MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8a2f75c27ebfd8df0a61e2cfc2e72e0ce7aa0df0edfe067843f0b9c46dfcb4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 7

Maldoc score: 15

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	c8a2f75c27ebfd8df0a61e2cfc2e72e0ce7aa0df0edfe067843f0b9c46dfcb4e
SHA3-384 hash:	d06321a90f3b86358f8527e090553956ff49c4736fbc77bbb0b8c9ca6763d45bce3b0fc8144591fb93a38f0ab71b4f4f
SHA1 hash:	31be0fd6ea78612754761c54ebcdd6be5a8be5c9
MD5 hash:	a0a4fcae2fc3c4c466c5090ab4003fc8
humanhash:	louisiana-ceiling-nitrogen-december
File name:	file 2112 F-2708620.doc
Download:	download sample
Signature	Heodo Create hunting rule
File size:	195'813 bytes
First seen:	2020-12-21 12:36:32 UTC
Last seen:	2020-12-21 15:10:02 UTC
File type:	doc
MIME type:	application/msword
ssdeep	3072:N9ufstRUUKSns8T00JSHUgteMJ8qMD7gDvMbTQqlJjq8ypsUSU:N9ufsfgIf0pLDaUqlJjq8ypsUSU
TLSH	9C142901B660CECEE236323CD8C299A92567EFA14F49860F315CB7CDE6F5D659903E18
Reporter	JAMESWT_WT
Tags:	doc Emotet Heodo

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id

Maldoc score: 15

Application name is Microsoft Office Word

Office document is in OLE format

Office document contains VBA Macros

OLE dump

MalwareBazaar was able to identify 38 sections in this file using oledump:

Section ID	Section size	Section name
1	114 bytes	CompObj
2	4096 bytes	DocumentSummaryInformation
3	552 bytes	SummaryInformation
4	7231 bytes	1Table
5	99184 bytes	Data
6	896 bytes	Macros/PROJECT
7	278 bytes	Macros/PROJECTwm
8	97 bytes	Macros/UserForm1/CompObj
9	266 bytes	Macros/UserForm1/VBFrame
10	38 bytes	Macros/UserForm1/f
11	0 bytes	Macros/UserForm1/o
12	97 bytes	Macros/UserForm2/CompObj
13	266 bytes	Macros/UserForm2/VBFrame
14	38 bytes	Macros/UserForm2/f
15	0 bytes	Macros/UserForm2/o
16	97 bytes	Macros/UserForm3/CompObj
17	266 bytes	Macros/UserForm3/VBFrame
18	38 bytes	Macros/UserForm3/f
19	0 bytes	Macros/UserForm3/o
20	97 bytes	Macros/UserForm4/CompObj
21	266 bytes	Macros/UserForm4/VBFrame
22	38 bytes	Macros/UserForm4/f
23	0 bytes	Macros/UserForm4/o
24	97 bytes	Macros/UserForm5/CompObj
25	266 bytes	Macros/UserForm5/VBFrame
26	38 bytes	Macros/UserForm5/f
27	0 bytes	Macros/UserForm5/o
28	16854 bytes	Macros/VBA/D7w9m5cll8x
29	682 bytes	Macros/VBA/Jsw5j1t_5nbxs
30	1117 bytes	Macros/VBA/Kh0pzi2jvi6r2su
31	1159 bytes	Macros/VBA/UserForm1
32	1160 bytes	Macros/VBA/UserForm2
33	1159 bytes	Macros/VBA/UserForm3
34	1160 bytes	Macros/VBA/UserForm4
35	1160 bytes	Macros/VBA/UserForm5
36	5945 bytes	Macros/VBA/_VBA_PROJECT
37	1045 bytes	Macros/VBA/dir
38	32820 bytes	WordDocument

OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

Type	Keyword	Description
AutoExec	Document_open	Runs when the Word or Publisher document is opened
Suspicious	Create	May execute file or a system command through WMI
Suspicious	CreateObject	May create an OLE object
Suspicious	ChrW	May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Suspicious	Hex Strings	Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious	Open	May open a file
Suspicious	Put	May write to a file (if combined with Open)
Suspicious	Binary	May read or write a binary file (if combined with Open)

Intelligence

File Origin

# of uploads :

# of downloads :

133

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file 2112 F-2708620.doc

Verdict:

Malicious activity

Analysis date:

2020-12-21 12:32:23 UTC

Tags:

macros macros-on-open generated-doc emotet-doc emotet

Link:

https://app.any.run/tasks/98b5ebfa-a049-49f8-9483-f8aa34cbb122

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

File type:

application/msword

Has a screenshot:

False

Contains macros:

True

Detection(s):

TwinWave.EvilDoc.EMOCROCreateRomanticWarrior.20200916.UNOFFICIAL

TwinWave.EvilDoc.EMOCROSnakeCharmer.20201103.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Using the Windows Management Instrumentation requests

Running batch commands

Launching a process

DNS request

Sending a custom TCP request

Creating a file

Moving a file to the Windows subdirectory

Creating a service

Connection attempt

Deleting a recently created file

Possible injection to a system process

Sending a TCP request to an infection source

Enabling autorun for a service

Launching a process by exploiting the app vulnerability

Sending an HTTP GET request to an infection source

Result

Verdict:

Malicious

File Type:

Legacy Word File with Macro

Link:

https://app.docguard.net/c8a2f75c27ebfd8df0a61e2cfc2e72e0ce7aa0df0edfe067843f0b9c46dfcb4e/results/dashboard

Document image

Image:

Download PNG

Result

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c8a2f75c27ebfd8df0a61e2cfc2e72e0ce7aa0df0edfe067843f0b9c46dfcb4e/

Threat name:

Document-Excel.Downloader.Heuristic

Status:

Malicious

First seen:

2020-12-21 12:37:14 UTC

File Type:

Document

Extracted files:

AV detection:

11 of 48 (22.92%)

Threat level:

2/5

Result

Malware family:

n/a

Score:

10/10

Tags:

macro

Link:

https://tria.ge/reports/201221-191rwc6cr2/

Behaviour

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Enumerates system info in registry

Office loads VBA resources, possible macro or embedded object present

Drops file in Windows directory

Drops file in System32 directory

Loads dropped DLL

Blocklisted process makes network request

Process spawned unexpected child process

Malware Config

Dropper Extraction:

http://parakkunnathtemple.com/bckup/7SDAvi/
http://helionspharmaceutical.com/wp-admin/oXJB/
https://accordiblehr.com/wp-admin/HdzyEn/
https://snjwellers.com/wp-includes/esttW/
https://norailya.com/vendor/1j/
https://whytech.info/wp-includes/HceUxFK/
http://resuco.net/wp-content/uploads/2020/12/S0K/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c8a2f75c27ebfd8df0a61e2cfc2e72e0ce7aa0df0edfe067843f0b9c46dfcb4e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample