MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89994f4fbf20320373edd6014ad7b3f793aa61afb60413179a92e7a12023c92e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	89994f4fbf20320373edd6014ad7b3f793aa61afb60413179a92e7a12023c92e
SHA3-384 hash:	4584b5ef9db0d057acc92c7d686cba16edcaebda8b4d15d87e4814489a76ad243c474bf8ca99b110eb76a3d230572e18
SHA1 hash:	326bf24917c5f59089ddf0a74164f5c170b869c6
MD5 hash:	48d016a5e210a8298db7af6740d1c963
humanhash:	sad-mockingbird-failed-oxygen
File name:	emotet_exe_e4_89994f4fbf20320373edd6014ad7b3f793aa61afb60413179a92e7a12023c92e_2022-01-25__133442.exe
Download:	download sample
Signature	Heodo Create hunting rule
File size:	602'112 bytes
First seen:	2022-01-25 13:35:21 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	4b3c6568be69655a83355a8193247571 (126 x Heodo)
ssdeep	12288:ykrMviH2ihj94wyHz4MmhihUEOH2KZ6psjQxGuTe5:/MaH994UAgH2T+ElT2
Threatray	234 similar samples on MalwareBazaar
TLSH	T136D49C2233DCC8B9E0AE1D3C290296D523F8AE140B93C58FA650FBDD9D3B1C595E52D6
File icon (PE):
dhash icon	71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter	Cryptolaemus1
Tags:	dll Emotet epoch4 exe Heodo

Cryptolaemus1

Emotet epoch4 exe

Intelligence

File Origin

# of uploads :

# of downloads :

113

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/222486/

Detection(s):

SecuriteInfo.com.VHO.Trojan-Banker.Win32.Emotet.gen.17017.16944.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

DNS request

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe greyware keylogger shell32.dll update.exe

Link:

https://www.filescan.io/uploads/61effcdaf81da814afa3fa79/reports/eeaeff74-37e7-49de-99b6-e3ffbe25a04b/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Emotet

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/39afa854-0f40-4a2f-8c6a-3e8efb96707a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/89994f4fbf20320373edd6014ad7b3f793aa61afb60413179a92e7a12023c92e/

Threat name:

Win32.Trojan.Emotet

Status:

Malicious

First seen:

2022-01-25 13:34:32 UTC

AV detection:

26 of 41 (63.41%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rgmu6t57eazag47n2yauvv5t66j2uynpwycbgf42slt2cibdzexa._file

Verdict:

malicious

Label(s):

emotet

Result

Malware family:

emotet

Score:

10/10

Tags:

family:emotet botnet:epoch4 banker trojan

Link:

https://tria.ge/reports/220125-qv9tmsggg5/

Behaviour

Suspicious use of WriteProcessMemory

Emotet

Malware Config

C2 Extraction:

45.80.148.200:443
80.211.3.13:8080
110.232.117.186:8080
45.142.114.231:8080
131.100.24.231:80
107.182.225.142:8080
45.118.135.203:7080
164.68.99.3:8080
212.237.56.116:7080
41.76.108.46:8080
58.227.42.236:80
104.168.155.129:8080
79.172.212.216:8080
192.254.71.210:443
51.38.71.0:443
217.182.143.207:443
203.114.109.124:443
185.157.82.211:8080
173.212.193.249:8080
45.176.232.124:443
158.69.222.101:443
212.237.17.99:8080
207.38.84.195:8080
195.154.133.20:443
162.243.175.63:443
138.185.72.26:8080
103.8.26.102:8080
103.8.26.103:8080
50.116.54.215:443
178.79.147.66:8080
45.118.115.99:8080
178.63.25.185:443
46.55.222.11:443
103.75.201.2:443
81.0.236.90:443
176.104.106.96:8080
162.214.50.39:7080
212.237.5.209:443
209.59.138.75:7080
216.158.226.206:443
104.251.214.46:8080
212.24.98.99:8080