MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 618de6ea7c34a83092d90198f6ee88f5c317dcb46d9ea320aec8c5b46ce54824. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	618de6ea7c34a83092d90198f6ee88f5c317dcb46d9ea320aec8c5b46ce54824
SHA3-384 hash:	e6b4e48cfd0c52f1824833c7e24549f0bf20975177dad3f563016d00567e57bab4564c193d0bc7f1e63b128d82558d34
SHA1 hash:	87a8a8e6f8a3dc357203ed51e468960a284431a2
MD5 hash:	1d8d40a278cf0437c2d76738e1beaf98
humanhash:	december-quiet-social-west
File name:	618de6ea7c34a83092d90198f6ee88f5c317dcb46d9ea320aec8c5b46ce54824
Download:	download sample
Signature	Heodo Create hunting rule
File size:	337'848 bytes
First seen:	2020-11-15 22:44:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	517341ae1ccc6afec85c307c3a906f58 (2 x Kovter, 1 x Heodo)
ssdeep	6144:AylYb0nMtBJ/f11s+J7xmGm0O36kQ2XBKnouECmg/4FhC/4a3KQiK:JlKM69f11s+dxm936k1C9wFhP6gK
Threatray	7 similar samples on MalwareBazaar
TLSH	B774F2CBD38581F1F59F71FA1C9AA13FCB529AC756568A8393E4CF966AB31018C4B130
Reporter	seifreed
Tags:	Emotet Heodo

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Using the Windows Management Instrumentation requests

Launching a process

Creating a window

Creating a process with a hidden window

Creating a file

Searching for the window

Connection attempt

Possible injection to a system process

Changing settings of the browser security zones

Enabling autorun with the shell\open\command registry branches

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Deleting of the original file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/618de6ea7c34a83092d90198f6ee88f5c317dcb46d9ea320aec8c5b46ce54824/

Threat name:

Win32.Dropper.Powerliks

Status:

Malicious

First seen:

2020-11-15 22:45:22 UTC

AV detection:

25 of 28 (89.29%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mgg6n2t4gsudbewzagmpn3ui6xbrpxfunwpkgifozdc3i3hfjasa._file

Verdict:

malicious

Heodo

21621ac382cc4b809513ccc6f859f4c12f049e8ac6d9e7edd41cd950278f463f

Heodo

2b0246f1de2f4e3943cf158feac18ace5a46c21ce8ed37b6efcc12114a44329e

Heodo

384a8272bad1e926177a0791a932a4ad7f60a9cd8f05c0ae3c9ac31932ef2528

Heodo

64baa604001b64764cb7aae4019abc73929ea59965fba733871e5e17377b1b84

Heodo

7c5159e4f3a2f206d7eac9a4d6fec1ff16e0bc85b1d2879757383709c297ae1b

Heodo

f5be23df0cfd529674c9939bf11e4d0f61693f898cf989e7b7acf62202c0874e

Heodo

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/201115-v144ssaq46/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in System32 directory

Process spawned unexpected child process

Unpacked files

SH256 hash:

bea11bcf87fe4c870f05e1689dae2a3156fc0ce53e4b873c3a43f5f02c6598ca

MD5 hash:

400d944a3def0e943d8be41745e8c9c8

SHA1 hash:

b8bd3ef981ed0d24feaf44378c425b1e8c5efc6a

Link:

https://www.unpac.me/results/11992f13-5775-4e68-8124-647a5ffe4631/

SH256 hash:

4d5846e07b1c8d189a7af6f6812dec18188ce335e35b571647faeec8ccbb606a

MD5 hash:

fb47db4ff8b8400ae9ead3a1ef58b175

SHA1 hash:

568c9f5326de8b33dcf343de2b45e9856bc5c534

Detections:

win_kovter_auto

Link:

https://www.unpac.me/results/11992f13-5775-4e68-8124-647a5ffe4631/

Parent samples :

64baa604001b64764cb7aae4019abc73929ea59965fba733871e5e17377b1b84
21621ac382cc4b809513ccc6f859f4c12f049e8ac6d9e7edd41cd950278f463f
618de6ea7c34a83092d90198f6ee88f5c317dcb46d9ea320aec8c5b46ce54824
4defd9f70057e085921215b34a0b170a75f04d5365c060c0eb013e8b1948b4ef
b0b1dffc4817f772584318a9554251d1cb45a6f0955bd4819a387466ed1f347b
761f42f03e50ef9b2eb1b1041c81cc6ed24cbc8ce2d6df3c87f193493b4a4772
e93ea2c9e689a35ef77e597a4cf34409f9c02dd74790716eae060304995d6289
5acd0b023bd7da111dc456b74894af78e3355c4ed8a7e87fab9068e70fbc2268

SH256 hash:

618de6ea7c34a83092d90198f6ee88f5c317dcb46d9ea320aec8c5b46ce54824

MD5 hash:

1d8d40a278cf0437c2d76738e1beaf98

SHA1 hash:

87a8a8e6f8a3dc357203ed51e468960a284431a2

Link:

https://www.unpac.me/results/11992f13-5775-4e68-8124-647a5ffe4631/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/618de6ea7c34a83092d90198f6ee88f5c317dcb46d9ea320aec8c5b46ce54824

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Win32_Ransomware_Kovter Create hunting rule
Author:	ReversingLabs
Description:	Yara rule that detects Kovter ransomware.

Rule name:	win_kovter_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample