MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 558fe11c90d3dc6ab7f55a81fb42104d445caf651d9cff1f525489dd0b4ef6c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 558fe11c90d3dc6ab7f55a81fb42104d445caf651d9cff1f525489dd0b4ef6c6
SHA3-384 hash: 7a1ca31a8c228a45f917a7a3724e6c31875bd60729276402c022eb2c204f38ecb2b47651fe70af44f769297a0cdb70bb
SHA1 hash: cea93d1ae9ee91284b343758f55a7dbe99047d34
MD5 hash: 168847ec4d09137f94fc7bf4b2b34ef0
humanhash: spring-louisiana-princess-coffee
File name:emotet_exe_e2_558fe11c90d3dc6ab7f55a81fb42104d445caf651d9cff1f525489dd0b4ef6c6_2020-08-11__181248._exe
Download: download sample
Signature Heodo
Create hunting rule
File size:479'232 bytes
First seen:2020-08-11 18:12:54 UTC
Last seen:2020-08-11 19:18:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 421f049edf2866c78ac230b8098442da (26 x Heodo)
ssdeep 6144:Mg5alZHCNqClhpALe+/LyK7AF0fY7S2KWCHMPzwO:t5KCNqQ2a6b7NY7pKwz7
Threatray 8'268 similar samples on MalwareBazaar
TLSH 40A4BE0C36E3C372F856013A44B68B2953AEB0205B7655DB7BE4267CAE353F89937385
Reporter Cryptolaemus1
Tags:Emotet epoch2 exe Heodo


Avatar
Cryptolaemus1
Emotet epoch2 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Emotet
Create hunting rule
Link:
https://www.capesandbox.com/analysis/43676/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

PUA.Win.Downloader.Firseria-6804617-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Connection attempt
Sending an HTTP POST request
Result
Threat name:
Emotet
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/420037
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Yara detected Emotet
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 262359 Sample: _181248._exe Startdate: 12/08/2020 Architecture: WINDOWS Score: 60 26 cdn.onenote.net 2->26 28 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->28 30 Yara detected Emotet 2->30 8 _181248.exe 2 2->8         started        11 svchost.exe 2->11         started        13 svchost.exe 2->13         started        15 7 other processes 2->15 signatures3 process4 signatures5 32 Drops executables to the windows directory (C:\Windows) and starts them 8->32 34 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->34 17 dllhst3g.exe 12 8->17         started        36 Changes security center settings (notifications, updates, antivirus, firewall) 11->36 20 MpCmdRun.exe 1 11->20         started        process6 dnsIp7 24 107.185.211.16, 49733, 80 TWC-20001-PACWESTUS United States 17->24 22 conhost.exe 20->22         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/558fe11c90d3dc6ab7f55a81fb42104d445caf651d9cff1f525489dd0b4ef6c6/
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2020-08-11 18:14:23 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kwh6cheq2pogvn7vlka7wqqqjvcfzl3fdwop6h2skse52c2o63da._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
Similar samples:
481555a4110095600f82ae281ca07f24b8a2cdc11b25b8328c2ab3f7a1be5c8b
Heodo
4e18cf314291b0ccc568b3cd9511db21de722fa552f3cd2d1178521e6a1b9da6
Heodo
5b17d42e3981d6d9878c1d42ece49747bc4da91851c11be3ced2f34903014ec9
Heodo
63b3a6c7bed7fe9075f9fbaabc8cc9cd1b68104f51008214cf7896287ee1950d
Heodo
65369b148f18cceb3e28b9ea5ca5750323c33b60e69318d43c1e1c5de6242638
Heodo
66d0284e2368cfe7741f288af2daf495ee05d19cbc0f03442902bd4aaf7946e1
Heodo
b2e9ecd106ad87efe19942be48953b946760942c33c2b3b2ee5a3bccf51c934e
Heodo
ccf53097e80113f685164e199ea4bbe451d37a4a43a4349db496b44049268a88
Heodo
d2ab57c299affa03407a6f42b9265d4154579d120a9da15a5f7946516213f19b
Heodo
d41ad74538f15f930cac43834e5849cfb7474c302109f6786b4c9dedba0b083f
Heodo
+ 8'258 additional samples on MalwareBazaar
Result
Malware family:
emotet
Create hunting rule
Score:
  10/10
Tags:
trojan banker family:emotet
Link:
https://tria.ge/reports/200811-l3pevwzkjn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Emotet Payload
Emotet
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/558fe11c90d3dc6ab7f55a81fb42104d445caf651d9cff1f525489dd0b4ef6c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:MALW_emotet
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect unpacked Emotet

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Heodo

Executable exe 558fe11c90d3dc6ab7f55a81fb42104d445caf651d9cff1f525489dd0b4ef6c6

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/43676/
  
URLhaus
https://urlhaus.abuse.ch/url/429028/
  
Delivery method
Distributed via web download

Comments