MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e966af29197d10046a22d50f9d4204fa6cbc7ff321ad39b386169bdf9606902. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e966af29197d10046a22d50f9d4204fa6cbc7ff321ad39b386169bdf9606902
SHA3-384 hash: 79cd9618a4092891382acc2e6b6d5ece9ceebf067f80509506e5094fb96ecf20a9f12908352a38bb15d0243dd1a47fc3
SHA1 hash: bcb1e5e26724591376230c769ae4d9e63344d156
MD5 hash: b03e1dfd0c34abb419e35e31eb9eeb8d
humanhash: quiet-tennessee-double-magazine
File name:6e966af29197d10046a22d50f9d4204fa6cbc7ff321ad39b386169bdf9606902
Download: download sample
Signature Heodo
Create hunting rule
File size:425'984 bytes
First seen:2020-11-15 22:45:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 66ec9561fcca92628267bd0fed88965e (17 x Heodo)
ssdeep 12288:rFCyaUckekGDOhZV+b0DIOiG5RERxRPRAR1RpR9r5xwVsS:rFskGihZVlEOi+esS
TLSH 6394AD1177D0D472C26220394A56A7B4AABEFCB19EB553877BD03B2D9F302D19A38707
Reporter seifreed
Tags:Emotet Heodo

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Dropper.Emotet-9789042-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Connection attempt
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6e966af29197d10046a22d50f9d4204fa6cbc7ff321ad39b386169bdf9606902/
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2020-11-15 22:46:05 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n2lgv4urs7iqarvcfviptvbaj6tmxr77ginnhgzymfu336laneba._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
Result
Malware family:
emotet
Create hunting rule
Score:
  10/10
Tags:
family:emotet botnet:epoch3 banker trojan
Link:
https://tria.ge/reports/201115-lmw3mnq5q2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Drops file in Windows directory
Emotet Payload
Emotet
Malware Config
C2 Extraction:
27.78.27.110:443
81.241.22.161:20
91.121.200.35:8080
159.203.16.11:8080
188.226.165.170:8080
115.79.195.246:80
153.204.122.254:80
77.74.78.80:443
37.205.9.252:7080
36.91.44.183:80
58.94.58.13:80
37.46.129.215:8080
172.96.190.154:8080
157.7.164.178:8081
175.103.38.146:80
103.229.73.17:8080
45.239.204.100:80
5.12.246.155:80
179.5.118.12:80
185.80.172.199:80
116.202.10.123:8080
195.201.56.70:8080
192.210.217.94:8080
202.29.237.113:8080
2.58.16.86:8080
120.51.34.254:80
46.105.131.68:8080
27.82.13.10:80
223.17.215.76:80
177.85.177.206:80
119.228.75.211:80
115.79.59.157:80
192.241.220.183:8080
73.55.128.120:80
177.130.51.198:80
198.20.228.9:8080
185.142.236.163:443
5.79.70.250:8080
79.133.6.236:8080
5.2.164.75:80
113.203.238.130:80
180.148.4.130:8080
178.33.167.120:8080
109.13.179.195:80
201.163.74.203:80
139.59.61.215:443
183.91.3.63:80
85.246.78.192:80
190.192.39.136:80
143.95.101.72:8080
103.93.220.182:80
213.165.178.214:80
190.7.217.90:80
185.208.226.142:8080
117.2.139.117:443
190.180.65.104:80
41.185.29.128:8080
2.82.75.215:80
121.117.147.153:443
178.254.36.182:8080
109.99.146.210:8080
189.123.103.233:80
203.56.191.129:8080
188.166.220.180:7080
91.75.75.46:80
186.146.229.172:80
110.37.224.243:80
78.90.78.210:80
58.27.215.3:8080
200.243.153.66:80
73.100.19.104:80
162.144.145.58:8080
54.38.143.245:8080
60.108.128.186:80
172.105.78.244:8080
190.194.12.132:80
75.127.14.170:8080
139.59.12.63:8080
86.124.32.113:80
46.32.229.152:8080
190.85.46.52:7080
91.83.93.103:443
153.229.219.1:443
74.208.173.91:8080
42.200.96.63:80
94.52.168.188:80
190.164.135.81:80
103.80.51.61:8080
109.206.139.119:80
8.4.9.137:8080
190.147.84.191:443
203.153.216.178:7080
192.163.221.191:8080
50.116.78.109:8080
60.125.114.64:443
152.32.75.74:443
189.55.48.40:80
5.2.246.108:80
Unpacked files
SH256 hash:
6e966af29197d10046a22d50f9d4204fa6cbc7ff321ad39b386169bdf9606902
MD5 hash:
b03e1dfd0c34abb419e35e31eb9eeb8d
SHA1 hash:
bcb1e5e26724591376230c769ae4d9e63344d156
Link:
https://www.unpac.me/results/cbacba91-3216-4630-afef-adc71d3e6b78/
SH256 hash:
dc9f695ee10ff2257e0de36d508197bd6b99ec41339dd6ab7ba05bdd9d38f229
MD5 hash:
6637c17fc8793557387a51aa22fbfc06
SHA1 hash:
9ed50142dceab4d8280735ee995fb914a1491dc1
Detections:
win_emotet_a2
Create hunting rule
win_emotet_auto
Create hunting rule
Link:
https://www.unpac.me/results/cbacba91-3216-4630-afef-adc71d3e6b78/
Parent samples :
46caf733990074e9fc82b654c0aecd9b72e59409df1074216e18a0f100202249
1275d1d7336acbed34142c9727384765a493d6c585fb6b9f2d5c913068d170da
146d77f2b3105bf906b5466e65e71dd9096d83aa585bdc8669d2f1b81406890c
2d7bc74b468ee47a209a23a7b0e7b98dad2f1ccf84382921244ba8d59a3a3213
6e966af29197d10046a22d50f9d4204fa6cbc7ff321ad39b386169bdf9606902
f6bed6f55ffc433c48050563a426756f6382356aa56e4562c4a07a4cd3d80a51
ecaae16ebe63e39f9a1f2a1076053b909634e17e596628a9487e30f755e7881c
c20f840e45aca11eaed74f17f156c01c6d65e3fb4cac78b245da5a526a8456d3
SH256 hash:
0f58e8542a35156fd003cdea8d284a2c4e9e3b7b29e060350ef2b48a265f4b61
MD5 hash:
69f4c004fe51d93f9aac7e57e8db51ff
SHA1 hash:
cfec0e154c158c941cac4d1cdb3b796984417be2
Detections:
win_emotet_a2
Create hunting rule
win_emotet_auto
Create hunting rule
Link:
https://www.unpac.me/results/cbacba91-3216-4630-afef-adc71d3e6b78/
Parent samples :
46caf733990074e9fc82b654c0aecd9b72e59409df1074216e18a0f100202249
1275d1d7336acbed34142c9727384765a493d6c585fb6b9f2d5c913068d170da
8acccd748190b61c34a12c5d5fd234b21bba651288e81cf924a5f2553c6df9af
7dce9f57836ba1b8f708ead7140a5e850050c25695351f0fbcc0c6729c84107a
6366899c0bacf9ad12319e59da305c333cbab6ecfdd84db601c699a074b9add3
146d77f2b3105bf906b5466e65e71dd9096d83aa585bdc8669d2f1b81406890c
35e1d713a4a3663cc9d822a94cf0e55aeb0281d86d7f886205ee0d71d0f0889d
2d7bc74b468ee47a209a23a7b0e7b98dad2f1ccf84382921244ba8d59a3a3213
a7fe02ff5bfef61b9d2344b8b8cc225f988f0f354220b564457231e4d98d21fb
6e966af29197d10046a22d50f9d4204fa6cbc7ff321ad39b386169bdf9606902
f6bed6f55ffc433c48050563a426756f6382356aa56e4562c4a07a4cd3d80a51
5b1e742aa624e3ba3590c2954660614d69ed01c4527a7f5c596fc862c82c77b5
f2c455143ba76694ed0d1d2c33add8d98601892b6707f41d289af96e2bd3e6fb
ecaae16ebe63e39f9a1f2a1076053b909634e17e596628a9487e30f755e7881c
997e6221f53ed9a0d3c487c17381fe84d8ab87c25583efb0b3b776b1cd4ca9d5
c20f840e45aca11eaed74f17f156c01c6d65e3fb4cac78b245da5a526a8456d3
9578ec5dbef3ce203772d7609288fe9a7a81b140049d7ef74d55522ed451f41e
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6e966af29197d10046a22d50f9d4204fa6cbc7ff321ad39b386169bdf9606902

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Win32_Trojan_Emotet
Create hunting rule
Author:ReversingLabs
Description:Yara rule that detects Emotet trojan.
Rule name:win_emotet_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments