MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f86a2882452a6a3b7c33a7a5b7a7e129631dd6cef8b70412e4b7e0fb4da8e659. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f86a2882452a6a3b7c33a7a5b7a7e129631dd6cef8b70412e4b7e0fb4da8e659
SHA3-384 hash: f4f3b9c92b04d0fb2c45cad90b64090f7ec3f18f29f1a959225935862fb0cfde93e62981aea5bdc2862ead40af6080f5
SHA1 hash: 62a9d9f8c2df3232303d421fa325c5ca359a4b7a
MD5 hash: 7ae377da1d45f77d9e48442ae6a11a54
humanhash: apart-muppet-enemy-batman
File name:emotet_exe_e2_72bc148b12ec1a9e9e8bb76db4a895074421d6f54e23a0bbb2c7f8a6ba950918_2020-10-11__163239._exe
Download: download sample
Signature Heodo
Create hunting rule
File size:680'375 bytes
First seen:2020-10-11 16:32:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a2f60607f26cfefadf420695bfe549e8 (1 x Heodo)
ssdeep 6144:dHmIaNXDOloDkOBODS3YCtY8FBgWpVtm4BxwEfmlm+GnZ3NX6xNTs8:1mYoo1CfFBWqw+ml21Kg
Threatray 29 similar samples on MalwareBazaar
TLSH 2EE4AE1232D2D47AD1F723F24D25CB2C67B3FD109A35968B67E12A5D6E349818F3A312
Reporter Cryptolaemus1
Tags:Emotet epoch2 exe Heodo


Avatar
Cryptolaemus1
Emotet epoch2 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Emotet
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69842/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a service
Launching a service
Creating a file
Creating a file in the Windows subdirectories
Adding an access-denied ACE
Connection attempt
Moving of the original file
Enabling autorun for a service
Detection:
emotet
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f86a2882452a6a3b7c33a7a5b7a7e129631dd6cef8b70412e4b7e0fb4da8e659/
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2019-12-21 01:18:39 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
emotet
Create hunting rule
Similar samples:
009a744e1e9bf38a9a578be15442b25070aae17ffba3613ca1d1f629a44a4f23
Heodo
035a69580d783b6027b9d5a6f088bfcc1c296921e923a6793aae6bc972c294d6
Heodo
181a79a35af190ce05e5bac09e23d8670c247db0b55f465ff2af8c834e984ed6
Heodo
2aed441feb0d38c4c21858e907fb45a10a75f33c53158c64c67e85bab1e621c5
Heodo
60d8175e0a4a6e115ed79800717cc27bd3e8d8b88af2f81823623c1b3fead089
Heodo
92e12063000f62cec43e02f8aea606dc535b5138a27085bf80678efdb1ca1e9b
Heodo
ab5dc331127be64fb5120501c03de22a819a9ad88d8e17a8cc04e709900e4f6e
Heodo
ac2327f210643de38481941d82d7dddcdf00af04546849e465856cb8451241ee
Heodo
e3c4521c113245a96b4d4ebbfbbe894a891bdcb8e165dacc0dc29e733e37f431
Heodo
f3f0f8469aae4354a97974161df582e87dfeaccf59706e182aa9fe527aa72c47
Heodo
+ 19 additional samples on MalwareBazaar
Result
Malware family:
emotet
Create hunting rule
Score:
  10/10
Tags:
trojan banker family:emotet
Link:
https://tria.ge/reports/201011-nsjpqzbhs2/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EmotetMutantsSpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Emotet
Malware Config
C2 Extraction:
24.181.125.62:80
98.156.206.153:80
173.21.26.90:80
108.61.99.179:8080
165.227.156.155:443
159.69.89.130:8080
167.99.105.223:7080
5.196.74.210:8080
200.7.243.108:443
183.102.238.69:465
64.147.15.138:80
85.152.174.56:80
59.148.227.190:80
62.75.187.192:8080
174.77.190.137:8080
87.106.139.101:8080
173.247.19.238:80
2.38.99.79:80
178.210.51.222:8080
209.141.54.221:8080
91.242.138.5:443
190.147.215.53:22
186.67.208.78:8080
107.170.24.125:8080
81.0.63.86:8080
100.14.117.137:80
190.220.19.82:443
76.164.99.46:80
190.189.224.117:443
110.143.57.109:80
47.156.70.145:80
206.189.112.148:8080
217.160.182.191:8080
47.149.28.234:80
2.237.76.249:80
45.51.40.140:80
128.65.154.183:443
138.59.177.106:443
78.24.219.147:8080
87.230.19.21:8080
200.114.167.85:80
149.202.153.252:8080
82.27.181.93:80
173.91.11.142:80
66.25.34.20:80
190.162.159.212:80
176.106.183.253:8080
139.130.241.252:443
46.105.131.87:80
73.11.153.178:8080
210.6.85.121:80
178.237.139.83:8080
184.167.148.162:80
120.150.246.241:80
108.20.69.44:80
201.184.105.242:443
138.122.5.214:8080
182.176.132.213:8090
85.72.180.68:80
219.78.255.48:80
176.31.200.130:8080
45.33.49.124:443
174.81.132.128:80
201.251.133.92:443
104.131.11.150:8080
12.176.19.218:80
82.155.161.203:80
62.138.26.28:8080
169.239.182.217:8080
167.71.10.37:8080
47.6.15.79:443
85.67.10.190:80
192.241.255.77:8080
5.88.182.250:80
61.197.110.214:80
95.128.43.213:8080
31.172.240.91:8080
66.209.97.122:8080
188.152.7.140:80
159.65.25.128:8080
59.103.164.174:80
24.94.237.248:80
190.12.119.180:443
101.187.247.29:80
104.236.246.93:8080
5.154.58.24:80
93.147.141.5:80
31.31.77.83:443
31.177.54.196:443
75.80.148.244:80
116.48.142.21:443
186.75.241.230:80
86.98.156.239:443
120.151.135.224:80
165.228.24.197:80
206.81.10.215:8080
73.214.99.25:80
212.129.24.79:8080
104.131.44.150:8080
144.139.247.220:80
24.93.212.32:80
91.205.215.66:443
47.6.15.79:80
68.118.26.116:80
24.105.202.216:443
108.179.206.219:8080
37.59.24.177:8080
209.97.168.52:8080
91.73.197.90:80
92.222.216.44:8080
50.116.86.205:8080
218.44.21.114:80
103.86.49.11:8080
110.142.38.16:80
104.137.176.186:80
179.13.185.19:80
195.244.215.206:80
67.225.179.64:8080
178.209.71.63:8080
37.157.194.134:443
73.176.241.255:80
80.21.182.46:80
201.173.217.124:443
211.63.71.72:8080
46.216.60.138:80
1.33.230.137:80
87.106.136.232:8080
Unpacked files
SH256 hash:
f86a2882452a6a3b7c33a7a5b7a7e129631dd6cef8b70412e4b7e0fb4da8e659
MD5 hash:
7ae377da1d45f77d9e48442ae6a11a54
SHA1 hash:
62a9d9f8c2df3232303d421fa325c5ca359a4b7a
Link:
https://www.unpac.me/results/cb55584c-94b0-4903-9e1f-ba30aa286332/
SH256 hash:
21496d1abb02d961a676b7f6359fe1ca89a1bc3280b7f3845d132918304d127b
MD5 hash:
02b1013605e7f59a962ddc3c9d36f2c7
SHA1 hash:
b62e00a531e93417669a63c50c2c64ff683686f0
Detections:
win_emotet_a2
Create hunting rule
win_emotet_auto
Create hunting rule
Link:
https://www.unpac.me/results/cb55584c-94b0-4903-9e1f-ba30aa286332/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Emotet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f86a2882452a6a3b7c33a7a5b7a7e129631dd6cef8b70412e4b7e0fb4da8e659

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Emotet
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Emotet in memory
Reference:internal research
Rule name:MALW_emotet
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect unpacked Emotet
Rule name:MAL_Emotet_Jan20_1
Create hunting rule
Author:Florian Roth
Description:Detects Emotet malware
Reference:https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Rule name:Win32_Trojan_Emotet
Create hunting rule
Author:ReversingLabs
Description:Yara rule that detects Emotet trojan.
Rule name:win_emotet_a2
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:win_emotet_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Heodo

Executable exe f86a2882452a6a3b7c33a7a5b7a7e129631dd6cef8b70412e4b7e0fb4da8e659

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/69842/
  
URLhaus
https://urlhaus.abuse.ch/url/274346/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/274349/
  
URLhaus
https://urlhaus.abuse.ch/url/274350/
  
URLhaus
https://urlhaus.abuse.ch/url/274348/
  
URLhaus
https://urlhaus.abuse.ch/url/274079/
  
URLhaus
https://urlhaus.abuse.ch/url/274081/
  
URLhaus
https://urlhaus.abuse.ch/url/274082/
  
URLhaus
https://urlhaus.abuse.ch/url/274066/
  
URLhaus
https://urlhaus.abuse.ch/url/274067/
  
URLhaus
https://urlhaus.abuse.ch/url/274078/
  
URLhaus
https://urlhaus.abuse.ch/url/274064/
  
URLhaus
https://urlhaus.abuse.ch/url/274063/
  
URLhaus
https://urlhaus.abuse.ch/url/274065/
  
URLhaus
https://urlhaus.abuse.ch/url/274080/
  
URLhaus
https://urlhaus.abuse.ch/url/273750/
  
URLhaus
https://urlhaus.abuse.ch/url/273752/
  
URLhaus
https://urlhaus.abuse.ch/url/273751/
  
URLhaus
https://urlhaus.abuse.ch/url/273418/
  
URLhaus
https://urlhaus.abuse.ch/url/273230/
  
URLhaus
https://urlhaus.abuse.ch/url/273233/
  
URLhaus
https://urlhaus.abuse.ch/url/273104/
  
URLhaus
https://urlhaus.abuse.ch/url/272942/
  
URLhaus
https://urlhaus.abuse.ch/url/272591/
  
URLhaus
https://urlhaus.abuse.ch/url/272592/
  
URLhaus
https://urlhaus.abuse.ch/url/272589/
  
URLhaus
https://urlhaus.abuse.ch/url/273417/

Comments