MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd6bd18b879ab9ad503c4c091c480a8907d11767167d4ec8ac5ff4e9648dd104. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd6bd18b879ab9ad503c4c091c480a8907d11767167d4ec8ac5ff4e9648dd104
SHA3-384 hash: 6623e4fab8082e6b5b49e360f64d3d3d892e969c1275a9b82f964353a46f059426d9338f19c4c57f4d2311ac02f145a4
SHA1 hash: f0dcd07eb69c2641226b4d475d1872328cbdca6f
MD5 hash: ea0e6b36ed3180bf7be0d7faa142f421
humanhash: uncle-zebra-football-spring
File name:newservervictor.exe
Download: download sample
Signature Emotet
Create hunting rule
File size:254'976 bytes
First seen:2020-05-28 06:36:15 UTC
Last seen:2020-05-28 08:22:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'859 x AgentTesla, 19'785 x Formbook, 12'305 x SnakeKeylogger)
ssdeep 6144:RMWMdYP5kc+tMGWlhcL9eCALdJbrRUxO:6W7r+tAcL9eRB1CxO
Threatray 493 similar samples on MalwareBazaar
TLSH 6E448D4533E48421F5BF4B3194721A2087B8B6329E2BD75F4BE054AB2DB3781EE1635B
Reporter abuse_ch
Tags:Emotet exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: co.coolserv.live
Sending IP: 45.95.171.183
From: 김은주[KIM EUN JOO] <kej0610@hhi.co.kr>
Subject: QG, NFPS Project / RFQ-P-013 Inconel 625 Clad_Butting
Attachment: gunzipped (contains "newservervictor.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
152
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.ILCrypt.26982.22463.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Mailpassview
Create hunting rule
Status:
Malicious
First seen:
2020-05-28 03:07:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
35 of 48 (72.92%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
emotet
Create hunting rule
Similar samples:
0b0843fec59e2e7c90b04d88f9d90f7e6a3c8e7511a601d20ba588a52380781b
Emotet
3853c83c0df51ab8dc2d06d29efc8ca581044dbbcfe4c7c4d05fcc0ab62e22a8
Emotet
3a2adcac20af82cdb882ab9bd9a1a78ca30f833a488cd13a55daf8ff743271a3
Emotet
400ad786bf1e76812b70a3ab4ba345668fe07c176743f412f6ff5372238c2320
Emotet
538a207974969d50055870c016eb819c2a71a1388db863bf025ea5bc2144b00b
Emotet
a4b07204b33173093041072e00e88d0083c88b88f634561aabe46ec8992f9332
Emotet
c0a5e2237ef1901c7a3ee2c15290c8db625a1cb9659e99a86ee474460533aa32
Emotet
c730e6287aa786e04d22daa4e6c77b504cdf80dc4f09877a15bc79bac84403f6
Emotet
f86be0fe01d3a3fae24c8bf92bb289ec52dd7f6a9461b9ce95f062d162f124c0
Emotet
f9aa404e6b892570fa59a968eb1e6f2069cb6e6105632e323ae91d7c8005fe57
Emotet
+ 483 additional samples on MalwareBazaar
Result
Malware family:
m00nd3v_logger
Create hunting rule
Score:
  10/10
Tags:
family:m00nd3v_logger spyware
Link:
https://tria.ge/reports/201109-b2tev28yx6/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_NK_BabyShark_KimJoingRAT_Apr19_1
Create hunting rule
Author:Florian Roth
Description:Detects BabyShark KimJongRAT
Reference:https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Emotet

zip f495359a680bc1aaa211898f3a4c0225599261762f8d21bdcb60c50e8aa6e22c

Emotet

Executable exe dd6bd18b879ab9ad503c4c091c480a8907d11767167d4ec8ac5ff4e9648dd104

(this sample)

  
Dropped by
MD5 e15e709115885e1f0f8068e3324d94b4
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f495359a680bc1aaa211898f3a4c0225599261762f8d21bdcb60c50e8aa6e22c

Comments