MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbfcace2db32e33128a2b1de097c73b82ed132ba58016c86ffee2ff55e03bdee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash:	bbfcace2db32e33128a2b1de097c73b82ed132ba58016c86ffee2ff55e03bdee
SHA3-384 hash:	8c9e08b0f1c2a5a48eec36ac01dc62fcef6e0fcc4c460b2cdfab0a1e8df541b3cc49a9052138a41fdb04113fe0b4cb07
SHA1 hash:	31aaed8fbe702f57b1ba4df395bbb1c816c795c9
MD5 hash:	aff9f4db1e89178797e12399ece84417
humanhash:	delta-hawaii-shade-sierra
File name:	z9MrftvbloX0Daniqv1ql8bBvrCBUgGrhE.dll.vir
Download:	download sample
Signature	Heodo Create hunting rule
File size:	315'904 bytes
First seen:	2022-06-21 16:06:45 UTC
Last seen:	2022-06-21 16:47:52 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	fbb4d9f7f00c9636121e47653fd6dd01 (40 x Heodo)
ssdeep	6144:JqdSTDcHe3kjHfNsQnwXYyDzVbh2RVFKSwmA6I+108ios+4XPOl5uG9+:uAcFHf3wIyT2dkv8iI6w3
Threatray	3'883 similar samples on MalwareBazaar
TLSH	T167648C0636A04866F3194B348903F6DA8765AD7D15E0E60EE2787C761E332C36D7B62F
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	818da080a0a0a0a2 (137 x Heodo, 46 x Urelas, 12 x Rhadamanthys)
Reporter	KdssSupport
Tags:	dropped Emotet exe Heodo

Intelligence

File Origin

# of uploads :

# of downloads :

282

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Emotet

Link:

https://www.capesandbox.com/analysis/282035/

Detection(s):

SecuriteInfo.com.Emotet-FTYAFF9F4DB1E89.5991.8613.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a service

Launching a process

Sending a custom TCP request

Moving of the original file

Enabling autorun for a service

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/22179/overview

Behaviour

MalwareBazaar

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/62b1ecea08903778452d8799/reports/6a8d94cc-b1c3-45ba-99bd-8ed18f49407e/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Emotet

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/caf13e95-c18d-4e58-afc7-04f544670c29

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bbfcace2db32e33128a2b1de097c73b82ed132ba58016c86ffee2ff55e03bdee/

Threat name:

Win64.Trojan.Emotet

Status:

Malicious

First seen:

2022-06-21 16:07:09 UTC

File Type:

PE+ (Dll)

Extracted files:

AV detection:

14 of 26 (53.85%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xp6kzyw3glrtckfcwhpas7dtxaxncmv2laawzbx75yx7kxqdxxxa._file

Verdict:

malicious

Label(s):

emotet

Result

Malware family:

emotet

Score:

10/10

Tags:

family:emotet botnet:epoch4 banker suricata trojan

Link:

https://tria.ge/reports/220621-tkmg5saaa8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Emotet

suricata: ET MALWARE W32/Emotet CnC Beacon 3

Malware Config

C2 Extraction:

82.165.152.127:8080
51.161.73.194:443
103.75.201.2:443
5.9.116.246:8080
213.241.20.155:443
79.137.35.198:8080
119.193.124.41:7080
186.194.240.217:443
172.105.226.75:8080
150.95.66.124:8080
131.100.24.231:80
94.23.45.86:4143
209.97.163.214:443
206.189.28.199:8080
173.212.193.249:8080
153.126.146.25:7080
51.91.76.89:8080
1.234.2.232:8080
163.44.196.120:8080
149.56.131.28:8080
146.59.226.45:443
45.118.115.99:8080
139.162.113.169:8080
196.218.30.83:443
212.24.98.99:8080
115.68.227.76:8080
64.227.100.222:8080
207.148.79.14:8080
209.126.98.206:8080
151.106.112.196:8080
45.186.16.18:443
167.172.253.162:8080
160.16.142.56:8080
72.15.201.15:8080
158.69.222.101:443
91.207.28.33:8080
103.70.28.102:8080
185.4.135.165:8080
144.91.78.55:443
82.223.21.224:8080
45.235.8.30:8080
135.148.6.80:443
188.44.20.25:443
101.50.0.91:8080
46.55.222.11:443
159.89.202.34:443
134.122.66.193:8080
45.176.232.124:443
164.68.99.3:8080
103.43.75.120:443
183.111.227.137:8080
45.76.181.158:443
107.170.39.149:8080
110.232.117.186:8080
159.65.140.115:443
51.254.140.238:7080
159.65.88.10:8080
103.132.242.26:8080
172.104.251.154:8080
37.187.115.122:8080
197.242.150.244:8080
129.232.188.93:443
201.94.166.162:443

Unpacked files

SH256 hash:

62f394ca00735f7b1f14c6eae767f96a0c7af0e2473b3e8a7255655b3306345f

MD5 hash:

5a210cf3bc9eef37c7df371c74da97c5

SHA1 hash:

7ab3805b9a8dd00e24854ab9d17fa4be996ccf8c

Detections:

win_emotet_a3

Link:

https://www.unpac.me/results/6e5b7ebd-2e20-4c90-a79e-03221c78d900/

Parent samples :

e8fd61a16b6662fb96a04e0ffc4714438f723f8d16143c71230707d3270546a3
feca36fa47382c8ce959ae572f627b56ee60c59b3138ba0d5ff77de1f2348e8a
4e74eae21b7d5830b494b55f2b35718c126bcac46c384f856fe7f90a20f17eba
b1910acb925184da17a79176f236406e7ae5b71b7174234382b6c348da97b757
3108b202cfe4954b757f119f1b8e2bcaccf3eeb7b286bd42fcec9d64f087c401
8355d2429d453838954dfa3e1ec592853c1c49aa7cbd5a1dab48dcf2c070c4ab
a051d201dc87b9301f98bd53de834d111e0d9d7edc325331ed75f1f3a5ef24fd
bbfcace2db32e33128a2b1de097c73b82ed132ba58016c86ffee2ff55e03bdee
96b404e6974653e0bbfbd3f2fc10fe13bc58eca4682e33237d579b924d282ef0
3c65aa247d9d8d29848999fce1a9e6e59592ae32ef9b9434625237e8b7d38810
5f1a46afbeb33f0199e13f843a649f09c0abdf5d6d347510742560ceaf87d5fb
1863261e238973a3ee5c5bd187903726ac3aac68ddd493e21c3b2918fbd2f0a8
f5475dbfbad3b709918ab2af83cf7a3bc3d352f25e8b27843586ef454d222816
bf533cec392bf8bf8a0770d3ef5f3b9e8ad546f565e668b14b31c8eabe57b004
d64e1e30cafcd7c35d086221732e1cfb8a029c53caa561c019f0351e294e2883
71ed265e325581d682a0c1ab1f3ab148d0ae47d50fe8ee289b69c2aca0ab3ffc
da9c1e9509ee592f1b5a07aec954e0e656d5dadfc164fe72a3d23a3c9f364c6e
66657933d30fcae9d2dd67ac4155962aa6e0664fb012e8ae3f75f7f5020cc697
c66e6a45dee2a8b16e4aaabd32a71b6a0b88d3d97765e60b0e0247faae6f975c
5cc2846fe19961fc64c373ce84252a8b742bc6660f4b5b2bda6350cf1d0b0299
a7250f3f79e7e327cfc7ac2aa8e375721b87e82e2eef4860b7cee26b42ce83b7
90e944a8710dbaa47612d4ff71ab7800f32b11a80e6b7cf16674e97c56c6cb56

SH256 hash:

bbfcace2db32e33128a2b1de097c73b82ed132ba58016c86ffee2ff55e03bdee

MD5 hash:

aff9f4db1e89178797e12399ece84417

SHA1 hash:

31aaed8fbe702f57b1ba4df395bbb1c816c795c9

Link:

https://www.unpac.me/results/6e5b7ebd-2e20-4c90-a79e-03221c78d900/

Malware family:

Emotet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bbfcace2db32/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bbfcace2db32e33128a2b1de097c73b82ed132ba58016c86ffee2ff55e03bdee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	exploit_any_poppopret Create hunting rule
Author:	Jeff White [karttoon@gmail.com] @noottrak
Description:	Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.