MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a668cf006e73e1be96a310ff4ab5d1833ec178717f7c8e85749827ff8587167b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a668cf006e73e1be96a310ff4ab5d1833ec178717f7c8e85749827ff8587167b
SHA3-384 hash: 28dffd34d2837f6e4e45d749311dd126e77d41966c69b12fcf3b159860466b996a8974a9290017fc23b1cf32a74a2d80
SHA1 hash: 0f4adc1e2e28b0b2e9fc03e2d911bd42d4532a7a
MD5 hash: 4b52d4f5e27287e2db23e793a652a11f
humanhash: fifteen-lemon-zebra-hawaii
File name:SecuriteInfo.com.VHO.Trojan.Win64.Zenpak.auj.10872.12367
Download: download sample
Signature Heodo
Create hunting rule
File size:375'296 bytes
First seen:2022-04-20 02:30:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c7299ff35d36f085b368e0d49e7db4ec (16 x Heodo)
ssdeep 6144:sq4dLUt3FhPgUqgoPOeT1sIfBKoh7xyHfsfF8OLFN16B1nO:sq4dokQv9ojyHfst1Rn6HO
Threatray 33 similar samples on MalwareBazaar
TLSH T1E0849E06B59D44B2D5B261B4B58B6A17F736BC41833DC3FB47900A6A0E7B390687BB30
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter SecuriteInfoCom
Tags:Emotet exe Heodo

Intelligence

File Origin
# of uploads :
1
# of downloads :
226
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Emotet
Create hunting rule
Link:
https://www.capesandbox.com/analysis/264759/
Detection(s):
SecuriteInfo.com.VHO.Trojan.Win64.Zenpak.auj.10872.12367.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed shell32.dll
Link:
https://www.filescan.io/uploads/625f7071ffe27d51191251ea/reports/4a78e745-f0ae-4559-aea8-fcd424ff904d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Emotet
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1e44d120-7ec9-4bc5-afa7-aeb91b37df52
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/979255
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Regsvr32 Network Activity
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 611742 Sample: SecuriteInfo.com.VHO.Trojan... Startdate: 20/04/2022 Architecture: WINDOWS Score: 80 40 Multi AV Scanner detection for submitted file 2->40 42 Sigma detected: Suspicious Call by Ordinal 2->42 44 Sigma detected: Regsvr32 Command Line Without DLL 2->44 46 Sigma detected: Regsvr32 Network Activity 2->46 7 loaddll64.exe 1 2->7         started        9 svchost.exe 2->9         started        12 svchost.exe 2->12         started        14 9 other processes 2->14 process3 dnsIp4 17 regsvr32.exe 5 7->17         started        20 cmd.exe 1 7->20         started        22 rundll32.exe 7->22         started        48 Changes security center settings (notifications, updates, antivirus, firewall) 9->48 24 MpCmdRun.exe 1 9->24         started        50 Query firmware table information (likely to detect VMs) 12->50 36 127.0.0.1 unknown unknown 14->36 signatures5 process6 signatures7 38 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->38 26 regsvr32.exe 17->26         started        30 rundll32.exe 2 20->30         started        32 conhost.exe 24->32         started        process8 dnsIp9 34 138.197.147.101, 443, 49742 DIGITALOCEAN-ASNUS United States 26->34 52 System process connects to network (likely due to code injection or exploit) 26->52 54 Hides that the sample has been downloaded from the Internet (zone.identifier) 30->54 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a668cf006e73e1be96a310ff4ab5d1833ec178717f7c8e85749827ff8587167b/
Threat name:
Win64.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2022-04-20 00:25:55 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
16 of 42 (38.10%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
emotet
Create hunting rule
Similar samples:
0182cce6c06675098a1c591f1ebb611d5107debd7ca4a33ce662d0f4ac2568d0
Heodo
217e21202fe40db1db5de317c8da4ce334ce92190a5232e8d5e2dcf8dde3a473
Heodo
56b98c27f72ea15082f64c9196c0de69a2205a4bddca5df408b1e7e2ce94506c
Heodo
71a1d9ec3327db8fe7fc07fbbd155ec06d994710f31d1e40f182757a40a8b8b5
Heodo
7a2a52aeddb93a2a5088274c8a331903b332b19742aedad20da9d114177b9b34
Heodo
7da33123061e1ba2e0168b9d75ae358fb5422b144068c52735937f939a30e4f3
Heodo
8b03814010d60c9332105d54a943361374bce3d9d872676645698c78b34c9b77
Heodo
93f0b29c3f327c1fec4fefc4811209e4840600ce555aec746a9d7ee3e63579ed
Heodo
a130fa6cd3805ec81d3139cb4e76cdd77602a12e50c66eb39d01c2244ffffb0a
Heodo
cdd06024b83a215dc7fb17d28c43fbcc53b4a9d060fd93c22226ae7af9354fa6
Heodo
+ 23 additional samples on MalwareBazaar
Result
Malware family:
emotet
Create hunting rule
Score:
  10/10
Tags:
family:emotet botnet:epoch4 banker trojan
Link:
https://tria.ge/reports/220420-czpsdahdh6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
Emotet
Malware Config
C2 Extraction:
138.197.147.101:443
134.195.212.50:7080
104.168.154.79:8080
149.56.131.28:8080
187.84.80.182:443
158.69.222.101:443
91.207.28.33:8080
5.9.116.246:8080
103.70.28.102:8080
153.126.146.25:7080
189.126.111.200:7080
110.232.117.186:8080
167.99.115.35:8080
146.59.226.45:443
201.94.166.162:443
103.43.46.182:443
103.132.242.26:8080
185.4.135.165:8080
159.65.88.10:8080
1.234.21.73:7080
196.218.30.83:443
46.55.222.11:443
82.165.152.127:8080
212.237.17.99:8080
45.176.232.124:443
103.75.201.2:443
209.250.246.206:443
27.54.89.58:8080
58.227.42.236:80
107.182.225.142:8080
45.235.8.30:8080
131.100.24.231:80
164.68.99.3:8080
185.8.212.130:7080
167.172.253.162:8080
203.114.109.124:443
129.232.188.93:443
206.189.28.199:8080
185.157.82.211:8080
172.104.251.154:8080
197.242.150.244:8080
183.111.227.137:8080
50.30.40.196:8080
151.106.112.196:8080
212.24.98.99:8080
176.104.106.96:8080
173.212.193.249:8080
134.122.66.193:8080
51.91.7.5:8080
45.118.115.99:8080
188.44.20.25:443
94.23.45.86:4143
209.126.98.206:8080
101.50.0.91:8080
1.234.2.232:8080
51.91.76.89:8080
72.15.201.15:8080
160.16.142.56:8080
119.193.124.41:7080
216.158.226.206:443
51.254.140.238:7080
Unpacked files
SH256 hash:
a668cf006e73e1be96a310ff4ab5d1833ec178717f7c8e85749827ff8587167b
MD5 hash:
4b52d4f5e27287e2db23e793a652a11f
SHA1 hash:
0f4adc1e2e28b0b2e9fc03e2d911bd42d4532a7a
Link:
https://www.unpac.me/results/d93a83e3-e5ac-4eb5-8a44-8a97886d87cf/
Malware family:
Emotet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a668cf006e73/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a668cf006e73e1be96a310ff4ab5d1833ec178717f7c8e85749827ff8587167b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/264759/

Comments