MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0b1dffc4817f772584318a9554251d1cb45a6f0955bd4819a387466ed1f347b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 15

Intelligence 15 IOCs YARA 5 File information Comments

SHA256 hash:	b0b1dffc4817f772584318a9554251d1cb45a6f0955bd4819a387466ed1f347b
SHA3-384 hash:	39ee6f15336bd89bc1dd259404ab12c9929578273b7655d0c7fe1667498db0935b5aa74caaae475f1c09e797685823eb
SHA1 hash:	c80566dc1831a8f97fdac16d9c9bdf8b344ab35e
MD5 hash:	33c279b40a6bd3b9bb5dca8d41ec9fcc
humanhash:	wisconsin-eleven-fifteen-august
File name:	33c279b40a6bd3b9bb5dca8d41ec9fcc.exe
Download:	download sample
Signature	Heodo Create hunting rule
File size:	364'934 bytes
First seen:	2022-11-04 00:07:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	32da495527a54fb94993345128030d1d (1 x Heodo)
ssdeep	6144:smUdcds3QFSx8tWHTG7pYIGAKeBbCalBcDS00XxMOxz0hJGUKsvZVM5QiMtq5:smlddw+MeBb5lBIPjOMJGOZV9Q
Threatray	2'401 similar samples on MalwareBazaar
TLSH	T1D874018B63C542F0E7AB18F50DAAA23FCB1ADEC6442A87C753D4EE423573191C627270
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	92d1e8b2da6c3292 (1 x Heodo)
Reporter	abuse_ch
Tags:	Emotet exe Heodo

abuse_ch

Heodo C2:
158.228.217.76:80

Intelligence

File Origin

# of uploads :

# of downloads :

304

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

13.zip

Verdict:

Malicious activity

Analysis date:

2022-11-04 00:08:00 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/9a94446e-b405-44c0-87a9-ebc7a2c6868d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Kovter

Link:

https://www.capesandbox.com/analysis/328285/

Detection(s):

Win.Packed.Kovter-6333830-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Launching a process

Sending a custom TCP request

Creating a window

Creating a process with a hidden window

Forced system process termination

Searching for the window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

kovter overlay packed poweliks upatre

Link:

https://www.filescan.io/uploads/636457e3d998c15a09aafe75/reports/728fd1a5-c905-466a-93bd-2fe31d594974/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Kovter

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8f764299-24fc-4269-8d81-811fa9c465f9

Result

Threat name:

DBatLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1104963

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Creates processes via WMI

Delayed program exit found

Detected unpacking (changes PE section rights)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suspicious powershell command line found

Yara detected DBatLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b0b1dffc4817f772584318a9554251d1cb45a6f0955bd4819a387466ed1f347b/

Threat name:

Win32.Downloader.Upatre

Status:

Malicious

First seen:

2017-04-06 08:38:19 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 26 (96.15%)

Threat level:

3/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wcy577cic73xewcddcuvkqsr2hfuljxqsvn5jam2hb2gn3i7gr5q._file

Verdict:

malicious

Heodo

60d6993aa5a8afaec167636b1d2231843134714a95cf4137a0cb765e10fd4284

Heodo

62184398a535b5aa0ccd7457470cdb9ab4fc22aaaed11a19cef2ddba8d75eaf5

Heodo

67012c9555804fbfe82f17ee6d7d09196ed356053e2e778f49a998a4b718d6a6

Heodo

e0233612d6f430952f891f3ca4d40ae4c825c428691a8bdff7b34f335beda674

Heodo

+ 2'391 additional samples on MalwareBazaar

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:modiloader evasion persistence trojan

Link:

https://tria.ge/reports/221104-aewn3sbbbn/

Behaviour

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in System32 directory

Suspicious use of SetThreadContext

Adds Run key to start application

Maps connected drives based on registry

Checks BIOS information in registry

Checks computer location settings

Deletes itself

Looks for VMWare Tools registry key

Checks for common network interception software

Looks for VirtualBox Guest Additions in registry

Looks for VirtualBox drivers on disk

ModiLoader Second Stage

ModiLoader, DBatLoader

Process spawned unexpected child process

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/869228fe-e450-4e74-a7c4-c8b4c51e8e77

Unpacked files

SH256 hash:

4d5846e07b1c8d189a7af6f6812dec18188ce335e35b571647faeec8ccbb606a

MD5 hash:

fb47db4ff8b8400ae9ead3a1ef58b175

SHA1 hash:

568c9f5326de8b33dcf343de2b45e9856bc5c534

Detections:

win_kovter_g0

win_kovter_a0

win_kovter_auto

Link:

https://www.unpac.me/results/e2686d07-5e27-4258-b273-72e7f7ac7042/

Parent samples :

64baa604001b64764cb7aae4019abc73929ea59965fba733871e5e17377b1b84
21621ac382cc4b809513ccc6f859f4c12f049e8ac6d9e7edd41cd950278f463f
618de6ea7c34a83092d90198f6ee88f5c317dcb46d9ea320aec8c5b46ce54824
4defd9f70057e085921215b34a0b170a75f04d5365c060c0eb013e8b1948b4ef
b0b1dffc4817f772584318a9554251d1cb45a6f0955bd4819a387466ed1f347b
761f42f03e50ef9b2eb1b1041c81cc6ed24cbc8ce2d6df3c87f193493b4a4772
e93ea2c9e689a35ef77e597a4cf34409f9c02dd74790716eae060304995d6289
5acd0b023bd7da111dc456b74894af78e3355c4ed8a7e87fab9068e70fbc2268

SH256 hash:

2d4ce20fb9a0c2ec0223cb0552468e42ed1282fd106bd58615c73b10f4608162

MD5 hash:

50c58f030e7f9c348b4fc51c0f1adf95

SHA1 hash:

56c90149dd6fbc51101fa90b9430e0c67a903d09

Link:

https://www.unpac.me/results/e2686d07-5e27-4258-b273-72e7f7ac7042/

SH256 hash:

b0b1dffc4817f772584318a9554251d1cb45a6f0955bd4819a387466ed1f347b

MD5 hash:

33c279b40a6bd3b9bb5dca8d41ec9fcc

SHA1 hash:

c80566dc1831a8f97fdac16d9c9bdf8b344ab35e

Link:

https://www.unpac.me/results/e2686d07-5e27-4258-b273-72e7f7ac7042/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b0b1dffc4817f772584318a9554251d1cb45a6f0955bd4819a387466ed1f347b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	aPLib_decompression Create hunting rule
Author:	@r3c0nst
Description:	Detects aPLib decompression code often used in malware
Reference:	https://ibsensoftware.com/files/aPLib-1.1.1.zip

Rule name:	Kovter Create hunting rule
Author:	kevoreilly
Description:	Kovter Payload

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	Win32_Ransomware_Kovter Create hunting rule
Author:	ReversingLabs
Description:	Yara rule that detects Kovter ransomware.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/328285/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample