MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d585331cf73902613cb67f42a4abbed947272dbbdcaa12586b12a0b421160fdb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	d585331cf73902613cb67f42a4abbed947272dbbdcaa12586b12a0b421160fdb
SHA3-384 hash:	f151a5fe4ccd4646077736f61e9196775cf31c9f2ca17e0cbc89658fba72436793211dac6dfa0e9603ee4aec63fdec2b
SHA1 hash:	8afeeb4b6fd6e7256963e57085c8e0b4bb584bc8
MD5 hash:	42817b376d2e9cb4a037f94a6ff12666
humanhash:	spring-three-skylark-missouri
File name:	d585331cf73902613cb67f42a4abbed947272dbbdcaa12586b12a0b421160fdb
Download:	download sample
Signature	Heodo Create hunting rule
File size:	260'919 bytes
First seen:	2020-11-15 23:06:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	369f3d28138a96673521f3ed260e22c6 (2 x Kovter, 1 x Heodo)
ssdeep	6144:Nya5VWKmoCLdd0F5HkW6EIFrouU7hlFYdn/HpyXwIT:NyawjLnS5bMor9bYFHpyXwM
TLSH	A5441232749EF6A5D6D22FB65AF44762F0AEB0089675377E9741F2C2643300C9C26DE2
Reporter	seifreed
Tags:	Emotet Heodo

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Launching a process

Creating a process with a hidden window

Launching the default Windows debugger (dwwin.exe)

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d585331cf73902613cb67f42a4abbed947272dbbdcaa12586b12a0b421160fdb/

Threat name:

Win32.Trojan.Kovter

Status:

Malicious

First seen:

2020-11-15 23:09:31 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2wctghhxhebgcpfwp5bkjk563fdsoln33svbewdlckqliiiwb7nq._file

Result

Malware family:

n/a

Score:

10/10

Tags:

upx

Link:

https://tria.ge/reports/201115-7f2x19dkta/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in System32 directory

Suspicious use of SetThreadContext

Process spawned unexpected child process

Unpacked files

SH256 hash:

d585331cf73902613cb67f42a4abbed947272dbbdcaa12586b12a0b421160fdb

MD5 hash:

42817b376d2e9cb4a037f94a6ff12666

SHA1 hash:

8afeeb4b6fd6e7256963e57085c8e0b4bb584bc8

Link:

https://www.unpac.me/results/01130d06-d640-4fb9-af4b-77a2e9b0251c/

SH256 hash:

c87cd4585db83b26ceccb01c219468ae9bd70fc8859ee6089390c9ea8e9e4bbb

MD5 hash:

5440dcf5c0314178865e795964f3d1a2

SHA1 hash:

11249c23ae71bb98475c26aa35e3d9279f7e4ac6

Link:

https://www.unpac.me/results/01130d06-d640-4fb9-af4b-77a2e9b0251c/

SH256 hash:

2bc73f602f57fdc7844f94a37327df2bfa73eb3482f2216e00e9d989c04bdeb5

MD5 hash:

fc246fde18697c64f58473c031fc362b

SHA1 hash:

acbd862746351912872921327f6d7e0f51906f7f

Detections:

win_kovter_auto

Link:

https://www.unpac.me/results/01130d06-d640-4fb9-af4b-77a2e9b0251c/

Parent samples :

7c5159e4f3a2f206d7eac9a4d6fec1ff16e0bc85b1d2879757383709c297ae1b
2b0246f1de2f4e3943cf158feac18ace5a46c21ce8ed37b6efcc12114a44329e
d585331cf73902613cb67f42a4abbed947272dbbdcaa12586b12a0b421160fdb
0f57fcea577dd96f1974a14c2156f3f17ab8facf2587b018969072dffdcccee8
b2e580936468414e204e9da4fd5c0b2b5719c3a6af5bb2796d29e061cfa872cc

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d585331cf73902613cb67f42a4abbed947272dbbdcaa12586b12a0b421160fdb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name:	win_kovter_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample