MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb0d9cf3c9e7c28009e20d9c644cb0f687d9fb9f419b3d8fe9c4ab9520fc2247. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb0d9cf3c9e7c28009e20d9c644cb0f687d9fb9f419b3d8fe9c4ab9520fc2247
SHA3-384 hash: c6cbd21fa59ae43e0d62adfb91b01c334c61a9868c5dd4b4c296900f7310da9cd8e061f69f5304307de5ff70ca5ce9f6
SHA1 hash: d15a23b026aa44ea2f5ac3f05203607cb5706e64
MD5 hash: c3655ee9fec9873bb87ade937095fed9
humanhash: quebec-berlin-gee-oxygen
File name:ExeFile (156).exe
Download: download sample
Signature Heodo
Create hunting rule
File size:458'752 bytes
First seen:2024-08-20 14:09:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 274ac2c59ebd50168147ffd939350467 (28 x Heodo)
ssdeep 12288:LfzaBuiszJbE9mO4sl9kVlAOyQkNvOzxMrBO:LbMmO4sl9sR2Otq
Threatray 253 similar samples on MalwareBazaar
TLSH T102A4C0227761CC77C1E301734DE68F65B9BEF9600F22828363848F1DEDB56C1AA6652D
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon eeb2b2aea2e4e0e0 (1 x Heodo)
Reporter byMattii1234
Tags:Emotet Heodo

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ExeFile (156).exe
Verdict:
Malicious activity
Analysis date:
2024-08-20 14:09:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6eb3eb67-a63f-4e63-8d37-82c553e47aad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Emotet-9371545-0
Create hunting rule

Win.Trojan.Emotet-9641703-0
Create hunting rule

SecuriteInfo.com.Gen.NN.ZexaF.34152.Cq0@a0DzhIlb.6418.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66c4a3c7b2a4681a72965f13
Tags:
Execution Generic Infostealer Network Other Static Stealth Trojan Emotet
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
emotet epmicrosoft_visual_cc hook keylogger microsoft_visual_cc threat
Link:
https://www.filescan.io/uploads/66c4a3c29498a0e255aff75c/reports/41ff5884-1be2-48b7-aeea-a3e7c9d56fd9/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/bb0d9cf3c9e7c28009e20d9c644cb0f687d9fb9f419b3d8fe9c4ab9520fc2247
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Emotet
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3546732d-701a-442d-874b-257c761b2447
Result
Threat name:
Emotet
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1495794
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Emotet
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bb0d9cf3c9e7c28009e20d9c644cb0f687d9fb9f419b3d8fe9c4ab9520fc2247
Detection:
emotet
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bb0d9cf3c9e7c28009e20d9c644cb0f687d9fb9f419b3d8fe9c4ab9520fc2247/
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2020-08-16 04:59:24 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
34 of 38 (89.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xmgzz46j47biacpcbwogitfq62d5t647ignt3d7jysvzkih4ejdq._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
Similar samples:
21c37002b69efc98e95e8f34ddd1020e0ff72e48cb5c8f9c4884a9a5d3f3f29e
Heodo
3aa2e8afb76f29506f6f22ee89a04fc6156027f1212350365496d26347aa7671
Heodo
3dfd559a81a5b915bfcbcbe57eb9d13325efd35d5abe6bb846708bc725234c6a
Heodo
8c5dbc066a5c278653b42be8664fc8c77dee1e3c154ddd91614385e7cf390d83
Heodo
8f2e674c5f042ee18ba8192e65fbe78b9d542d0d7ed0f01e3afdb5e948488fb5
Heodo
9d42edbc499c450abcd3a29e3af4121ad04f61d391e60e040165b373796ceba6
Heodo
beeff9ae0d96841ce195089f6dbc34b8bd32ee5ff341906c4afd1242b140d7df
Heodo
cc6dbd58bd2fbe285afec9689b8827dc425c194f14261eaaea4fb2d25434308b
Heodo
cef015793a291a764ac1b079dab4a1775bd2736f5bab72733b866e9ced320b19
Heodo
d39558a89c4187ab1727efbc36640584204aae4573ea0fe282d3614bfec67f1d
Heodo
+ 243 additional samples on MalwareBazaar
Result
Malware family:
emotet
Create hunting rule
Score:
  10/10
Tags:
family:emotet botnet:epoch2 banker discovery trojan
Link:
https://tria.ge/reports/240820-rgqpaazcrr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
System Location Discovery: System Language Discovery
Emotet payload
Emotet
Malware Config
C2 Extraction:
75.139.38.211:80
69.30.203.214:8080
67.205.85.243:8080
190.160.53.126:80
183.101.175.193:80
137.59.187.107:8080
168.235.67.138:7080
209.143.35.232:80
180.92.239.110:8080
167.86.90.214:8080
85.66.181.138:80
95.213.236.64:8080
83.169.36.251:8080
157.245.99.39:8080
79.98.24.39:8080
70.167.215.250:8080
93.51.50.171:8080
174.102.48.180:80
24.179.13.119:80
41.60.200.34:80
188.83.220.2:443
91.211.88.52:7080
24.43.99.75:80
47.144.21.12:443
37.187.72.193:8080
104.131.44.150:8080
199.101.86.142:8080
116.203.32.252:8080
85.152.162.105:80
83.110.223.58:443
78.24.219.147:8080
62.75.141.82:80
152.168.248.128:443
157.147.76.151:80
24.137.76.62:80
121.124.124.40:7080
62.138.26.28:8080
173.62.217.22:443
107.185.211.16:80
103.86.49.11:8080
113.160.130.116:8443
72.12.127.184:443
181.211.11.242:80
204.197.146.48:80
176.111.60.55:8080
104.236.246.93:8080
97.82.79.83:80
74.208.45.104:8080
87.106.136.232:8080
209.141.54.221:8080
169.239.182.217:8080
110.145.77.103:80
222.214.218.37:4143
165.165.171.160:8080
47.146.117.214:80
139.59.60.244:8080
203.153.216.189:7080
5.196.74.210:8080
37.139.21.175:8080
201.173.217.124:443
47.153.182.47:80
2.58.16.85:7080
109.116.214.124:443
200.41.121.90:80
95.179.229.244:8080
142.105.151.124:443
5.39.91.110:7080
185.94.252.104:443
189.212.199.126:443
109.74.5.95:8080
37.70.8.161:80
190.55.181.54:443
61.19.246.238:443
74.120.55.163:80
85.105.205.77:8080
181.230.116.163:80
104.131.11.150:443
81.2.235.111:8080
203.117.253.142:80
24.233.112.152:80
47.146.32.175:80
76.27.179.47:80
87.106.139.101:8080
46.105.131.79:8080
139.130.242.43:80
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/944405c5-1e9d-45c3-8a4e-f78145b1ed95
Unpacked files
SH256 hash:
a81395a9dfe095f4057d6277ed256e6fa65e6818c4cb141ecff00e763a98d076
MD5 hash:
52f321829ab5ee533372f0eb3f17b3d9
SHA1 hash:
4d53ff2e752c61dffd4ed2b8786ef441a681c7a1
Detections:
win_emotet_auto
Create hunting rule
win_emotet_a2
Create hunting rule
MALW_emotet
Create hunting rule
Emotet
Create hunting rule
Win32_Trojan_Emotet
Create hunting rule
Link:
https://www.unpac.me/results/651a10f4-6b1d-4e0e-afbd-fa9a11a27bd3/
Parent samples :
d741b7060b4e9734c53ba5e1b13bf856a7debb4793a1d598a0f4644c461957ec
cc1f54f7fe1628aa704cc802355f68f45ac93c274d3a1742896ff92d92141b36
9d42edbc499c450abcd3a29e3af4121ad04f61d391e60e040165b373796ceba6
d39558a89c4187ab1727efbc36640584204aae4573ea0fe282d3614bfec67f1d
7eb1d3ba3690ea3a01f052777f5bf2cd511eb824998bee95e450ca6dde5db473
a05fe04f7d09d2e678d9eb4212a6c75bc170349d7cfab4332cea06d29147b29b
3300829c486f69726033570bbaf71934baa9791694c02bd90b7e95db122c89f2
bb0d9cf3c9e7c28009e20d9c644cb0f687d9fb9f419b3d8fe9c4ab9520fc2247
SH256 hash:
bb0d9cf3c9e7c28009e20d9c644cb0f687d9fb9f419b3d8fe9c4ab9520fc2247
MD5 hash:
c3655ee9fec9873bb87ade937095fed9
SHA1 hash:
d15a23b026aa44ea2f5ac3f05203607cb5706e64
Link:
https://www.unpac.me/results/651a10f4-6b1d-4e0e-afbd-fa9a11a27bd3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.94
Link:
https://yomi.yoroi.company/submissions/bb0d9cf3c9e7c28009e20d9c644cb0f687d9fb9f419b3d8fe9c4ab9520fc2247

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:without_attachments
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the no presence of any attachment
Reference:http://laboratorio.blogs.hispasec.com/
Rule name:without_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the no presence of any url
Reference:http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Heodo

Executable exe bb0d9cf3c9e7c28009e20d9c644cb0f687d9fb9f419b3d8fe9c4ab9520fc2247

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/432291/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoFreeUnusedLibraries
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::SetStdHandle
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::GetFileAttributesA
KERNEL32.dll::FindFirstFileA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegSetValueExA
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::WSACloseEvent
WS2_32.dll::WSACreateEvent
WS2_32.dll::WSAEnumNetworkEvents
WS2_32.dll::WSAEventSelect
WS2_32.dll::WSAWaitForMultipleEvents
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments