Emotet (Malware Family)

Emotet

aka: Geodo, Heodo

Actor(s): MUMMY SPIDER, Mealybug

URLhaus

There is no description at this point.

References

https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/

http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/

https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html

https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers/

https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage

https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/

https://cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/

https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/

https://github.com/d00rt/emotet_research

https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html

https://www.us-cert.gov/ncas/alerts/TA18-201A

https://portswigger.net/daily-swig/emotet-trojan-implicated-in-wolverine-solutions-ransomware-attack

https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/

https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html

http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1

https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service

https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/

https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/

https://research.checkpoint.com/emotet-tricky-trojan-git-clones/

https://www.cert.pl/en/news/single/analysis-of-emotet-v4/

https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor

https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/

https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner_Emotet_greift_Unternehmensnetzwerke_an.html

https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes

https://persianov.net/emotet-malware-analysis-part-1

https://persianov.net/emotet-malware-analysis-part-2

https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol

https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/

https://paste.cryptolaemus.com

https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc

https://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/

https://www.fidelissecurity.com/threatgeek/2017/07/emotet-takes-wing-spreader

https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/

https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69

https://feodotracker.abuse.ch/?filter=version_e

https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus

https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/

https://www.blueliv.com/blog/research/where-is-emotet-latest-geolocation-data/

Yara Rules

[TLP:WHITE] win_emotet_auto (20180607 | autogenerated rule brought to you by yara-signator)

rule win_emotet_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { c1e807 41 83f87f 77f7 }
            // n = 4, score = 8000
            //   c1e807               | shr                 eax, 7
            //   41                   | inc                 ecx
            //   83f87f               | cmp                 eax, 0x7f
            //   77f7                 | ja                  0x1e72a18

        $sequence_1 = { c1e807 46 83f87f 77f7 }
            // n = 4, score = 8000
            //   c1e807               | shr                 eax, 7
            //   46                   | inc                 esi
            //   83f87f               | cmp                 eax, 0x7f
            //   77f7                 | ja                  0x1e72a00

        $sequence_2 = { b901000000 83f87f 7609 c1e807 }
            // n = 4, score = 6000
            //   b901000000           | mov                 ecx, 1
            //   83f87f               | cmp                 eax, 0x7f
            //   7609                 | jbe                 0x1e72a21
            //   c1e807               | shr                 eax, 7

        $sequence_3 = { c1e807 42 83f87f 77f7 }
            // n = 4, score = 6000
            //   c1e807               | shr                 eax, 7
            //   42                   | inc                 edx
            //   83f87f               | cmp                 eax, 0x7f
            //   77f7                 | ja                  0x1e72997

        $sequence_4 = { 83f87f 7609 c1e807 41 }
            // n = 4, score = 6000
            //   83f87f               | cmp                 eax, 0x7f
            //   7609                 | jbe                 0x1e72a21
            //   c1e807               | shr                 eax, 7
            //   41                   | inc                 ecx

        $sequence_5 = { 7907 83c107 3bf7 72e8 }
            // n = 4, score = 6000
            //   7907                 | jns                 0x1e72ab0
            //   83c107               | add                 ecx, 7
            //   3bf7                 | cmp                 esi, edi
            //   72e8                 | jb                  0x1e72a98

        $sequence_6 = { 7609 c1e807 41 83f87f }
            // n = 4, score = 6000
            //   7609                 | jbe                 0x1e72a21
            //   c1e807               | shr                 eax, 7
            //   41                   | inc                 ecx
            //   83f87f               | cmp                 eax, 0x7f

        $sequence_7 = { 7609 c1e807 41 83f87f 77f7 }
            // n = 5, score = 6000
            //   7609                 | jbe                 0x1e72a21
            //   c1e807               | shr                 eax, 7
            //   41                   | inc                 ecx
            //   83f87f               | cmp                 eax, 0x7f
            //   77f7                 | ja                  0x1e72a18

        $sequence_8 = { b901000000 83f87f 7609 c1e807 41 }
            // n = 5, score = 6000
            //   b901000000           | mov                 ecx, 1
            //   83f87f               | cmp                 eax, 0x7f
            //   7609                 | jbe                 0x1e72a21
            //   c1e807               | shr                 eax, 7
            //   41                   | inc                 ecx

        $sequence_9 = { 83f87f 7609 c1e807 41 83f87f }
            // n = 5, score = 6000
            //   83f87f               | cmp                 eax, 0x7f
            //   7609                 | jbe                 0x1e72a21
            //   c1e807               | shr                 eax, 7
            //   41                   | inc                 ecx
            //   83f87f               | cmp                 eax, 0x7f

    condition:
        7 of them
}

Download all Yara Rules

Emotet Propose Change

References

Yara Rules

Emotet