MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44afde2a64b07e30560974ddcd71b80ac1cc2c23ad03611b3eb62482568e7c87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	44afde2a64b07e30560974ddcd71b80ac1cc2c23ad03611b3eb62482568e7c87
SHA3-384 hash:	3975efaf9610b1a66983e5d84224feef348000834278afbc0d2746eda43ff742a9267e4881afb8d8e34d677b5721d23a
SHA1 hash:	8d37dcf97ee34334720e463c1755f8b93aab6770
MD5 hash:	a465ed53f399676c102178196831c584
humanhash:	maryland-wisconsin-summer-august
File name:	44afde2a64b07e30560974ddcd71b80ac1cc2c23ad03611b3eb62482568e7c87
Download:	download sample
Signature	Heodo Create hunting rule
File size:	180'224 bytes
First seen:	2020-11-10 11:20:43 UTC
Last seen:	2024-07-24 13:39:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	6c9c8f23ce71425b6f969f0805741369 (29 x Heodo)
ssdeep	3072:n/m2qIL9C/sjzaWhT+F2TpIJRkEaGTBvSWAQEvOQ1:n/JqIL8/ET+kT8Rb0o
TLSH	5504BFD27B489571E47BEE75ACB5AA58A23AFCB44F20D04B22903E9E9C73781D530707
Reporter	seifreed
Tags:	Emotet Heodo

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.Generic-9761329-0

Win.Packed.Generic-9761669-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Connection attempt

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/44afde2a64b07e30560974ddcd71b80ac1cc2c23ad03611b3eb62482568e7c87/

Threat name:

Win32.Trojan.Emotet

Status:

Malicious

First seen:

2020-11-10 11:23:44 UTC

AV detection:

30 of 48 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=isx54ktewb7davqjoto424nybla4ylbdvubwcgz6wysievuopsdq._file

Result

Malware family:

emotet

Score:

10/10

Tags:

family:emotet botnet:epoch2 banker trojan

Link:

https://tria.ge/reports/201110-hsy67k8xn6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Emotet Payload

Emotet

Malware Config

C2 Extraction:

75.80.124.4:80
134.209.36.254:8080
104.156.59.7:8080
120.138.30.150:8080
107.5.122.110:80
195.251.213.56:80
91.211.88.52:7080
79.98.24.39:8080
75.139.38.211:80
82.225.49.121:80
162.241.242.173:8080
94.1.108.190:443
85.105.205.77:8080
181.169.34.190:80
24.179.13.119:80
139.59.67.118:443
82.80.155.43:80
50.91.114.38:80
93.147.212.206:80
153.232.188.106:80
46.105.131.79:8080
42.200.107.142:80
61.92.17.12:80
140.186.212.146:80
78.24.219.147:8080
87.106.139.101:8080
188.219.31.12:80
104.131.11.150:443
62.30.7.67:443
201.173.217.124:443
203.153.216.189:7080
172.91.208.86:80
5.39.91.110:7080
94.200.114.161:80
95.179.229.244:8080
157.245.99.39:8080
174.102.48.180:443
104.32.141.43:80
24.137.76.62:80
74.208.45.104:8080
185.94.252.104:443
220.245.198.194:80
153.177.101.120:443
37.139.21.175:8080
200.114.213.233:8080
84.39.182.7:80
109.74.5.95:8080
194.187.133.160:443
120.150.60.189:80
156.155.166.221:80
110.145.77.103:80
5.196.74.210:8080
95.213.236.64:8080
103.86.49.11:8080
94.23.216.33:80
139.59.60.244:8080
219.74.18.66:443
62.75.141.82:80
61.19.246.238:443
24.43.99.75:80
174.45.13.118:80
121.7.127.163:80
78.187.156.31:80
50.35.17.13:80
79.137.83.50:443
139.130.242.43:80
74.134.41.124:80
37.187.72.193:8080
110.5.16.198:80
124.41.215.226:80
89.216.122.92:80
200.123.150.89:443
97.82.79.83:80
139.99.158.11:443
104.236.246.93:8080
169.239.182.217:8080
203.117.253.142:80
85.152.162.105:80
168.235.67.138:7080
104.131.44.150:8080
83.169.36.251:8080
87.106.136.232:8080
121.124.124.40:7080
187.161.206.24:80
137.119.36.33:80
209.141.54.221:8080
94.23.237.171:443
213.196.135.145:80
1.221.254.82:80
176.111.60.55:8080
68.188.112.97:80
47.144.21.12:443
137.59.187.107:8080
139.162.108.71:8080
74.120.55.163:80

Unpacked files

SH256 hash:

44afde2a64b07e30560974ddcd71b80ac1cc2c23ad03611b3eb62482568e7c87

MD5 hash:

a465ed53f399676c102178196831c584

SHA1 hash:

8d37dcf97ee34334720e463c1755f8b93aab6770

Link:

https://www.unpac.me/results/fc1a8dbe-6065-4c3d-accb-7599a10859c5/

SH256 hash:

90485e67e2c1999dd6cfa067be25669e731f9343af357410bc070a3e3ed4cdfe

MD5 hash:

e1b3413b004714b6ff1869cf51607b7e

SHA1 hash:

0af3b9e9ad7dea6534378df2c3fff27981fed3ec

Detections:

win_emotet_a2

win_emotet_auto

Link:

https://www.unpac.me/results/fc1a8dbe-6065-4c3d-accb-7599a10859c5/

Parent samples :

c7a0860ee664eaeab54ab9ab75017dfab8a44a175ec69008ccd1ca9f59662371
9e7a917c10eebffc6b4fdc7d356017fadd2723841b8e184f65864a1c45a27c46
f287d12d151a7405ea088f87e08816aacccde00f8545117ae947ac907a29a82d
042d119b38d7de0c8e67b3439ef1be53aa7e7e177991f6def874f33cd6855e1e
44afde2a64b07e30560974ddcd71b80ac1cc2c23ad03611b3eb62482568e7c87
0835278865ced6ce9cc09287f5f3b02d8e53afd8aedcee1067245778df01f0c4
40e7b38d478f950088705cd95e218c758baf3b2fd3a8b6cacf48695939bca271
b4c7b003dee75e3b75cb0160bd7bc897daa76ce088fc192cd10bea62eba1c160
36933bf00dd8d9640272c1d2efa951bb15ab02dc927b7378e81dbe070358363e
51430227c7c12c3e2125f025fe72475b925610e2091829b667d153caeddc27b6
96249e4dcc867688aa8473856262e89012dbdf8a5f67d1975a4e8995fd8ff69e

SH256 hash:

4eb270c00658e4a5996bfdca97b0a27390217a0c12985f94934e14f7e8a22dc2

MD5 hash:

ddb76c99a5cbd03c899b8fd87e39e416

SHA1 hash:

58ec4d88abd81a01b79717585c677825ba97b594

Detections:

win_emotet_a2

win_emotet_auto

Link:

https://www.unpac.me/results/fc1a8dbe-6065-4c3d-accb-7599a10859c5/

Parent samples :

44afde2a64b07e30560974ddcd71b80ac1cc2c23ad03611b3eb62482568e7c87
96249e4dcc867688aa8473856262e89012dbdf8a5f67d1975a4e8995fd8ff69e

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	win_emotet_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample