MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52dc6da720ff69d8dea66a117fb1fd57e7db0366ec7f55b05cce18f6a3477cc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 6

Maldoc score: 13

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	52dc6da720ff69d8dea66a117fb1fd57e7db0366ec7f55b05cce18f6a3477cc8
SHA3-384 hash:	1801de70541be98e759213152833b58d0f0f5d340ce462de8702c0bb0ff61daecdde98ad90996210171939922675d364
SHA1 hash:	90ec8f973776074eba7df0aa36471677c875f585
MD5 hash:	e66571325545211f2e2df5e755b65775
humanhash:	colorado-island-dakota-connecticut
File name:	Information#381141749.doc
Download:	download sample
Signature	Heodo Create hunting rule
File size:	239'616 bytes
First seen:	2020-10-27 14:47:36 UTC
Last seen:	Never
File type:	doc
MIME type:	application/msword
ssdeep	3072:kcsCVf4h8MgjMjVn6UCLPFqjHsQoxOtxQtiU0ZnR8HFRPhMKZFwqxRy9g:qHhL95ljMPeKTMK0MRy9
TLSH	0B340899B180BD5AFA924E300D8BEEBA71176C503D0AC7C764EA77FB58739749AD3100
Reporter	cocaman
Tags:	doc Emotet Heodo

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id

Maldoc score: 13

Application name is Microsoft Office Word

Office document is in OLE format

Office document contains VBA Macros

OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

Type	Keyword	Description
AutoExec	Document_open	Runs when the Word or Publisher document is opened
Suspicious	Create	May execute file or a system command through WMI
Suspicious	showwindow	May hide the application
Suspicious	CreateObject	May create an OLE object
Suspicious	ChrW	May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Suspicious	Hex Strings	Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious	Base64 Strings	Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.VBS.Obfus-153.UNOFFICIAL

TwinWave.EvilDoc.EMOCROCreateRomanticWarrior.20200916.UNOFFICIAL

TwinWave.EvilDoc.EmotetWindowNotGonnaTakeIt.20201026.UNOFFICIAL

TwinWave.EvilDoc.EmotetKillerQueen.20201026.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Using the Windows Management Instrumentation requests

Creating a process with a hidden window

DNS request

Sending an HTTP GET request

Creating a file

Launching a process

Bypassing of proactive protection methods using Windows Management Instrumentation (WMI)

Launching a process by exploiting the app vulnerability

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/52dc6da720ff69d8dea66a117fb1fd57e7db0366ec7f55b05cce18f6a3477cc8/

Threat name:

Document-Word.Trojan.Heuristic

Status:

Malicious

First seen:

2020-10-27 14:49:22 UTC

File Type:

Document

Extracted files:

AV detection:

16 of 48 (33.33%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=klog3jza75u5rxvgniix7mp5k7t5wa3g5r7vlmc4zympni2hptea._file

Result

Malware family:

dridex

Score:

10/10

Tags:

family:dridex botnet discovery evasion loader trojan

Link:

https://tria.ge/reports/201027-917e9hfxta/

Behaviour

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Enumerates system info in registry

Office loads VBA resources, possible macro or embedded object present

Drops file in Windows directory

Drops file in System32 directory

Checks installed software on the system

Checks whether UAC is enabled

Loads dropped DLL

Blacklisted process makes network request

Dridex Loader

Dridex

Process spawned unexpected child process

Malware Config

C2 Extraction:

85.207.13.169:443
74.207.242.13:1688
176.58.101.200:49160
164.132.75.129:3388

Dropper Extraction:

http://projectstudio.com.pl/
http://portfolio.angela-mathis.com/
http://custom.robi2.hu/
https://cisrs.in/home4/myclonr9/cisrs.in/resources//
http://b15.robi2.hu/
https://puzzle.altosaxplayer.com/
http://mayhutchankhong.tv/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Emotet

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/52dc6da720ff69d8dea66a117fb1fd57e7db0366ec7f55b05cce18f6a3477cc8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_Heodo_doc_20200916 Create hunting rule
Author:	abuse.ch
Description:	Detects Heodo DOC

Rule name:	ach_Heodo_doc_gen_2 Create hunting rule
Author:	abuse.ch
Description:	Detects Heodo (aka Emotet) DOC

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via e-mail link

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample