MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16396d41017e0ebd40c5ffdfac19de892d0205b5fc8c194025a7c7034f6f0844. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16396d41017e0ebd40c5ffdfac19de892d0205b5fc8c194025a7c7034f6f0844
SHA3-384 hash: e5772e28f683cce1fc07a864bcc528e76aad7c109d1fd75fef5b0a9a8052ee5999d54b04f15618a62e215d34488f7b31
SHA1 hash: 1417fffe39eb18e3347e2ae93f2d10f37817bddf
MD5 hash: 2b5810b3c35c511302eb24d88f9e7f80
humanhash: south-five-queen-colorado
File name:emotet_exe_e2_16396d41017e0ebd40c5ffdfac19de892d0205b5fc8c194025a7c7034f6f0844_2020-08-14__212718._exe
Download: download sample
Signature Heodo
Create hunting rule
File size:917'504 bytes
First seen:2020-08-14 21:27:26 UTC
Last seen:2020-08-14 23:15:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7d531e0bdfe60bebaea5a1721e80e7e4 (64 x Heodo)
ssdeep 12288:6ZlyqwEmkmauSVd2R3R0EcX0euXBQsGsU3z431xVB:wm6whk90Blye1T
Threatray 7'776 similar samples on MalwareBazaar
TLSH DB159C6233D5C436D6F212724945C63862A7BD101F3666C72BF43F5E3A389C69E363A2
Reporter Cryptolaemus1
Tags:Emotet epoch2 exe Heodo


Avatar
Cryptolaemus1
Emotet epoch2 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Emotet
Create hunting rule
Link:
https://www.capesandbox.com/analysis/46156/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Connection attempt to an infection source
Sending an HTTP POST request to an infection source
Result
Threat name:
Emotet
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/431026
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 267869 Sample: _212718._exe Startdate: 16/08/2020 Architecture: WINDOWS Score: 68 28 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->28 30 Yara detected Emotet 2->30 7 _212718.exe 2 2->7         started        10 svchost.exe 2->10         started        12 svchost.exe 1 1 2->12         started        15 8 other processes 2->15 process3 dnsIp4 32 Drops executables to the windows directory (C:\Windows) and starts them 7->32 34 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->34 17 KBDRU.exe 12 7->17         started        36 Changes security center settings (notifications, updates, antivirus, firewall) 10->36 20 MpCmdRun.exe 1 10->20         started        26 127.0.0.1 unknown unknown 12->26 signatures5 process6 dnsIp7 24 75.139.38.211, 49717, 80 CHARTER-20115US United States 17->24 22 conhost.exe 20->22         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/16396d41017e0ebd40c5ffdfac19de892d0205b5fc8c194025a7c7034f6f0844/
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2020-08-14 21:29:10 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cy4w2qibpyhl2qgf77p2ygo6rewqebnv7sgbsqbfu7dqgt3pbbca._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
Similar samples:
054727c798107448870912ab7ce52f1f0a906945382e32ae5a00d04841c998e6
Heodo
12de7314799fb58572853dc339cf3eedb18e3b4588743c92fe6268b859cfcae6
Heodo
597b583b732a22bb4a107c2bb1a58a53d80cbfcd360579a25235bdaab91dd6f6
Heodo
b4f366883c5e033b0d0fef91989637c460a083f98927ee3a6b9fb03260cc4b8d
Heodo
b9d80c13d1e834afe4cfb8c9377f01696c5b84b6ba457319a830077ff4c76c66
Heodo
be00535adacad7e0628421d01f890d12041b9664dea8e2a53c7a983132ebc47b
Heodo
c11ed0aea10fa328006b7009a5142502b7394621ee72eea7860948062e274dcd
Heodo
f2e620e6fe5ff019a8fdc884e9cad8b8e0b1aa821d27f4e0ce2c2669667a758d
Heodo
ffcecfae7f6c856079f095bb842c0a70e4a5cbfc82df8aecdedcf051297f4d51
Heodo
fffe60b7e60bf14d40eb6ac3a91a053dd2910e4b8561faada8e96e02019d5181
Heodo
+ 7'766 additional samples on MalwareBazaar
Result
Malware family:
emotet
Create hunting rule
Score:
  10/10
Tags:
trojan banker family:emotet
Link:
https://tria.ge/reports/200814-cxhzh767tx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Emotet Payload
Emotet
Malware Config
C2 Extraction:
75.139.38.211:80
69.30.203.214:8080
67.205.85.243:8080
190.160.53.126:80
183.101.175.193:80
137.59.187.107:8080
168.235.67.138:7080
209.143.35.232:80
180.92.239.110:8080
167.86.90.214:8080
85.66.181.138:80
95.213.236.64:8080
83.169.36.251:8080
157.245.99.39:8080
79.98.24.39:8080
70.167.215.250:8080
93.51.50.171:8080
174.102.48.180:80
24.179.13.119:80
41.60.200.34:80
188.83.220.2:443
91.211.88.52:7080
24.43.99.75:80
47.144.21.12:443
37.187.72.193:8080
104.131.44.150:8080
199.101.86.142:8080
116.203.32.252:8080
85.152.162.105:80
83.110.223.58:443
78.24.219.147:8080
62.75.141.82:80
152.168.248.128:443
157.147.76.151:80
24.137.76.62:80
121.124.124.40:7080
62.138.26.28:8080
173.62.217.22:443
107.185.211.16:80
103.86.49.11:8080
113.160.130.116:8443
72.12.127.184:443
181.211.11.242:80
204.197.146.48:80
176.111.60.55:8080
104.236.246.93:8080
97.82.79.83:80
74.208.45.104:8080
87.106.136.232:8080
209.141.54.221:8080
169.239.182.217:8080
110.145.77.103:80
222.214.218.37:4143
165.165.171.160:8080
47.146.117.214:80
139.59.60.244:8080
203.153.216.189:7080
5.196.74.210:8080
37.139.21.175:8080
201.173.217.124:443
47.153.182.47:80
2.58.16.85:7080
109.116.214.124:443
200.41.121.90:80
95.179.229.244:8080
142.105.151.124:443
5.39.91.110:7080
185.94.252.104:443
189.212.199.126:443
109.74.5.95:8080
37.70.8.161:80
190.55.181.54:443
61.19.246.238:443
74.120.55.163:80
85.105.205.77:8080
181.230.116.163:80
104.131.11.150:443
81.2.235.111:8080
203.117.253.142:80
24.233.112.152:80
47.146.32.175:80
76.27.179.47:80
87.106.139.101:8080
46.105.131.79:8080
139.130.242.43:80
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Emotet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/16396d41017e0ebd40c5ffdfac19de892d0205b5fc8c194025a7c7034f6f0844

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:MALW_emotet
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect unpacked Emotet
Rule name:win_emotet_a2
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/46156/

Comments