Malware Analysis Spotlight: The Return of Emotet

Date: 2020-07-22

After a long time of being inactive, the infamous malware delivery framework Emotet is back – the three Emotet botnets started pushing malicious spam on Friday, July 17. In this Malware Analysis Spotlight, we will take a look at one of the Microsoft Word documents used in the campaign (Figure 1).

The document uses a highly obfuscated macro (Figure 2) which upon the opening starts executing.

The macro starts a Powershell instance with encoded commands (Figure 3) as a program argument. These commands (Figure 3) then try to download Emotet from five hardcoded hosts and save it with a fixed name specified in the command itself (later moved to %AppData%\msvcr100\).

On success, a new process of Emotet is launched. (View the Full List of hosts)

To achieve persistence, Emotet uses the common registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Emotet still uses third-party software by NirSoft to steal credentials and gather information. These modules are injected into newly created processes of their own (Figure 5).

In addition to the injection information, the modules are visible in VMRay’s extracted function strings file (Figure 6).

The spyware behavior of Emotet is well recognized by VMRay Analyzer (Figure 7).

Compared to previous Emotet campaigns, the ongoing campaign uses a new template for the Word document attached in the spam emails. Nonetheless, the behavior of Emotet and of the downloaded modules within this analysis remains the same compared to previous campaigns.

hxxp://www[.]20190607[.]com/wp-admin/ixyjozs/

hxxps://lovely-lollies[.]com/wp-admin/fgvid/

hxxps://www[.]angage[.]com/wp-content/mtincvc/

hxxps://connect-plus[.]co[.]uk/aspnet_client/3yey3rr/

hxxp://mapas[.]hoonicorns[.]pt/comp3/ly8cmti/

212[.]51[.]142[.]238

109[.]117[.]53[.]230

198[.]144[.]158[.]120

cc4e6e42f73500c72d0d0820b4a3c131e2f8fce4d7d730eb8f9fc1b5cc3e882e

8aee4d46b90f06e10635a7584d506d1dc1cd1b81adb6d7cca04a472af44881bd

4110a2697e0ed0e8990847f3828f9b0e4078cff2e423500f69ea0e35228afb28

Tags : emotet, malware analysis spotlight

Get The Latest Update

Subscribe to our newsletter

Keep up to date with our weekly digest of articles. Get the latest news, invites to events, and threat alerts!

products

use cases

Find yours

Why VMRay

Customer Success Stories

By CAtegory

Featured Integration

Insights

Latest Malware Analysis Spotlight

NEWS

ABOUT US & CONTACT

CAREERs

Malware Analysis Spotlight: The Return of Emotet

Get The Latest Update

Subscribe to our newsletter

Table of Contents

Share With Others:

You May Also Like:

Subscribe to our Newsletter:

Solutions

Products

Why VMRay

Resources

Missed the headlines?

We’re featured in:

ThreatFeed

products

use cases

Find yours

Why VMRay

Customer Success Stories

By CAtegory

Featured Integration

Insights

Malware Analysis Reports

cybersecurity glossary

Latest Malware Analysis Spotlight

NEWS

ABOUT US & CONTACT

CAREERs

Proudly Presenting: UniqueSignal VMRays New Threat Intelligence feed - Actionable Malware Intelligence, Without The Noise

60 Days Free Trial – Available for a limited time

Proudly Presenting: UniqueSignal
VMRays New Threat Intelligence feed -
Actionable Malware Intelligence, Without The Noise