MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 376166ef80c5d8c1a77c5130be59a734854441e60da1c36de67923f13052a641. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 376166ef80c5d8c1a77c5130be59a734854441e60da1c36de67923f13052a641
SHA3-384 hash: 5b8a8ba139e8af94dca26a3a492d7ffcd75062392e9f373a88820237fb6a9706c5437dc79f148068c25a15b954660d7f
SHA1 hash: 02d8fa8af819cf0d4a84a63a9f572a211df4f429
MD5 hash: 4b670f1f0792e1bd4f3440bf272425a0
humanhash: march-solar-indigo-six
File name:4b670f1f0792e1bd4f3440bf272425a0
Download: download sample
Signature Heodo
Create hunting rule
File size:745'472 bytes
First seen:2022-04-24 02:20:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 57b460f7cd0fab28b120cd121cfb7f9f (36 x Heodo)
ssdeep 12288:aIabL1+x29hs+bDBLKhKmCKzTrj+i0I8PxiGhWzx+o8/NQfN7IT5p:XabLXhs7AZKzvjLT0hWzP8/yfRIT3
Threatray 234 similar samples on MalwareBazaar
TLSH T187F48D4BF77C84A6D16AC979C5639A8AE6717C454B71C34B4360FB3E6F337A05A2A300
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 30f8cce6e6f4e820 (35 x Heodo)
Reporter zbetcheckin
Tags:Emotet exe Heodo

Intelligence

File Origin
# of uploads :
1
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/266138/
Detection(s):
Win.Trojan.Zenpak-9946576-0
Create hunting rule

SecuriteInfo.com.generic.ml.15769.10988.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware keylogger
Link:
https://www.filescan.io/uploads/6264b41814dc6ebc1c872432/reports/1bd05845-5331-4554-a239-37d4a86be444/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Emotet
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/514edd02-ef5a-4ab4-b8bb-d999296962af
Result
Threat name:
Emotet
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/981969
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Regsvr32 Network Activity
Sigma detected: Suspicious Call by Ordinal
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 614456 Sample: GKngkkqOYV Startdate: 24/04/2022 Architecture: WINDOWS Score: 100 32 103.42.58.120 VNPT-AS-VNVNPTCorpVN Viet Nam 2->32 34 202.29.239.162 UNINET-AS-APUNINET-TH Thailand 2->34 36 45 other IPs or domains 2->36 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Multi AV Scanner detection for domain / URL 2->48 50 Found malware configuration 2->50 52 6 other signatures 2->52 8 loaddll64.exe 1 2->8         started        10 svchost.exe 9 1 2->10         started        13 svchost.exe 1 2->13         started        15 2 other processes 2->15 signatures3 process4 dnsIp5 17 regsvr32.exe 5 8->17         started        20 cmd.exe 1 8->20         started        22 rundll32.exe 8->22         started        24 2 other processes 8->24 38 127.0.0.1 unknown unknown 10->38 40 192.168.2.1 unknown unknown 13->40 process6 signatures7 44 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->44 26 regsvr32.exe 17->26         started        30 rundll32.exe 20->30         started        process8 dnsIp9 42 68.183.91.111, 49747, 8080 DIGITALOCEAN-ASNUS United States 26->42 54 System process connects to network (likely due to code injection or exploit) 26->54 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/376166ef80c5d8c1a77c5130be59a734854441e60da1c36de67923f13052a641/
Threat name:
Win64.Trojan.Emotetcrypt
Create hunting rule
Status:
Malicious
First seen:
2022-04-24 02:21:12 UTC
File Type:
PE+ (Dll)
Extracted files:
53
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g5qwn34ayxmmdj34keyl4wnhgscuiqpgbwq4g3pgper7cmcsuzaq._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
Similar samples:
297a118a1bc6946255fdb5ec70c5faa2717704a8ad1a439afa581606e3ae7c46
Heodo
3a899e08d8a76177b05b5215f9456b4466f14339a769392bd6dc0097b19517fd
Heodo
488e8dbf0995e031bc860660d90b9a79d99e05bbad2e9ae0764ca52bceffb640
Heodo
5ff2d65fadd7bdd9e8d23c1ce0a5de1a0fb96404f6171d4f2540ac6f8f2442fa
Heodo
71caab2fff56d8dc829f428f14d891eb6ee45185def0b0884a4af0216424ed38
Heodo
738109c172d12f55a5596101b07ff0a8200729a0c5c4170521656eae14cbd1b5
Heodo
8dea6adacdf2dc133a1891adbd5ad6399b684920406591092051d20a23b1d637
Heodo
b63af8852e719d6f55bce0bcd53553a2da3302a38c256b739b063f2ef3a3463e
Heodo
e8fd95df28832bddcb69c2686d82119e86e2e3b2ec72224351f713f9167d01a5
Heodo
ed34d9abab9b05ea1163f4b2e73c3afe60d84293fe7cc04aaf95775332bf8222
Heodo
+ 224 additional samples on MalwareBazaar
Result
Malware family:
emotet
Create hunting rule
Score:
  10/10
Tags:
family:emotet botnet:epoch5 banker trojan
Link:
https://tria.ge/reports/220424-cs1ajafff5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
Emotet
Malware Config
C2 Extraction:
68.183.91.111:8080
164.52.194.45:8080
202.29.239.162:443
54.38.143.246:7080
54.37.106.167:8080
185.148.168.220:8080
196.44.98.190:8080
175.126.176.79:8080
207.148.81.119:8080
37.59.209.141:8080
103.42.58.120:7080
54.37.228.122:443
68.183.93.250:443
66.42.57.149:443
45.71.195.104:8080
78.47.204.80:443
128.199.192.135:8080
195.154.146.35:443
118.98.72.86:443
116.124.128.206:8080
190.90.233.66:443
78.46.73.125:443
210.57.209.142:8080
203.153.216.46:443
103.82.248.59:7080
217.182.143.207:443
159.69.237.188:443
85.214.67.203:8080
194.9.172.107:8080
104.131.62.48:8080
51.68.141.164:8080
93.104.209.107:8080
103.41.204.169:8080
103.56.149.105:8080
103.133.214.242:8080
5.56.132.177:8080
59.148.253.194:443
85.25.120.45:8080
62.171.178.147:8080
37.44.244.177:8080
36.67.23.59:443
87.106.97.83:7080
54.38.242.185:443
139.196.72.155:8080
88.217.172.165:8080
202.28.34.99:8080
202.134.4.210:7080
195.77.239.39:8080
Unpacked files
SH256 hash:
376166ef80c5d8c1a77c5130be59a734854441e60da1c36de67923f13052a641
MD5 hash:
4b670f1f0792e1bd4f3440bf272425a0
SHA1 hash:
02d8fa8af819cf0d4a84a63a9f572a211df4f429
Link:
https://www.unpac.me/results/172a951e-38ff-4c9c-86af-d2d4b5d082a6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/376166ef80c5d8c1a77c5130be59a734854441e60da1c36de67923f13052a641

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win64_emotet_unpacked
Create hunting rule
Rule name:myGozi
Create hunting rule
Rule name:pdb2
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Heodo

Executable exe 376166ef80c5d8c1a77c5130be59a734854441e60da1c36de67923f13052a641

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2160228/
Cape
Cape
https://www.capesandbox.com/analysis/266138/

Comments


Avatar
zbet commented on 2022-04-24 02:20:24 UTC

url : hxxp://baykusoglu.com.tr/wp-admin/Y3sRBcOfZ34wg2sO/