MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74cd27b676a9a1e40fc865758435989dcf9d0b73d9667e7313283bdb0c2ba2ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 74cd27b676a9a1e40fc865758435989dcf9d0b73d9667e7313283bdb0c2ba2ff
SHA3-384 hash: f1de7891f48882bd3b7178c360f2a54faa7c804924567344e743fca35d7fe798becb1ebdffc4362f58e1e6896722a697
SHA1 hash: 17d0bff19c8cc70fdf38c6357628ba81d3a0f1ea
MD5 hash: 07a749f2883ad53ba186af1c8fa6ef00
humanhash: potato-india-neptune-october
File name:74cd27b676a9a1e40fc865758435989dcf9d0b73d9667e7313283bdb0c2ba2ff
Download: download sample
Signature Heodo
Create hunting rule
File size:299'008 bytes
First seen:2020-11-06 10:40:12 UTC
Last seen:2020-11-07 12:48:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f7795bfd30310fda3dd177152179acc3 (26 x Heodo)
ssdeep 3072:MVwGs+K2E4uoG+CFT7xtNX0oFg1zrXBlC5eTFQqibjYSPC0u8OMGeIkSJxDNZ6E5:hG8+UnFT9Isg1X4eTqqFuu8Qefyx3N5
TLSH 26546B93F2C5C577E0F2A171CD61B30662A5FC61CAF182A76A43F60E5DBB5C0E928352
Reporter seifreed
Tags:Emotet Heodo

Intelligence

File Origin
# of uploads :
2
# of downloads :
49
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Armadillo-65
Create hunting rule

Win.Trojan.Generic-9763568-0
Create hunting rule

SecuriteInfo.com.IceID_Bank_trojan.12206.24112.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Connection attempt
Connection attempt to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/74cd27b676a9a1e40fc865758435989dcf9d0b73d9667e7313283bdb0c2ba2ff/
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2020-09-18 23:42:58 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=otgspntwvgq6id6imv2yinmytxhz2c3t3fth44ytfa55wdblul7q._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
Result
Malware family:
emotet
Create hunting rule
Score:
  10/10
Tags:
family:emotet botnet:epoch2 banker trojan
Link:
https://tria.ge/reports/201106-qbrag84zqx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Emotet Payload
Emotet
Malware Config
C2 Extraction:
71.72.196.159:80
134.209.36.254:8080
120.138.30.150:8080
94.23.216.33:80
157.245.99.39:8080
137.59.187.107:8080
94.23.237.171:443
61.19.246.238:443
156.155.166.221:80
50.35.17.13:80
153.137.36.142:80
91.211.88.52:7080
209.141.54.221:8080
185.94.252.104:443
174.45.13.118:80
87.106.136.232:8080
62.75.141.82:80
213.196.135.145:80
188.219.31.12:80
82.80.155.43:80
187.161.206.24:80
172.91.208.86:80
124.41.215.226:80
107.5.122.110:80
200.123.150.89:443
95.179.229.244:8080
83.169.36.251:8080
1.221.254.82:80
95.213.236.64:8080
181.169.34.190:80
47.144.21.12:443
203.153.216.189:7080
89.216.122.92:80
84.39.182.7:80
94.200.114.161:80
104.236.246.93:8080
139.99.158.11:443
176.111.60.55:8080
78.24.219.147:8080
220.245.198.194:80
62.30.7.67:443
139.162.108.71:8080
104.32.141.43:80
153.232.188.106:80
93.147.212.206:80
79.137.83.50:443
96.249.236.156:443
24.43.99.75:80
75.80.124.4:80
42.200.107.142:80
110.5.16.198:80
5.196.74.210:8080
110.145.77.103:80
200.114.213.233:8080
85.152.162.105:80
5.39.91.110:7080
109.74.5.95:8080
140.186.212.146:80
37.187.72.193:8080
97.82.79.83:80
139.130.242.43:80
201.173.217.124:443
123.176.25.234:80
104.131.44.150:8080
74.208.45.104:8080
139.59.60.244:8080
120.150.60.189:80
74.219.172.26:80
219.75.128.166:80
82.225.49.121:80
85.105.205.77:8080
24.179.13.119:80
74.120.55.163:80
174.102.48.180:443
219.74.18.66:443
168.235.67.138:7080
194.187.133.160:443
78.187.156.31:80
103.86.49.11:8080
61.92.17.12:80
24.137.76.62:80
104.131.11.150:443
79.98.24.39:8080
75.139.38.211:80
162.241.242.173:8080
195.251.213.56:80
37.139.21.175:8080
46.105.131.79:8080
50.91.114.38:80
121.124.124.40:7080
74.134.41.124:80
68.188.112.97:80
137.119.36.33:80
121.7.127.163:80
87.106.139.101:8080
94.1.108.190:443
169.239.182.217:8080
Unpacked files
SH256 hash:
74cd27b676a9a1e40fc865758435989dcf9d0b73d9667e7313283bdb0c2ba2ff
MD5 hash:
07a749f2883ad53ba186af1c8fa6ef00
SHA1 hash:
17d0bff19c8cc70fdf38c6357628ba81d3a0f1ea
Link:
https://www.unpac.me/results/bcf3f80c-d64b-408f-b62f-2f086d3d2090/
SH256 hash:
3822ffa36b251a65ab4042d3c6f7457684abb452366ef248868176b3d22c2ab2
MD5 hash:
41e94aa07c5dccad6e51f44b0d1fdc9a
SHA1 hash:
6a25ae2aa5bf3b439f600b07375b7a1ad3fa28fc
Detections:
win_emotet_a2
Create hunting rule
win_emotet_auto
Create hunting rule
Link:
https://www.unpac.me/results/bcf3f80c-d64b-408f-b62f-2f086d3d2090/
Parent samples :
5372bd0828f244194da1276444cd7953d87db2ceebd38800a1fac79362f57b5f
8248bd7cc2f5bbb3e08c661d1296399dfd34b396738569bf29a9529e705044d9
eabe42a0d48d5ef375af2877cf5c91faba8c275d74dbca212a0946c45cd7dc56
74cd27b676a9a1e40fc865758435989dcf9d0b73d9667e7313283bdb0c2ba2ff
386ffcd69cb2209f6df22a6eebf30aec0abf91359a33336b1c14207f0b5d530c
0d0f737d12f56d6d619459b084ee19183a1871e304c5b11ee2ffaa029d33146c
da46e949f33f5e9f7b2129d4b423326ec35d156e1d5c40ec0b5893936b46b783
d38334e63877177fbd45f763f930a5953f41c28087bc6e7a4e43057ca2b8c064
e889114fdcc57a1e8590a7e31a90b545f0ac0f6e9e16159a1be159185db16914
48765ef6696047df4c096636581097f972dd1b2cb9e1ae05b76f667118f59de5
22bd7f59268468c81d8919b7b12f4122c140eeaed950d3e076fe6e72785dce90
df3ae8affc8879b2c5c403fa8ae52d0c944d61e7f39adda2f3e6155188ed38d7
c37ae465ddd63d49f36380cf223d1b0d3117021190d73bc37ee132ec10020342
ef503d5f5a41649720ea8bd5ed226aff3927ecd4c8fd80666ac2fda9d1c2e6cf
8c040d75defb681d1757421cad1fde62b74ba124a23e3b9ab3826d9806dcb35a
SH256 hash:
ecaa464c51f7824390a26bb3a17eeda32a91f706fd3d4c552eb6b30f652fa0d6
MD5 hash:
117cab84612bda20c85b9547e9eca073
SHA1 hash:
c847972ba7a1b294da61070f56dcb66900e40b3f
Detections:
win_emotet_a2
Create hunting rule
win_emotet_auto
Create hunting rule
Link:
https://www.unpac.me/results/bcf3f80c-d64b-408f-b62f-2f086d3d2090/
Parent samples :
74cd27b676a9a1e40fc865758435989dcf9d0b73d9667e7313283bdb0c2ba2ff
386ffcd69cb2209f6df22a6eebf30aec0abf91359a33336b1c14207f0b5d530c
da46e949f33f5e9f7b2129d4b423326ec35d156e1d5c40ec0b5893936b46b783
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:IceID_Bank_trojan
Create hunting rule
Author:unixfreaxjp
Description:Detects IcedID..adjusted several times
Rule name:Win32_Trojan_Emotet
Create hunting rule
Author:ReversingLabs
Description:Yara rule that detects Emotet trojan.
Rule name:win_emotet_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_sisfader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments