MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12cc979c1b38dd0da15645b463c2ad03fe2b5ad73b76cddd94b9fea746d5547c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 7



SHA256 hash: 12cc979c1b38dd0da15645b463c2ad03fe2b5ad73b76cddd94b9fea746d5547c
SHA3-384 hash: 50b7262869eeb2e984ce2e89eef88f48ab237977c41597a0c1a37995b66342f46abe103fab058a65db31cc9b08d37df7
SHA1 hash: 02c725105332ef46824d1fc7039fff8d4a264b18
MD5 hash: 6097fc2f6ff8ad43e8e0be3d797d4ec9
humanhash: chicken-arkansas-angel-south
File name: 12cc979c1b38dd0da15645b463c2ad03fe2b5ad73b76cddd94b9fea746d5547c
Signature: Heodo
File size: 12'652'544 bytes
First seen: 2024-09-09 12:28:21 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 196608:fws3V+aXws3V+2ws3V+Rws3V+ews3V+iws3V+Cws3V+:WauxkZV1
Threatray: 87 similar samples on MalwareBazaar
TLSH: T131D6232163FD4668E2FB0F35EC7E88B046367C91DA62C02E6355791D2A31F8589737B2
TrID:
  80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
  10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
  7.8% (.MSP) Windows Installer Patch (44509/10/5)
  1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: JAMESWT_WT
Tags: ConnectWise msi settleweddings-in
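The hashes above are the only file-level indicators the entry carries, and the TrID guesses all point at one container format (MSI, MST and MSP are all OLE2 compound files), so the first step with a local copy is to confirm the container and compare every listed digest. The following triage script is an added example, not MalwareBazaar's code; the hash values and file size are copied from the entry, and the file name in the usage line is a placeholder.

```python
import hashlib
from typing import Callable, Dict

# Hashes and size copied from the MalwareBazaar entry above.
ENTRY_HASHES: Dict[str, str] = {
    "sha256": "12cc979c1b38dd0da15645b463c2ad03fe2b5ad73b76cddd94b9fea746d5547c",
    "sha3_384": "50b7262869eeb2e984ce2e89eef88f48ab237977c41597a0c1a37995b66342f46abe103fab058a65db31cc9b08d37df7",
    "sha1": "02c725105332ef46824d1fc7039fff8d4a264b18",
    "md5": "6097fc2f6ff8ad43e8e0be3d797d4ec9",
}
ENTRY_SIZE = 12652544

# Header of the OLE2 / Compound File Binary container shared by MSI, MST and MSP
# files, which is why TrID scores all three types for this sample.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

_ALGORITHMS: Dict[str, Callable] = {
    "sha256": hashlib.sha256,
    "sha3_384": hashlib.sha3_384,
    "sha1": hashlib.sha1,
    "md5": hashlib.md5,
}


def digest_bytes(data: bytes) -> Dict[str, str]:
    """Hex digests of an in-memory blob with every algorithm the entry lists."""
    return {name: ctor(data).hexdigest() for name, ctor in _ALGORITHMS.items()}


def digest_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same digests for a file on disk, streamed so a 12 MB installer is not read at once."""
    hashers = {name: ctor() for name, ctor in _ALGORITHMS.items()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def is_ole2(data: bytes) -> bool:
    """True when the blob starts with the compound-file header (MSI/MST/MSP container)."""
    return data[: len(OLE2_MAGIC)] == OLE2_MAGIC


def match_entry(digests: Dict[str, str], expected: Dict[str, str] = ENTRY_HASHES) -> Dict[str, bool]:
    """Compare each computed digest with the entry's value, ignoring hex case."""
    return {name: digests.get(name, "").lower() == value.lower() for name, value in expected.items()}


def triage_bytes(data: bytes) -> Dict[str, object]:
    """One-shot triage of an in-memory sample against this entry."""
    digests = digest_bytes(data)
    return {
        "ole2_container": is_ole2(data),
        "size_matches": len(data) == ENTRY_SIZE,
        "digests": digests,
        "matches": match_entry(digests),
    }


if __name__ == "__main__":
    import sys

    path = sys.argv[1]  # e.g. a locally downloaded copy of the sample (placeholder name)
    with open(path, "rb") as fh:
        head = fh.read(len(OLE2_MAGIC))
    print("ole2 container:", is_ole2(head))
    for name, hit in match_entry(digest_file(path)).items():
        print(f"{name:9} {'MATCH' if hit else 'no match'}")
```

Run it as `python triage.py sample.msi`. A SHA256 match is the decisive check; SHA1 and MD5 are kept only because older feeds still index on them, and the OLE2 check alone says nothing about maliciousness, it only confirms the file is the kind of container the entry describes.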

Intelligence

File Origin
# of uploads: 1
# of downloads: 139
Origin country: IT

Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm evasive expand explorer installer lolbin packed remote rundll32 shell32
Result
Verdict: SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: ScreenConnect Tool
Detection: malicious
Classification: evad
Score: 72 / 100
Signature
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to hide user accounts
Creates files in the system32 config directory
Enables network access during safeboot for specific services
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution
Behaviour
Behavior Graph:
Behavior Graph ID: 1507935
Sample: LUs0QaV4Ur.msi
Start date: 09/09/2024
Architecture: WINDOWS
Score: 72

Network:
  settleweddings.in -> 94.156.65.19 (ports 49705, 8041), TERASYST-ASBG, Bulgaria; contacted by ScreenConnect.ClientService.exe

Sample-level signatures:
  .NET source code references suspicious native API functions
  Contains functionality to hide user accounts
  AI detected suspicious sample
  Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution

Process tree (dropped files and signatures listed under the process they belong to):
  ScreenConnect.ClientService.exe
    signatures: Reads the Security eventlog; Reads the System eventlog
    network: settleweddings.in (94.156.65.19)
    ScreenConnect.WindowsClient.exe
      signatures: Creates files in the system32 config directory; Contains functionality to hide user accounts
    ScreenConnect.WindowsClient.exe
  msiexec.exe
    dropped: C:\...\ScreenConnect.WindowsClient.exe (PE32); C:\...\ScreenConnect.ClientService.exe (PE32); C:\...\ScreenConnect.WindowsClient.exe.config (XML); 9 other files (none is malicious)
    signatures: Enables network access during safeboot for specific services
    msiexec.exe
      rundll32.exe
        dropped: C:\Users\user\...\ScreenConnect.Windows.dll (PE32); C:\...\ScreenConnect.InstallerActions.dll (PE32); C:\Users\user\...\ScreenConnect.Core.dll (PE32); Microsoft.Deployme...indowsInstaller.dll (PE32)
        signatures: Contains functionality to hide user accounts
    msiexec.exe
    msiexec.exe
  msiexec.exe
    dropped: C:\Users\user\AppData\Local\...\MSIB74D.tmp (PE32)
Result
Malware family: n/a
Score: 8/10
Tags: discovery persistence privilege_escalation
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
Checks processor information in registry
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Event Triggered Execution: Component Object Model Hijacking
Enumerates connected drives
Sets service image path in registry
Verdict: Suspicious
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.
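Across the vendor results the dropped binaries are identified as the ConnectWise ScreenConnect client (threat name "ScreenConnect Tool", the Sigma rule "Remote Access Tool - ScreenConnect Suspicious Execution", and "9 other files (none is malicious)"), so the binaries themselves will be present on any host where ScreenConnect is deployed legitimately. The actionable indicators are the relay the client talks to: settleweddings.in and 94.156.65.19 from the sandbox run. The detection below is an added example, not code from MalwareBazaar or any of the vendors; it runs over constructed JSON-lines telemetry in a simplified Sysmon-like shape, the install path and the allowlisted relay host and IP are hypothetical, and it flags both exact hits on this entry's network indicators and any ScreenConnect client resolving or connecting to a relay that is not on your own allowlist.

```python
import json
import ntpath
from typing import Dict, Iterable, List

# Network indicators copied from the MalwareBazaar entry above.
IOC_DOMAINS = {"settleweddings.in"}
IOC_IPS = {"94.156.65.19"}

# Client binaries the sandbox saw this MSI drop and execute (names from the entry).
SCREENCONNECT_IMAGES = {
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
}

# Hypothetical allowlist: the relay host and IP your own ScreenConnect deployment
# is permitted to use. Replace with your instance's values.
APPROVED_RELAY_HOSTS = {"relay.example.com"}
APPROVED_RELAY_IPS = {"203.0.113.10"}

# Constructed telemetry, not sandbox output. The install path is hypothetical and
# the last line is benign traffic to a TEST-NET address included as a control.
SAMPLE_LOG = r"""
{"event": "process_create", "image": "C:\\Windows\\System32\\msiexec.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"event": "dns_query", "image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe", "query": "settleweddings.in"}
{"event": "network_connect", "image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe", "dest_ip": "94.156.65.19", "dest_port": 8041}
{"event": "dns_query", "image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe", "query": "relay.example.com"}
{"event": "network_connect", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dest_ip": "198.51.100.7", "dest_port": 443}
"""


def parse_log(text: str) -> List[Dict]:
    """Parse JSON lines, skipping blanks, and keep the 1-based line number for alerts."""
    events = []
    for n, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            ev = json.loads(line)
            ev["_line"] = n
            events.append(ev)
    return events


def is_screenconnect(image: str) -> bool:
    """Match on the basename only; ScreenConnect installs under a per-instance directory."""
    return ntpath.basename(image).lower() in SCREENCONNECT_IMAGES


def evaluate(ev: Dict) -> List[str]:
    """Return the names of every rule the event trips, in a fixed order."""
    reasons: List[str] = []
    kind = ev.get("event")
    query = (ev.get("query") or "").lower().rstrip(".")
    dest_ip = ev.get("dest_ip", "")

    # Rule 1: exact hits on this entry's network indicators, whatever the process.
    if kind == "dns_query" and query in IOC_DOMAINS:
        reasons.append("ioc_domain")
    if kind == "network_connect" and dest_ip in IOC_IPS:
        reasons.append("ioc_ip")

    # Rule 2: the client is legitimate software, so the durable signal is a
    # ScreenConnect process talking to a relay you did not deploy.
    if is_screenconnect(ev.get("image", "")):
        if kind == "dns_query" and query not in APPROVED_RELAY_HOSTS:
            reasons.append("screenconnect_unapproved_relay")
        if kind == "network_connect" and dest_ip not in APPROVED_RELAY_IPS:
            reasons.append("screenconnect_unapproved_relay")
    return reasons


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Run every event through the rules and collect those with at least one hit."""
    alerts = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            alerts.append({"line": ev.get("_line"), "image": ev.get("image"), "reasons": reasons})
    return alerts


def run_sample() -> List[Dict]:
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed log the two ScreenConnect events to settleweddings.in / 94.156.65.19 each raise both an indicator hit and an unapproved-relay hit, the query to the allowlisted relay raises nothing, and the unrelated browser connection raises nothing. The indicator rule will go stale when the operator moves relays; the allowlist rule is the one worth keeping, provided the allowlist is maintained from your own ScreenConnect configuration.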

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments