MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45171981ac23dcb7e90dd9a3ce07415720be92815bcd2ccfe51e716d736eab3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45171981ac23dcb7e90dd9a3ce07415720be92815bcd2ccfe51e716d736eab3e
SHA3-384 hash: 0e6e5759f3943399ecbc3953047289532e81416b6daf87ba9676505ad5ab81e86bca69bade1ee40aee84ff1b55239cbc
SHA1 hash: a8495760f9910e89d63a96498da1b9f61652b8da
MD5 hash: ad3d0b53f8eb6b05ee9623b16a7e0f30
humanhash: cup-failed-wisconsin-kansas
File name:agreement-inovice.pdf.lnk
Download: download sample
Signature Heodo
Create hunting rule
File size:2'974 bytes
First seen:2026-06-10 10:38:47 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 48:8EOWQ576M/xwa1yTATSd08XuH+cyDCK1CCXv3yNYYk:8EBQ5763aUTATBGuevDrv4YY
TLSH T1BA512F562AED1330E37A8D7788F696518533BC6AED664B1E01840BCC2C53601EC31F7B
Magika lnk
Reporter smica83
Tags:Emotet Heodo lnk

Intelligence

File Origin
# of uploads :
1
# of downloads :
62
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
LNK
Details
Link:
https://research.acce.ciphertechsolutions.com/results/3bb9e41d-b4ee-4c6c-9c70-96171ac019ae/
Detection(s):
Sanesecurity.Malware.27118.LnkHeur.UNOFFICIAL
Create hunting rule

Lnk.Downloader.HTAAgent-9989400-0
Create hunting rule

TwinWave.EmoIllFollowYouIntoTheDarkOrAtLeastIntoLNK.M2.20220425.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.OddLook.202207213.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.HTTPDottedQuadPolicykill.20220908.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.OddLook.20221214.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.KingForADayDownloaders.20231121.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.SilverChairs4SilverBacks.20221114.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a293eec34eaf30d8ce4770a
Tags:
dropper virus sage
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cmd lolbin masquerade opendir
Link:
https://www.filescan.io/uploads/6a293ee7bf16337e43bfb8d3/reports/c3879983-0e40-45b7-a70c-733c48173979/overview
Verdict:
Malicious
Labled as:
Exploit.Lnk
Link:
https://www.hybrid-analysis.com/sample/45171981ac23dcb7e90dd9a3ce07415720be92815bcd2ccfe51e716d736eab3e
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1925766
Signature
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Curl Download And Execute Combination
Uses an obfuscated file name to hide its real file extension (double extension)
Uses known network protocols on non-standard ports
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Behaviour
Behavior Graph:
Download SVG
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/45171981ac23dcb7e90dd9a3ce07415720be92815bcd2ccfe51e716d736eab3e/
Threat name:
Shortcut.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-06-09 12:57:45 UTC
File Type:
Binary
AV detection:
9 of 36 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iulrtanmepolp2in3gr44b2bk4ql5eublpgszt7fdzyw243ovm7a._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/260610-mp9pxaaw8j/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/45171981ac23dcb7e90dd9a3ce07415720be92815bcd2ccfe51e716d736eab3e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Download_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies download artefacts in shortcut (LNK) files.
Rule name:Execution_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies execution artefacts in shortcut (LNK) files.
Rule name:LNK_sospechosos
Create hunting rule
Author:Germán Fernández
Description:Detecta archivos .lnk sospechosos
Rule name:Script_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies scripting artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_CMD
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to cmd.exe inside an lnk file, which is suspicious

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Heodo

Shortcut (lnk) lnk 45171981ac23dcb7e90dd9a3ce07415720be92815bcd2ccfe51e716d736eab3e

(this sample)

Executable exe f172d154f601af56ada841bef80e738f3e528cd5a5fc5f4b84260160d46a1ceb

  
Dropping
SHA256 f172d154f601af56ada841bef80e738f3e528cd5a5fc5f4b84260160d46a1ceb
  
Dropping
MD5 e5a05d4f738bd8a98689fb9fd847ce37

Comments