MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2bffe5e50c10299a36490f0c0ab76c4b31acbd111e52684bb141d1bc267493ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	2bffe5e50c10299a36490f0c0ab76c4b31acbd111e52684bb141d1bc267493ae
SHA3-384 hash:	18605653e11d5e2f8dad8b0e74035e6188beef20363979f5d9f727883625da0ac76e13b1c1c3cf6f03c874663972a68b
SHA1 hash:	1158b27db357ba36fc3922d0f85d7be3ab3f3aa7
MD5 hash:	2c177c13a67a7a8ce5e2c5a0312e3223
humanhash:	lithium-undress-hot-west
File name:	emotet_exe_e2_2bffe5e50c10299a36490f0c0ab76c4b31acbd111e52684bb141d1bc267493ae_2021-01-13__000248.exe
Download:	download sample
Signature	Heodo Create hunting rule
File size:	275'456 bytes
First seen:	2021-01-13 00:02:53 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	d48a3c0bea3c0fa80a2948dd59606aad (29 x Heodo)
ssdeep	6144:dq+NGSgrt4j+TaOxXZaiMUALR+R1DileeUAFubxGJnWo:dlNdktK5OxJa0ALR+R1DbeaCnWo
Threatray	353 similar samples on MalwareBazaar
TLSH	EC44DF227653DD33F5F900FC66A58B8A60567E741F40A88373D0CF9A8C359E2992B71B
Reporter	Cryptolaemus1
Tags:	Emotet epoch2 exe Heodo

Cryptolaemus1

Emotet epoch2 exe

Intelligence

File Origin

# of uploads :

# of downloads :

208

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Emotet

Link:

https://www.capesandbox.com/analysis/114501/

Detection(s):

SecuriteInfo.com.Generic.mg.3665fadcc0fe07cd.29906.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2bffe5e50c10299a36490f0c0ab76c4b31acbd111e52684bb141d1bc267493ae/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2021-01-13 00:03:10 UTC

AV detection:

8 of 46 (17.39%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fp76lzimcauzunsjb4gavn3mjmy2zpirdzjgqs5rihi3yjtusoxa._file

Verdict:

malicious

Label(s):

emotet

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/210113-s4avbm8ffa/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Blocklisted process makes network request

Unpacked files

SH256 hash:

8f95a660585e89651cd86e7009854796e5e80d10d1c92bfc4407224f19232b0a

MD5 hash:

a9ba7bad59b3d757b11a6f9805e63b00

SHA1 hash:

f10c709fe920efe25cdd0a7dab9b94b576cdd6d6

Detections:

win_emotet_a2

Link:

https://www.unpac.me/results/5bd5ecac-955d-4e76-85dd-63d582fb7ed5/

Parent samples :

4a91efce913eb758fc2fc521d9d3aa03435dca6f31042d3238a2ba4fa9c3d44a
a3b948cc2e1c902db955949ac2c3cc3a00f25567aa37c9360291c0665511678c
2884a74d210bff9f00180cedb8a3cf72e98e9fb60fe2ddb8013742c06ed90c79
2b823ea04a168a3a411f13be07a3d21ecf77e5eb302eeb1df81eba1bf2db1716
b797ee02a6076e9a2616e29fa028f7ab9e2c2a4462b52e23ce7c764ea08cc60f
4fb7e283f5630ce8de93b622997d2acc8069a2d65d59986d966d1808cf3c17fa
2b862fcde61fb767e7166dd5203838b5a95cb75537674c3e432075cb8dcf2777
76231385c6db0d69c09bab8e16b956be0b94fe07db8a2e10d9ab54b5a44d0030
385ecef52dace3b401a7ed4acb4ef99bfc7f881683045900f6af54af1bfc57f4
300ab17eb7b6f16d701bc4233a47ab0b6e344742107893a2dd956d5b26d5a24d
abd66f959299dfdc80648d5c11bc94f491176951eebfd2ecffa311487489199d
e6ec70418c0896839b13b04b2308298bfd5c71e5543de240bb1fb9e24cf7c9ac
2bffe5e50c10299a36490f0c0ab76c4b31acbd111e52684bb141d1bc267493ae
487262f1db45bf66acd95a2cce3c9ebe9750c80645ce4268199e34361fe1fdfd
7aed3fe2d0743ca0f167a3029bc9f6d2a2efca22fc97ef085234513788859c09
c5e97cf63b4f5f443c475101a9331a130f4d479399a52cfac24d1bcfa9d78c15
b98d0bd4a8fa89906859f378ea7b924c554443f633bcafc84b0e85c06bed8eb3
f357249f8bdc0335708c70854c7e2dbe8b3230b5e7c83590eeb75295dea62dab
13b82d8845824e603b72a51176ca27f9b8f808006e5f5c6d08e3a9118299fa57
1a0dbe107464310b9edcf3f39d2b63b3a7e2b93fca51422515483aabf9f92cb8
abbca19344bd039c31963fb2c2239a104e36c46c27f44400648675d3d2e86a80
af2ff1cce0750b515e034bd482bd2b486fc82d2839257ea0693709801c8903a5
e7c52c484acf172e7e1e1af87523e97f16ce890ab584219d3a4fcf52949ae632

SH256 hash:

2bffe5e50c10299a36490f0c0ab76c4b31acbd111e52684bb141d1bc267493ae

MD5 hash:

2c177c13a67a7a8ce5e2c5a0312e3223

SHA1 hash:

1158b27db357ba36fc3922d0f85d7be3ab3f3aa7

Link:

https://www.unpac.me/results/5bd5ecac-955d-4e76-85dd-63d582fb7ed5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Emotet

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2bffe5e50c10299a36490f0c0ab76c4b31acbd111e52684bb141d1bc267493ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_emotet_a2 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/114501/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample