MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f6bac4133e06b5a0bb3a8dad3874f7c33b51319396896c60d2bdf9e9f77def9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f6bac4133e06b5a0bb3a8dad3874f7c33b51319396896c60d2bdf9e9f77def9
SHA3-384 hash: 83421f02dd75576dcd9dad50e0fceea63b21998b7b3b8902704f7bdaef6a28697b553780118c9edf8948be1e3ab250e7
SHA1 hash: 5d845b029a550d73364071c8d6ddccbfcc3cbf5c
MD5 hash: 49de0cbd75e714e647749f752ed46c78
humanhash: asparagus-pasta-mississippi-oscar
File name:LisectAVT_2403002B_302.exe
Download: download sample
Signature Heodo
Create hunting rule
File size:217'088 bytes
First seen:2024-07-25 01:12:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1819c2454df9ac0d69e1d0af92c7bcf2 (1 x Heodo)
ssdeep 3072:NRZLLKF311qOaUlc7XBGbuQickfJ4/sWjk3lGz5JuRQ6FSpuAHkruD+GCH:PC13aU2LYCVD4//D5J6FSp30K
Threatray 91 similar samples on MalwareBazaar
TLSH T1CE248C1336D1C4B2F1AA21310D62BA59E3B6FD305F31866B63543B0EAE37AC54F2535A
TrID 31.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
23.7% (.EXE) InstallShield setup (43053/19/16)
17.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
5.8% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon ec130f4c4d4d4d4d (1 x Heodo)
Reporter Anonymous
Tags:Emotet exe Heodo


Avatar
Anonymous
this malware sample is very nasty!

Intelligence

File Origin
# of uploads :
1
# of downloads :
339
Origin country :
CN CN
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Emotet-7796239-0
Create hunting rule

Win.Malware.Wapomi-10020301-0
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Changing an executable file
Creating a window
Sending an HTTP GET request to an infection source
Modifying an executable file
Сreating synchronization primitives
Connection attempt
Query of malicious DNS domain
Connection attempt to an infection source
Infecting executable files
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint iceid keylogger lolbin microsoft_visual_cc shell32
Link:
https://www.filescan.io/uploads/66a1a6ad4c5c17942a7d383b/reports/5d817091-929c-47ee-92b2-083275863eab/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Emotet
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/42012e88-98b7-46db-a335-cdb7f2165591
Result
Threat name:
Bdaejec, Emotet
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1481827
Behaviour
Behavior Graph:
n/a
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6f6bac4133e06b5a0bb3a8dad3874f7c33b51319396896c60d2bdf9e9f77def9
Detection:
emotet
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6f6bac4133e06b5a0bb3a8dad3874f7c33b51319396896c60d2bdf9e9f77def9/
Threat name:
Win32.Virus.Jadtre
Create hunting rule
Status:
Malicious
First seen:
2024-07-25 01:13:12 UTC
File Type:
PE (Exe)
Extracted files:
46
AV detection:
36 of 38 (94.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n5v2yqjt4bvvuc5tvdnnhb2ppqz3keyzhfujnrqnfppz5h3x334q._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
Similar samples:
054950ec4b96885bf32f8fb76cbc035cb43e92ed3d32b8b2e6612aab6bf2e764
Heodo
2a512a362b97d38dd7c779075c6fd2025f12730a48ca1efc83e906ad79925fdc
Heodo
428be1092c4ae65fce28e356d4c95f340fe44c5f6fa25c32e73e274876ff2e4a
Heodo
61e7c063001add6f34d3a5b2c5c7a9458c7177b25b3138647a2a74ffa5f8b5c1
Heodo
7984d09227202bd6711dd92823252456c24a686415fc097d868479b04ef20cc1
Heodo
7e7da71b1c666d77de8142851f42c836a3f0bf690d6fb331a4512bd032c684d9
Heodo
a5692e2ce3da355c332f3720f2ece1bb71323038ae533d578796ec965adea7d0
Heodo
b9d9d5e9b09bddfa66571cc8750e609980c77ef3353a83bb702757f84588a1f8
Heodo
cd13a9a774197bf84bd25a30f4cd51dbc4908138e2e008c81fc1feef881c6da7
Heodo
cff795abfd7be108213e53e2be91749f487d1eb37169ddf81d5084a27cb68ad7
Heodo
+ 81 additional samples on MalwareBazaar
Result
Malware family:
emotet
Create hunting rule
Score:
  10/10
Tags:
family:emotet botnet:epoch2 aspackv2 banker discovery trojan
Link:
https://tria.ge/reports/240725-bk6xnssbke/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
ASPack v2.12-2.42
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Emotet
Malware Config
C2 Extraction:
195.76.232.114:80
82.223.70.24:8080
45.33.49.124:443
136.243.205.112:7080
110.145.77.103:80
74.208.45.104:8080
24.94.237.248:80
186.208.123.210:443
67.235.68.222:80
209.151.248.242:8080
200.41.121.90:80
5.196.74.210:8080
201.173.217.124:443
185.155.20.82:80
139.130.242.43:80
114.145.241.208:80
168.235.67.138:7080
162.241.92.219:8080
98.156.206.153:80
101.187.97.173:80
95.213.236.64:8080
113.160.130.116:8443
46.105.131.87:80
104.131.44.150:8080
95.128.43.213:8080
68.44.137.144:443
178.20.74.212:80
60.250.78.22:443
87.106.136.232:8080
113.61.66.94:80
87.106.139.101:8080
58.171.38.26:80
193.80.169.64:80
91.205.215.66:443
37.187.72.193:8080
104.236.246.93:8080
169.239.182.217:8080
50.116.86.205:8080
196.179.249.218:8080
60.130.173.117:80
85.152.174.56:80
210.56.10.58:80
211.63.71.72:8080
58.177.172.160:80
93.51.50.171:8080
185.94.252.104:443
62.138.26.28:8080
98.15.140.226:80
78.189.165.52:8080
31.31.77.83:443
160.16.215.66:8080
176.9.43.37:8080
103.86.49.11:8080
62.75.141.82:80
5.39.91.110:7080
177.230.81.0:22
104.131.11.150:443
176.111.60.55:8080
78.24.219.147:8080
78.186.5.109:443
62.75.187.192:8080
212.174.19.87:80
37.139.21.175:8080
190.160.53.126:80
195.244.215.206:80
59.20.65.102:80
209.141.54.221:8080
23.92.16.164:8080
92.222.216.44:8080
120.151.135.224:80
41.60.200.34:80
87.127.197.7:8080
46.105.131.69:443
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c6ef13a3-6789-49ae-b4fd-fe404413b042
Unpacked files
SH256 hash:
adb00e9baff6a73dac0b588b18d06a5a4be33e9af0cf13d1f2fb669636fbb9d7
MD5 hash:
edccd808851f473d531a58bbd5f8d1d7
SHA1 hash:
eff5f9358937eb9e78aab38581f62a8985dbb300
Detections:
win_emotet_auto
Create hunting rule
win_emotet_a2
Create hunting rule
MALW_emotet
Create hunting rule
Emotet
Create hunting rule
Link:
https://www.unpac.me/results/d2c11f02-c5ed-4b32-a820-23c0f7d002a7/
SH256 hash:
6711adb4175ab83a30fb5606913ced5476dbfeb522f64da0e351b28146987403
MD5 hash:
32d49d01251f49eb7346f9aeeb09a41c
SHA1 hash:
2fc7547d06c8e0aebcbba0d3c482f231bdf36120
Detections:
win_unidentified_045_auto
Create hunting rule
win_unidentified_045_g0
Create hunting rule
Link:
https://www.unpac.me/results/d2c11f02-c5ed-4b32-a820-23c0f7d002a7/
SH256 hash:
6f6bac4133e06b5a0bb3a8dad3874f7c33b51319396896c60d2bdf9e9f77def9
MD5 hash:
49de0cbd75e714e647749f752ed46c78
SHA1 hash:
5d845b029a550d73364071c8d6ddccbfcc3cbf5c
Link:
https://www.unpac.me/results/d2c11f02-c5ed-4b32-a820-23c0f7d002a7/
Malware family:
Emotet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6f6bac4133e0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Heodo

Executable exe 6f6bac4133e06b5a0bb3a8dad3874f7c33b51319396896c60d2bdf9e9f77def9

(this sample)

  
Link
https://bbs.kafan.cn/forum-31-1.html
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::SetStdHandle
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegOpenKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegQueryValueA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::FindWindowA
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments