MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ef5c3a3663f87c4ea1ba982fec90b6e96c67d35ace85cb399223def5ad940e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 6

Intelligence 6 IOCs YARA 3 File information Comments

SHA256 hash:	4ef5c3a3663f87c4ea1ba982fec90b6e96c67d35ace85cb399223def5ad940e4
SHA3-384 hash:	dcd93bb3670a372850d77a3c8fb3a09ab3a1a9e90c78c1eee56f470d1a1f4af5878d789528df208013afeacd490625a1
SHA1 hash:	af2b95eee83b781815ced84f7ad63677448cf1e1
MD5 hash:	40554374e689d07589cfd35d73fa0f17
humanhash:	september-mexico-princess-foxtrot
File name:	dc0ffef526ff25c29863d8182c653dd5
Download:	download sample
Signature	Heodo Create hunting rule
File size:	453'120 bytes
First seen:	2020-11-17 15:42:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b9a828eedab63fed364da587e7a28d45 (72 x Heodo)
ssdeep	12288:vQXSckm7FjteU1EPOOgP8Dqz1QyUrdFQ:vQCcpFJnfwqpVgQ
TLSH	F1A4D02032E0C073C167213548EA97B4B676BE719F758647B7903B2E5E316E28E35B4B
Reporter	seifreed
Tags:	Emotet Heodo

Intelligence

File Origin

# of uploads :

# of downloads :

115

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Malware.Emotet-9778548-0

Win.Malware.Emotet-9778556-0

Win.Malware.Emotet-9778558-0

Win.Malware.Emotet-9778592-0

Win.Dropper.Generickdz-9780194-0

Win.Packed.Emotet-9790742-0

Win.Packed.Emotet-9790818-0

PUA.Win.Downloader.Firseria-6804617-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4ef5c3a3663f87c4ea1ba982fec90b6e96c67d35ace85cb399223def5ad940e4/

Threat name:

Win32.Trojan.Emotet

Status:

Malicious

First seen:

2020-11-17 15:48:03 UTC

AV detection:

37 of 48 (77.08%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=j324hi3gh6d4j2q3vgbp5siln2lmm7jvvtufzm4zei666wwzidsa._file

Unpacked files

SH256 hash:

4ef5c3a3663f87c4ea1ba982fec90b6e96c67d35ace85cb399223def5ad940e4

MD5 hash:

40554374e689d07589cfd35d73fa0f17

SHA1 hash:

af2b95eee83b781815ced84f7ad63677448cf1e1

Link:

https://www.unpac.me/results/6ffcf352-3c74-4222-a79b-4b50c8d92781/

SH256 hash:

237591f6dbeeb4e32c0d48134d7b68084a3c726a5a1ae58db8f8792d6fd1934d

MD5 hash:

9b9a13e0ce01aafd056c998a9fe3ba84

SHA1 hash:

38839ab0ab5ede4e3958e51b06bbd4dffd0e0dd5

Detections:

win_emotet_a2

win_emotet_auto

Link:

https://www.unpac.me/results/6ffcf352-3c74-4222-a79b-4b50c8d92781/

Parent samples :

d3a2d71b5190821f62ef62fd979e912e2395d8a5479f3104e7d125bfe14b4bb6
10449d9f3477978a9d555830305c817236b1125e29aba6730da8beecdacb0c33
781513560e150a34900e159fdfe643318c01fe34092de7dcc17f914a10b4bdf0
ca0f36d76eec62d8c02d69d5179c4c020cb9cfffd7011a99bfcb4f96bb128284
921c4ef625983795752ebc521764493664bf4563a6a7c817dbf71770f9873d48
b2c45406e0ae8695243a6e9a3297e1fa75b7bcd7054df458a29589ae4174a7d5
ce6b0653be744290b8ff7015662c06ff40ee7bbd76e78599c542b0d15bc9086d
afae098712ab4ca062645cdd8f9128a7c42c78b4147981ef44ad81266ed9bd97
7af217fd37fb58df024554c56d30042f1d09b67271bf6008819159cd8522bfaf
f747d72e90e27e2313325632a2a0c808e4020435d6b19432c576710a504a28e1
082d76d67d692a3eefa108f466b5b2cb647228f33888fb91e6a80f5c364afd9a
29055d7a058f2325fc9deba2f9b63ecbc37dc29436bd9a9b516eff746e0f1961
51457c20ae7b189934a79db83af9dd6ec015847e1f63ae960853067a78cb69b5
d7c4513b618eb8960020de6c2c4919c11a496232448c56aad15fd2f441736ff3
290af1bb273389153752dbafbfbe518be5c7233d39deac149583c718a7ceec47
76fb6f2452f1df499bb16e8cf4cb9d1e8409feb95b77df739db963b444560091
08e81ff5ab127e89ea6f9613fa2d0a92dbd1fbda7f32dccd3d5486b9f265460a
f224e6ecd9a251ad3674a5d8eb63428a67e9d5412f9e5a600e7e17f7f7b72a45
119b975ea6fde9731328437d1f1f4c5f7ea7d8d1b5e91bc2409c85467ac50d70
a79c9a62297e5696f7aafb3c4627ada368a99cfc57bf5f3a49019ac45a595271
6409a0cc171844d8346fdece2d5078c767d9f5e4f71ab0f7d92dd3c9c7fc04d6
9bd5b879a08ce4ac1be24cfdc4e0d1eea2041a0d3cfd0c13c6d54a103b743907
4ef5c3a3663f87c4ea1ba982fec90b6e96c67d35ace85cb399223def5ad940e4

SH256 hash:

7f56c4d26878a511829675b1dfab8395c8e9c7998b07c8d3c016214b282552a1

MD5 hash:

ccc996c33549143bb01e14b0d93b69d5

SHA1 hash:

adf5a2cfe29a62717c50f3fb549c6607b0181ad1

Detections:

win_emotet_a2

win_emotet_auto

Link:

https://www.unpac.me/results/6ffcf352-3c74-4222-a79b-4b50c8d92781/

Parent samples :

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	Win32_Trojan_Emotet Create hunting rule
Author:	ReversingLabs
Description:	Yara rule that detects Emotet trojan.

Rule name:	win_emotet_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample