MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fc36a023348767aac9b22a40924d3c0e9abffca405a4f21db1f1f259ce5ad41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 3


Intelligence 3 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fc36a023348767aac9b22a40924d3c0e9abffca405a4f21db1f1f259ce5ad41
SHA3-384 hash: a46e86c84d3f8c81bf8eea55dbfef204f97ec72152d613b1b27902e0e2999593bb75d0e99c616081f7a0264d957f78f2
SHA1 hash: 23ebcb30c00e26e9a900796a1d4e94a553b0504a
MD5 hash: 3a1c8a284daf964de3b2c86a29bd58b7
humanhash: moon-mobile-alaska-johnny
File name:3a1c8a284daf964de3b2c86a29bd58b7.exe
Download: download sample
Signature Heodo
Create hunting rule
File size:618'496 bytes
First seen:2020-05-01 10:04:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1938f25c06e95db431e0466c88400b31 (3 x Heodo)
ssdeep 12288:reEF5m0kU5o5V6V817yQdgdpOof6yA/Vq/G6xQMbGIRWNpGk7jEvf5m+ZgxG6gpj:fn7xWTkpOjrUXypuN
Threatray 2'273 similar samples on MalwareBazaar
TLSH 9CD49E1236E1E076C0A312F2499AC32C77F2BD205B375683B7C51B5D1E748A2AB3A775
Reporter abuse_ch
Tags:Emotet exe Heodo

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
MULTIMEDIA_APICan Play MultimediaGDI32.dll::StretchDIBits
SHELL_APIManipulates System ShellSHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileA
KERNEL32.dll::GetFileAttributesA
KERNEL32.dll::FindFirstFileA
WIN_CRYPT_APIUses Windows Crypt APIADVAPI32.dll::CryptAcquireContextW
ADVAPI32.dll::CryptEncrypt
ADVAPI32.dll::CryptImportKey
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegCreateKeyA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueA
ADVAPI32.dll::RegQueryValueExA
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::OpenSCManagerA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments