MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ccba1278a0362b0ac00fd948f9e69f30bf511b4137c4672672103e93f07c4e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ccba1278a0362b0ac00fd948f9e69f30bf511b4137c4672672103e93f07c4e8
SHA3-384 hash: 27698761fa5240753fd0f9da6612ef57a929a465a11e8422377736f4bb197fc1a60b2812b38a7fc65c1fd1e33c2bb1e8
SHA1 hash: d5f53ccad05a91a1118b9a8ac5b6a00d42692373
MD5 hash: 50f5baaea85fe51d80622f6f3c4761c8
humanhash: bravo-foxtrot-ack-red
File name:50f5baaea85fe51d80622f6f3c4761c8
Download: download sample
Signature Heodo
Create hunting rule
File size:540'160 bytes
First seen:2021-12-25 00:30:24 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash b5dc9ad96b513c24df30cb14bee2b2dd (28 x Heodo)
ssdeep 6144:GRQUWntghU/R+WtlgxTGZE7AeZ5V3Mi8oRifx/7/AOkcNlQ+jOUTWolWVS/NeCcS:OUtghUkiKiZkAeZ5V3doKb+iQVsV0/
Threatray 408 similar samples on MalwareBazaar
TLSH T1C7B4C001F6C1D077C12E0430262ED73A4A3A7D749B2899EB93D49A7F4E706C15E35EAE
Reporter zbetcheckin
Tags:32 dll Emotet exe Heodo

Intelligence

File Origin
# of uploads :
1
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/216284/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.51189.12278.26942.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61c6664f4ab5c44cbf500be8/reports/a2f7bf20-fe5b-4e80-9021-c29bc73a054a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/60ce21fd-cf1e-403d-b126-f4bbb5e0a248
Result
Threat name:
Emotet
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/912610
Signature
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Tries to detect virtualization through RDTSC time measurements
Yara detected Emotet
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 545088 Sample: tT2dpIlT2P.dll Startdate: 25/12/2021 Architecture: WINDOWS Score: 84 42 162.214.50.39 UNIFIEDLAYER-AS-1US United States 2->42 44 203.114.109.124 TOT-LLI-AS-APTOTPublicCompanyLimitedTH Thailand 2->44 46 34 other IPs or domains 2->46 54 Found malware configuration 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 Yara detected Emotet 2->58 60 2 other signatures 2->60 9 loaddll32.exe 1 2->9         started        12 svchost.exe 2->12         started        14 svchost.exe 9 1 2->14         started        17 4 other processes 2->17 signatures3 process4 dnsIp5 66 Tries to detect virtualization through RDTSC time measurements 9->66 19 rundll32.exe 2 9->19         started        23 cmd.exe 1 9->23         started        25 regsvr32.exe 9->25         started        29 2 other processes 9->29 68 Changes security center settings (notifications, updates, antivirus, firewall) 12->68 27 MpCmdRun.exe 1 12->27         started        50 127.0.0.1 unknown unknown 14->50 signatures6 process7 dnsIp8 48 192.168.2.1 unknown unknown 19->48 62 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->62 31 rundll32.exe 19->31         started        33 rundll32.exe 23->33         started        64 Tries to detect virtualization through RDTSC time measurements 25->64 36 rundll32.exe 25->36         started        38 conhost.exe 27->38         started        signatures9 process10 signatures11 52 Tries to detect virtualization through RDTSC time measurements 33->52 40 rundll32.exe 33->40         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0ccba1278a0362b0ac00fd948f9e69f30bf511b4137c4672672103e93f07c4e8/
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2021-12-25 00:31:15 UTC
File Type:
PE (Dll)
Extracted files:
4
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
emotet
Create hunting rule
Similar samples:
0ac2fdc7eafedabd548779b5ec11851a4a187aac2e617866777c74fcf69fd05b
Heodo
3e0264ecc96315b8cf68b4d034b71cdfca47225e6c446230b5240eec73592084
Heodo
5083a010eebcbbdec77ae2c8ed79ce145b4a8fe5e8a06b188142ee6d2c38a431
Heodo
525cad864e0ca1450fc2e30caefab55372398cff8f5f3822566022ee0a652345
Heodo
5f775497d95f169059a3c452d95d048401a55d7d5b1effb23d4f1b83c64f3944
Heodo
93b1961778134365674fc33819dd1335abb484359f5dbe896f718bc7795035c8
Heodo
b140ad3a0432fac19b1bfe11fafd26ce5d07b4c78b99e36810f27eca3917ff8b
Heodo
b2bd03106cf484e043b77f2331a503d474a7b75e0f41c3564c8da4cd038a21a5
Heodo
d54070b0b5a697330cc4da2a712d3f299f4468dca0175b9bc426231ea82ceb6f
Heodo
e2d02ddcea53a61af2ead95c33b8d5f861d19a608bdc42beec14e326e9e9ce01
Heodo
+ 398 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/211225-at3e6sfgd8/
Behaviour
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
424747dd51211c0b5ac05f0c5207a8c7037f42c3a249f1223124c187eba266f0
MD5 hash:
a42526956dd3dc9db9e30ff1d91135fc
SHA1 hash:
3b3615d0c8659a216c29865743d47819aa44bd89
Detections:
win_emotet_a2
Create hunting rule
win_emotet_auto
Create hunting rule
Link:
https://www.unpac.me/results/454186a3-e855-476e-8e56-7d5191065d60/
SH256 hash:
0ccba1278a0362b0ac00fd948f9e69f30bf511b4137c4672672103e93f07c4e8
MD5 hash:
50f5baaea85fe51d80622f6f3c4761c8
SHA1 hash:
d5f53ccad05a91a1118b9a8ac5b6a00d42692373
Link:
https://www.unpac.me/results/454186a3-e855-476e-8e56-7d5191065d60/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0ccba1278a0362b0ac00fd948f9e69f30bf511b4137c4672672103e93f07c4e8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Heodo

DLL dll 0ccba1278a0362b0ac00fd948f9e69f30bf511b4137c4672672103e93f07c4e8

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1918599/
Cape
Cape
https://www.capesandbox.com/analysis/216284/

Comments