MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c20f840e45aca11eaed74f17f156c01c6d65e3fb4cac78b245da5a526a8456d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	c20f840e45aca11eaed74f17f156c01c6d65e3fb4cac78b245da5a526a8456d3
SHA3-384 hash:	b854352be806b1bfaba9d33ee88bb331ef88df76206b5fba25da29a49de4ea47c3e7854eec53f05090fab551df04f293
SHA1 hash:	8c6ae3cb7ef2ed15de90d155d71db5125fb22c4a
MD5 hash:	7063658b6be4ab99edb99a4495ba39a4
humanhash:	bakerloo-harry-edward-yankee
File name:	23dc4aa9deffcf0b8b0903de7966e81b
Download:	download sample
Signature	Heodo Create hunting rule
File size:	425'984 bytes
First seen:	2020-11-17 12:08:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	66ec9561fcca92628267bd0fed88965e (17 x Heodo)
ssdeep	12288:DhT3vmmA+QDhZCNxdpCZG5RERxRPRAR1RpR9r5xwVsS:Dtfmb+qhZCX3CZ+esS
Threatray	18'766 similar samples on MalwareBazaar
TLSH	3294AD1137D0D473C16220764A56ABB5AABEFCB19EB553877BD03B2C9E302D19A38707
Reporter	seifreed
Tags:	Emotet Heodo

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Dropper.Emotet-9789042-0

Win.Packed.Emotet-9790742-0

Win.Packed.Emotet-9790818-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Connection attempt

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c20f840e45aca11eaed74f17f156c01c6d65e3fb4cac78b245da5a526a8456d3/

Threat name:

Win32.Trojan.Emotet

Status:

Malicious

First seen:

2020-11-17 12:12:13 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yihyidsfvsqr5lwxj4l7cvwadrwwly73jswhrmsf3jnfe2uek3jq._file

Verdict:

malicious

Label(s):

emotet

Result

Malware family:

emotet

Score:

10/10

Tags:

family:emotet botnet:epoch3 banker trojan

Link:

https://tria.ge/reports/201117-f181frvs6s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Drops file in Windows directory

Emotet Payload

Emotet

Malware Config

C2 Extraction:

27.78.27.110:443
81.241.22.161:20
91.121.200.35:8080
159.203.16.11:8080
188.226.165.170:8080
115.79.195.246:80
153.204.122.254:80
77.74.78.80:443
37.205.9.252:7080
36.91.44.183:80
58.94.58.13:80
37.46.129.215:8080
172.96.190.154:8080
157.7.164.178:8081
175.103.38.146:80
103.229.73.17:8080
45.239.204.100:80
5.12.246.155:80
179.5.118.12:80
185.80.172.199:80
116.202.10.123:8080
195.201.56.70:8080
192.210.217.94:8080
202.29.237.113:8080
2.58.16.86:8080
120.51.34.254:80
46.105.131.68:8080
27.82.13.10:80
223.17.215.76:80
177.85.177.206:80
119.228.75.211:80
115.79.59.157:80
192.241.220.183:8080
73.55.128.120:80
177.130.51.198:80
198.20.228.9:8080
185.142.236.163:443
5.79.70.250:8080
79.133.6.236:8080
5.2.164.75:80
113.203.238.130:80
180.148.4.130:8080
178.33.167.120:8080
109.13.179.195:80
201.163.74.203:80
139.59.61.215:443
183.91.3.63:80
85.246.78.192:80
190.192.39.136:80
143.95.101.72:8080
103.93.220.182:80
213.165.178.214:80
190.7.217.90:80
185.208.226.142:8080
117.2.139.117:443
190.180.65.104:80
41.185.29.128:8080
2.82.75.215:80
121.117.147.153:443
178.254.36.182:8080
109.99.146.210:8080
189.123.103.233:80
203.56.191.129:8080
188.166.220.180:7080
91.75.75.46:80
186.146.229.172:80
110.37.224.243:80
78.90.78.210:80
58.27.215.3:8080
200.243.153.66:80
73.100.19.104:80
162.144.145.58:8080
54.38.143.245:8080
60.108.128.186:80
172.105.78.244:8080
190.194.12.132:80
75.127.14.170:8080
139.59.12.63:8080
86.124.32.113:80
46.32.229.152:8080
190.85.46.52:7080
91.83.93.103:443
153.229.219.1:443
74.208.173.91:8080
42.200.96.63:80
94.52.168.188:80
190.164.135.81:80
103.80.51.61:8080
109.206.139.119:80
8.4.9.137:8080
190.147.84.191:443
203.153.216.178:7080
192.163.221.191:8080
50.116.78.109:8080
60.125.114.64:443
152.32.75.74:443
189.55.48.40:80
5.2.246.108:80

Unpacked files

SH256 hash:

c20f840e45aca11eaed74f17f156c01c6d65e3fb4cac78b245da5a526a8456d3

MD5 hash:

7063658b6be4ab99edb99a4495ba39a4

SHA1 hash:

8c6ae3cb7ef2ed15de90d155d71db5125fb22c4a

Link:

https://www.unpac.me/results/e41ee63c-fec4-4f5f-a1a1-ceaf1bcfb1b9/

SH256 hash:

dc9f695ee10ff2257e0de36d508197bd6b99ec41339dd6ab7ba05bdd9d38f229

MD5 hash:

6637c17fc8793557387a51aa22fbfc06

SHA1 hash:

9ed50142dceab4d8280735ee995fb914a1491dc1

Detections:

win_emotet_a2

win_emotet_auto

Link:

https://www.unpac.me/results/e41ee63c-fec4-4f5f-a1a1-ceaf1bcfb1b9/

Parent samples :

46caf733990074e9fc82b654c0aecd9b72e59409df1074216e18a0f100202249
1275d1d7336acbed34142c9727384765a493d6c585fb6b9f2d5c913068d170da
146d77f2b3105bf906b5466e65e71dd9096d83aa585bdc8669d2f1b81406890c
2d7bc74b468ee47a209a23a7b0e7b98dad2f1ccf84382921244ba8d59a3a3213
6e966af29197d10046a22d50f9d4204fa6cbc7ff321ad39b386169bdf9606902
f6bed6f55ffc433c48050563a426756f6382356aa56e4562c4a07a4cd3d80a51
ecaae16ebe63e39f9a1f2a1076053b909634e17e596628a9487e30f755e7881c
c20f840e45aca11eaed74f17f156c01c6d65e3fb4cac78b245da5a526a8456d3

SH256 hash:

0f58e8542a35156fd003cdea8d284a2c4e9e3b7b29e060350ef2b48a265f4b61

MD5 hash:

69f4c004fe51d93f9aac7e57e8db51ff

SHA1 hash:

cfec0e154c158c941cac4d1cdb3b796984417be2

Detections:

win_emotet_a2

win_emotet_auto

Link:

https://www.unpac.me/results/e41ee63c-fec4-4f5f-a1a1-ceaf1bcfb1b9/

Parent samples :

46caf733990074e9fc82b654c0aecd9b72e59409df1074216e18a0f100202249
1275d1d7336acbed34142c9727384765a493d6c585fb6b9f2d5c913068d170da
8acccd748190b61c34a12c5d5fd234b21bba651288e81cf924a5f2553c6df9af
7dce9f57836ba1b8f708ead7140a5e850050c25695351f0fbcc0c6729c84107a
6366899c0bacf9ad12319e59da305c333cbab6ecfdd84db601c699a074b9add3
146d77f2b3105bf906b5466e65e71dd9096d83aa585bdc8669d2f1b81406890c
35e1d713a4a3663cc9d822a94cf0e55aeb0281d86d7f886205ee0d71d0f0889d
2d7bc74b468ee47a209a23a7b0e7b98dad2f1ccf84382921244ba8d59a3a3213
a7fe02ff5bfef61b9d2344b8b8cc225f988f0f354220b564457231e4d98d21fb
6e966af29197d10046a22d50f9d4204fa6cbc7ff321ad39b386169bdf9606902
f6bed6f55ffc433c48050563a426756f6382356aa56e4562c4a07a4cd3d80a51
5b1e742aa624e3ba3590c2954660614d69ed01c4527a7f5c596fc862c82c77b5
f2c455143ba76694ed0d1d2c33add8d98601892b6707f41d289af96e2bd3e6fb
ecaae16ebe63e39f9a1f2a1076053b909634e17e596628a9487e30f755e7881c
997e6221f53ed9a0d3c487c17381fe84d8ab87c25583efb0b3b776b1cd4ca9d5
c20f840e45aca11eaed74f17f156c01c6d65e3fb4cac78b245da5a526a8456d3
9578ec5dbef3ce203772d7609288fe9a7a81b140049d7ef74d55522ed451f41e

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	Win32_Trojan_Emotet Create hunting rule
Author:	ReversingLabs
Description:	Yara rule that detects Emotet trojan.

Rule name:	win_emotet_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample