MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0948d6f1da468b0ed049e41de8909d4bee0243e363e56249b437ce0a76c09ad4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0948d6f1da468b0ed049e41de8909d4bee0243e363e56249b437ce0a76c09ad4
SHA3-384 hash: 38bf0912d112c3350e0a17fef9f89d325ee258687abd1d2aa849aff01d36605ec1588dda8e910349a41f24b79d606941
SHA1 hash: c11ec556ee69ec608c43b08726d520e420830319
MD5 hash: 63afca355abcf7d95cd450d66f05f633
humanhash: magazine-solar-triple-salami
File name:36FXyyYVPI3113ZBV.dll
Download: download sample
Signature Heodo
Create hunting rule
File size:339'800 bytes
First seen:2021-01-13 07:09:27 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash d24ea093f730eb04f422e17ed4d6e03b (30 x Heodo)
ssdeep 3072:S1yTPwsRxtUR+7Jl/c8Mf5SqohUuJXtQOo2ZpJSG:HPwKnz4fe2mtQWZpUG
Threatray 346 similar samples on MalwareBazaar
TLSH 3C74695AB453D8A1CE89A7366E4A1E6797569E1D0281C436DB43DD0180B323CFFEAF31
Reporter JAMESWT_WT
Tags:Emotet Heodo

Code Signing Certificate

Organisation:ZQXOHKFERNOYWBBZLP
Issuer:ZQXOHKFERNOYWBBZLP
Algorithm:sha1WithRSA
Valid from:Dec 16 09:16:56 2020 GMT
Valid to:Dec 31 23:59:59 2039 GMT
Serial number: 34C05534B4F5D19145FCEA0EE8687F95
Thumbprint Algorithm:SHA256
Thumbprint: 912EF8F5655AF95D6D180995DDE0BFB4B7DF9344786F1AE0FE984CC9CACE475B
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111687/
Detection(s):
SecuriteInfo.com.Drixed-FJZ08FDFE1CA632.22216.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0948d6f1da468b0ed049e41de8909d4bee0243e363e56249b437ce0a76c09ad4/
Threat name:
Win32.Trojan.Drixed
Create hunting rule
Status:
Malicious
First seen:
2021-01-13 04:30:59 UTC
File Type:
PE (Dll)
AV detection:
20 of 46 (43.48%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bfenn4o2i2fq5ucj4qo6ree5jpxaeq7dmpswesnug7hau5watlka._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
Similar samples:
2057b1c272cca18b84d820801257555faf68c282de7009a9a6eda9012fdb7e9b
Heodo
6541580253433e76eea2fdfa5fa2e02a703ee53e8550cbc779a506566e92628c
Heodo
8e49e91421b46aa7b6f566d39f5855600e21a6122260c180483bb82dcb3f5458
Heodo
958af16e38cd619acb45b7932c15c6e03a0b68b4eb04e40f91d5313ca0943761
Heodo
95c32e94bdb89c25d54fbf5881e5f992b3c5f8771d250e5b722cada230090527
Heodo
b0302de91474c8a312810c1537eedc0fc7622d5ebaeb52eaaeeea805840ad17c
Heodo
d76937a5b03506941a1b1342dc79c568dfb10f54d894fd93626745881e218dc5
Heodo
f623d86a38b063646077f6bd197b00e07b8ccfbf8696424a01c1fb27d4e0427c
Heodo
f93544c3fd1fbbcc9f0eca7960234a7d3ca56787410d8273ccb0aa42f2103e53
Heodo
fead1cbbdd218fb7a8eec59c05c87febed5a6d77a944acab5b97ae806750e8b9
Heodo
+ 336 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210113-g978lskkfs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Unpacked files
SH256 hash:
0948d6f1da468b0ed049e41de8909d4bee0243e363e56249b437ce0a76c09ad4
MD5 hash:
63afca355abcf7d95cd450d66f05f633
SHA1 hash:
c11ec556ee69ec608c43b08726d520e420830319
Link:
https://www.unpac.me/results/e1621092-1247-467e-bbae-46971a4407d7/
SH256 hash:
10d4a8a0c8e73927b2f715868c1f658073ae5b834b46025499f8c3f3bdc6dfe5
MD5 hash:
5b319d23c5ffa95bf8e0118b8554fef9
SHA1 hash:
694018f379aab8f4757f5b6faa13cff720e5309f
Detections:
win_emotet_a2
Create hunting rule
Link:
https://www.unpac.me/results/e1621092-1247-467e-bbae-46971a4407d7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Emotet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0948d6f1da468b0ed049e41de8909d4bee0243e363e56249b437ce0a76c09ad4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALW_emotet
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect unpacked Emotet

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Heodo

DLL dll 0948d6f1da468b0ed049e41de8909d4bee0243e363e56249b437ce0a76c09ad4

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/111687/
  
URLhaus
https://urlhaus.abuse.ch/url/955628/
  
Delivery method
Distributed via web download

Comments