Sign In with your
Trend Micro Account

Sign in to MySupport

Need Help?

Need More Help?

Create a technical support case if you need further support.

Malware Awareness - EMOTET Resurgence

- Updated:
- 27 Jun 2019
- Product/Version:
- Deep Security 10.0
- Deep Security 10.1
- Deep Security 11.0
- Deep Security 12.0
- InterScan Messaging Security Virtual Appliance 9.0
- InterScan Messaging Security Virtual Appliance 9.1
- OfficeScan 11.0
- OfficeScan XG.All
- ScanMail for Exchange 12.0
- ScanMail for Exchange 12.5
- ScanMail for Exchange 14.0
- ScanMail for IBM Domino 5.6 Linux
- ScanMail for IBM Domino 5.6 Windows
- Worry-Free Business Security Standard/Advanced 8.0
- Worry-Free Business Security Standard/Advanced 9.0
- Worry-Free Business Security Standard/Advanced 9.5
- Platform:
- N/A N/A

Summary

EMOTET malware communicates with its C&C server to determine what payload to deliver. One possible payload is that the infected machine serves as a botnet that sends spam email to spread the malware. It is also capable of harvesting email addresses from the infected machine, and steals username and password found in installed browsers. For its persistence, the malware is installed either as a service or autorun registry entry is created.

Click image to enlarge.

Details

Capabilities

Information Theft: Yes
Rootkit Capability: Yes
File Infection: Yes
Propagation: Yes
Download Routine: Yes

Infection Chain

Available Solutions

VSAPI/SMART

Pattern	Detection/Policy/Rules	Pattern branch/version	Release date
TrendX	BKDR.Win32.TRX.XXPE50F13005 Ransom.Win32.TRX.XXPE50FFF027 TROJ.Win32.TRX.XXPE50F13005 TROJ.Win32.TRX.XXPE50F13005R2D6F Ransom.Win32.TRX.XXPE50F13005	N/A	October 4, 2018
VSAPI	TSPY_EMOTET.THJOBAH TSPY_EMOTET.THOIBEAL TSPY_EMOTET.OIBEAL TSPY_EMOTET.THJOAAH TSPY_EMOTET.THAOOAAH TSPY_EMOTET.THOIBEAK TSPY_EMOTET.OIBEAJ TSPY_EMOTET.THIBGAH TSPY_EMOTET.THOIBEAI PDF_EMOTET.THIBOAH PDF_EMOTET.THIAGAH	Ent OPR 14.541.04	October 2, 2018

Behavioral Monitoring

Pattern	Detection/Policy/Rules	Pattern branch/version	Release date
AEGIS	2980T (Binary)	Behavior Monitoring Pattern OPR 1797	June 15, 2018

Email Protection

Subject	MD5	Pattern branch/version	Release date
Statement & Request for Payment	86c5c99ebc40a1667414284bfecfaa90	AS 4134	October 4, 2018
Mike Ennis – Invoice	321bea21e092f4315f3162294f4e2ff7	AS 4134	October 4, 2018
Your Statement	2719ad188bb232b2364fd72b88a3e36d	AS 4134	October 4, 2018
Invoice 57/EHNW4050542441	13921dbf996f761844641abfb6a18c20	AS 4134	October 4, 2018
Statement & Request for Payment	86c5c99ebc40a1667414284bfecfaa90	AS 4134	October 4, 2018
Invoice Attached for your payment	9e8aab30b0c9b69af7b7900a6a498b77	AS 4134	October 4, 2018
Invoice 50/ZYPPR3276061784	aeca7613fb1eb0da239040c43f8eab66	AS 4134	October 4, 2018
[PMB] Pro-forma Invoice-8305328/13233994	c171910c441f776b47f2c6cf67d8e1a8	AS 4134	October 4, 2018
[GWE] INVOICE- Ref: 74002297	b0f192a12244c810debffc0851e22647	AS 4134	October 4, 2018

URL Protection

URL	Category	Blocking Date
hxxp://asuisp.cn/8P/	Malware Accomplice	August 14, 2018
hxxp://craftww.pl/BidC/	Malware Accomplice	August 11, 2018
hxxp://ecojusticepress.com/lRmU2Jt/	C&C Server	July 31, 2018
hxxp://daihyo.co.jp/IdAILl/	Malware Accomplice	August 11, 2018
hxxp://snowdoll.net/UAT/	Malware Accomplice	August 31, 2018
hxxp://ruralinnovationfund.varadev.com/lKKK1wruj/	Disease Vector	September 24, 2018
hxxp://hawkinscs.com/F/	Malware Accomplice	August 10, 2018
hxxp://peekaboorevue.com/vHVXwTU7T/	Disease Vector	September 24, 2018
hxxp://coroneisdavicente.com.br/jLk/	Malware Accomplice	August 17, 2018
hxxp://cotala.com/68vt/	C&C Server	July 31, 20188
hxxp://krever.jp/Ye5fzwm/	Disease Vector	September 20, 2018

Recommendation

Recommendations on how to best protect your network using Trend Micro products

Threat Report

Blogs

EMOTET Returns, Starts Spreading via Spam Botnet

Test Now

Rating:

Category:

Troubleshoot; Remove a Malware / Virus; Update

Solution Id:

1118391

Feedback

Did this article help you?

Thank you for your feedback!

What was the problem with this article?

The image(s) in the article did not display properly.

The article did not provide detailed procedure.

The article is hard to understand and follow.

The video did not play properly.

The article did not resolve my issue.

Others. Please specify.

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:

We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

Thanks for voting.

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:

We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.