MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb674159b6c80120ef511724f51349c52d6566c95a3e8baf60d114f03b4d463e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb674159b6c80120ef511724f51349c52d6566c95a3e8baf60d114f03b4d463e
SHA3-384 hash: 7e0652edef1d8d066feca506de7ebebb11748a2e72cb8dc7185500deb3903f3f0d042c07b82e3c8fa18934d61140edb8
SHA1 hash: 7f8851905aa4ceeff16f6568b74241bebd03f7da
MD5 hash: b1c27b7280ee64130e5a45a6300b9c7d
humanhash: venus-uniform-oregon-hawaii
File name:emotet_exe_e2_cb674159b6c80120ef511724f51349c52d6566c95a3e8baf60d114f03b4d463e_2020-08-21__112728._exe
Download: download sample
Signature Heodo
Create hunting rule
File size:221'288 bytes
First seen:2020-08-21 11:27:34 UTC
Last seen:2020-08-21 13:00:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b4cdfb0f74c2da3a5a0531cfa2dbb537 (26 x Heodo, 1 x Emotet)
ssdeep 6144:V26zQqGAvo3z6c4ccld5b2IOIQlNtGZknCiS6cyjZZ:VJGAgjjLcyjH
Threatray 8'165 similar samples on MalwareBazaar
TLSH 74249C1133E1C873F49144B449995FEE963AFE263E08DE4363E1BB8D0C79DE29922247
Reporter Cryptolaemus1
Tags:Emotet epoch2 exe Heodo


Avatar
Cryptolaemus1
Emotet epoch2 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Emotet
Create hunting rule
Link:
https://www.capesandbox.com/analysis/49514/
Detection(s):
SecuriteInfo.com.HEUR.QVM07.1.64E0.Malware.Gen.14166.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Connection attempt
Sending an HTTP POST request
Result
Threat name:
Emotet
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/444028
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Behaviour
Behavior Graph:
Download SVG
Detection:
emotet
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cb674159b6c80120ef511724f51349c52d6566c95a3e8baf60d114f03b4d463e/
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2020-08-21 11:29:07 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zntucwnwzaasb32rc4spke2jyuwwkzwjli7ixl3a2ekpao2niy7a._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
Similar samples:
02ac0e62a15f00a502e13803fe7595a1bb129959fdf78b95948dc8b4d34df969
Heodo
09c43c902de2b44c93bde8cd642fe5db1d9e49071a0a8576dde415d7a31b5ac3
Heodo
0f1c13e90c2dd17c9ae2b70e5605273dbe25d689aeebf56d5c981d6b88991318
Heodo
4f05d69bc462da5885099ffb631d58ffe8bb0b526f78563df6daa68c2dcb09c3
Heodo
79e4c075432e7a51aa0c06d746b1e36ccbd5c8c067704d1c25a29200b2556105
Heodo
7ca9972320e34f7ec527fe991e0b9a59cb7ab4b9d27f16e9c82ef4e484342349
Heodo
99a21c446fefddc2e39687a0c1ea5d39fe3b5ccc0feb109ea409663ae401a16b
Heodo
9b30a65f530bcd0d0e1554c73ec6522bf0a14966b0eb37c45521bf121e13b10a
Heodo
cb6ca7f42dd9b144c4e249dc48b8da468f4876edf63c995c199156af08d254fc
Heodo
f9ff9f2f3e6bce00af9c59caf6573b945e24a8e332e1fb01bbc911f9df5510e6
Heodo
+ 8'155 additional samples on MalwareBazaar
Result
Malware family:
emotet
Create hunting rule
Score:
  10/10
Tags:
trojan banker family:emotet
Link:
https://tria.ge/reports/200821-xqnwmkxxa2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Emotet Payload
Emotet
Malware Config
C2 Extraction:
137.119.36.33:80
116.202.234.183:8080
69.30.203.214:8080
204.197.146.48:80
87.106.136.232:8080
153.163.83.106:80
91.211.88.52:7080
93.147.212.206:80
222.214.218.37:4143
189.212.199.126:443
203.153.216.189:7080
83.169.36.251:8080
188.83.220.2:443
104.236.246.93:8080
173.62.217.22:443
5.196.74.210:8080
68.188.112.97:80
139.130.242.43:80
61.19.246.238:443
24.179.13.119:80
157.245.99.39:8080
116.203.32.252:8080
203.117.253.142:80
75.139.38.211:80
41.60.200.34:80
2.58.16.85:7080
199.101.86.142:8080
169.239.182.217:8080
209.141.54.221:8080
121.124.124.40:7080
67.205.85.243:8080
79.98.24.39:8080
85.105.205.77:8080
200.41.121.90:80
185.94.252.104:443
24.233.112.152:80
37.187.72.193:8080
89.186.91.200:443
47.144.21.12:443
103.86.49.11:8080
95.179.229.244:8080
190.55.181.54:443
113.160.130.116:8443
62.75.141.82:80
47.146.117.214:80
187.161.206.24:80
104.131.44.150:8080
109.74.5.95:8080
200.114.213.233:8080
139.59.60.244:8080
81.2.235.111:8080
174.137.65.18:80
24.43.99.75:80
201.173.217.124:443
137.59.187.107:8080
46.105.131.79:8080
70.121.172.89:80
78.24.219.147:8080
74.120.55.163:80
85.152.162.105:80
93.51.50.171:8080
98.109.204.230:80
104.131.11.150:443
95.213.236.64:8080
153.232.188.106:80
176.111.60.55:8080
74.208.45.104:8080
174.102.48.180:80
190.160.53.126:80
152.168.248.128:443
180.92.239.110:8080
37.139.21.175:8080
157.147.76.151:80
167.86.90.214:8080
24.137.76.62:80
112.185.64.233:80
5.39.91.110:7080
87.106.139.101:8080
97.82.79.83:80
85.66.181.138:80
181.230.116.163:80
37.70.8.161:80
110.145.77.103:80
168.235.67.138:7080
68.44.137.144:443
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Emotet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cb674159b6c80120ef511724f51349c52d6566c95a3e8baf60d114f03b4d463e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:MALW_emotet
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect unpacked Emotet

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/49514/

Comments