MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d6912a12fdccb3d6d55980c3b1fd20cc97a2736d3381e315657a3d6f2f8d1b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry
Emotet (aka Heodo)
Vendor detections: 9

SHA256 hash: 8d6912a12fdccb3d6d55980c3b1fd20cc97a2736d3381e315657a3d6f2f8d1b3
SHA3-384 hash: b7a9729f7a326cd303c929969b8b307a065207412e2dade3a8ac47a74f1efd9e7de7ea31a376cf032bf3174c999d045b
SHA1 hash: 27836d3e04a31548fa09ec8537ba50777a73a42a
MD5 hash: 6988533cf7cbdccd0ea429571e0441a9
humanhash: gee-green-iowa-burger
File name: 6988533cf7cbdccd0ea429571e0441a9
Download: download sample
Signature: Heodo
File size: 473'600 bytes
First seen: 2021-12-02 08:18:45 UTC
Last seen: Never
File type: DLL
MIME type: application/x-dosexec
imphash: 057d91f9747659ff50a0558e0aed5a44 (7 x Heodo)
ssdeep: 12288:mFyGBDytNZAR5Myju+qQuj/J+7C6Dg8stHb1h:mF92e/jEk7zDg8stJh
Threatray: 240 similar samples on MalwareBazaar
TLSH: T1ADA4BF20B961C036E4AE10303D68D6EA056F7D364FF0CADB67E42F6D4E352C16B3566A
Reporter: zbetcheckin
Tags: 32 dll Emotet exe Heodo

Intelligence
File Origin
# of uploads: 1
# of downloads: 93
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Searching for the window
Launching a process
Verdict: Suspicious
Threat level: 5/10
Confidence: 67%
Tags: emotet greyware packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected Emotet
Behaviour
Behavior Graph: ID 532429; sample UioA2E9DBG; start date 02/12/2021; architecture WINDOWS; score 80. Contacted network endpoints: 210.57.217.132 (UNAIR-AS-ID, Universitas Airlangga, Indonesia), 203.114.109.124 (TOT-LLI-AS-AP, TOT Public Company Limited, Thailand) and 27 other IPs or domains; svchost.exe contacted 127.0.0.1. Process tree: loaddll32.exe and svchost.exe were started; loaddll32.exe started two rundll32.exe instances, cmd.exe and 2 other processes, each of which started further rundll32.exe instances. The signatures attached to graph nodes are the ones listed above (malware configuration found, multi AV scanner detection, Yara detected Emotet, C2 URLs/IPs in configuration, RDTSC virtualization checks, dummy code loops, zone.identifier hiding).
Threat name: Win32.Trojan.Fragtor
Status: Malicious
First seen: 2021-12-02 08:19:13 UTC
File Type: PE (Dll)
Extracted files: 4
AV detection: 13 of 44 (29.55%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SHA256 hash: 351c499ab0db6c3d51305b9041babb6625c1b11375e85626b21fe39210cd6fb2
MD5 hash: 29dfea21774551a30d3990eac51d018f
SHA1 hash: 94c20b3556d7286a3a2093bf4d57d558b185a6f3
Detections: win_emotet_a2 win_emotet_auto
SHA256 hash: 8d6912a12fdccb3d6d55980c3b1fd20cc97a2736d3381e315657a3d6f2f8d1b3
MD5 hash: 6988533cf7cbdccd0ea429571e0441a9
SHA1 hash: 27836d3e04a31548fa09ec8537ba50777a73a42a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Delivery: Web download | Family: Heodo | File type: DLL | SHA256: 8d6912a12fdccb3d6d55980c3b1fd20cc97a2736d3381e315657a3d6f2f8d1b3 (this sample)

Delivery method
Distributed via web download

Comments

zbet commented on 2021-12-02 08:18:47 UTC

url : hxxps://thetrendskill.com/wp-content/uH11/