MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80f4dd3bacd478bc6e6975bf155987e9bd4585c14f832649a09cfa542222cf00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	80f4dd3bacd478bc6e6975bf155987e9bd4585c14f832649a09cfa542222cf00
SHA3-384 hash:	5cd5a4822a91c63930ced7a0aa6a9a068804355d466757ee402dbcc516a78e774022e268bc0cc99a0bad973573a1b6c7
SHA1 hash:	2c9654bc8864d5a58cbfbdf8ba02d65134b2c58d
MD5 hash:	84ff2496d0a77fd3f42f637f0b4d16f8
humanhash:	cup-violet-carbon-high
File name:	84ff2496d0a77fd3f42f637f0b4d16f8
Download:	download sample
Signature	Heodo Create hunting rule
File size:	275'456 bytes
First seen:	2022-07-14 06:33:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	63eff8a065c6d44859c3b54eb482a5d6 (84 x Heodo)
ssdeep	6144:HhuDhkX/MAXxTCFQi+2JW/PAiikmKx770v/5kjjB589:HhuDCvM0IQi1W/PAiikPNm+jD
Threatray	5'630 similar samples on MalwareBazaar
TLSH	T10944DF01748CD0E9D27A9938A8E20B0387A57C11D3F653EF9B2046790BB37DA6D7F694
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	f4f4ac8cacacd4d4 (85 x Heodo, 11 x Formbook, 10 x SnakeKeylogger)
Reporter	openctibr
Tags:	Emotet exe Heodo OpenCTI.BR Sandboxed

Intelligence

File Origin

# of uploads :

# of downloads :

122

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/288536/

Detection(s):

Win.Trojan.Emotet-9955402-0

SecuriteInfo.com.Emotet-FTY2DF0051B2E60.18134.26496.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a service

Launching a process

Moving of the original file

Enabling autorun for a service

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/62cfb8fe3c475438b5479c20/reports/0ac16da5-abc7-4dc6-b701-8ee67e9aeacb/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/80f4dd3bacd478bc6e6975bf155987e9bd4585c14f832649a09cfa542222cf00/

Threat name:

Win64.Trojan.Emotet

Status:

Malicious

First seen:

2022-07-10 05:27:09 UTC

File Type:

PE+ (Dll)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qd2n2o5m2r4ly3tjow7rkwmh5g6ulbobj6bsmsnatt5fiircz4aa._file

Verdict:

malicious

Label(s):

emotet

Result

Malware family:

emotet

Score:

10/10

Tags:

family:emotet botnet:epoch4 banker trojan

Link:

https://tria.ge/reports/220714-hbtz3sdcg9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Emotet

Malware Config

C2 Extraction:

94.23.45.86:4143
209.97.163.214:443
212.24.98.99:8080
103.43.75.120:443
183.111.227.137:8080
197.242.150.244:8080
129.232.188.93:443
159.65.88.10:8080
163.44.196.120:8080
51.161.73.194:443
164.90.222.65:443
159.89.202.34:443
1.234.2.232:8080
150.95.66.124:8080
51.91.76.89:8080
196.218.30.83:443
5.9.116.246:8080
146.59.226.45:443
173.212.193.249:8080
213.241.20.155:443
213.239.212.5:443
207.148.79.14:8080
51.254.140.238:7080
45.235.8.30:8080
147.139.166.154:8080
64.227.100.222:8080
82.165.152.127:8080
172.105.226.75:8080
131.100.24.231:80
206.189.28.199:8080
151.106.112.196:8080
119.193.124.41:7080
45.176.232.124:443
79.137.35.198:8080
186.194.240.217:443
103.70.28.102:8080
159.65.140.115:443
104.168.155.143:8080
45.118.115.99:8080
115.68.227.76:8080
72.15.201.15:8080
144.202.108.116:8080
37.187.115.122:8080
110.232.117.186:8080
209.126.98.206:8080
172.104.251.154:8080
82.223.21.224:8080
101.50.0.91:8080
103.132.242.26:8080
201.94.166.162:443
185.4.135.165:8080
160.16.142.56:8080
107.170.39.149:8080
134.122.66.193:8080
139.59.126.41:443
149.56.131.28:8080
91.207.28.33:8080
164.68.99.3:8080
188.44.20.25:443
103.75.201.2:443
167.172.253.162:8080
158.69.222.101:443
153.126.146.25:7080

Unpacked files

SH256 hash:

d5e8221740431d442de6546c57911f4e8048c6c3a5f71c12ef374fa96bfafad7

MD5 hash:

10833f10cb9120beff2f7c1a3c20c4bf

SHA1 hash:

e018959ad7ac59d4b01bc4c14f176634e86c57f7

Detections:

win_emotet_a3

Link:

https://www.unpac.me/results/c45dca22-fdf7-46ce-98ce-5aaafd42dc25/

Parent samples :

d512a63173c85d45661f576a3cc90806e773471f0750753c442f19e08cedb325
d1cb5ffb4deeee8961e4fe40180aaaabbfec90c8c4ee066ee916889878f1e11d
22fcdbad38108dd56f5bbbbc22baf9fb1d11b8efe21de9748cd2746a78e0ff60
6ad72ec387d5b43b8da95164cd325ee7d382f91f4c7b4e232d866cad70563de6
2d2da29472aa65caafbcb909e8db1d9d41e3d59c995c8402a98039c613cfc2ae
5b3f8d89627363ded1b9814ff02e7c859bd8c1549b0383d53a045e98dd2d6d4c
68099b71111a3f9623cfdf3e7f9e1a1c9016cc9e7542e4b76435ba2ff7c96e41
891962d9854095ea15755b1ac3e6e3f45c11d0b7dc588764b9f7f6d28607086a
434d98c6766894ce2c58b3a0e2123fe861ad0b3f894e73662cba707e3a9804ef
94b421df7a9139f5cf3d4bc11fd80c00981c77513bbdba1aae87df0252c39a74
d6116e92f91c052174c4ee11707c77d0447b9a2299604d47b33025ef08666a40
952171e3547e24f0367dbcdb066dc48d06333a3668c8f292e420b1fa207f47b6
f08b21825b10a78c50bc8fc6557e2f01803da7d35db1022afd5e9f34971ea37a
1775105531d665e73ca9409e6cb410f512783c7dcd1acb5615dbff3e05fdfd2e
fbaf857bb62b3f5f78b894c92ef05ac19e155384ac881f59ee991f6983530229
da5824f19cd202aac261ae9036f53c279e3909a4c91516d07afde1c8fa14c973
b888a31d251f1ebf4f58fb308bcb3c5fb188ad1d214b13e7e3d2279e2621a062
6f2e9781c0fce00b69882decc55ae5191772309e282a46709ffa8b5177232397
653434db1f16ae86fd2a0e5e1fffacb440cee736214b2f6020dfeb685919edad
243c54a469864864237a41de995e0b6f778ba5760f76938c122404ebf4a292cd
80f4dd3bacd478bc6e6975bf155987e9bd4585c14f832649a09cfa542222cf00
3b7e4ba6bdd5a65df53d840b0dfcc51f798fad651392edf51ff74fc00f416cf5
5539613e4d0c3ed75c2ef63bc5b78e97d14db942b297bdfa5e0430cc3a0065c6
23137353070238cc2426e07c0de6da938ea8364e5a79dd03952465116a9691a7

SH256 hash:

80f4dd3bacd478bc6e6975bf155987e9bd4585c14f832649a09cfa542222cf00

MD5 hash:

84ff2496d0a77fd3f42f637f0b4d16f8

SHA1 hash:

2c9654bc8864d5a58cbfbdf8ba02d65134b2c58d

Link:

https://www.unpac.me/results/c45dca22-fdf7-46ce-98ce-5aaafd42dc25/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/80f4dd3bacd478bc6e6975bf155987e9bd4585c14f832649a09cfa542222cf00

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_win64_emotet_unpacked Create hunting rule
Author:	Rony (r0ny_123)

Rule name:	Emotet_Botnet Create hunting rule
Author:	Harish Kumar P
Description:	To Detect Emotet Botnet

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	win_heodo Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Heodo

exe 80f4dd3bacd478bc6e6975bf155987e9bd4585c14f832649a09cfa542222cf00

(this sample)

Cape

https://www.capesandbox.com/analysis/288536/

URLhaus

https://urlhaus.abuse.ch/url/2255390/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample