MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a328c37000735ca36b5fdde7088637c1d7450fbebfb781acbaa9546835fa3dc2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	a328c37000735ca36b5fdde7088637c1d7450fbebfb781acbaa9546835fa3dc2
SHA3-384 hash:	014f66932fbb54dd693dd8ac62f282eceb4dd4c4b0585dbfa94dfab524d8b817815272ca8b36eaabf78a562e14f1bb86
SHA1 hash:	d32b7b9e95688340c33e0c18b915b2c6810fc4d5
MD5 hash:	b0a42b5f507a81df7abc6e9ef1d38f10
humanhash:	purple-lamp-apart-carbon
File name:	b0a42b5f507a81df7abc6e9ef1d38f10.dll
Download:	download sample
Signature	Heodo Create hunting rule
File size:	356'696 bytes
First seen:	2021-01-20 14:50:41 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	af263152594d80bd9c18d0a70e4d94ec (26 x Heodo)
ssdeep	3072:wa99Ky1S0SD8MHjO73Ba01/H/7FlwZ2RJJBvX+WUwAmrt:waGy1nS8MHi7xai73JtkWUwAwt
Threatray	338 similar samples on MalwareBazaar
TLSH	16749CEAF8BBA814C789F1716BDA6D7799378F37028C61753F542ACE03836C81AD5405
Reporter	abuse_ch
Tags:	dll Emotet Heodo

Intelligence

File Origin

# of uploads :

# of downloads :

140

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/113146/

Detection(s):

SecuriteInfo.com.BScope.Trojan.Chanitor.13222.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Launching a process

Sending a UDP request

Connection attempt

Sending an HTTP POST request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a328c37000735ca36b5fdde7088637c1d7450fbebfb781acbaa9546835fa3dc2/

Threat name:

Win32.Trojan.EmotetCrypt

Status:

Malicious

First seen:

2021-01-20 14:51:06 UTC

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Verdict:

malicious

Label(s):

emotet

Result

Malware family:

emotet

Score:

10/10

Tags:

family:emotet botnet:epoch1 banker trojan

Link:

https://tria.ge/reports/210120-rvppevlzx2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Blocklisted process makes network request

Emotet

Malware Config

C2 Extraction:

152.231.89.226:80
2.58.16.88:8080
206.189.232.2:8080
154.127.113.242:80
190.114.254.163:8080
190.210.246.253:80
138.197.99.250:8080
172.104.169.32:8080
85.214.26.7:8080
152.170.79.100:80
190.45.24.210:80
143.0.85.206:7080
46.43.2.95:8080
110.39.162.2:443
1.226.84.243:8080
87.106.46.107:8080
111.67.12.221:8080
137.74.106.111:7080
81.17.93.134:80
62.84.75.50:80
51.255.165.160:8080
177.23.7.151:80
51.15.7.145:80
178.211.45.66:8080
170.81.48.2:80
178.250.54.208:8080
200.75.39.254:80
191.223.36.170:80
186.177.174.163:80
202.134.4.210:7080
138.97.60.140:8080
190.247.139.101:80
185.94.252.27:443
152.169.22.67:80
190.24.243.186:80
190.251.216.100:80
80.15.100.37:80
192.232.229.53:4143
5.196.35.138:7080
78.206.229.130:80
191.241.233.198:80
110.39.160.38:443
46.105.114.137:8080
93.146.143.191:80
172.245.248.239:8080
81.215.230.173:443
190.162.232.138:80
82.208.146.142:7080
31.27.59.105:80
190.64.88.186:443
68.183.170.114:8080
192.175.111.212:7080
197.232.36.108:80
217.13.106.14:8080
185.183.16.47:80
70.32.115.157:8080
91.233.197.70:80
187.162.248.237:80
104.131.41.185:8080
209.236.123.42:8080
188.135.15.49:80
95.76.153.115:80
201.241.127.190:80
46.101.58.37:8080
83.144.109.70:80
94.176.234.118:443
93.149.120.214:80
105.209.235.113:8080
177.85.167.10:80
138.97.60.141:7080
12.162.84.2:8080
80.249.176.206:80
211.215.18.93:8080
188.225.32.231:7080
60.93.23.51:80
50.28.51.143:8080
181.30.61.163:443
149.202.72.142:7080
155.186.9.160:80
45.16.226.117:443
12.163.208.58:80
70.32.84.74:8080
82.48.39.246:80
122.201.23.45:443
68.183.190.199:8080
167.71.148.58:443
202.79.24.136:443
81.214.253.80:443
83.169.21.32:7080
212.71.237.140:8080
213.52.74.198:80
201.185.69.28:443

Unpacked files

SH256 hash:

0247202f2443c7d9326aef7454dfe9633e3a2c7daea9da7d45bcd685986cba4d

MD5 hash:

29075ab682222795ec0cc50a370726a7

SHA1 hash:

4c27240aa65b08db88d7d3e501d532d851c3cbe3

Detections:

win_emotet_a2

Link:

https://www.unpac.me/results/81b74bfe-aa4b-4368-8138-dd1d266495b8/

Parent samples :

8dfea226b31ee7eebec6f38643b45409deb36d939b85dd93f4307bf5021a9e74
ea1aed2fa4eed88f459869c9244525b4238c9e8261f24a4852a9abd3d165bed6
d9122cd3d2ff91b6b962dcfb08dd5e91f982ecf070ea90e3bbeb4b1b76c1fe2c
4a6f406df2dfa5f94d8cadb9e6cadad59ab199bb9b651a4f59156cd70213d424
ab9f96936a263107c6c57421ad191d8b266130ac26471f92844fbff75b953c85
8bdacf660f7dd51f6e6a255040e0d9c99c4cf0de921adcd2026b2d04441604f7
2ea141c11fb68e3bcdff47e3c61a3b3af7a40b829172c2ed67b02ff7b31c1929
a328c37000735ca36b5fdde7088637c1d7450fbebfb781acbaa9546835fa3dc2

SH256 hash:

a328c37000735ca36b5fdde7088637c1d7450fbebfb781acbaa9546835fa3dc2

MD5 hash:

b0a42b5f507a81df7abc6e9ef1d38f10

SHA1 hash:

d32b7b9e95688340c33e0c18b915b2c6810fc4d5

Link:

https://www.unpac.me/results/81b74bfe-aa4b-4368-8138-dd1d266495b8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a328c37000735ca36b5fdde7088637c1d7450fbebfb781acbaa9546835fa3dc2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.