MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1bf14f35229eb9706c41d99ed0b7cba9b307f7ba84648b4235750cad1ef063f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 18

SHA256 hash: b1bf14f35229eb9706c41d99ed0b7cba9b307f7ba84648b4235750cad1ef063f
SHA3-384 hash: 0ba1b292025e59768b5898a0ab762fe0d8899bed333716f6a0ce41d5c608d21ed95fbace48d5f9dd2ade22d130f95527
SHA1 hash: c23bb4908353c3a9be9abc47f3efa2918650e60d
MD5 hash: 0aa6586e953d322f1d742ce8da578541
humanhash: video-iowa-rugby-utah
File name: ExeFile (106).exe
Signature: Heodo
File size: 225'280 bytes
First seen: 2024-08-20 14:08:29 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 383dc7a2e3f1ef0c20c50beefdda0ac1 (70 x Heodo)
ssdeep: 3072:1mNXdDFrtXx7bZKxehc4bjLwEe/IN0r6blblNvakKHMxpNqWQ+xIYXD:mNxrtXRbQqvLXegc6BPa7
Threatray: 769 similar samples on MalwareBazaar
TLSH: T1EC24AE1273D0C5B6D1B322750DA68BA466B6FC308F72CB8727543B4F5E34AC59A39392
TrID:
  50.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  27.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  9.1% (.EXE) Win64 Executable (generic) (10523/12/4)
  4.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
  3.9% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon: 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter: byMattii1234
Tags: Emotet Heodo

Intelligence

File Origin
# of uploads: 1
# of downloads: 131
Origin country: DE
Vendor Threat Intelligence
ID: 1
File name: ExeFile (106).exe
Verdict: Malicious activity
Analysis date: 2024-08-20 14:45:00 UTC
Tags: emotet stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Verdict: Malicious
Score: 99.1%
Tags: Execution Generic Network Other Stealth Trojan Emotet

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: epmicrosoft_visual_cc fingerprint iceid keylogger microsoft_visual_cc packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Suricata IDS alerts for network traffic
Yara detected Emotet
Threat name: Win32.Trojan.Emotet
Status: Malicious
First seen: 2020-09-25 04:38:18 UTC
File Type: PE (Exe)
Extracted files: 40
AV detection: 32 of 38 (84.21%)
Threat level: 5/5
Result
Score: 10/10
Tags: family:emotet botnet:epoch2 banker discovery trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
System Location Discovery: System Language Discovery
Emotet payload
Emotet
Malware Config
C2 Extraction:
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 5d267403191a8786db2062584f298478ba59aa7b4d23adcf850a2c14a55c6d97
MD5 hash: 68c76c3403570a22ce7a60a1b68d9056
SHA1 hash: fa2bd2d37be88701a5c41b7955a72aede5275bb7
Detections: win_emotet_a2 Win32_Trojan_Emotet
Parent samples:
SHA256 hash: 97330ae586dce2ea1e6e1508ceefd4d946c4f32a2533c1d8db3fb64908ce6c53
MD5 hash: febffc5a8140c5ab1542b4e30e66c060
SHA1 hash: 1621e3f3fe8b37ab27f15d55e5a4d870039a395e
Detections: win_grimagent_auto win_emotet_a2 Win32_Trojan_Emotet

SHA256 hash: b1bf14f35229eb9706c41d99ed0b7cba9b307f7ba84648b4235750cad1ef063f
MD5 hash: 0aa6586e953d322f1d742ce8da578541
SHA1 hash: c23bb4908353c3a9be9abc47f3efa2918650e60d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download: Heodo, Executable exe b1bf14f35229eb9706c41d99ed0b7cba9b307f7ba84648b4235750cad1ef063f (this sample)
Delivery method: Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::GetSystemInfo, KERNEL32.dll::GetStartupInfoA, KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::SetStdHandle
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExA, ADVAPI32.dll::RegDeleteKeyA, ADVAPI32.dll::RegOpenKeyExA, ADVAPI32.dll::RegOpenKeyA, ADVAPI32.dll::RegQueryValueExA, ADVAPI32.dll::RegQueryValueA
WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuA, USER32.dll::FindWindowA, USER32.dll::PeekMessageA, USER32.dll::CreateWindowExA