MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a492a423b9d053fdffc1857faa73b1d7661a81a712521679bb786aeabad840f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 10


Maldoc score: 14


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a492a423b9d053fdffc1857faa73b1d7661a81a712521679bb786aeabad840f0
SHA3-384 hash: 70d8594fadea13a2dca226c7835b15b14dbb63a83b49a71309a04e6a57d93742d34a4c30057b0937470c6f30591eb3d6
SHA1 hash: ce0fb672df362bebe246082c61203a1c9117d86b
MD5 hash: e1ddac69f8378679ea45dc48b40b21ac
humanhash: lamp-lithium-lake-monkey
File name:tmpbus88aiz
Download: download sample
Signature Heodo
Create hunting rule
File size:123'904 bytes
First seen:2022-02-08 15:52:27 UTC
Last seen:2022-02-13 22:22:44 UTC
File type:Excel file xlsx
MIME type:application/vnd.ms-excel
ssdeep 3072:OmcKoSsxzNDZLDZjlbR868O8KlVH37kehvMqAPjxO5xyZUE5V5xtezEVg8/dg+BR:fcKoSsxzNDZLDZjlbR868O8KlVH37keU
TLSH T180C35A55F685EA1ADE0822350DDFC7F9733ABC828E9A83473259B32F3D76550CA12706
Reporter Cryptolaemus1
Tags:Emotet epoch5 Heodo xlsx

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 14
OLE dump

MalwareBazaar was able to identify 23 sections in this file using oledump:

Section IDSection sizeSection name
1109 bytesCompObj
2220 bytesDocumentSummaryInformation
3204 bytesSummaryInformation
472395 bytesWorkbook
5646 bytes_VBA_PROJECT_CUR/PROJECT
6122 bytes_VBA_PROJECT_CUR/PROJECTwm
79756 bytes_VBA_PROJECT_CUR/VBA/Fbhndfghsret3
81191 bytes_VBA_PROJECT_CUR/VBA/GhFdrtdSrt4ufg
97302 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
102768 bytes_VBA_PROJECT_CUR/VBA/__SRP_0
11764 bytes_VBA_PROJECT_CUR/VBA/__SRP_1
12302 bytes_VBA_PROJECT_CUR/VBA/__SRP_2
13400 bytes_VBA_PROJECT_CUR/VBA/__SRP_3
14228 bytes_VBA_PROJECT_CUR/VBA/__SRP_4
1566 bytes_VBA_PROJECT_CUR/VBA/__SRP_5
16603 bytes_VBA_PROJECT_CUR/VBA/__SRP_6
171182 bytes_VBA_PROJECT_CUR/VBA/__SRP_7
18866 bytes_VBA_PROJECT_CUR/VBA/dir
1915531 bytes_VBA_PROJECT_CUR/VBA/kjDygzs34e
2097 bytes_VBA_PROJECT_CUR/kjDygzs34e/CompObj
21294 bytes_VBA_PROJECT_CUR/kjDygzs34e/VBFrame
22270 bytes_VBA_PROJECT_CUR/kjDygzs34e/f
23268 bytes_VBA_PROJECT_CUR/kjDygzs34e/o
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecWorkbook_OpenRuns when the Excel Workbook is opened
AutoExectrgsEtgseg_ChangeRuns when the file is opened and ActiveX objects trigger events
SuspiciousOpenMay open a file
SuspiciousOutputMay write to a file (if combined with Open)
SuspiciousCreateObjectMay create an OLE object
SuspiciousexecMay run an executable file or a system
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
SuspiciousBase64 StringsBase64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
2
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Malicious
File type:
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Has a screenshot:
False
Contains macros:
True
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/238312/
Detection(s):
TwinWave.EvilDoc.CROStringBuilderHidingPlacesPapaDontTakeNoMess.20200916.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.CROKissFromARose.M4.20201215.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PUA.PowerShell.Agent-19.UNOFFICIAL
Create hunting rule

MiscreantPunch.EvilMacro.PSHELLB64INVOKEDASHWINVOKEDASHW.3.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.PDATARootDown.20220203.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXRSTRGOOD.HTTP_.210304B64.1.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXRSTRGOOD.HTTP_.210304B64.4.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXRSTRGOOD.HTTP_.210304B64.8.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXRSTRGOOD.HTTPS_.210304B64.4.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXRSTRGOOD.HTTPS_.210304B64.8.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXRSTRGOOD._OUTFILE.220203B64.2.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Running batch commands
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Launching a process
Creating a process from a recently created file
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Link:
https://app.docguard.net/a492a423b9d053fdffc1857faa73b1d7661a81a712521679bb786aeabad840f0/results/dashboard
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe macros macros-on-open
Link:
https://www.filescan.io/uploads/62029215845a69d7734e79e4/reports/45663641-2858-4975-924c-2890310263c5/overview
Label:
Malicious
Suspicious Score:
6.8/10
Score Malicious:
68%
Score Benign:
32%
Link:
https://www.malware.ai/gui/files/?id=eaf060fe-2e61-4a24-80f8-19eb9a2af8ed
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/a492a423b9d053fdffc1857faa73b1d7661a81a712521679bb786aeabad840f0
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro with File System Write
Detected macro logic that can write data to the file system.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a492a423b9d053fdffc1857faa73b1d7661a81a712521679bb786aeabad840f0/
Threat name:
Script-Macro.Trojan.Logan
Create hunting rule
Status:
Malicious
First seen:
2022-02-08 15:53:13 UTC
File Type:
Document
Extracted files:
28
AV detection:
7 of 42 (16.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=usjkii5z2bj7376bqv72u45r25tbvanhcjjbm6n3pbvovowyidya._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
macro macro_on_action
Link:
https://tria.ge/reports/220208-tbmfsaaag7/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Drops file in Windows directory
Checks computer location settings
Blocklisted process makes network request
Process spawned unexpected child process
Malware Config
Dropper Extraction:
http://lbsbriefs.com/cgi/2kl8X826xEKeuhI/
http://howebeautiful.com/eln-images/tyj208/
http://lazylargomotels.com/cgi/wZrYbJ/
http://sleepstarlite-ozark.com/batesville/UjX/
http://osaka.musicaldog.com/05-set/YLBOd/
http://mattknapp.net/Resources/OipJPXsI/
https://erolmutfak.com/dso/S3d34UHm0Qkibn57N0G/
http://catower.com/cgi/iC2/
http://meridianites.com/cgi/pBoGxZ9igKZKn/
http://hoodeeconsulting.com/cgi/I2N0wPElFdvAP2dZ2K6/
http://rinoflexconnectors.com/eln-images/MIzLHf0Wk6wXNS/
https://egemenrulman.com/Fox-C404/qrr2OCShGJGH06Gm/
http://skyridgedesigns.com/eln-images/38pr2cu3xt2Ai/
Malware family:
Emotet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a492a423b9d0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/238312/

Comments