MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59ccd48279374377ac38f767764df31243b433c33a0df39daf005d950b5efba8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	59ccd48279374377ac38f767764df31243b433c33a0df39daf005d950b5efba8
SHA3-384 hash:	ca2003eec6b4258ee9bab6bebdda63371d5b4bd4588a36a3c71513f8e22e4c33000389806e161fb725eba7778e0469ff
SHA1 hash:	cabe3ee72469a5cd4b68d3de461bc421082ae297
MD5 hash:	f386cbc90a1eb84a3f6e287911320dfe
humanhash:	river-thirteen-hot-idaho
File name:	IMG1245950021323IMAGN59502912IMAGENVISTAPREVIA0129100011.exe
Download:	download sample
Signature	Emotet Create hunting rule
File size:	1'097'926 bytes
First seen:	2020-04-14 23:16:38 UTC
Last seen:	2020-04-14 23:53:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	24f4223e271413c25abad52fd456a9bc (21 x GuLoader, 15 x Loki, 10 x AgentTesla)
ssdeep	24576:LwgszDzEY4Ecy7DbDTafOuDZ/myydIESihr2eOkaHYmwmeBQSTG:u7r97D/TJuFbBN6ckaHYHVQGG
Threatray	6'164 similar samples on MalwareBazaar
TLSH	8D35339071DCE516D0B9E37087B038913FEB925125264E1FC790AB0C756BB81BC7ABAC
Reporter	Jirehlov
Tags:	Emotet exe

Intelligence

File Origin

# of uploads :

# of downloads :

123

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/4492/

Detection(s):

SecuriteInfo.com.BehavesLike.Win32.ObfusRansom.bc.6542.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-04-14 06:55:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 45 (46.67%)

Threat level:

5/5

Verdict:

malicious

Label(s):

avemaria

emotet

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/4492/

Cape

https://www.capesandbox.com/analysis/4485/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::SetFileSecurityW
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExW SHELL32.dll::SHFileOperationW SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDiskFreeSpaceW KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::MoveFileW KERNEL32.dll::MoveFileExW
WIN_BASE_USER_API	Retrieves Account Information	ADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW
WIN_USER_API	Performs GUI Actions	USER32.dll::AppendMenuW USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::OpenClipboard USER32.dll::PeekMessageW USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample