MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2e580936468414e204e9da4fd5c0b2b5719c3a6af5bb2796d29e061cfa872cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 16



SHA256 hash: b2e580936468414e204e9da4fd5c0b2b5719c3a6af5bb2796d29e061cfa872cc
SHA3-384 hash: 36d66eee2b09563082237de7c9393fc95ec7f37ee4e8e5e0d88c42b00057f4457338deee4a142bb196653bab047a090d
SHA1 hash: ee8717fefe44c90cdd41ff52fd3402a565c3986a
MD5 hash: f4f8bdef1fcc6271e430ac06a14e7fb8
humanhash: five-summer-berlin-burger
File name: f4f8bdef1fcc6271e430ac06a14e7fb8.exe
Signature: Heodo
File size: 417'892 bytes
First seen: 2024-09-25 16:25:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c60c499092f93ea388f8e4d5b9d84aeb (1 x Heodo)
ssdeep: 6144:IUqmsjhG9pJ8NU8Z1+3iFLs+4MrQLhElL9nZ0p5Vf0Wuk0d4ohXyulBiJ2EE:LajhG9pJmN4e5LIQZ0fVfMHituz02n
Threatray: 69 similar samples on MalwareBazaar
TLSH: T14094CF00A7E1C039F5B713F48AB692A8E9297EA16B3580CF62D15BEA67347D0DD31317
TrID: 46.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
      25.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      8.5% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika: pebin
Reporter: abuse_ch
Tags: DBatLoader Emotet exe Heodo Kovter Novter


abuse_ch
Heodo C2:
88.253.254.6:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 88.253.254.6:80 (ThreatFox reference: https://threatfox.abuse.ch/ioc/1329133/)

Intelligence


File Origin
# of uploads: 1
# of downloads: 638
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: f4f8bdef1fcc6271e430ac06a14e7fb8.exe
Verdict: No threats detected
Analysis date: 2024-09-25 16:32:02 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: Encryption Execution Generic Static Stealth Kovter Shellcode Exploit Kovter Tori
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Your mouse was active while VM was running
Creating synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
Creating a window
Creating a process with a hidden window
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: epmicrosoft_visual_cc keylogger kovter lolbin microsoft_visual_cc mikey miuref overlay packed setupapi yakes
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: DBatLoader, Kovter, Novter
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Creates processes via WMI
Delayed program exit found
Detected unpacking (changes PE section rights)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Yara detected DBatLoader
Yara detected Kovter
Yara detected Novter bot
Behaviour
Behavior Graph (ID 1518475; sample pAidPh3K8N.exe; start date 25/09/2024; architecture WINDOWS; score 100): pAidPh3K8N.exe started mshta.exe, which started powershell.exe, which started conhost.exe; pAidPh3K8N.exe also started three WerFault.exe instances, two of which dropped C:\ProgramData\Microsoft\...\Report.wer (Unicode); svchost.exe contacted 127.0.0.1 (unknown). Signatures shown on the graph: Found malware configuration; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 7 other signatures; Detected unpacking (changes PE section rights); Creates processes via WMI; Delayed program exit found; Contains functionality to detect sleep reduction / modifications; Suspicious powershell command line found; Found suspicious powershell code related to unpacking or dynamic code loading.
Threat name: Win32.Ransomware.Kovter
Status: Malicious
First seen: 2015-09-22 04:15:40 UTC
File Type: PE (Exe)
AV detection: 33 of 38 (86.84%)
Threat level: 5/5
Result
Malware family: modiloader
Score: 10/10
Tags: family:modiloader discovery evasion execution persistence trojan
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in System32 directory
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Maps connected drives based on registry
Checks BIOS information in registry
Deletes itself
Adds policy Run key to start application
Looks for VMWare Tools registry key
Checks for common network interception software
Looks for VirtualBox Guest Additions in registry
Looks for VirtualBox drivers on disk
ModiLoader Second Stage
ModiLoader, DBatLoader
Process spawned unexpected child process
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Check_OutputDebugStringA_iat
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF) | high
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high
Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | ADVAPI32.dll::GetAce, USER32.dll::GetUserObjectSecurity, ADVAPI32.dll::InitializeAcl, ADVAPI32.dll::InitializeSecurityDescriptor, USER32.dll::SetUserObjectSecurity
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AddAccessAllowedAceEx, ADVAPI32.dll::AddAce, ADVAPI32.dll::GetAclInformation, ADVAPI32.dll::GetSecurityDescriptorDacl, ADVAPI32.dll::SetSecurityDescriptorDacl
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateFileW
WIN_USER_API | Performs GUI Actions | USER32.dll::OpenClipboard, USER32.dll::CreateWindowExA

Comments