SYMBOLCOMMON_NAMEaka. SYNONYMS
win.avaddon (Back to overview)

Avaddon

Actor(s): RIDDLE SPIDER


Avaddon is a ransomware malware targeting Windows systems often spread via malicious spam. The first known attack where Avaddon ransomware was distributed was in February 2020. Avaddon encrypts files using the extension .avdn and uses a TOR payment site for the ransom payment.

References
2021-07-22S2W LAB Inc.TALON
@online{talon:20210722:quick:7951b68, author = {TALON}, title = {{Quick analysis of Haron Ransomware (feat. Avaddon and Thanos)}}, date = {2021-07-22}, organization = {S2W LAB Inc.}, url = {https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4}, language = {English}, urldate = {2021-07-26} } Quick analysis of Haron Ransomware (feat. Avaddon and Thanos)
Avaddon Hakbit
2021-06-16Advanced IntelligenceVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20210616:rise:8cfe240, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{The Rise & Demise of Multi-Million Ransomware Business Empire}}, date = {2021-06-16}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/the-rise-demise-of-multi-million-ransomware-business-empire}, language = {English}, urldate = {2021-06-21} } The Rise & Demise of Multi-Million Ransomware Business Empire
Avaddon
2021-06-11The RecordCatalin Cimpanu
@online{cimpanu:20210611:cybercrime:dba57e7, author = {Catalin Cimpanu}, title = {{Cybercrime Featured Avaddon ransomware operation shuts down and releases decryption keys}}, date = {2021-06-11}, organization = {The Record}, url = {https://therecord.media/avaddon-ransomware-operation-shuts-down-and-releases-decryption-keys/}, language = {English}, urldate = {2021-06-21} } Cybercrime Featured Avaddon ransomware operation shuts down and releases decryption keys
Avaddon
2021-06-11Bleeping ComputerLawrence Abrams
@online{abrams:20210611:avaddon:0c89258, author = {Lawrence Abrams}, title = {{Avaddon ransomware shuts down and releases decryption keys}}, date = {2021-06-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/}, language = {English}, urldate = {2021-06-16} } Avaddon ransomware shuts down and releases decryption keys
Avaddon
2021-05-14The RecordCatalin Cimpanu
@online{cimpanu:20210514:darkside:2760169, author = {Catalin Cimpanu}, title = {{Darkside ransomware gang says it lost control of its servers & money a day after Biden threat}}, date = {2021-05-14}, organization = {The Record}, url = {https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/}, language = {English}, urldate = {2021-05-17} } Darkside ransomware gang says it lost control of its servers & money a day after Biden threat
DarkSide Avaddon REvil
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-08Australian Signals DirectorateAustralian Cyber Security Centre (ACSC)
@techreport{acsc:20210508:2021003:ac0c913, author = {Australian Cyber Security Centre (ACSC)}, title = {{2021-003: Ongoing campaign using Avaddon Ransomware}}, date = {2021-05-08}, institution = {Australian Signals Directorate}, url = {https://www.cyber.gov.au/sites/default/files/2021-05/2021-003%20Ongoing%20campaign%20using%20Avaddon%20Ransomware%20-%2020210508.pdf}, language = {English}, urldate = {2021-05-11} } 2021-003: Ongoing campaign using Avaddon Ransomware
Avaddon
2021-05-06Cyborg SecurityBrandon Denker
@online{denker:20210506:ransomware:a1f31df, author = {Brandon Denker}, title = {{Ransomware: Hunting for Inhibiting System Backup or Recovery}}, date = {2021-05-06}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/}, language = {English}, urldate = {2021-05-08} } Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-04-26CoveWareCoveWare
@online{coveware:20210426:ransomware:12586d5, author = {CoveWare}, title = {{Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound}}, date = {2021-04-26}, organization = {CoveWare}, url = {https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound}, language = {English}, urldate = {2021-05-13} } Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-25Vulnerability.ch BlogCorsin Camichel
@online{camichel:20210425:ransomware:1a1ee7f, author = {Corsin Camichel}, title = {{Ransomware and Data Leak Site Publication Time Analysis}}, date = {2021-04-25}, organization = {Vulnerability.ch Blog}, url = {https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/}, language = {English}, urldate = {2021-04-29} } Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil
2021-04-01SentinelOneJim Walter
@online{walter:20210401:avaddon:6735c18, author = {Jim Walter}, title = {{Avaddon RaaS | Breaks Public Decryptor, Continues On Rampage}}, date = {2021-04-01}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/}, language = {English}, urldate = {2021-04-09} } Avaddon RaaS | Breaks Public Decryptor, Continues On Rampage
Avaddon
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-09Javier Yuste, Sergio Pastrana
@techreport{yuste:20210209:avaddon:1bc8c3b, author = {Javier Yuste and Sergio Pastrana}, title = {{Avaddon ransomware: an in-depth analysis and decryption of infected systems}}, date = {2021-02-09}, institution = {}, url = {https://arxiv.org/pdf/2102.04796.pdf}, language = {English}, urldate = {2021-02-26} } Avaddon ransomware: an in-depth analysis and decryption of infected systems
Avaddon
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-01-26Medium s2wlabHyunmin Suh
@online{suh:20210126:w4:138a143, author = {Hyunmin Suh}, title = {{W4 Jan | EN | Story of the week: Ransomware on the Darkweb}}, date = {2021-01-26}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1}, language = {English}, urldate = {2021-01-27} } W4 Jan | EN | Story of the week: Ransomware on the Darkweb
Avaddon Babuk LockBit
2021-01-24Bleeping ComputerLawrence Abrams
@online{abrams:20210124:another:23e31f7, author = {Lawrence Abrams}, title = {{Another ransomware (Avaddon) now uses DDoS attacks to force victims to pay}}, date = {2021-01-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/}, language = {English}, urldate = {2021-01-25} } Another ransomware (Avaddon) now uses DDoS attacks to force victims to pay
Avaddon
2021-01-11Twitter (@dk_samper)Dávid Kosť
@online{kos:20210111:initial:cfb0867, author = {Dávid Kosť}, title = {{Tweet on Initial access of Avaddon Ransomware group from an IR engagement}}, date = {2021-01-11}, organization = {Twitter (@dk_samper)}, url = {https://twitter.com/dk_samper/status/1348560784285167617}, language = {English}, urldate = {2021-01-21} } Tweet on Initial access of Avaddon Ransomware group from an IR engagement
Avaddon
2020-12-28SwanscanSwascan Cyber Incident Response Team, Pierguido Iezzi
@online{team:20201228:avaddon:df83aad, author = {Swascan Cyber Incident Response Team and Pierguido Iezzi}, title = {{Avaddon Ransomware: Incident Response Analysis}}, date = {2020-12-28}, organization = {Swanscan}, url = {https://www.swascan.com/it/avaddon-ransomware/}, language = {Italian}, urldate = {2021-01-21} } Avaddon Ransomware: Incident Response Analysis
Avaddon
2020-11-20ZDNetCatalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-16Intel 471Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-10-26AWAKEAshish Gahlot
@online{gahlot:20201026:threat:7eeb763, author = {Ashish Gahlot}, title = {{Threat Hunting for Avaddon Ransomware}}, date = {2020-10-26}, organization = {AWAKE}, url = {https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/}, language = {English}, urldate = {2020-11-02} } Threat Hunting for Avaddon Ransomware
Avaddon
2020-10-23HornetsecurityHornetsecurity Security Lab
@online{lab:20201023:leakwareransomwarehybrid:ae1de8e, author = {Hornetsecurity Security Lab}, title = {{Leakware-Ransomware-Hybrid Attacks}}, date = {2020-10-23}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/}, language = {English}, urldate = {2020-12-08} } Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-09-29PWC UKAndy Auld
@online{auld:20200929:whats:2782a62, author = {Andy Auld}, title = {{What's behind the increase in ransomware attacks this year?}}, date = {2020-09-29}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html}, language = {English}, urldate = {2021-05-25} } What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker
2020-08-25KELAVictoria Kivilevich
@online{kivilevich:20200825:how:5db6a82, author = {Victoria Kivilevich}, title = {{How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing}}, date = {2020-08-25}, organization = {KELA}, url = {https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/}, language = {English}, urldate = {2021-05-07} } How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-07-08Trend MicroTrend Micro Threat Research Team
@online{team:20200708:ransomware:90c8636, author = {Trend Micro Threat Research Team}, title = {{Ransomware Report: Avaddon and New Techniques Emerge, Industrial Sector Targeted}}, date = {2020-07-08}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted}, language = {English}, urldate = {2020-07-30} } Ransomware Report: Avaddon and New Techniques Emerge, Industrial Sector Targeted
Avaddon
2020-07-01TG SoftTG Soft
@online{soft:20200701:cyberthreat:45d22d9, author = {TG Soft}, title = {{Cyber-Threat Report on the cyber attacks of June 2020 in Italy}}, date = {2020-07-01}, organization = {TG Soft}, url = {https://www.tgsoft.it/files/report/download.asp?id=568531345}, language = {Italian}, urldate = {2020-07-30} } Cyber-Threat Report on the cyber attacks of June 2020 in Italy
Avaddon ISFB
2020-06-12ThreatConnectThreatConnect Research Team
@online{team:20200612:probable:89a5bed, author = {ThreatConnect Research Team}, title = {{Probable Sandworm Infrastructure}}, date = {2020-06-12}, organization = {ThreatConnect}, url = {https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure}, language = {English}, urldate = {2020-06-16} } Probable Sandworm Infrastructure
Avaddon Emotet Kimsuky
2020-06-11Twitter (@Securityinbits)Security-in-Bits
@online{securityinbits:20200611:avaddon:b50486e, author = {Security-in-Bits}, title = {{Tweet on Avaddon ransomware with Python script for decrypting strings}}, date = {2020-06-11}, organization = {Twitter (@Securityinbits)}, url = {https://twitter.com/Securityinbits/status/1271065316903120902}, language = {English}, urldate = {2020-06-12} } Tweet on Avaddon ransomware with Python script for decrypting strings
Avaddon
2020-06-05HornetsecuritySecurity Lab
@online{lab:20200605:avaddon:399af6f, author = {Security Lab}, title = {{Avaddon: From seeking affiliates to in-the-wild in 2 days}}, date = {2020-06-05}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/avaddon-from-seeking-affiliates-to-in-the-wild-in-2-days/}, language = {English}, urldate = {2020-06-08} } Avaddon: From seeking affiliates to in-the-wild in 2 days
Avaddon
2020-05-31ESET ResearchFacundo Muñoz
@online{muoz:20200531:ransomware:3549ba1, author = {Facundo Muñoz}, title = {{Ransomware Avaddon: principales características}}, date = {2020-05-31}, organization = {ESET Research}, url = {https://www.welivesecurity.com/la-es/2021/05/31/ransomware-avaddon-principales-caracteristicas/}, language = {Spanish}, urldate = {2021-06-09} } Ransomware Avaddon: principales características
Avaddon
Yara Rules
[TLP:WHITE] win_avaddon_auto (20210616 | Detects win.avaddon.)
rule win_avaddon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.avaddon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.avaddon"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 660fd64140 33c9 895040 c7404407000000 66894830 8b0f 8b5704 }
            // n = 7, score = 200
            //   660fd64140           | movq                qword ptr [ecx + 0x40], xmm0
            //   33c9                 | xor                 ecx, ecx
            //   895040               | mov                 dword ptr [eax + 0x40], edx
            //   c7404407000000       | mov                 dword ptr [eax + 0x44], 7
            //   66894830             | mov                 word ptr [eax + 0x30], cx
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   8b5704               | mov                 edx, dword ptr [edi + 4]

        $sequence_1 = { 3975e8 7670 837dcc10 8d45b8 8d4da0 0f4345b8 }
            // n = 6, score = 200
            //   3975e8               | cmp                 dword ptr [ebp - 0x18], esi
            //   7670                 | jbe                 0x72
            //   837dcc10             | cmp                 dword ptr [ebp - 0x34], 0x10
            //   8d45b8               | lea                 eax, dword ptr [ebp - 0x48]
            //   8d4da0               | lea                 ecx, dword ptr [ebp - 0x60]
            //   0f4345b8             | cmovae              eax, dword ptr [ebp - 0x48]

        $sequence_2 = { 66660f1f840000000000 8b85ecfeffff 8d8d4cffffff 53 57 56 }
            // n = 6, score = 200
            //   66660f1f840000000000     | nop    word ptr [eax + eax]
            //   8b85ecfeffff         | mov                 eax, dword ptr [ebp - 0x114]
            //   8d8d4cffffff         | lea                 ecx, dword ptr [ebp - 0xb4]
            //   53                   | push                ebx
            //   57                   | push                edi
            //   56                   | push                esi

        $sequence_3 = { e8???????? f7c600008000 7411 8d8d00feffff 81e6ffff7fff e8???????? f7c6???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   f7c600008000         | test                esi, 0x800000
            //   7411                 | je                  0x13
            //   8d8d00feffff         | lea                 ecx, dword ptr [ebp - 0x200]
            //   81e6ffff7fff         | and                 esi, 0xff7fffff
            //   e8????????           |                     
            //   f7c6????????         |                     

        $sequence_4 = { c7472400000000 8b7dec 8d55f0 8bcf e8???????? 8d4f04 e8???????? }
            // n = 7, score = 200
            //   c7472400000000       | mov                 dword ptr [edi + 0x24], 0
            //   8b7dec               | mov                 edi, dword ptr [ebp - 0x14]
            //   8d55f0               | lea                 edx, dword ptr [ebp - 0x10]
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   8d4f04               | lea                 ecx, dword ptr [edi + 4]
            //   e8????????           |                     

        $sequence_5 = { e9???????? 8902 894204 894208 89420c 884210 }
            // n = 6, score = 200
            //   e9????????           |                     
            //   8902                 | mov                 dword ptr [edx], eax
            //   894204               | mov                 dword ptr [edx + 4], eax
            //   894208               | mov                 dword ptr [edx + 8], eax
            //   89420c               | mov                 dword ptr [edx + 0xc], eax
            //   884210               | mov                 byte ptr [edx + 0x10], al

        $sequence_6 = { 8bec 8b4108 0faf4514 034510 0faf4104 03450c 0faf01 }
            // n = 7, score = 200
            //   8bec                 | mov                 ebp, esp
            //   8b4108               | mov                 eax, dword ptr [ecx + 8]
            //   0faf4514             | imul                eax, dword ptr [ebp + 0x14]
            //   034510               | add                 eax, dword ptr [ebp + 0x10]
            //   0faf4104             | imul                eax, dword ptr [ecx + 4]
            //   03450c               | add                 eax, dword ptr [ebp + 0xc]
            //   0faf01               | imul                eax, dword ptr [ecx]

        $sequence_7 = { bf20000000 660f1f440000 84db 756f 57 68???????? ff35???????? }
            // n = 7, score = 200
            //   bf20000000           | mov                 edi, 0x20
            //   660f1f440000         | nop                 word ptr [eax + eax]
            //   84db                 | test                bl, bl
            //   756f                 | jne                 0x71
            //   57                   | push                edi
            //   68????????           |                     
            //   ff35????????         |                     

        $sequence_8 = { ff7018 ff15???????? 8d5e01 85f6 0f88a0000000 ff770c e8???????? }
            // n = 7, score = 200
            //   ff7018               | push                dword ptr [eax + 0x18]
            //   ff15????????         |                     
            //   8d5e01               | lea                 ebx, dword ptr [esi + 1]
            //   85f6                 | test                esi, esi
            //   0f88a0000000         | js                  0xa6
            //   ff770c               | push                dword ptr [edi + 0xc]
            //   e8????????           |                     

        $sequence_9 = { 0f8411010000 837f0400 0f8407010000 8b4f08 85c9 0f84fc000000 8b470c }
            // n = 7, score = 200
            //   0f8411010000         | je                  0x117
            //   837f0400             | cmp                 dword ptr [edi + 4], 0
            //   0f8407010000         | je                  0x10d
            //   8b4f08               | mov                 ecx, dword ptr [edi + 8]
            //   85c9                 | test                ecx, ecx
            //   0f84fc000000         | je                  0x102
            //   8b470c               | mov                 eax, dword ptr [edi + 0xc]

    condition:
        7 of them and filesize < 2343936
}
[TLP:WHITE] win_avaddon_w0   (20200902 | Detects Avaddon ransomware)
rule win_avaddon_w0 {
    meta:
        description = "Detects Avaddon ransomware"
        author = "@VK_Intel, modified by @r0ny_123"
        reference = "https://twitter.com/VK_Intel/status/1300944441390370819"
        tlp = "white"
        date = "2020-09-01"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.avaddon"
        malpedia_rule_date = "20200902"
        malpedia_hash = ""
        malpedia_version = "20200902"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $str0 = "rcid"
        $str1 = "hdd"
        $str2 = "lang"
        $cfg_parser = { 55 8b ec 6a ff 68 74 d8 46 00 64 ?? ?? ?? ?? ?? 50 81 ec 3c 02 00 00 a1 ?? ?? ?? ?? 33 c5 89 ?? ?? 56 57 50 8d ?? ?? 64 ?? ?? ?? ?? ?? 8b f1 89 ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c6 ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 8b ?? 51 8b ce ff ?? ?? 83 ?? ?? ?? ?? ?? ?? 0f ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 8d ?? ?? e8 ?? ?? ?? ?? c6 ?? ?? ?? 8b ?? ?? 85 c0 0f ?? ?? ?? ?? ?? b9 10 00 00 00 c7 ?? ?? ?? ?? ?? ?? 3b c1 c7 ?? ?? ?? ?? ?? ?? c6 ?? ?? ?? 0f 42 c8 83 ?? ?? ?? 8d ?? ?? 0f ?? ?? ?? 51 50 8d ?? ?? e8 ?? ?? ?? ?? c6 ?? ?? ?? 8b ?? ?? c7 ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? c6 ?? ?? ?? 83 f8 10 0f ?? ?? ?? ?? ?? 83 c0 f0 b9 20 00 00 00 3b c1 0f 42 c8 83 ?? ?? ?? 8d ?? ?? 0f ?? ?? ?? 51 83 c0 10 8d ?? ?? 50 e8 ?? ?? ?? ?? c6 ?? ?? ?? 83 ?? ?? ?? 0f ?? ?? ?? ?? ?? 83 ?? ?? ?? 0f ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c6 ?? ?? ?? 8d ?? ?? ?? ?? ?? 8b ?? 51 8b ce ff ?? ?? 8b ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 0f ?? ?? ?? ?? ?? ?? 0f ?? ?? ?? ?? ?? ?? f3 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ??}
        $crypt_imp_seq_0 = { 83 ?? ?? ?? 8b c7 c7 ?? ?? ?? ?? ?? ?? 72 ?? 8b ?? 6a 00 6a 00 8d ?? ?? 51 6a 00 6a 01 6a 00 50 ff ?? ?? ?? ?? ?? 85 c0 [3-6] 8b ?? ?? ff ?? ?? ?? ?? ?? 56 6a 00 50 ff ?? ?? ?? ?? ?? 8b f0 85 f6 [2-6] 83 ?? ?? ?? 72 ?? 8b ?? 6a 00 6a 00 8d ?? ?? 50 56 6a 01 6a 00 57 ff ?? ?? ?? ?? ?? 85 c0 74 ?? [0-3] 8d ?? ?? 50 6a 00 6a 00 ff ?? ?? 56 ff ?? ?? ff ?? ?? ?? ?? ?? }
    condition:
        uint16(0) == 0x5a4d and 1 of ($str*) and ($cfg_parser or $crypt_imp_seq_0)
}
Download all Yara Rules