MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57b21f05af0facd00c9abcb23333cc3ce19ca4fb24c46b8c158a21edfef03ffb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 17

Intelligence 17 IOCs YARA 1 File information Comments

SHA256 hash:	57b21f05af0facd00c9abcb23333cc3ce19ca4fb24c46b8c158a21edfef03ffb
SHA3-384 hash:	cfa39843b52848cd3d7088311432c10bc7fb0313b672f0a8e2941500e3ac3434cc5d9811486b78b71195218544edcc88
SHA1 hash:	fbcb590b4171af1d5a4207573323338f2b23025b
MD5 hash:	d4c7849e4462ac20c6f5af50569b879a
humanhash:	cat-item-charlie-network
File name:	ExeFile (39).exe
Download:	download sample
Signature	Heodo Create hunting rule
File size:	278'528 bytes
First seen:	2024-08-20 14:13:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1deacf3db700948b483204d3f073879e (209 x Heodo)
ssdeep	6144:ADC5yQfvp9e4YbTaPnEu/+6i5j0RgfJWIafGX40T:oCBfvLoaPDHiPJgfOn
Threatray	952 similar samples on MalwareBazaar
TLSH	T131449D1272E0C877C1A325761DE29BAAB3B6FC604F738B8767843B0E9E306D25536355
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter	byMattii1234
Tags:	Emotet Heodo

Intelligence

File Origin

# of uploads :

# of downloads :

201

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ExeFile (39).exe

Verdict:

Malicious activity

Analysis date:

2024-08-20 16:45:41 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d41204fd-24b3-4df7-8c96-bedef7edcd8e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Malware.Emotet-9752262-0

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66c4a4ebb2a4681a7296625d

Tags:

Execution Generic Infostealer Network Other Stealth Trojan Emotet

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

emotet epmicrosoft_visual_cc fingerprint iceid keylogger microsoft_visual_cc

Link:

https://www.filescan.io/uploads/66c4a4c3a2e3279d6c82badd/reports/1f1e4198-1d51-4c80-880c-754e096437a9/overview

Verdict:

Malicious

Labled as:

Trojan.Emotet

Link:

https://www.hybrid-analysis.com/sample/57b21f05af0facd00c9abcb23333cc3ce19ca4fb24c46b8c158a21edfef03ffb

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Emotet

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c77c817b-8dc4-479e-84d5-792eea431aa3

Result

Threat name:

Emotet

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1495874

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Uses known network protocols on non-standard ports

Yara detected Emotet

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/57b21f05af0facd00c9abcb23333cc3ce19ca4fb24c46b8c158a21edfef03ffb

Detection:

emotet

Link:

https://mwdb.cert.pl/sample/57b21f05af0facd00c9abcb23333cc3ce19ca4fb24c46b8c158a21edfef03ffb/

Threat name:

Win32.Trojan.Emotet

Status:

Malicious

First seen:

2020-11-20 03:00:19 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

35 of 38 (92.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=k6zb6bnpb6wnade2xszdgm6mhtqzzjh3etcgxdavriq637xqh75q._file

Verdict:

malicious

Label(s):

emotet

Result

Malware family:

emotet

Score:

10/10

Tags:

family:emotet botnet:epoch3 banker discovery trojan

Link:

https://tria.ge/reports/240820-rjttqawdrf/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

System Location Discovery: System Language Discovery

Emotet

Malware Config

C2 Extraction:

118.110.236.121:8080
149.202.5.139:443
153.92.4.96:8080
51.75.163.68:7080
143.95.101.72:8080
190.225.150.234:80
186.227.146.102:80
181.137.229.1:80
175.29.183.2:80
77.74.78.80:443
175.139.144.229:8080
222.159.240.58:80
190.55.186.229:80
190.190.15.20:80
157.245.138.101:7080
46.32.229.152:8080
195.201.56.70:8080
198.57.203.63:8080
157.7.164.178:8081
189.39.32.161:80
82.239.200.118:80
73.84.105.76:80
66.61.94.36:80
223.17.215.76:80
88.249.181.198:443
188.251.213.180:443
139.59.12.63:8080
95.216.205.155:8080
177.94.227.143:80
2.144.244.204:443
220.254.198.228:443
188.0.135.237:80
173.94.215.84:80
37.46.129.215:8080
190.96.15.50:80
50.116.78.109:8080
60.125.114.64:443
162.249.220.190:80
197.232.36.108:80
71.57.180.213:80
37.187.100.220:7080
37.205.9.252:7080
46.105.131.68:8080
190.164.75.175:80
185.208.226.142:8080
201.235.10.215:80
177.144.130.105:443
101.50.232.218:80
190.53.144.120:80
172.105.78.244:8080
201.213.177.139:80
58.27.215.3:8080
185.142.236.163:443
210.1.219.238:80
45.182.161.17:80
197.221.158.162:80
54.38.143.245:8080
81.17.93.134:80
185.86.148.68:443
162.144.42.60:8080
203.153.216.178:7080
179.191.239.255:80
181.122.154.240:80
192.241.220.183:8080
179.62.238.49:80
181.113.229.139:443
118.101.24.148:80
24.26.151.3:80
178.33.167.120:8080
105.209.235.113:8080
51.38.201.19:7080
113.161.148.81:80
8.4.9.137:8080
74.208.173.91:8080
113.203.250.121:443
103.80.51.61:8080
190.212.140.6:80
75.127.14.170:8080
179.5.118.12:80
172.96.190.154:8080
192.210.217.94:8080
91.75.75.46:80
192.163.221.191:8080
5.79.70.250:8080
190.136.179.102:80
168.0.97.6:80
91.83.93.103:443
41.185.29.128:8080
81.214.253.80:443
115.78.11.155:80
115.79.195.246:80
86.98.143.163:80

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/19f68b0c-08d5-4017-b34e-6a9ac3f26134

Unpacked files

SH256 hash:

64c42eee893c1b56e0d5650192cea5c7949bef4c82ebcc2a8a5fb443d50735ac

MD5 hash:

d0b342b841ad6c1b28018c6bd97b8a2f

SHA1 hash:

2b33b97832052119005c7f40410b37a2c62e47e4

Detections:

win_emotet_auto

win_emotet_a2

Emotet

Link:

https://www.unpac.me/results/e3ee1ba4-0110-4df3-81cd-3164eca558ea/

Parent samples :

00a070e51a978caa8344eded83f97b7149d67d837991945f067d9278d86e9eb0
98176bd01d12f0c0071149b1085db47e5c76096d2d79a66ce1d0e4e7441c4189
17274f563d1b3deaaf2f8d1a7dabc0937b263523c672927435385ac49a598086
5f11271d1b1cb76bec3ce45df1aa65d650d3d5a06e9a6ae8ebdbbe45274a5e14
1fdf897edad7a930f9e53a141c6e8aeeaca01e3fdb6cc9b878447405479a880d
a8d65fe1194a6019ee6068bf8b074b06688b024ce429601567b99014d7d7a11e
633d78daca7ba44443def63ec744b77e6dc8e5faa9cbec107c613db9986e08cf
a41f8750931a80ad698bc1d6c2023f55dfa460f9f2aab1bb06d1a1394dcaad62
57b21f05af0facd00c9abcb23333cc3ce19ca4fb24c46b8c158a21edfef03ffb

SH256 hash:

57b21f05af0facd00c9abcb23333cc3ce19ca4fb24c46b8c158a21edfef03ffb

MD5 hash:

d4c7849e4462ac20c6f5af50569b879a

SHA1 hash:

fbcb590b4171af1d5a4207573323338f2b23025b

Link:

https://www.unpac.me/results/e3ee1ba4-0110-4df3-81cd-3164eca558ea/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/57b21f05af0facd00c9abcb23333cc3ce19ca4fb24c46b8c158a21edfef03ffb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Heodo

exe 57b21f05af0facd00c9abcb23333cc3ce19ca4fb24c46b8c158a21edfef03ffb

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/452249/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CLSIDFromProgID ole32.dll::CoFreeUnusedLibraries
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetVolumeInformationA KERNEL32.dll::GetSystemInfo KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::SetStdHandle
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileA KERNEL32.dll::GetFileAttributesA KERNEL32.dll::FindFirstFileA
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExA ADVAPI32.dll::RegDeleteKeyA ADVAPI32.dll::RegOpenKeyA ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegQueryValueExA ADVAPI32.dll::RegQueryValueA
WIN_USER_API	Performs GUI Actions	USER32.dll::AppendMenuA USER32.dll::PeekMessageA USER32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample