win.emotet

Emotet

aka: Geodo, Heodo

Actor(s): MUMMY SPIDER, Mealybug


Emotet began as a banking trojan organised as a botnet, but today it operates mainly as a malware-delivery platform ("infrastructure as a service"). It still steals information from infected hosts — the references below document mass e-mail harvesting and abuse of Outlook data — but its operators opened an additional business channel by renting the botnet to deliver third-party payloads; TrickBot, Ryuk and Qakbot are among those documented in the references. Analysts classify the botnet into "epochs" according to its command-and-control infrastructure, payloads and delivery mechanisms, all of which change over time.

References
2020-01-17 ⋅ Hiroaki Ogawa, Manabu Niseki
@techreport{ogawa:20200117:100:035a7dd, author = {Hiroaki Ogawa and Manabu Niseki}, title = {{100 more behind cockroaches?}}, date = {2020-01-17}, institution = {}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf}, language = {English}, urldate = {2020-01-17} } 100 more behind cockroaches?
MoqHao Emotet Predator The Thief
2020-01-14 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20200114:united:a309baa, author = {Lawrence Abrams}, title = {{United Nations Targeted With Emotet Malware Phishing Attack}}, date = {2020-01-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/}, language = {English}, urldate = {2020-01-20} } United Nations Targeted With Emotet Malware Phishing Attack
Emotet
2020-01-13 ⋅ Gigamon ⋅ William Peteroy, Ed Miles
@online{peteroy:20200113:emotet:60abae1, author = {William Peteroy and Ed Miles}, title = {{Emotet: Not your Run-of-the-mill Malware}}, date = {2020-01-13}, organization = {Gigamon}, url = {https://atr-blog.gigamon.com/2020/01/13/emotet-not-your-run-of-the-mill-malware/}, language = {English}, urldate = {2020-01-17} } Emotet: Not your Run-of-the-mill Malware
Emotet
2020-01-10 ⋅ CSIS
@techreport{csis:20200110:threat:7454f36, author = {CSIS}, title = {{Threat Matrix H1 2019}}, date = {2020-01-10}, institution = {CSIS}, url = {https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf}, language = {English}, urldate = {2020-01-22} } Threat Matrix H1 2019
Gustuff magecart Emotet Gandcrab Ramnit TrickBot
2020-01-07 ⋅ Hatching.io ⋅ Team
@online{team:20200107:powershell:fb8264e, author = {Team}, title = {{Powershell Static Analysis & Emotet results}}, date = {2020-01-07}, organization = {Hatching.io}, url = {https://hatching.io/blog/powershell-analysis}, language = {English}, urldate = {2020-01-12} } Powershell Static Analysis & Emotet results
Emotet
2019-12-10 ⋅ JPCERT/CC
@online{jpcertcc:20191210:updated:86aee30, author = {JPCERT/CC}, title = {{[Updated] Alert Regarding Emotet Malware Infection}}, date = {2019-12-10}, organization = {JPCERT/CC}, url = {https://www.jpcert.or.jp/english/at/2019/at190044.html}, language = {English}, urldate = {2020-01-09} } [Updated] Alert Regarding Emotet Malware Infection
Emotet
2019-12-04 ⋅ JPCERT/CC ⋅ Ken Sajo
@online{sajo:20191204:how:60225fe, author = {Ken Sajo}, title = {{How to Respond to Emotet Infection (FAQ)}}, date = {2019-12-04}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2019/12/emotetfaq.html}, language = {English}, urldate = {2020-01-13} } How to Respond to Emotet Infection (FAQ)
Emotet
2019-11-06 ⋅ Heise Security ⋅ Thomas Hungenberg
@online{hungenberg:20191106:emotet:1605954, author = {Thomas Hungenberg}, title = {{Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail}}, date = {2019-11-06}, organization = {Heise Security}, url = {https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html}, language = {German}, urldate = {2020-01-06} } Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail
Emotet Ryuk TrickBot
2019-10-14 ⋅ Marco Ramilli
@online{ramilli:20191014:is:de28de6, author = {Marco Ramilli}, title = {{Is Emotet gang targeting companies with external SOC?}}, date = {2019-10-14}, url = {https://marcoramilli.com/2019/10/14/is-emotet-gang-targeting-companies-with-external-soc/}, language = {English}, urldate = {2019-12-20} } Is Emotet gang targeting companies with external SOC?
Emotet
2019-09-16 ⋅ Malwarebytes ⋅ Threat Intelligence Team
@online{team:20190916:emotet:9c6c8f3, author = {Threat Intelligence Team}, title = {{Emotet is back: botnet springs back to life with new spam campaign}}, date = {2019-09-16}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign/}, language = {English}, urldate = {2019-12-20} } Emotet is back: botnet springs back to life with new spam campaign
Emotet
2019-08-13 ⋅ Adalogics ⋅ David Korczynski
@online{korczynski:20190813:state:a4ad074, author = {David Korczynski}, title = {{The state of advanced code injections}}, date = {2019-08-13}, organization = {Adalogics}, url = {https://adalogics.com/blog/the-state-of-advanced-code-injections}, language = {English}, urldate = {2020-01-13} } The state of advanced code injections
Dridex Emotet Tinba
2019-08-12 ⋅ Schweizerische Eidgenossenschaft
@online{eidgenossenschaft:20190812:trojaner:60574cc, author = {Schweizerische Eidgenossenschaft}, title = {{Trojaner Emotet greift Unternehmensnetzwerke an}}, date = {2019-08-12}, organization = {Schweizerische Eidgenossenschaft}, url = {https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner_Emotet_greift_Unternehmensnetzwerke_an.html}, language = {German}, urldate = {2020-01-08} } Trojaner Emotet greift Unternehmensnetzwerke an
Emotet
2019-06-06 ⋅ Fortinet ⋅ Kai Lu
@online{lu:20190606:deep:0ac679a, author = {Kai Lu}, title = {{A Deep Dive into the Emotet Malware}}, date = {2019-06-06}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware.html}, language = {English}, urldate = {2020-01-07} } A Deep Dive into the Emotet Malware
Emotet
2019-05-15 ⋅ Proofpoint ⋅ Axel F, Proofpoint Threat Insight Team
@online{f:20190515:threat:06b415a, author = {Axel F and Proofpoint Threat Insight Team}, title = {{Threat Actor Profile: TA542, From Banker to Malware Distribution Service}}, date = {2019-05-15}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service}, language = {English}, urldate = {2019-12-20} } Threat Actor Profile: TA542, From Banker to Malware Distribution Service
Emotet MUMMY SPIDER
2019-05-09 ⋅ GovCERT.ch
@online{govcertch:20190509:severe:2767782, author = {GovCERT.ch}, title = {{Severe Ransomware Attacks Against Swiss SMEs}}, date = {2019-05-09}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes}, language = {English}, urldate = {2019-07-11} } Severe Ransomware Attacks Against Swiss SMEs
Emotet LockerGoga Ryuk TrickBot
2019-04-29 ⋅ Blueliv ⋅ Blueliv Labs Team
@online{team:20190429:where:8c3db39, author = {Blueliv Labs Team}, title = {{Where is Emotet? Latest geolocation data}}, date = {2019-04-29}, organization = {Blueliv}, url = {https://www.blueliv.com/blog/research/where-is-emotet-latest-geolocation-data/}, language = {English}, urldate = {2020-01-08} } Where is Emotet? Latest geolocation data
Emotet
2019-04-25 ⋅ Trend Micro
@online{trendmicro:20190425:emotet:04884ca, author = {Trendmicro}, title = {{Emotet Adds New Evasion Technique}}, date = {2019-04-25}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers/}, language = {English}, urldate = {2019-11-26} } Emotet Adds New Evasion Technique
Emotet
2019-04-22 ⋅ int 0xcc blog ⋅ Raashid Bhat
@online{bhat:20190422:dissecting:ffba987, author = {Raashid Bhat}, title = {{Dissecting Emotet’s network communication protocol}}, date = {2019-04-22}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol}, language = {English}, urldate = {2020-01-06} } Dissecting Emotet’s network communication protocol
Emotet
2019-04-12 ⋅ SpamTitan ⋅ titanadmin
@online{titanadmin:20190412:emotet:12ca0e7, author = {titanadmin}, title = {{Emotet Malware Revives Old Email Conversations Threads to Increase Infection Rates}}, date = {2019-04-12}, organization = {SpamTitan}, url = {https://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/}, language = {English}, urldate = {2020-01-09} } Emotet Malware Revives Old Email Conversations Threads to Increase Infection Rates
Emotet
2019-04-07 ⋅ Sveatoslav Persianov
@online{persianov:20190407:emotet:0aeaa67, author = {Sveatoslav Persianov}, title = {{Emotet malware analysis. Part 2}}, date = {2019-04-07}, url = {https://persianov.net/emotet-malware-analysis-part-2}, language = {English}, urldate = {2020-01-05} } Emotet malware analysis. Part 2
Emotet
2019-04 ⋅ Cafe Babe
@online{babe:201904:analyzing:3a404ff, author = {Cafe Babe}, title = {{Analyzing Emotet with Ghidra — Part 1}}, date = {2019-04}, url = {https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69}, language = {English}, urldate = {2019-12-06} } Analyzing Emotet with Ghidra — Part 1
Emotet
2019-03-27 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
@online{labs:20190327:emotet:388559f, author = {Spamhaus Malware Labs}, title = {{Emotet adds a further layer of camouflage}}, date = {2019-03-27}, organization = {Spamhaus}, url = {https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage}, language = {English}, urldate = {2020-01-06} } Emotet adds a further layer of camouflage
Emotet
2019-03-17 ⋅ Persianov on Security ⋅ Sveatoslav Persianov
@online{persianov:20190317:emotet:ee3ed0b, author = {Sveatoslav Persianov}, title = {{Emotet malware analysis. Part 1}}, date = {2019-03-17}, organization = {Persianov on Security}, url = {https://persianov.net/emotet-malware-analysis-part-1}, language = {English}, urldate = {2019-12-17} } Emotet malware analysis. Part 1
Emotet
2019-03-15 ⋅ Cofense ⋅ Threat Intelligence
@online{intelligence:20190315:flash:c7544fd, author = {Threat Intelligence}, title = {{Flash Bulletin: Emotet Epoch 1 Changes its C2 Communication}}, date = {2019-03-15}, organization = {Cofense}, url = {https://cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/}, language = {English}, urldate = {2019-10-23} } Flash Bulletin: Emotet Epoch 1 Changes its C2 Communication
Emotet
2019-03-08 ⋅ The Daily Swig ⋅ James Walker
@online{walker:20190308:emotet:f1a68de, author = {James Walker}, title = {{Emotet trojan implicated in Wolverine Solutions ransomware attack}}, date = {2019-03-08}, organization = {The Daily Swig}, url = {https://portswigger.net/daily-swig/emotet-trojan-implicated-in-wolverine-solutions-ransomware-attack}, language = {English}, urldate = {2019-07-10} } Emotet trojan implicated in Wolverine Solutions ransomware attack
Emotet
2019-02-16 ⋅ Max Kersten's Blog ⋅ Max Kersten
@online{kersten:20190216:emotet:7cb0628, author = {Max Kersten}, title = {{Emotet droppers}}, date = {2019-02-16}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/}, language = {English}, urldate = {2020-01-09} } Emotet droppers
Emotet
2019-01-17 ⋅ SANS ISC InfoSec Forums ⋅ Brad Duncan
@online{duncan:20190117:emotet:0754347, author = {Brad Duncan}, title = {{Emotet infections and follow-up malware}}, date = {2019-01-17}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/}, language = {English}, urldate = {2020-01-13} } Emotet infections and follow-up malware
Emotet
2019-01-05 ⋅ Github (d00rt) ⋅ d00rt
@online{d00rt:20190105:emotet:8dee25a, author = {d00rt}, title = {{Emotet Research}}, date = {2019-01-05}, organization = {Github (d00rt)}, url = {https://github.com/d00rt/emotet_research}, language = {English}, urldate = {2020-01-10} } Emotet Research
Emotet
2019 ⋅ D00RT_RM
@online{d00rtrm:2019:emutet:8913da8, author = {D00RT_RM}, title = {{Emutet}}, date = {2019}, url = {https://d00rt.github.io/emotet_network_protocol/}, language = {English}, urldate = {2020-01-07} } Emutet
Emotet
2018-12-18 ⋅ Trend Micro
@online{trendmicro:20181218:ursnif:cc5ce31, author = {Trendmicro}, title = {{URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader}}, date = {2018-12-18}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/}, language = {English}, urldate = {2020-01-07} } URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader
Dridex Emotet FriedEx ISFB
2018-11-16 ⋅ Trend Micro
@online{micro:20181116:exploring:be1e153, author = {Trend Micro}, title = {{Exploring Emotet: Examining Emotet’s Activities, Infrastructure}}, date = {2018-11-16}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/}, language = {English}, urldate = {2020-01-12} } Exploring Emotet: Examining Emotet’s Activities, Infrastructure
Emotet
2018-11-09 ⋅ ESET Research
@online{research:20181109:emotet:b12ec91, author = {ESET Research}, title = {{Emotet launches major new spam campaign}}, date = {2018-11-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/}, language = {English}, urldate = {2019-11-14} } Emotet launches major new spam campaign
Emotet
2018-10-31 ⋅ Kryptos Logic
@online{logic:20181031:emotet:ab7226f, author = {Kryptos Logic}, title = {{Emotet Awakens With New Campaign of Mass Email Exfiltration}}, date = {2018-10-31}, organization = {Kryptos Logic}, url = {https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html}, language = {English}, urldate = {2020-01-08} } Emotet Awakens With New Campaign of Mass Email Exfiltration
Emotet
2018-09-12 ⋅ Cryptolaemus Pastedump ⋅ Cryptolaemus
@online{cryptolaemus:20180912:emotet:013e01b, author = {Cryptolaemus}, title = {{Emotet IOC}}, date = {2018-09-12}, organization = {Cryptolaemus Pastedump}, url = {https://paste.cryptolaemus.com}, language = {English}, urldate = {2020-01-13} } Emotet IOC
Emotet
2018-08-01 ⋅ Kryptos Logic
@online{logic:20180801:inside:e5a8e2c, author = {Kryptos Logic}, title = {{Inside Look at Emotet's Global Victims and Malspam Qakbot Payloads}}, date = {2018-08-01}, organization = {Kryptos Logic}, url = {https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html}, language = {English}, urldate = {2020-01-09} } Inside Look at Emotet's Global Victims and Malspam Qakbot Payloads
Emotet
2018-07-26 ⋅ Intezer ⋅ Itai Tevet
@online{tevet:20180726:mitigating:30dc2fb, author = {Itai Tevet}, title = {{Mitigating Emotet, The Most Common Banking Trojan}}, date = {2018-07-26}, organization = {Intezer}, url = {https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/}, language = {English}, urldate = {2019-12-31} } Mitigating Emotet, The Most Common Banking Trojan
Emotet
2018-07-24 ⋅ Check Point ⋅ Ofer Caspi, Ben Herzog
@online{caspi:20180724:emotet:a26725d, author = {Ofer Caspi and Ben Herzog}, title = {{Emotet: The Tricky Trojan that ‘Git Clones’}}, date = {2018-07-24}, organization = {Check Point}, url = {https://research.checkpoint.com/emotet-tricky-trojan-git-clones/}, language = {English}, urldate = {2020-01-13} } Emotet: The Tricky Trojan that ‘Git Clones’
Emotet
2018-07-23 ⋅ MalFind ⋅ Lasq
@online{lasq:20180723:deobfuscating:dd200d6, author = {Lasq}, title = {{Deobfuscating Emotet’s powershell payload}}, date = {2018-07-23}, organization = {MalFind}, url = {https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/}, language = {English}, urldate = {2020-01-09} } Deobfuscating Emotet’s powershell payload
Emotet
2018-07-20 ⋅ NCCIC ⋅ National Cybersecurity and Communications Integration Center
@online{cybersecurity:20180720:alert:89ca0c7, author = {National Cybersecurity and Communications Integration Center}, title = {{Alert (TA18-201A) Emotet Malware}}, date = {2018-07-20}, organization = {NCCIC}, url = {https://www.us-cert.gov/ncas/alerts/TA18-201A}, language = {English}, urldate = {2019-10-27} } Alert (TA18-201A) Emotet Malware
Emotet
2018-07-18 ⋅ Symantec ⋅ Security Response Attack Investigation Team
@online{team:20180718:evolution:25e5d39, author = {Security Response Attack Investigation Team}, title = {{The Evolution of Emotet: From Banking Trojan to Threat Distributor}}, date = {2018-07-18}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor}, language = {English}, urldate = {2019-11-27} } The Evolution of Emotet: From Banking Trojan to Threat Distributor
Emotet
2018-02-08 ⋅ CrowdStrike ⋅ Adam Meyers
@online{meyers:20180208:meet:39f25b3, author = {Adam Meyers}, title = {{Meet CrowdStrike’s Adversary of the Month for February: MUMMY SPIDER}}, date = {2018-02-08}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/}, language = {English}, urldate = {2019-12-20} } Meet CrowdStrike’s Adversary of the Month for February: MUMMY SPIDER
Emotet MUMMY SPIDER
2018 ⋅ Quick Heal
@techreport{heal:2018:complete:96388ed, author = {Quick Heal}, title = {{The Complete story of EMOTET Most prominent Malware of 2018}}, date = {2018}, institution = {Quick Heal}, url = {https://quickheal.co.in/documents/technical-paper/Whitepaper_HowToPM.pdf}, language = {English}, urldate = {2020-01-13} } The Complete story of EMOTET Most prominent Malware of 2018
Emotet
2017-11-15 ⋅ Trend Micro ⋅ Rubio Wu
@online{wu:20171115:new:dde35b0, author = {Rubio Wu}, title = {{New EMOTET Hijacks a Windows API, Evades Sandbox and Analysis}}, date = {2017-11-15}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/}, language = {English}, urldate = {2019-10-14} } New EMOTET Hijacks a Windows API, Evades Sandbox and Analysis
Emotet
2017-11-06 ⋅ Microsoft ⋅ Microsoft Defender ATP Research Team
@online{team:20171106:mitigating:f52d1d9, author = {Microsoft Defender ATP Research Team}, title = {{Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks}}, date = {2017-11-06}, organization = {Microsoft}, url = {https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc}, language = {English}, urldate = {2019-12-18} } Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks
Emotet
2017-10-12 ⋅ G Data
@online{data:20171012:emotet:c99dec0, author = {G Data}, title = {{Emotet beutet Outlook aus}}, date = {2017-10-12}, organization = {G Data}, url = {https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus}, language = {German}, urldate = {2019-12-05} } Emotet beutet Outlook aus
Emotet
2017-09-07 ⋅ Trend Micro ⋅ Don Ladores
@online{ladores:20170907:emotet:bf3075c, author = {Don Ladores}, title = {{EMOTET Returns, Starts Spreading via Spam Botnet}}, date = {2017-09-07}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/}, language = {English}, urldate = {2019-11-28} } EMOTET Returns, Starts Spreading via Spam Botnet
Emotet
2017-05-24 ⋅ CERT.PL ⋅ Paweł Srokosz
@online{srokosz:20170524:analysis:1d591e7, author = {Paweł Srokosz}, title = {{Analysis of Emotet v4}}, date = {2017-05-24}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/analysis-of-emotet-v4/}, language = {English}, urldate = {2020-01-09} } Analysis of Emotet v4
Emotet
2017-05-03 ⋅ Fortinet ⋅ Xiaopeng Zhang
@online{zhang:20170503:deep:4b1f7c7, author = {Xiaopeng Zhang}, title = {{Deep Analysis of New Emotet Variant - Part 1}}, date = {2017-05-03}, organization = {Fortinet}, url = {http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1}, language = {English}, urldate = {2019-07-08} } Deep Analysis of New Emotet Variant - Part 1
Emotet
2015-04-09 ⋅ Kaspersky Labs ⋅ Alexey Shulmin
@online{shulmin:20150409:banking:165b265, author = {Alexey Shulmin}, title = {{The Banking Trojan Emotet: Detailed Analysis}}, date = {2015-04-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/}, language = {English}, urldate = {2019-12-20} } The Banking Trojan Emotet: Detailed Analysis
Emotet
2013-01-18 ⋅ abuse.ch
@online{abusech:20130118:feodo:5354db0, author = {abuse.ch}, title = {{Feodo Tracker}}, date = {2013-01-18}, organization = {abuse.ch}, url = {https://feodotracker.abuse.ch/?filter=version_e}, language = {English}, urldate = {2020-01-13} } Feodo Tracker
Emotet
Yara Rules
[TLP:WHITE] win_emotet_auto (Malpedia version 20190204 | autogenerated rule brought to you by yara-signator; note the rule's own `date` meta below is 2019-11-26 — the generation date, not the corpus snapshot)
rule win_emotet_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 83c020 eb03 0fb7c0 69d23f000100 }
            // n = 4, score = 1600
            //   83c020               | add                 eax, 0x20
            //   eb03                 | jmp                 5
            //   0fb7c0               | movzx               eax, ax
            //   69d23f000100         | imul                edx, edx, 0x1003f

        $sequence_1 = { c1e807 46 83f87f 77f7 }
            // n = 4, score = 1500
            //   c1e807               | shr                 eax, 7
            //   46                   | inc                 esi
            //   83f87f               | cmp                 eax, 0x7f
            //   77f7                 | ja                  0xfffffff9

        $sequence_2 = { 3903 5f 5e 0f95c0 5b 8be5 }
            // n = 6, score = 1300
            //   3903                 | cmp                 dword ptr [ebx], eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   0f95c0               | setne               al
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp

        $sequence_3 = { 03d0 0fb701 6685c0 75d6 }
            // n = 4, score = 1300
            //   03d0                 | add                 edx, eax
            //   0fb701               | movzx               eax, word ptr [ecx]
            //   6685c0               | test                ax, ax
            //   75d6                 | jne                 0xffffffd8

        $sequence_4 = { 0fb7c0 69d23f000100 83c102 03d0 0fb701 }
            // n = 5, score = 1300
            //   0fb7c0               | movzx               eax, ax
            //   69d23f000100         | imul                edx, edx, 0x1003f
            //   83c102               | add                 ecx, 2
            //   03d0                 | add                 edx, eax
            //   0fb701               | movzx               eax, word ptr [ecx]

        $sequence_5 = { 6685c0 7430 8d9b00000000 6683f841 720e 6683f85a }
            // n = 6, score = 1300
            //   6685c0               | test                ax, ax
            //   7430                 | je                  0x32
            //   8d9b00000000         | lea                 ebx, [ebx]
            //   6683f841             | cmp                 ax, 0x41
            //   720e                 | jb                  0x10
            //   6683f85a             | cmp                 ax, 0x5a

        $sequence_6 = { 8d5801 f6c30f 7406 83e3f0 }
            // n = 4, score = 1300
            //   8d5801               | lea                 ebx, [eax + 1]
            //   f6c30f               | test                bl, 0xf
            //   7406                 | je                  8
            //   83e3f0               | and                 ebx, 0xfffffff0

        $sequence_7 = { 0fb701 33d2 6685c0 7430 }
            // n = 4, score = 1300
            //   0fb701               | movzx               eax, word ptr [ecx]
            //   33d2                 | xor                 edx, edx
            //   6685c0               | test                ax, ax
            //   7430                 | je                  0x32

        $sequence_8 = { 2b4770 8901 8b477c 85c0 7448 }
            // n = 5, score = 1200
            //   2b4770               | sub                 eax, dword ptr [edi + 0x70]
            //   8901                 | mov                 dword ptr [ecx], eax
            //   8b477c               | mov                 eax, dword ptr [edi + 0x7c]
            //   85c0                 | test                eax, eax
            //   7448                 | je                  0x4a

        $sequence_9 = { 8b4d0c 8bc2 0bc1 83f8ff }
            // n = 4, score = 1200
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   8bc2                 | mov                 eax, edx
            //   0bc1                 | or                  eax, ecx
            //   83f8ff               | cmp                 eax, -1

        $sequence_10 = { 8b4508 894dcc 8d4dc8 8945c8 }
            // n = 4, score = 1200
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   894dcc               | mov                 dword ptr [ebp - 0x34], ecx
            //   8d4dc8               | lea                 ecx, [ebp - 0x38]
            //   8945c8               | mov                 dword ptr [ebp - 0x38], eax

        $sequence_11 = { ff15???????? 017758 83c40c 29775c 8b477c }
            // n = 5, score = 1200
            //   ff15????????         |                     
            //   017758               | add                 dword ptr [edi + 0x58], esi
            //   83c40c               | add                 esp, 0xc
            //   29775c               | sub                 dword ptr [edi + 0x5c], esi
            //   8b477c               | mov                 eax, dword ptr [edi + 0x7c]

        $sequence_12 = { 7907 83c107 3bf7 72e8 }
            // n = 4, score = 1100
            //   7907                 | jns                 9
            //   83c107               | add                 ecx, 7
            //   3bf7                 | cmp                 esi, edi
            //   72e8                 | jb                  0xffffffea

        $sequence_13 = { 83f87f 760d 8d642400 c1e807 }
            // n = 4, score = 900
            //   83f87f               | cmp                 eax, 0x7f
            //   760d                 | jbe                 0xf
            //   8d642400             | lea                 esp, [esp]
            //   c1e807               | shr                 eax, 7

        $sequence_14 = { b901000000 83f87f 7609 c1e807 41 83f87f 77f7 }
            // n = 7, score = 900
            //   b901000000           | mov                 ecx, 1
            //   83f87f               | cmp                 eax, 0x7f
            //   7609                 | jbe                 0xb
            //   c1e807               | shr                 eax, 7
            //   41                   | inc                 ecx
            //   83f87f               | cmp                 eax, 0x7f
            //   77f7                 | ja                  0xfffffff9

        $sequence_15 = { 6a00 6aff 50 51 ff15???????? }
            // n = 5, score = 800
            //   6a00                 | push                0
            //   6aff                 | push                -1
            //   50                   | push                eax
            //   51                   | push                ecx
            //   ff15????????         |                     

        $sequence_16 = { 50 6a00 6a01 6a00 ff15???????? a3???????? }
            // n = 6, score = 800
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   a3????????           |                     

        $sequence_17 = { 8b5d08 b8afa96e5e 56 57 }
            // n = 4, score = 700
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   b8afa96e5e           | mov                 eax, 0x5e6ea9af
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_18 = { 56 ff15???????? 8bf8 85ff 743a }
            // n = 5, score = 700
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   743a                 | je                  0x3c

        $sequence_19 = { 53 56 8bf1 bb00c34c84 }
            // n = 4, score = 600
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   bb00c34c84           | mov                 ebx, 0x844cc300

        $sequence_20 = { 8bec 83ec14 53 8b5d08 b8afa96e5e }
            // n = 5, score = 600
            //   8bec                 | mov                 ebp, esp
            //   83ec14               | sub                 esp, 0x14
            //   53                   | push                ebx
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   b8afa96e5e           | mov                 eax, 0x5e6ea9af

        $sequence_21 = { 6a03 6a00 6a00 ff7508 53 }
            // n = 5, score = 500
            //   6a03                 | push                3
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff7508               | push                dword ptr [ebp + 8]
            //   53                   | push                ebx

        $sequence_22 = { 8b45f0 8b8880000000 8b55f4 01ca 89d6 83c60c 8b7df4 }
            // n = 7, score = 500
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   8b8880000000         | mov                 ecx, dword ptr [eax + 0x80]
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   01ca                 | add                 edx, ecx
            //   89d6                 | mov                 esi, edx
            //   83c60c               | add                 esi, 0xc
            //   8b7df4               | mov                 edi, dword ptr [ebp - 0xc]

        $sequence_23 = { 89d6 83c604 8b7de0 8b4c0f04 83f900 }
            // n = 5, score = 500
            //   89d6                 | mov                 esi, edx
            //   83c604               | add                 esi, 4
            //   8b7de0               | mov                 edi, dword ptr [ebp - 0x20]
            //   8b4c0f04             | mov                 ecx, dword ptr [edi + ecx + 4]
            //   83f900               | cmp                 ecx, 0

        $sequence_24 = { 8bf1 bb00c34c84 57 33ff }
            // n = 4, score = 500
            //   8bf1                 | mov                 esi, ecx
            //   bb00c34c84           | mov                 ebx, 0x844cc300
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi

        $sequence_25 = { 0f97c7 08fb f6c301 89f0 }
            // n = 4, score = 500
            //   0f97c7               | seta                bh
            //   08fb                 | or                  bl, bh
            //   f6c301               | test                bl, 1
            //   89f0                 | mov                 eax, esi

        $sequence_26 = { 0fb74c3814 03c7 53 55 8b6c240c 56 8d740118 }
            // n = 7, score = 500
            //   0fb74c3814           | movzx               ecx, word ptr [eax + edi + 0x14]
            //   03c7                 | add                 eax, edi
            //   53                   | push                ebx
            //   55                   | push                ebp
            //   8b6c240c             | mov                 ebp, dword ptr [esp + 0xc]
            //   56                   | push                esi
            //   8d740118             | lea                 esi, [ecx + eax + 0x18]

        $sequence_27 = { 8b5de8 39df 0f97c3 8945a8 }
            // n = 4, score = 500
            //   8b5de8               | mov                 ebx, dword ptr [ebp - 0x18]
            //   39df                 | cmp                 edi, ebx
            //   0f97c3               | seta                bl
            //   8945a8               | mov                 dword ptr [ebp - 0x58], eax

        $sequence_28 = { 8b450c 8b4d08 31d2 8945f4 894df0 }
            // n = 5, score = 500
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   31d2                 | xor                 edx, edx
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx

        $sequence_29 = { 8b45e8 83c001 3dff000000 8945ec }
            // n = 4, score = 500
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   83c001               | add                 eax, 1
            //   3dff000000           | cmp                 eax, 0xff
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax

        $sequence_30 = { 83ec10 53 6a00 8d45fc }
            // n = 4, score = 500
            //   83ec10               | sub                 esp, 0x10
            //   53                   | push                ebx
            //   6a00                 | push                0
            //   8d45fc               | lea                 eax, [ebp - 4]

        $sequence_31 = { 83ec48 53 56 57 6a44 }
            // n = 5, score = 500
            //   83ec48               | sub                 esp, 0x48
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   6a44                 | push                0x44

        $sequence_32 = { 8b7020 8b7840 89c3 83c33c }
            // n = 4, score = 300
            //   8b7020               | mov                 esi, dword ptr [eax + 0x20]
            //   8b7840               | mov                 edi, dword ptr [eax + 0x40]
            //   89c3                 | mov                 ebx, eax
            //   83c33c               | add                 ebx, 0x3c

        $sequence_33 = { 31f6 89720c 897208 897204 }
            // n = 4, score = 200
            //   31f6                 | xor                 esi, esi
            //   89720c               | mov                 dword ptr [edx + 0xc], esi
            //   897208               | mov                 dword ptr [edx + 8], esi
            //   897204               | mov                 dword ptr [edx + 4], esi

        $sequence_34 = { 31c9 89e2 31f6 89720c }
            // n = 4, score = 200
            //   31c9                 | xor                 ecx, ecx
            //   89e2                 | mov                 edx, esp
            //   31f6                 | xor                 esi, esi
            //   89720c               | mov                 dword ptr [edx + 0xc], esi

        $sequence_35 = { 48 8d4c2440 48 89442420 ff15???????? 48 }
            // n = 6, score = 100
            //   48                   | dec                 eax
            //   8d4c2440             | lea                 ecx, [esp + 0x40]
            //   48                   | dec                 eax
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   ff15????????         |                     
            //   48                   | dec                 eax

        $sequence_36 = { 52 56 b828000000 e8???????? 84c0 }
            // n = 5, score = 100
            //   52                   | push                edx
            //   56                   | push                esi
            //   b828000000           | mov                 eax, 0x28
            //   e8????????           |                     
            //   84c0                 | test                al, al

        $sequence_37 = { 41 83c4fc 45 8bc4 e8???????? 48 8b8dd8000000 }
            // n = 7, score = 100
            //   41                   | inc                 ecx
            //   83c4fc               | add                 esp, -4
            //   45                   | inc                 ebp
            //   8bc4                 | mov                 eax, esp
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   8b8dd8000000         | mov                 ecx, dword ptr [ebp + 0xd8]

        $sequence_38 = { 745c 0fb74e14 8b450c 8b54312c 8938 8b4508 8d7c3118 }
            // n = 7, score = 100
            //   745c                 | je                  0x5e
            //   0fb74e14             | movzx               ecx, word ptr [esi + 0x14]
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8b54312c             | mov                 edx, dword ptr [ecx + esi + 0x2c]
            //   8938                 | mov                 dword ptr [eax], edi
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8d7c3118             | lea                 edi, [ecx + esi + 0x18]

        $sequence_39 = { 51 ff15???????? 85c0 740c 8b55e4 46 663b7206 }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   740c                 | je                  0xe
            //   8b55e4               | mov                 edx, dword ptr [ebp - 0x1c]
            //   46                   | inc                 esi
            //   663b7206             | cmp                 si, word ptr [edx + 6]

        $sequence_40 = { 7463 6683f80b 7573 0fb706 c1e010 99 8bf8 }
            // n = 7, score = 100
            //   7463                 | je                  0x65
            //   6683f80b             | cmp                 ax, 0xb
            //   7573                 | jne                 0x75
            //   0fb706               | movzx               eax, word ptr [esi]
            //   c1e010               | shl                 eax, 0x10
            //   99                   | cdq                 
            //   8bf8                 | mov                 edi, eax

        $sequence_41 = { 8b45f4 83c0fc 50 8d4b04 51 57 }
            // n = 6, score = 100
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   83c0fc               | add                 eax, -4
            //   50                   | push                eax
            //   8d4b04               | lea                 ecx, [ebx + 4]
            //   51                   | push                ecx
            //   57                   | push                edi

        $sequence_42 = { 89e8 894c247c 8b8c2480000000 01c8 83c1c0 81f9c00f0000 }
            // n = 6, score = 100
            //   89e8                 | mov                 eax, ebp
            //   894c247c             | mov                 dword ptr [esp + 0x7c], ecx
            //   8b8c2480000000       | mov                 ecx, dword ptr [esp + 0x80]
            //   01c8                 | add                 eax, ecx
            //   83c1c0               | add                 ecx, -0x40
            //   81f9c00f0000         | cmp                 ecx, 0xfc0

        $sequence_43 = { 8b542444 8b723c 8b7e3c 89f3 }
            // n = 4, score = 100
            //   8b542444             | mov                 edx, dword ptr [esp + 0x44]
            //   8b723c               | mov                 esi, dword ptr [edx + 0x3c]
            //   8b7e3c               | mov                 edi, dword ptr [esi + 0x3c]
            //   89f3                 | mov                 ebx, esi

        $sequence_44 = { f20f11942480000000 f20f114c2458 89442454 0f84fcfeffff e9???????? }
            // n = 5, score = 100
            //   f20f11942480000000     | movsd    qword ptr [esp + 0x80], xmm2
            //   f20f114c2458         | movsd               qword ptr [esp + 0x58], xmm1
            //   89442454             | mov                 dword ptr [esp + 0x54], eax
            //   0f84fcfeffff         | je                  0xffffff02
            //   e9????????           |                     

        $sequence_45 = { 81c490030000 5b c3 32c0 48 81c490030000 }
            // n = 6, score = 100
            //   81c490030000         | add                 esp, 0x390
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   32c0                 | xor                 al, al
            //   48                   | dec                 eax
            //   81c490030000         | add                 esp, 0x390

        $sequence_46 = { 8b442444 890424 f20f11442410 e8???????? 31c9 8b542444 8b723c }
            // n = 7, score = 100
            //   8b442444             | mov                 eax, dword ptr [esp + 0x44]
            //   890424               | mov                 dword ptr [esp], eax
            //   f20f11442410         | movsd               qword ptr [esp + 0x10], xmm0
            //   e8????????           |                     
            //   31c9                 | xor                 ecx, ecx
            //   8b542444             | mov                 edx, dword ptr [esp + 0x44]
            //   8b723c               | mov                 esi, dword ptr [edx + 0x3c]

        $sequence_47 = { f20f11442470 894c246c ffd2 83ec10 }
            // n = 4, score = 100
            //   f20f11442470         | movsd               qword ptr [esp + 0x70], xmm0
            //   894c246c             | mov                 dword ptr [esp + 0x6c], ecx
            //   ffd2                 | call                edx
            //   83ec10               | sub                 esp, 0x10

    condition:
        7 of them
}