MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 082d5935271abf58419fb5e9de83996bd2f840152de595afa7d08e4b98b1d203. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 6


Intelligence 6 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 082d5935271abf58419fb5e9de83996bd2f840152de595afa7d08e4b98b1d203
SHA3-384 hash: 95d24919acfc090a69d9825a1455bebb5682e93403e119ac2a5509f366b22e67de05b1a5ec69e2f7f4bca9af19d464d9
SHA1 hash: 232258201e20b9b256a64987227148095aa2954b
MD5 hash: acbbc946a9441b52cc8cd84292977931
humanhash: moon-crazy-mississippi-florida
File name:INV 2022-04-22_1538, US.doc.lnk
Download: download sample
Signature Heodo
Create hunting rule
File size:3'728 bytes
First seen:2022-04-22 21:49:05 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/octet-stream
ssdeep 48:88r4ablfVt7cfvWOOLbbfFrcMPGJv3yxhsqTNkTBMF4EEPC6FqfJrwy0H:88r4o4uLfhzGNuhs6N22F7ACXfaTH
TLSH T16F71D89E24013790FA17097AE822F20D872679F19CF4EB39B4BD978A131528478D1E3E
Reporter malware_traffic
Tags:Emotet Heodo lnk

Intelligence

File Origin
# of uploads :
1
# of downloads :
439
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27118.LnkHeur.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
File Type:
LNK File
Link:
https://app.docguard.net/082d5935271abf58419fb5e9de83996bd2f840152de595afa7d08e4b98b1d203/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autorun cmd cmd.exe evasive findstr.exe masquerade wscript
Link:
https://www.filescan.io/uploads/6263230cba81efdb4005b179/reports/df7c5ebb-99b4-4ff6-bfee-02e1c9281813/overview
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/082d5935271abf58419fb5e9de83996bd2f840152de595afa7d08e4b98b1d203/
Threat name:
Win32.Trojan.WinLnk
Create hunting rule
Status:
Malicious
First seen:
2022-04-22 19:46:04 UTC
File Type:
Binary
AV detection:
16 of 42 (38.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bawvsnjhdk7vqqm7wxu55a4znpjpqqavfxszll5h2chexgfr2ibq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220422-1pw1pscfdl/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.98
Link:
https://yomi.yoroi.company/submissions/082d5935271abf58419fb5e9de83996bd2f840152de595afa7d08e4b98b1d203

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Archive_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies archive (compressed) files in shortcut (LNK) files.
Rule name:Execution_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies execution artefacts in shortcut (LNK) files.
Rule name:EXE_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies executable artefacts in shortcut (LNK) files.
Rule name:MSOffice_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies Microsoft Office artefacts in shortcut (LNK) files.
Rule name:Script_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies scripting artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_CMD
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to cmd.exe inside an lnk file, which is suspicious

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments