MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 879c834241fbfd30a8180a6556e365e5cc79fb588eee0d1678e2de9c7477e780. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	879c834241fbfd30a8180a6556e365e5cc79fb588eee0d1678e2de9c7477e780
SHA3-384 hash:	ef6094649681371ba6c6b82c85bcc2b92d0e5c9803d9ac60f40377f8521133342838a0c5e2ad117c3ea4d06ff878cec9
SHA1 hash:	3c24efe2290cf3bfc14897503f662520537f38a8
MD5 hash:	40789c5e1670d4ad61d386129eb69d63
humanhash:	pasta-vegan-july-romeo
File name:	からの変更20.09.15.doc
Download:	download sample
Signature	Heodo Create hunting rule
File size:	157'621 bytes
First seen:	2020-09-15 21:06:31 UTC
Last seen:	2020-09-16 00:34:37 UTC
File type:	doc
MIME type:	application/msword
ssdeep	1536:CJ0ZsWTJ0ZsWirdi1Ir77zOH98Wj2gpngR+a9rQ54LW04K:5rfrzOH98ipgn+qD4K
TLSH	EBF3A60A26D1994EF33E4E3027D9AAED1856DCF48D8C44673284BB157637B40E9E1BF8
Reporter	GovCERT_CH
Tags:	Emotet Heodo

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

TwinWave.EvilDoc.AutoExecSeparateWays.20200818.UNOFFICIAL

SecuriteInfo.com.VB.Trojan.VBA.Agent.BHH.UNOFFICIAL

TwinWave.EvilDoc.WelcomeBackEmotetThatsWhyTheyCallItWindowPain.2020717.UNOFFICIAL

TwinWave.EvilDoc.EmotetCROCryLittleSister.20200720.UNOFFICIAL

TwinWave.EvilDoc.EmotetARCROClubbedToDeathKurayamino.20200904.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Using the Windows Management Instrumentation requests

Creating a process with a hidden window

DNS request

Creating a file

Creating a process from a recently created file

Moving a file to the Windows subdirectory

Creating a service

Connection attempt

Deleting a recently created file

Possible injection to a system process

Enabling autorun for a service

Launching a process by exploiting the app vulnerability

Sending an HTTP GET request to an infection source

Detection:

emotet

Link:

https://mwdb.cert.pl/sample/879c834241fbfd30a8180a6556e365e5cc79fb588eee0d1678e2de9c7477e780/

Threat name:

Document-Word.Trojan.Emotet

Status:

Malicious

First seen:

2020-09-15 08:59:47 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=q6oigqsb7p6tbkaybjsvny3f4xght62yr3xa2fty4lpjy5dx46aa._file

Result

Malware family:

n/a

Score:

8/10

Tags:

macro

Link:

https://tria.ge/reports/200915-dc2tmv1f6a/

Behaviour

Suspicious Office macro

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/879c834241fbfd30a8180a6556e365e5cc79fb588eee0d1678e2de9c7477e780

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Heodo

doc 879c834241fbfd30a8180a6556e365e5cc79fb588eee0d1678e2de9c7477e780

(this sample)

Dropped by

Heodo

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample