MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8e99bbacc62b0f72aa12f5f92e35607fa0382a881fe4a4b9476fc6b87a03c78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AvosLocker


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f8e99bbacc62b0f72aa12f5f92e35607fa0382a881fe4a4b9476fc6b87a03c78
SHA3-384 hash: ae529338f9e225c30284057a9f026e209077b4d27fe6d50fb095fc8f1e33353cf73c887aa597df6febdd44d668a1a5bc
SHA1 hash: 7bcd2d32a19c1ac7bd014dc9e64b806fdff5f5de
MD5 hash: 8da384b2427b8397a5934182c159c257
humanhash: tango-tennessee-pasta-black
File name:LABS.exe
Download: download sample
Signature AvosLocker
Create hunting rule
File size:826'880 bytes
First seen:2022-09-18 22:27:15 UTC
Last seen:2024-11-21 14:45:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6384241afa3b18e8b84aff69eaa01910 (5 x AvosLocker, 2 x Ransomare.AvosLocker)
ssdeep 12288:0Z4s3rg9u/2/oT+NXtHLlP/O+OeO+OeNhBBhhBBAtHg9rjI+LXJ0ivlzkHBDsYAu:u4s+oT+NXBLi0rjFXvyHBlb6CZa8
Threatray 2'563 similar samples on MalwareBazaar
TLSH T180058D317587E473C46100B19C7DB9AA9129BD350B355AC7A3D93B2DAABC2C10F32E5B
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter 1ZRR4H
Tags:AvosLocker exe Ransomare.AvosLocker Ransomware

Intelligence

File Origin
# of uploads :
4
# of downloads :
525
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
LABS.exe
Verdict:
Malicious activity
Analysis date:
2022-09-18 22:29:17 UTC
Tags:
ransomware
Link:
https://app.any.run/tasks/28196a18-420f-41ee-b6e9-400faf17e582

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311141/
Detection(s):
Win.Ransomware.Deepscan-9938939-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file
Moving a recently created file
Modifying an executable file
Changing a file
Creating a file in the Program Files subdirectories
Reading critical registry keys
Moving a file to the Program Files subdirectory
Launching a process
Creating a window
Creating a file in the mass storage device
Stealing user critical data
Deleting volume shadow copies
Preventing system recovery
Forced shutdown of a browser
Encrypting user's files
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/38055/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware obfuscated ransomware
Link:
https://www.filescan.io/uploads/63279bae1ff34be845b638e0/reports/c8c4c3ca-3576-47c8-8e88-d30dc342883f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AvosLocker
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d0554b0b-fbe2-4f1c-8e84-ef45d8909916
Result
Threat name:
AvosLocker
Create hunting rule
Detection:
malicious
Classification:
rans.spre.evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1072585
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Changes the wallpaper picture
Deletes shadow drive data (may be related to ransomware)
Found ransom note / readme
Found Tor onion address
Infects executable files (exe, dll, sys, html)
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Multi AV Scanner detection for domain / URL
Obfuscated command line found
Sigma detected: Delete shadow copy via WMIC
Uses bcdedit to modify the Windows boot settings
Writes many files with high entropy
Yara detected AvosLocker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 705127 Sample: LABS.exe Startdate: 19/09/2022 Architecture: WINDOWS Score: 100 48 Multi AV Scanner detection for domain / URL 2->48 50 Antivirus detection for URL or domain 2->50 52 Antivirus / Scanner detection for submitted sample 2->52 54 6 other signatures 2->54 7 LABS.exe 1 2->7         started        11 notepad.exe 2->11         started        process3 file4 40 C:\...\DGCOUPON.DPV.avos2 (copy), DOS 7->40 dropped 42 C:\...\DGCAL.DPV.avos2 (copy), COM 7->42 dropped 44 C:\Program Files (x86)\...\DGCOUPON.DPV, DOS 7->44 dropped 46 175 other files (171 malicious) 7->46 dropped 56 Obfuscated command line found 7->56 58 Deletes shadow drive data (may be related to ransomware) 7->58 60 Uses bcdedit to modify the Windows boot settings 7->60 62 2 other signatures 7->62 13 cmd.exe 1 7->13         started        16 cmd.exe 1 7->16         started        18 powershell.exe 14 7->18         started        21 4 other processes 7->21 signatures5 process6 file7 66 May disable shadow drive data (uses vssadmin) 13->66 68 Deletes shadow drive data (may be related to ransomware) 13->68 70 Uses bcdedit to modify the Windows boot settings 13->70 23 WMIC.exe 1 13->23         started        25 vssadmin.exe 1 16->25         started        38 C:\Users\user\AppData\Local\...\287624302.png, PNG 18->38 dropped 27 reg.exe 1 18->27         started        30 rundll32.exe 18->30         started        32 powershell.exe 11 21->32         started        34 bcdedit.exe 7 1 21->34         started        36 bcdedit.exe 8 1 21->36         started        signatures8 process9 signatures10 64 Changes the wallpaper picture 27->64
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f8e99bbacc62b0f72aa12f5f92e35607fa0382a881fe4a4b9476fc6b87a03c78/
Threat name:
Win32.Ransomware.AvosLocker
Create hunting rule
Status:
Malicious
First seen:
2022-09-18 22:28:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
32 of 40 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7duzxowmmkypokvbf5pzfy2wa75ahaviqh7eus4uo36gxb5ahr4a._file
Verdict:
malicious
Similar samples:
02cf1973b602797cce3fe7a5647eb7fd93ca84b6617984ce71eb2d7389fcb120
AvosLocker
14f2a593281d5c9700a878f32199aa69b18f10b2d3849d216764f96a3f8a00f9
AvosLocker
4533b5392f6e49cf20ee0821b4c8b6b74b8af274995646791ec7fe48a2615425
AvosLocker
47dca00b393f5db1a0842506125dda8ec426c699e22de2df32c95d65fb990893
AvosLocker
538da46bffb52cffd821cb51ebd76072b6775773df6113ac1e98edab0ca49a2a
AvosLocker
8befc91b605e2dd3ee8917f6e4b2ab943ec7900d257b704955c2defc0328b4d8
AvosLocker
d6618f430c04b203394c7887803a2171402efa31427c0835e24c9dec935bf79c
AvosLocker
+ 2'553 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion ransomware
Link:
https://tria.ge/reports/220918-2dm44aceg4/
Behaviour
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Sets desktop wallpaper using registry
Drops desktop.ini file(s)
Enumerates connected drives
Modifies extensions of user files
Deletes shadow copies
Modifies boot configuration data using bcdedit
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e1341676-9c3d-4b09-80e1-6a414a2b8b74
Unpacked files
SH256 hash:
f8e99bbacc62b0f72aa12f5f92e35607fa0382a881fe4a4b9476fc6b87a03c78
MD5 hash:
8da384b2427b8397a5934182c159c257
SHA1 hash:
7bcd2d32a19c1ac7bd014dc9e64b806fdff5f5de
Link:
https://www.unpac.me/results/4ad27cce-fdad-4d98-8c25-7ebf3125ed52/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f8e99bbacc62/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f8e99bbacc62b0f72aa12f5f92e35607fa0382a881fe4a4b9476fc6b87a03c78

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest6
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:Record_Breaker_Similarities
Create hunting rule
Author:DigitalPanda
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/311141/

Comments