MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 0773745b0aa51960e3088ca2d947a03271ea86163bd635ece0bbe6a684832e4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Emotet (aka Heodo)
Vendor detections: 8
| SHA256 hash: | 0773745b0aa51960e3088ca2d947a03271ea86163bd635ece0bbe6a684832e4d |
|---|---|
| SHA3-384 hash: | 686ad5810636e82d56b85c04fb981988166a56bca6902f037bab8649b98b55665bc270228be71dc4d82a23688da835cf |
| SHA1 hash: | 1f7d51f2188d581178a6c9e88af3dd527a981e49 |
| MD5 hash: | 1be3dae270436b3c6a2c1a9ed7a1df21 |
| humanhash: | mississippi-sixteen-enemy-magazine |
| File name: | OTm.dll |
| Download: | download sample |
| Signature: | Heodo |
| File size: | 230'400 bytes |
| First seen: | 2020-12-21 22:02:23 UTC |
| Last seen: | Never |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash: | 2b4978c29a257ac610071bf1c90c32d5 (8 x Heodo) |
| ssdeep: | 3072:BODGgWX0R152rpYXLRdjwd6q7m8kjcV8fYPXm3qCvOjTYXdvbHTb+CzgGM3/:BZgTkrp4RE6q7xAcSA4pXdvjHlzFMP |
| Threatray: | 164 similar samples on MalwareBazaar |
| TLSH: | 0C348C11B60180B2F71E0B305842FAE0495D9E3D16E4E18FFA787E7A6D322939A7715F |
| Reporter: | cyberswat4 |
| Tags: | dll Emotet Heodo |
| VirusTotal: | https://www.virustotal.com/gui/file/0773745b0aa51960e3088ca2d947a03271ea86163bd635ece0bbe6a684832e4d/detection |
Intelligence
File Origin
| # of uploads: | 1 |
|---|---|
| # of downloads: | 215 |
| Origin country: | n/a |
Vendor Threat Intelligence

Detection: n/a
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 64 / 100
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph: (image not reproduced)

Threat name: Win32.Trojan.Emotet
Status: Malicious
First seen: 2020-12-21 15:30:32 UTC
AV detection: 26 of 28 (92.86%)
Threat level: 5/5
Verdict: unknown
Similar samples: + 154 additional samples on MalwareBazaar

Result
Malware family: emotet
Score: 10/10
Tags: family:emotet botnet:epoch1 banker trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Emotet
Malware Config
C2 Extraction:
95.76.153.115:80
191.241.233.198:80
167.71.148.58:443
211.215.18.93:8080
1.234.65.61:80
60.93.23.51:80
51.15.7.145:80
190.24.243.186:80
190.64.88.186:443
186.146.13.184:443
177.85.167.10:80
59.148.253.194:8080
155.186.9.160:80
51.255.165.160:8080
149.202.72.142:7080
111.67.12.221:8080
185.183.16.47:80
111.67.12.222:8080
190.195.129.227:8090
71.58.233.254:80
104.131.41.185:8080
85.214.26.7:8080
1.226.84.243:8080
110.39.160.38:443
213.52.74.198:80
192.232.229.54:7080
172.104.169.32:8080
5.196.35.138:7080
137.74.106.111:7080
181.30.61.163:443
68.183.170.114:8080
45.16.226.117:443
168.121.4.238:80
190.251.216.100:80
46.101.58.37:8080
191.182.6.118:80
70.32.84.74:8080
77.78.196.173:443
103.236.179.162:80
181.120.29.49:80
50.28.51.143:8080
181.61.182.143:80
46.43.2.95:8080
209.236.123.42:8080
172.245.248.239:8080
188.135.15.49:80
122.201.23.45:443
177.23.7.151:80
68.183.190.199:8080
192.175.111.212:7080
201.75.62.86:80
191.223.36.170:80
202.79.24.136:443
105.209.235.113:8080
177.144.130.105:443
81.213.175.132:80
190.45.24.210:80
190.114.254.163:8080
217.13.106.14:8080
87.106.46.107:8080
45.184.103.73:80
138.97.60.141:7080
81.215.230.173:443
192.232.229.53:4143
80.15.100.37:80
178.211.45.66:8080
187.162.248.237:80
189.2.177.210:443
187.162.250.23:443
82.76.111.249:443
170.81.48.2:80
93.148.247.169:80
110.39.162.2:443
46.105.114.137:8080
113.163.216.135:80
70.32.115.157:8080
62.84.75.50:80
152.169.22.67:80
24.232.228.233:80
35.143.99.174:80
138.97.60.140:8080
83.169.21.32:7080
212.71.237.140:8080
188.225.32.231:7080
12.163.208.58:80
185.94.252.27:443
202.134.4.210:7080
177.144.130.105:8080
178.250.54.208:8080
197.232.36.108:80
12.162.84.2:8080
94.176.234.118:443
81.214.253.80:443
Unpacked files
SHA256 hash: 0773745b0aa51960e3088ca2d947a03271ea86163bd635ece0bbe6a684832e4d
MD5 hash: 1be3dae270436b3c6a2c1a9ed7a1df21
SHA1 hash: 1f7d51f2188d581178a6c9e88af3dd527a981e49

SHA256 hash: f567e145cf928879c13b51b84c057b82fc5727463bc2c976587fc96a2317efcb
MD5 hash: db0519d8565a35ad1470150813f67602
SHA1 hash: f3a612986982ec0e12ff2244139f6c65b413e8b8
Detections: win_emotet_a2

Parent samples:
Note that we are no longer able to provide a coverage score for VirusTotal.

Threat name: Emotet
Score: 1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.