Malware Awareness - EMOTET Resurgence

    • Updated:
    • 22 Oct 2018
    • Product/Version:
    • Deep Security 10.0
    • Deep Security 10.1
    • InterScan Messaging Security Virtual Appliance 9.0
    • InterScan Messaging Security Virtual Appliance 9.1
    • OfficeScan 11.0
    • OfficeScan XG.All
    • ScanMail for Exchange 12.0
    • ScanMail for IBM Domino 5.6 Linux
    • ScanMail for IBM Domino 5.6 Windows
    • Worry-Free Business Security Standard/Advanced 8.0
    • Worry-Free Business Security Standard/Advanced 9.0
    • Worry-Free Business Security Standard/Advanced 9.5
    • Platform:
    • N/A
Summary

EMOTET malware contacts its C&C server to determine which payload to deliver. One possible payload turns the infected machine into a node of a spam botnet that sends out email to spread the malware further. EMOTET is also capable of harvesting email addresses from the infected machine and of stealing usernames and passwords stored in installed browsers. For persistence, it either installs itself as a service or creates an autorun registry entry.

[Image: EMOTET]

Details

Capabilities

  • Information Theft: Yes
  • Rootkit Capability: Yes
  • File Infection: Yes
  • Propagation: Yes
  • Download Routine: Yes

Infection Chain

[Image: Infection chain]

Available Solutions

VSAPI/SMART

Pattern: TrendX
Pattern branch/version: N/A
Release date: October 4, 2018
Detection/Policy/Rules:
  • BKDR.Win32.TRX.XXPE50F13005
  • Ransom.Win32.TRX.XXPE50FFF027
  • TROJ.Win32.TRX.XXPE50F13005
  • TROJ.Win32.TRX.XXPE50F13005R2D6F
  • Ransom.Win32.TRX.XXPE50F13005

Pattern: VSAPI
Pattern branch/version: Ent OPR 14.541.04
Release date: October 2, 2018
Detection/Policy/Rules:
  • TSPY_EMOTET.THJOBAH
  • TSPY_EMOTET.THOIBEAL
  • TSPY_EMOTET.OIBEAL
  • TSPY_EMOTET.THJOAAH
  • TSPY_EMOTET.THAOOAAH
  • TSPY_EMOTET.THOIBEAK
  • TSPY_EMOTET.OIBEAJ
  • TSPY_EMOTET.THIBGAH
  • TSPY_EMOTET.THOIBEAI
  • PDF_EMOTET.THIBOAH
  • PDF_EMOTET.THIAGAH

Behavioral Monitoring

Pattern: AEGIS
Detection/Policy/Rules: 2980T (Binary)
Pattern branch/version: Behavior Monitoring Pattern OPR 1797
Release date: June 15, 2018

Email Protection

Subject | MD5 | Pattern branch/version | Release date
Statement & Request for Payment | 86c5c99ebc40a1667414284bfecfaa90 | AS 4134 | October 4, 2018
Mike Ennis – Invoice | 321bea21e092f4315f3162294f4e2ff7 | AS 4134 | October 4, 2018
Your Statement | 2719ad188bb232b2364fd72b88a3e36d | AS 4134 | October 4, 2018
Invoice 57/EHNW4050542441 | 13921dbf996f761844641abfb6a18c20 | AS 4134 | October 4, 2018
Invoice Attached for your payment | 9e8aab30b0c9b69af7b7900a6a498b77 | AS 4134 | October 4, 2018
Invoice 50/ZYPPR3276061784 | aeca7613fb1eb0da239040c43f8eab66 | AS 4134 | October 4, 2018
[PMB] Pro-forma Invoice-8305328/13233994 | c171910c441f776b47f2c6cf67d8e1a8 | AS 4134 | October 4, 2018
[GWE] INVOICE- Ref: 74002297 | b0f192a12244c810debffc0851e22647 | AS 4134 | October 4, 2018

URL Protection

URL | Category | Blocking Date
hxxp://asuisp.cn/8P/ | Malware Accomplice | August 14, 2018
hxxp://craftww.pl/BidC/ | Malware Accomplice | August 11, 2018
hxxp://ecojusticepress.com/lRmU2Jt/ | C&C Server | July 31, 2018
hxxp://daihyo.co.jp/IdAILl/ | Malware Accomplice | August 11, 2018
hxxp://snowdoll.net/UAT/ | Malware Accomplice | August 31, 2018
hxxp://ruralinnovationfund.varadev.com/lKKK1wruj/ | Disease Vector | September 24, 2018
hxxp://hawkinscs.com/F/ | Malware Accomplice | August 10, 2018
hxxp://peekaboorevue.com/vHVXwTU7T/ | Disease Vector | September 24, 2018
hxxp://coroneisdavicente.com.br/jLk/ | Malware Accomplice | August 17, 2018
hxxp://cotala.com/68vt/ | C&C Server | July 31, 2018
hxxp://krever.jp/Ye5fzwm/ | Disease Vector | September 20, 2018
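The Email Protection and URL Protection tables above can also be used for retrospective hunting in your own logs. The following Python script is an added example written for this article, not a Trend Micro tool: it refangs a subset of the listed hxxp:// URLs, matches proxy log lines by host and path prefix, and matches mail gateway lines by attachment MD5. The proxy and mail log formats (including the md5= field) are constructed assumptions.

```python
import re

# Indicators copied from this page's URL Protection and Email Protection tables (a subset).
LISTED_URLS = [
    "hxxp://ecojusticepress.com/lRmU2Jt/",  # C&C Server
    "hxxp://cotala.com/68vt/",              # C&C Server
    "hxxp://krever.jp/Ye5fzwm/",            # Disease Vector
]
LISTED_MD5 = {
    "86c5c99ebc40a1667414284bfecfaa90": "Statement & Request for Payment",
    "2719ad188bb232b2364fd72b88a3e36d": "Your Statement",
}

def host_path(url):
    """(host, path) for an http/https/hxxp URL; host lower-cased, path '/' if absent."""
    m = re.match(r"^h(?:tt|xx)ps?://([^/\s]+)(/\S*)?", url, re.IGNORECASE)
    return (m.group(1).lower(), m.group(2) or "/") if m else None

def find_url_hits(proxy_lines, listed=LISTED_URLS):
    """Proxy log lines whose URL is on a listed host and under its listed path
    (prefix match, so the file name served below the directory still hits)."""
    wanted = [host_path(u) for u in listed]
    hits = []
    for line in proxy_lines:
        m = re.search(r"https?://\S+", line, re.IGNORECASE)
        hp = host_path(m.group(0)) if m else None
        if hp and any(hp[0] == h and hp[1].startswith(p) for h, p in wanted):
            hits.append(line)
    return hits

def find_attachment_hits(mail_lines, listed=LISTED_MD5):
    """(md5, known subject) for gateway lines carrying a listed attachment MD5.
    Assumes a constructed log format with an 'md5=<hex>' field per attachment."""
    hits = []
    for line in mail_lines:
        m = re.search(r"\bmd5=([0-9a-f]{32})\b", line, re.IGNORECASE)
        if m and m.group(1).lower() in listed:
            hits.append((m.group(1).lower(), listed[m.group(1).lower()]))
    return hits

# Constructed sample log lines (not real traffic).
PROXY = [
    "2018-10-04 09:12:01 10.1.2.3 GET http://cotala.com/68vt/ 200",
    "2018-10-04 09:12:05 10.1.2.3 GET HTTP://Krever.JP/Ye5fzwm/inv.doc 200",
    "2018-10-04 09:13:00 10.1.2.4 GET http://example.invalid/68vt/ 200",
]
MAIL = [
    'subject="Your Statement" file=stmt.doc md5=2719AD188BB232B2364FD72B88A3E36D',
    'subject="Team lunch" file=menu.pdf md5=00000000000000000000000000000000',
]
```

Matching on host plus path prefix rather than the exact listed URL means a download of a named file from one of the listed directories is still flagged, while the same path on an unrelated host is not.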

Recommendation

Recommendations on how to best protect your network using Trend Micro products

Threat Report

Blogs

EMOTET Returns, Starts Spreading via Spam Botnet
