SYMBOLCOMMON_NAMEaka. SYNONYMS
win.emotet (Back to overview)

Emotet

aka: Geodo, Heodo

Actor(s): MUMMY SPIDER, Mealybug

URLhaus                                  

While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.
It is always stealing information from victims but what the criminal gang behind it did, was to open up another business channel by selling their infrastructure delivering additional malicious software. From malware analysts it has been classified into epochs depending on command and control, payloads, and delivery solutions which change over time.

References
2020-09-11ThreatConnectThreatConnect Research Team
@online{team:20200911:research:edfb074, author = {ThreatConnect Research Team}, title = {{Research Roundup: Activity on Previously Identified APT33 Domains}}, date = {2020-09-11}, organization = {ThreatConnect}, url = {https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/}, language = {English}, urldate = {2020-09-15} } Research Roundup: Activity on Previously Identified APT33 Domains
Emotet PlugX APT33
2020-09-07CERT-FRCERT-FR
@online{certfr:20200907:bulletin:f7b2023, author = {CERT-FR}, title = {{Bulletin d'alerte du CERT-FR: Recrudescence d’activité Emotet en France}}, date = {2020-09-07}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-019/}, language = {English}, urldate = {2020-09-15} } Bulletin d'alerte du CERT-FR: Recrudescence d’activité Emotet en France
Emotet
2020-09-07CERT NZCERT NZ
@online{nz:20200907:emotet:e7965c2, author = {CERT NZ}, title = {{Emotet Malware being spread via email}}, date = {2020-09-07}, organization = {CERT NZ}, url = {https://www.cert.govt.nz/it-specialists/advisories/emotet-malware-being-spread-via-email/}, language = {English}, urldate = {2020-09-15} } Emotet Malware being spread via email
Emotet
2020-08-28ProofpointAxel F, Proofpoint Threat Research Team
@online{f:20200828:comprehensive:df5ff9b, author = {Axel F and Proofpoint Threat Research Team}, title = {{A Comprehensive Look at Emotet’s Summer 2020 Return}}, date = {2020-08-28}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return}, language = {English}, urldate = {2020-08-30} } A Comprehensive Look at Emotet’s Summer 2020 Return
Emotet MUMMY SPIDER
2020-08-24HornetsecuritySecurity Lab
@online{lab:20200824:emotet:252c8de, author = {Security Lab}, title = {{Emotet Update increases Downloads}}, date = {2020-08-24}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/emotet-update-increases-downloads/}, language = {English}, urldate = {2020-08-30} } Emotet Update increases Downloads
Emotet
2020-08-14Binary DefenseJames Quinn
@online{quinn:20200814:emocrash:4f12855, author = {James Quinn}, title = {{EmoCrash: Exploiting a Vulnerability in Emotet Malware for Defense}}, date = {2020-08-14}, organization = {Binary Defense}, url = {https://www.binarydefense.com/emocrash-exploiting-a-vulnerability-in-emotet-malware-for-defense/}, language = {English}, urldate = {2020-08-19} } EmoCrash: Exploiting a Vulnerability in Emotet Malware for Defense
Emotet
2020-08-05Github (mauronz)Francesco Muroni
@online{muroni:20200805:emotet:0fe027e, author = {Francesco Muroni}, title = {{Emotet API+string deobfuscator (v0.1)}}, date = {2020-08-05}, organization = {Github (mauronz)}, url = {https://github.com/mauronz/binja-emotet}, language = {English}, urldate = {2020-08-18} } Emotet API+string deobfuscator (v0.1)
Emotet
2020-08TG SoftTG Soft
@online{soft:202008:tg:88b671c, author = {TG Soft}, title = {{TG Soft Cyber - Threat Report}}, date = {2020-08}, organization = {TG Soft}, url = {https://www.tgsoft.it/files/report/download.asp?id=7481257469}, language = {Italian}, urldate = {2020-09-15} } TG Soft Cyber - Threat Report
DarkComet Darktrack RAT Emotet ISFB
2020-07-31HornetsecurityHornetsecurity Security Lab
@online{lab:20200731:webshells:4963ea5, author = {Hornetsecurity Security Lab}, title = {{The webshells powering Emotet}}, date = {2020-07-31}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-informationen-en/webshells-powering-emotet/}, language = {English}, urldate = {2020-08-21} } The webshells powering Emotet
Emotet
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-07-29Sophos LabsAndrew Brandt
@online{brandt:20200729:emotets:cb1de9b, author = {Andrew Brandt}, title = {{Emotet’s return is the canary in the coal mine}}, date = {2020-07-29}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/07/28/emotets-return-is-the-canary-in-the-coal-mine/?cmp=30728}, language = {English}, urldate = {2020-07-30} } Emotet’s return is the canary in the coal mine
Emotet
2020-07-28Bleeping ComputerSergiu Gatlan
@online{gatlan:20200728:emotet:37429c5, author = {Sergiu Gatlan}, title = {{Emotet malware now steals your email attachments to attack contacts}}, date = {2020-07-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-your-email-attachments-to-attack-contacts/}, language = {English}, urldate = {2020-07-30} } Emotet malware now steals your email attachments to attack contacts
Emotet
2020-07-20HornetsecurityHornetsecurity Security Lab
@online{lab:20200720:emotet:f918eaf, author = {Hornetsecurity Security Lab}, title = {{Emotet is back}}, date = {2020-07-20}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/emotet-is-back/}, language = {English}, urldate = {2020-07-30} } Emotet is back
Emotet
2020-07-20Bleeping ComputerLawrence Abrams
@online{abrams:20200720:emotettrickbot:a8e84d2, author = {Lawrence Abrams}, title = {{Emotet-TrickBot malware duo is back infecting Windows machines}}, date = {2020-07-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/}, language = {English}, urldate = {2020-07-21} } Emotet-TrickBot malware duo is back infecting Windows machines
Emotet TrickBot
2020-07-20NTTSecurity division of NTT Ltd.
@online{ltd:20200720:shellbot:adab896, author = {Security division of NTT Ltd.}, title = {{Shellbot victim overlap with Emotet network infrastructure}}, date = {2020-07-20}, organization = {NTT}, url = {https://hello.global.ntt/en-us/insights/blog/shellbot-victim-overlap-with-emotet-network-infrastructure}, language = {English}, urldate = {2020-07-30} } Shellbot victim overlap with Emotet network infrastructure
Emotet
2020-07-17CERT-FRCERT-FR
@techreport{certfr:20200717:malware:5c58cdf, author = {CERT-FR}, title = {{The Malware Dridex: Origins and Uses}}, date = {2020-07-17}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf}, language = {English}, urldate = {2020-07-20} } The Malware Dridex: Origins and Uses
Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus
2020-06-18NTT SecuritySecurity division of NTT Ltd.
@online{ltd:20200618:behind:a5e168d, author = {Security division of NTT Ltd.}, title = {{Behind the scenes of the Emotet Infrastructure}}, date = {2020-06-18}, organization = {NTT Security}, url = {https://hello.global.ntt/en-us/insights/blog/behind-the-scenes-of-the-emotet-infrastructure}, language = {English}, urldate = {2020-06-20} } Behind the scenes of the Emotet Infrastructure
Emotet
2020-06-12ThreatConnectThreatConnect Research Team
@online{team:20200612:probable:89a5bed, author = {ThreatConnect Research Team}, title = {{Probable Sandworm Infrastructure}}, date = {2020-06-12}, organization = {ThreatConnect}, url = {https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure}, language = {English}, urldate = {2020-06-16} } Probable Sandworm Infrastructure
Avaddon Ransomware Emotet Kimsuky
2020-05-28VMWare Carbon BlackTom Kellermann, Ryan Murphy
@techreport{kellermann:20200528:modern:8155ea4, author = {Tom Kellermann and Ryan Murphy}, title = {{Modern Bank Heists 3.0}}, date = {2020-05-28}, institution = {VMWare Carbon Black}, url = {https://cdn.www.carbonblack.com/wp-content/uploads/2020/05/VMWCB-Report-Modern-Bank-Heists-2020.pdf}, language = {English}, urldate = {2020-05-29} } Modern Bank Heists 3.0
Emotet
2020-05-21PICUS SecuritySüleyman Özarslan
@online{zarslan:20200521:t1055:4400f98, author = {Süleyman Özarslan}, title = {{T1055 Process Injection}}, date = {2020-05-21}, organization = {PICUS Security}, url = {https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection}, language = {English}, urldate = {2020-06-03} } T1055 Process Injection
BlackEnergy Cardinal RAT Downdelph Emotet Kazuar RokRAT SOUNDBITE
2020-05-05HornetsecuritySecurity Lab
@online{lab:20200505:awaiting:513382e, author = {Security Lab}, title = {{Awaiting the Inevitable Return of Emotet}}, date = {2020-05-05}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/awaiting-the-inevitable-return-of-emotet/}, language = {English}, urldate = {2020-05-05} } Awaiting the Inevitable Return of Emotet
Emotet
2020-04-22Youtube (Infosec Alpha)Raashid Bhat
@online{bhat:20200422:flattenthecurve:0bdf5a3, author = {Raashid Bhat}, title = {{FlattenTheCurve - Emotet Control Flow Unflattening | Episode 2}}, date = {2020-04-22}, organization = {Youtube (Infosec Alpha)}, url = {https://www.youtube.com/watch?v=8PHCZdpNKrw}, language = {English}, urldate = {2020-04-23} } FlattenTheCurve - Emotet Control Flow Unflattening | Episode 2
Emotet
2020-04-14Intel 471Intel 471
@online{471:20200414:understanding:ca95961, author = {Intel 471}, title = {{Understanding the relationship between Emotet, Ryuk and TrickBot}}, date = {2020-04-14}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/}, language = {English}, urldate = {2020-04-26} } Understanding the relationship between Emotet, Ryuk and TrickBot
Emotet Ryuk TrickBot
2020-04-03Bleeping ComputerSergiu Gatlan
@online{gatlan:20200403:microsoft:c12a844, author = {Sergiu Gatlan}, title = {{Microsoft: Emotet Took Down a Network by Overheating All Computers}}, date = {2020-04-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-emotet-took-down-a-network-by-overheating-all-computers/}, language = {English}, urldate = {2020-04-08} } Microsoft: Emotet Took Down a Network by Overheating All Computers
Emotet
2020-03-31Youtube (Infosec Alpha)Raashid Bhat
@online{bhat:20200331:emotet:50264e0, author = {Raashid Bhat}, title = {{Emotet Binary Deobfuscation | Coconut Paradise | Episode 1}}, date = {2020-03-31}, organization = {Youtube (Infosec Alpha)}, url = {https://www.youtube.com/watch?v=_mGMJFNJWSk}, language = {English}, urldate = {2020-04-23} } Emotet Binary Deobfuscation | Coconut Paradise | Episode 1
Emotet
2020-03-30IntezerMichael Kajiloti
@online{kajiloti:20200330:fantastic:c01db60, author = {Michael Kajiloti}, title = {{Fantastic payloads and where we find them}}, date = {2020-03-30}, organization = {Intezer}, url = {https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them}, language = {English}, urldate = {2020-04-07} } Fantastic payloads and where we find them
Dridex Emotet ISFB TrickBot
2020-03-30SymantecNguyen Hoang Giang, Mingwei Zhang
@online{giang:20200330:emotet:6034d14, author = {Nguyen Hoang Giang and Mingwei Zhang}, title = {{Emotet: Dangerous Malware Keeps on Evolving}}, date = {2020-03-30}, organization = {Symantec}, url = {https://medium.com/threat-intel/emotet-dangerous-malware-keeps-on-evolving-ac84aadbb8de}, language = {English}, urldate = {2020-04-01} } Emotet: Dangerous Malware Keeps on Evolving
Emotet
2020-03-12Digital ShadowsAlex Guirakhoo
@online{guirakhoo:20200312:how:cf2276f, author = {Alex Guirakhoo}, title = {{How cybercriminals are taking advantage of COVID-19: Scams, fraud, and misinformation}}, date = {2020-03-12}, organization = {Digital Shadows}, url = {https://www.digitalshadows.com/blog-and-research/how-cybercriminals-are-taking-advantage-of-covid-19-scams-fraud-misinformation/}, language = {English}, urldate = {2020-03-19} } How cybercriminals are taking advantage of COVID-19: Scams, fraud, and misinformation
Emotet
2020-03-11Twitter (@raashidbhatt)Raashid Bhat
@online{bhat:20200311:emotet:c178008, author = {Raashid Bhat}, title = {{Tweet on Emotet Deobfuscation with Video}}, date = {2020-03-11}, organization = {Twitter (@raashidbhatt)}, url = {https://twitter.com/raashidbhatt/status/1237853549200936960}, language = {English}, urldate = {2020-03-13} } Tweet on Emotet Deobfuscation with Video
Emotet
2020-03-06TelekomThomas Barabosch
@online{barabosch:20200306:dissecting:809bc54, author = {Thomas Barabosch}, title = {{Dissecting Emotet - Part 2}}, date = {2020-03-06}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-two-596128}, language = {English}, urldate = {2020-03-09} } Dissecting Emotet - Part 2
Emotet
2020-03-06Binary DefenseJames Quinn
@online{quinn:20200306:emotet:e93ab0b, author = {James Quinn}, title = {{Emotet Wi-Fi Spreader Upgraded}}, date = {2020-03-06}, organization = {Binary Defense}, url = {https://www.binarydefense.com/emotet-wi-fi-spreader-upgraded/}, language = {English}, urldate = {2020-03-09} } Emotet Wi-Fi Spreader Upgraded
Emotet
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-03-02c'tChristian Wölbert
@online{wlbert:20200302:was:1b9cc93, author = {Christian Wölbert}, title = {{Was Emotet anrichtet – und welche Lehren die Opfer daraus ziehen}}, date = {2020-03-02}, organization = {c't}, url = {https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html}, language = {German}, urldate = {2020-03-02} } Was Emotet anrichtet – und welche Lehren die Opfer daraus ziehen
Emotet Ryuk
2020-02-29ZDNetCatalin Cimpanu
@online{cimpanu:20200229:meet:b1d7dbd, author = {Catalin Cimpanu}, title = {{Meet the white-hat group fighting Emotet, the world's most dangerous malware}}, date = {2020-02-29}, organization = {ZDNet}, url = {https://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/}, language = {English}, urldate = {2020-03-02} } Meet the white-hat group fighting Emotet, the world's most dangerous malware
Emotet
2020-02-18CERT.PLMichał Praszmo
@online{praszmo:20200218:whats:2790998, author = {Michał Praszmo}, title = {{What’s up Emotet?}}, date = {2020-02-18}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/whats-up-emotet/}, language = {English}, urldate = {2020-02-18} } What’s up Emotet?
Emotet
2020-02-13TalosNick Biasini, Edmund Brumaghin
@online{biasini:20200213:threat:443d687, author = {Nick Biasini and Edmund Brumaghin}, title = {{Threat actors attempt to capitalize on coronavirus outbreak}}, date = {2020-02-13}, organization = {Talos}, url = {https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html}, language = {English}, urldate = {2020-03-19} } Threat actors attempt to capitalize on coronavirus outbreak
Emotet Nanocore RAT Parallax RAT
2020-02-10MalwarebytesAdam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz
@techreport{kujawa:20200210:2020:3fdaf12, author = {Adam Kujawa and Wendy Zamora and Jérôme Segura and Thomas Reed and Nathan Collier and Jovi Umawing and Chris Boyd and Pieter Arntz and David Ruiz}, title = {{2020 State of Malware Report}}, date = {2020-02-10}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf}, language = {English}, urldate = {2020-02-13} } 2020 State of Malware Report
magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor
2020-02-08PICUS SecuritySüleyman Özarslan
@online{zarslan:20200208:emotet:1fac6a4, author = {Süleyman Özarslan}, title = {{Emotet Technical Analysis - Part 2 PowerShell Unveiled}}, date = {2020-02-08}, organization = {PICUS Security}, url = {https://www.picussecurity.com/blog/emotet-technical-analysis-part-2-powershell-unveiled}, language = {English}, urldate = {2020-06-03} } Emotet Technical Analysis - Part 2 PowerShell Unveiled
Emotet
2020-02-07Binary DefenseJames Quinn
@online{quinn:20200207:emotet:07de43a, author = {James Quinn}, title = {{Emotet Evolves With New Wi-Fi Spreader}}, date = {2020-02-07}, organization = {Binary Defense}, url = {https://www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/}, language = {English}, urldate = {2020-02-09} } Emotet Evolves With New Wi-Fi Spreader
Emotet
2020-02-03TelekomThomas Barabosch
@online{barabosch:20200203:dissecting:c1a6bca, author = {Thomas Barabosch}, title = {{Dissecting Emotet – Part 1}}, date = {2020-02-03}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-one-592612}, language = {English}, urldate = {2020-02-07} } Dissecting Emotet – Part 1
Emotet
2020-01-30PICUS SecuritySüleyman Özarslan
@online{zarslan:20200130:emotet:1d5ef78, author = {Süleyman Özarslan}, title = {{Emotet Technical Analysis - Part 1 Reveal the Evil Code}}, date = {2020-01-30}, organization = {PICUS Security}, url = {https://www.picussecurity.com/blog/emotet-technical-analysis-part-1-reveal-the-evil-code}, language = {English}, urldate = {2020-06-03} } Emotet Technical Analysis - Part 1 Reveal the Evil Code
Emotet
2020-01-30IBM X-Force ExchangeAshkan Vila, Golo Mühr
@online{vila:20200130:coronavirus:f0121b9, author = {Ashkan Vila and Golo Mühr}, title = {{Coronavirus Goes Cyber With Emotet}}, date = {2020-01-30}, organization = {IBM X-Force Exchange}, url = {https://exchange.xforce.ibmcloud.com/collection/18f373debc38779065a26f1958dc260b}, language = {English}, urldate = {2020-02-03} } Coronavirus Goes Cyber With Emotet
Emotet
2020-01-27T-SystemsT-Systems
@techreport{tsystems:20200127:vorlufiger:39dc989, author = {T-Systems}, title = {{Vorläufiger forensischer Abschlussbericht zur Untersuchung des Incidents beim Berliner Kammergericht}}, date = {2020-01-27}, institution = {T-Systems}, url = {https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf}, language = {German}, urldate = {2020-01-28} } Vorläufiger forensischer Abschlussbericht zur Untersuchung des Incidents beim Berliner Kammergericht
Emotet TrickBot
2020-01-17JPCERT/CCTakayoshi Shiigi
@techreport{shiigi:20200117:looking:bf71db1, author = {Takayoshi Shiigi}, title = {{Looking back on the incidents in 2019}}, date = {2020-01-17}, institution = {JPCERT/CC}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf}, language = {English}, urldate = {2020-04-06} } Looking back on the incidents in 2019
TSCookie NodeRAT Emotet PoshC2 Quasar RAT
2020-01-17Hiroaki Ogawa, Manabu Niseki
@techreport{ogawa:20200117:100:035a7dd, author = {Hiroaki Ogawa and Manabu Niseki}, title = {{100 more behind cockroaches?}}, date = {2020-01-17}, institution = {}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf}, language = {English}, urldate = {2020-01-17} } 100 more behind cockroaches?
MoqHao Emotet Predator The Thief
2020-01-14Bleeping ComputerLawrence Abrams
@online{abrams:20200114:united:a309baa, author = {Lawrence Abrams}, title = {{United Nations Targeted With Emotet Malware Phishing Attack}}, date = {2020-01-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/}, language = {English}, urldate = {2020-01-20} } United Nations Targeted With Emotet Malware Phishing Attack
Emotet
2020-01-13GigamonWilliam Peteroy, Ed Miles
@online{peteroy:20200113:emotet:60abae1, author = {William Peteroy and Ed Miles}, title = {{Emotet: Not your Run-of-the-mill Malware}}, date = {2020-01-13}, organization = {Gigamon}, url = {https://atr-blog.gigamon.com/2020/01/13/emotet-not-your-run-of-the-mill-malware/}, language = {English}, urldate = {2020-01-17} } Emotet: Not your Run-of-the-mill Malware
Emotet
2020-01-10CSISCSIS
@techreport{csis:20200110:threat:7454f36, author = {CSIS}, title = {{Threat Matrix H1 2019}}, date = {2020-01-10}, institution = {CSIS}, url = {https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf}, language = {English}, urldate = {2020-01-22} } Threat Matrix H1 2019
Gustuff magecart Emotet Gandcrab Ramnit TrickBot
2020-01-07Hatching.ioTeam
@online{team:20200107:powershell:fb8264e, author = {Team}, title = {{Powershell Static Analysis & Emotet results}}, date = {2020-01-07}, organization = {Hatching.io}, url = {https://hatching.io/blog/powershell-analysis}, language = {English}, urldate = {2020-01-12} } Powershell Static Analysis & Emotet results
Emotet
2020SecureworksSecureWorks
@online{secureworks:2020:gold:9b89cea, author = {SecureWorks}, title = {{GOLD CRESTWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-crestwood}, language = {English}, urldate = {2020-05-23} } GOLD CRESTWOOD
Emotet MUMMY SPIDER
2019-12-12FireEyeChi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} } Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-12-10JPCERT/CCJPCERT/CC
@online{jpcertcc:20191210:updated:86aee30, author = {JPCERT/CC}, title = {{[Updated] Alert Regarding Emotet Malware Infection}}, date = {2019-12-10}, organization = {JPCERT/CC}, url = {https://www.jpcert.or.jp/english/at/2019/at190044.html}, language = {English}, urldate = {2020-01-09} } [Updated] Alert Regarding Emotet Malware Infection
Emotet
2019-12-04JPCERT/CCKen Sajo
@online{sajo:20191204:how:60225fe, author = {Ken Sajo}, title = {{How to Respond to Emotet Infection (FAQ)}}, date = {2019-12-04}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2019/12/emotetfaq.html}, language = {English}, urldate = {2020-01-13} } How to Respond to Emotet Infection (FAQ)
Emotet
2019-11-06Heise SecurityThomas Hungenberg
@online{hungenberg:20191106:emotet:1605954, author = {Thomas Hungenberg}, title = {{Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail}}, date = {2019-11-06}, organization = {Heise Security}, url = {https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html}, language = {German}, urldate = {2020-01-06} } Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail
Emotet Ryuk TrickBot
2019-10-30ZscalerAtinderpal Singh, Abhay Yadav
@online{singh:20191030:emotet:61821fe, author = {Atinderpal Singh and Abhay Yadav}, title = {{Emotet is back in action after a short break}}, date = {2019-10-30}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/emotet-back-action-after-short-break}, language = {English}, urldate = {2020-07-01} } Emotet is back in action after a short break
Emotet
2019-10-14Marco Ramilli
@online{ramilli:20191014:is:de28de6, author = {Marco Ramilli}, title = {{Is Emotet gang targeting companies with external SOC?}}, date = {2019-10-14}, url = {https://marcoramilli.com/2019/10/14/is-emotet-gang-targeting-companies-with-external-soc/}, language = {English}, urldate = {2019-12-20} } Is Emotet gang targeting companies with external SOC?
Emotet
2019-09-24Dissecting MalwareMarius Genheimer
@online{genheimer:20190924:return:f85ef19, author = {Marius Genheimer}, title = {{Return of the Mummy - Welcome back, Emotet}}, date = {2019-09-24}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/return-of-the-mummy-welcome-back-emotet.html}, language = {English}, urldate = {2020-03-27} } Return of the Mummy - Welcome back, Emotet
Emotet
2019-09-16MalwarebytesThreat Intelligence Team
@online{team:20190916:emotet:9c6c8f3, author = {Threat Intelligence Team}, title = {{Emotet is back: botnet springs back to life with new spam campaign}}, date = {2019-09-16}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign/}, language = {English}, urldate = {2019-12-20} } Emotet is back: botnet springs back to life with new spam campaign
Emotet
2019-08-13AdalogicsDavid Korczynski
@online{korczynski:20190813:state:a4ad074, author = {David Korczynski}, title = {{The state of advanced code injections}}, date = {2019-08-13}, organization = {Adalogics}, url = {https://adalogics.com/blog/the-state-of-advanced-code-injections}, language = {English}, urldate = {2020-01-13} } The state of advanced code injections
Dridex Emotet Tinba
2019-08-12Schweizerische EidgenossenschaftSchweizerische Eidgenossenschaft
@online{eidgenossenschaft:20190812:trojaner:60574cc, author = {Schweizerische Eidgenossenschaft}, title = {{Trojaner Emotet greift Unternehmensnetzwerke an}}, date = {2019-08-12}, organization = {Schweizerische Eidgenossenschaft}, url = {https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner_Emotet_greift_Unternehmensnetzwerke_an.html}, language = {German}, urldate = {2020-01-08} } Trojaner Emotet greift Unternehmensnetzwerke an
Emotet
2019-06-06FortinetKai Lu
@online{lu:20190606:deep:0ac679a, author = {Kai Lu}, title = {{A Deep Dive into the Emotet Malware}}, date = {2019-06-06}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware.html}, language = {English}, urldate = {2020-01-07} } A Deep Dive into the Emotet Malware
Emotet
2019-05-15ProofpointAxel F, Proofpoint Threat Insight Team
@online{f:20190515:threat:06b415a, author = {Axel F and Proofpoint Threat Insight Team}, title = {{Threat Actor Profile: TA542, From Banker to Malware Distribution Service}}, date = {2019-05-15}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service}, language = {English}, urldate = {2019-12-20} } Threat Actor Profile: TA542, From Banker to Malware Distribution Service
Emotet MUMMY SPIDER
2019-05-09GovCERT.chGovCERT.ch
@online{govcertch:20190509:severe:2767782, author = {GovCERT.ch}, title = {{Severe Ransomware Attacks Against Swiss SMEs}}, date = {2019-05-09}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes}, language = {English}, urldate = {2019-07-11} } Severe Ransomware Attacks Against Swiss SMEs
Emotet LockerGoga Ryuk TrickBot
2019-04-29BluelivBlueliv Labs Team
@online{team:20190429:where:8c3db39, author = {Blueliv Labs Team}, title = {{Where is Emotet? Latest geolocation data}}, date = {2019-04-29}, organization = {Blueliv}, url = {https://www.blueliv.com/blog/research/where-is-emotet-latest-geolocation-data/}, language = {English}, urldate = {2020-01-08} } Where is Emotet? Latest geolocation data
Emotet
2019-04-25Trend MicroTrendmicro
@online{trendmicro:20190425:emotet:04884ca, author = {Trendmicro}, title = {{Emotet Adds New Evasion Technique}}, date = {2019-04-25}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers/}, language = {English}, urldate = {2019-11-26} } Emotet Adds New Evasion Technique
Emotet
2019-04-22int 0xcc blogRaashid Bhat
@online{bhat:20190422:dissecting:ffba987, author = {Raashid Bhat}, title = {{Dissecting Emotet’s network communication protocol}}, date = {2019-04-22}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol}, language = {English}, urldate = {2020-01-06} } Dissecting Emotet’s network communication protocol
Emotet
2019-04-12SpamTitantitanadmin
@online{titanadmin:20190412:emotet:12ca0e7, author = {titanadmin}, title = {{Emotet Malware Revives Old Email Conversations Threads to Increase Infection Rates}}, date = {2019-04-12}, organization = {SpamTitan}, url = {https://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/}, language = {English}, urldate = {2020-01-09} } Emotet Malware Revives Old Email Conversations Threads to Increase Infection Rates
Emotet
2019-04-07Sveatoslav Persianov
@online{persianov:20190407:emotet:0aeaa67, author = {Sveatoslav Persianov}, title = {{Emotet malware analysis. Part 2}}, date = {2019-04-07}, url = {https://persianov.net/emotet-malware-analysis-part-2}, language = {English}, urldate = {2020-01-05} } Emotet malware analysis. Part 2
Emotet
2019-04Cafe Babe
@online{babe:201904:analyzing:3a404ff, author = {Cafe Babe}, title = {{Analyzing Emotet with Ghidra — Part 1}}, date = {2019-04}, url = {https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69}, language = {English}, urldate = {2019-12-06} } Analyzing Emotet with Ghidra — Part 1
Emotet
2019-03-27SpamhausSpamhaus Malware Labs
@online{labs:20190327:emotet:388559f, author = {Spamhaus Malware Labs}, title = {{Emotet adds a further layer of camouflage}}, date = {2019-03-27}, organization = {Spamhaus}, url = {https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage}, language = {English}, urldate = {2020-01-06} } Emotet adds a further layer of camouflage
Emotet
2019-03-17Persianov on SecuritySveatoslav Persianov
@online{persianov:20190317:emotet:ee3ed0b, author = {Sveatoslav Persianov}, title = {{Emotet malware analysis. Part 1}}, date = {2019-03-17}, organization = {Persianov on Security}, url = {https://persianov.net/emotet-malware-analysis-part-1}, language = {English}, urldate = {2019-12-17} } Emotet malware analysis. Part 1
Emotet
2019-03-15CofenseThreat Intelligence
@online{intelligence:20190315:flash:c7544fd, author = {Threat Intelligence}, title = {{Flash Bulletin: Emotet Epoch 1 Changes its C2 Communication}}, date = {2019-03-15}, organization = {Cofense}, url = {https://cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/}, language = {English}, urldate = {2019-10-23} } Flash Bulletin: Emotet Epoch 1 Changes its C2 Communication
Emotet
2019-03-08The Daily SwigJames Walker
@online{walker:20190308:emotet:f1a68de, author = {James Walker}, title = {{Emotet trojan implicated in Wolverine Solutions ransomware attack}}, date = {2019-03-08}, organization = {The Daily Swig}, url = {https://portswigger.net/daily-swig/emotet-trojan-implicated-in-wolverine-solutions-ransomware-attack}, language = {English}, urldate = {2019-07-10} } Emotet trojan implicated in Wolverine Solutions ransomware attack
Emotet
2019-02-16Max Kersten's BlogMax Kersten
@online{kersten:20190216:emotet:7cb0628, author = {Max Kersten}, title = {{Emotet droppers}}, date = {2019-02-16}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/}, language = {English}, urldate = {2020-01-09} } Emotet droppers
Emotet
2019-01-17SANS ISC InfoSec ForumsBrad Duncan
@online{duncan:20190117:emotet:0754347, author = {Brad Duncan}, title = {{Emotet infections and follow-up malware}}, date = {2019-01-17}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/}, language = {English}, urldate = {2020-01-13} } Emotet infections and follow-up malware
Emotet
2019-01-05Github (d00rt)d00rt
@online{d00rt:20190105:emotet:8dee25a, author = {d00rt}, title = {{Emotet Research}}, date = {2019-01-05}, organization = {Github (d00rt)}, url = {https://github.com/d00rt/emotet_research}, language = {English}, urldate = {2020-01-10} } Emotet Research
Emotet
2019D00RT_RM
@online{d00rtrm:2019:emutet:8913da8, author = {D00RT_RM}, title = {{Emutet}}, date = {2019}, url = {https://d00rt.github.io/emotet_network_protocol/}, language = {English}, urldate = {2020-01-07} } Emutet
Emotet
2018-12-18Trend MicroTrendmicro
@online{trendmicro:20181218:ursnif:cc5ce31, author = {Trendmicro}, title = {{URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader}}, date = {2018-12-18}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/}, language = {English}, urldate = {2020-01-07} } URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader
Dridex Emotet FriedEx ISFB
2018-11-16Trend MicroTrend Micro
@online{micro:20181116:exploring:be1e153, author = {Trend Micro}, title = {{Exploring Emotet: Examining Emotet’s Activities, Infrastructure}}, date = {2018-11-16}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/}, language = {English}, urldate = {2020-01-12} } Exploring Emotet: Examining Emotet’s Activities, Infrastructure
Emotet
2018-11-09ESET ResearchESET Research
@online{research:20181109:emotet:b12ec91, author = {ESET Research}, title = {{Emotet launches major new spam campaign}}, date = {2018-11-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/}, language = {English}, urldate = {2019-11-14} } Emotet launches major new spam campaign
Emotet
2018-10-31Kryptos LogicKryptos Logic
@online{logic:20181031:emotet:ab7226f, author = {Kryptos Logic}, title = {{Emotet Awakens With New Campaign of Mass Email Exfiltration}}, date = {2018-10-31}, organization = {Kryptos Logic}, url = {https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html}, language = {English}, urldate = {2020-01-08} } Emotet Awakens With New Campaign of Mass Email Exfiltration
Emotet
2018-09-12Cryptolaemus PastedumpCryptolaemus
@online{cryptolaemus:20180912:emotet:013e01b, author = {Cryptolaemus}, title = {{Emotet IOC}}, date = {2018-09-12}, organization = {Cryptolaemus Pastedump}, url = {https://paste.cryptolaemus.com}, language = {English}, urldate = {2020-01-13} } Emotet IOC
Emotet
2018-08-01Kryptos LogicKryptos Logic
@online{logic:20180801:inside:e5a8e2c, author = {Kryptos Logic}, title = {{Inside Look at Emotet's Global Victims and Malspam Qakbot Payloads}}, date = {2018-08-01}, organization = {Kryptos Logic}, url = {https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html}, language = {English}, urldate = {2020-01-09} } Inside Look at Emotet's Global Victims and Malspam Qakbot Payloads
Emotet
2018-07-26IntezerItai Tevet
@online{tevet:20180726:mitigating:30dc2fb, author = {Itai Tevet}, title = {{Mitigating Emotet, The Most Common Banking Trojan}}, date = {2018-07-26}, organization = {Intezer}, url = {https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/}, language = {English}, urldate = {2019-12-31} } Mitigating Emotet, The Most Common Banking Trojan
Emotet
2018-07-24Check PointOfer Caspi, Ben Herzog
@online{caspi:20180724:emotet:a26725d, author = {Ofer Caspi and Ben Herzog}, title = {{Emotet: The Tricky Trojan that ‘Git Clones’}}, date = {2018-07-24}, organization = {Check Point}, url = {https://research.checkpoint.com/emotet-tricky-trojan-git-clones/}, language = {English}, urldate = {2020-01-13} } Emotet: The Tricky Trojan that ‘Git Clones’
Emotet
2018-07-23MalFindLasq
@online{lasq:20180723:deobfuscating:dd200d6, author = {Lasq}, title = {{Deobfuscating Emotet’s powershell payload}}, date = {2018-07-23}, organization = {MalFind}, url = {https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/}, language = {English}, urldate = {2020-01-09} } Deobfuscating Emotet’s powershell payload
Emotet
2018-07-20NCCICNational Cybersecurity, Communications Integration Center
@online{cybersecurity:20180720:alert:89ca0c7, author = {National Cybersecurity and Communications Integration Center}, title = {{Alert (TA18-201A) Emotet Malware}}, date = {2018-07-20}, organization = {NCCIC}, url = {https://www.us-cert.gov/ncas/alerts/TA18-201A}, language = {English}, urldate = {2019-10-27} } Alert (TA18-201A) Emotet Malware
Emotet
2018-07-18SymantecSecurity Response Attack Investigation Team
@online{team:20180718:evolution:25e5d39, author = {Security Response Attack Investigation Team}, title = {{The Evolution of Emotet: From Banking Trojan to Threat Distributor}}, date = {2018-07-18}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor}, language = {English}, urldate = {2019-11-27} } The Evolution of Emotet: From Banking Trojan to Threat Distributor
Emotet
2018-02-08CrowdStrikeAdam Meyers
@online{meyers:20180208:meet:39f25b3, author = {Adam Meyers}, title = {{Meet CrowdStrike’s Adversary of the Month for February: MUMMY SPIDER}}, date = {2018-02-08}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/}, language = {English}, urldate = {2019-12-20} } Meet CrowdStrike’s Adversary of the Month for February: MUMMY SPIDER
Emotet MUMMY SPIDER
2018Quick HealQuick Heal
@techreport{heal:2018:complete:96388ed, author = {Quick Heal}, title = {{The Complete story of EMOTET Most prominent Malware of 2018}}, date = {2018}, institution = {Quick Heal}, url = {https://quickheal.co.in/documents/technical-paper/Whitepaper_HowToPM.pdf}, language = {English}, urldate = {2020-01-13} } The Complete story of EMOTET Most prominent Malware of 2018
Emotet
2017-11-15Trend MicroRubio Wu
@online{wu:20171115:new:dde35b0, author = {Rubio Wu}, title = {{New EMOTET Hijacks a Windows API, Evades Sandbox and Analysis}}, date = {2017-11-15}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/}, language = {English}, urldate = {2019-10-14} } New EMOTET Hijacks a Windows API, Evades Sandbox and Analysis
Emotet
2017-11-06MicrosoftMicrosoft Defender ATP Research Team
@online{team:20171106:mitigating:f52d1d9, author = {Microsoft Defender ATP Research Team}, title = {{Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks}}, date = {2017-11-06}, organization = {Microsoft}, url = {https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc}, language = {English}, urldate = {2019-12-18} } Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks
Emotet
2017-10-12G DataG Data
@online{data:20171012:emotet:c99dec0, author = {G Data}, title = {{Emotet beutet Outlook aus}}, date = {2017-10-12}, organization = {G Data}, url = {https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus}, language = {English}, urldate = {2019-12-05} } Emotet beutet Outlook aus
Emotet
2017-10-06CERT.PLMaciej Kotowicz, Jarosław Jedynak
@techreport{kotowicz:20171006:peering:668c82e, author = {Maciej Kotowicz and Jarosław Jedynak}, title = {{Peering into spam botnets}}, date = {2017-10-06}, institution = {CERT.PL}, url = {https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf}, language = {English}, urldate = {2020-04-06} } Peering into spam botnets
Emotet Kelihos Necurs SendSafe Tofsee
2017-09-07Trend MicroDon Ladores
@online{ladores:20170907:emotet:bf3075c, author = {Don Ladores}, title = {{EMOTET Returns, Starts Spreading via Spam Botnet}}, date = {2017-09-07}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/}, language = {English}, urldate = {2019-11-28} } EMOTET Returns, Starts Spreading via Spam Botnet
Emotet
2017-07-17MalwarebytesThreat Intelligence Team
@online{team:20170717:its:4b94b0b, author = {Threat Intelligence Team}, title = {{It’s baaaack: Public cyber enemy Emotet has returned}}, date = {2017-07-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/trojans/2020/07/long-dreaded-emotet-has-returned/}, language = {English}, urldate = {2020-07-17} } It’s baaaack: Public cyber enemy Emotet has returned
Emotet
2017-05-31ropgadget.comJeff White
@online{white:20170531:writing:1ad3f1b, author = {Jeff White}, title = {{Writing PCRE's for applied passive network defense [Emotet]}}, date = {2017-05-31}, organization = {ropgadget.com}, url = {http://ropgadget.com/posts/defensive_pcres.html}, language = {English}, urldate = {2020-03-06} } Writing PCRE's for applied passive network defense [Emotet]
Emotet
2017-05-24CERT.PLPaweł Srokosz
@online{srokosz:20170524:analysis:1d591e7, author = {Paweł Srokosz}, title = {{Analysis of Emotet v4}}, date = {2017-05-24}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/analysis-of-emotet-v4/}, language = {English}, urldate = {2020-01-09} } Analysis of Emotet v4
Emotet
2017-05-03FortinetXiaopeng Zhang
@online{zhang:20170503:deep:4b1f7c7, author = {Xiaopeng Zhang}, title = {{Deep Analysis of New Emotet Variant - Part 1}}, date = {2017-05-03}, organization = {Fortinet}, url = {http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1}, language = {English}, urldate = {2019-07-08} } Deep Analysis of New Emotet Variant - Part 1
Emotet
2015-04-09Kaspersky LabsAlexey Shulmin
@online{shulmin:20150409:banking:165b265, author = {Alexey Shulmin}, title = {{The Banking Trojan Emotet: Detailed Analysis}}, date = {2015-04-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/}, language = {English}, urldate = {2019-12-20} } The Banking Trojan Emotet: Detailed Analysis
Emotet
2013-01-18abuse.chabuse.ch
@online{abusech:20130118:feodo:5354db0, author = {abuse.ch}, title = {{Feodo Tracker}}, date = {2013-01-18}, organization = {abuse.ch}, url = {https://feodotracker.abuse.ch/?filter=version_e}, language = {English}, urldate = {2020-01-13} } Feodo Tracker
Emotet
Yara Rules
[TLP:WHITE] win_emotet_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_emotet_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0fb7c0 83c020 eb03 0fb7c0 69d23f000100 }
            // n = 5, score = 1800
            //   0fb7c0               | movzx               eax, ax
            //   83c020               | add                 eax, 0x20
            //   eb03                 | jmp                 5
            //   0fb7c0               | movzx               eax, ax
            //   69d23f000100         | imul                edx, edx, 0x1003f

        $sequence_1 = { 3903 5f 5e 0f95c0 5b 8be5 }
            // n = 6, score = 1600
            //   3903                 | cmp                 dword ptr [ebx], eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   0f95c0               | setne               al
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp

        $sequence_2 = { 8d5801 f6c30f 7406 83e3f0 83c310 }
            // n = 5, score = 1500
            //   8d5801               | lea                 ebx, [eax + 1]
            //   f6c30f               | test                bl, 0xf
            //   7406                 | je                  8
            //   83e3f0               | and                 ebx, 0xfffffff0
            //   83c310               | add                 ebx, 0x10

        $sequence_3 = { c1e807 46 83f87f 77f7 }
            // n = 4, score = 1500
            //   c1e807               | shr                 eax, 7
            //   46                   | inc                 esi
            //   83f87f               | cmp                 eax, 0x7f
            //   77f7                 | ja                  0xfffffff9

        $sequence_4 = { 03878c000000 50 ff15???????? 017758 }
            // n = 4, score = 1400
            //   03878c000000         | add                 eax, dword ptr [edi + 0x8c]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   017758               | add                 dword ptr [edi + 0x58], esi

        $sequence_5 = { 83c40c 8b4d0c 8bc2 0bc1 83f8ff }
            // n = 5, score = 1400
            //   83c40c               | add                 esp, 0xc
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   8bc2                 | mov                 eax, edx
            //   0bc1                 | or                  eax, ecx
            //   83f8ff               | cmp                 eax, -1

        $sequence_6 = { 8945fc 8d45f8 6a04 50 ff760c }
            // n = 5, score = 1400
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   6a04                 | push                4
            //   50                   | push                eax
            //   ff760c               | push                dword ptr [esi + 0xc]

        $sequence_7 = { 8901 8b477c 85c0 7448 }
            // n = 4, score = 1400
            //   8901                 | mov                 dword ptr [ecx], eax
            //   8b477c               | mov                 eax, dword ptr [edi + 0x7c]
            //   85c0                 | test                eax, eax
            //   7448                 | je                  0x4a

        $sequence_8 = { 8b4508 894dcc 8d4dc8 8945c8 8975d4 8955d8 }
            // n = 6, score = 1400
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   894dcc               | mov                 dword ptr [ebp - 0x34], ecx
            //   8d4dc8               | lea                 ecx, [ebp - 0x38]
            //   8945c8               | mov                 dword ptr [ebp - 0x38], eax
            //   8975d4               | mov                 dword ptr [ebp - 0x2c], esi
            //   8955d8               | mov                 dword ptr [ebp - 0x28], edx

        $sequence_9 = { 8bf1 ff15???????? 8b17 83c40c 8b4d0c }
            // n = 5, score = 1400
            //   8bf1                 | mov                 esi, ecx
            //   ff15????????         |                     
            //   8b17                 | mov                 edx, dword ptr [edi]
            //   83c40c               | add                 esp, 0xc
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]

        $sequence_10 = { 56 57 8b780c 8bd9 83c70c 8b37 }
            // n = 6, score = 1100
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b780c               | mov                 edi, dword ptr [eax + 0xc]
            //   8bd9                 | mov                 ebx, ecx
            //   83c70c               | add                 edi, 0xc
            //   8b37                 | mov                 esi, dword ptr [edi]

        $sequence_11 = { 7907 83c107 3bf7 72e8 }
            // n = 4, score = 1100
            //   7907                 | jns                 9
            //   83c107               | add                 ecx, 7
            //   3bf7                 | cmp                 esi, edi
            //   72e8                 | jb                  0xffffffea

        $sequence_12 = { c745fc04000000 50 8d45f8 81ca00000020 50 52 51 }
            // n = 7, score = 1000
            //   c745fc04000000       | mov                 dword ptr [ebp - 4], 4
            //   50                   | push                eax
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   81ca00000020         | or                  edx, 0x20000000
            //   50                   | push                eax
            //   52                   | push                edx
            //   51                   | push                ecx

        $sequence_13 = { f7d8 1bc0 2345f8 8be5 5d }
            // n = 5, score = 900
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax
            //   2345f8               | and                 eax, dword ptr [ebp - 8]
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp

        $sequence_14 = { 83f87f 7609 c1e807 41 }
            // n = 4, score = 900
            //   83f87f               | cmp                 eax, 0x7f
            //   7609                 | jbe                 0xb
            //   c1e807               | shr                 eax, 7
            //   41                   | inc                 ecx

        $sequence_15 = { 83f87f 760d 8d642400 c1e807 }
            // n = 4, score = 900
            //   83f87f               | cmp                 eax, 0x7f
            //   760d                 | jbe                 0xf
            //   8d642400             | lea                 esp, [esp]
            //   c1e807               | shr                 eax, 7

        $sequence_16 = { c60158 41 803900 75dd }
            // n = 4, score = 800
            //   c60158               | mov                 byte ptr [ecx], 0x58
            //   41                   | inc                 ecx
            //   803900               | cmp                 byte ptr [ecx], 0
            //   75dd                 | jne                 0xffffffdf

        $sequence_17 = { 50 6a00 6a01 6a00 ff15???????? a3???????? }
            // n = 6, score = 800
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   a3????????           |                     

        $sequence_18 = { 3c5a 7e03 c60158 41 }
            // n = 4, score = 800
            //   3c5a                 | cmp                 al, 0x5a
            //   7e03                 | jle                 5
            //   c60158               | mov                 byte ptr [ecx], 0x58
            //   41                   | inc                 ecx

        $sequence_19 = { 7e13 3c61 7c04 3c7a }
            // n = 4, score = 800
            //   7e13                 | jle                 0x15
            //   3c61                 | cmp                 al, 0x61
            //   7c04                 | jl                  6
            //   3c7a                 | cmp                 al, 0x7a

        $sequence_20 = { 6a00 6aff 50 51 ff15???????? }
            // n = 5, score = 800
            //   6a00                 | push                0
            //   6aff                 | push                -1
            //   50                   | push                eax
            //   51                   | push                ecx
            //   ff15????????         |                     

        $sequence_21 = { 52 52 52 68???????? 52 }
            // n = 5, score = 800
            //   52                   | push                edx
            //   52                   | push                edx
            //   52                   | push                edx
            //   68????????           |                     
            //   52                   | push                edx

        $sequence_22 = { 3c30 7c04 3c39 7e13 }
            // n = 4, score = 800
            //   3c30                 | cmp                 al, 0x30
            //   7c04                 | jl                  6
            //   3c39                 | cmp                 al, 0x39
            //   7e13                 | jle                 0x15

        $sequence_23 = { 7c04 3c7a 7e0b 3c41 7c04 3c5a 7e03 }
            // n = 7, score = 800
            //   7c04                 | jl                  6
            //   3c7a                 | cmp                 al, 0x7a
            //   7e0b                 | jle                 0xd
            //   3c41                 | cmp                 al, 0x41
            //   7c04                 | jl                  6
            //   3c5a                 | cmp                 al, 0x5a
            //   7e03                 | jle                 5

        $sequence_24 = { 83ec48 53 56 57 6a44 }
            // n = 5, score = 700
            //   83ec48               | sub                 esp, 0x48
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   6a44                 | push                0x44

        $sequence_25 = { 56 ff15???????? 8bf8 85ff 743a }
            // n = 5, score = 700
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   743a                 | je                  0x3c

        $sequence_26 = { 8b5d08 b8afa96e5e 56 57 }
            // n = 4, score = 700
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   b8afa96e5e           | mov                 eax, 0x5e6ea9af
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_27 = { 0fb70a 8bc1 81e100f00000 25ff0f0000 }
            // n = 4, score = 700
            //   0fb70a               | movzx               ecx, word ptr [edx]
            //   8bc1                 | mov                 eax, ecx
            //   81e100f00000         | and                 ecx, 0xf000
            //   25ff0f0000           | and                 eax, 0xfff

        $sequence_28 = { 8b450c 8b4918 8908 33c0 }
            // n = 4, score = 700
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8b4918               | mov                 ecx, dword ptr [ecx + 0x18]
            //   8908                 | mov                 dword ptr [eax], ecx
            //   33c0                 | xor                 eax, eax

        $sequence_29 = { 53 56 8bf1 bb00c34c84 }
            // n = 4, score = 600
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   bb00c34c84           | mov                 ebx, 0x844cc300

        $sequence_30 = { 8bec 83ec14 53 8b5d08 b8afa96e5e }
            // n = 5, score = 600
            //   8bec                 | mov                 ebp, esp
            //   83ec14               | sub                 esp, 0x14
            //   53                   | push                ebx
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   b8afa96e5e           | mov                 eax, 0x5e6ea9af

        $sequence_31 = { 57 00b807000000 008b45fc33d2 00b871800780 00558b ec }
            // n = 6, score = 500
            //   57                   | push                edi
            //   00b807000000         | add                 byte ptr [eax + 7], bh
            //   008b45fc33d2         | add                 byte ptr [ebx - 0x2dcc03bb], cl
            //   00b871800780         | add                 byte ptr [eax - 0x7ff87f8f], bh
            //   00558b               | add                 byte ptr [ebp - 0x75], dl
            //   ec                   | in                  al, dx

        $sequence_32 = { 83c604 8b7de0 8b4c0f04 83f900 }
            // n = 4, score = 500
            //   83c604               | add                 esi, 4
            //   8b7de0               | mov                 edi, dword ptr [ebp - 0x20]
            //   8b4c0f04             | mov                 ecx, dword ptr [edi + ecx + 4]
            //   83f900               | cmp                 ecx, 0

        $sequence_33 = { 00b871800780 00558b ec 8b450c 00558b ec }
            // n = 6, score = 500
            //   00b871800780         | add                 byte ptr [eax - 0x7ff87f8f], bh
            //   00558b               | add                 byte ptr [ebp - 0x75], dl
            //   ec                   | in                  al, dx
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   00558b               | add                 byte ptr [ebp - 0x75], dl
            //   ec                   | in                  al, dx

        $sequence_34 = { 83ec10 53 6a00 8d45fc }
            // n = 4, score = 500
            //   83ec10               | sub                 esp, 0x10
            //   53                   | push                ebx
            //   6a00                 | push                0
            //   8d45fc               | lea                 eax, [ebp - 4]

        $sequence_35 = { 8b4d0c 8b5508 befbffffff c600e9 29d6 01ce 897001 }
            // n = 7, score = 500
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   befbffffff           | mov                 esi, 0xfffffffb
            //   c600e9               | mov                 byte ptr [eax], 0xe9
            //   29d6                 | sub                 esi, edx
            //   01ce                 | add                 esi, ecx
            //   897001               | mov                 dword ptr [eax + 1], esi

        $sequence_36 = { 51 52 01c8 01d0 50 e8???????? 5a }
            // n = 7, score = 500
            //   51                   | push                ecx
            //   52                   | push                edx
            //   01c8                 | add                 eax, ecx
            //   01d0                 | add                 eax, edx
            //   50                   | push                eax
            //   e8????????           |                     
            //   5a                   | pop                 edx

        $sequence_37 = { 83fe00 8945f0 894dec 8955e8 8975e4 }
            // n = 5, score = 500
            //   83fe00               | cmp                 esi, 0
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx
            //   8955e8               | mov                 dword ptr [ebp - 0x18], edx
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi

        $sequence_38 = { 6a00 6a03 6a00 6a00 ff7508 53 50 }
            // n = 7, score = 500
            //   6a00                 | push                0
            //   6a03                 | push                3
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff7508               | push                dword ptr [ebp + 8]
            //   53                   | push                ebx
            //   50                   | push                eax

        $sequence_39 = { 8bf1 bb00c34c84 57 33ff }
            // n = 4, score = 500
            //   8bf1                 | mov                 esi, ecx
            //   bb00c34c84           | mov                 ebx, 0x844cc300
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi

        $sequence_40 = { 8b7020 8b7840 89c3 83c33c }
            // n = 4, score = 300
            //   8b7020               | mov                 esi, dword ptr [eax + 0x20]
            //   8b7840               | mov                 edi, dword ptr [eax + 0x40]
            //   89c3                 | mov                 ebx, eax
            //   83c33c               | add                 ebx, 0x3c

        $sequence_41 = { 31c9 89e2 31f6 89720c 897208 897204 }
            // n = 6, score = 200
            //   31c9                 | xor                 ecx, ecx
            //   89e2                 | mov                 edx, esp
            //   31f6                 | xor                 esi, esi
            //   89720c               | mov                 dword ptr [edx + 0xc], esi
            //   897208               | mov                 dword ptr [edx + 8], esi
            //   897204               | mov                 dword ptr [edx + 4], esi

        $sequence_42 = { e8???????? 84c0 75ba bf???????? e8???????? }
            // n = 5, score = 100
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   75ba                 | jne                 0xffffffbc
            //   bf????????           |                     
            //   e8????????           |                     

        $sequence_43 = { 48 8d0dcb4e0000 c744242880000000 89542420 45 }
            // n = 5, score = 100
            //   48                   | dec                 eax
            //   8d0dcb4e0000         | lea                 ecx, [0x4ecb]
            //   c744242880000000     | mov                 dword ptr [esp + 0x28], 0x80
            //   89542420             | mov                 dword ptr [esp + 0x20], edx
            //   45                   | inc                 ebp

        $sequence_44 = { 84c0 75ed 48 8d4c2420 e8???????? 48 8d4c2420 }
            // n = 7, score = 100
            //   84c0                 | test                al, al
            //   75ed                 | jne                 0xffffffef
            //   48                   | dec                 eax
            //   8d4c2420             | lea                 ecx, [esp + 0x20]
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   8d4c2420             | lea                 ecx, [esp + 0x20]

        $sequence_45 = { 48 85c0 743e 8b5c2430 }
            // n = 4, score = 100
            //   48                   | dec                 eax
            //   85c0                 | test                eax, eax
            //   743e                 | je                  0x40
            //   8b5c2430             | mov                 ebx, dword ptr [esp + 0x30]

        $sequence_46 = { 7409 57 50 8ac3 e8???????? 5f }
            // n = 6, score = 100
            //   7409                 | je                  0xb
            //   57                   | push                edi
            //   50                   | push                eax
            //   8ac3                 | mov                 al, bl
            //   e8????????           |                     
            //   5f                   | pop                 edi

        $sequence_47 = { 50 8d8584fbffff 50 6a21 51 e8???????? 5f }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8d8584fbffff         | lea                 eax, [ebp - 0x47c]
            //   50                   | push                eax
            //   6a21                 | push                0x21
            //   51                   | push                ecx
            //   e8????????           |                     
            //   5f                   | pop                 edi

        $sequence_48 = { 81fa50450000 0f44c1 89442460 8b442460 }
            // n = 4, score = 100
            //   81fa50450000         | cmp                 edx, 0x4550
            //   0f44c1               | cmove               eax, ecx
            //   89442460             | mov                 dword ptr [esp + 0x60], eax
            //   8b442460             | mov                 eax, dword ptr [esp + 0x60]

        $sequence_49 = { c3 83ec10 8b442414 8d0d6c30d800 31d2 890c24 }
            // n = 6, score = 100
            //   c3                   | ret                 
            //   83ec10               | sub                 esp, 0x10
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   8d0d6c30d800         | lea                 ecx, [0xd8306c]
            //   31d2                 | xor                 edx, edx
            //   890c24               | mov                 dword ptr [esp], ecx

        $sequence_50 = { e8???????? 3d00100000 745f e8???????? e8???????? 84c0 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   3d00100000           | cmp                 eax, 0x1000
            //   745f                 | je                  0x61
            //   e8????????           |                     
            //   e8????????           |                     
            //   84c0                 | test                al, al

        $sequence_51 = { f20f11442470 894c246c ffd2 83ec10 }
            // n = 4, score = 100
            //   f20f11442470         | movsd               qword ptr [esp + 0x70], xmm0
            //   894c246c             | mov                 dword ptr [esp + 0x6c], ecx
            //   ffd2                 | call                edx
            //   83ec10               | sub                 esp, 0x10

        $sequence_52 = { 8b6c2478 01dd 8b5924 89442424 89d8 c1e81e 83e001 }
            // n = 7, score = 100
            //   8b6c2478             | mov                 ebp, dword ptr [esp + 0x78]
            //   01dd                 | add                 ebp, ebx
            //   8b5924               | mov                 ebx, dword ptr [ecx + 0x24]
            //   89442424             | mov                 dword ptr [esp + 0x24], eax
            //   89d8                 | mov                 eax, ebx
            //   c1e81e               | shr                 eax, 0x1e
            //   83e001               | and                 eax, 1

        $sequence_53 = { e8???????? 0fb6d8 ff15???????? 48 8bce e8???????? 48 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   0fb6d8               | movzx               ebx, al
            //   ff15????????         |                     
            //   48                   | dec                 eax
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   48                   | dec                 eax

        $sequence_54 = { f20f11842490000000 8984248c000000 0f843affffff e9???????? 8b442454 }
            // n = 5, score = 100
            //   f20f11842490000000     | movsd    qword ptr [esp + 0x90], xmm0
            //   8984248c000000       | mov                 dword ptr [esp + 0x8c], eax
            //   0f843affffff         | je                  0xffffff40
            //   e9????????           |                     
            //   8b442454             | mov                 eax, dword ptr [esp + 0x54]

        $sequence_55 = { c701???????? 8b4c241c 89442418 ffd1 83ec04 }
            // n = 5, score = 100
            //   c701????????         |                     
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   ffd1                 | call                ecx
            //   83ec04               | sub                 esp, 4

    condition:
        7 of them and filesize < 253952
}
Download all Yara Rules