Malware Awareness - EMOTET Resurgence

Updated: 26 Sep 2017

Product/Version:
    • Deep Security 10.0
    • Deep Security 10.1
    • InterScan Messaging Security Virtual Appliance 9.0
    • InterScan Messaging Security Virtual Appliance 9.1
    • OfficeScan 11.0
    • OfficeScan XG.All
    • ScanMail for Exchange 12.0
    • ScanMail for IBM Domino 5.6 Linux
    • ScanMail for IBM Domino 5.6 Windows
    • Worry-Free Business Security Standard/Advanced 8.0
    • Worry-Free Business Security Standard/Advanced 9.0
    • Worry-Free Business Security Standard/Advanced 9.5

Platform: N/A

Summary

EMOTET malware communicates with its C&C server to determine what payload to deliver. One possible payload makes the infected machine part of a botnet that sends spam email to spread the malware. The malware can also harvest email addresses from the infected machine and steal usernames and passwords found in installed browsers. For persistence, it either installs itself as a service or creates an autorun registry entry.

EMOTET

Details
PRESCRIBED SOLUTION

VSAPI Pattern (Malicious File Detection)

| Layer | Pattern | Pattern branch/version | Released date/time (GMT+8) |
|---|---|---|---|
| Infection | TSPY_EMOTET.AUSJLC | 13.625.00 | 8/30/2017 |
| Infection | HS_EMOTET.SMD0 | 13.625.00 | 8/30/2017 |
| Infection | TROJ_HPEMOTET.SMF | 13.623.00 | 8/29/2017 |
| Infection | TSPY_EMOTET.SMD5 | 13.623.00 | 8/29/2017 |
| Infection | TSPY_EMOTET.SMD6 | 13.623.00 | 8/29/2017 |
| Infection | TSPY_HPEMOTET.SMDX0 | 13.623.00 | 8/29/2017 |
| Infection | TSPY_EMOTET.SMDX | 13.617.00 | 8/26/2017 |
| Infection | TSPY_EMOTET.AUSJLA | 13.615.00 | 8/25/2017 |
| Infection | TSPY_EMOTET.SMD4 | 13.615.00 | 8/25/2017 |
| Infection | TSPY_EMOTET.SMD3 | 13.601.00 | 8/18/2017 |
| Infection | TSPY_HPEMOTET.SMQ | 13.601.00 | 8/18/2017 |
| Infection | TSPY_EMOTET.SML3 | 13.599.00 | 8/17/2017 |
| Infection | TSPY_EMOTET.SMD2 | 13.597.00 | 8/16/2017 |
| Infection | TSPY_EMOTET.SMD1 | 13.589.00 | 8/12/2017 |
| Infection | TSPY_EMOTET.SMD | 13.581.00 | 8/8/2017 |
| Infection | TSPY_EMOTET.SMQ | 13.569.00 | 8/2/2017 |
| Infection | TSPY_EMOTET.SMQ1 | 13.569.00 | 8/2/2017 |
| Infection | TSPY_EMOTET.SMR | 13.555.00 | 7/26/2017 |
| Infection | TSPY_EMOTET.SMO | 13.505.00 | 7/1/2017 |
| Infection | TSPY_EMOTET.SMC | 13.499.00 | 6/28/2017 |
| Infection | TSPY_HPEMOTET.SME | 13.445.00 | 6/6/2017 |
| Infection | TSPY_EMOTET.SMB | 13.437.00 | 5/28/2017 |

TRENDX Detection

TSPY_EMOTET Detections
  • ADW.Win32.TRX.XXPE002FF018
  • HKTL.Win32.TRX.XXPE002FF018
  • PE.Win32.TRX.XXPE002FF018
  • Ransom.Win32.TRX.XXPE002FF018
  • Ransom.Win32.TRX.XXPE002FF018P0005
  • TROJ.Win32.TRX.XXPE002FF018
  • TROJ.Win32.TRX.XXPE002FF018P0005
  • TSPY.Win32.TRX.XXPE002FF018
  • Troj.Win32.TRX.XXPE002FF018
  • Troj.Win32.TRX.XXPE002FF018P0002
  • Troj.Win32.TRX.XXPE002FF018P0005

WEB REPUTATION (Malicious URLs and Classification)

URLs blocked
A total of 165 URLs related to EMOTET have already been blocked.
(See complete list)

ANTISPAM Pattern

| Layer | Detection | Pattern branch/version | Released date/time (GMT+8) |
|---|---|---|---|
| Arrival | Spam Mail | AS3274 | 8/21/2017 |

AEGIS Pattern (Behavior Monitoring Pattern)

| Layer | Detection | Pattern branch/version | Released date/time (GMT+8) |
|---|---|---|---|
| Aegis | 2958T / 2959Q | TMTD 1695 | 8/31/2017 |

DCT Pattern (System Clean Pattern)

| Layer | Detection | Pattern branch/version | Released date/time (GMT+8) |
|---|---|---|---|
| CLEAN-UP | TSC_GENCLEAN | latest DCT OPR | Built-in |
 
Make sure to always use the latest pattern available to detect the old and new variants of EMOTET.

SOLUTION MAP

Major Products | Versions | Virus Pattern | Behavior Monitoring | Web Reputation | DCT Pattern | Antispam Pattern | Network Pattern

OfficeScan
11 SP1 and above
Update pattern via web console.
Update pattern via web console.
Enable Web Reputation Service.*
Update pattern via web console.
(not applicable)
Update pattern via web console.

Worry Free Business Suite
Standard
(not applicable)
Advanced/MSA
Update pattern via web console.
Hosted

Deep Security
8.0 and above
(not applicable)
(not applicable)
Update pattern via web console.

ScanMail
SMEX 10 and later
(not applicable)
Update pattern via web console.
(not applicable)
SMD 5 and later

InterScan Messaging
IMSVA 8.0 and above

InterScan Web
IWSVA 6.0 and later

Deep Discovery
DDI 3.0 and later
(not applicable)
Update pattern via web console.

* Refer to the product Administrator’s Guide on how to enable Email Reputation or Web Reputation services.

RECOMMENDATION

THREAT REPORT

BLOGS

Read the KB article on Submitting suspicious or undetected virus for file analysis to Technical Support.

Category:
Troubleshoot; Remove a Malware / Virus; Update
Solution Id:
1118391