MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40e7b38d478f950088705cd95e218c758baf3b2fd3a8b6cacf48695939bca271. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	40e7b38d478f950088705cd95e218c758baf3b2fd3a8b6cacf48695939bca271
SHA3-384 hash:	80ccb5f802cf2676712a587a8ccac9b5e185e245203f050ab396c12ae9c7abfe9acc92864ac43c5d7e0ada17735d4ab5
SHA1 hash:	e2e3f757fc3fa4b4ba40c67253470292ff37a3fd
MD5 hash:	e6ef939c29581e72bec8a1e971ff42b4
humanhash:	shade-xray-earth-triple
File name:	40e7b38d478f950088705cd95e218c758baf3b2fd3a8b6cacf48695939bca271
Download:	download sample
Signature	Heodo Create hunting rule
File size:	106'615 bytes
First seen:	2020-11-13 15:26:37 UTC
Last seen:	2024-07-24 13:30:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	51dab3435ef06bd62833bbece05abee1 (103 x Heodo)
ssdeep	3072:q6WBHI7B7Yyw+SGXAhG3qzJL/lqf1TY6ZQ:7EHIN7w+NtfxYd
TLSH	21A3D032FFE14D48E492CA3F89B90A6D1E32F4E728A19527538C3D1C9D3BA05D96271D
Reporter	seifreed
Tags:	Emotet Heodo

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.Generic-9762013-0

Win.Trojan.Variadic-9762514-0

Win.Keylogger.Emotet-9762922-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Connection attempt

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/40e7b38d478f950088705cd95e218c758baf3b2fd3a8b6cacf48695939bca271/

Threat name:

Win32.Trojan.Emotet

Status:

Malicious

First seen:

2020-11-13 15:29:18 UTC

AV detection:

33 of 48 (68.75%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=idt3hdkhr6kqbcdqltmv4immowf26ozp2oulnswpjbuvson4ujyq._file

Result

Malware family:

emotet

Score:

10/10

Tags:

family:emotet botnet:epoch2 banker trojan

Link:

https://tria.ge/reports/201113-6c6rxsal4e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Emotet Payload

Emotet

Malware Config

C2 Extraction:

75.80.124.4:80
134.209.36.254:8080
104.156.59.7:8080
120.138.30.150:8080
107.5.122.110:80
195.251.213.56:80
91.211.88.52:7080
79.98.24.39:8080
75.139.38.211:80
82.225.49.121:80
162.241.242.173:8080
94.1.108.190:443
85.105.205.77:8080
181.169.34.190:80
24.179.13.119:80
139.59.67.118:443
82.80.155.43:80
50.91.114.38:80
93.147.212.206:80
153.232.188.106:80
46.105.131.79:8080
42.200.107.142:80
61.92.17.12:80
140.186.212.146:80
78.24.219.147:8080
87.106.139.101:8080
188.219.31.12:80
104.131.11.150:443
62.30.7.67:443
201.173.217.124:443
203.153.216.189:7080
172.91.208.86:80
5.39.91.110:7080
94.200.114.161:80
95.179.229.244:8080
157.245.99.39:8080
174.102.48.180:443
104.32.141.43:80
24.137.76.62:80
74.208.45.104:8080
185.94.252.104:443
220.245.198.194:80
153.177.101.120:443
37.139.21.175:8080
200.114.213.233:8080
84.39.182.7:80
109.74.5.95:8080
194.187.133.160:443
120.150.60.189:80
156.155.166.221:80
110.145.77.103:80
5.196.74.210:8080
95.213.236.64:8080
103.86.49.11:8080
94.23.216.33:80
139.59.60.244:8080
219.74.18.66:443
62.75.141.82:80
61.19.246.238:443
24.43.99.75:80
174.45.13.118:80
121.7.127.163:80
78.187.156.31:80
50.35.17.13:80
79.137.83.50:443
139.130.242.43:80
74.134.41.124:80
37.187.72.193:8080
110.5.16.198:80
124.41.215.226:80
89.216.122.92:80
200.123.150.89:443
97.82.79.83:80
139.99.158.11:443
104.236.246.93:8080
169.239.182.217:8080
203.117.253.142:80
85.152.162.105:80
168.235.67.138:7080
104.131.44.150:8080
83.169.36.251:8080
87.106.136.232:8080
121.124.124.40:7080
187.161.206.24:80
137.119.36.33:80
209.141.54.221:8080
94.23.237.171:443
213.196.135.145:80
1.221.254.82:80
176.111.60.55:8080
68.188.112.97:80
47.144.21.12:443
137.59.187.107:8080
139.162.108.71:8080
74.120.55.163:80

Unpacked files

SH256 hash:

40e7b38d478f950088705cd95e218c758baf3b2fd3a8b6cacf48695939bca271

MD5 hash:

e6ef939c29581e72bec8a1e971ff42b4

SHA1 hash:

e2e3f757fc3fa4b4ba40c67253470292ff37a3fd

Link:

https://www.unpac.me/results/955d8a96-94c0-4ee0-9603-0ab7dd01a496/

SH256 hash:

90485e67e2c1999dd6cfa067be25669e731f9343af357410bc070a3e3ed4cdfe

MD5 hash:

e1b3413b004714b6ff1869cf51607b7e

SHA1 hash:

0af3b9e9ad7dea6534378df2c3fff27981fed3ec

Detections:

win_emotet_a2

win_emotet_auto

Link:

https://www.unpac.me/results/955d8a96-94c0-4ee0-9603-0ab7dd01a496/

Parent samples :

c7a0860ee664eaeab54ab9ab75017dfab8a44a175ec69008ccd1ca9f59662371
9e7a917c10eebffc6b4fdc7d356017fadd2723841b8e184f65864a1c45a27c46
f287d12d151a7405ea088f87e08816aacccde00f8545117ae947ac907a29a82d
042d119b38d7de0c8e67b3439ef1be53aa7e7e177991f6def874f33cd6855e1e
44afde2a64b07e30560974ddcd71b80ac1cc2c23ad03611b3eb62482568e7c87
0835278865ced6ce9cc09287f5f3b02d8e53afd8aedcee1067245778df01f0c4
40e7b38d478f950088705cd95e218c758baf3b2fd3a8b6cacf48695939bca271
b4c7b003dee75e3b75cb0160bd7bc897daa76ce088fc192cd10bea62eba1c160
36933bf00dd8d9640272c1d2efa951bb15ab02dc927b7378e81dbe070358363e
51430227c7c12c3e2125f025fe72475b925610e2091829b667d153caeddc27b6
96249e4dcc867688aa8473856262e89012dbdf8a5f67d1975a4e8995fd8ff69e

SH256 hash:

553311771d14cf3f5a430ed3ea423591edfd610a94ae42fc0b683269b10c1335

MD5 hash:

b5d5292340bef6a96837200d8182ff85

SHA1 hash:

54bfcb41b0111b0a7906adedfdaf60a6edad4306

Detections:

win_emotet_a2

win_emotet_auto

Link:

https://www.unpac.me/results/955d8a96-94c0-4ee0-9603-0ab7dd01a496/

Parent samples :

c7a0860ee664eaeab54ab9ab75017dfab8a44a175ec69008ccd1ca9f59662371
9e7a917c10eebffc6b4fdc7d356017fadd2723841b8e184f65864a1c45a27c46
f287d12d151a7405ea088f87e08816aacccde00f8545117ae947ac907a29a82d
042d119b38d7de0c8e67b3439ef1be53aa7e7e177991f6def874f33cd6855e1e
0835278865ced6ce9cc09287f5f3b02d8e53afd8aedcee1067245778df01f0c4
40e7b38d478f950088705cd95e218c758baf3b2fd3a8b6cacf48695939bca271
b4c7b003dee75e3b75cb0160bd7bc897daa76ce088fc192cd10bea62eba1c160
36933bf00dd8d9640272c1d2efa951bb15ab02dc927b7378e81dbe070358363e
51430227c7c12c3e2125f025fe72475b925610e2091829b667d153caeddc27b6

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Emotet

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/40e7b38d478f950088705cd95e218c758baf3b2fd3a8b6cacf48695939bca271

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	win_emotet_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample