MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c312e169d05ed2329411b08386077741f500f2dabf7e43709d873805ea750131. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Emotet (aka Heodo)


Vendor detections: 12



SHA256 hash: c312e169d05ed2329411b08386077741f500f2dabf7e43709d873805ea750131
SHA3-384 hash: 953189f1de7d334ea095b0b778aaa30829b99f46643ec75de743fe74c412a52f9f2f70a95c80b7dbf31fd1e6216e7462
SHA1 hash: b37e8bed73c0bd68ec071ee1aec441b7a7b5d1a4
MD5 hash: 8ad554ce5c6be82aaf6ce84467dce893
humanhash: earth-alabama-dakota-mexico
File name: emotet_exe_e5_52188d393078ea627ef12b4361726b6ae47c4d5b7fd8c264770b8dcd4de694ed_2021-12-08__090214.exe
Signature: Heodo
File size: 460'288 bytes
First seen: 2021-12-08 09:02:18 UTC
Last seen: Never
File type: DLL
MIME type: application/x-dosexec
imphash: 9569af1b45171dd851ce75febf6ecf35 (9 x Heodo)
ssdeep: 6144:n4vIUfGZ60vflUvTdXXgSCdv+RXoZ0CaTU3MihxP6MF8G63up9A2:/EGZ6KWCZ+RXoZ0hU3M2xP7CjKx
Threatray: 827 similar samples on MalwareBazaar
TLSH: T1DAA4CF0272E0C17AC2BB233949779F6463FEFC508A71C60B6B447E8D6E35A85D929353
dhash icon: 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter: Cryptolaemus1
Tags: dll, Emotet, epoch5, exe, Heodo


Cryptolaemus1
Emotet epoch5 exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 137
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Launching a process
  DNS request
  Sending a custom TCP request
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware, keylogger, overlay, packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Trojan.Emotet
Status: Malicious
First seen: 2021-12-08 09:03:12 UTC
File Type: PE (Dll)
Extracted files: 80
AV detection: 25 of 28 (89.29%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:emotet, botnet:epoch5, banker, trojan
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of WriteProcessMemory
  Blocklisted process makes network request
Emotet
Malware Config
C2 Extraction:
45.63.5.129:443
128.199.192.135:8080
51.178.61.60:443
168.197.250.14:80
177.72.80.14:7080
51.210.242.234:8080
142.4.219.173:8080
78.47.204.80:443
78.46.73.125:443
37.44.244.177:8080
37.59.209.141:8080
191.252.103.16:80
54.38.242.185:443
85.214.67.203:8080
217.182.143.207:443
159.69.237.188:443
210.57.209.142:8080
54.37.228.122:443
207.148.81.119:8080
195.77.239.39:8080
66.42.57.149:443
195.154.146.35:443
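As an added example (not part of the MalwareBazaar entry, the sandbox output, or the sample itself), the Python below turns the C2 list extracted above into something a defender can run: it parses the ip:port entries, checks connection-log rows against them, and emits one Suricata rule per endpoint. It separates exact ip:port hits from same-IP-different-port hits, since Emotet configs change per epoch and build and a listed host on another port is still worth a look. The Zeek-style conn.log rows are constructed for the example, and the sid range and the reference URL form are assumptions.

```python
import ipaddress

SAMPLE_SHA256 = "c312e169d05ed2329411b08386077741f500f2dabf7e43709d873805ea750131"

# C2 list copied from the Malware Config -> C2 Extraction section of this entry.
C2_RAW = """\
45.63.5.129:443
128.199.192.135:8080
51.178.61.60:443
168.197.250.14:80
177.72.80.14:7080
51.210.242.234:8080
142.4.219.173:8080
78.47.204.80:443
78.46.73.125:443
37.44.244.177:8080
37.59.209.141:8080
191.252.103.16:80
54.38.242.185:443
85.214.67.203:8080
217.182.143.207:443
159.69.237.188:443
210.57.209.142:8080
54.37.228.122:443
207.148.81.119:8080
195.77.239.39:8080
66.42.57.149:443
195.154.146.35:443
"""


def parse_c2_list(raw):
    """Parse 'ip:port' lines into a set of (ip, port). ipaddress.ip_address()
    raises on anything that is not a literal IP, so a malformed entry fails
    loudly instead of becoming a rule that never matches."""
    c2 = set()
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, sep, port = line.rpartition(":")
        if not sep:
            raise ValueError(f"no port in C2 entry: {line!r}")
        c2.add((str(ipaddress.ip_address(host)), int(port)))
    return c2


# Constructed Zeek-style conn.log excerpt (made up for this example, not from
# the sandbox run): ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto
CONN_LOG = """\
1638954140.101 CqS1a 10.0.0.12 49812 45.63.5.129 443 tcp
1638954141.220 CqS1b 10.0.0.12 49813 142.250.74.46 443 tcp
1638954150.000 CqS1c 10.0.0.23 51044 51.178.61.60 80 tcp
1638954151.000 CqS1d 10.0.0.23 51045 177.72.80.14 7080 tcp
1638954152.000 CqS1e 10.0.0.23 51046 10.0.0.1 53 udp
"""


def find_c2_connections(log_text, c2):
    """Return rows whose destination is on the C2 list.
    'exact'   = ip:port pair is listed (high confidence)
    'ip-only' = IP is listed but on a different port (lower confidence)"""
    c2_ips = {ip for ip, _ in c2}
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip headers/blank lines
        ts, uid, orig_h, orig_p, resp_h, resp_p, proto = fields[:7]
        resp_p = int(resp_p)
        if (resp_h, resp_p) in c2:
            kind = "exact"
        elif resp_h in c2_ips:
            kind = "ip-only"
        else:
            continue
        hits.append({"ts": ts, "uid": uid, "orig_h": orig_h, "resp_h": resp_h,
                     "resp_p": resp_p, "proto": proto, "match": kind})
    return hits


def to_suricata_rules(c2, sid_start=9000001):
    """One outbound-TCP Suricata rule per C2 endpoint, in deterministic order.
    The sid range and the bazaar.abuse.ch reference URL form are assumptions."""
    ref = f"bazaar.abuse.ch/sample/{SAMPLE_SHA256}/"
    ordered = sorted(c2, key=lambda e: (ipaddress.ip_address(e[0]), e[1]))
    rules = []
    for sid, (ip, port) in enumerate(ordered, start=sid_start):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Emotet epoch5 C2 {ip}:{port}"; flow:to_server; '
            f'reference:url,{ref}; classtype:trojan-activity; sid:{sid}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    c2 = parse_c2_list(C2_RAW)
    for h in find_c2_connections(CONN_LOG, c2):
        print(f"{h['match']:8} {h['orig_h']} -> {h['resp_h']}:{h['resp_p']} ({h['uid']})")
    print("\n".join(to_suricata_rules(c2)[:3]))
```

Treat an ip-only hit as a lead, not a verdict: shared hosting and compromised WordPress boxes are common Emotet tier-1 infrastructure, so confirm with the process that made the connection before blocking the whole host.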
Unpacked files
SHA256 hash: bcb6de72aa2d11ad5581ce879c09c2363349e98112e35e0127257b484ca24fa6
MD5 hash: 479012d76266b4f1c241bdd8d7e63610
SHA1 hash: 79cca62be9f180af74d6031178ff79cda57faa59
Detections: win_emotet_a2 win_emotet_auto
Parent samples:
SHA256 hash: c312e169d05ed2329411b08386077741f500f2dabf7e43709d873805ea750131
MD5 hash: 8ad554ce5c6be82aaf6ce84467dce893
SHA1 hash: b37e8bed73c0bd68ec071ee1aec441b7a7b5d1a4
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:Emotet
Author:kevoreilly
Description:Emotet Payload
Rule name:MALW_emotet
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect unpacked Emotet

File information


The table below shows additional information about this malware sample such as delivery method and external references.