MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fdc27f3312f4db0ce7b05834067f880340583938a7143f7b3a8ee442255bc19a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: fdc27f3312f4db0ce7b05834067f880340583938a7143f7b3a8ee442255bc19a
SHA3-384 hash: 7e2e2fd5a2b36db80882da1636419e94c86dbf2460319b96f6d9db137dfd6ab5b8fc7449e76292e86a453004a62a6e53
SHA1 hash: 775910375d34e8536bde0d9128cc6103d5049d6a
MD5 hash: a87e38f2d470c5c9862660e3fc3cf81f
humanhash: fanta-sixteen-video-earth
File name: File 072020.doc
Signature: Heodo
File size: 176'221 bytes
First seen: 2020-07-31 11:52:51 UTC
Last seen: Never
File type: Word file doc
MIME type: application/msword
ssdeep: 3072:u4PrXcuQuvpzm4bkiaMQgAlSWHtZX1XxqFks:HDRv1m4bnQgISqtZFXxqWs
TLSH: BE04092030B3AC17E64226311CCACE5416EB6F131D47D22B774C7B6E5F36A606DBAA1D
Reporter: @JAMESWT_MHT
Tags: Emotet Heodo

Intelligence

File Origin
  # of uploads: 1
  # of downloads: 35
  Origin country: IT (Italy)

Mail intelligence
  Geo location: Global
  Volume: Low
  Geo location: IT (Italy)
  Volume: Low

Vendor Threat Intelligence

Result
  Threat name: Emotet
  Detection: malicious
  Classification: bank.troj.evad
  Score: 100 / 100
  Signatures:
    Changes security center settings (notifications, updates, antivirus, firewall)
    Creates processes via WMI
    Document contains an embedded VBA with hexadecimal encoded strings
    Document contains an embedded VBA with many randomly named variables
    Document contains VBA stomped code (only p-code) potentially bypassing AV detection
    Drops executables to the Windows directory (C:\Windows) and starts them
    Drops PE files to the user root directory
    Encrypted PowerShell cmdline option found
    Hides that the sample has been downloaded from the Internet (zone.identifier)
    Malicious encrypted PowerShell command line found
    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
    PowerShell case anomaly found
    PowerShell drops PE file
    Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
    Very long command line found
    Yara detected Emotet
    Yara detected Emotet Downloader
  Behaviour
  Behavior Graph:
    Behavior Graph ID: 255348; Sample: File 072020.doc; Startdate: 31/07/2020; Architecture: WINDOWS; Score: 100 (graph rendering not reproduced here)

  Threat name: Document-Word.Trojan.LEmoDldr
  Status: Malicious
  First seen: 2020-07-31 10:40:50 UTC
  AV detection: 21 of 31 (67.74%)
  Threat level: 5/5

Result
  Malware family: n/a
  Score: 8/10
  Tags: macro
  Behaviour: Suspicious Office macro

  Threat name: Legit
  Score: 0.00

Yara Signatures


Rule name: ach_Heodo_doc_gen
Author: abuse.ch
Description: Detects Heodo DOC

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type | SHA256
Web download | Heodo | Word file doc | fdc27f3312f4db0ce7b05834067f880340583938a7143f7b3a8ee442255bc19a (this sample)

Delivery method: Distributed via web download

Comments