MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16488a25bf5ef3bb38f176f1843bfabfc4a3d0beec81f4ac0410cf7856bc777c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	16488a25bf5ef3bb38f176f1843bfabfc4a3d0beec81f4ac0410cf7856bc777c
SHA3-384 hash:	365fba2160ee6c644daa99aaa92c02f30cfb8d427ff6670ee7526a4494730f4a340041e41945fa69e782a5edadb09fd0
SHA1 hash:	c0ff465eb0b6ccc0f3a36bb593ced7453736a750
MD5 hash:	8d925c0da257436438893e6fe7ce2f4f
humanhash:	hamper-purple-eighteen-fanta
File name:	sample
Download:	download sample
Signature	Heodo Create hunting rule
File size:	348'504 bytes
First seen:	2022-08-01 11:40:55 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	de3ae5fdd8a570c86ac164493e1298ec (35 x Heodo)
ssdeep	3072:KRq1sFAd2gQ5PmBvNZwnnq1gn2RvoXiDzAYgrO1v2F5j8eFMWP:Eq1sFAwgwmBv3wnIgG4oAYxvU54e/P
Threatray	1'249 similar samples on MalwareBazaar
TLSH	T1D274BE699A8BC049CF0E3AB06BA32D67D5326F9D67843173F6512D0901B3EFD2AD540E
TrID	32.1% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	Anonymous
Tags:	dll Emotet Heodo

Intelligence

File Origin

# of uploads :

# of downloads :

379

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/295550/

Detection(s):

Win.Malware.Emotet-9823769-0

Win.Packed.Emotet-9824001-0

Win.Malware.Emotet-9824002-0

Win.Packed.Emotet-9824043-0

Win.Packed.Emotet-9824053-0

Win.Packed.Emotet-9824054-0

Win.Packed.Emotet-9824062-0

Win.Packed.Emotet-9824065-0

Win.Packed.Emotet-9824066-0

Win.Packed.Emotet-9824288-0

Win.Packed.Emotet-9824314-0

Win.Packed.Emotet-9824335-0

Win.Packed.Emotet-9824400-0

Win.Packed.Emotet-9824405-0

Win.Packed.Emotet-9824438-0

Win.Packed.Emotet-9824471-0

Win.Packed.Emotet-9824474-0

Win.Packed.Emotet-9824488-0

Win.Packed.Emotet-9824496-0

Win.Packed.Emotet-9824501-0

Win.Packed.Emotet-9824527-0

Win.Packed.Emotet-9824567-0

Win.Packed.Emotet-9824577-0

Win.Packed.Emotet-9824596-0

Win.Packed.Emotet-9824621-0

Win.Packed.Emotet-9824666-0

Win.Packed.Emotet-9824667-0

Win.Packed.Emotet-9824673-0

Win.Packed.Emotet-9824731-0

Win.Packed.Emotet-9824964-0

Win.Packed.Emotet-9824980-0

Win.Packed.Emotet-9825115-0

Win.Packed.Emotet-9825125-0

Win.Packed.Emotet-9825156-0

Win.Packed.Emotet-9825157-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

emotet greyware overlay

Link:

https://www.filescan.io/uploads/62e7bc0d6336465f2a00f85d/reports/5bf591cd-865d-4706-9e08-2452ed551ba7/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Emotet

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2117c8bc-e16d-4d8b-88ae-cd119792547d

Result

Threat name:

Emotet

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1044116

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Changes security center settings (notifications, updates, antivirus, firewall)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

System process connects to network (likely due to code injection or exploit)

Yara detected Emotet

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/16488a25bf5ef3bb38f176f1843bfabfc4a3d0beec81f4ac0410cf7856bc777c/

Threat name:

Win32.Trojan.EmotetCrypt

Status:

Malicious

First seen:

2021-02-05 13:41:50 UTC

File Type:

PE (Dll)

AV detection:

23 of 27 (85.19%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=czeiujn7l3z3wohro3yyio72x7ckhuf65sa7jlaecdhxqvv4o56a._file

Verdict:

malicious

Label(s):

emotet

Result

Malware family:

emotet

Score:

10/10

Tags:

family:emotet botnet:epoch3 banker trojan

Link:

https://tria.ge/reports/220801-ntewrsfhc3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Blocklisted process makes network request

Emotet

Malware Config

C2 Extraction:

255.84.4.173:0

Unpacked files

SH256 hash:

14729322706c3836fe6ad2192c14580979795f8fa5f93f07846da044fdc51768

MD5 hash:

0f38bdb11961452ba17721802f7b9924

SHA1 hash:

710afda6fe43b407810784efd1432f14106b06fc

Detections:

win_emotet_a2

win_emotet_auto

Link:

https://www.unpac.me/results/4cf10d68-9163-4dc2-8693-947da62bcc55/

Parent samples :

a87f1ac10a182aeb3a0563304677987ace7a75bd9a20b36bedf5eeb6d8731a4e
a9a9b8109dd7968cdaefb5db416a65321d9d80dc913bf809a188c2b9ce1c3635
4578506be1d90c71e135b65cb5fd8397d985bd38f12b062c87c0251fce48f45f
1fe2cf5f670607df5430851670d43844a5584353aa33cd2851e9022a8b5fbcf7
63dee1fab3a93522db37546f5dfd010643d08eeaeaa3dcd6fc3ca879085969fa
dce59e74b1ed9fcb4218c6fa4b4c103b1d164a723a6c718931813834d99fb4f3
3a0faf58520c86149bd75e4eb8600684d6c6ce786b64daba9be9c81fffeca623
a2f9428a872cf04fd04db255e12e809c19feb21c8de0d36a09a842736630a786
e23f6eac070763290086f79db63d6e97af5886c3a8e5a733d7b70de2e24f61a5
16488a25bf5ef3bb38f176f1843bfabfc4a3d0beec81f4ac0410cf7856bc777c

SH256 hash:

16488a25bf5ef3bb38f176f1843bfabfc4a3d0beec81f4ac0410cf7856bc777c

MD5 hash:

8d925c0da257436438893e6fe7ce2f4f

SHA1 hash:

c0ff465eb0b6ccc0f3a36bb593ced7453736a750

Link:

https://www.unpac.me/results/4cf10d68-9163-4dc2-8693-947da62bcc55/

Malware family:

Emotet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/16488a25bf5e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Emotet

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/16488a25bf5ef3bb38f176f1843bfabfc4a3d0beec81f4ac0410cf7856bc777c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_709d547a2f09d39c4c2334983f2cbf50 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/295550/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample