MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b518cfe6a22ca7192d11da1e377a546e70856dccb14278c884ed971806c29f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	2b518cfe6a22ca7192d11da1e377a546e70856dccb14278c884ed971806c29f1
SHA3-384 hash:	e48c60d1540e5e7594c4c57e5208ce4b91c651a91b088c9c240301b2fb79d7100696a827b1d3ba7aa8a1016d9850da7b
SHA1 hash:	1d3a0ce052d30c9acba26a94e65d6b8a47d0c256
MD5 hash:	4439214c6307d58594eefc9ce57f81c2
humanhash:	xray-mexico-bakerloo-harry
File name:	Buchhalt_15_09_2020_0656660167.doc
Download:	download sample
Signature	Heodo Create hunting rule
File size:	159'117 bytes
First seen:	2020-09-15 20:26:31 UTC
Last seen:	Never
File type:	doc
MIME type:	application/msword
ssdeep	1536:CJ0ZsWTJ0ZsWirdi1Ir77zOH98Wj2gpngR+a9QQ54LW0cK:5rfrzOH98ipgE+qDcK
TLSH	3BF3960A26D1994EF33A4E3027D9AAE91856DCF44D8C4467328CBB157737B40E9E1BF8
Reporter	GovCERT_CH
Tags:	Emotet Heodo

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

TwinWave.EvilDoc.AutoExecSeparateWays.20200818.UNOFFICIAL

SecuriteInfo.com.VB.Trojan.VBA.Agent.BHH.UNOFFICIAL

TwinWave.EvilDoc.WelcomeBackEmotetThatsWhyTheyCallItWindowPain.2020717.UNOFFICIAL

TwinWave.EvilDoc.EmotetCROCryLittleSister.20200720.UNOFFICIAL

TwinWave.EvilDoc.EmotetARCROClubbedToDeathKurayamino.20200904.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Using the Windows Management Instrumentation requests

Creating a process with a hidden window

DNS request

Creating a file

Creating a process from a recently created file

Moving a file to the Windows subdirectory

Creating a service

Connection attempt

Deleting a recently created file

Possible injection to a system process

Enabling autorun for a service

Launching a process by exploiting the app vulnerability

Sending an HTTP GET request to an infection source

Detection:

emotet

Link:

https://mwdb.cert.pl/sample/2b518cfe6a22ca7192d11da1e377a546e70856dccb14278c884ed971806c29f1/

Threat name:

Document-Word.Trojan.Emotet

Status:

Malicious

First seen:

2020-09-15 10:01:44 UTC

AV detection:

26 of 48 (54.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fniyz7tkelfhdewrdwq6g55fi3tqqvw4zmkcpdeij3mxdadmfhyq._file

Result

Malware family:

n/a

Score:

8/10

Tags:

macro

Link:

https://tria.ge/reports/200915-kad8yh5xpe/

Behaviour

Suspicious Office macro

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2b518cfe6a22ca7192d11da1e377a546e70856dccb14278c884ed971806c29f1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Heodo

doc 2b518cfe6a22ca7192d11da1e377a546e70856dccb14278c884ed971806c29f1

(this sample)

Dropped by

Heodo

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample