MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Avaddon


Vendor detections: 6


SHA256 hash: e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf
SHA3-384 hash: 392104c23fd865a03f12a39aac07a17c638c13c654a593fe5fc218a28d6123f3d13b972ddd747cdab8d1806452e62057
SHA1 hash: e62fbe82dc5c1efbdecfd94791e023002d3c178b
MD5 hash: ccede1200a6e8eff54a358fa1e6d119a
humanhash: football-wolfram-tango-seventeen
File name: r.bin
Signature: Avaddon
File size: 2'229'144 bytes
First seen: 2020-07-30 11:59:35 UTC
Last seen: 2020-08-04 11:37:18 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5e5ac8ab7be27ac2d1c548e5589378b6 (11 x GuLoader, 6 x Stealc, 5 x RedLineStealer)
ssdeep: 49152:Q6otv8NVQqr7XXpwM+DbhzFG13Dyz6fRG+A+85fbhl7zsPS0mc+8aun:QDB8XQqDXf+D9FG1dp9m5fb37zsf+yn
Threatray: 43 similar samples on MalwareBazaar
TLSH: E4A512C3F599304CF5EF433BB5EA4E25B6E22DA20D465A4161343F94BF32581A7C0B6A
Reporter: vm001cn
Tags: Avaddon, Ransomware

Intelligence


File Origin
# of uploads: 4
# of downloads: 336
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Creating a window
Blocking the User Account Control
Result
Threat name: Avaddon
Detection: malicious
Classification: rans.spre.troj.evad
Score: 100 / 100
Signature
Deletes shadow drive data (may be related to ransomware)
Disables UAC (registry)
Found ransom note / readme
Hides threads from debuggers
Machine Learning detection for sample
May check the online IP address of the machine
Modifies existing user documents (likely ransomware behavior)
PE file has nameless sections
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Spreads via windows shares (copies files to share folders)
Writes many files with high entropy
Yara detected Avaddon Ransomware
Behaviour
Behavior Graph (ID 254289; sample r.bin; start date 30/07/2020; architecture WINDOWS; score 100). The graph image is not reproduced here; the information it carried is summarised below.

Top level:
Network: cdn.onenote.net; g.msn.com; asf-ris-prod-neurope.northeurope.cloudapp.azure.com
Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found ransom note / readme; Yara detected Avaddon Ransomware; 4 other signatures
Started process: r.exe

r.exe:
Network: api.myip.com (104.31.67.68, port 443, CLOUDFLARENETUS, United States); 192.168.2.1 (unknown)
Dropped files: C:\Users\user\Desktop\...\ZGGKNSUKOP.xlsx (data); C:\Users\user\Desktop\PALRGUCVEH.docx (data); C:\Users\user\Desktop\...\BJZFPPWAPT.xlsx (data); 86 other malicious files
Signatures: Deletes shadow drive data (may be related to ransomware); Spreads via windows shares (copies files to share folders); Disables UAC (registry); 3 other signatures
Started processes: WMIC.exe (three instances); 3 other processes

Child processes:
Each of the three WMIC.exe instances started conhost.exe; the 3 other processes started three further conhost.exe instances (six conhost.exe in total).
Threat name: Win32.Trojan.DelShad
Status: Malicious
First seen: 2020-07-30 12:01:04 UTC
File Type: PE (Exe)
Extracted files: 9
AV detection: 38 of 48 (79.17%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: ransomware, persistence, evasion, trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Interacts with shadow copies
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
System policy modification
Modifies service
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Enumerates connected drives
Looks up external IP address via web service
Drops desktop.ini file(s)
Modifies extensions of user files
Deletes shadow copies
UAC bypass
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments