MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f078d565f1ce7c1ba763308e818897ba32be72d4e06dc43324a5386cc9844946. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	f078d565f1ce7c1ba763308e818897ba32be72d4e06dc43324a5386cc9844946
SHA3-384 hash:	36aa661045d8db8db13ff29ee3c49cc819c88027ddcfc4358b3a821ad7a871257127e9037ff36241abcdc618a9471665
SHA1 hash:	c41c4a43da89e7a7241fc341fb35248ef6e530a8
MD5 hash:	c0a0af5119a38cc0955fa32dccd9519c
humanhash:	hydrogen-hot-friend-nebraska
File name:	N.717 CJY 16.03.2022.xlsm
Download:	download sample
Signature	Heodo Create hunting rule
File size:	33'750 bytes
First seen:	2022-04-15 14:23:33 UTC
Last seen:	Never
File type:	xlsm
MIME type:	application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep	384:wjzZPFhNjqEBOA7iEibbwBLg0SCdiVXUKgUrNU/qWhZOdBNPJM+kqr9eCgh0k5lY:wjpFhNNlizXT28dFfPdkqstJmE6/
TLSH	T11FE2C02DF2A0EE1DC21EE939446895DA421DB4558502EB4FB95CFB1D2F0A5C23B1F0DE
TrID	60.1% (.XLSX) Excel Microsoft Office Open XML Format document (34000/1/7) 30.9% (.ZIP) Open Packaging Conventions container (17500/1/4) 7.0% (.ZIP) ZIP compressed archive (4000/1) 1.7% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	notdodo
Tags:	Emotet Heodo xlsm

Intelligence

File Origin

# of uploads :

# of downloads :

646

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

N.717 CJY 16.03.2022.xlsm

Verdict:

Malicious activity

Analysis date:

2022-04-15 14:07:08 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/aff14f9e-8f68-4c67-8e71-4accfe049275

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

File type:

application/vnd.ms-excel.sheet.macroEnabled.12

Has a screenshot:

False

Contains macros:

False

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/264000/

Detection(s):

TwinWave.EvilDoc.SilentInvasion.20210310.UNOFFICIAL

TwinWave.EvilDoc.EmoVietNow.20220703.UNOFFICIAL

SecuriteInfo.com.Heur.16611.343.UNOFFICIAL

SecuriteInfo.com.Heur.10014.10723.UNOFFICIAL

TwinWave.EvilDoc.EnjoyTheSilence.M2.20210317.UNOFFICIAL

TwinWave.EvilDoc.EnjoyTheSilence.20210716.UNOFFICIAL

TwinWave.EvilDoc.EmotetEsqXL4EarlyHours.20211126.UNOFFICIAL

TwinWave.EvilDoc.EmoNotSoEmergencyMalHarder.20230315.UNOFFICIAL

TwinWave.EvilDoc.EmoNotSoEmergencyMalHarder.20220321.UNOFFICIAL

TwinWave.EvilDoc.EmotetBlueNoticePicturesOfU.XL.220316.UNOFFICIAL

Xls.Downloader.Emotet03222-9941788-0

SecuriteInfo.com.Macro.Trojan-Downloader.Agent.BDH.1284.30004.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

DNS request

Creating a file

Creating a process with a hidden window

Sending an HTTP GET request

Query of malicious DNS domain

Sending a custom TCP request by exploiting the app vulnerability

Sending an HTTP GET request to an infection source by exploiting the app vulnerability

Launching a process by exploiting the app vulnerability

Result

Verdict:

Malicious

File Type:

OOXML Excel File with Excel4Macro

Link:

https://app.docguard.net/f078d565f1ce7c1ba763308e818897ba32be72d4e06dc43324a5386cc9844946/results/dashboard

Payload URLs

URL

File name

https://casache.com/web/n3jxwXXwa/

sharedStrings.xml

Document image

Image:

Download PNG

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

emotet macros-on-open regsvr32

Link:

https://www.filescan.io/uploads/62598003ffe27d5119db44fd/reports/f5b3ef40-4c02-4e51-b8b7-1b4982d30091/overview

Label:

Malicious

Suspicious Score:

9.6/10

Score Malicious:

96%

Score Benign:

Link:

https://www.malware.ai/gui/files/?id=e2ff318c-7cac-4c59-a544-9a1646671147

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/f078d565f1ce7c1ba763308e818897ba32be72d4e06dc43324a5386cc9844946

Details

Macro Execution Coercion

Detected a document that appears to social engineer the user into activating embedded logic.

Autostarting Excel Macro Sheet

Excel contains Macrosheet logic that will trigger automatically upon document open.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f078d565f1ce7c1ba763308e818897ba32be72d4e06dc43324a5386cc9844946/

Threat name:

Document-Excel.Trojan.Emotet

Status:

Malicious

First seen:

2022-03-17 00:55:12 UTC

File Type:

Document

Extracted files:

AV detection:

27 of 42 (64.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6b4nkzprzz6bxj3dgchidcexxizl44wu4bw4imzeuu4gzsmejfda._file

Result

Malware family:

n/a

Score:

10/10

Tags:

macro xlm

Link:

https://tria.ge/reports/220415-rqphksgea5/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Process spawned unexpected child process

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.89

Link:

https://yomi.yoroi.company/submissions/f078d565f1ce7c1ba763308e818897ba32be72d4e06dc43324a5386cc9844946

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.