MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e3b4a38d48c38c3a4b7cd900c9b77fd2d78b867912e49b10fbbea5b6be79980. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	6e3b4a38d48c38c3a4b7cd900c9b77fd2d78b867912e49b10fbbea5b6be79980
SHA3-384 hash:	c868c1df92167fcd846f448609a91a17aaf78e05f3e042187e3fb513802671a8e487cc3ecce935de89ec11d0a75857d7
SHA1 hash:	9b4d490d173c9656b238aef9779880b47303f4f5
MD5 hash:	2cfd324d6f5bd0b92043276bf8d1ceee
humanhash:	mars-georgia-sodium-mockingbird
File name:	9b4d490d173c9656b238aef9779880b47303f4f5
Download:	download sample
Signature	Heodo Create hunting rule
File size:	378'880 bytes
First seen:	2022-11-30 09:18:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f2117c5afc3adc434e754255980fd9e5 (1 x Heodo)
ssdeep	6144:PvGO3yl828vcPvSyv8vrvvvLvvvLvvvrvvvLvvvrvjvrvTPnbH7fvTv1DhU8888I:z1yWG888888888888W88888888888ETB
Threatray	118 similar samples on MalwareBazaar
TLSH	T10E84B7057BEA1179E5FE46384BB302C01D6EFE2015F1E4491E30EA4F9A7A5E788737A1
TrID	46.6% (.RLL) Microsoft Resource Library (x86) (177572/6/26) 35.4% (.EXE) Win32 Executable MS Visual C++ 4.x (134693/65) 8.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 2.7% (.EXE) Win64 Executable (generic) (10523/12/4) 1.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter	EstisRemiel
Tags:	Emotet exe Heodo

Intelligence

File Origin

# of uploads :

# of downloads :

234

Origin country :

Vendor Threat Intelligence

Malware family:

emotet

ID:

File name:

9b4d490d173c9656b238aef9779880b47303f4f5

Verdict:

Malicious activity

Analysis date:

2022-01-03 07:44:52 UTC

Tags:

trojan emotet

Link:

https://app.any.run/tasks/6eeb16e3-3369-4ec1-9767-60296a1bbe2d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Emotet

Link:

https://www.capesandbox.com/analysis/339959/

Detection(s):

Win.Malware.Emotet-7340122-0

Win.Malware.Emotet-7352065-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a service

Launching a service

Forced system process termination

Adding an access-denied ACE

Moving of the original file

Enabling autorun for a service

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed shell32.dll

Link:

https://www.filescan.io/uploads/63872007151dc20f68a7ecf9/reports/068b1042-8687-46de-84a4-278fc4866c4a/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Emotet

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/671a2105-44d7-457f-b25c-e706a6462b1b

Result

Threat name:

CryptOne, Emotet

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1123771

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Changes security center settings (notifications, updates, antivirus, firewall)

Detected CryptOne packer

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after checking mutex)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Query firmware table information (likely to detect VMs)

Yara detected Emotet

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6e3b4a38d48c38c3a4b7cd900c9b77fd2d78b867912e49b10fbbea5b6be79980/

Threat name:

Win32.Trojan.Emotet

Status:

Malicious

First seen:

2019-10-12 04:04:58 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

34 of 41 (82.93%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ny5uuogurq4mhjfxzwiazg3x7uwxrodhsexetmipxpvfw27htgaa._file

Verdict:

malicious

Label(s):

emotet

Result

Malware family:

emotet

Score:

10/10

Tags:

family:emotet botnet:epoch2 banker trojan

Link:

https://tria.ge/reports/221130-k964eaag7t/

Behaviour

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in System32 directory

Emotet

Malware Config

C2 Extraction:

91.121.116.137:443
80.79.23.144:443
192.254.173.31:8080
27.4.80.183:443
31.12.67.62:7080
95.128.43.213:8080
94.192.225.46:80
190.108.228.48:990
186.4.172.5:8080
87.230.19.21:8080
136.243.177.26:8080
185.94.252.13:443
206.189.98.125:8080
190.18.146.70:80
186.75.241.230:80
94.205.247.10:80
211.63.71.72:8080
190.186.203.55:80
115.78.95.230:443
212.71.234.16:8080
63.142.253.122:8080
92.233.128.13:143
190.211.207.11:443
159.65.25.128:8080
181.31.213.158:8080
85.54.169.141:8080
86.98.25.30:53
217.145.83.44:80
47.41.213.2:22
190.53.135.159:21
85.106.1.166:50000
101.187.237.217:20
85.104.59.244:20
169.239.182.217:8080
201.251.43.69:8080
149.167.86.174:990
173.212.203.26:8080
199.19.237.192:80
186.4.172.5:20
178.79.161.166:443
78.24.219.147:8080
189.209.217.49:80
182.176.132.213:8090
91.205.215.66:8080
138.201.140.110:8080
190.145.67.134:8090
92.222.216.44:8080
37.157.194.134:443
67.225.229.55:8080
104.236.246.93:8080
80.11.163.139:443
62.75.187.192:8080
217.160.182.191:8080
144.139.247.220:80
182.176.106.43:995
103.255.150.84:80
45.79.188.67:8080
87.106.139.101:8080
190.106.97.230:443
190.226.44.20:21
104.131.11.150:8080
103.97.95.218:143
80.11.163.139:21
124.240.198.66:80
142.44.162.209:8080
41.220.119.246:80
179.32.19.219:22
190.228.72.244:53
5.196.74.210:8080
83.136.245.190:8080
27.147.163.188:8080
45.33.49.124:443
45.123.3.54:443
149.202.153.252:8080
87.106.136.232:8080
24.51.106.145:21
182.76.6.2:8080
88.156.97.210:80
186.4.172.5:443
188.166.253.46:8080
46.105.131.87:80
222.214.218.192:8080
152.89.236.214:8080
181.143.194.138:443
181.143.53.227:21
200.71.148.138:8080
31.172.240.91:8080
178.254.6.27:7080

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/8f798932-917b-4a5e-83c5-d0339d18142b

Unpacked files

SH256 hash:

8616c8b9fb80e13cb71c58044eabb58c861b0e9df7903f57126d97b88bbe05d7

MD5 hash:

d79e4bcd22737a7055276dfd7e09b722

SHA1 hash:

d1f7b2713b09c76c3b2c19a5573b729a73f436f8

Detections:

win_emotet_auto

win_emotet_a2

Link:

https://www.unpac.me/results/a679331a-4bf0-4f04-8cb5-a29400471d35/

SH256 hash:

6e3b4a38d48c38c3a4b7cd900c9b77fd2d78b867912e49b10fbbea5b6be79980

MD5 hash:

2cfd324d6f5bd0b92043276bf8d1ceee

SHA1 hash:

9b4d490d173c9656b238aef9779880b47303f4f5

Link:

https://www.unpac.me/results/a679331a-4bf0-4f04-8cb5-a29400471d35/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6e3b4a38d48c38c3a4b7cd900c9b77fd2d78b867912e49b10fbbea5b6be79980

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/339959/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample