MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbf74b32b2596df6e10efd513df30e60208e4d9ebcfe41cefcc1d4129b9a5026. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments 1

SHA256 hash:	bbf74b32b2596df6e10efd513df30e60208e4d9ebcfe41cefcc1d4129b9a5026
SHA3-384 hash:	558cebcb27a9752227880f6265f34df8f8eaf03d1b464940a973476ca053193a556cb8c68247a405d68042594e169b9b
SHA1 hash:	4c68368cd3510ad484dc2e963b3ca5476519df5e
MD5 hash:	768371ce2842e92e8c115d12625434d4
humanhash:	finch-twenty-pizza-mirror
File name:	768371ce2842e92e8c115d12625434d4
Download:	download sample
Signature	Heodo Create hunting rule
File size:	609'792 bytes
First seen:	2022-11-10 17:01:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7478292598c4b3e108c368ee3209fb38 (51 x Heodo)
ssdeep	12288:QST8ek3+6ZIvp0p0tPEgBthNeYU5elGYpED+HlM:Qjee+6evbtPEihGFYo
Threatray	7'038 similar samples on MalwareBazaar
TLSH	T1B4D4CE457BE009B9D1BB823988734557D2B37C124774938F23E402AB2F37BA15B2EB56
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	zbetcheckin
Tags:	Emotet exe Heodo

Intelligence

File Origin

# of uploads :

# of downloads :

260

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

768371ce2842e92e8c115d12625434d4

Verdict:

No threats detected

Analysis date:

2022-11-10 17:03:29 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2dbdcafc-6844-404b-8991-f180be88e47b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/332039/

Detection(s):

SecuriteInfo.com.Variant.Midie.118048.18453.30502.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Launching a process

Sending a custom TCP request

Moving of the original file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

emotet greyware

Link:

https://www.filescan.io/uploads/636d2e8b37a53af3a7f551d0/reports/c60299a2-9441-438e-a162-3d2e851102f2/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c92e91e9-7e7c-415c-b45e-733bffa4708a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bbf74b32b2596df6e10efd513df30e60208e4d9ebcfe41cefcc1d4129b9a5026/

Threat name:

Win64.Trojan.Emotet

Status:

Malicious

First seen:

2022-11-10 17:02:08 UTC

File Type:

PE+ (Dll)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xp3uwmvslfw7nyio7vit34yomaqi4tm6xt7edtx4yhkbfg42kata._file

Verdict:

malicious

Label(s):

emotet

Result

Malware family:

emotet

Score:

10/10

Tags:

family:emotet botnet:epoch4 banker persistence trojan

Link:

https://tria.ge/reports/221110-vj468sbfe8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Adds Run key to start application

Emotet

Malware Config

C2 Extraction:

185.4.135.165:8080
159.89.202.34:443
82.223.21.224:8080
187.63.160.88:80
188.44.20.25:443
91.187.140.35:8080
110.232.117.186:8080
197.242.150.244:8080
119.59.103.152:8080
182.162.143.56:443
72.15.201.15:8080
173.255.211.88:443
206.189.28.199:8080
94.23.45.86:4143
45.63.99.23:7080
153.126.146.25:7080
45.118.115.99:8080
115.68.227.76:8080
163.44.196.120:8080
159.65.140.115:443
169.57.156.166:8080
139.59.56.73:8080
183.111.227.137:8080
202.129.205.3:8080
103.43.75.120:443
45.176.232.124:443
186.194.240.217:443
173.212.193.249:8080
139.59.126.41:443
149.56.131.28:8080
159.65.88.10:8080
201.94.166.162:443
107.170.39.149:8080
103.75.201.2:443
103.132.242.26:8080
209.97.163.214:443
129.232.188.93:443
79.137.35.198:8080
101.50.0.91:8080
147.139.166.154:8080
160.16.142.56:8080
153.92.5.27:8080
167.172.199.165:8080
95.217.221.146:8080
167.172.253.162:8080
164.90.222.65:443
172.105.226.75:8080
164.68.99.3:8080
213.239.212.5:443
91.207.28.33:8080
45.235.8.30:8080
172.104.251.154:8080
5.135.159.50:443
212.24.98.99:8080
104.168.155.143:8080
1.234.2.232:8080

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f3d50c10-352e-42ee-a86b-0d9e7d63fe36

Unpacked files

SH256 hash:

0340779d8979998dc6bf8c2c50f897cb38db0937942413811bf7facfe44dbb28

MD5 hash:

984b0edf157b2f09072947a68129c20d

SHA1 hash:

7775d11bac25c6794fb7e005986ba7838ea947c0

Detections:

win_emotet_auto

win_emotet_a3

Link:

https://www.unpac.me/results/61df4cee-e2c9-4b14-8ccd-e774784a9144/

Parent samples :

f2ea28ca765643ac35adf39d3902e75af65adff759921431e86c1788173fcc89
80e23aae365cfa46f7e548272eb16e60075c2fee24ad1f491ea7965129ff7643
f92b8baf034312d3355111aa87c0c795490618ff599fe57efbe08041fa3c8524
5b762dece57d4b6f1b5a52a40517e3e963eab34ae37b3032519cd96b503ad969
fe4a97847a12571410af252626c672a26a3846939bce54358e61e492d63c32ea
8b269deb90fbacf54178ce6bc1458f55d56126c224b1eeaabd3c1ed8402edd64
b53911cc95792fefadd192039fd795c846b171f4f801aa5b08b5c58f1aa8cccc
bbf74b32b2596df6e10efd513df30e60208e4d9ebcfe41cefcc1d4129b9a5026
aa60be9a75a63d14574945a1adce89d2ed9f8beb60f60e71f154472fe745819b
aac56c2763cac316cc684807a00750f496b087a44f5636cb239b5928eca98ac9
02db8220ca6b602dc7ad161615a098bfdd2910b168e2b6d74d1c75af5d749d72
db501d864c500ed953980de5e2ca8ebb7e4853e17a23aa0c1262f6d7d87fa582
01b984b9b2aeb320e05e551c6f797695f3f4716c774c551f3e189247829dd0ec
4abf17486c7ee902b4bbef873b99f5f01bc034a956fa5ece6da66c020d8dde40
6765d9b7970efde29514ba0f535c04b45321400334f4242316f6fe1184ebc8c5
c790fbc8ad37fd81ebb56e6e8b7d036f2da09233b8983d822e30aa3d8eff143b
cce503f830724ec3046ab9313b7c755ee941b57ca4fbb5e813880208d250f76d
6a4973a4d2ae621668a1989de4e03b5813c7c8416b439ea504024c2d5ca1c492
97c220348da03ccf602677f0be5491eb8433e99a867b5391426260978316be90
3e188bd66216a40efb746904c2bf5862776cb649ea3cced70f30b811217ef31d
c40f2efb0faef832589617974efe381b2b92883cd35043635f35cbd166fe6eea
47ee64954e6e5645e007ab2434adca7724a14276127768653342b81e93d5a92d
be872c6066ebeb77e24441698ecb279cbdc1051a15742029eabb1107935ef13f
db1be718f6a5a8226fde11f7f8a9f860f9612ce086e52811e3391c1e3621f17e
2b0645e5d9f8907afa8dfff4942d93c664078879c0e766892ac6a5683d2c06f6
52c896fbfca514ea0870bb75afe94697d0ccf763c0f590a7766781513032aa73
6fbf5a49266e234d140e075f54aa742c4cec213db755d5909be24f9253f74f80
7738d0b8b7c927ca3a92aa49988e2d8bb9bcfa67c09aaa139ae4289f35191708
b2aa99def35f913b42b882122c8dd5f72ceeab82f6747f1b659c8632cd6eb902
bc00d5060a802b4bb7901c021378e857409da883bba19217c6e5eb543a895151
c987ad0cc79b598bdee9ec7da96b07e82a04cadd73cb3caf85b799731deef9a1
cdc057b7c772e3ac5f6074b374c0c7fd7903ca5aa3fa19e45ef9c4921e11c89c

SH256 hash:

bbf74b32b2596df6e10efd513df30e60208e4d9ebcfe41cefcc1d4129b9a5026

MD5 hash:

768371ce2842e92e8c115d12625434d4

SHA1 hash:

4c68368cd3510ad484dc2e963b3ca5476519df5e

Link:

https://www.unpac.me/results/61df4cee-e2c9-4b14-8ccd-e774784a9144/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bbf74b32b2596df6e10efd513df30e60208e4d9ebcfe41cefcc1d4129b9a5026

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	crime_win64_emotet_unpacked Create hunting rule
Author:	Rony (r0ny_123)

Rule name:	Windows_Trojan_Emotet_db7d33fa Create hunting rule
Author:	Elastic Security

Rule name:	win_emotet_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.emotet.

Rule name:	win_heodo Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Heodo

exe bbf74b32b2596df6e10efd513df30e60208e4d9ebcfe41cefcc1d4129b9a5026

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/332039/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2022-11-10 17:01:32 UTC

url : hxxp://www.vinyz.com/cache/rqWV/