MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f6d56d20e25b1bbe5395a63e58d46bccdbb08ffeb756dba18b9d30811dd2b29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f6d56d20e25b1bbe5395a63e58d46bccdbb08ffeb756dba18b9d30811dd2b29
SHA3-384 hash: 507e3706989bafbb66b49a717357abd2572d8a0618b911197adf5225cf8f9130a8eb7c38f7d9a15c732d6938db5babdf
SHA1 hash: e27425115470648445649668a01d4dc814aff6b1
MD5 hash: cb9af885381d262eb625537ebc43931e
humanhash: may-lemon-six-purple
File name:IMG_05_61_038_112.scr
Download: download sample
Signature Heodo
Create hunting rule
File size:381'952 bytes
First seen:2021-07-03 06:01:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:gdEOCtVzWvwtcxLqNKEXO5uW2qSHodFuCYYZOtEiyOBuqi5sab1Ex9pxgwDEmNrd:kEFVzMFEfXouWOHodF2YCEDChSrb1Ex5
TLSH 27841298B818F423C23745769CE3F2053B7A9E0D2943D78BAC4C7A8F06F6BD58681217
Reporter abuse_ch
Tags:Emotet exe Heodo scr

Intelligence

File Origin
# of uploads :
1
# of downloads :
752
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IMG_05_61_038_112.scr
Verdict:
Suspicious activity
Analysis date:
2021-07-03 06:05:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bcdb85f9-5168-4ebd-956f-067a08991b5f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/169450/
Detection(s):
SecuriteInfo.com.Variant.Bulz.541197.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2eeda2be-8fa7-4a8a-94ea-34817f02abe8
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/811336
Signature
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 443747 Sample: IMG_05_61_038_112.scr Startdate: 03/07/2021 Architecture: WINDOWS Score: 100 37 netjul.xyz 2->37 39 checkip.dyndns.org 2->39 41 2 other IPs or domains 2->41 63 Found malware configuration 2->63 65 Multi AV Scanner detection for dropped file 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 7 other signatures 2->69 7 IMG_05_61_038_112.exe 1 7 2->7         started        11 sgobs.exe 5 2->11         started        13 sgobs.exe 2 2->13         started        signatures3 process4 file5 25 C:\Users\user\AppData\Roaming\...\sgobs.exe, PE32 7->25 dropped 27 C:\Users\user\...\IMG_05_61_038_112.exe, PE32 7->27 dropped 29 C:\Users\user\...\sgobs.exe:Zone.Identifier, ASCII 7->29 dropped 35 2 other malicious files 7->35 dropped 71 Writes to foreign memory regions 7->71 73 Injects a PE file into a foreign processes 7->73 15 IMG_05_61_038_112.exe 15 2 7->15         started        31 C:\Users\user\AppData\Local\Temp\sgobs.exe, PE32 11->31 dropped 33 C:\Users\user\...\sgobs.exe:Zone.Identifier, ASCII 11->33 dropped 19 sgobs.exe 11->19         started        21 sgobs.exe 14 2 11->21         started        23 sgobs.exe 13->23         started        signatures6 process7 dnsIp8 43 netjul.xyz 104.219.248.46, 49752, 49753, 49754 NAMECHEAP-NETUS United States 15->43 45 checkip.dyndns.org 15->45 49 3 other IPs or domains 15->49 51 Multi AV Scanner detection for dropped file 15->51 53 May check the online IP address of the machine 15->53 55 Tries to steal Mail credentials (via file access) 15->55 61 3 other signatures 15->61 57 Machine Learning detection for dropped file 19->57 47 checkip.dyndns.org 21->47 59 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->59 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4f6d56d20e25b1bbe5395a63e58d46bccdbb08ffeb756dba18b9d30811dd2b29/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-01 11:32:58 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j5wvnuqoewy3xzjzljr6ldkgxtg3wch75n2w3oqyxhjqqeo5fmuq._file
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger persistence spyware stealer
Link:
https://tria.ge/reports/210703-d8a575q2he/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Unpacked files
SH256 hash:
43c018e825848fc861d5b6f404a694f5fd2cd18d5e6b155506c0dbcb251a1039
MD5 hash:
6f6e549f2d4cf44d987c1fc85df16e41
SHA1 hash:
acacad8193907be3cce2e3eeb0b9e0a89a8cf1ff
Link:
https://www.unpac.me/results/469d8834-eb5b-41da-b49d-552e96882729/
SH256 hash:
023ba0319744add224f3048542f901f754730300805b279d87357fd67fba6d6a
MD5 hash:
27c9bb43a69cbff045c9ac0058c4f725
SHA1 hash:
92794ad995301b60fce21ae877a04e3c76ccac36
Link:
https://www.unpac.me/results/469d8834-eb5b-41da-b49d-552e96882729/
SH256 hash:
7512d171592577881ab5c5e3b08a2b85b4af840220611681f2e24a8e1031d60e
MD5 hash:
07a3d5f4963dd6d47b8a23d11eeaf74c
SHA1 hash:
381b17a2c21cd00d7f79d8ea27a0c9dfa693cbe2
Link:
https://www.unpac.me/results/469d8834-eb5b-41da-b49d-552e96882729/
SH256 hash:
4f6d56d20e25b1bbe5395a63e58d46bccdbb08ffeb756dba18b9d30811dd2b29
MD5 hash:
cb9af885381d262eb625537ebc43931e
SHA1 hash:
e27425115470648445649668a01d4dc814aff6b1
Link:
https://www.unpac.me/results/469d8834-eb5b-41da-b49d-552e96882729/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4f6d56d20e25b1bbe5395a63e58d46bccdbb08ffeb756dba18b9d30811dd2b29

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Heodo

Executable exe 4f6d56d20e25b1bbe5395a63e58d46bccdbb08ffeb756dba18b9d30811dd2b29

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/169450/

Comments