MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dedbcf292a33b8295491583aec35f78d4f1550d4f62c056a7f7be29331c5585d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 7

Intelligence 7 IOCs YARA 4 File information Comments

SHA256 hash:	dedbcf292a33b8295491583aec35f78d4f1550d4f62c056a7f7be29331c5585d
SHA3-384 hash:	3a4b9f906366a1d7f7d72b457900117b45ee568590a2957fa436b75d42e049ceb2cb057ffbdf94f5a84506763b91ea5c
SHA1 hash:	ce97c0e08a059e474068227b0d1bceba4657c5d6
MD5 hash:	c753b70b89cb08f28b763b936609257a
humanhash:	johnny-alpha-johnny-mars
File name:	emotet_exe_e2_dedbcf292a33b8295491583aec35f78d4f1550d4f62c056a7f7be29331c5585d_2020-10-22__222154._exe
Download:	download sample
Signature	Heodo Create hunting rule
File size:	376'832 bytes
First seen:	2020-10-22 22:22:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	875a1634331d344707689db6d9489063 (219 x Heodo)
ssdeep	6144:HzoTjUrx4KVHa9eUfTLHy2VrH0D+wieInl7lT2IcO/wksAPJLzx:ToCHVcjZwieE7l6i/wi
TLSH	5D84C01272E0C87BC6A312324EFA5BB4B7F5FD501E73954763949F1FAD329524A22322
Reporter	Cryptolaemus1
Tags:	Emotet epoch2 exe Heodo

Cryptolaemus1

Emotet epoch2 exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Emotet

Link:

https://www.capesandbox.com/analysis/74814/

Detection(s):

SecuriteInfo.com.Generic.mg.c753b70b89cb08f2.24208.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Connection attempt to an infection source

Sending an HTTP POST request to an infection source

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dedbcf292a33b8295491583aec35f78d4f1550d4f62c056a7f7be29331c5585d/

Threat name:

Win32.Trojan.Emotet

Status:

Malicious

First seen:

2020-10-22 22:38:07 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=33n46kjkgo4csverla5oynpxrvhrkugu6ywak2t7pprjgmoflboq._file

Result

Malware family:

emotet

Score:

10/10

Tags:

trojan banker family:emotet

Link:

https://tria.ge/reports/201022-zt75ljn6ax/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Emotet Payload

Emotet

Malware Config

C2 Extraction:

200.116.145.225:443
96.126.101.6:8080
5.196.108.185:8080
167.114.153.111:8080
194.187.133.160:443
98.174.164.72:80
103.86.49.11:8080
78.24.219.147:8080
50.245.107.73:443
110.145.77.103:80
94.200.114.161:80
61.19.246.238:443
194.4.58.192:7080
209.54.13.14:80
102.182.93.220:80
46.105.131.79:8080
142.112.10.95:20
186.70.56.94:443
203.153.216.189:7080
49.50.209.131:80
176.113.52.6:443
62.30.7.67:443
61.76.222.210:80
113.61.66.94:80
157.245.99.39:8080
216.139.123.119:80
184.180.181.202:80
123.142.37.166:80
124.41.215.226:80
119.59.116.21:8080
41.185.28.84:8080
5.39.91.110:7080
220.245.198.194:80
139.162.108.71:8080
75.143.247.51:80
74.214.230.200:80
185.94.252.104:443
208.180.207.205:80
49.3.224.99:8080
93.147.212.206:80
182.208.30.18:443
95.213.236.64:8080
37.187.72.193:8080
59.125.219.109:443
37.179.204.33:80
95.9.5.93:80
168.235.67.138:7080
118.83.154.64:443
121.7.31.214:80
74.208.45.104:8080
87.106.136.232:8080
138.68.87.218:443
62.75.141.82:80
66.76.12.94:8080
202.134.4.216:8080
47.36.140.164:80
110.142.236.207:80
134.209.144.106:443
89.216.122.92:80
75.188.96.231:80
24.179.13.119:80
218.147.193.146:80
174.106.122.139:80
71.15.245.148:8080
104.131.11.150:443
202.141.243.254:443
94.230.70.6:80
24.178.90.49:80
97.82.79.83:80
68.252.26.78:80
173.63.222.65:80
162.241.242.173:8080
79.137.83.50:443
80.241.255.202:8080
120.150.60.189:80
190.29.166.0:80
96.245.227.43:80
50.91.114.38:80
83.110.223.58:443
24.230.141.169:80
37.139.21.175:8080
202.134.4.211:8080
190.240.194.77:443
176.111.60.55:8080
123.176.25.234:80
209.141.54.221:7080
115.94.207.99:443
50.35.17.13:80
109.74.5.95:8080
120.150.218.241:443
121.124.124.40:7080
217.20.166.178:7080
108.46.29.236:80
2.58.16.89:8080
85.105.111.166:80
137.59.187.107:8080
139.162.60.124:8080
76.175.162.101:80
139.99.158.11:443
104.131.123.136:443
91.211.88.52:7080
91.146.156.228:80
172.104.97.173:8080
89.121.205.18:80
186.74.215.34:80
61.33.119.226:443
162.241.140.129:8080
130.0.132.242:80
190.108.228.27:443
201.241.127.190:80
87.106.139.101:8080
78.188.106.53:443
188.219.31.12:80
76.171.227.238:80
72.143.73.234:443
62.171.142.179:8080
139.59.60.244:8080
24.137.76.62:80
172.86.188.251:8080
172.91.208.86:80
94.23.237.171:443

Unpacked files

SH256 hash:

dedbcf292a33b8295491583aec35f78d4f1550d4f62c056a7f7be29331c5585d

MD5 hash:

c753b70b89cb08f28b763b936609257a

SHA1 hash:

ce97c0e08a059e474068227b0d1bceba4657c5d6

Link:

https://www.unpac.me/results/c8c6c2f6-3856-4114-b087-b027e1d7775e/

SH256 hash:

321c0765dda06211c251f174bc3df4e3583028484d4e874206a76ed968583bf9

MD5 hash:

ec256f3df528959cf4e4a4d8c58e03a9

SHA1 hash:

92ad554258d6610e19604439c3299d0e4352668a

Detections:

win_emotet_a2

win_emotet_auto

Link:

https://www.unpac.me/results/c8c6c2f6-3856-4114-b087-b027e1d7775e/

Parent samples :

1524fbd0475802e68b523853786098fde2008b5ce6606894438bd938c401f3c9
cbceff6f23665e5941b7af68b1586dad5941ca61f11eabb3e7eb9240c17ef039
1cacf612f5baa3e23c5bf1b4bfba01fb1b12cc173cd2e077e7b84f5b3e0d066a
c344f3d47d8f3def0f441134f6a51bf163b1ad9ecbb4ad3601c38b7d3d7824e6
401879a6acda7e63c18e4699baf63fb822eec0bab1a080b2ef106ab1bf1f7e7d
065d9d6088bd2ef42a792978d28942149814f246ab8a9e1dd874b5491f3adaba
67a518c1354b702bb96fc4b6e347c327f7f5b5d9475322c29871bd698cc924c9
dedbcf292a33b8295491583aec35f78d4f1550d4f62c056a7f7be29331c5585d
954121661374079f566345fcb81b7f2ba17d60b6075ee205710648bd1af71b73
116b1fcb5744a17bce05c9db9020d30f3a3f105919246b01ca91246c2f7a1d82
686f18d02b65a34a06cf0e28030feeb7c8fbe3a6906db1bc8f0ef1adb4329634
61a49f945d1727f99e99ff231fccac5925c5c13420405e5f49e545e762a881e2
5e0da19a904adb77eb34209c56c344f1ed9e7172d910f14c3eb5bf156e5bb5b5
46db02efab25befd72d28d97d7bcdec31ae4fd03e5291531b922358e34a2190b
bf8c1424c68b6599978f8f2d3c7aebc185feeec8f085641009a4c5724f3e5535
aa57610a9eb18245e598432f84f7b1d68c130653bcd5b3e9bef37293fce75333
fa59479ebc3af5921cca1c70e706c956fd0d5b2d54dcdb3e94a9f02b7a2166ab
2693d41f577fc18e9ed64eacb68b93a0e142c38f85a11a2142907287d00d3683
56a6c0607a0240daa4fcda2e8feac5f968b0e716d6d6b7ce84487da910789a38
555715833d0a4354bc655ab818259fd310347a2eb5d696dcbb22236a2ea7a9cd
ad978432ad4d995652043b35737ecc5b7ab1560b92369ab2e9ee27d87d846b5a
1c0778a3db31ee325573b62590df7de2db9b474cd1cc20bbf79f50a5e74b5824
5197ad79cdc42bfe7c42e68f4bc91563937b84a0e360aaf24237e23012bb1b96
78ab57165e977503eb7bed78e1ac4fd26bb7baf8c0211c16df9f98caae5e21b4
69b2495068360bc469201c79b1a52461bbef0f9da8299dc9103d96bdafbb53c0
828b4ed6b22db9293c3367361f1f2f3c481135b921c8780fd674cd054b0672db
c75af1aa16ad61c83da2970ef71a48926efc904045cf741d0c151cf289c7a836
6d8d6ff518394514ba7e5aba88988384927b8142602363110052564410767785
b291d1bee82a11276b0bcfbdcb464cf02683e3e991f90b063dc1de645d01ace3
aafb8f4491240d1dc0099ec97128a961a87e3a84edb996be04f7b04ee20615e4
568eab1d56dd6573dde565207666f7ed73188e9f92c66682084c39c6b5bfc7d2
a37ca5df5c0c027cf1ca8f77ea9bfd21ec67b83ab92a069ae8ca95c63fbd26b9
112648029ee4c98b94bc76919603b54c942dd714298024339cdd86445bf036fb

SH256 hash:

af3e2868c1323b2ab6a3b895f949f199a103f2a6d3a7ff28f3df6ea7db0ef51f

MD5 hash:

d3991e339e53faff49e4a611161314fc

SHA1 hash:

a76ee4a4a372d979e4d5203381e81ac8db7bcb86

Detections:

win_emotet_a2

win_emotet_auto

Link:

https://www.unpac.me/results/c8c6c2f6-3856-4114-b087-b027e1d7775e/

Parent samples :

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	Win32_Trojan_Emotet Create hunting rule
Author:	ReversingLabs
Description:	Yara rule that detects Emotet trojan.

Rule name:	win_icondown_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_sisfader_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/74814/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample