MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 307ca3ed1dc0600ff059947ec050b510ae5b2a51ddd307abd791b3fc99b83d1e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 307ca3ed1dc0600ff059947ec050b510ae5b2a51ddd307abd791b3fc99b83d1e
SHA3-384 hash: 5bff8744a1735a2f2fabe34f91a6af9b73153239717bdd7489fe135e96827898b4cf5ab29da12e6f52bff0a060b569f9
SHA1 hash: f1ec21533913c7e920b1468e031515aa5d7d49db
MD5 hash: 378ab6b716c4b7ff4259b241493c52ad
humanhash: pizza-lamp-connecticut-asparagus
File name:emotet_exe_e2_307ca3ed1dc0600ff059947ec050b510ae5b2a51ddd307abd791b3fc99b83d1e_2021-01-20__104348.exe
Download: download sample
Signature Heodo
Create hunting rule
File size:350'552 bytes
First seen:2021-01-20 10:43:53 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash af263152594d80bd9c18d0a70e4d94ec (26 x Heodo)
ssdeep 3072:C/GZgCBD0JqvjYGRKbGUUtvAMdg6Ygpr7kL2LWsFzMFruztyr1Bg:OGSkDgqvPRKib6+g8rtLWFcEpK
Threatray 162 similar samples on MalwareBazaar
TLSH C874ADEAB8FBA455C78DE6716BD52DB6A9334F73028E91313F502ACD03935CC2AD2445
Reporter Cryptolaemus1
Tags:Emotet epoch2 exe Heodo


Avatar
Cryptolaemus1
Emotet epoch2 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/113052/
Detection(s):
SecuriteInfo.com.BScope.Trojan.Chanitor.20989.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Sending a UDP request
Connection attempt
Sending an HTTP POST request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/307ca3ed1dc0600ff059947ec050b510ae5b2a51ddd307abd791b3fc99b83d1e/
Threat name:
Win32.Trojan.EmotetCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-01-20 10:44:10 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
emotet
Create hunting rule
Similar samples:
037143220c32fd581f41b3482b8e8b0e6b9e3eeb92d6ff5f87499b7af1d2fac7
Heodo
0fc2bd6c36ebf467b2be07937840c74feb36ea30bdd8a1974bb649b4c963d864
Heodo
3a5ec053204b21e28188b063f08ddf25d8f178d9741a6d8ba557f8be832f129e
Heodo
3f2eac9d8623f529318d7e748517b6b8180c759ae2b22c4b65dae314873a30c2
Heodo
4a6f406df2dfa5f94d8cadb9e6cadad59ab199bb9b651a4f59156cd70213d424
Heodo
696410ae0652a74ab95af0a965d5f72bd96986f12872b0191aa64f294e677131
Heodo
83198be4669f5283f38179838cf092c6200efb9e487d26544d7655347c00d091
Heodo
9e5fff4db7bf61fcc2c9fa976883fcaeaeae0ff5c3c3e0bb8fc4a0e6a8e67d19
Heodo
aa3a402496061e154d3ff37896727c38a9d06bcf85a5954f8ba553cbdc21c9a1
Heodo
ab674578eade52588b33cdbc21dbfdcb420a55c527422285ee43634d7edfc256
Heodo
+ 152 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210120-6d1tla33ex/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Unpacked files
SH256 hash:
1a386b0367efd575f7e51126910cac97a7747bd51d4a42d815706e7eceb85f71
MD5 hash:
ac802ddf89ba088df81bd959e4e55f9e
SHA1 hash:
c6906bb581b0ecc99b7e74c67996ebf6d16087a4
Detections:
win_emotet_a2
Create hunting rule
Link:
https://www.unpac.me/results/2f7f3b83-cf88-46fa-b81d-6d230a76e57a/
Parent samples :
3f2eac9d8623f529318d7e748517b6b8180c759ae2b22c4b65dae314873a30c2
3a5ec053204b21e28188b063f08ddf25d8f178d9741a6d8ba557f8be832f129e
ab674578eade52588b33cdbc21dbfdcb420a55c527422285ee43634d7edfc256
696410ae0652a74ab95af0a965d5f72bd96986f12872b0191aa64f294e677131
307ca3ed1dc0600ff059947ec050b510ae5b2a51ddd307abd791b3fc99b83d1e
a94583bbbe3f7ca9993305896e49c8e76e498ba618e27930282327bdd793bc5a
0b8ad413449454dd85f7a79c7600387658fb0e3e5b1b5ad8ab7119175551f819
SH256 hash:
307ca3ed1dc0600ff059947ec050b510ae5b2a51ddd307abd791b3fc99b83d1e
MD5 hash:
378ab6b716c4b7ff4259b241493c52ad
SHA1 hash:
f1ec21533913c7e920b1468e031515aa5d7d49db
Link:
https://www.unpac.me/results/2f7f3b83-cf88-46fa-b81d-6d230a76e57a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Locky
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/307ca3ed1dc0600ff059947ec050b510ae5b2a51ddd307abd791b3fc99b83d1e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_emotet_a2
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/113052/

Comments