MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dafcf4cefffd38e43e04f7d536f01e1794bf1ef00842bc27efbd40fb039fb8c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dafcf4cefffd38e43e04f7d536f01e1794bf1ef00842bc27efbd40fb039fb8c4
SHA3-384 hash: c363f6b4e4a192d50043c19ba0fe888333f863b2b64e211be52fe236a79fba5ebec1393f9d53c71fd5dda3bc8516212e
SHA1 hash: 74893e80c29ea93d3f599e1eb2041242402b96c5
MD5 hash: 1158442168e2a84543170ef7b11bb173
humanhash: seven-sweet-berlin-arkansas
File name:1158442168e2a84543170ef7b11bb173
Download: download sample
Signature Heodo
Create hunting rule
File size:1'253'888 bytes
First seen:2021-12-24 06:55:50 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 6e16afd0d7990d33ac75371bcceecbc8 (44 x Heodo)
ssdeep 24576:JbYRleg4H/qZHeK+dVxodFx2mi8WJhFwmuK/DHvb1MrzM+SU5L5tj112jGLF2eoU:0UQH1dFx2mi8kwybqzM8L5tj112jGLFV
Threatray 347 similar samples on MalwareBazaar
TLSH T1A145BD0078C2C0B6F62B2479053AB3690FEE65201720CEEFDB88DDB56F75DC2593665A
Reporter zbetcheckin
Tags:32 dll Emotet exe Heodo

Intelligence

File Origin
# of uploads :
1
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Emotet
Create hunting rule
Link:
https://www.capesandbox.com/analysis/216095/
Detection(s):
Win.Trojan.Generic-9917122-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
DNS request
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/61c56f0a8991ba72b3950d5c/reports/f6ebd23b-749e-44fb-a40b-cc5458d5fa9a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Emotet
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/16221ff1-291c-4011-91cd-71ad9dd3c8ba
Result
Threat name:
Emotet
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/912335
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 544811 Sample: sD38AZFcDx Startdate: 24/12/2021 Architecture: WINDOWS Score: 84 42 162.214.50.39 UNIFIEDLAYER-AS-1US United States 2->42 44 203.114.109.124 TOT-LLI-AS-APTOTPublicCompanyLimitedTH Thailand 2->44 46 33 other IPs or domains 2->46 52 Found malware configuration 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 Yara detected Emotet 2->56 58 2 other signatures 2->58 9 loaddll32.exe 1 2->9         started        11 svchost.exe 1 2->11         started        13 svchost.exe 1 2->13         started        15 2 other processes 2->15 signatures3 process4 process5 17 rundll32.exe 2 9->17         started        20 cmd.exe 1 9->20         started        22 rundll32.exe 9->22         started        24 2 other processes 9->24 signatures6 50 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->50 26 rundll32.exe 17->26         started        28 rundll32.exe 20->28         started        30 rundll32.exe 22->30         started        32 conhost.exe 22->32         started        34 rundll32.exe 24->34         started        process7 process8 36 rundll32.exe 26->36         started        40 rundll32.exe 2 28->40         started        dnsIp9 48 144.217.91.150, 443, 49744 OVHFR Canada 36->48 60 System process connects to network (likely due to code injection or exploit) 36->60 62 Hides that the sample has been downloaded from the Internet (zone.identifier) 40->62 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dafcf4cefffd38e43e04f7d536f01e1794bf1ef00842bc27efbd40fb039fb8c4/
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2021-12-24 06:56:12 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
24 of 27 (88.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3l6pjtx77u4oipqe67ktn4a6c6kl6hxqbbblyj7pxvapwa47xdca._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
Similar samples:
3c8d49a046157a3efca16ecd5e1786f4e1a169c2937572c322165f0048c34ed8
Heodo
5468689bded8f2b88fbde520c77e424752e98f575ab9c90c8a292d17a313b060
Heodo
5bb626d65f16f3befd6929af097b9f8513a435662959c67645414a795777208a
Heodo
627514179c485caf59499a86f96a39eff2b3c8b9592354d9044e8ced8a89af23
Heodo
824a3f0277b943e71033fce00144f02f387109b820629795a6004b19b78504b4
Heodo
94ff8b39e638e4bcb9c4ed01e51ec7197a69a4fdfa0c13218bf2ba675c85aa7a
Heodo
a84e754252e4a6e668881039eecad1adcb502f398d91a36ed0c2eaa6ba808a3f
Heodo
ae275aba1d935bd3045e9cd3f258b72636e6759506e183423341a992faf47f80
Heodo
ce41b55d753ea32625cc635dd310589a68b7d908e6ff8f3ddfdade1180d0e7ee
Heodo
+ 337 additional samples on MalwareBazaar
Result
Malware family:
emotet
Create hunting rule
Score:
  10/10
Tags:
family:emotet botnet:epoch4 banker trojan
Link:
https://tria.ge/reports/211224-hqcz4sdcep/
Behaviour
Suspicious use of WriteProcessMemory
Emotet
Malware Config
C2 Extraction:
144.217.91.150:443
51.38.71.0:443
212.237.56.116:7080
79.172.212.216:8080
178.79.147.66:8080
138.185.72.26:8080
192.254.71.210:443
178.63.25.185:443
195.154.133.20:443
45.118.135.203:7080
81.0.236.90:443
107.182.225.142:8080
162.214.50.39:7080
50.116.54.215:443
203.114.109.124:443
45.118.115.99:8080
216.158.226.206:443
104.168.155.129:8080
110.232.117.186:8080
176.104.106.96:8080
46.55.222.11:443
51.68.175.8:8080
207.38.84.195:8080
58.227.42.236:80
45.176.232.124:443
104.251.214.46:8080
103.8.26.102:8080
45.142.114.231:8080
217.182.143.207:443
41.76.108.46:8080
212.237.5.209:443
103.8.26.103:8080
212.237.17.99:8080
173.212.193.249:8080
158.69.222.101:443
103.75.201.2:443
Unpacked files
SH256 hash:
e5725b033e0ab4d5262c8d58d0b7cdbd1448e349ca1baa4d21352341f91c02c1
MD5 hash:
4f0b12d9484b36952da87aada6d5380c
SHA1 hash:
c5e91ebce8a89b85b28fe30ef43a10a5c5178147
Detections:
win_emotet_a2
Create hunting rule
win_emotet_auto
Create hunting rule
Link:
https://www.unpac.me/results/2a6187fd-0e37-43fa-be03-7e3baeac023e/
Parent samples :
70c1288e9d31fc88843baab3f22646ffa7a168dfccae59114efa4e313ed93342
dafcf4cefffd38e43e04f7d536f01e1794bf1ef00842bc27efbd40fb039fb8c4
2db9ce3901b75309b5669e0e94c8cfd2c93f9f4d5c6b1c023bfa0ac1806e0a87
a93f9ee50c0d705ffe8f402e27c1c8018dc239f6ea8f4dd435e8ffe3a7132c3a
9dd4052fc27960c70e03bcbd521c7b832f5617da0b69821e9c06a174380339c0
caab57f5666791e06569dec2525a73c05093f802ff9fcb63217d617885934b31
b5055179d3096337ee8a59d012b693b98a06f1b74557aae4755d88e8f9c283bd
5481eca24911b03018ce88cbe69e2a4380da4ad6d050a3939eb2fd22121524f8
c521fe1757f1650ee0ebee5f40803b472645be5d079923ee31e9d06501f8b150
ae265469e957237bdefc756052fdf16a57b327df1c0e297af060a782151b0eb7
3ef54d0b4ddae929dcea58be681402552563083a84ff4c71bd4ee21f4e6869ad
5656363529527938e25ed8f39e568b5ed241a25e124b4cdbd9170d103a4a5dd0
8784798dbddfb7c712b0336bdf3d7dd2c03c4e0f0fe44c51783321dbb6fe0cd3
761f99ee9f3efb8fc11aff822ee30b8f6d7db09f4c38f4d60670c601307517d9
4fbbc63b55175875a2b55c5881fa93e51af5fd6bcd9c124a774635902f437717
faea97bf475f57afbea3768e9e11ec5161c6b66456eba7461ae649a38d6dc77b
1fa8c05f509df70da3ca7f1834df62435da3bb5e0f3b8f563b103878ed7bce7e
2e1f12f551f566a963772190fedde695dc87b4fd54e7ca0a40c46dfdb6621cc4
636d4994c59fd2b09d078c5bae3513c22b59e4794d71281c17a7edc33b78021a
096a65b7271696f2cea35b736edd00201427c4be1bcf1f518a4dc8589d612725
1652d4bbec44afc20fd2a289c061fc130e43003bd35c65ae7b026c7091ca0e1c
945d5d4be4e003c4ca685521d7d22f2c35508c9ee8d8c18e4d8a6db14f4ec121
898b9eddb7ad4aa2623c50eb79a25d49262b6230cf1713c825553110386fcf75
SH256 hash:
dafcf4cefffd38e43e04f7d536f01e1794bf1ef00842bc27efbd40fb039fb8c4
MD5 hash:
1158442168e2a84543170ef7b11bb173
SHA1 hash:
74893e80c29ea93d3f599e1eb2041242402b96c5
Link:
https://www.unpac.me/results/2a6187fd-0e37-43fa-be03-7e3baeac023e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dafcf4cefffd38e43e04f7d536f01e1794bf1ef00842bc27efbd40fb039fb8c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Emotet
Create hunting rule
Author:kevoreilly
Description:Emotet Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Heodo

DLL dll dafcf4cefffd38e43e04f7d536f01e1794bf1ef00842bc27efbd40fb039fb8c4

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/216095/

Comments


Avatar
zbet commented on 2021-12-24 06:55:52 UTC

url : hxxps://conseilprefectoralagadir.ma/ooo/dGhjdeED8L5FjMnuBR/