MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fba94d424f4d4ac25e7eec77cfcd949e0967e425365e435e4488548c70b432e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet (aka Heodo)


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fba94d424f4d4ac25e7eec77cfcd949e0967e425365e435e4488548c70b432e9
SHA3-384 hash: 494f540134d9e81fc41aa328622bbb3f22ec1ba9a4048324095d7684904d967287e9912050ca794a57a5cd323ab6d69b
SHA1 hash: 719b6a17f9f41d74cf059ff5a9515fb0e946b069
MD5 hash: 71e9ad0360c1fa01fec085497bf7803d
humanhash: sweet-princess-ten-asparagus
File name:ju44785053.exe
Download: download sample
Signature Heodo
Create hunting rule
File size:704'512 bytes
First seen:2020-07-28 07:06:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4f055c6d104f67955b2fc107928fe0dc (518 x Heodo)
ssdeep 12288:++fveUixLcAQE+SubhHBjoPkGStI4RgLSp:+3T1HQE0bJaPERH
Threatray 8'233 similar samples on MalwareBazaar
TLSH D6E47D123AC3C07ED1B352B24A5AD7B8B2B3BC714C365A471BD11B2D1E78D768E29316
Reporter JAMESWT_WT
Tags:Emotet Heodo

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Emotet
Create hunting rule
Link:
https://www.capesandbox.com/analysis/33274/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Connection attempt to an infection source
Sending an HTTP POST request to an infection source
Result
Threat name:
Emotet MailPassView
Create hunting rule
Detection:
malicious
Classification:
phis.bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/399478
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Emotet Banking Trojan found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Emotet
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 251982 Sample: ju44785053.exe Startdate: 28/07/2020 Architecture: WINDOWS Score: 100 64 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 4 other signatures 2->70 8 ju44785053.exe 6 2->8         started        11 svchost.exe 2->11         started        13 svchost.exe 4 2->13         started        15 10 other processes 2->15 process3 dnsIp4 82 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->82 18 samlib.exe 24 8->18         started        84 Changes security center settings (notifications, updates, antivirus, firewall) 11->84 23 MpCmdRun.exe 11->23         started        25 WerFault.exe 13->25         started        62 127.0.0.1 unknown unknown 15->62 signatures5 process6 dnsIp7 56 75.139.38.211, 49714, 49732, 80 CHARTER-20115US United States 18->56 58 104.236.52.89, 49728, 8080 DIGITALOCEAN-ASNUS United States 18->58 46 C:\Windows\SysWOW64\...\udhisapi709.exe, PE32 18->46 dropped 48 C:\Windows\SysWOW64\PlaySndSrv\samlibom.exe, PE32+ 18->48 dropped 50 C:\Windows\SysWOW64\PlaySndSrv\samliboe.exe, PE32+ 18->50 dropped 52 C:\Windows\...\Windows.StateRepository706.exe, PE32 18->52 dropped 72 Detected unpacking (changes PE section rights) 18->72 74 Detected unpacking (overwrites its own PE header) 18->74 76 Emotet Banking Trojan found 18->76 80 7 other signatures 18->80 27 Windows.StateRepository706.exe 18->27         started        30 udhisapi709.exe 8 18->30         started        32 samlib.exe 18->32         started        36 5 other processes 18->36 34 conhost.exe 23->34         started        78 Writes to foreign memory regions 25->78 file8 signatures9 process10 dnsIp11 86 Antivirus detection for dropped file 27->86 88 Multi AV Scanner detection for dropped file 27->88 90 Detected unpacking (changes PE section rights) 27->90 100 2 other signatures 27->100 40 Windows.StateRepository706.exe 27->40         started        92 Drops executables to the windows directory (C:\Windows) and starts them 30->92 94 Hides that the sample has been downloaded from the Internet (zone.identifier) 30->94 42 samlib.exe 30->42         started        96 Tries to steal Instant Messenger accounts or passwords 32->96 98 Tries to steal Mail credentials (via file access) 32->98 60 192.168.2.1 unknown unknown 36->60 54 C:\Users\user\AppData\Local\Temp\28D8.tmp, ASCII 36->54 dropped 44 WerFault.exe 23 9 36->44         started        file12 signatures13 process14
Detection:
emotet
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fba94d424f4d4ac25e7eec77cfcd949e0967e425365e435e4488548c70b432e9/
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2020-07-28 07:07:27 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ouu2qspjvfmext65r347tmutyewpzbfgzpegxserbkiy4fugluq._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
Similar samples:
04820003617c8e1c48eec515f6f67daef859619b4d411c90cc76d2c3dd765756
Heodo
0e5fc31b9ce01ce4454d9ff8533447e9cac61190e83e5a131453af76c84ddac7
Heodo
1bce2d0c7b345e757570256d86b1d191195759ed579f6a63c854c5a9a34d7b87
Heodo
28865de635e194108c0541473204ea70cd100a861eb2578d5567e7df923924d0
Heodo
4776a811faee1b09a88f4986cd0e435ebea12d0e9df7eab46e2ba3d5013c4a26
Heodo
4b0984a2ac55e396c0b33fceaf04d3e489bc81ad478d8c86a5382d3b5b0b2dec
Heodo
5567a43d1abf6489e1afa5c766dab72f4026d5c5f601ec7fa10e732079f0fea6
Heodo
93bf99304d4c7260996214aa977e1b6fe5661c38af360db358b187d2b2aa0ac3
Heodo
9e549b93e2fff7cf428717a2f453b933fa46e22c04345a853f881623df6b5d2a
Heodo
b19b90d5f83d8489fd111703df73ebf9b854cf21e43f11c210b71b72b20b3a10
Heodo
+ 8'223 additional samples on MalwareBazaar
Result
Malware family:
emotet
Create hunting rule
Score:
  10/10
Tags:
trojan banker family:emotet
Link:
https://tria.ge/reports/200728-vq9b5g7q46/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Drops file in System32 directory
Executes dropped EXE
Emotet Payload
Emotet
Malware Config
C2 Extraction:
75.139.38.211:80
74.207.230.187:8080
115.79.195.246:80
46.105.131.68:8080
78.189.111.208:443
50.116.78.109:8080
105.209.239.55:80
157.7.164.178:8081
143.95.101.72:8080
181.113.229.139:443
45.118.136.92:8080
87.252.100.28:80
179.5.118.12:80
211.20.154.102:80
216.75.37.196:8080
46.32.229.152:8080
74.208.173.91:8080
185.142.236.163:443
37.70.131.107:80
41.185.29.128:8080
203.153.216.178:7080
181.134.9.162:80
190.63.7.166:8080
139.59.12.63:8080
220.128.125.18:80
24.157.25.203:80
163.172.107.70:8080
140.207.113.106:443
46.49.124.53:80
192.241.220.183:8080
201.214.108.231:80
203.153.216.182:7080
37.46.129.215:8080
212.112.113.235:80
37.208.106.146:8080
87.106.231.60:8080
190.55.233.156:80
192.210.217.94:8080
190.111.215.4:8080
113.161.148.81:80
91.83.93.103:443
75.127.14.170:8080
77.74.78.80:443
212.156.133.218:80
190.164.75.175:80
187.207.207.16:80
81.214.253.80:443
181.164.110.7:80
181.167.35.84:80
192.163.221.191:8080
144.139.91.187:80
190.171.153.139:80
80.211.32.88:8080
113.160.180.109:80
51.38.201.19:7080
78.188.170.128:80
195.201.56.70:8080
178.33.167.120:8080
177.144.130.105:443
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Emotet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fba94d424f4d4ac25e7eec77cfcd949e0967e425365e435e4488548c70b432e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:MALW_emotet
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect unpacked Emotet

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/33274/

Comments