MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06d062adc4478b2c95f98fec038fe559eff9fa60ce98d05d257f37c00a9026d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	06d062adc4478b2c95f98fec038fe559eff9fa60ce98d05d257f37c00a9026d6
SHA3-384 hash:	eb2e50ba88643216006840aa343a3e1b09b77358bfeed7d78cb9bd7cc80d3218b0c9af64fa966b5efd90bae5bbb541a5
SHA1 hash:	47fcea03f1282fe6f0c2eb2b779b560a6a2bfe33
MD5 hash:	cba021c98d236d6ae1182dbd264e2843
humanhash:	eleven-enemy-grey-sink
File name:	Z43QqCJhBm9skjJ.exe
Download:	download sample
Signature	Heodo Create hunting rule
File size:	1'074'176 bytes
First seen:	2021-08-03 20:40:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:btvMG0H/d38K64JoImGS+15jUXhIi2bU:GGK64Jn5IXKV
Threatray	6'679 similar samples on MalwareBazaar
TLSH	T117358D30B9C4CA1AE15F473A8FDF60208BFCFA223572D7E46DE522B94505B61D8742DA
Reporter	GovCERT_CH
Tags:	Emotet exe Heodo

Intelligence

File Origin

# of uploads :

# of downloads :

994

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Z43QqCJhBm9skjJ.exe

Verdict:

Malicious activity

Analysis date:

2021-08-03 20:43:07 UTC

Tags:

trojan formbook stealer

Link:

https://app.any.run/tasks/991d88ae-6a3b-4b53-86da-fb30c0ca1c0b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/176190/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.967-1.UNOFFICIAL

Win.Packed.Pwsx-9882860-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a file

Launching cmd.exe command interpreter

Forced shutdown of a system process

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7d6dfa53-4f6a-4441-aa9d-d042f8f5b39b

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/06d062adc4478b2c95f98fec038fe559eff9fa60ce98d05d257f37c00a9026d6/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-07-29 02:47:58 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

34 of 46 (73.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=a3igfloei6fszfpzr7wahd7flhx7t6taz2mnaxjfp434acuqe3la._file

Verdict:

malicious

Label(s):

formbook

Heodo

2d7aac32ea8a8329262ead70ec2f030c1a4061e4edafdf03e605bb9ce606836e

Heodo

3a4677dc6f14f38983af15458b11d5f92e71dea8d5cd0e5b263c50d211a72621

Heodo

4cf933c9f31b4e3dae8002043c64a401f91a228adeadfbca9b172b3333f1be6b

Heodo

6c60876d91087cbd176ff5419577f2b3315b2d3a9d9c6d11a06b95ea10d5311f

Heodo

e59a1d022c6c4f0cc7d23689004e65ea7f1f940adef98cf891a008dd9d7f66d9

Heodo

ec5f4dcc08f293334a46654b279444c6c128608c6af38a4139a5b28503954219

Heodo

+ 6'669 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader loader rat suricata

Link:

https://tria.ge/reports/210803-sehgmnjgkn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

CustAttr .NET packer

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Malware Config

C2 Extraction:

http://www.panyu-qqbaby.com/weni/

Unpacked files

SH256 hash:

6f54cee217deaf54bd3f9c1a2169f437a7eee29309f87232ce46032eca3b1363

MD5 hash:

550970889e4325645c8671d69bf96a91

SHA1 hash:

35673655771636cd80db6fcc2714bee15d6156b1

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/48d77863-ae32-466e-9462-acc111ca751f/

Parent samples :

4cf933c9f31b4e3dae8002043c64a401f91a228adeadfbca9b172b3333f1be6b
2d7aac32ea8a8329262ead70ec2f030c1a4061e4edafdf03e605bb9ce606836e
3a4677dc6f14f38983af15458b11d5f92e71dea8d5cd0e5b263c50d211a72621
e59a1d022c6c4f0cc7d23689004e65ea7f1f940adef98cf891a008dd9d7f66d9
06e6b50f2a956f1fff285d4717f7dc33af56f8f08255f744cbd0eba9b0fe82e9
38e4be0b1612a87858ee40b6c9eebd264d02e4488a34c3f1269ca385b01d1b20
ec5f4dcc08f293334a46654b279444c6c128608c6af38a4139a5b28503954219
6c60876d91087cbd176ff5419577f2b3315b2d3a9d9c6d11a06b95ea10d5311f
b07a33b6e6d8007b04f1f4a78cd8be773506bbf6b60ed0227665188d57e82a15
77d33d0e8b91781213a971ebc2e6abe4191bf2c28ff0ede19b07db092f590dff
06d062adc4478b2c95f98fec038fe559eff9fa60ce98d05d257f37c00a9026d6
4ca6a48021d7d442d9311b158691b1f219576d7d37a99f64741463659903ad4c

SH256 hash:

48627b514be2cc8b1f64f80fd7aac89adf4c2498df46f42fb1ca26ac94bbc413

MD5 hash:

0d375301c76884823a9a9ebf733d5c6f

SHA1 hash:

55dae301ccbc9f1b538fda33e676bc3b2df1b1bf

Link:

https://www.unpac.me/results/48d77863-ae32-466e-9462-acc111ca751f/

SH256 hash:

370fba6fc744313a2032139b510a10928fbfeb790c00d59cfb6745756ddb98d0

MD5 hash:

8809087804f9c6987a3366bae2fab59b

SHA1 hash:

4dbc33c91888bfce2404d0379b5a783d1d846f1e

Link:

https://www.unpac.me/results/48d77863-ae32-466e-9462-acc111ca751f/

SH256 hash:

97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438

MD5 hash:

68463851c0e6fe7a254c99fae763d454

SHA1 hash:

4587a5371d88c296a0184fe47ee0c5245b187127

Link:

https://www.unpac.me/results/48d77863-ae32-466e-9462-acc111ca751f/

SH256 hash:

06d062adc4478b2c95f98fec038fe559eff9fa60ce98d05d257f37c00a9026d6

MD5 hash:

cba021c98d236d6ae1182dbd264e2843

SHA1 hash:

47fcea03f1282fe6f0c2eb2b779b560a6a2bfe33

Link:

https://www.unpac.me/results/48d77863-ae32-466e-9462-acc111ca751f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/06d062adc4478b2c95f98fec038fe559eff9fa60ce98d05d257f37c00a9026d6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Heodo

exe 06d062adc4478b2c95f98fec038fe559eff9fa60ce98d05d257f37c00a9026d6

(this sample)

Dropped by

Heodo

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/176190/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample