MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd9d6397f31eccd414eb5605fdb0c1326d0c896f3ca781dc694d9584605a776c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 3

Intelligence 3 IOCs YARA 3 File information Comments

SHA256 hash:	dd9d6397f31eccd414eb5605fdb0c1326d0c896f3ca781dc694d9584605a776c
SHA3-384 hash:	15a2346529a49e370fa187845facf6a14af0bbfb6ca242aafebf5e16ca6efd36aed1e5f8ce30cfb66a06504c7ff8a592
SHA1 hash:	cda1f7241fccf0c74a63d132fb9a061d61956959
MD5 hash:	4e046e4093be0c049abdbb50e2fb6262
humanhash:	failed-batman-failed-berlin
File name:	dd9d6397f31eccd414eb5605fdb0c1326d0c896f3ca781dc694d9584605a776c
Download:	download sample
Signature	Heodo Create hunting rule
File size:	242'539 bytes
First seen:	2020-03-23 16:55:12 UTC
Last seen:	2020-09-29 11:46:41 UTC
File type:	docx
MIME type:	application/msword
ssdeep	6144:Ww0Rum7mdLRp1bbSBIR/EHGtCMXgTo8qoFt/etg+B2KEwCzRW:l0E3dxtR/iU9mvUPBawCzRW
TLSH	3F34AE06B2C1FD5BDF5256310DABCEF9722AAC55EE04CE23329CB7AD6B366608744710
Reporter	Marco_Ramilli
Tags:	Emotet Heodo

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Doc.Downloader.Emotet-7580201-0

Doc.Malware.Chartres-7580423-0

TwinWave.EvilDoc.EmotetWindowSong.20200204.UNOFFICIAL

TwinWave.EvilDoc.EmotetCallCreatePickMeUp.20200204.UNOFFICIAL

TwinWave.EvilDoc.EmotetYourPshellsAresoEMO.20200211.UNOFFICIAL

Result

Threat name:

Unknown

Detection:

malicious

Classification:

bank.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/386863

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Connects to a URL shortener service

Creates processes via WMI

Document contains an embedded VBA with many string operations indicating source code obfuscation

Encrypted powershell cmdline option found

Machine Learning detection for sample

Malicious encrypted Powershell command line found

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

PowerShell case anomaly found

Very long command line found

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Document-Word.Trojan.Emotet

Status:

Malicious

First seen:

2020-02-08 00:02:34 UTC

File Type:

Document

Extracted files:

AV detection:

22 of 31 (70.97%)

Threat level:

5/5

Verdict:

unknown

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	SharedStrings Create hunting rule
Author:	Katie Kleemola
Description:	Internal names found in LURK0/CCTV0 samples

Rule name:	win_alina_pos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_gootkit_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator