This past week, CB ThreatSight analysts were investigating suspicious events in a customer environment. The customer had installed the CB Defense sensor on a subset of systems in monitor-only mode for evaluation. While investigating these events, a CB ThreatSight analyst uncovered a new Emotet campaign that used a series of techniques and binaries masquerading as legitimate applications, ultimately injecting an Emotet variant into the memory of the compromised system.
Additional research by the CB Threat Analysis Unit (TAU) discovered at least 225 related samples used in two distinct campaigns. The first campaign occurred at the beginning of the year, and the latest campaign began around March 22. This information is being provided to assist researchers and practitioners who may be investigating this campaign.
This campaign highlights the importance of moving away from simple IOC detections and starting to leverage detections based on behavioral anomalies.
Having visibility into your endpoints is the foundation that the rest of your security and threat hunting efforts will be built upon. Once this foundation is in place, the next phase is to identify behavioral characteristics that indicate different portions of an attack. Taking this approach is what allowed our analyst to quickly identify the initial phases of this attack and protect the customer from a breach. Some of the specifics of this investigation showed that attackers continue to evolve and use new techniques to avoid detection; this is what they do.
However, focusing on characteristics and behaviors that are suspect regardless of the technique or its novelty is what allows you to stay ahead of the curve. This campaign was quickly identified because TAU focuses on creating content and detections that identify these types of suspect behaviors. Having robust amounts of enriched data allows us to understand, at scale, what is normal in most environments. We can then leverage this information to formulate detections around sets of behaviors that are not typically observed under normal conditions. When new campaigns like this one are discovered by existing detections in our products, we research them further to determine whether we can refine our methods, and we write campaign-specific detections.
The initial step of the campaign involves a phishing email being sent to a target. Attached to the email is a PDF file that does not contain any malicious code or exploits. The PDF purports to be a legitimate document and requests that the user follow a hyperlink to a legitimate website. The actual hyperlink directs the user to a compromised site, which downloads different payloads depending on what is being served at the time of the request. In the scenario that was being investigated, a zip file was downloaded and extracted. Its content was a JavaScript file that was then executed. The JavaScript file was obfuscated to avoid detection and hamper analysis.
Ultimately the script would reach out to a set of different C2s, which would reply with a binary that was saved to the user’s Temp directory and executed. It should be noted that Word documents were also being served by the first download site, which resulted in the same outcome.
This binary was masquerading as a legitimate application (NitroShare.exe in the latest campaign). The executable contained several layers of unpacking. It would decode the names of the APIs it needed and load them, and finally it decoded an embedded PE file. The sections of this PE file, which is an Emotet variant, were then copied into different regions of the host process’s memory and executed.
Figure 1: Overview of Attack
Technical Details
Initial Detection and Investigation
CB ThreatSight analysts initially investigated an alert generated by the Predictive Security Cloud (PSC) within the customer’s CB Defense console. Using heuristic analysis, the PSC detected several highly suspicious behaviors being performed by applications with unknown reputations. The image below depicts examples of the behavioral alerts that were generated and triaged. For specific information on Carbon Black product detections, please review the TAU-TIN writeup, which is listed on our User Exchange.
Figure 2: Behavior Alerts
Malicious Attachment
The image below is an example of a PDF document that was sent to targets as part of this campaign. In this example the PDF purports to be from Citibank, and attempts to incite further action by informing the reader that their bank account has been suspended. The hyperlink displays a link to citibank.com; however, the actual link takes the system to trinadi[.]my, which is a compromised or malicious site. The response from this site was a Zip archive containing a JavaScript file, which was then executed.
Figure 3: Phishing Email example
Dropper Analysis
JS File
The image below depicts how the JavaScript looks as it was downloaded from the malicious site. The additional screenshots used in the section below have been altered and variables renamed for analysis.
Figure 4: Attack Overview
The script contains an array of strings that are required to display a decoy error message as well as to download the final stage of this attack. The area highlighted in blue below shows the string array, while the area in red highlights the decoy error message that is displayed to the user.
Figure 5: Attack Overview
The script will then build the necessary Objects to communicate with the embedded secondary C2s, which are highlighted in the images below in orange.
Figure 6: Attack Overview
The response will then be saved to the user’s Temp file location, as a randomly named .exe (e.g. 0urwf2lu5.exe), highlighted in yellow in the image below.
Figure 7: Attack Overview
Malicious Dropper
The malicious dropper masquerades as a legitimate file. Its version metadata (copyright, original file name, version number, description, and company) is that of a legitimate tool. However, none of the code in the binaries is actually related to the executables it is impersonating. The file names this campaign impersonates are listed in the table below.
360DeskAna.exe
aswBoot.exe
NETSTREAM.EXE
NitroShare.exe
PDFCreator.exe
ScanOST.exe
TraceDestructor.exe
Trustedikstaller.exe
Table 2: Dropper file names used in campaign
Once the malicious dropper is running on the system it has only a limited number of functions, all of which are related to injecting additional malicious code into the current process’s memory. The image below shows the basic start function of the dropper, which loads the necessary libraries and decodes the final payload.
Figure 8: Dropper Start function
In order to dynamically load the necessary APIs, the dropper builds their names in memory as stack strings obfuscated with a simple XOR. The payload itself is obfuscated using a simple series of mathematical operations on each word of the encoded binary, depicted in the image below.
Figure 9: Dropper decoding function
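The stack-string decoding described above, as an added Python analysis helper that is not part of the original writeup or the dropper: it assumes the analyst has lifted the 32-bit immediates in address order and that a single-byte XOR key was used; the API names, keys and word values are constructed here, since the writeup does not give the real ones.

```python
"""Recover stack-built, XOR-obfuscated API names from lifted DWORD immediates.

Added analysis helper for the technique described in the writeup; the sample
names, keys and word layout are constructed and are not the real dropper's.
"""
import string
import struct
from typing import List, Optional, Tuple

# Characters that can appear in a Win32 export name (assumption: the dropper
# only resolves plain ASCII API names).
IDENT_CHARS = set(string.ascii_letters + string.digits + "_")


def encode_stack_string(name: str, key: int) -> List[int]:
    """Build the DWORD immediates a stack string would be assembled from:
    NUL-terminate, pad to a 4-byte boundary, XOR every byte with `key`.
    Used here only to construct sample input for the decoder below."""
    raw = name.encode("ascii") + b"\x00"
    raw += b"\x00" * (-len(raw) % 4)
    obf = bytes(b ^ key for b in raw)
    return [struct.unpack("<I", obf[i:i + 4])[0] for i in range(0, len(obf), 4)]


def words_to_bytes(words: List[int]) -> bytes:
    """Little-endian pack the immediates in address order (first word at the
    lowest stack address), which is how a stack string lies in memory."""
    return b"".join(struct.pack("<I", w & 0xFFFFFFFF) for w in words)


def xor_decode(blob: bytes, key: int) -> Optional[bytes]:
    """XOR each byte with the single-byte key and cut at the first NUL.
    Returns None when no terminator appears, i.e. the key is wrong."""
    out = bytes(b ^ key for b in blob)
    end = out.find(b"\x00")
    return None if end == -1 else out[:end]


def looks_like_api_name(s: bytes) -> bool:
    """Plausible export name: at least four identifier characters."""
    return len(s) >= 4 and all(chr(c) in IDENT_CHARS for c in s)


def recover_key(words: List[int]) -> List[Tuple[int, str]]:
    """Brute-force the 256 single-byte keys and keep those that yield a
    NUL-terminated identifier. Key 0 covers strings stacked without XOR."""
    blob = words_to_bytes(words)
    hits = []
    for key in range(256):
        decoded = xor_decode(blob, key)
        if decoded is not None and looks_like_api_name(decoded):
            hits.append((key, decoded.decode("ascii")))
    return hits


# Constructed sample input: what an analyst would lift from two stack-string
# sequences in the dropper, each obfuscated with a different one-byte key.
SAMPLE_WORDS = {
    "VirtualAlloc": encode_stack_string("VirtualAlloc", 0x5A),
    "LoadLibraryA": encode_stack_string("LoadLibraryA", 0x2F),
}

if __name__ == "__main__":
    for label, words in SAMPLE_WORDS.items():
        print(label, [hex(w) for w in words], "->", recover_key(words))
```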
Once the embedded binary is decoded, its sections are copied into separate memory regions, which are made RWX. This makes the code noncontiguous and harder to dump from memory. The memory area that held the original decoded binary is then released. The Emotet code then runs and, in this specific example, copies itself to the C:\Windows\syswow64\ directory as startedavg.exe.
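The behaviours described in this section (a script host launching a randomly named executable from Temp, version information borrowed from a legitimate product, and an executable written into syswow64 by a process outside C:\Windows) expressed as detection logic, as an added Python example that is neither Carbon Black product logic nor code from the original post; the event schema and the sample telemetry are constructed for illustration.

```python
"""Behavioral detections for the dropper chain described in this section.

Added example, not Carbon Black product logic or the original post's code.
The event schema and the telemetry below are constructed for illustration.
"""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Product names the droppers carried in their version information (Table 2).
IMPERSONATED = {
    "360deskana.exe", "aswboot.exe", "netstream.exe", "nitroshare.exe",
    "pdfcreator.exe", "scanost.exe", "tracedestructor.exe", "trustedikstaller.exe",
}
USER_TEMP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
SYSWOW64_RE = re.compile(r"^c:\\windows\\syswow64\\", re.I)
WINDOWS_RE = re.compile(r"^c:\\windows\\", re.I)


def random_looking(filename: str) -> bool:
    """Heuristic for machine-generated names such as 0urwf2lu5.exe: the stem
    mixes digits with letters and has a low vowel ratio."""
    stem = ntpath.splitext(filename)[0].lower()
    if len(stem) < 6:
        return False
    letters = [c for c in stem if c.isalpha()]
    has_digit = any(c.isdigit() for c in stem)
    vowel_ratio = sum(c in "aeiou" for c in letters) / max(len(letters), 1)
    return has_digit and vowel_ratio < 0.35


def evaluate(event: dict) -> list:
    """Return the names of the behaviours a single telemetry event matches."""
    hits = []
    image = event["image"]
    name = ntpath.basename(image).lower()
    if event["type"] == "process_create":
        parent = ntpath.basename(event["parent_image"]).lower()
        # JS dropper stage: a script host runs a randomly named exe from Temp.
        if parent in SCRIPT_HOSTS and USER_TEMP_RE.match(image) and random_looking(name):
            hits.append("script_host_launched_random_temp_exe")
        # Masquerade: version info names a known product, the file is named otherwise.
        claimed = event.get("original_filename", "").lower()
        if claimed in IMPERSONATED and claimed != name:
            hits.append("version_info_impersonates_known_product")
    elif event["type"] == "file_write":
        target = event["target"]
        # Emotet persistence: an exe lands in syswow64 from outside C:\Windows.
        # Legitimate installers running from Program Files are the usual noise here.
        if (SYSWOW64_RE.match(target) and target.lower().endswith(".exe")
                and not WINDOWS_RE.match(image)):
            hits.append("non_windows_process_wrote_exe_to_syswow64")
    return hits


def run(events: list) -> list:
    """Evaluate every event and return (pid, behaviour) pairs in event order."""
    return [(e["pid"], hit) for e in events for hit in evaluate(e)]


# Constructed sample telemetry: pid 4120 replays the observed chain; the other
# two events are benign lookalikes that must not alert.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120,
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\0urwf2lu5.exe",
     "original_filename": "NitroShare.exe"},
    {"type": "file_write", "pid": 4120,
     "image": r"C:\Users\alice\AppData\Local\Temp\0urwf2lu5.exe",
     "target": r"C:\Windows\syswow64\startedavg.exe"},
    {"type": "process_create", "pid": 5010,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\NitroShare\NitroShare.exe",
     "original_filename": "NitroShare.exe"},
    {"type": "file_write", "pid": 1200,
     "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\syswow64\ntdll.dll"},
]

if __name__ == "__main__":
    for pid, behaviour in run(SAMPLE_EVENTS):
        print(pid, behaviour)
```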
Larger Campaign
Research into this larger campaign shows that there were at least two distinct campaigns. Both leveraged the same type of dropper, which ultimately ran an Emotet variant on the system. From the data available to TAU, the first campaign ran for a couple of weeks at the beginning of the year and appeared to mostly target individuals or organizations in the United Kingdom and Germany. The second campaign began around March 22 and primarily targeted individuals or organizations in the United States and Canada. In the latest campaign TAU researchers continue to see new variants being used in the wild. The names in the campaign blocks are the names of legitimate applications that the Emotet droppers impersonated.
Figure 10: Campaign Overviews
IOCs
Hashes
c5a49d4d2619ad9a5be30d5495f51d189fadce620f3a5080c2211313cabd56eb | 2bee10c5f5cbab62e260aa46306a9c20 | Emotet Dropper | |
bf55878eaf9c748912568ec3f20a43f7c4a6bea8271b2c4e40e730ac39a6de62 | 0d52b231c6e953aacdde0dfc95883e3f | Emotet Dropper | |
54427b368ffad28e3fc805a7a15e6c9cffc1f7417d5aec5bec8d4164c3bd1742 | 469b934991c0527bf7c992bab453c976 | Emotet Dropper | |
acd6c51180722d25faf5c58c40afcf0e9c386c67da0a14a4b1c02dcb778afae4 | 8b952cfb5a69753fe108a51ab7b64a04 | Emotet Dropper | |
0dac7c6c96908ed8326b06e4ac59716bbaaede6410ac7e2c201abe7d350dfeff | 64c7415fec6bbb5241c17500de05a528 | Emotet Dropper | |
cf5f8bd33ff24f5d689477fee4511d656437c154ade1e16420fc53c6cee35d0e | b133066a393d6adfc5b73f6d8c526192 | Emotet Dropper | |
04cca9e021fda92b6b2836c78e44cded572d4a3eab106386a049d9a753a62509 | 0f4cbcc61c2716f2aeb1ff555796df67 | Emotet Code | |
f9a62efb31a05d343afa131c17514e663e28a59a31d1f514eb61e8bd3f3a3a80 | 08e7755ab0b4d6233e279c182db8d941 | Emotet Code | |
e4ae4ec47495e75a118e9f0fffed7715f7a1c8ecd5cd1313245f1a3afc8fbb30 | e168d79854ba4c348f384bfa89ad14ba | Emotet Code | |
b0777f056ddb7e27a12ff7c68d6956766759c23bff80f552de41bdfee03d6979 | 4dc84fae5f4bd452d37c16d99e375bb0 | Emotet Code | |
526c80dde5d68e84ae9328cbed9ada48bdbd3b29e2afb2ce8dae87b7c8b6d191 | ef5388987d67a085ff172f5d57e3ceb9 | Emotet Code | |
d395134f599e9c08ff93a5b0c92070c23b34d7ec232d7dd5088173938b1afc3d | 194e9a1120cb639f1a5ffb32cad91d10 | Emotet Code | |
Network
Indicator | Type |
94.250.55[.]138 | IP |
171.101.196[.]138 | IP |
181.170.252[.]83 | IP |
181.129.83[.]122 | IP |
Trinadi[.]my | Domain (associated IP 108.179.235[.]109) |
Table 3: Network IOCs
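The indicators above are published defanged (`[.]` in place of `.`), so they cannot be compared against logs as written. The following is an added example, not code from the original post or from Carbon Black, that refangs the Table 3 indicators and runs them over a handful of constructed proxy log lines in an assumed `timestamp source method target status` layout. It matches domains by exact name or subdomain suffix rather than by substring, so a look-alike host such as `trinadi.my.example.net` or an IP that merely contains `94.250.55.138` as a substring does not produce a hit.

```python
import re
from ipaddress import ip_address

# Network IOCs from Table 3, kept in the defanged form the page publishes them in.
DEFANGED_IOCS = [
    "94.250.55[.]138",
    "171.101.196[.]138",
    "181.170.252[.]83",
    "181.129.83[.]122",
    "Trinadi[.]my",
    "108.179.235[.]109",
]

# Constructed proxy log lines (assumed "timestamp src method target status" layout); not customer data.
SAMPLE_LOG = """\
2019-03-25T10:01:02Z 10.0.0.12 GET http://trinadi.my/wp-content/uploads/invoice.pdf 200
2019-03-25T10:01:05Z 10.0.0.12 GET http://94.250.55.138/ 200
2019-03-25T10:02:11Z 10.0.0.33 GET https://www.example.com/ 200
2019-03-25T10:03:40Z 10.0.0.45 CONNECT 181.170.252.83:443 200
2019-03-25T10:04:01Z 10.0.0.45 GET http://trinadi.my.example.net/ 200
2019-03-25T10:04:09Z 10.0.0.45 GET http://194.250.55.138/ 200
"""


def refang(ioc: str) -> str:
    """Undo the usual defanging so the indicator compares equal to what logs contain."""
    return (ioc.strip()
               .replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def build_ioc_sets(defanged):
    """Split refanged indicators into an IP set and a lower-cased domain set."""
    ips, domains = set(), set()
    for ioc in defanged:
        value = refang(ioc)
        try:
            ips.add(str(ip_address(value)))
        except ValueError:
            domains.add(value.lower())
    return ips, domains


_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
_PORT = re.compile(r":\d+$")


def extract_host(target: str) -> str:
    """Reduce a URL or host:port field to its bare host, lower-cased."""
    host = _SCHEME.sub("", target).split("/", 1)[0]
    return _PORT.sub("", host).lower()


def host_hits(host: str, ips, domains) -> bool:
    """Exact IP match, or exact/subdomain match for domains (suffix match, never substring)."""
    if host in ips:
        return True
    return any(host == d or host.endswith("." + d) for d in domains)


def find_hits(log_text: str, ips, domains):
    """Return (timestamp, source, host) for each log line whose destination is an IOC."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        host = extract_host(fields[3])
        if host_hits(host, ips, domains):
            hits.append((fields[0], fields[1], host))
    return hits


if __name__ == "__main__":
    ips, domains = build_ioc_sets(DEFANGED_IOCS)
    for hit in find_hits(SAMPLE_LOG, ips, domains):
        print(*hit)
```

Against the constructed log the script reports three hits (the `trinadi.my` PDF download, the direct request to `94.250.55.138`, and the CONNECT to `181.170.252.83`); the look-alike domain and the `194.250.55.138` line are correctly ignored. In a real environment the same functions would be fed the proxy or DNS log export rather than the inline sample.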
MITRE ATT&CK TIDs
TID | Technique | Description |
T1193 | Spearphishing Attachment | Original email |
T1204 | User Execution | User clicking the PDF hyperlink |
T1192 | Spearphishing Link | PDF hyperlink |
T1055 | Process Injection | Emotet code injected into memory |
T1140 | Deobfuscate/Decode Files or Information | Emotet code decoded from embedded data |
T1027 | Obfuscated Files or Information | Obfuscated JavaScript files |
Table 4: MITRE ATT&CK TIDs
Yara Sig

```yara
rule emotet_dropper_2019_Q2_campaign : TAU ecrime Emotet
{
    meta:
        author = "CarbonBlack Threat Research" // jmyers
        date = "2019-Mar-22"
        TID = "T1193, T1204, T1192, T1055, T1140, T1027"
        description = "Emotet Dropper"
        rule_version = 1
        yara_version = "3.7.0"
        exemplar_hashes = "b2e5f1283d28a330cc1712f9cdfdf1077b120b61b53e33debfa96860a6f2c484, a9b41f27b2714035be665a3295f585068fb407c9be9d998cabb7cd3bb16d18d6, 7377d46ffdd35970a386931a17399165e9a0f7c5b872851d742c296d62103ea4"
    strings:
        $s1 = "hknj]t34q"
        $s2 = "WdgfR111"
        $s3 = "GetPodu)eHa#dle"
        $s4 = {83 F? 41} // Portion of Decoding Routine
        $s5 = {83 F? 74} // Portion of Decoding Routine
        $s6 = {81 ?? ?? ?? ?? 00 2D 37 00 00}
        $s7 = {81 ?? ?? ?? ?? 00 2C 37 00 00}
    condition:
        6 of ($s*) and uint16(0) == 0x5a4d and filesize < 500KB
}
```

Table 5: Yara Signature
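To make the rule's semantics concrete without a Yara install, here is an added example, not code from the original post or from Carbon Black, that re-implements the rule above in plain Python: the three text strings become literal byte searches, the hex strings are translated token by token (`??` is any byte, `F?` is the contiguous range 0xF0-0xFF, a fixed low nibble is a set of sixteen scattered byte values), and the condition is evaluated as written, including Yara's 1024-byte `KB` and the little-endian `uint16(0)` read of the `MZ` magic. The bytes used to satisfy each string are constructed for this example, not taken from any sample; for `$s4` and `$s5` they are `cmp r32, imm8` encodings, which is consistent with the "decoding routine" comment on those strings, and for `$s6`/`$s7` a `cmp dword [ebp+disp32], imm32` encoding whose immediate is 0x372D / 0x372C.

```python
import re

# The seven strings from rule emotet_dropper_2019_Q2_campaign, copied from the page.
TEXT_STRINGS = {
    "$s1": b"hknj]t34q",
    "$s2": b"WdgfR111",
    "$s3": b"GetPodu)eHa#dle",
}
HEX_STRINGS = {
    "$s4": "83 F? 41",
    "$s5": "83 F? 74",
    "$s6": "81 ?? ?? ?? ?? 00 2D 37 00 00",
    "$s7": "81 ?? ?? ?? ?? 00 2C 37 00 00",
}
REQUIRED_MATCHES = 6          # "6 of ($s*)"
MAX_FILESIZE = 500 * 1024     # "filesize < 500KB"; Yara's KB is 1024 bytes
MZ_MAGIC = 0x5A4D             # "uint16(0) == 0x5a4d", i.e. little-endian "MZ"


def _byte(n: int) -> bytes:
    """Regex escape for one literal byte value."""
    return b"\\x%02x" % n


def hex_token_to_regex(token: str) -> bytes:
    """Translate one Yara hex token ('83', 'F?', '?F', '??') into a bytes-regex fragment."""
    hi, lo = token[0], token[1]
    if hi == "?" and lo == "?":
        return b"."                                   # any byte (pattern is compiled with DOTALL)
    if lo == "?":                                     # high nibble fixed: contiguous 16-byte range
        base = int(hi, 16) << 4
        return b"[" + _byte(base) + b"-" + _byte(base | 0x0F) + b"]"
    if hi == "?":                                     # low nibble fixed: 16 scattered byte values
        return b"[" + b"".join(_byte((h << 4) | int(lo, 16)) for h in range(16)) + b"]"
    return _byte(int(token, 16))


def compile_rule():
    """Compile every $s string to a bytes regex (Yara default: ascii, case-sensitive)."""
    patterns = {name: re.compile(re.escape(s)) for name, s in TEXT_STRINGS.items()}
    for name, spec in HEX_STRINGS.items():
        body = b"".join(hex_token_to_regex(tok) for tok in spec.split())
        patterns[name] = re.compile(body, re.DOTALL)
    return patterns


def matched_strings(data: bytes, patterns=None) -> set:
    """Names of the $s strings found anywhere in data."""
    patterns = patterns or compile_rule()
    return {name for name, pat in patterns.items() if pat.search(data)}


def rule_matches(data: bytes) -> bool:
    """Evaluate the condition: 6 of ($s*) and uint16(0) == 0x5a4d and filesize < 500KB."""
    if len(data) >= MAX_FILESIZE:
        return False
    if len(data) < 2 or int.from_bytes(data[:2], "little") != MZ_MAGIC:
        return False
    return len(matched_strings(data)) >= REQUIRED_MATCHES


# Constructed byte sequences that satisfy each string (not bytes from a real sample).
SATISFYING_BYTES = {
    "$s1": TEXT_STRINGS["$s1"],
    "$s2": TEXT_STRINGS["$s2"],
    "$s3": TEXT_STRINGS["$s3"],
    "$s4": bytes([0x83, 0xF8, 0x41]),                 # cmp eax, 0x41 ('A')
    "$s5": bytes([0x83, 0xFA, 0x74]),                 # cmp edx, 0x74 ('t')
    "$s6": bytes([0x81, 0xBD, 0x10, 0xFF, 0xFF, 0x00, 0x2D, 0x37, 0x00, 0x00]),  # cmp dword [ebp+disp32], 0x372D
    "$s7": bytes([0x81, 0xBD, 0x10, 0xFF, 0xFF, 0x00, 0x2C, 0x37, 0x00, 0x00]),  # cmp dword [ebp+disp32], 0x372C
}


def build_sample(names, magic: bytes = b"MZ") -> bytes:
    """Assemble a synthetic file: DOS magic, NOP filler, then the chosen strings separated by padding."""
    body = magic + b"\x90" * 64
    for name in names:
        body += SATISFYING_BYTES[name] + b"\x00" * 8
    return body


if __name__ == "__main__":
    full = build_sample(SATISFYING_BYTES)
    print(sorted(matched_strings(full)), rule_matches(full))          # all seven, True
    print(rule_matches(build_sample(["$s1", "$s2", "$s3", "$s4", "$s5"])))  # only five, False
```

The point of the exercise is the threshold: a file with six of the seven strings fires, a file with five does not, and nothing fires without the `MZ` magic or at 500 KB and above, which is exactly what the `6 of ($s*)` condition buys over a plain all-strings rule when one string is patched out between builds. For production scanning use the `yara` binary or `yara-python` against the rule text in Table 5; this translation only exists to show what that rule asks of a file.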