MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76f0b6edc295cc561be4c44c83fcf7cb8e7807546d8babf137b6f4ae9dcee9a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76f0b6edc295cc561be4c44c83fcf7cb8e7807546d8babf137b6f4ae9dcee9a2
SHA3-384 hash: ff8aa32361dc1420d6e72ac45c1b14875c535d6de76a6683c4d8b0d265d0571e5dc79557539a125c44c56df4b6254f54
SHA1 hash: 2465e196c140581789af0e6f20de72a2a0eb3718
MD5 hash: 337595256cb7048b02fb34a7412cac07
humanhash: bacon-don-bluebird-seventeen
File name:76f0b6edc295cc561be4c44c83fcf7cb8e7807546d8babf137b6f4ae9dcee9a2
Download: download sample
Signature Heodo
Create hunting rule
File size:356'352 bytes
First seen:2020-04-13 16:16:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c2682ff10185614b2a5692ebc459857d (3 x Heodo)
ssdeep 6144:dbVO1cG/3mdn5NPUeYtjCJ2GnXGOr709nEXn99sF5M:hn5NPUjtjAGOrQwuI
Threatray 150 similar samples on MalwareBazaar
TLSH 5974BE2273E1C476D56312335E56C369A7BABD509E328387BBD03B0EEE305928E35761
Reporter abuse_ch
Tags:Emotet epoch1 exe Heodo

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Emotet
Create hunting rule
Link:
https://capesandbox.com/analysis/1087/
Detection(s):
Win.Malware.Emotet-7665911-0
Create hunting rule

Win.Malware.Emotet-7665924-0
Create hunting rule

Win.Malware.Emotet-7665928-0
Create hunting rule

Win.Malware.Emotet-7665934-0
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2020-04-13 16:35:25 UTC
File Type:
PE (Exe)
Extracted files:
42
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o3yln3ocsxgfmg7eyrgih7hxzohhqb2unwf2x4jxw32k5hoo5gra._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
trickbot
Create hunting rule
Similar samples:
1ca20db037045c721981ddce01528fa4406e581f5d0ea897c9ddd17b0db1f545
Heodo
1d70a3a3a0a272e37e03631b10eff1d17318e82105aa4d365b5c0ca67d051ada
Heodo
1ff36792edbc187f3c27fea4601240b03ebf68a35d99ee3b3aa98f27b4d04cf2
Heodo
23d88898a1f8368db37855bc147da3b0e455a9c866a6924dea2ac2715c7a5721
Heodo
7a3cdb575c0821cb1a8c492105fb674999f7fb0674007b669ef837a77335e447
Heodo
8978de8be9668bb2ce0f813180efe103e0660cbc68633916f2f0b8c49e6f1508
Heodo
9b35408ca7fc6cbc2185a36d5e5665e6f47c168c5d074cc848916bf1c8b96d0d
Heodo
aeb5918b32bf5beccd7b45c00049af6a1754d3834f3f3e1376c60f33df02c385
Heodo
d8e0beeb51f2332cfe5cefe52260444b054bb4b1ef7e0bc1442c266772c14619
Heodo
eac1f0da2a4d4863824da293add5f733b84a2212bec8aee9b7b339cb8321c97e
Heodo
+ 140 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://capesandbox.com/analysis/1087/
  
X
https://twitter.com/Cryptolaemus1/status/1249731973893042181
  
Link
https://paste.cryptolaemus.com/emotet/2020/04/13/emotet-c2-rsa-update-04-13-20-1.html
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/1186/
Cape
Cape
https://www.capesandbox.com/analysis/1182/
Cape
Cape
https://www.capesandbox.com/analysis/1087/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoFreeUnusedLibraries
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::GetFileAttributesA
KERNEL32.dll::FindFirstFileA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegOpenKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegQueryValueA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments