MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a60549d08d066eeb7cce46f19cd62b426b82f5f56512f9a6cd3c9781f3a67a6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 5

SHA256 hash: a60549d08d066eeb7cce46f19cd62b426b82f5f56512f9a6cd3c9781f3a67a6b
SHA3-384 hash: 0845b82941453260ab5a1712df63f26cd57d08dd19c1cee836abbb5d557cb39a580ed8ee06158df2ebc8aa919798c917
SHA1 hash: 86a7ae8a7b71f0df8c4731693ce57f0e73309334
MD5 hash: e19685fb5d65e400f2dc9f6af799e637
humanhash: don-chicken-september-oklahoma
File name: e19685fb5d65e400f2dc9f6af799e637
Signature: Heodo
File size: 9'168'384 bytes
First seen: 2021-07-06 07:09:10 UTC
Last seen: 2021-07-06 09:40:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 196608:hDAQAUixXAdXU4ZkgCnU+Yu26kuA/CHksNE+fBJ+BM3D:hRAxxS/BCU+o6kJCHksK+VD
Threatray: 129 similar samples on MalwareBazaar
TLSH: B99622C1A3C11114D8A43EB9904DC13D6B5EDE496363BA1E28D23AD4B2745A44FE3FEE
Reporter: zbetcheckin
Tags: Emotet exe Heodo

Intelligence

File Origin
# of uploads: 3
# of downloads: 757
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: e19685fb5d65e400f2dc9f6af799e637
Verdict: No threats detected
Analysis date: 2021-07-06 07:12:40 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 92 / 100
Signature:
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Process Start Without DLL
Sigma detected: WScript or CScript Dropper
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Result
Threat name: Win64.Trojan.Bulz
Status: Malicious
First seen: 2021-07-06 07:09:16 UTC
AV detection: 9 of 46 (19.57%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: persistence
Behaviour:
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon for persistence
Unpacked files
SHA256 hash: a60549d08d066eeb7cce46f19cd62b426b82f5f56512f9a6cd3c9781f3a67a6b
MD5 hash: e19685fb5d65e400f2dc9f6af799e637
SHA1 hash: 86a7ae8a7b71f0df8c4731693ce57f0e73309334
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Glasses
Author: Seth Hardy
Description: Glasses family

Rule name: GlassesCode
Author: Seth Hardy
Description: Glasses code features

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Heodo
Executable exe a60549d08d066eeb7cce46f19cd62b426b82f5f56512f9a6cd3c9781f3a67a6b (this sample)

Delivery method: Distributed via web download

Comments
zbet commented on 2021-07-06 07:09:11 UTC

url : hxxp://andmaindance.art/gder/mod/ConsoleApp2.exe