MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5bc677a7fb0a40c95422843c2015bba725d3fa9aa4d2b332f3ea33d604d1fdd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	5bc677a7fb0a40c95422843c2015bba725d3fa9aa4d2b332f3ea33d604d1fdd4
SHA3-384 hash:	b0dd6aa3bf4209ae3a6ea25b5aaa11b0b860271eaa18001b73399997da3278a5a60c96f87680ca2f4633142d06bc36ef
SHA1 hash:	6d44868368a89bd4d9cc465e0bf905a2af00762c
MD5 hash:	41b853c346633bdea9751fbaec223e2e
humanhash:	double-uniform-idaho-ack
File name:	emotet_exe_e1_5bc677a7fb0a40c95422843c2015bba725d3fa9aa4d2b332f3ea33d604d1fdd4_2020-08-25__075422._exe
Download:	download sample
Signature	Heodo Create hunting rule
File size:	368'760 bytes
First seen:	2020-08-25 07:54:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9ec6ac70f432b127d4038c1b4793b8ef (25 x Heodo)
ssdeep	6144:ckps/EJxl4tfji9K/9AFnXQkT2r+t0ooMSSFjNX4DyXX4st:ckpsClQLMK/qXQkT2r+tFVSSsDynTt
TLSH	B2744A0523F08833DADB053219F7EFFAE3AD5E645E31598B83794F8EA6310D1A52560B
Reporter	Cryptolaemus1
Tags:	Emotet epoch1 exe Heodo

Cryptolaemus1

Emotet epoch1 exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Emotet

Link:

https://www.capesandbox.com/analysis/50444/

Detection(s):

SecuriteInfo.com.Generic.mg.0135cc9ab58cb2e4.9339.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Connection attempt

Sending an HTTP POST request

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/448530

Signature

Changes security center settings (notifications, updates, antivirus, firewall)

Drops executables to the windows directory (C:\Windows) and starts them

Hides that the sample has been downloaded from the Internet (zone.identifier)

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

emotet

Link:

https://mwdb.cert.pl/sample/5bc677a7fb0a40c95422843c2015bba725d3fa9aa4d2b332f3ea33d604d1fdd4/

Threat name:

Win32.Trojan.Emotet

Status:

Malicious

First seen:

2020-08-25 07:56:08 UTC

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=lpdhpj73bjamsvbcqq6cafn3u4s5h6u2utjlgmxt5iz5mbgr7xka._file

Verdict:

malicious

Label(s):

emotet

Result

Malware family:

emotet

Score:

10/10

Tags:

trojan banker family:emotet

Link:

https://tria.ge/reports/200825-9p4fcjs9lj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Emotet

Malware Config

C2 Extraction:

190.2.31.172:80
116.125.120.88:443
209.236.123.42:8080
177.73.0.98:443
45.173.88.33:80
207.144.103.227:80
68.183.170.114:8080
185.94.252.12:80
188.2.217.94:80
87.106.46.107:8080
185.33.0.233:80
94.176.234.118:443
85.105.140.135:443
181.30.61.163:443
77.55.211.77:8080
190.163.31.26:80
152.169.22.67:80
190.128.173.10:80
137.74.106.111:7080
217.199.160.224:7080
190.24.243.186:80
188.135.15.49:80
104.131.41.185:8080
82.163.245.38:80
186.70.127.199:8090
12.162.84.2:8080
73.213.208.163:80
219.92.8.17:8080
177.74.228.34:80
217.13.106.14:8080
189.131.57.131:80
189.2.177.210:443
185.94.252.27:443
51.255.165.160:8080
73.116.193.136:80
83.169.21.32:7080
174.100.27.229:80
82.196.15.205:8080
85.109.159.61:443
187.162.248.237:80
190.190.148.27:8080
114.109.179.60:80
95.9.180.128:80
50.28.51.143:8080
172.104.169.32:8080
70.32.115.157:8080
177.72.13.80:80
190.195.129.227:8090
219.92.13.25:80
70.32.84.74:8080
111.67.12.221:8080
199.203.62.165:80
58.171.153.81:80
91.219.169.180:80
24.135.1.177:80
81.129.198.57:80
24.148.98.177:80
5.196.35.138:7080
104.131.103.37:8080
204.225.249.100:7080
46.28.111.142:7080
190.6.193.152:8080
213.60.96.117:80
149.62.173.247:8080
170.81.48.2:80
192.241.146.84:8080
2.47.112.152:80
178.250.54.208:8080
67.247.242.247:80
212.71.237.140:8080
181.129.96.162:8080
186.103.141.250:443
61.92.159.208:8080
212.93.117.170:80
68.183.190.199:8080
190.115.18.139:8080
82.76.111.249:443
89.32.150.160:8080
45.33.77.42:8080
77.90.136.129:8080
191.99.160.58:80
51.159.23.217:443
24.135.198.218:80
191.182.6.118:80
45.161.242.102:80
72.47.248.48:7080
178.79.163.131:8080
192.241.143.52:8080
65.36.62.20:80
190.147.137.153:443

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5bc677a7fb0a40c95422843c2015bba725d3fa9aa4d2b332f3ea33d604d1fdd4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT