Malware Analysis Spotlight: The Return of Emotet

July 22, 2020 |
Share this entry
Emotet_July_2020_process_graph

Figure 0: VMRay Analyzer Report showing verdict and process graph of a sample from Emotet campaign July 2020.

After a long time of being inactive, the infamous malware delivery framework Emotet is back – the three Emotet botnets started pushing malicious spam on Friday, July 17. In this Malware Analysis Spotlight, we will take a look at one of the Microsoft Word documents used in the campaign (Figure 1).

View the VMRay Analyzer Report for Emotet (July 2020)

Document template

Figure 1: Document template used by Emotet.

The document uses a highly obfuscated macro (Figure 2) which upon the opening starts executing.

Embedded obfuscated macro function

Figure 2: Obfuscated macro function

The macro starts a Powershell instance with encoded commands (Figure 3) as a program argument. These commands (Figure 3) then try to download Emotet from five hardcoded hosts and save it with a fixed name specified in the command itself (later moved to %AppData%\msvcr100\).

On success, a new process of Emotet is launched. (View the Full List of hosts)

Figure 3: Decoded Powershell program argument.

To achieve persistence, Emotet uses the common registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

VMRay Analyzer

Figure 4: VMRay Analyzer detects the achieved persistence of Emotet.

Emotet still uses third-party software by NirSoft to steal credentials and gather information. These modules are injected into newly created processes of their own (Figure 5).

Injection Information

Figure 5: Injection Information of process #16 that has NirSoft’s WebBrowserPassView injected.

In addition to the injection information, the modules are visible in VMRay’s extracted function strings file (Figure 6).

Excerpt of Extracted Function Strings file

Figure 6: Excerpts of VMRay’s extracted function strings files.

The spyware behavior of Emotet is well recognized by VMRay Analyzer (Figure 7).

Compared to previous Emotet campaigns, the ongoing campaign uses a new template for the Word document attached in the spam emails. Nonetheless, the behavior of Emotet and of the downloaded modules within this analysis remains the same compared to previous campaigns.

Detection

Figure 7: Detection of the spyware behavior of Emotet.

List of IOCs

hxxp://www[.]20190607[.]com/wp-admin/ixyjozs/
hxxps://lovely-lollies[.]com/wp-admin/fgvid/
hxxps://www[.]angage[.]com/wp-content/mtincvc/
hxxps://connect-plus[.]co[.]uk/aspnet_client/3yey3rr/
hxxp://mapas[.]hoonicorns[.]pt/comp3/ly8cmti/
212[.]51[.]142[.]238
109[.]117[.]53[.]230
198[.]144[.]158[.]120
cc4e6e42f73500c72d0d0820b4a3c131e2f8fce4d7d730eb8f9fc1b5cc3e882e
8aee4d46b90f06e10635a7584d506d1dc1cd1b81adb6d7cca04a472af44881bd
4110a2697e0ed0e8990847f3828f9b0e4078cff2e423500f69ea0e35228afb28

About VMRay Labs Team

The VMRay Research Team provides in-depth technical content on malware analysis, incident response and threat intelligence.


Share this entry

Website designed and developed by Raincastle Communications, Inc.

Decoding the Verizon DBIR Report: An Insider’s Look Beyond the Headli... Dark Reading - DBIR