win.emotet

Emotet

aka: Geodo, Heodo

Actor(s): MUMMY SPIDER, Mealybug

URLhaus

There is no description at this point.

References
https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/
http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/
https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html
https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers/
https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage
https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/
https://cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/
https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/
https://github.com/d00rt/emotet_research
https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html
https://www.us-cert.gov/ncas/alerts/TA18-201A
https://portswigger.net/daily-swig/emotet-trojan-implicated-in-wolverine-solutions-ransomware-attack
https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/
https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html
http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1
https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service
https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/
https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/
https://research.checkpoint.com/emotet-tricky-trojan-git-clones/
https://www.cert.pl/en/news/single/analysis-of-emotet-v4/
https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/
https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner_Emotet_greift_Unternehmensnetzwerke_an.html
https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes
https://persianov.net/emotet-malware-analysis-part-1
https://persianov.net/emotet-malware-analysis-part-2
https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol
https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/
https://paste.cryptolaemus.com
https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc
https://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/
https://www.fidelissecurity.com/threatgeek/2017/07/emotet-takes-wing-spreader
https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/
https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69
https://feodotracker.abuse.ch/?filter=version_e
https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus
https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/
https://www.blueliv.com/blog/research/where-is-emotet-latest-geolocation-data/
Yara Rules
[TLP:WHITE] win_emotet_auto (20180607 | autogenerated rule brought to you by yara-signator)
rule win_emotet_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { c1e807 41 83f87f 77f7 }
            // n = 4, score = 8000
            //   c1e807               | shr                 eax, 7
            //   41                   | inc                 ecx
            //   83f87f               | cmp                 eax, 0x7f
            //   77f7                 | ja                  0x1e72a18

        $sequence_1 = { c1e807 46 83f87f 77f7 }
            // n = 4, score = 8000
            //   c1e807               | shr                 eax, 7
            //   46                   | inc                 esi
            //   83f87f               | cmp                 eax, 0x7f
            //   77f7                 | ja                  0x1e72a00

        $sequence_2 = { b901000000 83f87f 7609 c1e807 }
            // n = 4, score = 6000
            //   b901000000           | mov                 ecx, 1
            //   83f87f               | cmp                 eax, 0x7f
            //   7609                 | jbe                 0x1e72a21
            //   c1e807               | shr                 eax, 7

        $sequence_3 = { c1e807 42 83f87f 77f7 }
            // n = 4, score = 6000
            //   c1e807               | shr                 eax, 7
            //   42                   | inc                 edx
            //   83f87f               | cmp                 eax, 0x7f
            //   77f7                 | ja                  0x1e72997

        $sequence_4 = { 83f87f 7609 c1e807 41 }
            // n = 4, score = 6000
            //   83f87f               | cmp                 eax, 0x7f
            //   7609                 | jbe                 0x1e72a21
            //   c1e807               | shr                 eax, 7
            //   41                   | inc                 ecx

        $sequence_5 = { 7907 83c107 3bf7 72e8 }
            // n = 4, score = 6000
            //   7907                 | jns                 0x1e72ab0
            //   83c107               | add                 ecx, 7
            //   3bf7                 | cmp                 esi, edi
            //   72e8                 | jb                  0x1e72a98

        $sequence_6 = { 7609 c1e807 41 83f87f }
            // n = 4, score = 6000
            //   7609                 | jbe                 0x1e72a21
            //   c1e807               | shr                 eax, 7
            //   41                   | inc                 ecx
            //   83f87f               | cmp                 eax, 0x7f

        $sequence_7 = { 7609 c1e807 41 83f87f 77f7 }
            // n = 5, score = 6000
            //   7609                 | jbe                 0x1e72a21
            //   c1e807               | shr                 eax, 7
            //   41                   | inc                 ecx
            //   83f87f               | cmp                 eax, 0x7f
            //   77f7                 | ja                  0x1e72a18

        $sequence_8 = { b901000000 83f87f 7609 c1e807 41 }
            // n = 5, score = 6000
            //   b901000000           | mov                 ecx, 1
            //   83f87f               | cmp                 eax, 0x7f
            //   7609                 | jbe                 0x1e72a21
            //   c1e807               | shr                 eax, 7
            //   41                   | inc                 ecx

        $sequence_9 = { 83f87f 7609 c1e807 41 83f87f }
            // n = 5, score = 6000
            //   83f87f               | cmp                 eax, 0x7f
            //   7609                 | jbe                 0x1e72a21
            //   c1e807               | shr                 eax, 7
            //   41                   | inc                 ecx
            //   83f87f               | cmp                 eax, 0x7f

    condition:
        7 of them
}