MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b92df59091f224abb1d3d9028675a6c5723b261262d9cd945a45d90212afafa3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b92df59091f224abb1d3d9028675a6c5723b261262d9cd945a45d90212afafa3
SHA3-384 hash: 59c527c3cc52caaa98979a00732fa144826e9ced4465290b3675ad9a39fd455d3093f0dbdbbf4fa4d3a56769ee210dfa
SHA1 hash: 2cd9f2612d207893ca0619da816342bac14a4096
MD5 hash: 08e5f36daf9edb54af101af10618fff8
humanhash: butter-cold-november-lake
File name:opp.exe
Download: download sample
Signature Heodo
Create hunting rule
File size:686'392 bytes
First seen:2020-12-08 11:13:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bacd130206714d0940a14df0a82e0b8a (3 x ModiLoader, 2 x Heodo)
ssdeep 12288:rZfbY6IbcKK04S+955Vy7XRVXCP0XbAfX44xC/eKRKQ:rF8OKfKPcyeUfX44xCb
Threatray 20 similar samples on MalwareBazaar
TLSH 2FE4BF22F1A3853BD1271A3D9C1B96BC9875BF513D2878866BE95D0C4E3E6C3382E057
Reporter ffforward
Tags:Emotet exe Heodo

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
opp.exe
Verdict:
No threats detected
Analysis date:
2020-12-08 11:34:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e026f46b-d3b6-4fd7-a38f-f5223914522e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107236/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Variant.Bulz.252116.13533.16052.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Connection attempt
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/557840
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b92df59091f224abb1d3d9028675a6c5723b261262d9cd945a45d90212afafa3/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-12-08 11:14:06 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a
Heodo
08748788c6b5038ebd459dd1ca22636f8510231ccbe58c7e13725218ba599c63
Heodo
11d195441403dc817c5548c7ecb041e5e328f0751d6cc295058e81f916cea67e
Heodo
2dae80e04d518be8a6e1659d53afd6aea2eecc35086db46b4dd0a701a4b6f812
Heodo
6fe2c258a1b901252b18bd79958169566e889fe74af69b54afc53f5945184268
Heodo
7ee5b9efb560631ad507780466048457784cdde32db86f60b06da06e5a1201ce
Heodo
943ff6246e04df7820f06c61b030b6c18249664ad2fbf34d09f3e6306e565c88
Heodo
957ef05564cba68f526fe7d881b3957a933b14196205f2cf6d9e287c100ab85c
Heodo
99cf04b4681e23be9445dd54668231f52276645f4c263e4d2c1c730e7d264303
Heodo
f862eb253778c7b1c35349d798736124d7ee97db446217b2e5962fe2431d1e46
Heodo
+ 10 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/201208-ta8pke5p22/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
b92df59091f224abb1d3d9028675a6c5723b261262d9cd945a45d90212afafa3
MD5 hash:
08e5f36daf9edb54af101af10618fff8
SHA1 hash:
2cd9f2612d207893ca0619da816342bac14a4096
Link:
https://www.unpac.me/results/8d95e5cd-90c7-4168-bb4e-50960e3a5a63/
SH256 hash:
3598e40303510365ccb486ae1d4cc1715e2e4c56ebd2ccb913afa1b9b2077a05
MD5 hash:
829d5b86e8460f3dc95682fa31008108
SHA1 hash:
5686603f20173ab3d6068b447f6315547ffa26c6
Link:
https://www.unpac.me/results/8d95e5cd-90c7-4168-bb4e-50960e3a5a63/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b92df59091f224abb1d3d9028675a6c5723b261262d9cd945a45d90212afafa3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Excel file xlsx 11d195441403dc817c5548c7ecb041e5e328f0751d6cc295058e81f916cea67e

Heodo

Executable exe b92df59091f224abb1d3d9028675a6c5723b261262d9cd945a45d90212afafa3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/898740/
  
Dropped by
SHA256 11d195441403dc817c5548c7ecb041e5e328f0751d6cc295058e81f916cea67e
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/107236/

Comments