MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11b0828c5a801601481d6c56e1092e975785339e754f86356e56c605fd46a39c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Emotet (aka Heodo)


Vendor detections: 9



SHA256 hash: 11b0828c5a801601481d6c56e1092e975785339e754f86356e56c605fd46a39c
SHA3-384 hash: c6c99f9bfcff103482296cc6088f5fff061b1cceec96c29bec2af19006bb36330071ec9aabf714a1c4ab55b6946f6f05
SHA1 hash: 970ee3f2dd29efdee093b62480f6eafd8c0cdf56
MD5 hash: 50161b56f68990f9874809e53778237f
humanhash: illinois-emma-winner-magazine
File name: emotet_exe_e2_11b0828c5a801601481d6c56e1092e975785339e754f86356e56c605fd46a39c_2020-09-28__163442._exe
Signature: Heodo
File size: 217'088 bytes
First seen: 2020-09-28 16:35:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e728e1ece211ddd66341af31047f3736 (37 x Heodo)
ssdeep: 3072:oKdoleKfKf1S7KI9wzET3ksCc08z9ltq/SGhJisRT8lusvwdoym:oKdlKfKs7KI9wolCcjXGms+FvY
Threatray: 7'823 similar samples on MalwareBazaar
TLSH: B524AE21F0D1C4F2C62A41754C8B5EA44A36FC394B61ABE7D358BE1E2A357C2197B31E
Reporter: Cryptolaemus1
Tags: Emotet epoch2 exe Heodo


Cryptolaemus1
Emotet epoch2 exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 87
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Sending a UDP request
Connection attempt
Sending an HTTP POST request
Threat name: Win32.Trojan.Emotet
Status: Malicious
First seen: 2020-09-28 16:37:08 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: trojan banker family:emotet

Behaviour
Suspicious behavior: EnumeratesProcesses
Emotet Payload
Emotet
Malware Config
C2 Extraction:
38.18.235.242:80
5.196.108.189:8080
121.124.124.40:7080
104.236.246.93:8080
113.61.66.94:80
120.150.60.189:80
91.211.88.52:7080
47.144.21.12:443
108.46.29.236:80
139.162.108.71:8080
134.209.36.254:8080
139.59.60.244:8080
66.65.136.14:80
76.175.162.101:80
174.106.122.139:80
95.213.236.64:8080
174.45.13.118:80
50.35.17.13:80
209.141.54.221:8080
87.106.139.101:8080
96.249.236.156:443
176.111.60.55:8080
85.96.199.93:80
87.106.136.232:8080
97.82.79.83:80
185.94.252.104:443
79.98.24.39:8080
142.112.10.95:20
5.196.74.210:8080
94.1.108.190:443
24.137.76.62:80
121.7.127.163:80
37.139.21.175:8080
213.196.135.145:80
83.169.36.251:8080
24.179.13.119:80
137.59.187.107:8080
181.169.34.190:80
139.130.242.43:80
42.200.107.142:80
140.186.212.146:80
74.208.45.104:8080
188.219.31.12:80
105.186.233.33:80
93.147.212.206:80
194.187.133.160:443
61.19.246.238:443
85.152.162.105:80
5.39.91.110:7080
71.72.196.159:80
24.43.99.75:80
139.162.60.124:8080
124.41.215.226:80
67.10.155.92:80
109.74.5.95:8080
78.187.156.31:80
195.7.12.8:80
187.49.206.134:80
123.176.25.234:80
157.245.99.39:8080
78.188.106.53:443
94.200.114.161:80
94.23.237.171:443
104.251.33.179:80
68.252.26.78:80
75.139.38.211:80
103.86.49.11:8080
62.75.141.82:80
172.104.97.173:8080
79.137.83.50:443
110.142.236.207:80
162.241.242.173:8080
78.24.219.147:8080
91.146.156.228:80
118.83.154.64:443
216.139.123.119:80
121.7.31.214:80
181.169.235.7:80
139.99.158.11:443
172.91.208.86:80
46.105.131.79:8080
104.131.11.150:443
110.145.77.103:80
82.80.155.43:80
168.235.67.138:7080
50.91.114.38:80
137.119.36.33:80
203.153.216.189:7080
37.187.72.193:8080
24.43.32.186:80
130.0.132.242:80
80.241.255.202:8080
220.245.198.194:80
190.240.194.77:443
89.216.122.92:80
1.221.254.82:80
104.131.44.150:8080
62.30.7.67:443
Unpacked files

SHA256 hash: 11b0828c5a801601481d6c56e1092e975785339e754f86356e56c605fd46a39c
MD5 hash: 50161b56f68990f9874809e53778237f
SHA1 hash: 970ee3f2dd29efdee093b62480f6eafd8c0cdf56

SHA256 hash: ddaf2f537d9990939f13561fd0cacecba82ff33bcab81ab14750b143480d758e
MD5 hash: d6ed9c74a7a0426c5aa7a1e71297f948
SHA1 hash: 6ed7c292a367efa3984dca34fcb2a6fdd9a2a5d1
Detections: win_emotet_a2

Parent samples:
f7fdd9e119be2a89e6125240942fa7c51655eab26984553642e7f3f09b84eba3
be581b8f741c40517e1e06f826dfbc50508548f0079dc93e4574928c49e79770
97cc3b09a454986a2d2f9a051edcafc3791044a46a89f5165ebe3795c68b6701
a3381d9f84e64e598f0399458e10aa4dcab7fdaa1eb49cad9ff87c9bdaedf627
11b0828c5a801601481d6c56e1092e975785339e754f86356e56c605fd46a39c
b9b90d0335095994de345bc1f902e2575c4709a78b308e2b5fc28b1a7d071e21
f196d1dd7a9684ad3195e73e052a69f0c1c8ee9a2a05d2610c8dc7f0b8697814
5c603779ddb34aee7ba1284215fdc22556da3af9eb9dd86016fc1aa187827a54
0007e938052e444208feef8729dfbccf28120fd63299e8d331582be49b4041be
b39a1f7f6f44ed5332dd8832a687d313fa02720f541181d5a56c18b25be2fd90
382ed1f7732043b8202449de4e2585528674cd7cc0c6151e89f985544b291dab
cc60071ff9ebf0a997980520523d890f9200e537edcfbcbed1c161b29abdd7ca
ff2a7ed97925176b98b1f9eb9baeba5c11ddc0f5d50d9551ec717e6842e4dc75
fca09c7ed3e6d3693f09245217cc263ff476344bbba891c9d85572fdf1dc22de
a9abd3dfc1de323a8e33791a84338f01728f556fcb94cc60f7b7603ea12496f2
245dfd172c487147badefbe8248001575e12b80319437c763ad03c781030a046
e3af37320b212a84847a6abcfff43d792aafdc197411fec0a910748858d3705f
fcffa553a7c165a4058382b8bd9251290de1cfe5e12c78aa4050036cc692ad31
bb22b3f1e2d1cc2c2ed4eb14c741415f2d3a3c5923d0fafe3f1c5e577f7480b6
161857c1917f8d6aa6110cb84c5a3d99f254d8ed5a2c87e2d280190c376302a3
da3e1ac580953015290a1a6b869ed74d703b0a976d158f01b3edae432830ef7f
bc67a4019261e3958727e2c4de486f07b63ef599a09791a648f0380e2bf4f0e6
b9f971c84e2868501bc68b45f13ec7cd225ce9a573935c9819fad5f7b5d7a087
2868f1586a9a142149897cd4c37aa85352e267f0bbdbbde6af9f62e1e68a98b3
984c5b627aa7abccddd70f1f83bf53635c8ddcf92057f535c9f88dd7bb352a89
c7713351d5cef0184c0607f03d4a988ae532ab079c9229420aa31fee3edd61c3
0b129286d964920f4d73a62e3b3af00d9fe542d87f00daecf2572fcc3f8825ea
f832c8138cf70f5beaeb5eba62f53f8bf7bc213dd42db2f4c8b35dfbad32d906
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Cobalt_functions
Author: @j0sm1
Description: Detect functions coded with ROR edi,D; Detect CobaltStrike used by different APT groups

Rule name: Win32_Trojan_Emotet
Author: ReversingLabs
Description: Yara rule that detects Emotet trojan.

Rule name: win_sisfader_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Heodo
Executable exe 11b0828c5a801601481d6c56e1092e975785339e754f86356e56c605fd46a39c (this sample)

Delivery method: Distributed via web download

Comments