MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1050efbc8ec4d8d6804f836d3bc33f69d1308f59b65aa19c98a33532bb7cfe2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1050efbc8ec4d8d6804f836d3bc33f69d1308f59b65aa19c98a33532bb7cfe2
SHA3-384 hash: 6e88cfd16509cd0acf78cb520bf2fb7a6c81639002069f5aaa49121c0d27d82da7b327e9542760c5c56b6b5496a4875b
SHA1 hash: 30a4a7e9f4f90af67c5a12f1c56c87ecc0049803
MD5 hash: 5c93b74c3b3e7381a880ad97e792942b
humanhash: orange-arizona-emma-montana
File name:5c93b74c3b3e7381a880ad97e792942b
Download: download sample
Signature Heodo
Create hunting rule
File size:540'160 bytes
First seen:2021-12-25 01:12:46 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash b5dc9ad96b513c24df30cb14bee2b2dd (28 x Heodo)
ssdeep 6144:GRQUWntghU/R+WtlgxTGZE7AeZ5V3Mi8oRifx/7/AOkcNlO+jOUTWolWVS/NeCcS:OUtghUkiKiZkAeZ5V3doKJ+iQVsV0/
Threatray 395 similar samples on MalwareBazaar
TLSH T153B4C001F6C1D077C12E0430262ED73A4A3A7D749B2899EB93D49A7F4E706C15E35EAE
Reporter zbetcheckin
Tags:32 dll Emotet exe Heodo

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/216289/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.51189.12278.26942.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
DNS request
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61c670278991ba72b3967d5d/reports/5f911927-847b-44d4-aae4-ff4414486841/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b5decd8e-0031-43b6-b86a-ca4a5a252ea8
Result
Threat name:
Emotet
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/912619
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Tries to detect virtualization through RDTSC time measurements
Yara detected Emotet
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 545097 Sample: zdYjlk5UD1 Startdate: 25/12/2021 Architecture: WINDOWS Score: 80 38 162.214.50.39 UNIFIEDLAYER-AS-1US United States 2->38 40 203.114.109.124 TOT-LLI-AS-APTOTPublicCompanyLimitedTH Thailand 2->40 42 34 other IPs or domains 2->42 48 Found malware configuration 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 Yara detected Emotet 2->52 54 2 other signatures 2->54 9 loaddll32.exe 1 2->9         started        12 svchost.exe 1 2->12         started        14 svchost.exe 1 2->14         started        signatures3 process4 signatures5 56 Tries to detect virtualization through RDTSC time measurements 9->56 16 cmd.exe 1 9->16         started        18 regsvr32.exe 9->18         started        21 rundll32.exe 2 9->21         started        23 3 other processes 9->23 process6 signatures7 25 rundll32.exe 16->25         started        44 Tries to detect virtualization through RDTSC time measurements 18->44 28 rundll32.exe 18->28         started        46 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->46 30 rundll32.exe 21->30         started        32 rundll32.exe 23->32         started        34 rundll32.exe 23->34         started        process8 signatures9 58 Tries to detect virtualization through RDTSC time measurements 25->58 36 rundll32.exe 25->36         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b1050efbc8ec4d8d6804f836d3bc33f69d1308f59b65aa19c98a33532bb7cfe2/
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2021-12-25 01:13:13 UTC
File Type:
PE (Dll)
Extracted files:
4
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
emotet
Create hunting rule
Similar samples:
0239ccb0d3f610d6af8e3c5f5016bee87cf070f9e755adfc433c0afe06aeaf8b
Heodo
1e0eac8f6518dbcd6cd9c52acc913e02a4523b5a74080b8b59f2b65da6efe378
Heodo
30b624ce45e78d37193b739d653bffef18a067bfef94a0835e266541d83cbd18
Heodo
5083a010eebcbbdec77ae2c8ed79ce145b4a8fe5e8a06b188142ee6d2c38a431
Heodo
525cad864e0ca1450fc2e30caefab55372398cff8f5f3822566022ee0a652345
Heodo
587acc97a36898f25150a97b33647c66343abfaca3bc0dd5dbcb14f849f71837
Heodo
5f775497d95f169059a3c452d95d048401a55d7d5b1effb23d4f1b83c64f3944
Heodo
7b9411771c7dd51e84b9be71fb9cbe42ea9da534d8a3c61ba1992b7074995588
Heodo
b2bd03106cf484e043b77f2331a503d474a7b75e0f41c3564c8da4cd038a21a5
Heodo
e2d02ddcea53a61af2ead95c33b8d5f861d19a608bdc42beec14e326e9e9ce01
Heodo
+ 385 additional samples on MalwareBazaar
Result
Malware family:
emotet
Create hunting rule
Score:
  10/10
Tags:
family:emotet botnet:epoch4 banker trojan
Link:
https://tria.ge/reports/211225-bk4sbafhd2/
Behaviour
Suspicious use of WriteProcessMemory
Emotet
Malware Config
C2 Extraction:
144.217.91.150:443
51.38.71.0:443
212.237.56.116:7080
79.172.212.216:8080
178.79.147.66:8080
138.185.72.26:8080
192.254.71.210:443
178.63.25.185:443
195.154.133.20:443
45.118.135.203:7080
81.0.236.90:443
107.182.225.142:8080
162.214.50.39:7080
50.116.54.215:443
203.114.109.124:443
45.118.115.99:8080
216.158.226.206:443
104.168.155.129:8080
110.232.117.186:8080
176.104.106.96:8080
46.55.222.11:443
51.68.175.8:8080
207.38.84.195:8080
58.227.42.236:80
45.176.232.124:443
104.251.214.46:8080
103.8.26.102:8080
45.142.114.231:8080
217.182.143.207:443
41.76.108.46:8080
212.237.5.209:443
103.8.26.103:8080
212.237.17.99:8080
173.212.193.249:8080
158.69.222.101:443
103.75.201.2:443
Unpacked files
SH256 hash:
b40a8936c34a1ea347ce6e6ed4ee50cf249d72d2f0aeb14017a06c0cd454bbdd
MD5 hash:
177824b3514b23a727f37603a086d10f
SHA1 hash:
a0993d07bc1a9e2a4cf76694a057347d39aaf051
Detections:
win_emotet_a2
Create hunting rule
win_emotet_auto
Create hunting rule
Link:
https://www.unpac.me/results/24b9e108-4e86-4b49-93b2-6a86a38e42e6/
SH256 hash:
b1050efbc8ec4d8d6804f836d3bc33f69d1308f59b65aa19c98a33532bb7cfe2
MD5 hash:
5c93b74c3b3e7381a880ad97e792942b
SHA1 hash:
30a4a7e9f4f90af67c5a12f1c56c87ecc0049803
Link:
https://www.unpac.me/results/24b9e108-4e86-4b49-93b2-6a86a38e42e6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b1050efbc8ec4d8d6804f836d3bc33f69d1308f59b65aa19c98a33532bb7cfe2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Heodo

DLL dll b1050efbc8ec4d8d6804f836d3bc33f69d1308f59b65aa19c98a33532bb7cfe2

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1918599/
Cape
Cape
https://www.capesandbox.com/analysis/216289/

Comments


Avatar
zbet commented on 2021-12-25 01:12:48 UTC

url : hxxp://ferozeajmali.com/habitus/6KUMhYykY/