Emotet (Malware Family)

Emotet
aka: Geodo, Heodo
Actor(s): MUMMY SPIDER, Mealybug
URLhaus
While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.
It is always stealing information from victims but what the criminal gang behind it did, was to open up another business channel by selling their infrastructure delivering additional malicious software. From malware analysts it has been classified into epochs depending on command and control, payloads, and delivery solutions which change over time.
References
2020-03-03 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare
Yara Rules
[TLP:WHITE] win_emotet_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_emotet_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7307 e8???????? 8bc8 8b4510 }
            // n = 4, score = 3300
            //   7307                 | jae                 9
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]

        $sequence_1 = { 740f 41 6698 668902 83c202 }
            // n = 5, score = 3200
            //   740f                 | je                  0x11
            //   41                   | inc                 ecx
            //   6698                 | cbw                 
            //   668902               | mov                 word ptr [edx], ax
            //   83c202               | add                 edx, 2

        $sequence_2 = { 83c202 8a01 84c0 75ed c7022e004400 33c0 c742044c004c00 }
            // n = 7, score = 3200
            //   83c202               | add                 edx, 2
            //   8a01                 | mov                 al, byte ptr [ecx]
            //   84c0                 | test                al, al
            //   75ed                 | jne                 0xffffffef
            //   c7022e004400         | mov                 dword ptr [edx], 0x44002e
            //   33c0                 | xor                 eax, eax
            //   c742044c004c00       | mov                 dword ptr [edx + 4], 0x4c004c

        $sequence_3 = { 0fb7c0 83c020 eb03 0fb7c0 69d23f000100 }
            // n = 5, score = 3100
            //   0fb7c0               | cbw                 
            //   83c020               | mov                 word ptr [edx], ax
            //   eb03                 | add                 edx, 2
            //   0fb7c0               | mov                 word ptr [edx], ax
            //   69d23f000100         | add                 edx, 2

        $sequence_4 = { 7415 8d4dfc 51 6a00 6a01 }
            // n = 5, score = 3000
            //   7415                 | je                  0x17
            //   8d4dfc               | lea                 ecx, [ebp - 4]
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   6a01                 | push                1

        $sequence_5 = { 8bc8 e8???????? 83c40c 8b45fc }
            // n = 4, score = 3000
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        $sequence_6 = { 85c0 7511 8d85f0fdffff 50 ff15???????? 85c0 }
            // n = 6, score = 2900
            //   85c0                 | test                eax, eax
            //   7511                 | jne                 0x13
            //   8d85f0fdffff         | lea                 eax, [ebp - 0x210]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_7 = { 55 8bec 8a01 8d95f0fdffff }
            // n = 4, score = 2900
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8a01                 | mov                 al, byte ptr [ecx]
            //   8d95f0fdffff         | lea                 edx, [ebp - 0x210]

        $sequence_8 = { 6a01 8d55f8 8bc8 e8???????? }
            // n = 4, score = 2900
            //   6a01                 | push                1
            //   8d55f8               | lea                 edx, [ebp - 8]
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     

        $sequence_9 = { 8a01 8d95f0fdffff 81ec10020000 84c0 7413 3c2e 740f }
            // n = 7, score = 2900
            //   8a01                 | mov                 al, byte ptr [ecx]
            //   8d95f0fdffff         | lea                 edx, [ebp - 0x210]
            //   81ec10020000         | sub                 esp, 0x210
            //   84c0                 | test                al, al
            //   7413                 | je                  0x15
            //   3c2e                 | cmp                 al, 0x2e
            //   740f                 | je                  0x11

        $sequence_10 = { 8d5801 f6c30f 7406 83e3f0 83c310 }
            // n = 5, score = 2700
            //   8d5801               | sub                 esp, 0x210
            //   f6c30f               | test                al, al
            //   7406                 | mov                 ebp, esp
            //   83e3f0               | mov                 al, byte ptr [ecx]
            //   83c310               | lea                 edx, [ebp - 0x210]

        $sequence_11 = { 6685c0 75de 3b55fc 740f 8b3f }
            // n = 5, score = 2700
            //   6685c0               | push                ebx
            //   75de                 | push                esi
            //   3b55fc               | push                edi
            //   740f                 | cmp                 cx, 0x19
            //   8b3f                 | ja                  5

        $sequence_12 = { 6683f919 7703 83c020 69d23f000100 83c602 03d0 }
            // n = 6, score = 2700
            //   6683f919             | test                al, al
            //   7703                 | je                  0x25
            //   83c020               | push                ebp
            //   69d23f000100         | mov                 ebp, esp
            //   83c602               | push                ecx
            //   03d0                 | mov                 eax, dword ptr fs:[0x30]

        $sequence_13 = { c1e807 46 83f87f 77f7 }
            // n = 4, score = 2600
            //   c1e807               | push                ecx
            //   46                   | push                0
            //   83f87f               | push                1
            //   77f7                 | lea                 edx, [ebp - 8]

        $sequence_14 = { 0fb6c0 c1e108 03c8 c1e108 }
            // n = 4, score = 2300
            //   0fb6c0               | movzx               eax, al
            //   c1e108               | shl                 ecx, 8
            //   03c8                 | add                 ecx, eax
            //   c1e108               | shl                 ecx, 8

        $sequence_15 = { 03c8 c1e108 c1e906 8bc1 c1e906 83e03f }
            // n = 6, score = 2300
            //   03c8                 | add                 ecx, eax
            //   c1e108               | shl                 ecx, 8
            //   c1e906               | shr                 ecx, 6
            //   8bc1                 | mov                 eax, ecx
            //   c1e906               | shr                 ecx, 6
            //   83e03f               | and                 eax, 0x3f

        $sequence_16 = { 8bec ff7508 6a00 51 }
            // n = 4, score = 1600
            //   8bec                 | lea                 ecx, [ebp - 4]
            //   ff7508               | push                ecx
            //   6a00                 | push                0
            //   51                   | push                1

        $sequence_17 = { 83f87f 760d 8d642400 c1e807 }
            // n = 4, score = 1600
            //   83f87f               | ja                  0xfffffffd
            //   760d                 | shr                 eax, 7
            //   8d642400             | inc                 ecx
            //   c1e807               | cmp                 eax, 0x7f

        $sequence_18 = { c745fc04000000 50 8d45f8 81ca00000020 }
            // n = 4, score = 1500
            //   c745fc04000000       | push                0
            //   50                   | push                ecx
            //   8d45f8               | push                ebp
            //   81ca00000020         | mov                 ebp, esp

        $sequence_19 = { 8d45f8 81ca00000020 50 52 }
            // n = 4, score = 1500
            //   8d45f8               | je                  0x19
            //   81ca00000020         | lea                 ecx, [ebp - 4]
            //   50                   | mov                 ebp, esp
            //   52                   | push                dword ptr [ebp + 8]

        $sequence_20 = { 83f87f 7609 c1e807 41 83f87f 77f7 }
            // n = 6, score = 1500
            //   83f87f               | ja                  6
            //   7609                 | shr                 eax, 7
            //   c1e807               | inc                 edx
            //   41                   | cmp                 eax, 0x7f
            //   83f87f               | ja                  0xfffffffc
            //   77f7                 | cmp                 eax, 0x7f

        $sequence_21 = { 2bc6 83c003 c1e802 3bf1 }
            // n = 4, score = 1400
            //   2bc6                 | push                ecx
            //   83c003               | push                eax
            //   c1e802               | lea                 eax, [ebp - 8]
            //   3bf1                 | or                  edx, 0x20000000

        $sequence_22 = { 8b5d08 b8afa96e5e 56 57 }
            // n = 4, score = 1400
            //   8b5d08               | test                bl, 0xf
            //   b8afa96e5e           | je                  0xe
            //   56                   | and                 ebx, 0xfffffff0
            //   57                   | xor                 eax, eax

        $sequence_23 = { 33c0 5f 668906 5e 5b 8be5 }
            // n = 6, score = 1300
            //   33c0                 | cmp                 esi, ecx
            //   5f                   | cmova               eax, edi
            //   668906               | mov                 eax, ecx
            //   5e                   | sub                 eax, esi
            //   5b                   | add                 eax, 3
            //   8be5                 | shr                 eax, 2

        $sequence_24 = { 7907 83c107 3bf7 72e8 }
            // n = 4, score = 1300
            //   7907                 | cmp                 eax, 0x7f
            //   83c107               | shr                 eax, 7
            //   3bf7                 | inc                 ebx
            //   72e8                 | cmp                 eax, 0x7f

        $sequence_25 = { 83ec14 53 8b5d08 b8afa96e5e }
            // n = 4, score = 1300
            //   83ec14               | mov                 ebx, dword ptr [ebp + 8]
            //   53                   | mov                 eax, 0x5e6ea9af
            //   8b5d08               | push                esi
            //   b8afa96e5e           | sub                 esp, 0x14

        $sequence_26 = { 0fb64a01 51 0fb64a02 51 }
            // n = 4, score = 1200
            //   0fb64a01             | pop                 ebx
            //   51                   | mov                 esp, ebp
            //   0fb64a02             | mov                 word ptr [esi], ax
            //   51                   | pop                 esi

        $sequence_27 = { 3c5a 7e03 c60158 41 }
            // n = 4, score = 1200
            //   3c5a                 | movzx               ecx, byte ptr [edx + 2]
            //   7e03                 | push                ecx
            //   c60158               | push                ecx
            //   41                   | movzx               ecx, byte ptr [edx + 1]

        $sequence_28 = { 83ec48 53 56 57 6a44 }
            // n = 5, score = 1100
            //   83ec48               | cmp                 dword ptr [esi], eax
            //   53                   | pop                 edi
            //   56                   | setne               al
            //   57                   | pop                 esi
            //   6a44                 | mov                 esp, ebp

        $sequence_29 = { 8bec 83ec08 56 57 8bf1 33ff }
            // n = 6, score = 1100
            //   8bec                 | mov                 ebx, dword ptr [ebp + 8]
            //   83ec08               | mov                 eax, 0x5e6ea9af
            //   56                   | push                esi
            //   57                   | push                edi
            //   8bf1                 | sub                 esp, 0x48
            //   33ff                 | push                ebx

        $sequence_30 = { 52 52 52 52 68???????? 52 }
            // n = 6, score = 1100
            //   52                   | jbe                 0xe
            //   52                   | shr                 eax, 7
            //   52                   | inc                 ecx
            //   52                   | mov                 ecx, 1
            //   68????????           |                     
            //   52                   | cmp                 eax, 0x7f

        $sequence_31 = { 750e 6683780650 7507 668378083a }
            // n = 4, score = 1000
            //   750e                 | jne                 0x10
            //   6683780650           | cmp                 word ptr [eax + 6], 0x50
            //   7507                 | jne                 9
            //   668378083a           | cmp                 word ptr [eax + 8], 0x3a

        $sequence_32 = { 66833853 751c 668378024d 7515 }
            // n = 4, score = 1000
            //   66833853             | cmp                 word ptr [eax], 0x53
            //   751c                 | jne                 0x1e
            //   668378024d           | cmp                 word ptr [eax + 2], 0x4d
            //   7515                 | jne                 0x17

        $sequence_33 = { 668378024d 7515 6683780454 750e 6683780650 }
            // n = 5, score = 1000
            //   668378024d           | cmp                 word ptr [eax + 2], 0x4d
            //   7515                 | jne                 0x17
            //   6683780454           | cmp                 word ptr [eax + 4], 0x54
            //   750e                 | jne                 0x10
            //   6683780650           | cmp                 word ptr [eax + 6], 0x50

        $sequence_34 = { 83f87f 760c c1e807 42 83f87f 77f7 }
            // n = 6, score = 800
            //   83f87f               | push                edx
            //   760c                 | push                edx
            //   c1e807               | push                edx
            //   42                   | push                edx
            //   83f87f               | push                edx
            //   77f7                 | push                edx

        $sequence_35 = { 6a00 6aff 50 51 ff15???????? }
            // n = 5, score = 800
            //   6a00                 | jbe                 0x20
            //   6aff                 | shr                 eax, 7
            //   50                   | inc                 edx
            //   51                   | cmp                 eax, 0x7f
            //   ff15????????         |                     

        $sequence_36 = { 50 6a00 6a01 6a00 ff15???????? a3???????? }
            // n = 6, score = 800
            //   50                   | cmp                 eax, 0x7f
            //   6a00                 | jbe                 0x1a
            //   6a01                 | shr                 eax, 7
            //   6a00                 | inc                 edx
            //   ff15????????         |                     
            //   a3????????           |                     

        $sequence_37 = { 53 56 8bf1 bb00c34c84 }
            // n = 4, score = 700
            //   53                   | push                edi
            //   56                   | mov                 esi, ecx
            //   8bf1                 | xor                 edi, edi
            //   bb00c34c84           | mov                 eax, dword ptr [esi + 0x6c]

        $sequence_38 = { 57 56 ff7508 53 6a00 }
            // n = 5, score = 700
            //   57                   | sub                 esp, 0x14
            //   56                   | push                ebx
            //   ff7508               | mov                 ebx, dword ptr [ebp + 8]
            //   53                   | mov                 eax, 0x5e6ea9af
            //   6a00                 | sub                 esp, 0x14

        $sequence_39 = { 55 8bec 56 8b750c b856555555 }
            // n = 5, score = 600
            //   55                   | pop                 edi
            //   8bec                 | pop                 esi
            //   56                   | pop                 ebx
            //   8b750c               | mov                 esp, ebp
            //   b856555555           | pop                 ebp

        $sequence_40 = { 6a00 ff75fc 6800040000 6a00 6a00 }
            // n = 5, score = 600
            //   6a00                 | push                dword ptr [ebp + 8]
            //   ff75fc               | push                ebx
            //   6800040000           | push                0
            //   6a00                 | push                0xfde9
            //   6a00                 | push                0

        $sequence_41 = { 8bf1 bb00c34c84 57 33ff }
            // n = 4, score = 600
            //   8bf1                 | push                0
            //   bb00c34c84           | push                dword ptr [ebp + 8]
            //   57                   | push                ebx
            //   33ff                 | push                0

        $sequence_42 = { 83ec10 53 6a00 8d45fc }
            // n = 4, score = 600
            //   83ec10               | push                edi
            //   53                   | xor                 edi, edi
            //   6a00                 | push                0
            //   8d45fc               | push                3

        $sequence_43 = { 6a00 6a03 6a00 6a00 ff7508 }
            // n = 5, score = 600
            //   6a00                 | push                ebp
            //   6a03                 | mov                 ebp, esp
            //   6a00                 | push                esi
            //   6a00                 | mov                 esi, dword ptr [ebp + 0xc]
            //   ff7508               | mov                 eax, 0x55555556

        $sequence_44 = { 83ec08 56 68400000f0 6a18 33f6 56 }
            // n = 6, score = 600
            //   83ec08               | push                0
            //   56                   | push                dword ptr [ebp - 4]
            //   68400000f0           | push                0x400
            //   6a18                 | push                0
            //   33f6                 | push                0
            //   56                   | push                dword ptr [ebp - 4]

        $sequence_45 = { ff7514 6aff ff750c 57 }
            // n = 4, score = 600
            //   ff7514               | push                edi
            //   6aff                 | push                dword ptr [ebp - 8]
            //   ff750c               | push                ebx
            //   57                   | push                3

        $sequence_46 = { 56 56 57 ff75f8 53 }
            // n = 5, score = 600
            //   56                   | push                0
            //   56                   | push                0
            //   57                   | push                eax
            //   ff75f8               | push                0
            //   53                   | push                dword ptr [ebp - 4]

        $sequence_47 = { 50 56 6800800000 6a6a }
            // n = 4, score = 600
            //   50                   | push                esi
            //   56                   | push                0xf0000040
            //   6800800000           | push                0x18
            //   6a6a                 | xor                 esi, esi

        $sequence_48 = { 8b4d14 8b5510 8b750c 8b7d08 83fe00 8945f0 }
            // n = 6, score = 500
            //   8b4d14               | push                esi
            //   8b5510               | push                edi
            //   8b750c               | mov                 esi, ecx
            //   8b7d08               | xor                 edi, edi
            //   83fe00               | mov                 eax, dword ptr [ebp + 0x10]
            //   8945f0               | mov                 ecx, dword ptr [ebp + 0xc]

        $sequence_49 = { 31c0 8b4de0 8b513c 01d1 }
            // n = 4, score = 500
            //   31c0                 | cmp                 esi, 0
            //   8b4de0               | mov                 dword ptr [ebp - 0x10], eax
            //   8b513c               | push                edx
            //   01d1                 | add                 eax, ecx

        $sequence_50 = { 52 01c8 01d0 50 e8???????? }
            // n = 5, score = 500
            //   52                   | mov                 edx, dword ptr [ebp + 8]
            //   01c8                 | mov                 esi, 0xfffffffb
            //   01d0                 | mov                 byte ptr [eax], 0xe8
            //   50                   | sub                 esi, edx
            //   e8????????           |                     

        $sequence_51 = { 8b4130 83b8a400000006 0f92c2 80e201 0fb6c2 }
            // n = 5, score = 500
            //   8b4130               | add                 esi, ecx
            //   83b8a400000006       | mov                 ecx, dword ptr [ebp + 0x14]
            //   0f92c2               | mov                 edx, dword ptr [ebp + 0x10]
            //   80e201               | mov                 esi, dword ptr [ebp + 0xc]
            //   0fb6c2               | mov                 edi, dword ptr [ebp + 8]

        $sequence_52 = { 8b4510 8b4d0c 8b5508 befbffffff c600e8 29d6 01ce }
            // n = 7, score = 500
            //   8b4510               | push                esi
            //   8b4d0c               | push                edi
            //   8b5508               | mov                 esi, ecx
            //   befbffffff           | xor                 edi, edi
            //   c600e8               | push                ebp
            //   29d6                 | mov                 ebp, esp
            //   01ce                 | sub                 esp, 8

        $sequence_53 = { 889828020000 88982d030000 c7401801000000 88581c 88981c010000 }
            // n = 5, score = 400
            //   889828020000         | dec                 eax
            //   88982d030000         | sub                 esp, 0x248
            //   c7401801000000       | je                  0x14
            //   88581c               | dec                 eax
            //   88981c010000         | mov                 edx, eax

        $sequence_54 = { 80fa7b 7c08 80fa7e 7f08 }
            // n = 4, score = 400
            //   80fa7b               | mov                 byte ptr [eax + 0x228], bl
            //   7c08                 | mov                 byte ptr [eax + 0x32d], bl
            //   80fa7e               | mov                 dword ptr [eax + 0x18], 1
            //   7f08                 | mov                 byte ptr [eax + 0x1c], bl

        $sequence_55 = { 7424 899824020000 889828020000 88982d030000 }
            // n = 4, score = 400
            //   7424                 | mov                 byte ptr [eax + 0x1c], bl
            //   899824020000         | mov                 byte ptr [eax + 0x11c], bl
            //   889828020000         | je                  0x26
            //   88982d030000         | mov                 dword ptr [eax + 0x224], ebx

        $sequence_56 = { 4881ec48020000 e8???????? e8???????? e8???????? e8???????? ff15???????? }
            // n = 6, score = 300
            //   4881ec48020000       | ja                  5
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   ff15????????         |                     

        $sequence_57 = { 410fb600 84c0 75e9 898c2450020000 }
            // n = 4, score = 300
            //   410fb600             | cmp                 word ptr [eax + 4], 0x54
            //   84c0                 | jne                 0x2c
            //   75e9                 | cmp                 word ptr [eax + 2], 0x4d
            //   898c2450020000       | jne                 0x1c

        $sequence_58 = { 4c8b4a10 448b4208 33d2 ff5028 85c0 7855 }
            // n = 6, score = 300
            //   4c8b4a10             | cmp                 word ptr [eax + 6], 0x50
            //   448b4208             | jne                 0x15
            //   33d2                 | cmp                 word ptr [eax + 8], 0x3a
            //   ff5028               | jne                 0x1e
            //   85c0                 | cmp                 word ptr [eax + 2], 0x4d
            //   7855                 | jne                 0x1e

        $sequence_59 = { 7703 83c020 0fb74a02 4883c202 }
            // n = 4, score = 300
            //   7703                 | dec                 ebp
            //   83c020               | add                 esp, esi
            //   0fb74a02             | dec                 ebp
            //   4883c202             | add                 ebp, esi

        $sequence_60 = { 448b6f1c 4d03ce 4d03e6 4d03ee }
            // n = 4, score = 300
            //   448b6f1c             | inc                 esp
            //   4d03ce               | mov                 ebp, dword ptr [edi + 0x1c]
            //   4d03e6               | dec                 ebp
            //   4d03ee               | add                 ecx, esi

        $sequence_61 = { 668945f0 8d45e0 50 e8???????? }
            // n = 4, score = 300
            //   668945f0             | mov                 byte ptr [eax + 0x11c], bl
            //   8d45e0               | je                  0x26
            //   50                   | mov                 dword ptr [eax + 0x224], ebx
            //   e8????????           |                     

        $sequence_62 = { 8b7020 8b7840 89c3 83c33c }
            // n = 4, score = 300
            //   8b7020               | ret                 
            //   8b7840               | inc                 esp
            //   89c3                 | mov                 dword ptr [esp + 0x18], eax
            //   83c33c               | dec                 eax

        $sequence_63 = { 31f6 89720c 897208 897204 }
            // n = 4, score = 200
            //   31f6                 | mov                 ecx, dword ptr [esp + 0x60]
            //   89720c               | inc                 ecx
            //   897208               | sub                 edx, ecx
            //   897204               | inc                 esp

        $sequence_64 = { 53 e8???????? 59 59 eb71 39bbe0010000 7569 }
            // n = 7, score = 200
            //   53                   | push                eax
            //   e8????????           |                     
            //   59                   | mov                 dword ptr [ebp - 0x1494], 0x449f4c
            //   59                   | add                 esp, 0xc
            //   eb71                 | mov                 byte ptr [edi + 0x67], 1
            //   39bbe0010000         | push                dword ptr [eax + 0x24]
            //   7569                 | call                dword ptr [ecx + 0x24]

        $sequence_65 = { 31c9 89e2 31f6 89720c }
            // n = 4, score = 200
            //   31c9                 | cwde                
            //   89e2                 | cmp                 byte ptr [esp + eax + 0x1f], 0x5c
            //   31f6                 | je                  0x18
            //   89720c               | dec                 eax

        $sequence_66 = { 59 ff7514 8d440002 50 }
            // n = 4, score = 200
            //   59                   | push                ebx
            //   ff7514               | push                esi
            //   8d440002             | mov                 esi, eax
            //   50                   | pop                 ebx

        $sequence_67 = { 4c8b8380000000 418bd5 498bcf 41ff13 488b8b88000000 }
            // n = 5, score = 200
            //   4c8b8380000000       | mov                 dword ptr [eax + 0x18], 1
            //   418bd5               | mov                 byte ptr [eax + 0x1c], bl
            //   498bcf               | je                  0x26
            //   41ff13               | mov                 dword ptr [eax + 0x224], ebx
            //   488b8b88000000       | mov                 byte ptr [eax + 0x228], bl

        $sequence_68 = { e8???????? 59 8d85e8efffff 50 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   59                   | movsx               eax, al
            //   8d85e8efffff         | dec                 ecx
            //   50                   | inc                 eax

        $sequence_69 = { 68???????? ff36 894620 ffd7 68???????? }
            // n = 5, score = 200
            //   68????????           |                     
            //   ff36                 | mov                 byte ptr [eax + 0x228], bl
            //   894620               | mov                 byte ptr [eax + 0x32d], bl
            //   ffd7                 | cmp                 dl, 0x7b
            //   68????????           |                     

        $sequence_70 = { 8bec 83ec28 53 56 8bf0 e8???????? }
            // n = 6, score = 200
            //   8bec                 | jl                  0xd
            //   83ec28               | cmp                 dl, 0x7e
            //   53                   | jg                  0xd
            //   56                   | mov                 word ptr [ebp - 0x10], ax
            //   8bf0                 | lea                 eax, [ebp - 0x20]
            //   e8????????           |                     

        $sequence_71 = { 488bc8 ff15???????? 488bc8 ff15???????? e9???????? 803d????????00 }
            // n = 6, score = 200
            //   488bc8               | dec                 ecx
            //   ff15????????         |                     
            //   488bc8               | mov                 ecx, edi
            //   ff15????????         |                     
            //   e9????????           |                     
            //   803d????????00       |                     

        $sequence_72 = { e8???????? 85c0 0f84ea020000 6a00 6a00 eb14 8b7dfc }
            // n = 7, score = 200
            //   e8????????           |                     
            //   85c0                 | lea                 eax, [ebp - 0x1018]
            //   0f84ea020000         | push                eax
            //   6a00                 | mov                 ebx, edx
            //   6a00                 | shr                 ebx, 0xa
            //   eb14                 | and                 ebx, eax
            //   8b7dfc               | xor                 edi, dword ptr [ebx*4 + 0x449930]

        $sequence_73 = { 59 8b45fc 81b8c000000051274400 7506 8b98c4000000 }
            // n = 5, score = 200
            //   59                   | mov                 dword ptr [esp + 0x1c], eax
            //   8b45fc               | mov                 eax, dword ptr [esp + 0xc]
            //   81b8c000000051274400     | mov    eax, dword ptr [eax + 0xc]
            //   7506                 | mov                 eax, dword ptr [eax]
            //   8b98c4000000         | pop                 ecx

        $sequence_74 = { 6a00 50 c7856cebffff4c9f4400 e8???????? 83c40c }
            // n = 5, score = 200
            //   6a00                 | push                dword ptr [ebx + 8]
            //   50                   | lea                 edi, [esp + 0x48]
            //   c7856cebffff4c9f4400     | push    esi
            //   e8????????           |                     
            //   83c40c               | push                dword ptr [ebp + 0x10]

        $sequence_75 = { 488b5c2450 4883c440 5f c3 4489442418 }
            // n = 5, score = 200
            //   488b5c2450           | mov                 byte ptr [eax + 0x32d], bl
            //   4883c440             | mov                 dword ptr [eax + 0x18], 1
            //   5f                   | mov                 byte ptr [eax + 0x32d], bl
            //   c3                   | mov                 dword ptr [eax + 0x18], 1
            //   4489442418           | mov                 byte ptr [eax + 0x1c], bl

        $sequence_76 = { 488d15217f0000 488d0dcac50000 e8???????? 488b15???????? 8d4b04 }
            // n = 5, score = 200
            //   488d15217f0000       | inc                 ecx
            //   488d0dcac50000       | call                dword ptr [ebx]
            //   e8????????           |                     
            //   488b15????????       |                     
            //   8d4b04               | dec                 eax

        $sequence_77 = { 4898 807c041f5c 7411 488d158a140100 488d4c2420 e8???????? }
            // n = 6, score = 200
            //   4898                 | mov                 byte ptr [eax + 0x11c], bl
            //   807c041f5c           | dec                 esp
            //   7411                 | mov                 eax, dword ptr [ebx + 0x80]
            //   488d158a140100       | inc                 ecx
            //   488d4c2420           | mov                 edx, ebp
            //   e8????????           |                     

        $sequence_78 = { 5b 7615 80b405fcfdffff5c 80b405fcfeffff36 40 3bc7 }
            // n = 6, score = 200
            //   5b                   | push                eax
            //   7615                 | push                dword ptr [esi]
            //   80b405fcfdffff5c     | mov                 dword ptr [esi + 0x20], eax
            //   80b405fcfeffff36     | call                edi
            //   40                   | mov                 ebp, esp
            //   3bc7                 | sub                 esp, 0x28

        $sequence_79 = { e8???????? ff7308 8d7c2448 56 e8???????? ff7510 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   ff7308               | pop                 ecx
            //   8d7c2448             | mov                 eax, dword ptr [ebp - 4]
            //   56                   | cmp                 dword ptr [eax + 0xc0], 0x442751
            //   e8????????           |                     
            //   ff7510               | jne                 0x12

        $sequence_80 = { e8???????? e9???????? 6683a57cf7ffff00 56 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   e9????????           |                     
            //   6683a57cf7ffff00     | mov                 esi, dword ptr [ecx + 0x24]
            //   56                   | push                0

        $sequence_81 = { 8bda c1eb0a 23d8 333c9d30994400 }
            // n = 4, score = 200
            //   8bda                 | dec                 eax
            //   c1eb0a               | add                 edx, 2
            //   23d8                 | mov                 word ptr [edx - 2], ax
            //   333c9d30994400       | mov                 edi, dword ptr [ebp + 0x10]

        $sequence_82 = { 8b4d10 8b550c 8b4508 51 52 50 8d4df8 }
            // n = 7, score = 100
            //   8b4d10               | add                 edx, edx
            //   8b550c               | add                 edx, edx
            //   8b4508               | add                 edx, edx
            //   51                   | sub                 eax, edx
            //   52                   | sub                 eax, ecx
            //   50                   | cmp                 dx, di
            //   8d4df8               | jne                 0xb

        $sequence_83 = { 899c24b8000000 8b5f68 899c24bc000000 8b5f64 899c24c0000000 89b424c4000000 893c24 }
            // n = 7, score = 100
            //   899c24b8000000       | xor                 ecx, ecx
            //   8b5f68               | mov                 edx, esp
            //   899c24bc000000       | xor                 esi, esi
            //   8b5f64               | mov                 dword ptr [edx + 0xc], esi
            //   899c24c0000000       | xor                 ecx, ecx
            //   89b424c4000000       | mov                 edx, esp
            //   893c24               | xor                 esi, esi

        $sequence_84 = { f20f5cd0 f20f10442470 8b54246c 89442468 f20f11542460 f20f11442458 }
            // n = 6, score = 100
            //   f20f5cd0             | mov                 dword ptr [edx + 0xc], esi
            //   f20f10442470         | mov                 dword ptr [edx + 8], esi
            //   8b54246c             | mov                 dword ptr [edx + 4], esi
            //   89442468             | mov                 dword ptr [esp + 0xb8], ebx
            //   f20f11542460         | mov                 ebx, dword ptr [edi + 0x68]
            //   f20f11442458         | mov                 dword ptr [esp + 0xbc], ebx

        $sequence_85 = { 663bd7 7506 8b783c 897df8 bf64860000 663bd7 }
            // n = 6, score = 100
            //   663bd7               | mov                 edx, 8
            //   7506                 | dec                 esp
            //   8b783c               | lea                 ecx, [esp + 0x60]
            //   897df8               | dec                 eax
            //   bf64860000           | lea                 edx, [eax + eax*4]
            //   663bd7               | mov                 eax, dword ptr [ecx + 0x14]

        $sequence_86 = { 56 57 68???????? c74508ffffffff e8???????? }
            // n = 5, score = 100
            //   56                   | push                ecx
            //   57                   | push                0
            //   68????????           |                     
            //   c74508ffffffff       | push                0
            //   e8????????           |                     

        $sequence_87 = { 8b4c247c 660f6ed1 660febd1 f20f5cd0 f20f10442470 8b54246c }
            // n = 6, score = 100
            //   8b4c247c             | mov                 edx, esp
            //   660f6ed1             | xor                 esi, esi
            //   660febd1             | mov                 dword ptr [edx + 0xc], esi
            //   f20f5cd0             | mov                 dword ptr [edx + 8], esi
            //   f20f10442470         | xor                 esi, esi
            //   8b54246c             | mov                 dword ptr [edx + 0xc], esi

        $sequence_88 = { 33db 41 8bf8 48 8bf2 4c 8bd1 }
            // n = 7, score = 100
            //   33db                 | mov                 eax, dword ptr [ebp - 4]
            //   41                   | test                eax, eax
            //   8bf8                 | je                  0x19
            //   48                   | lea                 ecx, [ebp - 4]
            //   8bf2                 | push                esi
            //   4c                   | push                edi
            //   8bd1                 | mov                 dword ptr [ebp + 8], 0xffffffff

        $sequence_89 = { 8bec 83ec08 56 8d45f8 50 e8???????? }
            // n = 6, score = 100
            //   8bec                 | push                8
            //   83ec08               | push                4
            //   56                   | push                esi
            //   8d45f8               | test                eax, eax
            //   50                   | xor                 ebx, ebx
            //   e8????????           |                     

        $sequence_90 = { 3de6030000 7550 ba08000000 4c 8d4c2460 48 }
            // n = 6, score = 100
            //   3de6030000           | inc                 ecx
            //   7550                 | mov                 edi, eax
            //   ba08000000           | dec                 eax
            //   4c                   | mov                 esi, edx
            //   8d4c2460             | dec                 esp
            //   48                   | mov                 edx, ecx

        $sequence_91 = { 8d9424ac000000 31f6 8b7c2464 8b1f 8bac2484000000 }
            // n = 5, score = 100
            //   8d9424ac000000       | mov                 dword ptr [edx + 8], esi
            //   31f6                 | mov                 dword ptr [edx + 4], esi
            //   8b7c2464             | xor                 ecx, ecx
            //   8b1f                 | mov                 edx, esp
            //   8bac2484000000       | xor                 esi, esi

        $sequence_92 = { c7424800d00000 8b7c2418 c787cc00000000000000 c787c800000000000000 89442410 89c8 83c434 }
            // n = 7, score = 100
            //   c7424800d00000       | mov                 dword ptr [edx + 0xc], esi
            //   8b7c2418             | mov                 dword ptr [edx + 8], esi
            //   c787cc00000000000000     | mov    edx, esp
            //   c787c800000000000000     | xor    esi, esi
            //   89442410             | mov                 dword ptr [edx + 0xc], esi
            //   89c8                 | mov                 dword ptr [edx + 8], esi
            //   83c434               | mov                 dword ptr [edx + 4], esi

        $sequence_93 = { 6a08 6a04 56 ff15???????? 85c0 }
            // n = 5, score = 100
            //   6a08                 | push                1
            //   6a04                 | lea                 edx, [ebp - 8]
            //   56                   | mov                 ecx, eax
            //   ff15????????         |                     
            //   85c0                 | add                 esp, 0xc

        $sequence_94 = { 8d1480 8b4114 03d2 03d2 03d2 2bc2 2bc1 }
            // n = 7, score = 100
            //   8d1480               | mov                 ebp, esp
            //   8b4114               | sub                 esp, 8
            //   03d2                 | push                esi
            //   03d2                 | lea                 eax, [ebp - 8]
            //   03d2                 | push                eax
            //   2bc2                 | cmp                 eax, 0x3e6
            //   2bc1                 | jne                 0x57

    condition:
        7 of them and filesize < 2859008
}
Download all Yara Rules
Emotet Propose Change

References

Yara Rules

Emotet
