MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2907480701d5cd8b3f1577165d59c6321dd172ad6e18e96ecc7b95c67e4e450d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2907480701d5cd8b3f1577165d59c6321dd172ad6e18e96ecc7b95c67e4e450d
SHA3-384 hash: feea6ae4d248c3b93a0f31b5f2dd08280ad00b6a7220cea1ac5c3d11faeba002ee3d102b5b0c32c9107261e1d8d84ba5
SHA1 hash: 91f073a86e47fd09c27b856b975f1ce4df9e6646
MD5 hash: 40ecf3b9627783b858f342b765f91780
humanhash: whiskey-robin-twelve-nineteen
File name:SecuriteInfo.com.Trojan.Siggen29.65231.29631.18210
Download: download sample
Signature Heodo
Create hunting rule
File size:265'216 bytes
First seen:2025-06-04 17:55:53 UTC
Last seen:2025-06-04 18:30:45 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 993e3fcbcab0ffdde9d950113c2f613b (1 x Heodo)
ssdeep 6144:ds7Pz6MhtyuqCxevrwP4fJ8JIiI9Npm62mvFsQk3z8:d0q04h8vIjpm6TY8
TLSH T18D449D42B981D0B6C55F00352029D36AAB3E76104791CEEBE7D09CB94E7B3D18A35B7E
TrID 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter SecuriteInfoCom
Tags:dll Emotet Heodo

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'252
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/7353/
Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68408a1507b5e8c1cfe4b866
Tags:
shellcode virus agent
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm cmd hacktool lolbin microsoft_visual_cc
Link:
https://www.filescan.io/uploads/684088db2d1d8b12425eb1e1/reports/e2ba1318-e8ed-4ea6-b7fd-0ad3fd4f5d03/overview
Verdict:
Malicious
Labled as:
RiskWare[RiskTool]/Agentb
Link:
https://www.hybrid-analysis.com/sample/2907480701d5cd8b3f1577165d59c6321dd172ad6e18e96ecc7b95c67e4e450d
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/66e9de5b-f30a-4a13-9b84-e5c50fa6e85e
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1706333
Signature
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1706333 Sample: SecuriteInfo.com.Trojan.Sig... Startdate: 04/06/2025 Architecture: WINDOWS Score: 56 38 Multi AV Scanner detection for submitted file 2->38 40 Joe Sandbox ML detected suspicious sample 2->40 9 loaddll32.exe 1 2->9         started        process3 signatures4 44 Suspicious powershell command line found 9->44 12 cmd.exe 1 9->12         started        14 rundll32.exe 9->14         started        17 rundll32.exe 9->17         started        19 2 other processes 9->19 process5 signatures6 21 rundll32.exe 12->21         started        46 Suspicious powershell command line found 14->46 24 powershell.exe 12 14->24         started        26 powershell.exe 12 17->26         started        28 conhost.exe 19->28         started        process7 signatures8 42 Suspicious powershell command line found 21->42 30 powershell.exe 12 21->30         started        32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        process9 process10 36 conhost.exe 30->36         started       
Score:
46%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/2907480701d5cd8b3f1577165d59c6321dd172ad6e18e96ecc7b95c67e4e450d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2907480701d5cd8b3f1577165d59c6321dd172ad6e18e96ecc7b95c67e4e450d/
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2023-06-16 14:52:21 UTC
File Type:
PE (Dll)
AV detection:
13 of 38 (34.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=feduqbyb2xgywpyvo4lf2woggio5c4vnnymos3wmpok4m7soiugq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250604-wh8cyack2s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Unpacked files
SH256 hash:
2907480701d5cd8b3f1577165d59c6321dd172ad6e18e96ecc7b95c67e4e450d
MD5 hash:
40ecf3b9627783b858f342b765f91780
SHA1 hash:
91f073a86e47fd09c27b856b975f1ce4df9e6646
Link:
https://www.unpac.me/results/dc7d3c19-b396-4c61-8153-9f97f1a70a17/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2907480701d5cd8b3f1577165d59c6321dd172ad6e18e96ecc7b95c67e4e450d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Emotet
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Emotet
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Heodo

DLL dll 2907480701d5cd8b3f1577165d59c6321dd172ad6e18e96ecc7b95c67e4e450d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3558249/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/7353/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::GetWindowsDirectoryW
KERNEL32.dll::GetSystemDirectoryW
KERNEL32.dll::GetFileAttributesW
WIN_BCRYPT_APICan Encrypt Filesbcrypt.dll::BCryptGenRandom
bcrypt.dll::BCryptOpenAlgorithmProvider
bcrypt.dll::BCryptCloseAlgorithmProvider

Comments