Threat Analysis Unit

CB TAU Threat Intelligence Notification – Recent Emotet Campaign Leverages Phishing, PDFs & Droppers Impersonating Legitimate Applications

This past week, CB ThreatSight analysts were investigating suspicious events in a customer environment. The customer had installed the CB Defense sensor on a subset of systems in monitor-only mode for evaluation. While investigating these events, a CB ThreatSight analyst uncovered a new Emotet campaign that used a series of techniques and binaries masquerading as legitimate applications, ultimately injecting an Emotet variant into the memory of the compromised system.

Additional research by the CB Threat Analysis Unit (TAU) discovered at least 225 related samples used in two distinct campaigns. The first campaign occurred at the beginning of the year, and the latest began around March 22. This information is provided to assist researchers and practitioners who may be investigating this campaign.

This campaign highlights the importance of moving away from simple IOC detections and toward detections based on behavioral anomalies.

Having visibility into your endpoints is the foundation on which the rest of your security and threat hunting efforts are built. Once this foundation is in place, the next phase is identifying the behavioral characteristics that indicate different portions of an attack. Taking this approach is what allowed our analyst to quickly identify the initial phases of this attack and protect the customer from a breach. Some specifics of this investigation show that attackers continue to evolve and use new techniques to avoid detection; that is what they do.

However, focusing on characteristics and behaviors that are suspect regardless of the technique or its novelty is what allows you to stay ahead of the curve. This campaign was quickly identified because TAU focuses on creating content and detections that identify these types of suspect behaviors. Having robust amounts of enriched data allows us to understand at scale what is normal in most environments. We can then use this information to formulate detections around sets of behaviors that are not typically observed under normal conditions. When new campaigns like this one are discovered by existing detections in our products, we research them further to determine whether we can refine our methods, and we write campaign-specific detections.

The initial step of the campaign is a phishing email sent to a target. Attached to the email is a PDF file that contains no malicious code or exploits. The PDF purports to be a legitimate document and asks the user to follow a hyperlink to a legitimate website. The actual hyperlink directs the user to a compromised site, which serves different payloads depending on what is being served at the time of the request. In the scenario under investigation, a zip file was downloaded and extracted. Its content was a JavaScript file, which was then executed. The JavaScript file was obfuscated to avoid detection and hamper analysis.

Ultimately the script reaches out to a set of different C2s, which reply with a binary that is saved to the user's Temp directory and executed. It should be noted that Word documents were also being served by the first download site, with the same outcome.

This binary masquerades as a legitimate application, NitroShare.exe in the latest campaign. The executable contains several layers of unpacking. Ultimately it decodes the names of the APIs it needs, loads them, and finally decodes an embedded PE file. The sections of this PE file, which is an Emotet variant, are then copied to different regions of the host process's memory and executed.


Figure 1: Overview of Attack

Technical Details

Initial Detection and Investigation

CB ThreatSight analysts initially investigated an alert generated by the Predictive Security Cloud (PSC) within the customer's CB Defense console. Using heuristic analysis, the PSC detected several highly suspicious behaviors performed by applications with unknown reputations. The image below depicts examples of the behavioral alerts that were generated and triaged. For specific information on Carbon Black product detections, please review the TAU-TIN writeup listed on our User Exchange.

Figure 2: Behavior Alerts

Malicious Attachment

The image below is an example of a PDF document sent to targets as part of this campaign. In this example the PDF purports to be from Citibank and attempts to prompt action by informing the reader that their bank account has been suspended. The hyperlink displays a link to citibank.com; however, the actual link takes the victim system to trinadi[.]my, a compromised or malicious site. The response from this site was a Zip archive containing a JavaScript file, which was then executed.

Figure 3: Phishing Email example

Dropper Analysis

JS File

The image below depicts the JavaScript as it was downloaded from the malicious site. The additional screenshots used in the section below have been altered and variables renamed for analysis.

Figure 4: Attack Overview

The script contains an array of strings required to display a decoy error message and to download the final stage of this attack. The area highlighted in blue below shows the string array, while the area in red highlights the decoy error message displayed to the user.


Figure 5: Attack Overview

The script then builds the necessary objects to communicate with the embedded secondary C2s, which are highlighted in orange in the images below.


Figure 6: Attack Overview

The response is then saved to the user's Temp directory as a randomly named .exe (e.g. 0urwf2lu5.exe), highlighted in yellow in the image below.

Figure 7: Attack Overview

Malicious Dropper

The malicious dropper masquerades as a legitimate file. Its exif data (copyright, original file name, version number, description and company) is that of a legitimate tool. However, none of the code in the binaries is actually related to the executable it impersonates. The file names this campaign impersonates are listed in the table below.

360DeskAna.exe
aswBoot.exe
NETSTREAM.EXE
NitroShare.exe
PDFCreator.exe
ScanOST.exe
TraceDestructor.exe
Trustedikstaller.exe

Table 2: Dropper file names used in campaign

Once the malicious dropper is running on the system it has only a limited number of functions, all of which relate to injecting additional malicious code into the current process's memory. The image below shows the basic start function of the dropper, which loads the necessary libraries and decodes the final payload.

Figure 8: Dropper Start function

In order to dynamically load the necessary APIs, the dropper builds their names in memory; the strings are obfuscated via string stacking and a simple XOR. The payload itself is obfuscated using a simple series of mathematical operations on each word of the encoded binary, depicted in the image below.
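The XOR-obfuscated API names described above are the kind of thing an analyst wants to pull out of a memory dump without reversing the whole decoding loop. The following is an added example (not code from the Carbon Black writeup and not the dropper's own routine): it assumes a single repeating byte key, which the text does not specify, brute-forces all 256 keys over a blob, and keeps only keys that yield a known Windows API name. The API list and the sample blob are constructed for the example.

```python
"""Recover single-byte-XOR-obfuscated API name strings from a memory blob.

Added example, not from the Carbon Black writeup. The real key and byte
layout used by the campaign are not given on the page; a single repeating
byte key is assumed here, so every key 0x00-0xFF is tried and the decoded
bytes are scored against a small list of API names.
"""
from typing import Dict, List

# APIs a dropper performing in-memory injection commonly resolves.
# This list is an assumption made for the example, not taken from the sample.
KNOWN_APIS = {
    b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc",
    b"VirtualProtect", b"VirtualFree", b"GetModuleHandleA",
}


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with the single-byte key (self-inverse)."""
    return bytes(b ^ key for b in data)


def _printable_runs(data: bytes, min_len: int = 6) -> List[bytes]:
    """Split data into runs of printable ASCII of at least min_len bytes."""
    runs, cur = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(bytes(cur))
            cur = bytearray()
    if len(cur) >= min_len:
        runs.append(bytes(cur))
    return runs


def recover_api_names(blob: bytes) -> Dict[int, List[str]]:
    """Try every single-byte XOR key; return {key: [api names found]}.

    Keys whose decoding produces no known API name are dropped, so on a
    real dump the result is usually a single key with several names.
    """
    hits: Dict[int, List[str]] = {}
    for key in range(256):
        decoded = xor_bytes(blob, key)
        found = [run.decode() for run in _printable_runs(decoded)
                 if run in KNOWN_APIS]
        if found:
            hits[key] = found
    return hits


# Constructed sample: two API names encoded with key 0x5A, each followed by
# the NUL terminator that stacked strings carry once written to memory.
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_bytes(b"LoadLibraryA\x00GetProcAddress\x00", SAMPLE_KEY)

if __name__ == "__main__":
    for key, names in recover_api_names(SAMPLE_BLOB).items():
        print(f"key 0x{key:02X}: {names}")
```

Because a wrong key turns the NUL separators into printable bytes and merges the names into one run, only the correct key produces runs that match the list exactly; that is what keeps the output to a single candidate even though 255 other keys also yield "printable" text.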

Figure 9: Dropper decoding function

Once the embedded binary is decoded, its sections are copied into different memory regions, which are made RWX. This makes the code noncontiguous and harder to dump from memory. The memory area holding the original decoded binary is then released. The Emotet code then runs and, in this specific example, copies itself to the C:\Windows\syswow64\ directory as startedavg.exe.
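The chain described in this section (script host writes and runs a randomly named .exe in Temp, which then plants a copy in SysWOW64) is exactly the sort of behavior the writeup argues should be detected independently of hashes. The following is an added example, not Carbon Black detection content and not CB Defense logic: it encodes those two behaviors as rules and runs them over a constructed list of process-start and file-write events. The event schema (a dict with event, parent, image and target keys) and the user name are assumptions made for the example; the file names 0urwf2lu5.exe and startedavg.exe come from the writeup.

```python
"""Behavioral rules for the dropper chain described in the writeup.

Added example, not Carbon Black detection content. Two behaviors are
encoded: (1) a script host (wscript.exe / cscript.exe) starting an
executable from the user's Temp directory, and (2) a process running from
Temp writing an executable into C:\\Windows\\SysWOW64. The event schema is
an assumption for the example.
"""
import re
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
SYSWOW64_RE = re.compile(r"^c:\\windows\\syswow64\\", re.I)


def basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[str]:
    """Return one finding string per event that matches a rule."""
    findings: List[str] = []
    for ev in events:
        if ev["event"] == "process_start":
            # Rule 1: script host launching an .exe out of the user's Temp.
            if (basename(ev["parent"]) in SCRIPT_HOSTS
                    and TEMP_RE.match(ev["image"])
                    and ev["image"].lower().endswith(".exe")):
                findings.append(
                    f"script host {basename(ev['parent'])} launched "
                    f"executable from Temp: {ev['image']}")
        elif ev["event"] == "file_write":
            # Rule 2: Temp-resident process writing an .exe into SysWOW64.
            if (TEMP_RE.match(ev["image"])
                    and SYSWOW64_RE.match(ev["target"])
                    and ev["target"].lower().endswith(".exe")):
                findings.append(
                    f"Temp-resident process {ev['image']} wrote executable "
                    f"into SysWOW64: {ev['target']}")
    return findings


# Constructed sample events (user name "alice" is made up); the last event is
# a benign installer launched from an archive tool and must not be flagged.
SAMPLE_EVENTS = [
    {"event": "process_start", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe", "target": ""},
    {"event": "process_start", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\0urwf2lu5.exe", "target": ""},
    {"event": "file_write", "parent": "",
     "image": r"C:\Users\alice\AppData\Local\Temp\0urwf2lu5.exe",
     "target": r"C:\Windows\syswow64\startedavg.exe"},
    {"event": "process_start", "parent": r"C:\Program Files\7-Zip\7zFM.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\setup.exe", "target": ""},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Neither rule references a hash, a file name or a C2 address, so a new dropper variant or a renamed payload still trips them; what an attacker would have to change is the chain itself, not the sample.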

Larger Campaign

Research into this larger activity shows at least two distinct campaigns. Both used the same type of dropper, which ultimately runs an Emotet variant on the system. From the data available to TAU, the first campaign ran for a couple of weeks at the beginning of the year and appeared to target mostly individuals or organizations in the United Kingdom and Germany. The second campaign began around March 22 and primarily targeted individuals or organizations in the United States and Canada. In the latest campaign TAU researchers continue to see new variants in the wild. The names in the campaign blocks are the names the Emotet droppers used to impersonate legitimate applications.

Figure 10: Campaign Overviews

IOCs

Hashes

SHA256 MD5 Description

4ef82ed028ee1f35d55203d7025772432e1f36a01a0cffae5fae5ff81b0de59b d41956d3a861db7d3a26030915dacfa1 Emotet Dropper
23d133d8a10cd161ec4e8743c1738112819208cb3124c346ae26efd1bf86b1a1 ebbe0d98a31289c4fcdb50b7f93caa38 Emotet Dropper
8bbf0d854a2ca7f384fc64a246c7288a768f34b8affdb47ba95246573dc39cc8 09fc12b206553e6695a2901e71e20b08 Emotet Dropper
4a06740a5aa765130d5cd703c9802566675d8324df33c021a9206737c529e676 f2e4e1c93dd6d109008e3fe9b1044f1a Emotet Dropper
553c2b17b5c025db03b161aa835e9a4bbdf4411f153d35cf1393ca1fa7870d35 17c0f450b3b26ecd06a56534b8a8dac8 Emotet Dropper
81ab03f0c7d187b402c414bbf678530a6630276e71d01037a120ef5745efa783 6077735a36ced549f06fb1b0c0133c74 Emotet Dropper
bbbe49db1c4b8b8b6fcfe23b68cc0dbe56e8b3433ec972f52773dcef990e0a11 4e194079df4d23358e3422b6eb26d019 Emotet Dropper
c15d2b5641916a9d8fc81cefb17eda398295216e5897791afec273f62f03e929 dff204b06546a7aa5b1a04ab0df6ba9c Emotet Dropper
eb4383e2e0606f2d02af78829c59d614287fb3bcd116940de576790a16911e57 ababba73f7bcedf88ea1aba4156944c5 Emotet Dropper
9b44240a81d075c094f696a1d5a21e74c7306c85a36804a386b32ff1e223ebaa 35339640d845a17809be247fc2d59cc2 Emotet Dropper
30c2f7155015a245a82e3c96ea0082e437fcab506903ac99b9a61e082764349b dbbdf9c928d9019393b7493bce6ae5c6 Emotet Dropper
085cf8585ad18391b65adfea9a9402a9f931fef845431c36bb78ccb7c044b1ce bab3230b079ae443ca5ed8f350e57704 Emotet Dropper
7377d46ffdd35970a386931a17399165e9a0f7c5b872851d742c296d62103ea4 35ea4c695d05adb20ff2aedf591364c2 Emotet Dropper
a4ff36a8a39653daa66c1b9f3688b0936f8a45be4c79d7f3494287e145f51db1 346edfd406b309558b2c12f0b340bb00 Emotet Dropper
a9b41f27b2714035be665a3295f585068fb407c9be9d998cabb7cd3bb16d18d6 0330c266f7f2480ee3cbd7b5a878f9df Emotet Dropper
b2e5f1283d28a330cc1712f9cdfdf1077b120b61b53e33debfa96860a6f2c484 907f453e8d59c974122df513fe6fe730 Emotet Dropper
d1779879446cb1487fe27b33373009f7520101802fa023004de26b2a1799c69d 6da64fced53a62be34b1f28c58bc6b8c Emotet Dropper
7f3990e0cda612b708360a31e53a0e05d1860a2b15fba3ccda9ee4431efc3eed 294de3ca9a57a5335521822058ca2f5e Emotet Dropper
eafdd0774b2e9168cfb3bb25880811e0d74dd626387981909bb83829687d7a36 b2c98d110b68848e9eea775b4b5de3ce Emotet Dropper
88ceb4e52fd8ef04b5316d0e378f93eaaefeb880db0473f89c874a94bcaa5129 94970422e6681dcb9a4b8a51dbc9bfcd Emotet Dropper
1e168c77a0905a3704060c0a07e0a9c4ec5423db120914e2f7f8a7499820c4de 97cf8e69ca4c71da0b57ce82998c8e20 Emotet Dropper
7d4603705ee58a5874e9ee614bf125e23b3ef0261ce222401543b6ffa6e2087d 71faa8f8f6e07dd16a55164407865637 Emotet Dropper
5a253a7db9d1642c6da6bb95d9aa06d9ec7f2ac20e78257515b39b7dd48a6c1f cd20309479fb5459c78f6c40af60aea7 Emotet Dropper
d3fc2716c3139065613839e82e462fd64a0ba469a8176d0c78dbda53749334c1 9d1e1914189534e3e5403731b22fa89d Emotet Dropper
eae0cc4b2e3d96521cd6eb1412aece47f06ed5abe7ca45b89833707d1fbce1aa 31c72e1fa6773181653ad9a2997c8e02 Emotet Dropper
8977e6f54458b72ac4a2a9367e9843b392b44eb003f7d2f47cd9a1e30b443d5e a9a0e6e593d9eba6f0433ec1c46f3687 Emotet Dropper
ff133cd545df631d30b3de55b97ea863fa71fc88464509ccad826c333e527d1d fd4bfb99eed9987dc324ed8c5a7e000b Emotet Dropper
bc8066659588cb67d0eed594990a13860edf7231c65d67ef4aad14c01675cd43 75b47f252dfc3029012123ab41a9c980 Emotet Dropper
b03a5d889be077e4b5700bd7b23fa2e92f68022b6cfcb7acaeb9a7745545b0d6 e697f3f4d5ae146bc04169ad965429e4 Emotet Dropper
cf88eb41889c3d3b483a2bf621bfa3d641004b303845853a7a2f7c458642d079 0022a42cbe089651145e511fc8e3f6d9 Emotet Dropper
9a5eeabab0ea2de45a8bcf6d32e88e9dc45d2ff4192e1a424222e8d3b489c049 7ea63c817473668a95b474260e3618e0 Emotet Dropper
3be11f2c0b860f89cd39b0733430da9821f176a4a4c0a28ce6d5cd4bd31c7804 ac49883b8a7c779a9c695b397fad2760 Emotet Dropper
9cf2ab7e68381c08b59c7d6285995190488ab61baacf050c86ae280e76aa6407 1d1295022358aa7de1c4c711a6cf9d57 Emotet Dropper
2b4bad0890352f07e143c68ee61b0325ec8bf04506b61fd215aa4427dd4dd99e b835c88d43f58d5161baea0ad59fd895 Emotet Dropper
09218de3cc212568db336ac0298cec87aca24bf49d3e45e2d173f2c25d45f49b f793329554cbb502e84049e79e714248 Emotet Dropper
24110da796a4aa7ca063b51d4edd4b44e1856531d68f07403862f4613bb39177 6e06a2146ec1a275a0d9abdf9f4b1919 Emotet Dropper
69887acd5fd0370ee662a749673cf4b934bddf48defb22e6f5ec2674434dbc23 b9994bbd64de17368a1ebceeda6239ca Emotet Dropper
b2e8da3e178a08cef8ead6370a01a3f41804194f0ed6cfa4291cd6b9f44ee1e7 46c25a92c5b2cbc44223283bea1e5567 Emotet Dropper
118b105b2f883ba318a0c4204d0f01e32a17b979de820dab8c4e9eb44ea92ef9 2bd787345200cc70ce43afee89ccee94 Emotet Dropper
1e2ec4e7cb06d52be54dd8df08d86c12dedd612375671b6513def2d5474ca4a3 74f5e301dac5bbb784440129e2b4c149 Emotet Dropper
39ef088b97117dba9d4275e5aed7d36d75b15e08bc2ea2be3832ec773f1509b4 6e6cda01f3a6e3e4624f83a8406c8371 Emotet Dropper
56d719ad0522c58a24169e28dcbe884e8355830e30da29d3ffa29fdef5831af3 4d52988b7264a9479a898182a18115f3 Emotet Dropper
ad8b79ffe28d24e5333454ad6a142b127b46380f8d623a1d6d0985ac57b6ea8e fcdc4a000c93b8885e9b53408e82facb Emotet Dropper
8b90334f41c3321a74a8492114718749ad46bf069e5d1f04f9ba5ecaf8ef669d a745610f38ebdab09a09b5cdb93e3462 Emotet Dropper
639ab18855b1ca61e4f38559a6de05c7bbe88f7cbd2491f13a09e071a3ef37cf fe827f25b0b1716119d8611a1dd32776 Emotet Dropper
dec59b3c7cd8d00960296f161ee5bc5dbffb140a79f09dfb6758f23ffc6661af 4e20c1b8c5688e2dffbfc27368d0955f Emotet Dropper
35301d0d704ca0e54363c7a57947aa58b150182e973aaa982cc09d2695c0a378 fc4281f24304febfaae46ee0fd29241a Emotet Dropper
5a9ee6775cbd7f49d3863a541b172e5f2828f9c56f5320713ae8122966af074f feaa338caec549031ff90602cd04cccf Emotet Dropper
2357f018b427c167bbdb8cc472faec8d220479642709cda1a653c280c1c21e7c 64c4b5418716430b10ce764c1e6691cb Emotet Dropper
ddbbf054d77a3fe64a00310e7f7c2556683fe0f8726fe4c4424c75fa51ce9add 9667b3fff961257c921b05c0aade016c Emotet Dropper
345e28db1b0abc09b114d743aac9f42313d1dd23ba3d0cf933e9761a4b8556df 95749820dda01d5c70242db222faf2d4 Emotet Dropper
1674c004c5547cd1901561ce762eb079d1237081b66f889ae646453770e3f368 f1bb076523e1abf01988d3c32c217695 Emotet Dropper
6bfe1104dce611b9bd4d69dfd27143fe6b3e5aa8cb8a86e3bcf94322e9c4ce0a a90c721c8db2a01307dc74a8f310b37c Emotet Dropper
52e9d29be77794c9ffc3bee22e55c7a4d77c0c2fac8860b132421d9fee6e91a4 d9a1ac9d62f07fe5ffad9b762d0181d3 Emotet Dropper
45bab096914b0103f27ced1405d542ed5d1d6990e1411b516b601a6c771908b9 527ee1bd42456e83acd1eb49a75a019a Emotet Dropper
0e52cf547177feb4cf5ef4de0a554b66844638d07f6ab957abb2ded1843d1aff 44f5a817a88d0ae70d5f0c07b4a14022 Emotet Dropper
15fb3f8813c0b8f5cfa94a96d7d3abc27385431af10c8dd9129206f37f133ad9 2348e784d0e730cc580aac91dd427074 Emotet Dropper
f43504ae60444f5c87516655aa965f3acf2385207876bfa607644d5ed6ab0e07 28fed62b9ca5f842724226fac0cf6870 Emotet Dropper
211cb7644a1a033851de8e7201262cfebc779d3d88ba028d23a51a474c6d1f61 fc9faceefd2c0e29e849dd79b97f349f Emotet Dropper
2a74176b36bcc949469967ebc2875b8d0aa253318dbc3e6dde431f4868a6c995 4b7dc6a5581f7cb1e6a4ad20f7d61a9f Emotet Dropper
fe28928fdaeb8829fdec30fe9ea61e6094494b94e06f66f35fe00c19bb5f7000 bbe5fafca29a470c19089a1c320ee19a Emotet Dropper
68fbe58d9b2f8da1f3a44f122ae5c0b814db2ea80fb91524b9c7b333349571ca 404718bca442cfc49625a5b67015955d Emotet Dropper
ecfb7e3a324e1d0770a5115e76fe624c2ecf66f9d720fc2370f5b9581080b1b7 9736564ce74a07dcf295ae1b32ac6783 Emotet Dropper
0266dff285640967338602061dc34de83cfaf623384f58020eda58517730b20e 0890c16027a6738d01b3da4836ad8b39 Emotet Dropper
8532080b93d5543ccfd88217d9dbad76048a78dcc8363c61b6bd536bc332255d b7008a14c341eeef10105bb448a80a96 Emotet Dropper
93db9343462429e38592ca79b3fa916a09b80a5fd396eb68b024144d8455766f 736cd2a24d4d8aeca1befcc059ca8029 Emotet Dropper
697ae603b868715cc55f93b995395dd6384f0f9891c1c32be60ce6777142287c ee01312b94ca49e008801678de3a7163 Emotet Dropper
b123fe7880ed4f2abf47bdd0a9d415e22e587fce26a8151dc408d276445f4603 79bfa4fc4354322435f1e2fb874a33f8 Emotet Dropper
59857fdbfaa7c8932dd7287416ad264a8a7926a49e4262f281d910b80fd07bff 3de16fe38c145e1d126977e67e7ec1c6 Emotet Dropper
575f456ec012ba476c777b98c3d1dc2713c03d8b58bbb887d8d2c6d15b314037 7d1a69fdfdd414188540c890a6f44b29 Emotet Dropper
1e7f7bcd869f750bc3268753fdbeda4fb96b86d45c0cdb1641e8af99a29d58e3 7e6c40331afda90b40c5cb5d1754ca74 Emotet Dropper
0df891941fa6434c9d928d20143b14e4f646926fa6e26230493476f172cbd571 f7444f93bbd329c71cd1d3dc379fc66f Emotet Dropper
c2b79260b5276d920faf0e9cb31fe1c852d6abbba4dcb7365a16e62fcc37f534 ce9944553ae34f586147d5e610b2b31f Emotet Dropper
4e59de6ef62543f05b6e71f976ff20d6337c9447912bf986aa3635e58b0acb3e d75a782c9fbb1c5d567b352f828416d9 Emotet Dropper
682a58a642e7eb0ca976964afa2bdbe8b984c210940d448166283355be580ce2 d0ed4b64cb57ad4b3b771e6f2757cd41 Emotet Dropper
9eec718aebf3b98a626a2213c56af8cb6e54630074b095fa74af84e6775bc2df 65973f964b5bad4d569989c2d8985cc7 Emotet Dropper
23fdcc7da3132bba8f07dcd7f2aeabc2b8dc823108831e9ba2612f5a883e6282 f8c12b75c93b87950dcf79b36bfbb23d Emotet Dropper
9d32ffb779ecc44caeb0d14d18a861edff67996ca278d51df41ad1a12d8b34a7 efb629a548cf1726355a430c3df426f9 Emotet Dropper
633803ce01450da9ce2b53073a65021b3007c1814a877dcb139ebae1a712263d ac4a237f7e69539b25a62e929c25e819 Emotet Dropper
ec7df273dbf4c58b40a83e0c8eb06f5b09a11eca4cb711e559bd56df52320015 3c1b0de4315a784df029f9b47d2e3f54 Emotet Dropper
b747d07a713772e011fbb5a6e10b96b460cc6ca89d1583a36a0475a6be8a0e3a 8cf09c4d9612db091fe0bc584aa167c7 Emotet Dropper
c049016c3f05aba1da52146002199033207739c23e7940d5a3e7469c50091e24 0730bba8fb471dcd072fb6074dafba8a Emotet Dropper
4dc3d1a0d98cf405bff705dc79ef4ebd7652eb2b43dc15c88b5eb772c6af78f9 8f33111b68b7c0389885767a99136a11 Emotet Dropper
06d5f7ca4b9922d1114d5b981877391f0628e7f987a965174dcef1517046a7f8 cf9870f02b84600244ca3fdd64fac380 Emotet Dropper
4cce7f7015cdf028a5eeb7b9c6cb2db4dd14917ac1e73cb0b7aa538bbd160116 bf879be6fdc3688bcbffd42d2aeae907 Emotet Dropper
5e58620f02c1ba9b5bac33972e4f662d9472177c8b8d3f7cb4449df76d6fa84b 0802175696e7e925ebb5e865a7420428 Emotet Dropper
f0711132869db646cd847fc2466edb1c7b03e7d17090f3813be06775e56d3b59 9594f77f0b5039b34be8dcf37253b8e2 Emotet Dropper
3e86b1016f86c8fef2fab963d68d937ecd291b7300f74deb872366d262b76a3c 70a700d4283d4193ec53236cedbcf694 Emotet Dropper
319272a1eec35cc5c3b655a0c625108fc4f4bd023b2d0dedb717a44877dd4dc2 bf10ac79571d22a7c6fb7fab8e99ed3e Emotet Dropper
389a909cfd177ea3a973dbb1252713be834e3f6d6df5ae161b0b253e7ea2042b e8a9730ba3275a16091c4980710d1340 Emotet Dropper
1a96770c5dd333e5e13561c30d16c2b691658bc3bbc555cb34c17cb28b6c497a b70d7adc02638409af62e44adcc775ba Emotet Dropper
edc9e1d2103ea9bb3ccd817b6fedb78ebdf9b9c5e7280dadccf68747b3ff6055 0678eb3d5330b3d88fd73d05077d21da Emotet Dropper
3e6610f2722893e7510b1b75475e3d7a9ecb619766f7db27feda03e0e8782ca1 9451b38cbff554c2551057a1d269fee3 Emotet Dropper
ba07bcf7ffb95c9af845a5f4dfbf19396da146f74d4a1d69e1af990befe0a985 b2562bbe16d8fcaa633e3e98de6b7322 Emotet Dropper
395c7a22cc3d8c8aa88d13cae77987b74f0bad39355373278ebd44fbcc9fb3e2 6e6bc0b84ee45bff09f7586d99c869f9 Emotet Dropper
372f77d35bfe273b490b28558fc9c71f6f1a8e02e9fcf6d5b9aa7d1b5b34042d 328c73570611dd6ebe3a7c90c4275390 Emotet Dropper
b2dfa1ef9f4a77680f3d186fd4f7642bc7cbfcdc4df6c708754af7a292fac7c6 23fe818f9a8935e130b096b0fb446fb5 Emotet Dropper
6844ac37e36d34036088ed792d3425c933eeae349045cba13410333c61bd9e09 87bd0396ea1d83b455d3f17b28f977c5 Emotet Dropper
e7452dfea872899ab4e21f183acdd55c9237d5d9914301c5fc67127702205008 f38e8c9b51493368cb3195ebb61c8fd5 Emotet Dropper
f3c3012220c37a0da8efb00c5a6eab1f3ad04ac26914cd8ccedcfec24de12bf2 e884adbfcebde42354efbe6f27b14b46 Emotet Dropper
4567101158d21465a1e8b619dc6176587aa93dc13951a134d70af6a1ec673efd f1345590bb34c740e8757ea12be2bc41 Emotet Dropper
b8a38dab778039604b089ea057571606e5ab3696def486313a98cf316a6bae75 271acfb64c269c0ee74ad958359691a7 Emotet Dropper
f608e966b87e452aa8597d57965af7aef361580428f86e24a49edefdb1a21331 ba5f3192815a5179093d4b41bf7ce5c5 Emotet Dropper
1a75d27b85f81ed54e204f5fca42f864dc27a93cab5da8a1667aabd6cbda9b10 b072de60d01ee478d112cfb27a61d5de Emotet Dropper
50166abc6714052584d607f121fb4ae220aa29f85a254fc7ebb5d6398d043ae1 4accdfe5806496dbed0294778d117552 Emotet Dropper
b1ff9cbf39918284e0077fc40b011e43d1c47b4ac7eb0ca3f094c7bc020477fa d6f75f99ae190ec7ea735382ac6c769f Emotet Dropper
ad9e87aae19408cd7be135d1f7ad4e8370cf6e23833010f1ea9d8053a1ad580a 191f817ca14c0d3c82e643a29ca38506 Emotet Dropper
23a9baffebc2a344c17ee865a9f2b8b34f53e81e31492a2cbf6f5923197b6f07 bd4e1eaf1cb8ad27d5cf618471384c37 Emotet Dropper
a5e2b967251be8d9a9f49b04bebc9bf1c7b646e17b3afbddd29031b6b609d4b5 9136ee2a927c5f82949c01b96ec74b87 Emotet Dropper
8b9d20439998e9da5b5ab7b0051ae272d6a386c6d1758a89a79152c1247c2124 b913da5227270d8ac540235d81ea8d08 Emotet Dropper
f134aaf8d408f33b407f24b7f1f9c4e3c3a2e281edd620567354931ad6708e7b 38262641c8448d016590951f9af78402 Emotet Dropper
8e0f240dc6948913e748711d297fd1243431cb99050902940092bcbcb9e89c16 221f69fd788d47c2a1908a687a33d1ba Emotet Dropper
47876bf0a4307399ef6bcc967c36b8287bce3484e76a82bf7772ff7b6a23a448 6f180de94219d7c6d4159f3f5d696db2 Emotet Dropper
213fdb54058b1531d39aca6a922bcf438616e93e6179c1723e5cde7e50651e81 a3c6441da5df26fb957df3187074b7ec Emotet Dropper
13d9f6f0deb0da0cba7bcf5ca230f3afd1f2f76f80d2a0488a7d211208902ffd 784d71c71c7d74184f22d7da42e0b768 Emotet Dropper
68905dd94f60160853786ae7ea3785f34fff338992a285d30e3fd13f1e12c564 d351c2ea359c8fa9b051b3f75483046f Emotet Dropper
9f08ee507315f5f340cc15112ce462fc9e661a8394000837bf53d0c55b10942f 76989a61ef351a0fe05ba6d216846885 Emotet Dropper
b683ed3a54ef6ff4a20725be11255d8a55ee8c59636d3acfd331680bd31e8d38 bf23e6a8b6948679f17432a7a276ee67 Emotet Dropper
ed5945faf830095363b0a11221a267b74c54d0d2be1bfbb0dac306a92383634c 1f207467590fd3d4e33ffa474ae698ca Emotet Dropper
da9552278e535ec26419dc1e065abd669d9bda5e7d8000a18f8749aa4b34c808 92c84a20a83d8985a61d7c779cd835f6 Emotet Dropper
3fa4bb13348363f4cc461f3f5172151ff03004ecb476d61611be3311c38149e7 74c43328daa5daf9c432d5eaec4e5207 Emotet Dropper
6d40047d1ab3d60c860542efcd7dac044b3879a2da4bd1a5be9a26b649b6abbc bcd5ee2316ac2903d5adb0ec1b1f250b Emotet Dropper
9391e864b7c1c34020d5e747d84205ffd804cbdaeb81cc4d0a587d32a59ea516 97dd2431b05114c0427484556a8a7a3b Emotet Dropper
98436dcef078ee9f647993e3b2799b39de54641fc3c159e0bc9b4009c9fdd398 173b077e6e4538d1d9ead4f8cd847159 Emotet Dropper
c4b96cc41db4918545c00e61cc6750b543e20a0e11e9b897fb62e4ff681b6b55 79e675d5893e5f6aac3bdb6e1c05f0ec Emotet Dropper
5edb3b5c4f44c7378ede982f2d42ad5e55a31734c8d1bf68ffae59372e8c20d6 e09bc65008a554b49508e2301c6488ec Emotet Dropper
85b1169ffb9fe20594bde9a55f65d9d347074eba4a1d03b81193ad6f88a943f4 96a9f87506050c014bae9575c45c4800 Emotet Dropper
a663d67560a44921f5ab6f3bfe296cff9d91926ad9848038bd43cfa0fe904b56 cd7bffac25aa131e8658e569fa91b637 Emotet Dropper
431a72a087d4b5cf5d29fad3a748945007c0306af61867252237f032c369e6c1 685fe312f24166edcbbb1a83bfd362cd Emotet Dropper
ebd36972006b486c996c074ee69d8edc930d6b7e2f5c1fbafd6cac5f127ceff4 153caf10cb6b64f249a597d6ec0876b3 Emotet Dropper
1abd78b1d0cb0f23e15235de0ecf6e62fc2de37c8c8ab78573f6d76e19333123 36fe67adb03d3ed3027a117eaa375c2b Emotet Dropper
0da1c768a59a263a9c5975367a50b44dbdffff08d13bcea1a1ce9158ab9e295f 3fe8c232d553b61aa7aa2bf0c602463a Emotet Dropper
970a2569cec93c1a1e4f995653f2ba47243ff5899931b0d36b58f1cfca4556c0 0d6aac39ba141f242c0b5601a2fa3031 Emotet Dropper
5ea7500f272442f466ec4f37efbea2adf99859d76ea51351ad894366e5666f6d 75ec0ab7510147b3ac7025c1f001f0ca Emotet Dropper
a60c19edc4a6d343cf8f10bfabad8d80b488857020aa62c20669ca06ec795114 89d3aa50ce484bac92773047a55811ce Emotet Dropper
fc39e77993e7fcbcc80afd418337340d89ff609cdca51c4ad795f8f82bb41de2 511b85e364c8a428ef77d90d8246b39b Emotet Dropper
f28255490f45bcabee811ef376ba5a5c5e4e41af669de1dbab94a3aa594b068f 743555d8fb6f8b8c0cf5f2d1b8befd59 Emotet Dropper
2d57948bcd9c3d7da894af8d068c89975d4e114260a9c19f0202ff79541309d4 80ac6774f235a7193188e0c92b297877 Emotet Dropper
e5b909de6637915f413eda5e82b42e0c92fddf10d996e6da7230d2a47d7e9b18 11f4eda05c7ccd50ef1736a5b4c874dd Emotet Dropper
1cf0da02f2dee9c552c198784391ed96e8c50497728e30f43b49531bd6dbdbd7 877194a63f94f989b3d393018e016bb4 Emotet Dropper
f6d915a08dc5ba3b18c2952511e8eab2da86f9c8e72e4d81dffcf93d4dbffb50 38afa1717970ed27bee43d267ba22703 Emotet Dropper
51ded96d8012a567b0b4ddedaea604dd5e6bd6c55dd26c121584656d1eeca7d8 179d2c0cfe6c14a2e9492934eef96d72 Emotet Dropper
0398a3f104fc8e41d8652fa4c1aa3cd1161f881daf280c76243a2cf81e108326 6b7dff4d4503479ff56f651a3136aa89 Emotet Dropper
395387590a1ed905b46dae5fbe1de2c5a511038844f116b9d4fa57261165bec4 ee5b05f1cd1a502d113e8932bc2b48d6 Emotet Dropper
cbb135fb583355b31da7c80c1834a66f368ee13cdd813e4a9154be73a822aae7 c0a7d2c83a4dac60166429b0dd69c387 Emotet Dropper
70b33196e35e0aa8fe3e5a9cc8fff59016410b7da681fce69b5f5414befe400e f7840ac0730dedec9eb3352de813e827 Emotet Dropper
f7c52038933d12617fb56913aee632165c32fe9ada60835162912389c99351e6 6a82d8de966b76a0dcd67c2c9b8a8101 Emotet Dropper
284711f91c8ce69c21f71a296ff1fecc69612785a1f3bae14cb0e809a46674b4 aafa5dc3bd605691764ac72849f359dc Emotet Dropper
5d567f9a417676447b1d6c5964c96fd1c65d1c2c08583638f3e52cb6d71324ed e5c86ac336a6c4787a19267f73b9c2f3 Emotet Dropper
fa8a25c86b1d8abcfd3016956f995697946d5d5f5ca7db893beaa95db6207362 9d9ce4cd27c7fbd8f3ab43d4bb2d33cd Emotet Dropper
d8c70398aca2848960a82240347869cb449fcd8f58b23b25c49e81ba5db64156 f9cdc3bcd4434feaba40e9272cce7424 Emotet Dropper
4e87fc660790ae69cbc1f277a4fce74da11915ce249bf49de32f0cc1cadecc3d 2d2679b5074fd4ff259edff60fe51ac1 Emotet Dropper
1da5cc07a36ffa6f9ef56fa3bfb816bd5d383bbd175f9118002c2d6e30622a0a 556df6654e1602de66e4ca892949deea Emotet Dropper
cd27016ee10398ecfbf13a56faf3913721fb39c536c019dfee89a6384c10d4e1 9cab447e99d85697be997e1370bfc05c Emotet Dropper
47ebc1f10a672015280de22ceb4d9912a0e2c92c2fa45e7491a8494997cbbfa1 39fad0c57617cec4211fa3eff6130f4a Emotet Dropper
c7fcfac14d401662130a4d752418b0b1fd009c7f89d03eb95ec36be0d165d11d 6aefa7eae1b78c77303fb3005b76797b Emotet Dropper
e8e00026a34b70af6b1063e4d5d128079e3c81ebe4ab582126e14153c60cc781 9c090c7edd94eabdf5c9b2d5f098311d Emotet Dropper
af8e1c6506d6e651845c02a3ed14522b55d83704159fdc7eaf92fbc2f01b3a0b 28f00c005bde4f64d728813553ca269b Emotet Dropper
e47a2ab0953cfbc99a8ff73fa35ef731b331359da7fbac0af43217f9bdaa0ba3 3c1520e701563408745f7cb6a7d60404 Emotet Dropper
af1750a1e613e120ba19bb7534b416f7b695535866244443444f1461400a74e3 52c10664ca9280854a356f164e5d8e6b Emotet Dropper
6bbb9f4051c672655a43828fccd2b01c36fd6cdd2b589f71b90840c7f2a07ca6 f289b81939f8ef6db67182e953191f88 Emotet Dropper
d3034a180bc7c42c6639a4d2d103aa9444e9deadef93bc69b21aa5fafb844b68 1100b49eda9cce0d06b3ce48472eb850 Emotet Dropper
5198c282a99099910dd7cb97c87b4411b3d1b9672b309ed6dc23f0a9e94f46f5 8bb2e919ebf9b8c879d576480be74390 Emotet Dropper
69a951ac9717a37eb24c6fb687e465142db317c623514b9f42f9c7ed4343e176 6d9164260c64560b1922f0dc5665298d Emotet Dropper
b5e9c270a5375722b7e7f97867007a2332edd3dc511c237013b2edc373a6cf7f dc8dae4ce8bb4e400ab8e34a8e81adfd Emotet Dropper
916b3194c0923ef3fd31edbf8202a4a92071ff68bbd30bde90ba336263acb35c 53359689a366efb2c855a91517fb747d Emotet Dropper
71d2e81fa5dfb3233f88e9b4f5edb7a7f588c8e622838b25441b10f1d661f375 053608eddc4c4d08fff2441cf7ab62fd Emotet Dropper
a6e715eb6b059574fe6def8ebeb4c164b05ddf376356eb8609666d0a3d0a0d40 74c0a91f84e6783680ee010f40c5a9bc Emotet Dropper
3192b7bff4106267ba459e396195d0b2cd68a074caa8c3a3f381a576cc19b79f b9d00158accf3c195c8c19e00c10dde4 Emotet Dropper
cd6fb2c14c4b5abfee2fbb01549d5c712bbb559b6d742dadc24a093d491e796e 2c752c6918ed4af313ed6288a6687f4b Emotet Dropper
0fc2d059bf18f621bdafe5de079c0a9b17715eaf724f3f872b4dd60423ed105a b544cb3ece0ffbf08694b4d05d8d9f04 Emotet Dropper
e579bc9673154c2bab204f34f202aa3bf3f991faa2eb2eaae1380f99f637fa4d 03e200d20b40e894ee00867cc24f3002 Emotet Dropper
b50f76742a25cfd2c6c7ead08c7266237934f35fb8bec95f094ed003156285a8 3cea7357898039080361817300ab1f4a Emotet Dropper
e2b9951c7744decc4f473716c04dcff3cd5b4e2f980a0c056de55c9ddae71564 627cd2d2377969d00c75f1d34781c599 Emotet Dropper
73ee6f0556c41a09caa3a4b0f0a7bcd8ba4e144047fd570101b7519b31627590 eab05dc3d715fe83b4458373807dea79 Emotet Dropper
49ca8b8dfae71f67c6946401539861a2b5d7cbfdde160334ea15dc52b9afbf63 4cfab4359ff663b025fb5da50d48a32a Emotet Dropper
7ca82f07c0a44cf67d5d37d268f79e394c962aa5c906281dd81ffe6f33d9177e 1cae0e6a87a9adc482533582440364a1 Emotet Dropper
b6a03ef6505f465c895d0887c0479db9e2cdf7d391123a14c03b1af7dcb69594 302b61562fd258c88ab0db3ffa640faf Emotet Dropper
14c7b74acc3c279e9b4773871fb7ed23c53402e0e2a083bae7c3553166cf4939 64f881bdd0c0b017d092b664fc2b6749 Emotet Dropper
95e00443b8510dbebcee675f2d8bec6f649027ac74856616d70b70cb11705652 470740b9774a68b8a49a10219a02f85e Emotet Dropper
163afe8bfbc76f46bfe1ccf7e7c0866ea8c1aa066f463a98dc266dc7ba07acff 845bd986a4cbc2e806155b2815aa8f49 Emotet Dropper
19f3b58bc659efce6f8cc7bf9115d54ef8d0540c6b76e0f30f1ca635f7739d01 e36a87e0f746695f53f60648f45f5f61 Emotet Dropper
2f4af5d08c3cb7ef69e86ebebe692192bf2fcbe51b019a08a72c30935cefcae3 33971404d2e66139968510e51dc278fb Emotet Dropper
313f6e9adf3ea40437f02a370556c0314f501154346abd7a9990bbe2fe87ce92 5217b14143b632ea3c34826bb674c2ee Emotet Dropper
14feeed2c125accc752fc1e4d226970dfcc55cf179cf971cf1126d9a012c7bc8 49a077c26add6a9ef31137f426c70d82 Emotet Dropper
17b6fb98db05ec5d69a57da1783869b715f53a9d6359432aaa9763fd120922f4 eb48ffe1054ccfbf513ab601f8a59901 Emotet Dropper
4ac60bcf148ba6134ede27481161d8cbebc941359f41024928cc03cb5ef91e63 72049bdac4103a319e67b29b3715b4d5 Emotet Dropper
ee278c851fed3fd602477bf50b295a2acc665352ad6dd12e8e636c59e140db96 372c6e99901e78019f5cd84e3eb9c09f Emotet Dropper
ba3715cdce2794e44af126e5fe52abf6d5d0201702d2f27ed559401a21c7ebd8 7cec4617ce4376078ed07ed94b28dfdf Emotet Dropper
27594c322ccd86df012a3d15d2f3d6d803d3c879ce566b4c627cef12e33bb064 4021d1dd02406c2a96cd761791103409 Emotet Dropper
c1db4b2578729a1faede84d2735eb8463bfd2c6b15d2fdf2de7a89f1954d0dfb 44b696079356579d250f716a37ca9b17 Emotet Dropper
56bf9739f74a8c2117ded3f90d9ef239870aa5ff29e78ae598d764d3e1941017 c06d7c0e75e27e90f46fc6e4c47f1f3e Emotet Dropper
7996da1050bd39278622e8bcab3f4bba3db31a3ec20a4b3fd2f1cfd374f98fd8 2cae4059fbc5e7ee565cbd8f43d24635 Emotet Dropper
7d08ef83244e8e522fbb82f41bde555a30289024f217afcbc6fe539e275cf81d 60ee35e82274c04775154a6b90e61f6b Emotet Dropper
a32656290bd3ef395858879ad72a83e435397683f78e09e74e5613cec1ac44c7 20860b4bce8178e6861019e374502f55 Emotet Dropper
53233707becabfdd849dfccf8c28465b086a295697e15b5e8b6dcdf6449a829a a49e689cd3ab06674cdb64170a19e873 Emotet Dropper
aa487e0948c099f058ddb7f2231e69f704030dd384b27c3a842f2194e6b88af9 c4c04d6976ffc8e8180909ea531cdc5c Emotet Dropper
3a0ee95818d47f498c028f2873fd96c8bff31a3c47c69d69ffeb93003bd56099 6d03051ff76f85c1d12ee3afdc0faf2c Emotet Dropper
69284ba7d6bd444cdaf05b1ae99d793e5a1f2a3fed5c42c7b18e329d80606d46 092a1dbd615311c9f75ad74f32269c35 Emotet Dropper
871f0a4b3ace0dbf42b1a5c36cf217868976ec8aa0d53266ea85ee3fb8832545 e25cb59242602b3df9a11393d53d88be Emotet Dropper
e2f22c9455b424c33bb042fdca19656999ee7292f62a1222c84a8358bfb0284c 48fd95eb47e236c13819ad1cbbd4b35a Emotet Dropper
7b97c1300ddc7c75fcea5b7b8793595d88dd999024d6d2132fd4971f903b689e b227b1f807c1db7c9dfbcf3912f1cdd4 Emotet Dropper
2485e60ebd7c1dfeeac8778d5f89677ebd5cfdd36d60e4a0415c301c19908821 fa6cf11d4761d266c57d58bd43b90dce Emotet Dropper
7a3e5ebdaa83f38a7fc86c36102489c9e98a24a14cb0e26905d74d54a0e80848 55f2ed72b2ef630373f450e9a522113e Emotet Dropper
4ad92a4205d20562428077543b9eb56ea7453b07a4a6ae116da5acf3a2a3e75e ec0b7189c9cefe9ed02fc07c0bcb73f4 Emotet Dropper
e120ce197e9d7cae8c598b46e212e8926119856d88473c3a520110448bc4c160 d323dfcce35371e2b8d9a5b14438c200 Emotet Dropper
b59f519267d88139c9b3c42495836582c33a6cbc5174f27fae031d3c15541857 6fbafce9f8a9626d97bc5325bcbb510f Emotet Dropper
069074539c5cda242b5b8f8ecfca69df2155d5f32553675b849a5e29486b5a00 394fe9a1df5e4be25aeb3930731b4009 Emotet Dropper
c00f4aea0bd3f2ec6aeb16696044770ccad45a2faf476b63b2061c4728fea501 a4353c23bfecdc4fa79f784fe985de06 Emotet Dropper
04ee03e074c08933010d54412936a5f5a1dad3fbbdd7ebbba2df2fea55727878 5e6b371bad8591a64113a831394dbe20 Emotet Dropper
7b18e83009cee3193268be9c6d523f0d0d06c0e35448b7d28752052580372351 3e3b489d34d7976622559e2a0f726945 Emotet Dropper
e795f3d92e12982f101ec9572c3aad8c28655aa2486caa4b38e3d02ee04ea5d2 d8da098591ad7352a18bce92b738c8ce Emotet Dropper
261242caef90babeef977cab85eb6a38209a19e7747f35287a6d3742bfe8a847 e7a4d3903a3cb8efb6d5c69b5262ba7e Emotet Dropper
c5a49d4d2619ad9a5be30d5495f51d189fadce620f3a5080c2211313cabd56eb 2bee10c5f5cbab62e260aa46306a9c20 Emotet Dropper
bf55878eaf9c748912568ec3f20a43f7c4a6bea8271b2c4e40e730ac39a6de62 0d52b231c6e953aacdde0dfc95883e3f Emotet Dropper
54427b368ffad28e3fc805a7a15e6c9cffc1f7417d5aec5bec8d4164c3bd1742 469b934991c0527bf7c992bab453c976 Emotet Dropper
acd6c51180722d25faf5c58c40afcf0e9c386c67da0a14a4b1c02dcb778afae4 8b952cfb5a69753fe108a51ab7b64a04 Emotet Dropper
0dac7c6c96908ed8326b06e4ac59716bbaaede6410ac7e2c201abe7d350dfeff 64c7415fec6bbb5241c17500de05a528 Emotet Dropper
cf5f8bd33ff24f5d689477fee4511d656437c154ade1e16420fc53c6cee35d0e b133066a393d6adfc5b73f6d8c526192 Emotet Dropper
04cca9e021fda92b6b2836c78e44cded572d4a3eab106386a049d9a753a62509 0f4cbcc61c2716f2aeb1ff555796df67 Emotet Code
f9a62efb31a05d343afa131c17514e663e28a59a31d1f514eb61e8bd3f3a3a80 08e7755ab0b4d6233e279c182db8d941 Emotet Code
e4ae4ec47495e75a118e9f0fffed7715f7a1c8ecd5cd1313245f1a3afc8fbb30 e168d79854ba4c348f384bfa89ad14ba Emotet Code
b0777f056ddb7e27a12ff7c68d6956766759c23bff80f552de41bdfee03d6979 4dc84fae5f4bd452d37c16d99e375bb0 Emotet Code
526c80dde5d68e84ae9328cbed9ada48bdbd3b29e2afb2ce8dae87b7c8b6d191 ef5388987d67a085ff172f5d57e3ceb9 Emotet Code
d395134f599e9c08ff93a5b0c92070c23b34d7ec232d7dd5088173938b1afc3d 194e9a1120cb639f1a5ffb32cad91d10 Emotet Code

Network

94.250.55[.]138
171.101.196[.]138
181.170.252[.]83
181.129.83[.]122
Trinadi[.]my – (108.179.235[.]109)

Table 3: Network IOCs

MITRE ATT&CK TIDs

TID   | Tactic                 | Description
T1193 | Spear Phishing         | Original Email
T1204 | User Execution         | User Clicking PDF hyperlink
T1192 | Spear Phishing Link    | PDF hyperlink
T1055 | Process Injection      | Emotet Code injected into memory
T1140 | Decode Files           | Emotet Code decoded from embedded data
T1027 | Obfuscated Information | Obfuscated JavaScript files

Table 4: MITRE ATT&CK TIDs

Yara Sig

rule emotet_dropper_2019_Q2_campaign : TAU ecrime Emotet
{
    meta:
        author = "CarbonBlack Threat Research" // jmyers
        date = "2019-Mar-22"
        TID = "T1193, T1204, T1192, T1055, T1140, T1027"
        description = "Emotet Dropper"
        rule_version = 1
        yara_version = "3.7.0"
        exemplar_hashes = "b2e5f1283d28a330cc1712f9cdfdf1077b120b61b53e33debfa96860a6f2c484, a9b41f27b2714035be665a3295f585068fb407c9be9d998cabb7cd3bb16d18d6, 7377d46ffdd35970a386931a17399165e9a0f7c5b872851d742c296d62103ea4"
    
    strings:
        $s1 = "hknj]t34q"
        $s2 = "WdgfR111"
        $s3 = "GetPodu)eHa#dle"
        $s4 = {83 F? 41} //Portion of Decoding Routine
        $s5 = {83 F? 74} //Portion of Decoding Routine
        $s6 = {81 ?? ?? ?? ?? 00 2D 37 00 00}
        $s7 = {81 ?? ?? ?? ?? 00 2C 37 00 00}

    condition:
        6 of ($s*) and
        uint16(0) == 0x5a4d and
        filesize < 500KB
}

Table 5: Yara Signature