MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a5ec053204b21e28188b063f08ddf25d8f178d9741a6d8ba557f8be832f129e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a5ec053204b21e28188b063f08ddf25d8f178d9741a6d8ba557f8be832f129e
SHA3-384 hash: 2abd6b70de8e713cd6a59e560d668ea11b842c80029785a349d406a2413147cb8c728ce919e1e188793931b3ef2ddb28
SHA1 hash: 017f801e6d7580ce4420baefcb5014f00519b64b
MD5 hash: 83cac99e2fd8eb7a0d1716a96a1ef94e
humanhash: hotel-high-ack-mountain
File name:emotet_exe_e2_3a5ec053204b21e28188b063f08ddf25d8f178d9741a6d8ba557f8be832f129e_2021-01-20__104348.exe
Download: download sample
Signature Heodo
Create hunting rule
File size:350'552 bytes
First seen:2021-01-20 10:43:52 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash af263152594d80bd9c18d0a70e4d94ec (26 x Heodo)
ssdeep 3072:X/GZgCBD0JqvjYGRKbGUUtvAMdg6Ygpr7kL2LWsFzMFruztyr1Bg:vGSkDgqvPRKib6+g8rtLWFcEpK
Threatray 240 similar samples on MalwareBazaar
TLSH 2474ADEAB8FBA455C78DE6716BD52DB6A9334F73028EA1313F502ACD03935CC2AD2541
Reporter Cryptolaemus1
Tags:Emotet epoch2 exe Heodo

Code Signing Certificate

Organisation:FRVFMPRLNIMAMSUIMT
Issuer:FRVFMPRLNIMAMSUIMT
Algorithm:sha1WithRSA
Valid from:Jan 18 11:37:09 2021 GMT
Valid to:Dec 31 23:59:59 2039 GMT
Serial number: -675FB15FA1756B65B277F2FEC986B20D
Intelligence: 6 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: EAFE1C9E2CD2D33CEB4D7FAF3AE5B5434C75869B93896F8163076CD03B3B9A11
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
Cryptolaemus1
Emotet epoch2 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/113049/
Detection(s):
SecuriteInfo.com.BScope.Trojan.Chanitor.13422.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Connection attempt
Sending an HTTP POST request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3a5ec053204b21e28188b063f08ddf25d8f178d9741a6d8ba557f8be832f129e/
Threat name:
Win32.Trojan.EmotetCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-01-20 10:44:07 UTC
File Type:
PE (Dll)
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hjpmauzajmq6famiwbr7bdo7exmpc6gzoqng3c5fk74l5azpckpa._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
Similar samples:
037143220c32fd581f41b3482b8e8b0e6b9e3eeb92d6ff5f87499b7af1d2fac7
Heodo
0fc2bd6c36ebf467b2be07937840c74feb36ea30bdd8a1974bb649b4c963d864
Heodo
307ca3ed1dc0600ff059947ec050b510ae5b2a51ddd307abd791b3fc99b83d1e
Heodo
3f2eac9d8623f529318d7e748517b6b8180c759ae2b22c4b65dae314873a30c2
Heodo
696410ae0652a74ab95af0a965d5f72bd96986f12872b0191aa64f294e677131
Heodo
83198be4669f5283f38179838cf092c6200efb9e487d26544d7655347c00d091
Heodo
9e5fff4db7bf61fcc2c9fa976883fcaeaeae0ff5c3c3e0bb8fc4a0e6a8e67d19
Heodo
aa3a402496061e154d3ff37896727c38a9d06bcf85a5954f8ba553cbdc21c9a1
Heodo
ab674578eade52588b33cdbc21dbfdcb420a55c527422285ee43634d7edfc256
Heodo
cdb34f43d85a8a663d7e1d21b250a81c905a4101e4736fc27fa36bafa35121c8
Heodo
+ 230 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210120-6kfpldmya6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Unpacked files
SH256 hash:
1a386b0367efd575f7e51126910cac97a7747bd51d4a42d815706e7eceb85f71
MD5 hash:
ac802ddf89ba088df81bd959e4e55f9e
SHA1 hash:
c6906bb581b0ecc99b7e74c67996ebf6d16087a4
Detections:
win_emotet_a2
Create hunting rule
Link:
https://www.unpac.me/results/2a6a60f5-3cce-4d76-8ef7-ce656635655f/
Parent samples :
3f2eac9d8623f529318d7e748517b6b8180c759ae2b22c4b65dae314873a30c2
3a5ec053204b21e28188b063f08ddf25d8f178d9741a6d8ba557f8be832f129e
ab674578eade52588b33cdbc21dbfdcb420a55c527422285ee43634d7edfc256
696410ae0652a74ab95af0a965d5f72bd96986f12872b0191aa64f294e677131
307ca3ed1dc0600ff059947ec050b510ae5b2a51ddd307abd791b3fc99b83d1e
a94583bbbe3f7ca9993305896e49c8e76e498ba618e27930282327bdd793bc5a
0b8ad413449454dd85f7a79c7600387658fb0e3e5b1b5ad8ab7119175551f819
SH256 hash:
3a5ec053204b21e28188b063f08ddf25d8f178d9741a6d8ba557f8be832f129e
MD5 hash:
83cac99e2fd8eb7a0d1716a96a1ef94e
SHA1 hash:
017f801e6d7580ce4420baefcb5014f00519b64b
Link:
https://www.unpac.me/results/2a6a60f5-3cce-4d76-8ef7-ce656635655f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Locky
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3a5ec053204b21e28188b063f08ddf25d8f178d9741a6d8ba557f8be832f129e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_emotet_a2
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/113049/

Comments