MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b46dd945c18e7f16126969ebe14d33e3e9bd641c57667895722181c09020ebb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b46dd945c18e7f16126969ebe14d33e3e9bd641c57667895722181c09020ebb
SHA3-384 hash: 880aaddb66622e563d2a23dafb6c04d9277a72291f131bc38c7f6c082ad9706276ac26d9ea9dbb9cfe7fd4726b4fc3e5
SHA1 hash: f04a20f98908313eb5e10f990ef5b693f383b0c3
MD5 hash: 23299e7a31ab7fcf475a051a9c2c38f3
humanhash: apart-arizona-kansas-south
File name:3dq99ytpeq16490465.exe
Download: download sample
Signature Heodo
Create hunting rule
File size:466'944 bytes
First seen:2020-07-30 09:40:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 120efc16172bc76d5533abe6651a5346 (48 x Heodo)
ssdeep 12288:xH9tNCsqbIoCyJgllh/krhM3UqKsRR2Bw:btEfbjJglvdyBw
Threatray 8'245 similar samples on MalwareBazaar
TLSH A6A47C03B6E4C0B2C5B261701EE7CB75A2A8FD504E368A9773C46F4D8A35BC1A63B355
Reporter JAMESWT_WT
Tags:Emotet Heodo

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Emotet
Create hunting rule
Link:
https://www.capesandbox.com/analysis/35443/
Detection(s):
PUA.Win.Packer.Armadillo-65
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a service
Connection attempt
Sending an HTTP POST request
Moving of the original file
Enabling autorun for a service
Deleting of the original file
Result
Threat name:
Emotet
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/403445
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Yara detected Emotet
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 253950 Sample: 3dq99ytpeq16490465.exe Startdate: 30/07/2020 Architecture: WINDOWS Score: 60 25 g.msn.com 2->25 27 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->27 35 Yara detected Emotet 2->35 8 3dq99ytpeq16490465.exe 6 2->8         started        11 svchost.exe 2->11         started        13 svchost.exe 1 1 2->13         started        16 9 other processes 2->16 signatures3 process4 dnsIp5 37 Drops executables to the windows directory (C:\Windows) and starts them 8->37 39 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->39 18 wsock32.exe 16 8->18         started        41 Changes security center settings (notifications, updates, antivirus, firewall) 11->41 21 MpCmdRun.exe 1 11->21         started        31 127.0.0.1 unknown unknown 13->31 33 192.168.2.1 unknown unknown 16->33 signatures6 process7 dnsIp8 29 201.235.10.215, 49731, 80 TelecomArgentinaSAAR Argentina 18->29 23 conhost.exe 21->23         started        process9
Detection:
emotet
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5b46dd945c18e7f16126969ebe14d33e3e9bd641c57667895722181c09020ebb/
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2020-07-30 09:42:07 UTC
File Type:
PE (Exe)
Extracted files:
50
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lndn3fc4ddt7cyjgs2pl4fgthy7jxvsbyv3gpckxeimbycicb25q._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
Similar samples:
027c5b914337ab318c472a0c0d62be441fc055d0887336001ea0c6054bc3612b
Heodo
1891ebf9d653c775c93eb2a3be13c6323b3dc59916198420ea3084cacfe60746
Heodo
2d896c9a1406d575705d710311b72b4f26df172cfa920451be16dc4d039efc23
Heodo
4295495dd996c2b1ca41ea3846aa94363f9c4fad2012507cf3048ed775097d87
Heodo
61e7b302d691d3624d548d409e5fa880dfe260580f6ffb3089ee74a7f319edad
Heodo
6ac3c593bc8801a69314737946659acc7c4fd861653038ef7813c55230cd14a5
Heodo
7c124fca2b116307323a2517dd29cb9e5304058afdeb28816d62c4be2d6e6707
Heodo
a2872b8e7c6d23b71ca7830e6beed460fa549dea3bfb38c2a91d291f570d1ce4
Heodo
e1fefe212116f7fd41f075fc0090a952fd17a62d7029a636d02b743fdea86517
Heodo
e7e16d40985bf9bb9d551a7697282a6f2b9efcf0f1a31158be89b0bf893755d6
Heodo
+ 8'235 additional samples on MalwareBazaar
Result
Malware family:
emotet
Create hunting rule
Score:
  10/10
Tags:
trojan banker family:emotet
Link:
https://tria.ge/reports/200730-89xgekgb22/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Drops file in System32 directory
Executes dropped EXE
Emotet Payload
Emotet
Malware Config
C2 Extraction:
201.235.10.215:80
198.57.203.63:8080
163.172.107.70:8080
172.105.78.244:8080
107.161.30.122:8080
203.153.216.182:7080
37.46.129.215:8080
201.214.108.231:80
178.33.167.120:8080
181.113.229.139:443
192.210.217.94:8080
24.157.25.203:80
94.96.60.191:80
157.7.164.178:8081
75.127.14.170:8080
189.146.1.78:443
190.164.75.175:80
192.241.220.183:8080
190.55.233.156:80
91.83.93.103:443
144.139.91.187:80
87.106.231.60:8080
140.207.113.106:443
139.59.12.63:8080
181.167.35.84:80
50.116.78.109:8080
74.208.173.91:8080
46.49.124.53:80
81.17.93.134:80
81.214.253.80:443
46.32.229.152:8080
41.185.29.128:8080
190.111.215.4:8080
216.75.37.196:8080
37.70.131.107:80
181.143.101.19:8080
115.79.195.246:80
192.163.221.191:8080
87.252.100.28:80
181.164.110.7:80
89.108.158.234:8080
105.209.239.55:80
181.134.9.162:80
185.142.236.163:443
195.201.56.70:8080
78.189.111.208:443
113.160.180.109:80
5.79.70.250:8080
37.208.106.146:8080
179.5.118.12:80
203.153.216.178:7080
177.144.130.105:443
75.139.38.211:80
177.37.81.212:443
77.74.78.80:443
78.188.170.128:80
212.156.133.218:80
113.161.148.81:80
46.105.131.68:8080
51.38.201.19:7080
143.95.101.72:8080
212.112.113.235:80
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Emotet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b46dd945c18e7f16126969ebe14d33e3e9bd641c57667895722181c09020ebb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:IceID_Bank_trojan
Create hunting rule
Author:unixfreaxjp
Description:Detects IcedID..adjusted several times
Rule name:MALW_emotet
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect unpacked Emotet

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/35443/

Comments