MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fa67b147d6b2bce7adc776d88917a6b3a40bcd1858e1dbe113c385cb34a67a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fa67b147d6b2bce7adc776d88917a6b3a40bcd1858e1dbe113c385cb34a67a2
SHA3-384 hash: a70fa661690588452528af54487fafe9aefafb21fa872989200ceeb8ba9ebae6dd72752f043c4575be2bb89ef61cae05
SHA1 hash: 090bb4411eff974e9c191e02ac7af95f6f7c7f35
MD5 hash: 662d2aba9cb5182eb12d2a6acf3296ae
humanhash: lake-purple-salami-lake
File name:emotet_exe_e1_4fa67b147d6b2bce7adc776d88917a6b3a40bcd1858e1dbe113c385cb34a67a2_2021-01-14__000142.exe
Download: download sample
Signature Heodo
Create hunting rule
File size:277'504 bytes
First seen:2021-01-14 00:01:51 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 68aea345b134d576ccdef7f06db86088 (46 x Heodo)
ssdeep 6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGM:X5DpBw/KViMTB1MnEWk0115JD
Threatray 382 similar samples on MalwareBazaar
TLSH 1244D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717
Reporter Cryptolaemus1
Tags:Emotet epoch1 exe Heodo


Avatar
Cryptolaemus1
Emotet epoch1 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111884/
Detection(s):
SecuriteInfo.com.Generic.mg.6d65571a1d5bb5ce.718.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4fa67b147d6b2bce7adc776d88917a6b3a40bcd1858e1dbe113c385cb34a67a2/
Threat name:
Win32.Trojan.EmotetCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-01-14 00:02:09 UTC
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j6thwfd5nmv446w4o5wyrel2nm5ebpgrqwhb3pqrhq4fzm2km6ra._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
Similar samples:
4b0fc83ee767b76b201f8a8a9e472a859cea02ea98ed7734a72751699707386b
Heodo
5c3fbb6d9fac98e2745a447d3d9b307dec3b1c1775fb70c2fc743855c1e5588d
Heodo
79458b5fb130ddafe84e085fa6987bf389a846e6499269370c53f78aa2ae9ed2
Heodo
857bf27eca7a18ae952957aa89a2fe289091d6b08613d027503d503c935bc7f3
Heodo
8943f490a334356cb24f24d1787e07f5c4e0ebf512052a9214d63f632eab62e9
Heodo
d1d9c724a709955a475f9126fd20b0858ffa92512bd4bb498e86e4ebe57848d1
Heodo
e0c7356fbbaed85b1353cf0baa2ac4572cbe692e65e814c456d6756d7e2c2419
Heodo
e24c3f5539484830fa7fe0615578d543a2e90715fbf04390bfddbbfd62e4c450
Heodo
eeebf89c156e701c34286f9dfacacdc3d54b005d97721e6523aed218a9e6d6ec
Heodo
f9e1b462ba46330f565d8177bb919e16c28e33c87795c0e69e70a6b9b5379ae1
Heodo
+ 372 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210114-cfrg93nf5a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Unpacked files
SH256 hash:
4fa67b147d6b2bce7adc776d88917a6b3a40bcd1858e1dbe113c385cb34a67a2
MD5 hash:
662d2aba9cb5182eb12d2a6acf3296ae
SHA1 hash:
090bb4411eff974e9c191e02ac7af95f6f7c7f35
Link:
https://www.unpac.me/results/ccecec33-743b-4b66-955a-6d3d114d47ba/
SH256 hash:
8e991423fbbe65fe96b933fedf22f3abef3e8a01529bd1e31628089806687a36
MD5 hash:
7685af8cf9329a7a2f44063a5a69e57a
SHA1 hash:
b1825190b19bdab86eefae70f035498ba2d8ab32
Detections:
win_emotet_a2
Create hunting rule
Link:
https://www.unpac.me/results/ccecec33-743b-4b66-955a-6d3d114d47ba/
Parent samples :
95c32e94bdb89c25d54fbf5881e5f992b3c5f8771d250e5b722cada230090527
fead1cbbdd218fb7a8eec59c05c87febed5a6d77a944acab5b97ae806750e8b9
4bed3b3e5389c7c69744d97fe5c757a302ba0439dce7ace1ded498468cfe64f3
c8304fe992e24617c3eb5216907bc041d7920738f6809b4dd82ed0cec85c6170
6541580253433e76eea2fdfa5fa2e02a703ee53e8550cbc779a506566e92628c
958af16e38cd619acb45b7932c15c6e03a0b68b4eb04e40f91d5313ca0943761
f93544c3fd1fbbcc9f0eca7960234a7d3ca56787410d8273ccb0aa42f2103e53
d76937a5b03506941a1b1342dc79c568dfb10f54d894fd93626745881e218dc5
f623d86a38b063646077f6bd197b00e07b8ccfbf8696424a01c1fb27d4e0427c
2057b1c272cca18b84d820801257555faf68c282de7009a9a6eda9012fdb7e9b
b21188a7eb5209c09dda0cc8baa89dcdc5f0519d217f6e870d1fb70d39d84b23
8e49e91421b46aa7b6f566d39f5855600e21a6122260c180483bb82dcb3f5458
d96793e74d9d81ef432fc9a2bcaddb46b2d5a26a418f534fe27cdd5fbf894460
b9acca30f236050f9b154b71bc3ee0d685e3472c3c985422b1bf7058960d8ef6
a022d807e9772d518fe062e9bf5bf216684cbde33d14522c2df82847d5dadff1
074dd1cc1ce739876eab2993b549570e81ff18f4073a5a13c4461bc880d81281
6baa699f3896ec02629c42551aef3e4bfa1935e93d164eef7d32b2054114e8a2
7c073c25d28eb332ba72fbc5424370dc6b87fd2dd737ec704871819936502954
f9e1b462ba46330f565d8177bb919e16c28e33c87795c0e69e70a6b9b5379ae1
8fa8d19ca8875f370b5267c9e666f67d3eeb4ea55d061e6ac0aa618e8ac3d8de
d1d9c724a709955a475f9126fd20b0858ffa92512bd4bb498e86e4ebe57848d1
79458b5fb130ddafe84e085fa6987bf389a846e6499269370c53f78aa2ae9ed2
eeebf89c156e701c34286f9dfacacdc3d54b005d97721e6523aed218a9e6d6ec
e0c7356fbbaed85b1353cf0baa2ac4572cbe692e65e814c456d6756d7e2c2419
2123b6fe4cba8ee254a8cc742b91e6189378eab77a3157a484c41746e6181abd
857bf27eca7a18ae952957aa89a2fe289091d6b08613d027503d503c935bc7f3
25fb0a71ad75732672b88e0571fb4ff7deee9cb7dd6bac5d98e6dc77efbb9fbc
4b0fc83ee767b76b201f8a8a9e472a859cea02ea98ed7734a72751699707386b
e24c3f5539484830fa7fe0615578d543a2e90715fbf04390bfddbbfd62e4c450
d9f6dfa452f15185695123ea5f83cb15f8d77c8dc1f3bce6ed0272a547a978c4
8943f490a334356cb24f24d1787e07f5c4e0ebf512052a9214d63f632eab62e9
4fa67b147d6b2bce7adc776d88917a6b3a40bcd1858e1dbe113c385cb34a67a2
e7f08dc9b1f0f6563565d7a921598187003b68a734ba6d26dba7504638e26a08
15cc24b45bd3410a7c5d47728c7cb9771ebeab5a8f80044f362269abc3b9743f
c41e93c99d54a0e8991d6dd29a938bd73570c7c0c00cc6bf912968ae8009b239
5c3fbb6d9fac98e2745a447d3d9b307dec3b1c1775fb70c2fc743855c1e5588d
e2481621ce7efec0179a45d8557c67edf6a064445119cbc16802f434166c5498
63d55a92c9e8725b65071348832610838582fc2f25adda7957b17f8c98cf29d7
f60d077ca928c68be7a0467f97ce15cece83f775577861b37a7f2cdf7ab783ca
5d8625956430bb53f7eed93fca105f50b57763e7b6fbefada2d8bcfc3e26a1c5
9635531f6e60a7d36f4017644a5ed549250c3fc70c6d97654fc61d4dbf3c919a
72b420b1afff83f7fb58a5c7a8c17d133e6e3411e49c0962e42a07f528bcc718
584d18ef44af9d254d115ab93d5bb516dab54cc354119c817190aef79fd25119
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Emotet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4fa67b147d6b2bce7adc776d88917a6b3a40bcd1858e1dbe113c385cb34a67a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALW_emotet
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect unpacked Emotet

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Heodo

DLL dll 4fa67b147d6b2bce7adc776d88917a6b3a40bcd1858e1dbe113c385cb34a67a2

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/111884/
  
URLhaus
https://urlhaus.abuse.ch/url/958059/
  
Delivery method
Distributed via web download

Comments