MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9558bbbb8facaeebb9539a63e639acd60d8fffdaa69c92c05ceb23e26e61c41b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	9558bbbb8facaeebb9539a63e639acd60d8fffdaa69c92c05ceb23e26e61c41b
SHA3-384 hash:	330b90a795d830cc077eff1bc05829b21dafe506165d8ac768d58b960c79733eee6110ebe42de5c7c65c5ee104d08bbe
SHA1 hash:	6cef9037f86fb368ed59ae5fbdf4442d7b1830c0
MD5 hash:	0b78cbd19ea8e1bb630f6b160015943a
humanhash:	papa-queen-south-oranges
File name:	REP_27093870.doc
Download:	download sample
Signature	Heodo Create hunting rule
File size:	157'071 bytes
First seen:	2020-09-15 10:51:30 UTC
Last seen:	2020-09-16 11:35:11 UTC
File type:	doc
MIME type:	application/msword
ssdeep	1536:VCOIDQhDHR4OIDQhDHRdrdi1Ir77zOH98Wj2gpngB+a9k7Qb4HrO4utHA:VzrfrzOH98ipgQ7I4HrO4utHA
TLSH	CCE3970A26C1994EF33A4E302BD9AAE91852DCF45D9D4067328CB7157737B40E9E1BF8
Reporter	FORMALITYDE
Tags:	Emotet Heodo

Intelligence

File Origin

# of uploads :

73

# of downloads :

85

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

TwinWave.EvilDoc.AutoExecSeparateWays.20200818.UNOFFICIAL

SecuriteInfo.com.VB.Trojan.VBA.Agent.BHH.UNOFFICIAL

TwinWave.EvilDoc.WelcomeBackEmotetThatsWhyTheyCallItWindowPain.2020717.UNOFFICIAL

TwinWave.EvilDoc.EmotetCROCryLittleSister.20200720.UNOFFICIAL

TwinWave.EvilDoc.EmotetARCROClubbedToDeathKurayamino.20200904.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Using the Windows Management Instrumentation requests

Creating a process with a hidden window

DNS request

Sending an HTTP GET request

Creating a file

Creating a process from a recently created file

Moving a file to the Windows subdirectory

Creating a service

Connection attempt

Sending an HTTP POST request

Deleting a recently created file

Enabling autorun for a service

Bypassing of proactive protection methods using Windows Management Instrumentation (WMI)

Launching a process by exploiting the app vulnerability

Detection:

emotet

Link:

https://mwdb.cert.pl/sample/9558bbbb8facaeebb9539a63e639acd60d8fffdaa69c92c05ceb23e26e61c41b/

Threat name:

Document-Word.Trojan.Emotet

Status:

Malicious

First seen:

2020-09-15 10:34:18 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=svmlxo4pvsxoxokttjr6monm2ygy7762u2ojfqc45mr6e3tbyqnq._file

Result

Malware family:

n/a

Score:

8/10

Tags:

macro

Link:

https://tria.ge/reports/200915-wga6nc8al6/

Behaviour

Suspicious Office macro

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Emotet

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9558bbbb8facaeebb9539a63e639acd60d8fffdaa69c92c05ceb23e26e61c41b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

doc 9558bbbb8facaeebb9539a63e639acd60d8fffdaa69c92c05ceb23e26e61c41b

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/511061/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/502514/

URLhaus

https://urlhaus.abuse.ch/url/501617/

URLhaus

https://urlhaus.abuse.ch/url/501854/

URLhaus

https://urlhaus.abuse.ch/url/494310/

URLhaus

https://urlhaus.abuse.ch/url/503980/

URLhaus

https://urlhaus.abuse.ch/url/504310/

URLhaus

https://urlhaus.abuse.ch/url/511623/

URLhaus

https://urlhaus.abuse.ch/url/505668/

URLhaus

https://urlhaus.abuse.ch/url/510706/

URLhaus

https://urlhaus.abuse.ch/url/509883/

URLhaus

https://urlhaus.abuse.ch/url/511272/

URLhaus

https://urlhaus.abuse.ch/url/512556/

URLhaus

https://urlhaus.abuse.ch/url/503533/

URLhaus

https://urlhaus.abuse.ch/url/501422/

URLhaus

https://urlhaus.abuse.ch/url/502187/

URLhaus

https://urlhaus.abuse.ch/url/504707/

URLhaus

https://urlhaus.abuse.ch/url/506464/

URLhaus

https://urlhaus.abuse.ch/url/493461/

URLhaus

https://urlhaus.abuse.ch/url/509720/

URLhaus

https://urlhaus.abuse.ch/url/503819/

URLhaus

https://urlhaus.abuse.ch/url/513290/

URLhaus

https://urlhaus.abuse.ch/url/511188/

URLhaus

https://urlhaus.abuse.ch/url/500845/

URLhaus

https://urlhaus.abuse.ch/url/508585/

URLhaus

https://urlhaus.abuse.ch/url/504247/

URLhaus

https://urlhaus.abuse.ch/url/501350/

URLhaus

https://urlhaus.abuse.ch/url/503217/

URLhaus

https://urlhaus.abuse.ch/url/510707/

URLhaus

https://urlhaus.abuse.ch/url/513166/

URLhaus

https://urlhaus.abuse.ch/url/505106/

URLhaus

https://urlhaus.abuse.ch/url/503417/

URLhaus

https://urlhaus.abuse.ch/url/513045/

URLhaus

https://urlhaus.abuse.ch/url/498964/

URLhaus

https://urlhaus.abuse.ch/url/505264/

URLhaus

https://urlhaus.abuse.ch/url/502136/

URLhaus

https://urlhaus.abuse.ch/url/503472/

URLhaus

https://urlhaus.abuse.ch/url/504051/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample