MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e669a8cce021c5be1d0db3b19c7e164c51083609cdb495c20035ec735ba4ab2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	e669a8cce021c5be1d0db3b19c7e164c51083609cdb495c20035ec735ba4ab2d
SHA3-384 hash:	2024eb38fe04cad8f5eecfca7ad13398ee7154b411cad2eaf6857fb184e48539b7179f899c80e97710d9dead1758c067
SHA1 hash:	ac87e0f425d8beae79aa053ef2ee830fa722b437
MD5 hash:	a5cea345a35440f47fbb64b10470bf52
humanhash:	fruit-oxygen-fix-stairway
File name:	emotet_exe_e3_e669a8cce021c5be1d0db3b19c7e164c51083609cdb495c20035ec735ba4ab2d_2020-09-29__135841._exe
Download:	download sample
Signature	Heodo Create hunting rule
File size:	417'792 bytes
First seen:	2020-09-29 13:58:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1e6b456eed015cc8476b38993407e4c5 (32 x Heodo)
ssdeep	6144:hSTANNR+Jqv6/4e805rRRK7wGiXUNHFd7Dc9k1:hgANNk35SwGiXUNHl1
TLSH	54941B33E9907341EA4304710D35BABA2A2A5C25D0429D47A6C5FE4F1E73A93BDF532E
Reporter	Cryptolaemus1
Tags:	Emotet epoch3 exe Heodo

Cryptolaemus1

Emotet epoch3 exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Generic.mg.a5cea345a35440f4.31889.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Connection attempt

Sending an HTTP POST request

Connection attempt to an infection source

Detection:

emotet

Link:

https://mwdb.cert.pl/sample/e669a8cce021c5be1d0db3b19c7e164c51083609cdb495c20035ec735ba4ab2d/

Threat name:

Win32.Trojan.Emotet

Status:

Malicious

First seen:

2020-09-29 14:00:09 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4zu2rthaehc34hinwoyzy7qwjriqqnqjzw2jlqqagxwhgw5evmwq._file

Result

Malware family:

emotet

Score:

10/10

Tags:

trojan banker family:emotet

Link:

https://tria.ge/reports/200929-mwrqmx4lta/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Emotet Payload

Emotet

Malware Config

C2 Extraction:

49.243.9.118:80
167.71.227.113:8080
190.85.46.52:7080
162.144.42.60:8080
86.57.216.23:80
202.166.170.43:80
118.243.83.70:80
36.91.44.183:80
118.33.121.37:80
116.202.10.123:8080
113.193.239.51:443
169.1.211.133:80
192.163.221.191:8080
115.79.59.157:80
51.38.201.19:7080
45.177.120.37:8080
190.194.12.132:80
185.80.172.199:80
128.106.187.110:80
73.55.128.120:80
183.77.227.38:80
195.201.56.70:8080
91.83.93.103:443
202.153.220.157:80
198.57.203.63:8080
200.116.93.61:80
103.229.73.17:8080
180.148.4.130:8080
126.126.139.26:443
185.86.148.68:443
37.205.9.252:7080
182.227.240.189:443
181.95.133.104:80
186.20.52.237:80
192.241.220.183:8080
139.59.61.215:443
223.17.215.76:80
103.80.51.61:8080
111.89.241.139:80
203.153.216.178:7080
27.73.70.219:8080
14.241.182.160:80
37.187.100.220:7080
181.80.129.181:80
78.186.65.230:80
91.75.75.46:80
172.105.78.244:8080
115.176.16.221:80
178.33.167.120:8080
41.212.89.128:80
67.121.104.51:20
8.4.9.137:8080
74.208.173.91:8080
54.38.143.245:8080
46.105.131.68:8080
119.92.77.17:80
103.133.66.57:443
79.133.6.236:8080
58.27.215.3:8080
88.247.58.26:80
172.96.190.154:8080
190.192.39.136:80
78.114.175.216:80
37.46.129.215:8080
120.51.34.254:80
179.5.118.12:80
189.150.209.206:80
5.79.70.250:8080
113.160.248.110:80
192.210.217.94:8080
113.156.82.32:80
182.253.83.234:7080
46.32.229.152:8080
80.200.62.81:20
175.103.38.146:80
95.216.205.155:8080
153.229.219.1:443
223.135.30.189:80
220.147.247.145:80
138.201.45.2:8080
45.239.204.100:80
50.116.78.109:8080
113.161.148.81:80
220.106.127.191:443
185.142.236.163:443
157.7.164.178:8081
115.79.195.246:80
75.127.14.170:8080
143.95.101.72:8080
77.74.78.80:443
139.59.12.63:8080
187.189.66.200:8080
93.20.157.143:80
41.185.29.128:8080
113.203.238.130:80
185.208.226.142:8080
27.7.14.122:80
60.125.114.64:443
103.93.220.182:80
190.191.171.72:80
109.206.139.119:80

Unpacked files

SH256 hash:

e669a8cce021c5be1d0db3b19c7e164c51083609cdb495c20035ec735ba4ab2d

MD5 hash:

a5cea345a35440f47fbb64b10470bf52

SHA1 hash:

ac87e0f425d8beae79aa053ef2ee830fa722b437

Detections:

win_trickbot_auto

Link:

https://www.unpac.me/results/b57bd785-77b0-411a-93be-23747117560f/

SH256 hash:

5d27815709a9c0a27581c23fe59f13748b5f62aaef00f33b413bb8cad36e2093

MD5 hash:

625aae53e23093ee004d72b2c57ba851

SHA1 hash:

a5ac90361ea7be98aad73dcbf81928f070aa2449

Detections:

win_emotet_a2

Link:

https://www.unpac.me/results/b57bd785-77b0-411a-93be-23747117560f/

Parent samples :

840f8e7666ebe1fbc445dd7634cdaf053333468904e2d04bbc8a17c41907b612
69222c6e1e991389460f833aab370d1b13372d7ca9797288426df178053ad2a8
15de097896aade0dd22abe8e1dcad6da8ebd153539dcb133d44c495fcbca5200
4dd1bcb4bb1f4c55ff2f863cc2909d0b474746e2d7351439778cd739f082ba89
1db3b00758aa451e283959514893ff7f3761beba29a514238720c241ae2db602
dff92349840806814a51ec4c963a414d291e01246cb7c8646fbab87727cc4129
ee396fefb4234b358365a697b561cf5051de0ab571fc14bd5bb8e7aaa28809d5
106e2eca85041fca67d8f97b695a0801ccbb9a71d8193d98a3a814840c65fdeb
2640a7636c886d319e3c72669eec48f607b5e5dfb428233861fa22c2a388ffad
27f1d16a7aaabf35b1a79915e1bc5f2e8e8bf0c1ea3fc0096bb69a9310c836d9
d3a7925fc673a9d1d9d7cebc1dcf8856c0ca34ff037cea2c9f28e6538aae3789
77f0287cff44d3d1494b6485cd075e0c45ad59c5ecdf43c1b50ee83359aff012
e669a8cce021c5be1d0db3b19c7e164c51083609cdb495c20035ec735ba4ab2d
e354b47d0301fcc9ec6fcd2d716952c11d580c872263a74d466b9bd9e0099282
286281cb38cfcef925707d75e0612a557d3fdc5235e00836e0024713fe7239a1
103cc8add6d843ea3c670b8b56abbcc7d25245ebc36b5b71d05b979b89b3ad9d
6bfbbb0f066a2426a8ce1f865048c84eba69def835ce709c95abd516fddc39c9

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e669a8cce021c5be1d0db3b19c7e164c51083609cdb495c20035ec735ba4ab2d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Win32_Trojan_Emotet Create hunting rule
Author:	ReversingLabs
Description:	Yara rule that detects Emotet trojan.

Rule name:	win_trickbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/66757/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample