MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 997e6221f53ed9a0d3c487c17381fe84d8ab87c25583efb0b3b776b1cd4ca9d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 6

Intelligence 6 IOCs YARA 3 File information Comments

SHA256 hash:	997e6221f53ed9a0d3c487c17381fe84d8ab87c25583efb0b3b776b1cd4ca9d5
SHA3-384 hash:	73df06216d257b6a790a4bf7e04e84fe02f508633f84f0fe8234cfc7b27cb60f31a09eee8622c0394c14c82ea3a3a4ff
SHA1 hash:	7f2b01b7b8cc43d6d2f464eaf6cd8c1af29913ad
MD5 hash:	7fd742aecb8f32aabdf2035dca7b3a87
humanhash:	black-tango-salami-emma
File name:	54962b5efe315f58c48e2e6d0b686ef3
Download:	download sample
Signature	Heodo Create hunting rule
File size:	567'808 bytes
First seen:	2020-11-17 12:05:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	932064b83fe7e6e9ea82f5de73fcbab1 (18 x Heodo)
ssdeep	12288:x1zE9CrIYb6/bbDoDbdzBbtZ5H+1MEa5GQD66i:EAtb6XDwbZBbtZ5LEa1t
TLSH	E9C49D2136F1C036C16661708E5AEB68B6EAFC709DB6974B77D02B7C2E305919E38317
Reporter	seifreed
Tags:	Emotet Heodo

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Dropper.Emotet-9789045-0

Win.Packed.Emotet-9790742-0

Win.Packed.Emotet-9790818-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Connection attempt

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/997e6221f53ed9a0d3c487c17381fe84d8ab87c25583efb0b3b776b1cd4ca9d5/

Threat name:

Win32.Trojan.Emotet

Status:

Malicious

First seen:

2020-11-17 12:10:33 UTC

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tf7geipvh3m2bu6eq7axhap6qtmkxb6ckwb67mftw53ldtkmvhkq._file

Result

Malware family:

emotet

Score:

10/10

Tags:

family:emotet botnet:epoch3 banker trojan

Link:

https://tria.ge/reports/201117-6mjcahlv9x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Drops file in Windows directory

Emotet Payload

Emotet

Malware Config

C2 Extraction:

27.78.27.110:443
81.241.22.161:20
91.121.200.35:8080
159.203.16.11:8080
188.226.165.170:8080
115.79.195.246:80
153.204.122.254:80
77.74.78.80:443
37.205.9.252:7080
36.91.44.183:80
58.94.58.13:80
37.46.129.215:8080
172.96.190.154:8080
157.7.164.178:8081
175.103.38.146:80
103.229.73.17:8080
45.239.204.100:80
5.12.246.155:80
179.5.118.12:80
185.80.172.199:80
116.202.10.123:8080
195.201.56.70:8080
192.210.217.94:8080
202.29.237.113:8080
2.58.16.86:8080
120.51.34.254:80
46.105.131.68:8080
27.82.13.10:80
223.17.215.76:80
177.85.177.206:80
119.228.75.211:80
115.79.59.157:80
192.241.220.183:8080
73.55.128.120:80
177.130.51.198:80
198.20.228.9:8080
185.142.236.163:443
5.79.70.250:8080
79.133.6.236:8080
5.2.164.75:80
113.203.238.130:80
180.148.4.130:8080
178.33.167.120:8080
109.13.179.195:80
201.163.74.203:80
139.59.61.215:443
183.91.3.63:80
85.246.78.192:80
190.192.39.136:80
143.95.101.72:8080
103.93.220.182:80
213.165.178.214:80
190.7.217.90:80
185.208.226.142:8080
117.2.139.117:443
190.180.65.104:80
41.185.29.128:8080
2.82.75.215:80
121.117.147.153:443
178.254.36.182:8080
109.99.146.210:8080
189.123.103.233:80
203.56.191.129:8080
188.166.220.180:7080
91.75.75.46:80
186.146.229.172:80
110.37.224.243:80
78.90.78.210:80
58.27.215.3:8080
200.243.153.66:80
73.100.19.104:80
162.144.145.58:8080
54.38.143.245:8080
60.108.128.186:80
172.105.78.244:8080
190.194.12.132:80
75.127.14.170:8080
139.59.12.63:8080
86.124.32.113:80
46.32.229.152:8080
190.85.46.52:7080
91.83.93.103:443
153.229.219.1:443
74.208.173.91:8080
42.200.96.63:80
94.52.168.188:80
190.164.135.81:80
103.80.51.61:8080
109.206.139.119:80
8.4.9.137:8080
190.147.84.191:443
203.153.216.178:7080
192.163.221.191:8080
50.116.78.109:8080
60.125.114.64:443
152.32.75.74:443
189.55.48.40:80
5.2.246.108:80

Unpacked files

SH256 hash:

997e6221f53ed9a0d3c487c17381fe84d8ab87c25583efb0b3b776b1cd4ca9d5

MD5 hash:

7fd742aecb8f32aabdf2035dca7b3a87

SHA1 hash:

7f2b01b7b8cc43d6d2f464eaf6cd8c1af29913ad

Link:

https://www.unpac.me/results/188d91bc-5b3f-44e2-8fa9-a7afd8393c87/

SH256 hash:

6d0bd0a1e4b6f482c6f1472632496045712a5312ea0a02d707aedeb8537135ea

MD5 hash:

fb90083562dabf97f41ee9aacd8f8ea8

SHA1 hash:

ae49dc2030975dfc64bca99b23c4284c6e26d8ad

Detections:

win_emotet_a2

win_emotet_auto

Link:

https://www.unpac.me/results/188d91bc-5b3f-44e2-8fa9-a7afd8393c87/

Parent samples :

8acccd748190b61c34a12c5d5fd234b21bba651288e81cf924a5f2553c6df9af
7dce9f57836ba1b8f708ead7140a5e850050c25695351f0fbcc0c6729c84107a
6366899c0bacf9ad12319e59da305c333cbab6ecfdd84db601c699a074b9add3
35e1d713a4a3663cc9d822a94cf0e55aeb0281d86d7f886205ee0d71d0f0889d
a7fe02ff5bfef61b9d2344b8b8cc225f988f0f354220b564457231e4d98d21fb
5b1e742aa624e3ba3590c2954660614d69ed01c4527a7f5c596fc862c82c77b5
f2c455143ba76694ed0d1d2c33add8d98601892b6707f41d289af96e2bd3e6fb
997e6221f53ed9a0d3c487c17381fe84d8ab87c25583efb0b3b776b1cd4ca9d5
9578ec5dbef3ce203772d7609288fe9a7a81b140049d7ef74d55522ed451f41e

SH256 hash:

0f58e8542a35156fd003cdea8d284a2c4e9e3b7b29e060350ef2b48a265f4b61

MD5 hash:

69f4c004fe51d93f9aac7e57e8db51ff

SHA1 hash:

cfec0e154c158c941cac4d1cdb3b796984417be2

Detections:

win_emotet_a2

win_emotet_auto

Link:

https://www.unpac.me/results/188d91bc-5b3f-44e2-8fa9-a7afd8393c87/

Parent samples :

46caf733990074e9fc82b654c0aecd9b72e59409df1074216e18a0f100202249
1275d1d7336acbed34142c9727384765a493d6c585fb6b9f2d5c913068d170da
8acccd748190b61c34a12c5d5fd234b21bba651288e81cf924a5f2553c6df9af
7dce9f57836ba1b8f708ead7140a5e850050c25695351f0fbcc0c6729c84107a
6366899c0bacf9ad12319e59da305c333cbab6ecfdd84db601c699a074b9add3
146d77f2b3105bf906b5466e65e71dd9096d83aa585bdc8669d2f1b81406890c
35e1d713a4a3663cc9d822a94cf0e55aeb0281d86d7f886205ee0d71d0f0889d
2d7bc74b468ee47a209a23a7b0e7b98dad2f1ccf84382921244ba8d59a3a3213
a7fe02ff5bfef61b9d2344b8b8cc225f988f0f354220b564457231e4d98d21fb
6e966af29197d10046a22d50f9d4204fa6cbc7ff321ad39b386169bdf9606902
f6bed6f55ffc433c48050563a426756f6382356aa56e4562c4a07a4cd3d80a51
5b1e742aa624e3ba3590c2954660614d69ed01c4527a7f5c596fc862c82c77b5
f2c455143ba76694ed0d1d2c33add8d98601892b6707f41d289af96e2bd3e6fb
ecaae16ebe63e39f9a1f2a1076053b909634e17e596628a9487e30f755e7881c
997e6221f53ed9a0d3c487c17381fe84d8ab87c25583efb0b3b776b1cd4ca9d5
c20f840e45aca11eaed74f17f156c01c6d65e3fb4cac78b245da5a526a8456d3
9578ec5dbef3ce203772d7609288fe9a7a81b140049d7ef74d55522ed451f41e

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	Win32_Trojan_Emotet Create hunting rule
Author:	ReversingLabs
Description:	Yara rule that detects Emotet trojan.

Rule name:	win_emotet_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample