MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2049636dacf350e2d08a2c977750ccbf4b8cc13732aac3863be940facd7a5989. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2049636dacf350e2d08a2c977750ccbf4b8cc13732aac3863be940facd7a5989
SHA3-384 hash: add08ec3be10358c567a82c3686897d4e77709b98af8899d609613363d0382d9735eac6184cee7d60a77c4979f5ede59
SHA1 hash: 76bf3a742f006eacbf948423b5154b9344b839da
MD5 hash: 6aec6aee754419c449358e21fc5cadea
humanhash: mike-quebec-vermont-avocado
File name:ZlvFNj.dat
Download: download sample
Signature Heodo
Create hunting rule
File size:1'091'083 bytes
First seen:2021-07-22 00:03:05 UTC
Last seen:2021-07-22 00:59:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 11816731f87952ce23da086b67eb30cb (20 x Vidar, 2 x BazaLoader, 1 x Heodo)
ssdeep 12288:yS7oCiYqlAOsxk8wf5HUyDKpLHNPXo3gawdCaBSPZC1XZxWjT4lYJ:roCsnEkHxD4Tdo3GIyX2T4lYJ
Threatray 215 similar samples on MalwareBazaar
TLSH T129354A55BCE104BAC13BF2314896A2A1F6327C6943316BD71F8165BA1AB4BD03A3D7DC
Reporter Anonymous
Tags:Emotet exe Heodo

Intelligence

File Origin
# of uploads :
2
# of downloads :
694
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Stolen Images Evidence.zip
Verdict:
Suspicious activity
Analysis date:
2021-07-20 15:48:54 UTC
Tags:
loader
Link:
https://app.any.run/tasks/44470730-363d-45a0-8ec3-291e3ee0cd93

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/173196/
Detection(s):
SecuriteInfo.com.Variant.Bulz.569826.1587.9414.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
BazaLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/819846
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected BazaLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2049636dacf350e2d08a2c977750ccbf4b8cc13732aac3863be940facd7a5989/
Threat name:
Win64.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-22 00:04:04 UTC
AV detection:
8 of 46 (17.39%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
35b236fbe87c82a8481485fcf00f3a08749e7a7b49bb2adbd6729c72906a1a60
Heodo
5090fa74f83368086c1d197dcd28e51f8b36cd5d2c18e9a964d925a445ea0066
Heodo
5afed1ccccb12db0f6da9f25c43d10b4e63995881b65526004cd6f6a390c792d
Heodo
6c710694d270db91b550daf3177622514d2444e7484fb7a16aa2651cc20eb981
Heodo
82c4c174ad1822ac3c1a55b2e08e9987a9be2294f46508318e50f70566beab5c
Heodo
8f9b032ff6f56a685f4c6f9eb57784811d6c98aa83b0c6371e81814edbcd2738
Heodo
a27fa7724da938df040a3e535f2be9cec4d6d93bd4f2e5ec2ba79560f84cb69c
Heodo
ab1e662e687e0293800456f457071b61b659f4b247583ecfcda1a6584a0b16dd
Heodo
+ 205 additional samples on MalwareBazaar
Result
Malware family:
bazarloader
Create hunting rule
Score:
  10/10
Tags:
family:bazarbackdoor family:bazarloader backdoor dropper loader
Link:
https://tria.ge/reports/210722-ddb7rhhaax/
Behaviour
Discovers systems in the same network
Enumerates processes with tasklist
Gathers system information
Modifies registry key
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Blocklisted process makes network request
Bazar/Team9 Backdoor payload
Bazar/Team9 Loader payload
Bazar Loader
BazarBackdoor
Unpacked files
SH256 hash:
2049636dacf350e2d08a2c977750ccbf4b8cc13732aac3863be940facd7a5989
MD5 hash:
6aec6aee754419c449358e21fc5cadea
SHA1 hash:
76bf3a742f006eacbf948423b5154b9344b839da
Link:
https://www.unpac.me/results/ec84800d-b8f6-4a63-82ff-22cf8066bb45/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.30
Link:
https://yomi.yoroi.company/submissions/2049636dacf350e2d08a2c977750ccbf4b8cc13732aac3863be940facd7a5989

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/173196/

Comments