MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b942fc1dac93aee2a1851320550646561134564f0a38585f3a16b024221f152e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b942fc1dac93aee2a1851320550646561134564f0a38585f3a16b024221f152e
SHA3-384 hash: 29f183e0fbea627eaf8d68c86061f508b34e7f690e362def44cf2249d409d327b8bd0656a567d24f19df29f3047f8a9c
SHA1 hash: cabd670356eb3a183f5d0d585972245ce6292f91
MD5 hash: 17b478292cbfbf4efdf27efe702d5a8c
humanhash: jersey-glucose-arkansas-sad
File name:emotet_exe_e2_b942fc1dac93aee2a1851320550646561134564f0a38585f3a16b024221f152e_2020-10-21__134135._exe
Download: download sample
Signature Heodo
Create hunting rule
File size:685'056 bytes
First seen:2020-10-21 13:41:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 14c47c4e82000e6583657c74e96fcc05 (88 x Heodo)
ssdeep 12288:jGBJzNyknEyM6MlnKFEPD9xF9S7Y5CzRQITFx0Vg+Qfu:jGhM6MlZLoM8SITrug+QW
TLSH 16E4D02132E0C436D2A7357648A6D7B46AB9BD708C75C30F6B903B7E9F306929A1471F
Reporter Cryptolaemus1
Tags:Emotet epoch2 exe Heodo


Avatar
Cryptolaemus1
Emotet epoch2 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
64
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Emotet
Create hunting rule
Link:
https://www.capesandbox.com/analysis/74156/
Detection(s):
Win.Trojan.Emotet-9781265-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending an HTTP POST request
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b942fc1dac93aee2a1851320550646561134564f0a38585f3a16b024221f152e/
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2020-10-21 13:43:22 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xfbpyhnmsoxofimfcmqfkbsgkyitivspbi4fqxz2c2yciiq7cuxa._file
Result
Malware family:
emotet
Create hunting rule
Score:
  10/10
Tags:
trojan banker family:emotet
Link:
https://tria.ge/reports/201021-qz873hda6n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Emotet Payload
Emotet
Malware Config
C2 Extraction:
115.94.207.99:443
5.196.108.185:8080
167.114.153.111:8080
87.106.136.232:8080
62.30.7.67:443
108.46.29.236:80
24.179.13.119:80
89.121.205.18:80
46.105.131.79:8080
173.63.222.65:80
174.45.13.118:80
216.139.123.119:80
172.91.208.86:80
155.186.9.160:80
96.245.227.43:80
102.182.93.220:80
24.230.141.169:80
104.131.123.136:443
104.131.11.150:443
203.153.216.189:7080
37.139.21.175:8080
94.230.70.6:80
194.187.133.160:443
50.91.114.38:80
118.83.154.64:443
78.24.219.147:8080
97.82.79.83:80
95.9.5.93:80
24.137.76.62:80
190.29.166.0:80
50.35.17.13:80
139.162.108.71:8080
50.245.107.73:443
98.174.164.72:80
49.3.224.99:8080
190.108.228.27:443
209.141.54.221:7080
61.19.246.238:443
76.175.162.101:80
5.39.91.110:7080
87.106.139.101:8080
72.143.73.234:443
110.142.236.207:80
190.240.194.77:443
74.208.45.104:8080
113.61.66.94:80
103.86.49.11:8080
181.126.74.180:80
121.7.31.214:80
209.54.13.14:80
153.164.70.236:80
186.70.56.94:443
186.74.215.34:80
91.211.88.52:7080
47.144.21.12:443
202.141.243.254:443
68.252.26.78:80
71.15.245.148:8080
188.219.31.12:80
104.131.44.150:8080
174.106.122.139:80
49.50.209.131:80
66.76.12.94:8080
123.176.25.234:80
123.142.37.166:80
218.147.193.146:80
91.146.156.228:80
139.99.158.11:443
69.206.132.149:80
120.150.60.189:80
85.105.111.166:80
94.200.114.161:80
185.94.252.104:443
89.216.122.92:80
62.75.141.82:80
208.180.207.205:80
162.241.140.129:8080
109.74.5.95:8080
75.139.38.211:80
95.213.236.64:8080
220.245.198.194:80
139.59.60.244:8080
130.0.132.242:80
78.188.106.53:443
71.72.196.159:80
110.145.77.103:80
83.110.223.58:443
139.162.60.124:8080
176.111.60.55:8080
94.23.237.171:443
37.187.72.193:8080
47.36.140.164:80
124.41.215.226:80
121.124.124.40:7080
120.150.218.241:443
61.33.119.226:443
137.59.187.107:8080
157.245.99.39:8080
75.143.247.51:80
172.104.97.173:8080
184.180.181.202:80
75.188.96.231:80
79.137.83.50:443
142.112.10.95:20
76.171.227.238:80
162.241.242.173:8080
168.235.67.138:7080
93.147.212.206:80
74.214.230.200:80
194.4.58.192:7080
80.241.255.202:8080
Unpacked files
SH256 hash:
b942fc1dac93aee2a1851320550646561134564f0a38585f3a16b024221f152e
MD5 hash:
17b478292cbfbf4efdf27efe702d5a8c
SHA1 hash:
cabd670356eb3a183f5d0d585972245ce6292f91
Link:
https://www.unpac.me/results/bf622e8e-b65b-41ff-a112-c033cbbe2ba8/
SH256 hash:
f35f414b1b6ed073197104bae85e53507c565db2bb9ceee779e774dbb1bf40e2
MD5 hash:
2e0a5c18d0490ca792a1f8ca597c5b31
SHA1 hash:
8b2e2b1832233b3648c2cea27b76aebeba6c80ca
Detections:
win_emotet_a2
Create hunting rule
Link:
https://www.unpac.me/results/bf622e8e-b65b-41ff-a112-c033cbbe2ba8/
Parent samples :
b942fc1dac93aee2a1851320550646561134564f0a38585f3a16b024221f152e
8b0bcc6b08b1ff965a463f22523ef3d2f577b23b905807f7683d87ec42b2570a
SH256 hash:
e0b57b05510e7deb5a68602a305b15f048440c2406af2a3ddd2f8638936d4ae6
MD5 hash:
cc04b39d568b77fb9a1bbbbb4e2bee2d
SHA1 hash:
e019742bdc2058a93ae6e4818136376e8e5ab219
Detections:
win_emotet_a2
Create hunting rule
Link:
https://www.unpac.me/results/bf622e8e-b65b-41ff-a112-c033cbbe2ba8/
Parent samples :
c1d593c8c05e5fc98f0db05af7053f1eba84ba192747e840b7a20e619c099cda
023f7e6bb64c60d3394e022ee6db23b70157c2e9ba25f01a4c2b0f0d23b68cfc
b942fc1dac93aee2a1851320550646561134564f0a38585f3a16b024221f152e
8b0bcc6b08b1ff965a463f22523ef3d2f577b23b905807f7683d87ec42b2570a
ec78edc30178d10f71112951d7effddc0218ecb082789e3d911b8ffc5168a41e
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Emotet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b942fc1dac93aee2a1851320550646561134564f0a38585f3a16b024221f152e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:MALWARE_Win_Emotet
Create hunting rule
Author:ditekSHen
Description:Detects Emotet variants
Rule name:Win32_Trojan_Emotet
Create hunting rule
Author:ReversingLabs
Description:Yara rule that detects Emotet trojan.
Rule name:win_sisfader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Heodo

Executable exe b942fc1dac93aee2a1851320550646561134564f0a38585f3a16b024221f152e

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/74156/
  
URLhaus
https://urlhaus.abuse.ch/url/728403/
  
Delivery method
Distributed via web download

Comments