MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b35408ca7fc6cbc2185a36d5e5665e6f47c168c5d074cc848916bf1c8b96d0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b35408ca7fc6cbc2185a36d5e5665e6f47c168c5d074cc848916bf1c8b96d0d
SHA3-384 hash: f5d7898b45f5ad80b8950e1a2bac7c75a6058cb2509806a028613d855d926ff925ddd3444f24a151e278952fc897bd07
SHA1 hash: 6d29122a0ce3c5aac6c9c76246cddb01828497a3
MD5 hash: a2e1f2f64fb09b8a4e772a5a734e5b33
humanhash: utah-triple-social-gee
File name:a2e1f2f64fb09b8a4e772a5a734e5b33.exe
Download: download sample
Signature Heodo
Create hunting rule
File size:685'568 bytes
First seen:2020-05-01 17:38:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c8ba287ac9aa4e47845a4657df35b9e3 (1 x Heodo)
ssdeep 12288:4FaVmXUbbYx3pd9N8YRHKXz0U2RgxsmXWIWg7z9uu05Zr:4FJXUupl8YRHeIbmTXWIWg7JuV5x
Threatray 95 similar samples on MalwareBazaar
TLSH E5E47B2237D2C07AC2723571465AD7B576AABC314E36078B6BC01B3D1F745E29E2836E
Reporter abuse_ch
Tags:Emotet exe Heodo

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Emotet-7702424-0
Create hunting rule

Win.Malware.Emotet-7702427-0
Create hunting rule

Win.Malware.Emotet-7703303-0
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2020-04-25 19:37:00 UTC
File Type:
PE (Exe)
Extracted files:
41
AV detection:
24 of 29 (82.76%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tm2ubdfh7rwlyimfunwv4vtf432hyfumluduzscisfv7dsfznugq._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
Similar samples:
1ca20db037045c721981ddce01528fa4406e581f5d0ea897c9ddd17b0db1f545
Heodo
1d70a3a3a0a272e37e03631b10eff1d17318e82105aa4d365b5c0ca67d051ada
Heodo
1ff36792edbc187f3c27fea4601240b03ebf68a35d99ee3b3aa98f27b4d04cf2
Heodo
23d88898a1f8368db37855bc147da3b0e455a9c866a6924dea2ac2715c7a5721
Heodo
76f0b6edc295cc561be4c44c83fcf7cb8e7807546d8babf137b6f4ae9dcee9a2
Heodo
7a3cdb575c0821cb1a8c492105fb674999f7fb0674007b669ef837a77335e447
Heodo
8978de8be9668bb2ce0f813180efe103e0660cbc68633916f2f0b8c49e6f1508
Heodo
aeb5918b32bf5beccd7b45c00049af6a1754d3834f3f3e1376c60f33df02c385
Heodo
d8e0beeb51f2332cfe5cefe52260444b054bb4b1ef7e0bc1442c266772c14619
Heodo
eac1f0da2a4d4863824da293add5f733b84a2212bec8aee9b7b339cb8321c97e
Heodo
+ 85 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:IceID_Bank_trojan
Create hunting rule
Author:unixfreaxjp
Description:Detects IcedID..adjusted several times

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoFreeUnusedLibraries
ole32.dll::CreateStreamOnHGlobal
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipDeleteGraphics
gdiplus.dll::GdipFillRectangleI
gdiplus.dll::GdipDeleteBrush
gdiplus.dll::GdipAlloc
MULTIMEDIA_APICan Play MultimediaGDI32.dll::StretchDIBits
SHELL_APIManipulates System ShellSHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileA
SHLWAPI.dll::PathRemoveFileSpecW
KERNEL32.dll::GetFileAttributesA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegCreateKeyA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueA
ADVAPI32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments