MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31cb0d7a224f16ec4e998140c4efde8ef752295b8a88080915f0bb2b49034bee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Emotet (aka Heodo)


Vendor detections: 9



SHA256 hash: 31cb0d7a224f16ec4e998140c4efde8ef752295b8a88080915f0bb2b49034bee
SHA3-384 hash: df796462c4588964e34325eaa7f2a887136e069dc6d31d4658984f4864ec89d5fe8fdc7ae1d2a4ce70121e383b6f6359
SHA1 hash: 602f7933c443765697bb178ca137f17f81856f0d
MD5 hash: 7baad56cc483132b8b9cb7a14722c3b1
humanhash: bravo-july-steak-nevada
File name: test.vbs
Signature: Heodo
File size: 2'034 bytes
First seen: 2022-02-23 03:39:50 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 48:G7GafbEucQ19ksqXXPCehEIYrd7IchPrR8Qcraj:aEucY97NtIYrVIiVz
Threatray: 11'094 similar samples on MalwareBazaar
TLSH: T1F34153A0B65C4778215A5AC5D1E7E85CD60B18D358287E2DB894A3EFD21CBF383B740A
Reporter: ankit_anubhav
Tags: Emotet Heodo vbs

Intelligence


File Origin
# of uploads: 1
# of downloads: 287
Origin country: n/a
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 50%
Tags: cmd powershell
Result
Verdict: SUSPICIOUS
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files to the user root directory
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
Powershell drops PE file
Sigma detected: BlueMashroom DLL Load
Sigma detected: Regsvr32 Anomaly
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Regsvr32 Network Activity
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Wscript starts Powershell (via cmd or directly)
Yara detected Emotet
Behaviour
Behavior Graph: [behavior graph image; Behavior Graph ID: 576928, Sample: test.vbs, Startdate: 23/02/2022, Architecture: WINDOWS, Score: 100; process chain shown: wscript.exe starts cmd.exe and powershell.exe, powershell.exe drops C:\ProgramData\oiphilfj.dll, regsvr32.exe loads it and makes outbound connections]
Threat name: Script-WScript.Trojan.Tnega
Status: Malicious
First seen: 2022-02-22 20:56:41 UTC
File Type: Text (VBS)
AV detection: 13 of 28 (46.43%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:emotet botnet:epoch4 banker suricata trojan
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
Malware Config
C2 Extraction:
Dropper Extraction:
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
