Malware Analysis Spotlight: The Return of Emotet
July 22, 2020 | Malware Analysis
Figure 0: VMRay Analyzer Report showing verdict and process graph of a sample from Emotet campaign July 2020.
After a long period of inactivity, the infamous malware delivery framework Emotet is back: the three Emotet botnets started pushing malicious spam on Friday, July 17. In this Malware Analysis Spotlight, we take a look at one of the Microsoft Word documents used in the campaign (Figure 1).
View the VMRay Analyzer Report for Emotet (July 2020)
The document contains a heavily obfuscated macro (Figure 2) that starts executing as soon as the document is opened.
The macro launches a PowerShell instance with an encoded command passed as a program argument (Figure 3). The decoded command tries to download Emotet from five hardcoded hosts and saves it under a fixed file name specified in the command itself; the file is later moved to %AppData%\msvcr100\.
If a download succeeds, a new Emotet process is launched. (View the full list of hosts)
To achieve persistence, Emotet uses the well-known Run key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
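The two behaviors described above, Word spawning PowerShell with an encoded command and a Run-key entry pointing into %AppData%, are the kind of telemetry a defender can triage directly. The following is an added example, not code from the VMRay report; it runs over constructed process and registry events (the encoded payload is a placeholder string, not the campaign's command) and flags both patterns.

```python
import base64
import re

def _enc(cmd: str) -> str:
    """PowerShell -EncodedCommand takes base64 of UTF-16LE text."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode()

# Constructed sample events (not from the report). The decoded payload is a
# token-bearing placeholder, and the file name under msvcr100 is invented.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n invoice.doc"},
    {"type": "process", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -enc " + _enc(
         "PLACEHOLDER New-Object Net.WebClient DownloadFile "
         "hxxp://host-one.invalid/ hxxp://host-two.invalid/")},
    {"type": "registry", "image": "payload.exe",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\u\AppData\Roaming\msvcr100\payload.exe"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
CRADLE_TOKENS = ("webclient", "downloadfile", "downloadstring")
RUN_KEY = r"\microsoft\windows\currentversion\run"

def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -e/-enc/-EncodedCommand payload, or '' if absent."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def triage(events):
    """Flag Office-spawned PowerShell and Run-key values under %AppData%."""
    alerts = []
    for e in events:
        if (e["type"] == "process" and e["image"].lower() == "powershell.exe"
                and e["parent"].lower() in OFFICE_PARENTS):
            decoded = decode_encoded_command(e["cmdline"])
            hits = [t for t in CRADLE_TOKENS if t in decoded.lower()]
            alerts.append({"rule": "office_spawns_powershell",
                           "decoded": decoded, "cradle_tokens": hits})
        if (e["type"] == "registry" and RUN_KEY in e["key"].lower()
                and "\\appdata\\" in e["value"].lower()):
            alerts.append({"rule": "run_key_appdata", "value": e["value"]})
    return alerts
```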
Emotet still uses third-party NirSoft tools to steal credentials and gather information. Each of these modules is injected into a newly created process of its own (Figure 5).
In addition to the injection information, the modules are visible in VMRay’s extracted function strings file (Figure 6).
VMRay Analyzer correctly recognizes the spyware behavior of Emotet (Figure 7).
Compared to previous Emotet campaigns, the ongoing campaign uses a new template for the Word document attached to the spam emails. Nonetheless, the behavior of Emotet and of the downloaded modules observed in this analysis remains the same as in previous campaigns.
List of IOCs