MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6eae48320abe04b3923ba5f6dc28016206e1c489831f320640c12afd8f09468c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6eae48320abe04b3923ba5f6dc28016206e1c489831f320640c12afd8f09468c
SHA3-384 hash: 338d8b0daccb5e4e428864bbe572ba8c421219d351c810065d0cf518788761620c9d99fbf007129b8901c2f2d63cf7f4
SHA1 hash: 18fbfe5fac2443c67e61054de63d30334c4285fb
MD5 hash: 54faa403df1d7b9e6a630ebfd6565e19
humanhash: river-july-alanine-bravo
File name:54faa403df1d7b9e6a630ebfd6565e19
Download: download sample
Signature Heodo
Create hunting rule
File size:460'288 bytes
First seen:2021-12-04 04:21:11 UTC
Last seen:2021-12-09 03:10:43 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 479782c40538d0c8b72b2791f9b6cfc8 (37 x Heodo)
ssdeep 6144:31v9X/WHuR1R0bB5HKg0EWBe0uCvn7DOPnAOEiZouxc16uoSr4j7G63up9A2:31J/WHlN5HKcWEMn70bxnuF+jKx
Threatray 803 similar samples on MalwareBazaar
TLSH T119A4C010B682C032D5BF0134643ADAA605BE7C718BB1C4EBB3D42B7E5E356C15B35AA7
Reporter zbetcheckin
Tags:32 dll Emotet exe Heodo

Intelligence

File Origin
# of uploads :
3
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/211190/
Detection(s):
SecuriteInfo.com.Variant.Zusy.409265.15420.8264.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
emotet packed zusy
Link:
https://www.filescan.io/uploads/61aaeceefa72c81b5b0a755e/reports/252d4080-3c89-43f3-b684-7b20bd7daedb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a5ddb5d4-d2ab-4050-befb-61bffc0d2237
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/901281
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 533759 Sample: MI99gmyC7v Startdate: 04/12/2021 Architecture: WINDOWS Score: 56 42 Multi AV Scanner detection for submitted file 2->42 8 loaddll32.exe 1 2->8         started        process3 signatures4 46 Tries to detect virtualization through RDTSC time measurements 8->46 11 cmd.exe 1 8->11         started        13 rundll32.exe 2 8->13         started        16 regsvr32.exe 8->16         started        18 4 other processes 8->18 process5 signatures6 20 rundll32.exe 11->20         started        48 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->48 23 rundll32.exe 13->23         started        50 Tries to detect virtualization through RDTSC time measurements 16->50 25 rundll32.exe 16->25         started        27 iexplore.exe 2 143 18->27         started        30 rundll32.exe 18->30         started        32 rundll32.exe 18->32         started        process7 dnsIp8 44 Tries to detect virtualization through RDTSC time measurements 20->44 34 rundll32.exe 20->34         started        36 btloader.com 104.26.6.139, 443, 49816, 49817 CLOUDFLARENETUS United States 27->36 38 hblg.media.net 23.211.6.95, 443, 49783, 49784 AKAMAI-ASUS United States 27->38 40 5 other IPs or domains 27->40 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6eae48320abe04b3923ba5f6dc28016206e1c489831f320640c12afd8f09468c/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-12-03 09:09:07 UTC
File Type:
PE (Dll)
Extracted files:
4
AV detection:
24 of 44 (54.55%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n2xeqmqkxyclher3ux3nykabmidodrejqmptebsayevp3dyji2ga._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
Similar samples:
46892e948fb220b65f25f5a48f773d7c75b2bb822b81fb706c6ddbd9c8cefcc8
Heodo
4dbe02d21aa642de75843f7b08b3c6260c618cfdeeb19b375fdad10754fc0a8c
Heodo
7b8d685c992898c10a03ef7d97e3c65f5accdf7d4fb1dfc272f1848b904fa687
Heodo
b39723c67977d3e90e4ef6e82418d361f61e254f8a611138ff2b78a7f46c129e
Heodo
bc837218ff35083c9236f7955000a43e678825d9aaa3e285d3603da51ba8024d
Heodo
c19c6edabcc98e545a2365f82ef59f54e13e5a23f5583c18937612f1c6a96b48
Heodo
d351ae2bef11c070988dd99afec0446216ffb14f99290c8955c34e8f5cfaef63
Heodo
d36820a2a6f957fe2cfefabef255a96e0a430e2fe9cbe25e1fcb006b24398a27
Heodo
fc648cec0e96fd39387619ec2855ca083fbfbe3013893ee720d9bec934ddcc0f
Heodo
fd8237417d71c5c0d390bf8e5cfd4019843310c01262a90cb6de53dbc4d25312
Heodo
+ 793 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/211204-ey9r9sadcl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
2080139a274117c8dfc7dc5b51670426dab5dc4fb0698d5f0218f02b02f3006a
MD5 hash:
6b788619784caf1c8a5dad999c5bebaa
SHA1 hash:
5003860b2ad74d435d886340afa1c6310ae658cf
Detections:
win_emotet_a2
Create hunting rule
win_emotet_auto
Create hunting rule
Link:
https://www.unpac.me/results/b352c802-8265-4cdb-9541-ed029a7f74c2/
SH256 hash:
6eae48320abe04b3923ba5f6dc28016206e1c489831f320640c12afd8f09468c
MD5 hash:
54faa403df1d7b9e6a630ebfd6565e19
SHA1 hash:
18fbfe5fac2443c67e61054de63d30334c4285fb
Link:
https://www.unpac.me/results/b352c802-8265-4cdb-9541-ed029a7f74c2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6eae48320abe04b3923ba5f6dc28016206e1c489831f320640c12afd8f09468c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Heodo

DLL dll 6eae48320abe04b3923ba5f6dc28016206e1c489831f320640c12afd8f09468c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1840885/
Cape
Cape
https://www.capesandbox.com/analysis/211190/

Comments


Avatar
zbet commented on 2021-12-04 04:21:13 UTC

url : hxxp://fortcomfurniture.com/wp-content/CjlFlJJbwZI6VgFMj/