MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7
SHA3-384 hash: 4bb3e7042affcea1350f9cb02669c4d69d5bcddc2702925cfe83725f2806a4fb33340fb7913ec0f2550080dd5b0781aa
SHA1 hash: 33f6b7aac2afaba74eeac1a44ba9ec5d0a53d00c
MD5 hash: 69f900118f985990f488121cd1cf5e2b
humanhash: equal-pip-carolina-eight
File name:6cda346f63d0573b10b068df355b53abd1abe75427db0925244d94a8.msi
Download: download sample
Signature Heodo
Create hunting rule
File size:9'617'408 bytes
First seen:2023-10-23 21:05:31 UTC
Last seen:2023-10-23 21:34:45 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:zhbWzPMCeNrs0rczeuNr/QnMOsaB9QVuHSzdUupBqbHSDjs6cv1HDQfgaP:FbWzPM5HCZNrgMVw6wyZUupkjSPcv1jO
Threatray 13 similar samples on MalwareBazaar
TLSH T16EA633317984853BE64E0532D6EA8F206A7EAD241710D1CFBF54B2FC59B02D279363A7
TrID 98.2% (.MSI) Microsoft Windows Installer (454500/1/170)
1.7% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter r3dbU7z
Tags:DarkGate Emotet Heodo msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
348
Origin country :
RU RU
Vendor Threat Intelligence
Detection:
DarkGate
Create hunting rule
Link:
https://www.capesandbox.com/analysis/455762/
Detection(s):
SecuriteInfo.com.HEUR.Trojan-Spy.Win32.Xegumumune.gen.14021.31179.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug expand fingerprint hacktool installer lolbin packed shell32
Link:
https://www.filescan.io/uploads/6536e03cc2a76fbfed32940f/reports/1990be26-10a3-4cd2-ab22-82ded3a37361/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7
Result
Threat name:
DarkGate, MailPassView
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1330851
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Deletes shadow drive data (may be related to ransomware)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Yara detected DarkGate
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1330851 Sample: 6cda346f63d0573b10b068df355... Startdate: 23/10/2023 Architecture: WINDOWS Score: 100 79 Found malware configuration 2->79 81 Antivirus detection for URL or domain 2->81 83 Yara detected DarkGate 2->83 85 6 other signatures 2->85 11 msiexec.exe 8 17 2->11         started        14 Autoit3.exe 2->14         started        17 msiexec.exe 5 2->17         started        process3 file4 65 C:\Windows\Installer\MSIA44C.tmp, PE32 11->65 dropped 19 msiexec.exe 5 11->19         started        107 Deletes shadow drive data (may be related to ransomware) 14->107 109 Contains functionality to modify clipboard data 14->109 21 cmd.exe 1 14->21         started        signatures5 process6 signatures7 24 windbg.exe 3 19->24         started        28 expand.exe 15 19->28         started        30 cmd.exe 19->30         started        32 2 other processes 19->32 93 Deletes shadow drive data (may be related to ransomware) 21->93 process8 file9 57 C:\tmpa\Autoit3.exe, PE32 24->57 dropped 99 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 24->99 101 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 24->101 103 Contains functionality to register a low level keyboard hook 24->103 105 Contains functionality to modify clipboard data 24->105 34 Autoit3.exe 10 24->34         started        59 C:\...\fedc6f2bebdc1246ac0acf0f65ee51e7.tmp, PE32 28->59 dropped 61 C:\...\f07adffd9e39b84d9029beb7a3a8fca7.tmp, PE32 28->61 dropped signatures10 process11 dnsIp12 67 185.130.227.202, 2351, 49163, 49164 HOSTKEY-ASNL Netherlands 34->67 55 C:\temp\AutoIt3.exe, PE32 34->55 dropped 87 Deletes shadow drive data (may be related to ransomware) 34->87 89 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 34->89 91 Contains functionality to modify clipboard data 34->91 39 cmd.exe 34->39         started        42 cmd.exe 7 34->42         started        45 rundll32.exe 34->45         started        file13 signatures14 process15 file16 95 Uses ping.exe to check the status of other devices and networks 39->95 47 PING.EXE 39->47         started        63 C:\ProgramData\ghacdhc\Autoit3.exe, PE32 42->63 dropped 97 Deletes shadow drive data (may be related to ransomware) 42->97 50 chrome.exe 4 45->50         started        signatures17 process18 dnsIp19 75 127.0.0.1 unknown unknown 47->75 77 239.255.255.250 unknown Reserved 50->77 52 chrome.exe 50->52         started        process20 dnsIp21 69 accounts.google.com 172.217.197.84, 443, 49203 GOOGLEUS United States 52->69 71 www.google.com 173.194.175.147, 443, 49208, 49253 GOOGLEUS United States 52->71 73 2 other IPs or domains 52->73
Score:
88%
Verdict:
Malware
File Type:
MSI
Link:
https://malprob.io/report/1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d63lrpwtuz7oiis7quwd3eh5fnrj6jkbvnbrws6u3hm7lo6sys3q._file
Verdict:
malicious
Similar samples:
143c1f6a1095fd6f63eae25d3b2cee9ba800c47b48279c8f7c62609118cc4299
Heodo
14971c780f7708a9ea2d139bb874b5ed8269c216d617598795b9d4a5da7176ef
Heodo
2c33166a74ba155a80bb28dcb1fa905ff8cce2dd19464d5784e863478facade5
Heodo
567d828dab1022eda84f90592d6d95e331e0f2696e79ed7d86ddc095bb2efdc8
Heodo
7081e4b1bffb4c839b937aa5938d83ca6a1dfbd0919917c54c829d8efc40ed34
Heodo
b79b536569c0060a834e4001289a6700692d67df58e644779fababf0df22fc75
Heodo
c12c6dd22bbdf170dffd8278facbb834c692c8f5b319e863097869fe94541ba5
Heodo
d0a0a3ac8865737a917983d10cf7307ed235aa4102d146f6858818694ab8f3f4
Heodo
+ 3 additional samples on MalwareBazaar
Result
Malware family:
darkgate
Create hunting rule
Score:
  10/10
Tags:
family:darkgate botnet:civilian1337 discovery stealer
Link:
https://tria.ge/reports/231023-zxqcfshd88/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Blocklisted process makes network request
DarkGate
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://185.130.227.202
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1fb6b8bed3a6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Heodo

Microsoft Software Installer (MSI) msi 1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/455762/

Comments