MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b00b0a31d4f9c373d720daa53bedfe7cf57cf4827fa58465cf60923913fc1bb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 9

Intelligence 9 IOCs YARA 4 File information Comments

SHA256 hash:	b00b0a31d4f9c373d720daa53bedfe7cf57cf4827fa58465cf60923913fc1bb6
SHA3-384 hash:	6172a870ccde338c17c114795bf2896accf6721e6fa3de56ef76b23f3f1fa221b26c5eda814c187bc6d1fab2d1c558de
SHA1 hash:	ce60ea865d7f05f290f732725608af87cf5c36cb
MD5 hash:	535808cac3ad2ec6438ea4b2e8704bf6
humanhash:	butter-tennis-shade-fish
File name:	b00b0a.dll
Download:	download sample
Signature	Heodo Create hunting rule
File size:	356'696 bytes
First seen:	2022-03-04 14:29:25 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	af263152594d80bd9c18d0a70e4d94ec (26 x Heodo)
ssdeep	3072:/a99Ky1S0SD8MHjO73Ba01/H/7FlwZ2RJJBvX+WUEAQbb:/aGy1nS8MHi7xai73JtkWUEAKb
Threatray	3'475 similar samples on MalwareBazaar
TLSH	T1D1749CEAF8BBA814C789F1716BDA6D7399378F33028C61757F542ACE03836C81AD6405
Reporter	adm1n_usa32
Tags:	dll Emotet Heodo

Intelligence

File Origin

# of uploads :

# of downloads :

180

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Emotet

Link:

https://www.capesandbox.com/analysis/247370/

Detection(s):

Win.Malware.Generic-9822852-0

Win.Malware.Generic-9822878-0

Win.Ransomware.Emotet-9822990-0

Win.Ransomware.Emotet-9822991-0

Win.Ransomware.Emotet-9823370-0

Win.Ransomware.Emotet-9823373-0

Win.Ransomware.Emotet-9823374-0

Win.Ransomware.Emotet-9823375-0

Win.Ransomware.Emotet-9823377-0

Win.Ransomware.Emotet-9823378-0

Win.Ransomware.Emotet-9823379-0

Win.Ransomware.Emotet-9823380-0

Win.Ransomware.Emotet-9823381-0

Win.Ransomware.Emotet-9823382-0

Win.Ransomware.Emotet-9823383-0

Win.Ransomware.Emotet-9823384-0

Win.Ransomware.Emotet-9823385-0

Win.Ransomware.Emotet-9823387-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Emotet

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9fbb1e02-6a85-4989-9d79-40affe3ade84

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b00b0a31d4f9c373d720daa53bedfe7cf57cf4827fa58465cf60923913fc1bb6/

Threat name:

Win32.Trojan.PinkSbot

Status:

Malicious

First seen:

2021-01-20 18:47:41 UTC

File Type:

PE (Dll)

AV detection:

35 of 42 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wafqumou7hbxhvza3kstx3p6pt2xz5ecp6syizopmcjdse74do3a._file

Verdict:

malicious

Label(s):

emotet

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/220304-rt6ahagefm/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Blocklisted process makes network request

Unpacked files

SH256 hash:

e26e4c92f7fda13abff367a9147d63aa2d09b0a87a6b9ac3d10de4dbfe61e8a3

MD5 hash:

cdcd84d1d782e94cff60db893e12449a

SHA1 hash:

3c2e33a67fc8b59c6806edef543a782eaa86118e

Detections:

win_emotet_a2

win_emotet_auto

Link:

https://www.unpac.me/results/7bfba913-069c-4e77-b073-5325622ad253/

Parent samples :

b5abacf24ae5aa96016c09f71a78d0121fff396d6154740eab622c4751e1764f
06040e1406a3b99da60e639edcf14ddb1f3c812993b408a8164285f2a580caaf
4f0aebbe2bd0308a5f20f96491a8c87875b2373da050bb36f8b9fc3200dc8215
b00b0a31d4f9c373d720daa53bedfe7cf57cf4827fa58465cf60923913fc1bb6

SH256 hash:

b00b0a31d4f9c373d720daa53bedfe7cf57cf4827fa58465cf60923913fc1bb6

MD5 hash:

535808cac3ad2ec6438ea4b2e8704bf6

SHA1 hash:

ce60ea865d7f05f290f732725608af87cf5c36cb

Link:

https://www.unpac.me/results/7bfba913-069c-4e77-b073-5325622ad253/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/b00b0a31d4f9c373d720daa53bedfe7cf57cf4827fa58465cf60923913fc1bb6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Emotet Create hunting rule
Author:	kevoreilly
Description:	Emotet Payload

Rule name:	INDICATOR_KB_CERT_98a04ea05e8a949a4d880d0136794df3 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	Win32_Trojan_Emotet Create hunting rule
Author:	ReversingLabs
Description:	Yara rule that detects Emotet trojan.

Rule name:	win_emotet_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.emotet.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

any.run

https://app.any.run/tasks/4e9c4338-6e89-476b-8a15-934e3b51784e

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/247370/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample