MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ba51d1b588084107221072d294bf51f863dac279d940254c420f3140caf02c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 3


Intelligence 3 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ba51d1b588084107221072d294bf51f863dac279d940254c420f3140caf02c5
SHA3-384 hash: 5359efe9df47a14ca7356a2dceae8045e47ff80a05f4020d54415a4bc6095cf473cb6d331890b3d34030fec1432c794b
SHA1 hash: ff824f97c9f7c187ee3a699499ba6744c54c91fb
MD5 hash: 5033d7e35a2c49d98ab1412ac480fe80
humanhash: steak-washington-kansas-island
File name:3ba51d1b588084107221072d294bf51f863dac279d940254c420f3140caf02c5
Download: download sample
Signature Heodo
Create hunting rule
File size:115'033 bytes
First seen:2020-03-23 16:56:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1df7572c6cf3efa6ad8316c79e646710 (1 x Heodo)
ssdeep 1536:EKa8RxGrBqq8IBn5hf3LP+wzvuxaIqGTuuwvHikkHChLgJ48oiuhNoB8EQVK8FMl:S60CwzvuxaId6thElOeTQM8FMaJp2v
Threatray 43 similar samples on MalwareBazaar
TLSH F7B3E02267FE1E02FC2256300791A6B459BF7E37DF308587E940B52E1939B528EBA705
Reporter Marco_Ramilli
Tags:Emotet exe Heodo

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Emotet
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Emotet in memory
Reference:internal research
Rule name:MAL_Emotet_Jan20_1
Create hunting rule
Author:Florian Roth
Description:Detects Emotet malware
Reference:https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Rule name:win_emotet_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Heodo

Executable exe 3ba51d1b588084107221072d294bf51f863dac279d940254c420f3140caf02c5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/254764/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::SetFileSecurityW
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA

Comments