MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f38b9f4aa29e63c72660936a845cfac204509e778188bcd81cfd2e76141a1d23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 9

Intelligence 9 IOCs YARA 7 File information Comments

SHA256 hash:	f38b9f4aa29e63c72660936a845cfac204509e778188bcd81cfd2e76141a1d23
SHA3-384 hash:	674e45b7dedea8a16043cb4d5d24dd6de77f48f3eb80efec23b3c558d3efaab348b1682a53fce8e408387f041e5ef5fb
SHA1 hash:	513b2942d041183f746201ff540625ae8b4595f9
MD5 hash:	e225b045d1029c5150eaef1f55b6673e
humanhash:	double-hotel-spaghetti-michigan
File name:	f38b9f4aa29e63c72660936a845cfac204509e778188bcd81cfd2e76141a1d23
Download:	download sample
Signature	Heodo Create hunting rule
File size:	335'872 bytes
First seen:	2020-11-14 18:13:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	eb2bebf329902babdbf3bb9575bf2659 (3 x Heodo)
ssdeep	6144:pfs/Wsohg6astcmGujoN0wwl0fir0yhzZ4eI1D52XIM0mvLpEN6rofW:pfs/WswilUZwsrV9OD52XIMxa6ofW
Threatray	115 similar samples on MalwareBazaar
TLSH	8E649D2272D0C977C1E325715EE68BB9A3B6FC204F72874763943B0EAE356D24636391
Reporter	seifreed
Tags:	Emotet Heodo

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Dropper.Emotet-7534606-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a service

Launching a service

Creating a file

Creating a file in the Windows subdirectories

Adding an access-denied ACE

Moving of the original file

Enabling autorun for a service

Connection attempt to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f38b9f4aa29e63c72660936a845cfac204509e778188bcd81cfd2e76141a1d23/

Threat name:

Win32.Trojan.Emotet

Status:

Malicious

First seen:

2020-11-14 18:16:44 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6ofz6svctzr4ojtasnviixh2yicfbhtxqgelzwa47uxhmfa2durq._file

Verdict:

malicious

Label(s):

emotet

Result

Malware family:

emotet

Score:

10/10

Tags:

family:emotet botnet:epoch3 banker trojan

Link:

https://tria.ge/reports/201114-4qge4my9j2/

Behaviour

Modifies data under HKEY_USERS

Suspicious behavior: EmotetMutantsSpam

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in System32 directory

Emotet

Malware Config

C2 Extraction:

41.215.79.182:80
70.45.30.28:80
183.91.3.63:80
143.95.101.72:8080
91.205.173.150:8080
198.57.217.170:7080
192.163.221.191:7080
106.248.79.174:80
192.210.217.94:8080
42.51.192.231:8080
82.146.55.23:7080
158.69.167.246:8080
37.46.129.215:8080
124.150.175.133:80
66.229.161.86:443
41.77.74.214:443
91.117.131.122:80
114.179.127.48:80
82.79.244.92:80
91.117.31.181:80
95.216.212.157:8080
88.248.140.80:80
95.216.207.86:7080
75.86.6.174:80
193.33.38.208:443
182.176.116.139:995
1.221.254.82:80
201.137.247.222:443
198.199.112.197:8080
217.12.70.226:80
41.185.29.128:8080
37.59.24.25:8080
78.210.132.35:80
124.150.175.129:8080
203.124.57.50:80
110.2.118.164:80
157.7.164.178:8081
95.130.37.244:443
105.209.235.113:8080
37.210.208.141:80
187.72.47.161:443
183.82.123.60:443
176.58.93.123:80
23.253.207.142:8080
139.59.12.63:8080
160.119.153.20:80
122.116.104.238:7080
175.127.140.68:80
197.94.32.129:8080
190.17.94.108:443
185.192.75.240:443
212.129.14.27:8080
80.211.32.88:8080
110.142.161.90:80
82.165.15.188:8080
46.32.229.152:8080
210.224.65.117:80
182.187.137.199:8080
95.9.217.200:8080
78.186.102.195:80
69.30.205.162:7080
186.84.173.136:8080
211.42.204.154:80
50.116.78.109:8080
58.185.224.18:80
72.27.212.209:8080
50.63.13.135:8080
85.109.190.235:443
189.225.211.171:443
200.41.121.69:443
196.6.119.137:80
201.183.251.100:80
190.171.153.139:80
185.207.57.205:443
112.68.254.127:80
88.247.26.78:80
156.155.163.232:80
192.241.220.183:8080
94.203.236.122:80
89.215.225.15:80
180.33.6.136:443
138.197.140.163:8080
216.75.37.196:8080
181.53.29.136:8080
190.93.210.113:80
67.254.196.78:443
113.52.135.33:7080
179.5.118.12:8080
200.45.187.90:80
83.156.88.159:80
191.100.24.201:50000
210.171.146.118:80
210.111.160.220:80
188.251.213.180:443
177.144.130.105:443
46.17.6.116:8080
14.161.30.33:443
181.196.27.123:80
200.82.88.254:80
185.244.167.25:443
78.189.165.52:8080
112.186.195.176:80
125.209.114.180:443
91.83.93.103:443
190.201.144.85:7080
183.87.40.21:8080
181.167.35.84:80
91.73.169.210:80
37.70.131.107:80
190.5.162.204:80
162.144.46.90:8080
144.139.91.187:80
212.112.113.235:80
69.14.208.221:80
98.15.140.226:80
220.78.29.88:80
142.93.87.198:8080
195.201.56.70:8080
85.100.122.211:80
98.178.241.106:80
192.241.241.221:443
72.51.153.27:80
1.217.126.11:443
5.178.245.100:80
87.9.181.247:80
78.189.60.109:443
88.249.181.198:443

Unpacked files

SH256 hash:

f38b9f4aa29e63c72660936a845cfac204509e778188bcd81cfd2e76141a1d23

MD5 hash:

e225b045d1029c5150eaef1f55b6673e

SHA1 hash:

513b2942d041183f746201ff540625ae8b4595f9

Link:

https://www.unpac.me/results/03bbe762-5577-40f3-ba35-9335f88b0f49/

SH256 hash:

fcfcdd2cbaf5f2e01b9eeef522a40788db147a8c9f85b2036676123dad2f8dc1

MD5 hash:

59dd35773597b5dbb6f665e1dc3d835a

SHA1 hash:

7e9338378dca00ea8640e5dbbe1bc0769dea9c6b

Detections:

win_emotet_a2

win_emotet_auto

Link:

https://www.unpac.me/results/03bbe762-5577-40f3-ba35-9335f88b0f49/

Parent samples :

23c3801cf2ec1ff37adf23a40bd509e9a0e15c257733c1e0274c32ce63c79d9a
f38b9f4aa29e63c72660936a845cfac204509e778188bcd81cfd2e76141a1d23

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trickbot

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f38b9f4aa29e63c72660936a845cfac204509e778188bcd81cfd2e76141a1d23

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	Emotet Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Emotet in memory
Reference:	internal research

Rule name:	IceID_Bank_trojan Create hunting rule
Author:	unixfreaxjp
Description:	Detects IcedID..adjusted several times

Rule name:	MALW_emotet Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect unpacked Emotet

Rule name:	MAL_Emotet_Jan20_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Emotet malware
Reference:	https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/

Rule name:	Win32_Trojan_Emotet Create hunting rule
Author:	ReversingLabs
Description:	Yara rule that detects Emotet trojan.

Rule name:	win_emotet_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample