MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b85e7cf333acc93e74b38cb5158aa947359feb1df04a4f27f5569a740689a895. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	b85e7cf333acc93e74b38cb5158aa947359feb1df04a4f27f5569a740689a895
SHA3-384 hash:	f1259d0ac1c413b4c1f16d7d142f2175d014d1959733006aca9b1b1b3ab2290ca69d8ce1d125358b50765cdc45e70910
SHA1 hash:	6196f76462244d34d32904da8fd451e8ad5040eb
MD5 hash:	566ce1cd261f69ad67efda6de64a1bd9
humanhash:	alabama-mobile-missouri-zulu
File name:	hbqen.dll
Download:	download sample
Signature	Heodo Create hunting rule
File size:	676'352 bytes
First seen:	2022-11-02 07:54:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6e8babed9b0b941a34aa7c12e96745c0 (38 x Heodo)
ssdeep	12288:H6NFi+qz19gtAgY2tiZl4S/aukg78I8v4lSRi4gu2CTRD:aNY19gigZtiZydukmQAlQEG
Threatray	6'449 similar samples on MalwareBazaar
TLSH	T1B0E48C82F6AC84B0D06BD13DC9A34B45EA713C988B3597CB5394EB2A2F337D55939321
TrID	37.7% (.SCR) Windows screen saver (13101/52/3) 30.3% (.EXE) Win64 Executable (generic) (10523/12/4) 14.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.8% (.EXE) OS/2 Executable (generic) (2029/13) 5.7% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter	matcha_shake
Tags:	Emotet exe Heodo

Intelligence

File Origin

# of uploads :

1

# of downloads :

241

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

hbqen.dll

Verdict:

No threats detected

Analysis date:

2022-11-02 07:56:22 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/bd490c61-2a2f-47ec-8b4d-d877ec228a86

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/327017/

Detection(s):

SecuriteInfo.com.Win64.BotX-gen.15406.32435.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Launching a process

Sending a custom TCP request

Moving of the original file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/47327/overview

Behaviour

MalwareBazaar

CheckScreenResolution

CursorPosition

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware keylogger packed

Link:

https://www.filescan.io/uploads/6362225758409ff7bc0c8491/reports/ae9d42e5-e60d-45e7-a898-5acc5c273f96/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/ac93d451-5bc1-4eae-9535-3aba0516f9b6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b85e7cf333acc93e74b38cb5158aa947359feb1df04a4f27f5569a740689a895/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xbphz4ztvtet45ftrs2rlcvji42z72y56bfe6j7vk2nhibujvckq._file

Verdict:

malicious

Label(s):

emotet

Similar samples:

136eddfd86a8ee4a6e6c8ed4d82bc78e795e5f02ff5e347dd95893a9b011222f

38b951946943714900dc29bb01ce025a84e0f52f095e2901e74a509b9499f2c6

864e6ddd9c09a95df11b80abbaa0b1a9a4fb890cb27ad21883f44853094bb0cd

98d1a1ed8da6588112a805e5864e7ff29031d5bf9db49486a63fc7d652e66f8e

997e83ecf17b2ea03da19ee8897457445263f9a6daecc750b6430f952fe0e60c

9e4ef8eeb8d7eeab54ac5d61c175c32c82a9b7f4e6a28b1b776e789edffcfbbb

e66a0d185d9ce0330072e8a13d07f3d9bb56cb7b7ad1b0db2780e74b7e55c3d4

f07c61b593733b1a8d2b35f0667a3d39988917f0ceaa73b474f9a559beddf992

+ 6'439 additional samples on MalwareBazaar

Result

Malware family:

emotet

Score:

10/10

Tags:

family:emotet banker persistence trojan

Link:

https://tria.ge/reports/221102-jr41nabafk/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Adds Run key to start application

Emotet

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/55321775-8a48-493d-85bc-9511c3e150cc

Unpacked files

SH256 hash:

b85e7cf333acc93e74b38cb5158aa947359feb1df04a4f27f5569a740689a895

MD5 hash:

566ce1cd261f69ad67efda6de64a1bd9

SHA1 hash:

6196f76462244d34d32904da8fd451e8ad5040eb

Link:

https://www.unpac.me/results/e0ea6e8f-91a7-40c1-b3b1-7592abf27ae0/

Malware family:

Emotet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b85e7cf333ac/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b85e7cf333acc93e74b38cb5158aa947359feb1df04a4f27f5569a740689a895

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

Cape

https://www.capesandbox.com/analysis/327017/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample