MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c6ef89802a2c9e031dca9a83e8094a37f4ca04cacdd689de8a5330e041278d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	9c6ef89802a2c9e031dca9a83e8094a37f4ca04cacdd689de8a5330e041278d4
SHA3-384 hash:	49b245632ed9cca61832f6a81af65c3d6c5338bc854f1ddea2daeb699c638b0c9383117477e49854e3b2d1b3600f6362
SHA1 hash:	efd1fdaca98e9ee110908e113cd46003f44c237c
MD5 hash:	4c4b8f0859fde3f76ba8e60eb6fff65c
humanhash:	bulldog-ink-hawaii-skylark
File name:	変化_20200915.doc
Download:	download sample
Signature	Heodo Create hunting rule
File size:	159'293 bytes
First seen:	2020-09-15 12:02:31 UTC
Last seen:	Never
File type:	doc
MIME type:	application/msword
ssdeep	1536:gURA+F6URA+Fhrdi1Ir77zOH98Wj2gpngd+a9axQIY0y+WbBw:frfrzOH98ipgCxDH7ABw
TLSH	76F3950926D1994EF33A8E3027D9AAE91856DCF45D8D40673288BB147737B40E9F1BF8
Reporter	GovCERT_CH
Tags:	Emotet Heodo

Intelligence

File Origin

# of uploads :

1

# of downloads :

86

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

TwinWave.EvilDoc.AutoExecSeparateWays.20200818.UNOFFICIAL

SecuriteInfo.com.VB.Trojan.VBA.Agent.BHH.UNOFFICIAL

TwinWave.EvilDoc.WelcomeBackEmotetThatsWhyTheyCallItWindowPain.2020717.UNOFFICIAL

TwinWave.EvilDoc.EmotetCROCryLittleSister.20200720.UNOFFICIAL

TwinWave.EvilDoc.EmotetARCROClubbedToDeathKurayamino.20200904.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Using the Windows Management Instrumentation requests

Creating a process with a hidden window

DNS request

Creating a file

Creating a process from a recently created file

Moving a file to the Windows subdirectory

Creating a service

Connection attempt

Deleting a recently created file

Possible injection to a system process

Enabling autorun for a service

Launching a process by exploiting the app vulnerability

Sending an HTTP GET request to an infection source

Detection:

emotet

Link:

https://mwdb.cert.pl/sample/9c6ef89802a2c9e031dca9a83e8094a37f4ca04cacdd689de8a5330e041278d4/

Threat name:

Document-Word.Trojan.Emotet

Status:

Malicious

First seen:

2020-09-15 08:13:31 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=trxprgacule6amo4vgud5aeuun7uzicmvtowrhpiuuzq4baspdka._file

Result

Malware family:

n/a

Score:

8/10

Tags:

macro

Link:

https://tria.ge/reports/200915-56eca4l4ls/

Behaviour

Suspicious Office macro

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Emotet

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9c6ef89802a2c9e031dca9a83e8094a37f4ca04cacdd689de8a5330e041278d4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

doc 9c6ef89802a2c9e031dca9a83e8094a37f4ca04cacdd689de8a5330e041278d4

(this sample)

Dropped by

Heodo

Delivery method

Distributed via e-mail attachment

URLhaus

https://urlhaus.abuse.ch/url/510250/

URLhaus

https://urlhaus.abuse.ch/url/503824/

URLhaus

https://urlhaus.abuse.ch/url/506424/

URLhaus

https://urlhaus.abuse.ch/url/500828/

URLhaus

https://urlhaus.abuse.ch/url/508595/

URLhaus

https://urlhaus.abuse.ch/url/503831/

URLhaus

https://urlhaus.abuse.ch/url/504164/

URLhaus

https://urlhaus.abuse.ch/url/505659/

URLhaus

https://urlhaus.abuse.ch/url/500059/

URLhaus

https://urlhaus.abuse.ch/url/505243/

URLhaus

https://urlhaus.abuse.ch/url/502917/

URLhaus

https://urlhaus.abuse.ch/url/501299/

URLhaus

https://urlhaus.abuse.ch/url/510256/

URLhaus

https://urlhaus.abuse.ch/url/503688/

URLhaus

https://urlhaus.abuse.ch/url/501251/

URLhaus

https://urlhaus.abuse.ch/url/501295/

URLhaus

https://urlhaus.abuse.ch/url/501204/

URLhaus

https://urlhaus.abuse.ch/url/503389/

URLhaus

https://urlhaus.abuse.ch/url/501400/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample