MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3c1aa22ce237c9c533f077f4d4f08a81a3f0d93d5deb45b18d837cd6b916320. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 10

Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash:	c3c1aa22ce237c9c533f077f4d4f08a81a3f0d93d5deb45b18d837cd6b916320
SHA3-384 hash:	3c51d8f1235a12bdb7cbe2f1b1936a948d12c157ddf3bdef3171c6645515b810e0963a79ca3b9674a6200d5d77aae290
SHA1 hash:	5b8c3a8347f252aebcdfe51c2a6bb025bfc1d8a3
MD5 hash:	24c90cd5840b9133919d61b11c8fc877
humanhash:	may-queen-hotel-march
File name:	game-test-build.exe
Download:	download sample
Signature	Heodo Create hunting rule
File size:	10'058'722 bytes
First seen:	2023-04-10 03:53:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0b5552dccd9d0a834cea55c0c8fc05be (16 x LunaLogger, 16 x BlankGrabber, 8 x CrealStealer)
ssdeep	196608:wjuL9HLAlnfih8FwjxHSRHvUWvozhx0PuqLQbRLX4gR49Ut8wgTCc:IUxAlnfLFHRHd2x0u+Qbd62N
Threatray	41 similar samples on MalwareBazaar
TLSH	T1B8A6339835A4D0FBEEB250399C5A841E25F0B4723726DBCF03606D514F2B2D2A93DFA5
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	Anonymous
Tags:	Emotet exe Heodo Sordeal-Stealer

Intelligence

File Origin

# of uploads :

# of downloads :

561

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/381151/

Detection(s):

SecuriteInfo.com.HEUR.Trojan-PSW.Python.Agent.gen.8588.26986.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

DNS request

Sending a custom TCP request

Creating a file

Launching a process

Running batch commands

Searching for the window

Creating a process with a hidden window

Launching the process to change network settings

Creating a window

Enabling autorun by creating a file

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/77202/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware overlay packed python

Link:

https://www.filescan.io/uploads/6433885bb7dc98ff877995aa/reports/1a450bfc-bd15-49b5-8548-1dd34e433ea6/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/c3c1aa22ce237c9c533f077f4d4f08a81a3f0d93d5deb45b18d837cd6b916320

Result

Verdict:

MALICIOUS

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/6423c82d-0275-448d-ab45-09b977933979

Result

Threat name:

MicroClip

Detection:

malicious

Classification:

troj

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1210993

Signature

Multi AV Scanner detection for submitted file

Yara detected MicroClip

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c3c1aa22ce237c9c533f077f4d4f08a81a3f0d93d5deb45b18d837cd6b916320/

Threat name:

Win64.Trojan.Emotet

Status:

Suspicious

First seen:

2023-04-10 03:54:22 UTC

File Type:

PE+ (Exe)

Extracted files:

1221

AV detection:

10 of 24 (41.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ypa2uiwoen6jyuz7a57u2tyivand6dmt2xpliwyy3a34224rmmqa._file

Verdict:

unknown

Heodo

20632d113408af16371070219ed4e9f260a3cc23db39fcddce2580ebf6669b5f

Heodo

310fae0d844061aeea3d540052c5daadd3ea406b6fcc529b44c7997ac6a09cbb

Heodo

3b0627313c0c8731f0b7250bae43fe2df57bd8b05f06017222de8edd91d22c90

Heodo

6e86ad43d7677a7d9a81ac9dd17df97703dfb49ee4456601b4fa2edd518ce0e5

Heodo

80f4e41827dfe57bd2217eabe487099a2912be536fe4b0aef95b4bbb215c8a2a

Heodo

8befc91b605e2dd3ee8917f6e4b2ab943ec7900d257b704955c2defc0328b4d8

Heodo

db78805d0267b4c28d933f9ed363ae4fa2019aeb7f219a80286cf9be117172d3

Heodo

+ 31 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

pyinstaller spyware stealer upx

Link:

https://tria.ge/reports/230410-ef7vysgg81/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Maps connected drives based on registry

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Unpacked files

SH256 hash:

c3c1aa22ce237c9c533f077f4d4f08a81a3f0d93d5deb45b18d837cd6b916320

MD5 hash:

24c90cd5840b9133919d61b11c8fc877

SHA1 hash:

5b8c3a8347f252aebcdfe51c2a6bb025bfc1d8a3

Link:

https://www.unpac.me/results/3fd61bed-07fb-42cc-aeaf-4406855cb772/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c3c1aa22ce237c9c533f077f4d4f08a81a3f0d93d5deb45b18d837cd6b916320

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	Emotet Create hunting rule
Author:	kevoreilly
Description:	Emotet Payload

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller.

Rule name:	SUSP_Imphash_Mar23_3 Create hunting rule
Author:	Arnim Rupp (https://github.com/ruppde)
Description:	Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:	Internal Research

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/381151/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample