MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 796c8eb72c7cc9a7774df89dd5dff3952bf269165519dbf4ca7a58e311ccb3ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	796c8eb72c7cc9a7774df89dd5dff3952bf269165519dbf4ca7a58e311ccb3ef
SHA3-384 hash:	c496e0fdbbc30ecd49aefcb2e41ebb26019d4297a408efecb9708f025ac66974a1d14b809f81ccbf56fc41a23951ef6e
SHA1 hash:	51adc554afb5428043e9377854599eed074ffcb1
MD5 hash:	295fb0980535fee8a7d590b300f2551d
humanhash:	batman-diet-sierra-mike
File name:	emotet_exe_e2_796c8eb72c7cc9a7774df89dd5dff3952bf269165519dbf4ca7a58e311ccb3ef_2020-12-28__164557.exe
Download:	download sample
Signature	Heodo Create hunting rule
File size:	520'192 bytes
First seen:	2020-12-28 16:46:02 UTC
Last seen:	2020-12-28 18:54:31 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	0c8e7bcd452798b457f58e9bd0178322 (16 x Heodo)
ssdeep	6144:RQGDUk3ymE3KEt2uzySsBybpfgYNAJJkNiSS3d+ML/y34UQ:R/YkzYKEIuHsBAZ3NiSSEaA7Q
Threatray	255 similar samples on MalwareBazaar
TLSH	00B4AD2179C5A03AD0EB91762624AB8329BE7D725B6198C76FFC3D0817741C2E736B13
Reporter	Cryptolaemus1
Tags:	Emotet epoch2 exe Heodo

Cryptolaemus1

Emotet epoch2 exe

Intelligence

File Origin

# of uploads :

# of downloads :

345

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/109572/

Detection(s):

SecuriteInfo.com.ML.PE-A.7870.UNOFFICIAL

SecuriteInfo.com.ML.PE-A.20865.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/796c8eb72c7cc9a7774df89dd5dff3952bf269165519dbf4ca7a58e311ccb3ef/

Threat name:

Win32.Trojan.EmotetCrypt

Status:

Malicious

First seen:

2020-12-28 16:47:07 UTC

AV detection:

11 of 29 (37.93%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pfwi5nzmpte2o52n7co5lx7tsuv7e2iwkum5x5gkpjmogeomwpxq._file

Result

Malware family:

emotet

Score:

10/10

Tags:

family:emotet botnet:epoch2 banker trojan

Link:

https://tria.ge/reports/201228-tshq4yne7j/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Blocklisted process makes network request

Emotet

Malware Config

C2 Extraction:

98.109.133.80:80
75.177.207.146:80
50.116.111.59:8080
173.249.20.233:443
188.165.214.98:8080
181.165.68.127:80
110.145.101.66:443
74.208.45.104:8080
118.83.154.64:443
104.131.11.150:443
72.188.173.74:80
110.145.11.73:80
78.189.148.42:80
201.241.127.190:80
85.105.111.166:80
174.118.202.24:443
72.186.136.247:443
202.141.243.254:443
185.201.9.197:8080
139.99.158.11:443
79.137.83.50:443
109.116.245.80:80
87.106.139.101:8080
97.120.3.198:80
41.185.28.84:8080
190.240.194.77:443
5.39.91.110:7080
138.68.87.218:443
78.188.225.105:80
119.59.116.21:8080
61.19.246.238:443
167.114.153.111:8080
194.4.58.192:7080
115.94.207.99:443
37.139.21.175:8080
142.112.10.95:20
173.70.61.180:80
89.216.122.92:80
100.37.240.62:80
24.178.90.49:80
172.105.13.66:443
95.213.236.64:8080
62.30.7.67:443
50.91.114.38:80
95.9.5.93:80
152.170.205.73:80
136.244.110.184:8080
74.128.121.17:80
120.150.218.241:443
72.229.97.235:80
190.162.215.233:80
161.0.153.60:80
94.23.237.171:443
78.24.219.147:8080
220.245.198.194:80
46.105.131.79:8080
197.211.245.21:80
50.245.107.73:443
217.20.166.178:7080
70.183.211.3:80
202.134.4.211:8080
172.125.40.123:80
144.217.7.207:7080
190.29.166.0:80
134.209.144.106:443
194.190.67.75:80
201.252.34.3:80
178.152.87.96:80
47.144.21.37:80
2.58.16.89:8080
168.235.67.138:7080
203.153.216.189:7080
185.94.252.104:443
58.1.242.115:80
187.161.206.24:80
5.2.212.254:80
172.86.188.251:8080
24.69.65.8:8080
202.134.4.216:8080
64.207.182.168:8080
59.21.235.119:80
24.179.13.119:80
51.89.36.180:443
110.145.77.103:80
109.74.5.95:8080
121.124.124.40:7080
37.187.72.193:8080
172.104.97.173:8080
70.180.33.202:80
188.219.31.12:80
62.171.142.179:8080
62.75.141.82:80
74.40.205.197:443
200.116.145.225:443
139.162.60.124:8080
139.59.60.244:8080
181.171.209.241:443
209.141.54.221:7080
67.170.250.203:443
157.245.99.39:8080
70.92.118.112:80
120.150.60.189:80
176.111.60.55:8080
123.176.25.234:80
49.205.182.134:80

Unpacked files

SH256 hash:

796c8eb72c7cc9a7774df89dd5dff3952bf269165519dbf4ca7a58e311ccb3ef

MD5 hash:

295fb0980535fee8a7d590b300f2551d

SHA1 hash:

51adc554afb5428043e9377854599eed074ffcb1

Link:

https://www.unpac.me/results/74a50792-ef18-474e-8a0b-1c503b4f563d/

SH256 hash:

5046e105def8ee6114a35cb467a8a4370e0eb4e565a688e247638af280b7861d

MD5 hash:

3c8f39db16e6c3736571402b84e326a1

SHA1 hash:

dcc5f5d2708db13b775cfd15212c9873337f887f

Detections:

win_emotet_a2

Link:

https://www.unpac.me/results/74a50792-ef18-474e-8a0b-1c503b4f563d/

Parent samples :

3b41c52d4428f7c6f364835f47e41510f45eb7d4fa3d5bc110bd6c8657996a7e
8053ca9fb2c0e79064d92c06b0c6b8c84efa434c881e731e13393273639ae92f
796c8eb72c7cc9a7774df89dd5dff3952bf269165519dbf4ca7a58e311ccb3ef
3649e319c64de753313d27d8546e534f7cb5a8df0732ed6172135c021f368b9d
3cf5a2cdc11a161bdf3c6e732f0df7627f345d7e16d1b8b22411ed361538cdf8

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/796c8eb72c7cc9a7774df89dd5dff3952bf269165519dbf4ca7a58e311ccb3ef

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/109572/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample