MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 706bd5b40284565fdb308997c73ae1406cce4fa2490dfeede95062557296329a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 706bd5b40284565fdb308997c73ae1406cce4fa2490dfeede95062557296329a
SHA3-384 hash: 4a7bafdaeb447cae9e3ef3deddedcc341d37a83f71a0f8dc4d65a4d67f475d2a425eb9eb16a850978d864c0f221c64fc
SHA1 hash: e8b765095985c90cd68e79b6475c5145e453f092
MD5 hash: cab2779e7f7c8b776eb5684cebd68cf8
humanhash: william-oven-blue-seven
File name:emotet_e1_706bd5b40284565fdb308997c73ae1406cce4fa2490dfeede95062557296329a_2020-09-15__160559._doc
Download: download sample
Signature Heodo
Create hunting rule
File size:189'536 bytes
First seen:2020-09-15 16:06:58 UTC
Last seen:2020-09-15 22:58:34 UTC
File type:Word file docx
MIME type:application/msword
ssdeep 1536:qI491Y2wcI491Y2w+4tcTv8kvjEuJ0dH5L0c4vs3ti18NmIIP4ovlnoR+a9mXljx:A4tcTvjvTY140818tIP4ovpP1jn4PE
TLSH 4304C40927D2584EF33E8E712B94AAED1842DCF4999C906732C077657537B40FAE1AF8
Reporter Cryptolaemus1
Tags:doc Emotet epoch1 Heodo


Avatar
Cryptolaemus1
Emotet epoch1 doc

Intelligence

File Origin
# of uploads :
9
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
TwinWave.EvilDoc.AutoExecSeparateWays.20200818.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.VB.Trojan.VBA.Agent.BHH.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.WelcomeBackEmotetThatsWhyTheyCallItWindowPain.2020717.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.EmotetCROCryLittleSister.20200720.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.EmotetARCROClubbedToDeathKurayamino.20200904.UNOFFICIAL
Create hunting rule

Doc.Dropper.EmotetWinMob0920-9636503-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
DNS request
Creating a file
Creating a process from a recently created file
Moving a file to the Windows subdirectory
Creating a service
Connection attempt
Deleting a recently created file
Possible injection to a system process
Enabling autorun for a service
Launching a process by exploiting the app vulnerability
Sending an HTTP GET request to an infection source
Detection:
emotet
Create hunting rule
Link:
https://mwdb.cert.pl/sample/706bd5b40284565fdb308997c73ae1406cce4fa2490dfeede95062557296329a/
Threat name:
Document-Word.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2020-09-15 16:08:06 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=obv5lnacqrlf7wzqrgl4ooxbibwm4t5cjeg753pjkbrfk4uwgkna._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
macro
Link:
https://tria.ge/reports/200915-2wef13rbtj/
Behaviour
Suspicious Office macro
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Emotet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/706bd5b40284565fdb308997c73ae1406cce4fa2490dfeede95062557296329a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Heodo

Word file docx 706bd5b40284565fdb308997c73ae1406cce4fa2490dfeede95062557296329a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/503834/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/501295/
  
URLhaus
https://urlhaus.abuse.ch/url/502077/
  
URLhaus
https://urlhaus.abuse.ch/url/501292/
  
URLhaus
https://urlhaus.abuse.ch/url/505071/

Comments