MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3c5080c43a46f6529e6bce9c77fc70b860e70debf661e697df22982a00294de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 8


Maldoc score: 9


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3c5080c43a46f6529e6bce9c77fc70b860e70debf661e697df22982a00294de
SHA3-384 hash: fca776cd6aad863562ccba4390d0894933cbcc0ca3f50b84754502ba3e4341bba66a31bb73f30535651daf6695e94e40
SHA1 hash: 0f3b23448deba14c742c4f19bf0d2632a3a265bd
MD5 hash: 0a71d990b929b6b282d6442d6c9d5e69
humanhash: three-video-mexico-social
File name:emotet_e2_f3c5080c43a46f6529e6bce9c77fc70b860e70debf661e697df22982a00294de_2021-01-06__041842916015._doc
Download: download sample
Signature Heodo
Create hunting rule
File size:170'637 bytes
First seen:2021-01-06 04:21:16 UTC
Last seen:Never
File type:Word file docx
MIME type:application/msword
ssdeep 3072:8PU9ufstRUUKSns8T00JSHUgteMJ8qMD7ghn9AtYPo:GU9ufsfgIf0pLp9AtYA
TLSH C2F37D04123386BED65B353938D14AB97D24BFEB9449C50E331CF6D87A3925BAE0F225
Reporter Cryptolaemus1
Tags:doc Emotet epoch2 Heodo


Avatar
Cryptolaemus1
Emotet epoch2 doc

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 9
Application name is Microsoft Office Word
Office document is in OLE format
Office document contains VBA Macros
OLE dump

MalwareBazaar was able to identify 13 sections in this file using oledump:

Section IDSection sizeSection name
1146 bytesCompObj
24096 bytesDocumentSummaryInformation
3556 bytesSummaryInformation
46424 bytes1Table
599187 bytesData
6513 bytesMacros/PROJECT
7146 bytesMacros/PROJECTwm
817931 bytesMacros/VBA/A71f1shi61rzri0
91116 bytesMacros/VBA/K55gbkjma19veyf0o3
10699 bytesMacros/VBA/Qb4o19rg4sak
115199 bytesMacros/VBA/_VBA_PROJECT
12674 bytesMacros/VBA/dir
1322062 bytesWordDocument
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecDocument_openRuns when the Word or Publisher document is opened
SuspiciousCreateTextFileMay create a text file
SuspiciousCreateMay execute file or a system command through WMI
SuspiciousCreateObjectMay create an OLE object
SuspiciousBase64 StringsBase64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
1
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
emotet_e2_f3c5080c43a46f6529e6bce9c77fc70b860e70debf661e697df22982a00294de_2021-01-06__041842916015._doc
Verdict:
Malicious activity
Analysis date:
2021-01-06 04:23:48 UTC
Tags:
macros macros-on-open emotet-doc emotet generated-doc
Link:
https://app.any.run/tasks/0c51eefa-07f8-4881-a582-6e6f7ab730d3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/vnd.openxmlformats-officedocument.wordprocessingml.document
Has a screenshot:
False
Contains macros:
True
Detection(s):
TwinWave.EvilDoc.CROHeadGames.20200320.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.CROKissFromARose.M2.20201210.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.EMOThisMustBeThePlace.20201229.UNOFFICIAL
Create hunting rule

Doc.Dropper.EmotetRed1220-9816007-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a file
Deleting a recently created file
Sending an HTTP GET request
Possible injection to a system process
Creating a window
Using the Windows Management Instrumentation requests
Running batch commands
Launching a process
DNS request
Sending a TCP request to an infection source
Launching a process by exploiting the app vulnerability
Sending an HTTP GET request to an infection source
Result
Verdict:
Malicious
File Type:
Legacy Word File with Macro
Link:
https://app.docguard.net/f3c5080c43a46f6529e6bce9c77fc70b860e70debf661e697df22982a00294de/results/dashboard
Document image
Image:
Download PNG
Document image
Result
Verdict:
MALICIOUS
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Document With Few Pages
Document contains between one and three pages of content. Most malicious documents are sparse in page count.
Macro with File System Write
Detected macro logic that can write data to the file system.
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Detection:
emotet
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f3c5080c43a46f6529e6bce9c77fc70b860e70debf661e697df22982a00294de/
Threat name:
Document-Word.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2021-01-06 04:22:05 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
macro
Link:
https://tria.ge/reports/210106-ee199zbrna/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Office loads VBA resources, possible macro or embedded object present
Drops file in Windows directory
Drops file in System32 directory
Blocklisted process makes network request
Process spawned unexpected child process
Malware Config
Dropper Extraction:
https://astrologiaexistencial.com/l/4bm8/
http://www.dirgantaratuba.com/cgi-bin/PX4K/
https://unimedunihealth.com/wp-includes/E/
https://mirvalgroup.com/wp-includes/FOeYo/
https://wp.gensoukyou.org/souzinv_old/1a/
http://mail.ninosindigochile.cl/1989-gmc-oq21w/ZVTCY/
https://walkerswebshop.com/images/O7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Emotet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f3c5080c43a46f6529e6bce9c77fc70b860e70debf661e697df22982a00294de

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Heodo

Word file docx f3c5080c43a46f6529e6bce9c77fc70b860e70debf661e697df22982a00294de

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/949866/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/949493/
  
URLhaus
https://urlhaus.abuse.ch/url/949547/
  
URLhaus
https://urlhaus.abuse.ch/url/949409/
  
URLhaus
https://urlhaus.abuse.ch/url/949657/
  
URLhaus
https://urlhaus.abuse.ch/url/949407/
  
URLhaus
https://urlhaus.abuse.ch/url/949361/
  
URLhaus
https://urlhaus.abuse.ch/url/949461/
  
URLhaus
https://urlhaus.abuse.ch/url/949676/
  
URLhaus
https://urlhaus.abuse.ch/url/949536/
  
URLhaus
https://urlhaus.abuse.ch/url/949654/
  
URLhaus
https://urlhaus.abuse.ch/url/948960/
  
URLhaus
https://urlhaus.abuse.ch/url/949464/
  
URLhaus
https://urlhaus.abuse.ch/url/949818/
  
URLhaus
https://urlhaus.abuse.ch/url/949411/
  
URLhaus
https://urlhaus.abuse.ch/url/949317/
  
URLhaus
https://urlhaus.abuse.ch/url/949791/
  
URLhaus
https://urlhaus.abuse.ch/url/949562/
  
URLhaus
https://urlhaus.abuse.ch/url/949655/
  
URLhaus
https://urlhaus.abuse.ch/url/949538/
  
URLhaus
https://urlhaus.abuse.ch/url/949564/
  
URLhaus
https://urlhaus.abuse.ch/url/949476/
  
URLhaus
https://urlhaus.abuse.ch/url/949578/
  
URLhaus
https://urlhaus.abuse.ch/url/949677/
  
URLhaus
https://urlhaus.abuse.ch/url/948910/

Comments