MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fdc0245a18ce0dabe29c6ae596c7ca4144778923f71712f27c0f53b4114c2b1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Emotet (aka Heodo)

Vendor detections: 18

Intelligence 18 IOCs YARA 4 File information Comments

SHA256 hash:	fdc0245a18ce0dabe29c6ae596c7ca4144778923f71712f27c0f53b4114c2b1a
SHA3-384 hash:	1f028bf8df075ae9d85a21302efb025ce879ca3ee968382df7e9d05fc2ac25f6fc2c71438d5ccbd1808fe1c885efd9f4
SHA1 hash:	7f51b30226520b2e6865ed808bc1d01dd64d78cc
MD5 hash:	406ac12181bdbb42a750ef38545afe02
humanhash:	diet-comet-network-wisconsin
File name:	ExeFile (286).exe
Download:	download sample
Signature	Heodo Create hunting rule
File size:	860'672 bytes
First seen:	2024-08-20 14:12:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	195dab9a91ce851036d6dd209691ccd0 (58 x Heodo)
ssdeep	12288:whFdbbWYbWeVqXIl0tx8uX7pKgR0vT+LyYuOu7qy36DINoKOfc3O:ijbWY/yLLwrT+LyYKmIdOfc
Threatray	1'373 similar samples on MalwareBazaar
TLSH	T113057B2236C1C073C1B23171461AE77466AAF9329F795ACBABD51B3D5F385C24A3870E
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter	byMattii1234
Tags:	Emotet Heodo

Intelligence

File Origin

# of uploads :

# of downloads :

179

Origin country :

Vendor Threat Intelligence

Malware family:

emotet

ID:

File name:

ExeFile (286).exe

Verdict:

Malicious activity

Analysis date:

2024-08-20 15:00:01 UTC

Tags:

emotet

Link:

https://app.any.run/tasks/ad07fe7f-73f7-4269-abef-d535a2513b0b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Trojan.Emotet-9781713-0

Win.Trojan.Emotet-9781719-0

Win.Packed.Emotet-9782622-0

Win.Trojan.Emotet-9782694-0

Win.Trojan.Emotet-9782703-0

Win.Trojan.Emotet-9782724-0

Win.Packed.Emotet-9782945-0

Win.Packed.Emotet-9782633-0

Win.Trojan.Generickdz-9786334-0

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66c4a479b2a4681a72966183

Tags:

Execution Generic Infostealer Network Other Stealth Trojan Emotet

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

emotet epmicrosoft_visual_cc fingerprint keylogger microsoft_visual_cc

Link:

https://www.filescan.io/uploads/66c4a4729498a0e255aff7bc/reports/89411f7e-7ede-48e6-9484-3ab1b7059cc8/overview

Verdict:

Malicious

Labled as:

Trojan.Emotet

Link:

https://www.hybrid-analysis.com/sample/fdc0245a18ce0dabe29c6ae596c7ca4144778923f71712f27c0f53b4114c2b1a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Emotet

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cc27c7bc-48e5-4e54-8a1c-14b2a3ebfc0e

Result

Threat name:

Emotet

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1495815

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Drops executables to the windows directory (C:\Windows) and starts them

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Emotet

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/fdc0245a18ce0dabe29c6ae596c7ca4144778923f71712f27c0f53b4114c2b1a

Detection:

emotet

Link:

https://mwdb.cert.pl/sample/fdc0245a18ce0dabe29c6ae596c7ca4144778923f71712f27c0f53b4114c2b1a/

Threat name:

Win32.Trojan.Emotet

Status:

Malicious

First seen:

2020-10-22 22:46:41 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

33 of 38 (86.84%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7xaciwqyzyg2xyu4nlsznr6kifchpcjd64lrf4t4b5j3iekmfmna._file

Verdict:

malicious

Label(s):

emotet

Result

Malware family:

emotet

Score:

10/10

Tags:

family:emotet botnet:epoch1 banker discovery trojan

Link:

https://tria.ge/reports/240820-rh5jtszelp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

System Location Discovery: System Language Discovery

Emotet payload

Emotet

Malware Config

C2 Extraction:

197.245.25.228:80
98.103.204.12:443
59.148.253.194:8080
173.212.197.71:8080
87.106.46.107:8080
50.28.51.143:8080
177.73.0.98:443
213.197.182.158:8080
185.94.252.12:80
189.223.16.99:80
5.189.178.202:8080
186.103.141.250:443
181.129.96.162:8080
190.101.156.139:80
46.105.114.137:8080
51.15.7.145:80
98.13.75.196:80
202.134.4.210:7080
104.131.41.185:8080
181.123.6.86:80
60.93.23.51:80
201.71.228.86:80
128.92.203.42:80
174.118.202.24:443
2.45.176.233:80
181.30.61.163:443
70.32.84.74:8080
177.144.130.105:443
181.56.32.36:80
81.215.230.173:443
82.76.111.249:443
64.201.88.132:80
103.236.179.162:80
76.121.199.225:80
137.74.106.111:7080
152.169.22.67:80
178.250.54.208:8080
170.81.48.2:80
138.97.60.141:7080
1.226.84.243:8080
70.169.17.134:80
85.214.26.7:8080
192.232.229.54:7080
181.61.182.143:80
74.58.215.226:80
192.241.143.52:8080
209.236.123.42:8080
217.13.106.14:8080
201.213.177.139:80
45.46.37.97:80
74.135.120.91:80
190.190.219.184:80
51.75.33.127:80
62.84.75.50:80
213.52.74.198:80
37.179.145.105:80
189.2.177.210:443
68.183.170.114:8080
45.33.77.42:8080
177.129.17.170:443
185.94.252.27:443
186.189.249.2:80
77.78.196.173:443
191.97.154.2:80
190.24.243.186:80
94.176.234.118:443
68.183.190.199:8080
5.89.33.136:80
191.182.6.118:80
46.101.58.37:8080
77.238.212.227:80
12.162.84.2:8080
37.183.81.217:80
173.68.199.157:80
37.187.161.206:8080
149.202.72.142:7080
219.92.13.25:80
109.190.249.106:80
172.86.186.21:8080
109.190.35.249:80
70.32.115.157:8080
185.183.16.47:80
186.70.127.199:8090
24.232.228.233:80
175.143.12.123:8080
178.211.45.66:8080
51.255.165.160:8080
46.43.2.95:8080
181.58.181.9:80
190.188.245.242:80
177.23.7.151:80
212.71.237.140:8080
83.169.21.32:7080
200.59.6.174:80
190.115.18.139:8080
2.85.9.41:8080
188.135.15.49:80
172.104.169.32:8080
51.15.7.189:80
111.67.12.221:8080
5.196.35.138:7080
12.163.208.58:80
188.251.213.180:80
177.144.130.105:8080
138.97.60.140:8080
188.157.101.114:80
216.47.196.104:80
183.176.82.231:80
79.118.74.90:80

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/6763ff62-431f-4017-89ff-9052112ab42c

Unpacked files

SH256 hash:

d231ab06ebfe63f1f39c16675ab8ee9a8d48bd97afcbf147a787f07b7141131a

MD5 hash:

d1b1134d96e7f9729659d6b73c9eaae4

SHA1 hash:

cf72eb987ce045d4d18242d5439a91a42eeae0f5

Detections:

win_emotet_auto

win_grimagent_auto

win_emotet_a2

Win32_Trojan_Emotet

Link:

https://www.unpac.me/results/c9db6625-15c0-4adc-8a22-5029fb8f86be/

Parent samples :

60a7dd04a462a1ad0d83b02622336f35653fe6b6ab15880b392a8c99c8f3b69b
b382c5f8c985f191c251e9b7757178f16e2a68debb9bbc590bd8218ccae74a72
8f91a169f948eaefb5f6f1f725f38e785a33367e15f2e228bc7fbeb01ca757d1
8abd6b01f43d12b81d2a255d72788d2f82f5d95ed94a47202287e1be9208b1ee
8ecee971458289dd6e0e0678540ddfaebeb587f9554748a203b908b97fdbb586
471d2518a4e3d95a5cc799d0704a28e3ab32a4346cbe1b138181113d94cf6ea3
32bdfeaffa35e8c3dd51c521df7a61fee24e21411e5c2912f7ad9d71a8978385
afcef5632a777f1c3edc8dd3f8867e18831f6efbd12255b61e659bf2b1d809c1
3e84ca57eef056d9ee1a0ef3bb9fd1dc8895698845817e5b5ebcbfc4b705ac05
245d875ff1e2d2416c336a5231d937a93cf721d58996f9c164268e757c5d5509
fdc0245a18ce0dabe29c6ae596c7ca4144778923f71712f27c0f53b4114c2b1a

SH256 hash:

1c9d11817a98ec7e35b5177982b38db5371e1806293f621e40d103053e886bcb

MD5 hash:

296e3c72ece15d69ac123176dffe1ed2

SHA1 hash:

277a57599591cf1599876439692b86dcb287883d

Detections:

win_emotet_auto

win_emotet_a2

Win32_Trojan_Emotet

Link:

https://www.unpac.me/results/c9db6625-15c0-4adc-8a22-5029fb8f86be/

Parent samples :

SH256 hash:

fdc0245a18ce0dabe29c6ae596c7ca4144778923f71712f27c0f53b4114c2b1a

MD5 hash:

406ac12181bdbb42a750ef38545afe02

SHA1 hash:

7f51b30226520b2e6865ed808bc1d01dd64d78cc

Link:

https://www.unpac.me/results/c9db6625-15c0-4adc-8a22-5029fb8f86be/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fdc0245a18ce0dabe29c6ae596c7ca4144778923f71712f27c0f53b4114c2b1a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Heodo

exe fdc0245a18ce0dabe29c6ae596c7ca4144778923f71712f27c0f53b4114c2b1a

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/724069/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
MULTIMEDIA_API	Can Play Multimedia	GDI32.dll::StretchDIBits
SHELL_API	Manipulates System Shell	SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetVolumeInformationA KERNEL32.dll::GetSystemInfo KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleA KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetConsoleCtrlHandler KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileA KERNEL32.dll::CreateDirectoryA KERNEL32.dll::CreateFileA KERNEL32.dll::DeleteFileA KERNEL32.dll::MoveFileA SHLWAPI.dll::PathRemoveFileSpecW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExA ADVAPI32.dll::RegCreateKeyA ADVAPI32.dll::RegDeleteKeyA ADVAPI32.dll::RegOpenKeyA ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegQueryValueA ADVAPI32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	USER32.dll::AppendMenuA USER32.dll::PeekMessageA USER32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample