MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01d6ff441bfbf065fe9cc4a6ab5de658cfacfb46467eee4cf55441cbadf6e28c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	01d6ff441bfbf065fe9cc4a6ab5de658cfacfb46467eee4cf55441cbadf6e28c
SHA3-384 hash:	7545e201fd13d754018244a17afa850c2aaab8f0f1589c7536d251e4dd55c1c095bf7b7295cc52dffbb364df0a8e91f1
SHA1 hash:	fbc0221979aad4631d301bcd8e331c4399fdfde8
MD5 hash:	f232e278f50de52e6202c18f1d9711e7
humanhash:	bluebird-fix-fillet-california
File name:	f232e278f50de52e6202c18f1d9711e7.dll
Download:	download sample
Signature	Heodo Create hunting rule
File size:	851'456 bytes
First seen:	2023-01-19 18:46:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	798e6079d39138e42206393ec3b9626d (9 x Heodo)
ssdeep	24576:F16TffbuFta+9ZeTKu7imuEnESFZqnUZ:+ffSFtBYTKuD8U
Threatray	3'607 similar samples on MalwareBazaar
TLSH	T1F0055B71B26C41F9E05A953885534A45EEB13CA35BE293CB52D1E63E1F33BD2CA39321
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	cccc8cccdaa292dc (27 x Heodo)
Reporter	Anonymous
Tags:	dll Emotet exe Heodo

Intelligence

File Origin

# of uploads :

# of downloads :

261

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PACK_764.xls

Verdict:

Malicious activity

Analysis date:

2022-05-25 05:00:37 UTC

Tags:

macros loader

Link:

https://app.any.run/tasks/3c1030d2-0899-4215-9646-25222be4539f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Emotet

Link:

https://www.capesandbox.com/analysis/354688/

Detection(s):

Win.Trojan.Generickdz-9966388-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a service

Launching a process

Moving of the original file

Enabling autorun for a service

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/61568/overview

Behaviour

MalwareBazaar

CheckScreenResolution

SystemUptime

MeasuringTime

EvasionGetTickCount

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

No Threat

Threat level:

2/10

Confidence:

67%

Tags:

greyware keylogger shell32.dll

Link:

https://www.filescan.io/uploads/63c9902789bd67c10fd8acff/reports/933605bf-2d0b-4b92-9560-69f3ea9d1c76/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/9771b17f-c7c1-42e4-ad34-786846aae7ea

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/01d6ff441bfbf065fe9cc4a6ab5de658cfacfb46467eee4cf55441cbadf6e28c/

Threat name:

Win64.Trojan.Emotet

Status:

Malicious

First seen:

2022-05-24 14:29:43 UTC

File Type:

PE+ (Dll)

Extracted files:

AV detection:

30 of 39 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ahlp6ra37pygl7u4ystkwxpgldh2z62giz7o4thvkra4xlpw4kga._file

Verdict:

malicious

Label(s):

emotet

Heodo

24c01e2ef72c8091f60272a8adaa25bf1be3bc4c2bea84b48e14b685375d640e

Heodo

5214e190695058fcf3fe3158d4186f7742a0625b314ce1b8efbeb938ea3ee0b1

Heodo

6e175ca3031f6140953f5222e06f962874cf6b64509e375928b446dae0028251

Heodo

9c9b1c804d2665318c52fd60323a0500ea8be01916129a083d9cc4ea75538257

Heodo

a30a9915d16eaa06d6ac23e804773e27277ddb453841d8888027fb0021281daa

Heodo

c0dea9678b4b59aab273d11d7c2c35b66e89d9760b1772485863be4823315e7d

Heodo

+ 3'597 additional samples on MalwareBazaar

Result

Malware family:

emotet

Score:

10/10

Tags:

family:emotet botnet:epoch5 banker trojan

Link:

https://tria.ge/reports/230119-xe665sdh21/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Emotet

Malware Config

C2 Extraction:

194.9.172.107:8080
66.42.57.149:443
165.22.73.229:8080
202.29.239.162:443
104.248.225.227:8080
54.38.242.185:443
103.133.214.242:8080
78.47.204.80:443
210.57.209.142:8080
103.41.204.169:8080
118.98.72.86:443
88.217.172.165:8080
87.106.97.83:7080
85.25.120.45:8080
195.77.239.39:8080
37.44.244.177:8080
36.67.23.59:443
160.16.143.191:7080
54.38.143.246:7080
159.69.237.188:443
68.183.93.250:443
54.37.228.122:443
190.90.233.66:443
37.59.209.141:8080
178.62.112.199:8080
59.148.253.194:443
196.44.98.190:8080
202.28.34.99:8080
78.46.73.125:443
51.68.141.164:8080
207.148.81.119:8080
93.104.209.107:8080
185.148.168.220:8080
103.85.95.4:8080
62.171.178.147:8080
175.126.176.79:8080
134.122.119.23:8080
202.134.4.210:7080
116.124.128.206:8080
45.71.195.104:8080
110.235.83.107:7080
103.56.149.105:8080
68.183.91.111:8080
5.56.132.177:8080
195.154.146.35:443
217.182.143.207:443
54.37.106.167:8080
85.214.67.203:8080
188.225.32.231:4143
103.42.58.120:7080
139.196.72.155:8080

Unpacked files

SH256 hash:

d10532fad2167d45896c040159171013baeb5fdc21cafaa3b1f2e0198627f0b4

MD5 hash:

2802f0bced9b13160edbfcc7d413c453

SHA1 hash:

810cbe09b3be7e492f48818eed419a63e96b9bbc

Detections:

win_emotet_auto

win_emotet_a3

Link:

https://www.unpac.me/results/b6664043-f046-42f5-9635-caeee9016c59/

Parent samples :

6c1cc7cf188b7ae8031f285e68309338a5ee093c78389c12517009d3dcbfcf54
690624925c1f2d52a91e6f8a4c8068ade73cade97204ba6923d19281db55159b
cbac69eb9d98e0e0ed2ad91268c02799fa9639d3d5f7aebd2fa1cb66014cea0b
ccd79d82d9a93189fbdac71436ce482676e5bda8d4f24900787c39973ebc25d2
6103dac2d025226570a980aa4d8bc2ff41a0b8eb6106cc27b0f666fc8bf51960
0d64a56784916d7239c45e57c9bb27596a9df36f6ae63395d7a7ff0f082d7210
a2ad6520683d4d66c0100873cb7dffeda1b0c8da01ce36135fefa086ce31a49b
01d6ff441bfbf065fe9cc4a6ab5de658cfacfb46467eee4cf55441cbadf6e28c
e5814a69cfe5a5be2f62f738ea5511f1604bce81c2acaca550b134d794c9e2d0

SH256 hash:

01d6ff441bfbf065fe9cc4a6ab5de658cfacfb46467eee4cf55441cbadf6e28c

MD5 hash:

f232e278f50de52e6202c18f1d9711e7

SHA1 hash:

fbc0221979aad4631d301bcd8e331c4399fdfde8

Link:

https://www.unpac.me/results/b6664043-f046-42f5-9635-caeee9016c59/

Malware family:

Emotet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/01d6ff441bfb/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/01d6ff441bfbf065fe9cc4a6ab5de658cfacfb46467eee4cf55441cbadf6e28c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_win64_emotet_unpacked Create hunting rule
Author:	Rony (r0ny_123)

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

URLhaus

https://urlhaus.abuse.ch/url/2208001/

Cape

https://www.capesandbox.com/analysis/354688/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample