MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12ad53db934aa45f53a314088667adea61422a8158e3e974f6fb586c6f6852ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 4


Intelligence 4 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 12ad53db934aa45f53a314088667adea61422a8158e3e974f6fb586c6f6852ef
SHA3-384 hash: 4c674fd3f4a0222636c8e5d88cb9a2a0a5dbdbb25e65f6556d0a88609e54ee29c64957d84f6058f949a2fea0ee105098
SHA1 hash: 28b83a5e8a91ae30d1f5456213d90df4aa933db7
MD5 hash: 17807fcf4889824fd9cee42e49133071
humanhash: beryllium-florida-pennsylvania-march
File name:l62635.exe
Download: download sample
Signature Heodo
Create hunting rule
File size:307'338 bytes
First seen:2020-04-30 07:37:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4a0ba8e4b5bd326b11c33332fd335281 (1 x Heodo)
ssdeep 6144:nACRBt2dm/TyQZSrL5QuiAlCgXqotPup/7UXl6f:qQZSrnLCeupo
Threatray 189 similar samples on MalwareBazaar
TLSH 7864AE2135C1C073D5A7017689DEC7B977B6FD025FB1968F7B943B0EAE342928A35282
Reporter jarumlus
Tags:Emotet Heodo

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Emotet-7461198-0
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2019-12-13 07:02:03 UTC
File Type:
PE (Exe)
Extracted files:
35
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ckwvhw4tjksf6u5dcqeimz5n5jquekubldr6s5hw7nmgy33iklxq._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
Similar samples:
009a744e1e9bf38a9a578be15442b25070aae17ffba3613ca1d1f629a44a4f23
Heodo
035a69580d783b6027b9d5a6f088bfcc1c296921e923a6793aae6bc972c294d6
Heodo
181a79a35af190ce05e5bac09e23d8670c247db0b55f465ff2af8c834e984ed6
Heodo
2aed441feb0d38c4c21858e907fb45a10a75f33c53158c64c67e85bab1e621c5
Heodo
60d8175e0a4a6e115ed79800717cc27bd3e8d8b88af2f81823623c1b3fead089
Heodo
92e12063000f62cec43e02f8aea606dc535b5138a27085bf80678efdb1ca1e9b
Heodo
ab5dc331127be64fb5120501c03de22a819a9ad88d8e17a8cc04e709900e4f6e
Heodo
ac2327f210643de38481941d82d7dddcdf00af04546849e465856cb8451241ee
Heodo
e3c4521c113245a96b4d4ebbfbbe894a891bdcb8e165dacc0dc29e733e37f431
Heodo
f3f0f8469aae4354a97974161df582e87dfeaccf59706e182aa9fe527aa72c47
Heodo
+ 179 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Emotet
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Emotet in memory
Reference:internal research
Rule name:MAL_Emotet_Jan20_1
Create hunting rule
Author:Florian Roth
Description:Detects Emotet malware
Reference:https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Rule name:win_emotet_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegOpenKeyA
ADVAPI32.dll::RegQueryValueA
ADVAPI32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments