MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8139d892de1928bad1b01c1298cd30e44e2ff1d283b9626910d021a9e154baff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8139d892de1928bad1b01c1298cd30e44e2ff1d283b9626910d021a9e154baff
SHA3-384 hash: 29c21bbcc65890e09266297ee3a3f0bd4fe7129377111bdb7a1fe5f30e4c5c4323167a5d2723018f4a305f9398523652
SHA1 hash: 5dac2f6c1b0b48d83612ced7a4614f32138de2e7
MD5 hash: 78f491ed6725761f5e20e37f9c3e0ba6
humanhash: oregon-video-kitten-red
File name:emotet_exe_e1_8139d892de1928bad1b01c1298cd30e44e2ff1d283b9626910d021a9e154baff_2020-08-11__055804._exe
Download: download sample
Signature Heodo
Create hunting rule
File size:331'776 bytes
First seen:2020-08-11 05:58:07 UTC
Last seen:2020-08-11 06:45:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56d305eecfade0ca348325505b3fbeb3 (13 x Heodo)
ssdeep 6144:QzC9yixK0dkI6ukU1EqlhVLLiLLwLL5ZbgiUP/DRNQg3uxS/D:KCrxRdbDHTC3P/NNRuxS
Threatray 8'250 similar samples on MalwareBazaar
TLSH F5648D712449D0FDEF64C9309BEDE23852162CAEB8E5512717F4BF4F393B866244B81A
Reporter Cryptolaemus1
Tags:Emotet epoch1 exe Heodo


Avatar
Cryptolaemus1
Emotet epoch1 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.BScope.Trojan.Emotet.19287.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Artemis15E75A62D6FA.32377.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Connection attempt
Sending an HTTP POST request
Result
Threat name:
Emotet
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/417773
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Yara detected Emotet
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 261144 Sample: _055804._exe Startdate: 11/08/2020 Architecture: WINDOWS Score: 64 28 Yara detected Emotet 2->28 30 Machine Learning detection for sample 2->30 7 _055804.exe 2 2->7         started        10 svchost.exe 2->10         started        12 svchost.exe 1 1 2->12         started        15 8 other processes 2->15 process3 dnsIp4 32 Drops executables to the windows directory (C:\Windows) and starts them 7->32 34 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->34 17 dialclient.exe 12 7->17         started        36 Changes security center settings (notifications, updates, antivirus, firewall) 10->36 20 MpCmdRun.exe 1 10->20         started        26 127.0.0.1 unknown unknown 12->26 signatures5 process6 dnsIp7 24 58.171.153.81, 49726, 80 ASN-TELSTRATelstraCorporationLtdAU Australia 17->24 22 conhost.exe 20->22         started        process8
Detection:
emotet
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8139d892de1928bad1b01c1298cd30e44e2ff1d283b9626910d021a9e154baff/
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2020-08-11 06:00:12 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qe45rew6deulvunqdqjjrtjq4rhc74osqo4we2iq2aq2tykuxl7q._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
Similar samples:
289b869e4c90cfcb4d9bc607adef7926b95500952d65d58ec5034cb727fd81d0
Heodo
3f5bc7d1f9d39d4205823c5912565de09e47134255c455c6ae93b29d49679593
Heodo
65f7e84472220afc0fa1577eb5d36c4dd61efd15e42ac1070592e2ca24bc8648
Heodo
66b8159a106d2e6434159c648ab7fd2a32fcc1471a779004f78a4ac2def5b5d3
Heodo
68d7085829becc941271e3a2706067d7fc64840e51883644a09faf591a1ff8d7
Heodo
8bd25f5aad3ce69803b5f53e4419a70be5e95fe87ae09be562fc667d80134fd9
Heodo
94b5f041e83e25c2e9d3c413c7a65059302c88cb0cceb949707c090c46542d93
Heodo
aa82acfbc1fa6c7b84a5444ed23d5d503c791dfd83c126441144a75a800f3bdb
Heodo
b6e1ca255a1c2bcecd030067348876a995ceae680f84a749775e2817ed6dc4c8
Heodo
f340e2d2cd70f9bffe51ac6d4031e888150f78714ac9f5e9318e33addee481d6
Heodo
+ 8'240 additional samples on MalwareBazaar
Result
Malware family:
emotet
Create hunting rule
Score:
  10/10
Tags:
trojan banker family:emotet
Link:
https://tria.ge/reports/200811-gtdb91gane/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Emotet Payload
Emotet
Malware Config
C2 Extraction:
58.171.153.81:80
104.131.103.128:443
66.228.49.173:8080
181.120.79.227:80
82.76.111.249:443
177.66.190.130:80
114.109.179.60:80
190.147.137.153:443
70.32.84.74:8080
104.131.103.37:8080
111.67.12.221:8080
177.74.228.34:80
217.13.106.14:8080
187.162.248.237:80
170.81.48.2:80
186.70.127.199:8090
104.236.161.64:8080
12.162.84.2:8080
177.73.0.98:443
191.182.6.118:80
143.0.87.101:80
177.72.13.80:80
204.225.249.100:7080
201.213.156.176:80
94.206.45.18:80
94.176.234.118:443
137.74.106.111:7080
190.190.148.27:8080
177.144.135.2:80
192.241.146.84:8080
202.62.39.111:80
91.219.169.180:80
186.250.52.226:8080
147.91.184.91:80
80.249.176.206:80
61.92.159.208:8080
68.183.190.199:8080
192.241.143.52:8080
104.131.41.185:8080
190.163.31.26:80
213.181.91.224:80
77.55.211.77:8080
172.104.169.32:8080
190.181.235.46:80
217.199.160.224:7080
213.60.96.117:80
145.236.8.174:80
70.32.115.157:8080
212.231.60.98:80
185.94.252.12:80
178.79.163.131:8080
217.160.182.191:8080
82.196.15.205:8080
46.28.111.142:7080
181.129.96.162:8080
73.116.193.136:80
186.103.141.250:443
83.169.21.32:7080
185.94.252.27:443
116.125.120.88:443
181.36.42.205:443
77.90.136.129:8080
50.28.51.143:8080
87.106.46.107:8080
51.255.165.160:8080
89.32.150.160:8080
2.47.112.152:80
149.62.173.247:8080
93.151.186.85:80
209.236.123.42:8080
189.2.177.210:443
190.6.193.152:8080
191.99.160.58:80
72.47.248.48:7080
68.183.170.114:8080
81.198.69.61:80
219.92.13.25:80
212.71.237.140:8080
45.161.242.102:80
189.194.58.119:80
190.17.195.202:80
5.196.35.138:7080
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Emotet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8139d892de1928bad1b01c1298cd30e44e2ff1d283b9626910d021a9e154baff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:MALW_emotet
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect unpacked Emotet

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Heodo

Executable exe 8139d892de1928bad1b01c1298cd30e44e2ff1d283b9626910d021a9e154baff

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/43049/
  
URLhaus
https://urlhaus.abuse.ch/url/428910/
  
Delivery method
Distributed via web download

Comments