:
rans.spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/475142
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Deletes shadow drive data (may be related to ransomware)
Found ransom note / readme
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Spreads via windows shares (copies files to share folders)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Writes many files with high entropy
Yara detected Avaddon Ransomware
Yara detected PersistenceViaHiddenTask
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 290022 Sample: dC3DXuOdLv.exe Startdate: 25/09/2020 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Antivirus / Scanner detection for submitted sample 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 6 other signatures 2->52 7 dC3DXuOdLv.exe 298 65 2->7         started        12 dC3DXuOdLv.exe 2->12         started        14 dC3DXuOdLv.exe 2->14         started        process3 dnsIp4 44 api.myip.com 104.31.67.68, 443, 49720 CLOUDFLARENETUS United States 7->44 36 C:\Users\user\AppData\...\dC3DXuOdLv.exe, PE32 7->36 dropped 38 C:\Users\user\Desktop\QvpIO_readme.txt, ASCII 7->38 dropped 40 C:\Users\user\Desktop\...\DQOFHVHTMG.docx, data 7->40 dropped 42 47 other malicious files 7->42 dropped 54 Query firmware table information (likely to detect VMs) 7->54 56 Deletes shadow drive data (may be related to ransomware) 7->56 58 Spreads via windows shares (copies files to share folders) 7->58 68 2 other signatures 7->68 16 WMIC.exe 1 7->16         started        18 WMIC.exe 1 7->18         started        20 WMIC.exe 1 7->20         started        22 3 other processes 7->22 60 Antivirus detection for dropped file 12->60 62 Multi AV Scanner detection for dropped file 12->62 64 Machine Learning detection for dropped file 12->64 66 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->66 file5 signatures6 process7 process8 24 conhost.exe 16->24         started        26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        32 conhost.exe 22->32         started        34 conhost.exe 22->34         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259/
Threat name:
Win32.Trojan.DelShad
Create hunting rule
Status:
Malicious
First seen:
2020-07-22 00:07:27 UTC
AV detection:
33 of 48 (68.75%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y7e7r5udjd55e2voede4zmno7uopzzrys7x2jrskxz5mjabfgjmq._file
Verdict:
malicious
Similar samples:
692dc7ac48dfa381cd7f860236876e3621af2e1dc984b8f14cad498e412e88d8
Avaddon
6ad2831339a2a6fc8d140c8718cf38fabef9915409bd32cd86221b515b4be629
Avaddon
b74e722c4a7b85d49e9c25991528d742161a1ae76c860e001868b1918dc66222
Avaddon
Result
Malware family:
avaddon
Create hunting rule
Score:
  10/10
Tags:
ransomware family:avaddon evasion trojan persistence
Link:
https://tria.ge/reports/200925-zq1lh9ggkx/
Behaviour
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Modifies service
Checks whether UAC is enabled
Drops desktop.ini file(s)
Enumerates connected drives
JavaScript code in executable
Looks up external IP address via web service
Checks BIOS information in registry
Executes dropped EXE
Modifies extensions of user files
Deletes shadow copies
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Avaddon
Avaddon Ransomware
UAC bypass
Unpacked files
SH256 hash:
c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259
MD5 hash:
affa6575a3ff529c583fab38ff9f59e5
SHA1 hash:
a4d2dde718cc10d6ac12e4ec1f602a1050746aa5
Detections:
win_avaddon_w0
Create hunting rule
Link:
https://www.unpac.me/results/5299d539-a610-4e1c-96fb-7c62c890a19a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Avaddon
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Avaddon

Executable exe c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/65822/
  
URLhaus
https://urlhaus.abuse.ch/url/408718/
  
Delivery method
Distributed via web download

Comments