MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e3f0cba76c76de6beb1d7782576c1913d7a5ec9e471a36bac04827d26b0185d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	2e3f0cba76c76de6beb1d7782576c1913d7a5ec9e471a36bac04827d26b0185d
SHA3-384 hash:	01cf24e5f2c73e79d51e8a297a86078324e87b0439c2e0986a11d3e5e7f7817b556e2eb45935b15818f9244e890293c8
SHA1 hash:	d929ce7609439667831a31ce8c97c71c6e498470
MD5 hash:	745a18500452206f2cef963f2effe9d8
humanhash:	nitrogen-oklahoma-mississippi-mars
File name:	構造図.doc
Download:	download sample
Signature	Heodo Create hunting rule
File size:	156'471 bytes
First seen:	2020-09-24 10:35:59 UTC
Last seen:	2020-09-24 12:38:59 UTC
File type:	doc
MIME type:	application/msword
ssdeep	1536:hAkT3yRFGEv0QtKPaOtMPAquK1gLadmpsHkkyeY+tB445TEgrO3jSWAg83tle1Zv:022TWTogk079THcpOu5UZ+aEu1
TLSH	71E3F40FE6C9E942D712817689F9FFE92CA16C6676094D7A300EFF2F1AF7111C606684
Reporter	GovCERT_CH
Tags:	Emotet Heodo

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

TwinWave.EvilDoc.WelcomeBackEmotetThatsWhyTheyCallItWindowPain.2020717.UNOFFICIAL

TwinWave.EvilDoc.EMOCROCreateRomanticWarrior.20200916.UNOFFICIAL

Doc.Dropper.EmotetOfficeWizard0920-9764982-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Using the Windows Management Instrumentation requests

Creating a process with a hidden window

DNS request

Creating a file

Creating a process from a recently created file

Moving a file to the Windows subdirectory

Creating a service

Connection attempt

Sending an HTTP POST request

Deleting a recently created file

Possible injection to a system process

Enabling autorun for a service

Launching a process by exploiting the app vulnerability

Sending an HTTP GET request to an infection source

Detection:

emotet

Link:

https://mwdb.cert.pl/sample/2e3f0cba76c76de6beb1d7782576c1913d7a5ec9e471a36bac04827d26b0185d/

Threat name:

Script-Macro.Trojan.Emotet

Status:

Malicious

First seen:

2020-09-24 10:37:05 UTC

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fy7qzotwy5w6npvr254ck5wbse6xuxwj4ry2g25masbh2jvqdboq._file

Result

Malware family:

n/a

Score:

8/10

Tags:

macro

Link:

https://tria.ge/reports/200924-lhp8xmphqx/

Behaviour

Suspicious Office macro

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2e3f0cba76c76de6beb1d7782576c1913d7a5ec9e471a36bac04827d26b0185d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.