MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62a66db694974210b72e57cf3e0ab1b21ae6f6222ca788b5ac541d1d8e017fb0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 9

Intelligence 9 IOCs YARA 4 File information Comments

SHA256 hash:	62a66db694974210b72e57cf3e0ab1b21ae6f6222ca788b5ac541d1d8e017fb0
SHA3-384 hash:	0a7ceb5a42f5312ab4aa8ab86d59b2046d08ba09937e11d747093924c0cf0a2a981cd8c49494c7db0a891b197f8b0316
SHA1 hash:	f86310ff23f4cb8d5324252b4674f070d4669f88
MD5 hash:	15b145dceb9ffca329545cef120e9ce8
humanhash:	foxtrot-early-north-red
File name:	62a66db694974210b72e57cf3e0ab1b21ae6f6222ca788b5ac541d1d8e017fb0
Download:	download sample
Signature	Heodo Create hunting rule
File size:	274'432 bytes
First seen:	2020-11-15 23:03:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0b5e672b44c0a5f8310da7164ee484a1 (29 x Heodo)
ssdeep	3072:xGzLaW/evi81//IPCPVr2H42rJHK4lzIZqnhbvMJ4aiiiiHiiiiiiiiiiiiiiiiq:xWH8/IaPVAUdZqxBjH4BB3K
TLSH	BF448B16B2E1C072C1A326340DE69BA967BAFC709F7187877780370EAE75BD05936721
Reporter	seifreed
Tags:	Emotet Heodo

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Dropper.Emotet-9786810-0

Win.Keylogger.Emotet-9786901-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Connection attempt

Sending an HTTP POST request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/62a66db694974210b72e57cf3e0ab1b21ae6f6222ca788b5ac541d1d8e017fb0/

Threat name:

Win32.Trojan.Emotet

Status:

Malicious

First seen:

2020-11-15 23:06:10 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mktg3nuus5bbbnzok7ht4cvrwinon5rcfstyrnnmkqor3dqbp6ya._file

Verdict:

malicious

Label(s):

emotet

Result

Malware family:

emotet

Score:

10/10

Tags:

family:emotet botnet:epoch2 banker trojan

Link:

https://tria.ge/reports/201115-2l2wms2q86/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Drops file in Windows directory

Emotet Payload

Emotet

Malware Config

C2 Extraction:

12.184.217.101:80
98.150.169.135:80
51.89.36.180:443
64.207.182.168:8080
51.89.199.141:8080
62.171.142.179:8080
27.114.9.93:80
94.200.114.161:80
24.230.141.169:80
190.162.215.233:80
85.105.111.166:80
168.235.67.138:7080
110.142.236.207:80
67.170.250.203:443
184.180.181.202:80
109.116.245.80:80
94.23.237.171:443
76.175.162.101:80
108.46.29.236:80
157.245.99.39:8080
186.70.56.94:443
100.37.240.62:80
220.245.198.194:80
78.188.106.53:443
61.19.246.238:443
216.139.123.119:80
142.112.10.95:20
176.111.60.55:8080
139.99.158.11:443
190.164.104.62:80
120.150.218.241:443
174.106.122.139:80
72.186.136.247:443
110.145.101.66:443
202.134.4.211:8080
74.208.45.104:8080
24.137.76.62:80
68.115.186.26:80
110.145.77.103:80
78.24.219.147:8080
75.143.247.51:80
95.9.5.93:80
71.15.245.148:8080
49.50.209.131:80
62.30.7.67:443
200.116.145.225:443
24.133.106.23:80
88.153.35.32:80
50.91.114.38:80
50.245.107.73:443
76.27.179.47:80
102.182.145.130:80
190.240.194.77:443
217.123.207.149:80
167.114.153.111:8080
123.176.25.234:80
194.190.67.75:80
185.94.252.104:443
37.179.204.33:80
182.208.30.18:443
37.139.21.175:8080
137.59.187.107:8080
173.173.254.105:80
46.105.131.79:8080
186.74.215.34:80
96.245.227.43:80
112.185.64.233:80
201.241.127.190:80
194.4.58.192:7080
138.68.87.218:443
139.59.60.244:8080
190.108.228.27:443
97.82.79.83:80
217.20.166.178:7080
201.171.244.130:80
37.187.72.193:8080
41.185.28.84:8080
134.209.144.106:443
118.83.154.64:443
176.113.52.6:443
162.241.140.129:8080
95.213.236.64:8080
202.134.4.216:8080
89.216.122.92:80
49.3.224.99:8080
119.59.116.21:8080
61.76.222.210:80
74.40.205.197:443
103.86.49.11:8080
5.39.91.110:7080
2.58.16.89:8080
93.147.212.206:80
120.150.60.189:80
62.75.141.82:80
188.219.31.12:80
102.182.93.220:80
104.131.11.150:443
74.214.230.200:80
218.147.193.146:80
202.141.243.254:443
194.187.133.160:443
187.161.206.24:80
94.230.70.6:80
190.29.166.0:80
113.61.66.94:80
24.178.90.49:80
123.142.37.166:80
190.12.119.180:443
209.141.54.221:7080
79.137.83.50:443
172.105.13.66:443
87.106.139.101:8080
172.91.208.86:80
59.125.219.109:443
115.94.207.99:443
154.91.33.137:443
139.162.60.124:8080
121.124.124.40:7080
203.153.216.189:7080
172.104.97.173:8080
109.74.5.95:8080
172.86.188.251:8080
91.211.88.52:7080
80.227.52.78:80
173.63.222.65:80
47.36.140.164:80
89.121.205.18:80

Unpacked files

SH256 hash:

62a66db694974210b72e57cf3e0ab1b21ae6f6222ca788b5ac541d1d8e017fb0

MD5 hash:

15b145dceb9ffca329545cef120e9ce8

SHA1 hash:

f86310ff23f4cb8d5324252b4674f070d4669f88

Link:

https://www.unpac.me/results/965c75ec-29bd-497e-b56d-62ccfcb72867/

SH256 hash:

2abc80716bc20c406a423c796776c6abd1b467bdc70ca3fa381478a46477eb7b

MD5 hash:

535aef408f90a140f77dc8de37e95156

SHA1 hash:

10a57103e58c8395b41629ba569cdee658b117f7

Detections:

win_emotet_a2

win_emotet_auto

Link:

https://www.unpac.me/results/965c75ec-29bd-497e-b56d-62ccfcb72867/

Parent samples :

dda7a3d0c59d3c9ab7a8ca49e67e3ca01260fae9cee96e83c5a1be68f922ec47
14f16342cb02ee250f805cba7414861a4ab96c9679b71e50475a3aa09121d14d
1cf716938758f77997b23cbbdc48762b86fed1826ad7fd24a55c038d783b9011
4ec7a2513e0e0a6f6779ef360dadb8b4726c3cf7f29846a36d74689311c82ccb
1cf43af4fa833710e3a1c483f0878aa81e0c31d3519b23ae49c76e07a740df6e
690b852b0eaf7730b6a2357a5b62581d8464a6fd8a91bed10580fa73a42a0f40
850fb7ceddf94de8c37dd247e73cda9ba2780414e6e7ebb61031eb867719053b
000e51bc2515d2a9e333a4ba31fb58c88490ab16540f2eb2aba1c2c49702650d
d1a7171d6b765789317d25b6e403d99ec49dc451810f9eaeafb19b585defe4ee
f274ac88eb16aed251f6ed066ad4fceb009028bb31f44475d6561ef96d5c4a95
81ec98cfd753bf4952c3411c4afe1e24d3382b5ff833089224b430791c0a9564
e8ee55a65231cd6fc1b05280904b38f2cfdd2d822661523f025fc38f431b45ba
62a66db694974210b72e57cf3e0ab1b21ae6f6222ca788b5ac541d1d8e017fb0
174312bbf7e4a75944ffd494ca7bf19aa72709b6c0a699a9f02b08c192d562bb
b7e06ae055e9edd7b5809c59e51914a70ec6a9c166e48a88f4ca4cee94728ff5

SH256 hash:

1a6873aa351dd8cac71bef84bd2fc954575716e34dbee4e10bf95f4f75d1615a

MD5 hash:

3202a743a7987f5a32b76adb96520c07

SHA1 hash:

efdda18b47dd5f08f92dc78a7b5bcdcd30dc488b

Detections:

win_emotet_a2

win_emotet_auto

Link:

https://www.unpac.me/results/965c75ec-29bd-497e-b56d-62ccfcb72867/

Parent samples :

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/62a66db694974210b72e57cf3e0ab1b21ae6f6222ca788b5ac541d1d8e017fb0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	IceID_Bank_trojan Create hunting rule
Author:	unixfreaxjp
Description:	Detects IcedID..adjusted several times

Rule name:	Win32_Trojan_Emotet Create hunting rule
Author:	ReversingLabs
Description:	Yara rule that detects Emotet trojan.

Rule name:	win_emotet_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample