MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 297556d0ee81785209ae8464a2e8665271dfb03b2d321531d7d82804549b54e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Emotet (aka Heodo)


Vendor detections: 18



SHA256 hash: 297556d0ee81785209ae8464a2e8665271dfb03b2d321531d7d82804549b54e6
SHA3-384 hash: 5dac2f1f5a0c3838c96e0d0be157eebf73b6af4d04410df02a386776bfb044a4cb69a973574868201739e60dcd62bad0
SHA1 hash: f8e82cca5dbb430bafd16b516f6e97cdb754ba72
MD5 hash: 8e2bdd409a89cbb6b5eb424e9d1bda34
humanhash: november-echo-california-hot
File name: ExeFile (360).exe
Signature: Heodo
File size: 536'576 bytes
First seen: 2024-08-20 14:13:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 59c9e75ee4eabfac7b59b8e95fe09e60 (58 x Heodo)
ssdeep: 12288:pdZN7lYBPWkuaYWdm7/PC4ox9XUQz8h4RmAwV:pEKZWdm7/4UKmA
TLSH: T13FB49E0675F1C0B6DA6251700EA7EB79A6F6EAA04E325AC733E4DF1D2D324C19736321
TrID: 39.5% (.EXE) InstallShield setup (43053/19/16)
      28.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      9.6% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: b0b4fc7a8ed0c2c0 (1 x Heodo)
Reporter: byMattii1234
Tags: Emotet Heodo

Intelligence


File Origin
# of uploads: 1
# of downloads: 189
Origin country: DE
Vendor Threat Intelligence

Malware family:
ID: 1
File name: ExeFile (360).exe
Verdict: Malicious activity
Analysis date: 2024-08-20 17:03:12 UTC
Tags: emotet
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Verdict: Malicious
Score: 99.1%
Tags: Execution Generic Infostealer Other Stealth Trojan Emotet
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: crypto emotet epmicrosoft_visual_cc hook keylogger microsoft_visual_cc packed threat
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signatures:
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Uses known network protocols on non-standard ports
Yara detected Emotet
Threat name: Win32.Trojan.Emotet
Status: Malicious
First seen: 2020-09-17 04:19:08 UTC
File Type: PE (Exe)
Extracted files: 52
AV detection: 33 of 38 (86.84%)
Threat level: 5/5
Verdict: malicious
Label(s):
Result
Malware family:
Score: 10/10
Tags: family:emotet botnet:epoch2 banker discovery trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
System Location Discovery: System Language Discovery
Emotet payload
Emotet
Malware Config
C2 Extraction:
74.219.172.26:80
134.209.36.254:8080
104.156.59.7:8080
120.138.30.150:8080
194.187.133.160:443
104.236.246.93:8080
74.208.45.104:8080
78.187.156.31:80
187.161.206.24:80
94.23.216.33:80
172.91.208.86:80
91.211.88.52:7080
50.91.114.38:80
200.123.150.89:443
121.124.124.40:7080
62.75.141.82:80
5.196.74.210:8080
24.137.76.62:80
85.105.205.77:8080
139.130.242.43:80
82.225.49.121:80
110.145.77.103:80
195.251.213.56:80
46.105.131.79:8080
87.106.136.232:8080
75.139.38.211:80
124.41.215.226:80
203.153.216.189:7080
162.241.242.173:8080
219.74.18.66:443
174.45.13.118:80
68.188.112.97:80
200.114.213.233:8080
213.196.135.145:80
61.92.17.12:80
61.19.246.238:443
219.75.128.166:80
120.150.60.189:80
123.176.25.234:80
1.221.254.82:80
137.119.36.33:80
94.23.237.171:443
74.120.55.163:80
62.30.7.67:443
104.131.11.150:443
139.59.67.118:443
209.141.54.221:8080
79.137.83.50:443
84.39.182.7:80
97.82.79.83:80
87.106.139.101:8080
94.1.108.190:443
37.187.72.193:8080
139.162.108.71:8080
93.147.212.206:80
74.134.41.124:80
103.86.49.11:8080
75.80.124.4:80
109.74.5.95:8080
153.232.188.106:80
168.235.67.138:7080
50.35.17.13:80
42.200.107.142:80
82.80.155.43:80
78.24.219.147:8080
24.43.99.75:80
107.5.122.110:80
156.155.166.221:80
83.169.36.251:8080
47.144.21.12:443
79.98.24.39:8080
181.169.34.190:80
139.59.60.244:8080
85.152.162.105:80
185.94.252.104:443
110.5.16.198:80
174.102.48.180:443
140.186.212.146:80
95.179.229.244:8080
104.32.141.43:80
169.239.182.217:8080
121.7.127.163:80
94.200.114.161:80
201.173.217.124:443
104.131.44.150:8080
137.59.187.107:8080
5.39.91.110:7080
203.117.253.142:80
157.245.99.39:8080
176.111.60.55:8080
95.213.236.64:8080
220.245.198.194:80
37.139.21.175:8080
89.216.122.92:80
139.99.158.11:443
24.179.13.119:80
188.219.31.12:80
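The C2 extraction above is only useful once it is turned into something a detection pipeline can consume. The script below is an added example (it is not part of the MalwareBazaar page, nor code from any of the sandboxes listed): it validates a subset of the page's ip:port list, runs it over a constructed connection log in a generic "timestamp src:port -> dst:port proto" format, and emits one Suricata rule per endpoint. The log lines, the log format, the SID range and the rule options are assumptions chosen for the demonstration; 203.0.113.10 is a TEST-NET-3 documentation address, not a real host.

```python
"""Turn the C2 extraction above into detection content: a validated blocklist,
a matcher for connection logs, and Suricata rules.

Added example, not part of the MalwareBazaar page or of any vendor sandbox.
Only a subset of the page's C2 list is embedded; the log lines and the
'src -> dst proto' log format are constructed for the demonstration.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Set, Tuple

# Subset of the C2 endpoints shown in the entry's malware configuration.
C2_EXTRACTION = """
74.219.172.26:80
134.209.36.254:8080
194.187.133.160:443
91.211.88.52:7080
5.39.91.110:7080
139.99.158.11:443
"""

# Constructed connection log (not from the sandbox). 203.0.113.10 is TEST-NET-3.
SAMPLE_LOG = [
    "2024-08-20T14:20:01Z 10.0.0.5:49731 -> 91.211.88.52:7080 tcp",
    "2024-08-20T14:20:03Z 10.0.0.5:49732 -> 203.0.113.10:443 tcp",
    "2024-08-20T14:20:05Z 10.0.0.7:49800 -> 74.219.172.26:443 tcp",
    "garbage line that must not crash the matcher",
]

LOG_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+(\w+)$")


def parse_c2(text: str) -> Set[Tuple[str, int]]:
    """Parse 'ip:port' lines into (ip, port) tuples.

    Every host is validated with ipaddress so a malformed or hostile line
    cannot end up in a blocklist or a rule file.
    """
    endpoints = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, sep, port = line.rpartition(":")
        if not sep:
            raise ValueError(f"no port in C2 line: {line!r}")
        ip = ipaddress.ip_address(host)          # raises ValueError on garbage
        endpoints.add((str(ip), int(port)))
    return endpoints


def match_connections(lines: Iterable[str],
                      c2: Set[Tuple[str, int]]) -> List[Dict[str, object]]:
    """Flag exact ip:port hits and ip-only hits (Emotet tiers rotate ports)."""
    c2_ips = {ip for ip, _ in c2}
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                              # unparseable line, skip it
        ts, src, _sport, dst, dport, proto = m.groups()
        dport = int(dport)
        if (dst, dport) in c2:
            kind = "c2_exact"
        elif dst in c2_ips:
            kind = "c2_ip_other_port"
        else:
            continue
        hits.append({"ts": ts, "src": src, "dst": dst, "dport": dport,
                     "proto": proto, "kind": kind})
    return hits


def _order(endpoint: Tuple[str, int]):
    """Sort key that keeps IPv4 and IPv6 separate (mixed compares raise)."""
    ip = ipaddress.ip_address(endpoint[0])
    return (ip.version, int(ip), endpoint[1])


def suricata_rules(c2: Set[Tuple[str, int]], base_sid: int = 9000001) -> List[str]:
    """Emit one alert rule per endpoint; sorted so SIDs are stable across runs."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"Emotet (Heodo) C2 {ip}:{port}"; flow:to_server; '
        f'classtype:trojan-activity; sid:{base_sid + i}; rev:1;)'
        for i, (ip, port) in enumerate(sorted(c2, key=_order))
    ]


if __name__ == "__main__":
    c2 = parse_c2(C2_EXTRACTION)
    for hit in match_connections(SAMPLE_LOG, c2):
        print(hit)
    print("\n".join(suricata_rules(c2)))
```

The ip-only match is deliberate: the sandbox signature "Uses known network protocols on non-standard ports" reflects the 7080/8080 ports in this list, and Emotet tier-1 nodes are regularly re-used on a different port, so a destination IP hit on another port is still worth an alert at lower confidence. Many entries in these lists are compromised hosts rather than attacker-owned infrastructure and age out quickly, so check the list's currency before turning the rules into blocks.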
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 02b283f8f67578c289c8ad4f95fd764cca9519206d122b99146ccba25e5e6b06
MD5 hash: 8e95a4938a85207f04052566b2151de8
SHA1 hash: 401929fd6fe95d70603617b0366045dc6314b9dc
Detections: win_emotet_auto win_grimagent_auto win_emotet_a2 Win32_Trojan_Emotet
SHA256 hash: d66a25e5890709e6ab2810217c7cdef1e930148de598d2db8147f5e5101669b0
MD5 hash: f3b38a1578bf4534491102cebe181658
SHA1 hash: 0d86a9f4f34ded4369cc1155a8dee049a86b9c83
Detections: win_emotet_auto win_emotet_a2 Win32_Trojan_Emotet
Parent samples:
SHA256 hash: 297556d0ee81785209ae8464a2e8665271dfb03b2d321531d7d82804549b54e6
MD5 hash: 8e2bdd409a89cbb6b5eb424e9d1bda34
SHA1 hash: f8e82cca5dbb430bafd16b516f6e97cdb754ba72
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Heodo
File: Executable exe, SHA256 297556d0ee81785209ae8464a2e8665271dfb03b2d321531d7d82804549b54e6 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high
Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | ADVAPI32.dll::SetFileSecurityA
COM_BASE_API | Can Download & Execute components | ole32.dll::CLSIDFromProgID, ole32.dll::CoCreateInstance, ole32.dll::CoFreeUnusedLibraries
MULTIMEDIA_API | Can Play Multimedia | GDI32.dll::StretchDIBits
SHELL_API | Manipulates System Shell | SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetVolumeInformationA, KERNEL32.dll::GetStartupInfoA, KERNEL32.dll::GetDiskFreeSpaceA, KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::FreeConsole, KERNEL32.dll::SetStdHandle
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileA, KERNEL32.dll::CreateFileA, KERNEL32.dll::DeleteFileA, ADVAPI32.dll::GetFileSecurityA, KERNEL32.dll::MoveFileA, KERNEL32.dll::MoveFileExA
WIN_CRYPT_API | Uses Windows Crypt API | ADVAPI32.dll::CryptAcquireContextA
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegConnectRegistryA, ADVAPI32.dll::RegCreateKeyA, ADVAPI32.dll::RegCreateKeyExA, ADVAPI32.dll::RegDeleteKeyA, ADVAPI32.dll::RegOpenKeyExA, ADVAPI32.dll::RegOpenKeyA
WIN_SVC_API | Can Manipulate Windows Services | ADVAPI32.dll::OpenSCManagerA, ADVAPI32.dll::OpenServiceA, ADVAPI32.dll::QueryServiceStatus
WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuA, USER32.dll::CreateMenu, USER32.dll::FindWindowA, USER32.dll::PeekMessageA, USER32.dll::CreateWindowExA
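The three BLint findings above (missing Authenticode, NX and PIE) are all read straight out of the PE optional header: NX and PIE are the NX_COMPAT and DYNAMIC_BASE bits of DllCharacteristics, and Authenticode presence is a non-zero size in the security data directory. The script below is an added example that reproduces those three checks with only the Python standard library; it is not BLint's own code and not from the MalwareBazaar page. Because the sample itself cannot be embedded here, it builds a header-only PE32 image in memory for its own input; point pe_security_findings() at real file bytes to check a downloaded sample.

```python
"""Check the three BLint findings reported on this entry (Authenticode, NX, PIE)
directly from PE headers, using only the standard library.

Added example, not BLint's own code and not from the MalwareBazaar page.
The PE bytes produced by build_min_pe32() are constructed in-line so the
script runs offline; they are header-only and not loadable.
"""
import struct
from typing import Dict, List, Tuple

# DllCharacteristics bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR-capable ("PIE" in BLint terms)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP/NX compatible
IMAGE_DIRECTORY_ENTRY_SECURITY = 4               # Authenticode certificate table

# Severities as BLint reports them on this entry.
SEVERITY = {"CHECK_NX": "critical", "CHECK_PIE": "high", "CHECK_AUTHENTICODE": "high"}


def pe_security_findings(data: bytes) -> Dict[str, bool]:
    """Return {check_id: present} for CHECK_NX, CHECK_PIE and CHECK_AUTHENTICODE.

    False means the protection is absent, which is what BLint flags.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32
        nrva_off, dd_off = 92, 96
    elif magic == 0x20B:                     # PE32+
        nrva_off, dd_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    cert_size = 0
    if nrva > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # The security directory holds a raw file offset (not an RVA) and a size.
        _offset, cert_size = struct.unpack_from(
            "<II", data, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "CHECK_NX": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "CHECK_PIE": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "CHECK_AUTHENTICODE": cert_size != 0,
    }


def missing_findings(data: bytes) -> List[Tuple[str, str]]:
    """List (check_id, severity) for the protections that are absent, BLint-style."""
    return [(cid, SEVERITY[cid])
            for cid, present in pe_security_findings(data).items() if not present]


def build_min_pe32(dll_characteristics: int, cert_size: int) -> bytes:
    """Construct a header-only PE32 image as test input (assumed layout, not loadable)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, 224-byte opt hdr
    opt = bytearray(224)                               # PE32 optional header with 16 dirs
    struct.pack_into("<H", opt, 0, 0x10B)              # Magic: PE32
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x1000 if cert_size else 0, cert_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_min_pe32(0, 0)
    for cid, sev in missing_findings(blob):
        print(f"{cid}: missing ({sev})")
```

Two caveats when reading these flags on malware: a non-zero certificate table only says a signature blob is attached, not that it verifies or chains to a trusted root, so CHECK_AUTHENTICODE passing is not evidence of legitimacy; and a missing NX or DYNAMIC_BASE bit on a packed sample such as this one describes the packer's stub, not necessarily the unpacked payload listed under "Unpacked files".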
