MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 baaf9add58e7b7056045bf754145cf573d00ee06fa53f9ae489e6daaa8bbaa25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: baaf9add58e7b7056045bf754145cf573d00ee06fa53f9ae489e6daaa8bbaa25
SHA3-384 hash: 0ec005013fa6dd29dbf46bece642b2344a0eb05d0f78c7374652f8d575e93267ba4b313a677894366fe26c70e8152f39
SHA1 hash: 5f898522c11714b79bf5dcf04135698e13e3fc78
MD5 hash: 0b839f80b68c5ab0f34986bd885e51f8
humanhash: hotel-kitten-comet-mississippi
File name:0b839f80b68c5ab0f34986bd885e51f8
Download: download sample
Signature Heodo
Create hunting rule
File size:776'192 bytes
First seen:2022-02-08 17:23:11 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 36d18f8cb3bee16af0421e6a936157a8 (56 x Heodo)
ssdeep 12288:lBseOTwOg957PAMTEFv49thrFcmxLFwD7wGcXbtzbEOpUDlBAawsoei4:keOTwOUPnTC49LJxJwaCOpUD7Toei4
Threatray 570 similar samples on MalwareBazaar
TLSH T175F4C0006582907AE4F930B842667BF1E93D1CB0372511D39BD069FEA6E41F1B6B376B
File icon (PE):PE icon
dhash icon cc9686aacce828b2 (56 x Heodo)
Reporter zbetcheckin
Tags:32 dll Emotet exe Heodo

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/238418/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.13311.25910.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Launching a process
DNS request
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6202a76f4077c8b9a02264dc/reports/e108afa1-fcc5-4e54-ad13-9cc4bf1173c5/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Emotet
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4b92f57a-8661-4ba3-a59c-08fa7df9fa58
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/baaf9add58e7b7056045bf754145cf573d00ee06fa53f9ae489e6daaa8bbaa25/
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2022-02-08 17:24:15 UTC
File Type:
PE (Dll)
Extracted files:
3
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xkxzvxky463qkycfx52ucropk46qb3qg7jj7tlsitzw2vkf3visq._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
Similar samples:
0864d8f13cd46ae594a57d50af2526adc6b3528ac70b752ee63eabb7f580b1d6
Heodo
3c4513de383d429c8b86126c0b492eb55b6681ff15edf8a864b1e13fb1a7744e
Heodo
43ea4eeb90312fd5e92a08b1e11d1bcbd693da52c23cc13f9b0379e0cb7ccf63
Heodo
54c4135c2067fb4acd07f9839417c5dbfdf00230c4e1f73a2c7fa204af222876
Heodo
59f8ea2cf65de21e622ec8f3b154990388ce5ad04f112663540447cc42000e47
Heodo
764452d9b4b97e792ff4d066c0068c368094f9e6c46aaad40646a8748c15023b
Heodo
7961d848e8a23352de62e269d308e61de62e8961ab3069938e17d0854b8ba4ca
Heodo
8bc94689f7f722bb57eb0bef7a89262cffacf5ad8a4bde59660deeb2b6164da5
Heodo
da6ce8966d86b8359b27559659ba1b51d41d6bc512667144d9ea9c6c31ec039b
Heodo
ea1a11adbc302e40048540261d837f5c8fa693ad88dea6ca71ae4a3a63f019c4
Heodo
+ 560 additional samples on MalwareBazaar
Result
Malware family:
emotet
Create hunting rule
Score:
  10/10
Tags:
family:emotet botnet:epoch5 banker trojan
Link:
https://tria.ge/reports/220208-vyqmdsbhd2/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Emotet
Malware Config
C2 Extraction:
103.42.57.17:8080
93.104.208.37:8080
195.154.146.35:443
62.171.178.147:8080
37.59.209.141:8080
139.196.72.155:8080
37.44.244.177:8080
191.252.103.16:80
217.182.143.207:443
128.199.192.135:8080
103.41.204.169:8080
185.148.168.15:8080
168.197.250.14:80
78.46.73.125:443
194.9.172.107:8080
185.148.168.220:8080
118.98.72.86:443
54.37.106.167:8080
78.47.204.80:443
159.69.237.188:443
116.124.128.206:8080
59.148.253.194:443
85.214.67.203:8080
185.184.25.78:8080
173.203.78.138:443
54.37.228.122:443
198.199.98.78:8080
195.77.239.39:8080
210.57.209.142:8080
66.42.57.149:443
104.131.62.48:8080
54.38.242.185:443
190.90.233.66:443
207.148.81.119:8080
203.153.216.46:443
Unpacked files
SH256 hash:
baaf9add58e7b7056045bf754145cf573d00ee06fa53f9ae489e6daaa8bbaa25
MD5 hash:
0b839f80b68c5ab0f34986bd885e51f8
SHA1 hash:
5f898522c11714b79bf5dcf04135698e13e3fc78
Link:
https://www.unpac.me/results/3a4bd9cd-beee-4f1f-b7b3-7517e547bee6/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Heodo

DLL dll baaf9add58e7b7056045bf754145cf573d00ee06fa53f9ae489e6daaa8bbaa25

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2036940/
Cape
Cape
https://www.capesandbox.com/analysis/238418/

Comments


Avatar
zbet commented on 2022-02-08 17:23:12 UTC

url : hxxp://meridianites.com/cgi/pBoGxZ9igKZKn/