MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32fd6a4a895e4507432e6cffd8dc06563745b545c6a5c6ced934bd229aa6246d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 19

SHA256 hash: 32fd6a4a895e4507432e6cffd8dc06563745b545c6a5c6ced934bd229aa6246d
SHA3-384 hash: 1a5fb76f0d415d2adfaaeaca6eaf264ae7f0dcc89fb891a47c632ad925a3ec0ea6dc950c804e1694601a889372c86e99
SHA1 hash: b6dfd92ebd45c3d6821d58939dc87663494a4f27
MD5 hash: be4ffb44533ad150883f5802b51e7773
humanhash: lion-oxygen-utah-april
File name: ExeFile (323).exe
Signature: Heodo
File size: 649'728 bytes
First seen: 2024-08-20 14:12:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8723dfe3046b2e6545d35e1fffd37d94 (65 x Heodo)
ssdeep: 6144:K9H+NDxL6GMGj8kl7muvrxwpntVsOGx4QKZXPk1jXPUVvfY0MAJ1by718jRJGu:KJ+Nd6Gmujx3uXPk1Dsm0bH6WjRJG
Threatray: 378 similar samples on MalwareBazaar
TLSH: T196D46B13EF8CC071E15222B9DD07E6FA1658EF6879354E47BAD43B1BDA303D06429E1A
TrID:
  41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
  4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: c4d02ad6d4d6d0a8 (1 x Heodo)
Reporter: byMattii1234
Tags: Emotet Heodo

Intelligence

File Origin
# of uploads: 1
# of downloads: 201
Origin country: DE

Vendor Threat Intelligence
Malware family:
ID: 1
File name: ExeFile (323).exe
Verdict: Malicious activity
Analysis date: 2024-08-20 17:35:15 UTC
Tags: emotet stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.1%
Tags: Execution Generic Infostealer Network Other Stealth Trojan Emotet

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: emotet epmicrosoft_visual_cc fingerprint keylogger keylogger microsoft_visual_cc threat
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature:
  Antivirus / Scanner detection for submitted sample
  C2 URLs / IPs found in malware configuration
  Drops executables to the windows directory (C:\Windows) and starts them
  Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
  Found malware configuration
  Hides that the sample has been downloaded from the Internet (zone.identifier)
  Machine Learning detection for sample
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  Suricata IDS alerts for network traffic
  Uses known network protocols on non-standard ports
  Yara detected Emotet
Behaviour
Threat name: Win32.Trojan.Emotet
Status: Malicious
First seen: 2020-08-29 10:02:00 UTC
File Type: PE (Exe)
Extracted files: 157
AV detection: 31 of 38 (81.58%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:emotet botnet:epoch1 banker discovery trojan
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of SetWindowsHookEx
  System Location Discovery: System Language Discovery

Emotet
Malware Config
C2 Extraction:
45.16.226.117:443
91.121.54.71:8080
209.236.123.42:8080
89.32.150.160:8080
45.161.242.102:80
37.52.87.0:80
137.74.106.111:7080
71.197.211.156:80
217.199.160.224:7080
186.70.127.199:8090
50.28.51.143:8080
190.115.18.139:8080
85.105.140.135:443
24.148.98.177:80
181.30.61.163:443
192.241.146.84:8080
185.94.252.27:443
77.238.212.227:80
185.94.252.12:80
190.147.137.153:443
45.33.77.42:8080
187.162.248.237:80
65.36.62.20:80
81.129.198.57:80
46.28.111.142:7080
192.241.143.52:8080
5.196.35.138:7080
73.213.208.163:80
24.135.1.177:80
190.6.193.152:8080
61.92.159.208:8080
212.174.55.22:443
217.13.106.14:8080
24.135.198.218:80
177.72.13.80:80
219.92.13.25:80
219.92.8.17:8080
70.32.84.74:8080
191.182.6.118:80
83.169.21.32:7080
152.169.22.67:80
45.173.88.33:80
67.247.242.247:80
177.73.0.98:443
82.76.111.249:443
72.135.200.124:80
110.142.219.51:80
178.79.163.131:8080
178.250.54.208:8080
199.203.62.165:80
149.62.173.247:8080
82.196.15.205:8080
138.97.60.141:7080
190.190.148.27:8080
190.128.173.10:80
191.99.160.58:80
72.167.223.217:8080
68.183.170.114:8080
206.15.68.237:443
189.2.177.210:443
70.32.115.157:8080
190.24.243.186:80
98.13.75.196:80
104.131.103.37:8080
2.47.112.152:80
111.67.12.221:8080
213.197.182.158:8080
114.109.179.60:80
77.90.136.129:8080
58.171.153.81:80
190.2.31.172:80
212.71.237.140:8080
181.129.96.162:8080
213.60.96.117:80
184.66.18.83:80
178.148.55.236:8080
186.103.141.250:443
12.162.84.2:8080
103.106.236.83:8080
188.2.217.94:80
172.104.169.32:8080
188.135.15.49:80
51.159.23.217:443
177.74.228.34:80
190.163.31.26:80
91.219.169.180:80
174.100.27.229:80
190.195.129.227:8090
189.131.57.131:80
68.183.190.199:8080
77.55.211.77:8080
95.9.180.128:80
87.106.46.107:8080
94.176.234.118:443
85.109.159.61:443
204.225.249.100:7080
51.255.165.160:8080
72.47.248.48:7080
170.81.48.2:80
104.131.41.185:8080
Unpacked files

SHA256 hash: bca1f759283ceaedf4d64f515c00d0ec53ad81b64339b9884c1197e047c2c63f
MD5 hash: 3f3a6e38b99c08e3cc8e4b642fe0063b
SHA1 hash: 9fac48df1ba4ff8d2c9a71b9989ca65601399e40
Detections: win_emotet_auto win_emotet_a2 Emotet

SHA256 hash: 1180b193fa29b843abaa92ab7e1afd70e228c80ae9fb7c96e3a82e73bd4bba0d
MD5 hash: db950c45bcfbacfefcf07b2ba9870a63
SHA1 hash: 7ab82523dfc45ddb95797ed86ee0f12c1a443d36

SHA256 hash: 32fd6a4a895e4507432e6cffd8dc06563745b545c6a5c6ced934bd229aa6246d
MD5 hash: be4ffb44533ad150883f5802b51e7773
SHA1 hash: b6dfd92ebd45c3d6821d58939dc87663494a4f27
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Heodo
File: Executable exe 32fd6a4a895e4507432e6cffd8dc06563745b545c6a5c6ced934bd229aa6246d (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                                      Severity
CHECK_AUTHENTICODE         Missing Authenticode                                       high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)     high
CHECK_NX                   Missing Non-Executable Memory Protection                   critical
CHECK_PIE                  Missing Position-Independent Executable (PIE) Protection   high

Reviews
ID                  Capabilities                        Evidence
COM_BASE_API        Can Download & Execute components   ole32.dll::CLSIDFromProgID
                                                        ole32.dll::CoFreeUnusedLibraries
WIN32_PROCESS_API   Can Create Process and Threads      KERNEL32.dll::CloseHandle
WIN_BASE_API        Uses Win Base API                   KERNEL32.dll::TerminateProcess
                                                        KERNEL32.dll::LoadLibraryA
                                                        KERNEL32.dll::GetVolumeInformationA
                                                        KERNEL32.dll::GetSystemInfo
                                                        KERNEL32.dll::GetStartupInfoA
                                                        KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API   Can Execute other programs          KERNEL32.dll::WriteConsoleA
                                                        KERNEL32.dll::WriteConsoleW
                                                        KERNEL32.dll::SetStdHandle
                                                        KERNEL32.dll::GetConsoleCP
                                                        KERNEL32.dll::GetConsoleMode
                                                        KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API     Can Create Files                    KERNEL32.dll::CreateFileA
                                                        KERNEL32.dll::GetFileAttributesA
                                                        KERNEL32.dll::FindFirstFileA
WIN_REG_API         Can Manipulate Windows Registry     ADVAPI32.dll::RegCreateKeyExA
                                                        ADVAPI32.dll::RegDeleteKeyA
                                                        ADVAPI32.dll::RegOpenKeyA
                                                        ADVAPI32.dll::RegOpenKeyExA
                                                        ADVAPI32.dll::RegQueryValueA
                                                        ADVAPI32.dll::RegQueryValueExA
WIN_USER_API        Performs GUI Actions                USER32.dll::PeekMessageA
                                                        USER32.dll::CreateWindowExA
