Summary
EMOTET malware communicates with its C&C server to determine what payload to deliver. One possible payload is that the infected machine serves as a botnet that sends spam email to spread the malware. It is also capable of harvesting email addresses from the infected machine, and steals username and password found in installed browsers. For its persistence, the malware is installed either as a service or autorun registry entry is created.
Click image to enlarge.
Details
Capabilities
- Information Theft: Yes
- Rootkit Capability: Yes
- File Infection: Yes
- Propagation: Yes
- Download Routine: Yes
Infection Chain
Available Solutions
VSAPI/SMART
| Pattern | Detection/Policy/Rules | Pattern branch/version | Release date |
|---|---|---|---|
| TrendX | BKDR.Win32.TRX.XXPE50F13005 Ransom.Win32.TRX.XXPE50FFF027 TROJ.Win32.TRX.XXPE50F13005 TROJ.Win32.TRX.XXPE50F13005R2D6F Ransom.Win32.TRX.XXPE50F13005 | N/A | October 4, 2018 |
| VSAPI | TSPY_EMOTET.THJOBAH TSPY_EMOTET.THOIBEAL TSPY_EMOTET.OIBEAL TSPY_EMOTET.THJOAAH TSPY_EMOTET.THAOOAAH TSPY_EMOTET.THOIBEAK TSPY_EMOTET.OIBEAJ TSPY_EMOTET.THIBGAH TSPY_EMOTET.THOIBEAI PDF_EMOTET.THIBOAH PDF_EMOTET.THIAGAH | Ent OPR 14.541.04 | October 2, 2018 |
Behavioral Monitoring
| Pattern | Detection/Policy/Rules | Pattern branch/version | Release date |
|---|---|---|---|
| AEGIS | 2980T (Binary) | Behavior Monitoring Pattern OPR 1797 | June 15, 2018 |
Email Protection
| Subject | MD5 | Pattern branch/version | Release date |
|---|---|---|---|
| Statement & Request for Payment | 86c5c99ebc40a1667414284bfecfaa90 | AS 4134 | October 4, 2018 |
| Mike Ennis – Invoice | 321bea21e092f4315f3162294f4e2ff7 | AS 4134 | October 4, 2018 |
| Your Statement | 2719ad188bb232b2364fd72b88a3e36d | AS 4134 | October 4, 2018 |
| Invoice 57/EHNW4050542441 | 13921dbf996f761844641abfb6a18c20 | AS 4134 | October 4, 2018 |
| Statement & Request for Payment | 86c5c99ebc40a1667414284bfecfaa90 | AS 4134 | October 4, 2018 |
| Invoice Attached for your payment | 9e8aab30b0c9b69af7b7900a6a498b77 | AS 4134 | October 4, 2018 |
| Invoice 50/ZYPPR3276061784 | aeca7613fb1eb0da239040c43f8eab66 | AS 4134 | October 4, 2018 |
| [PMB] Pro-forma Invoice-8305328/13233994 | c171910c441f776b47f2c6cf67d8e1a8 | AS 4134 | October 4, 2018 |
| [GWE] INVOICE- Ref: 74002297 | b0f192a12244c810debffc0851e22647 | AS 4134 | October 4, 2018 |
URL Protection
| URL | Category | Blocking Date |
|---|---|---|
| hxxp://asuisp.cn/8P/ | Malware Accomplice | August 14, 2018 |
| hxxp://craftww.pl/BidC/ | Malware Accomplice | August 11, 2018 |
| hxxp://ecojusticepress.com/lRmU2Jt/ | C&C Server | July 31, 2018 |
| hxxp://daihyo.co.jp/IdAILl/ | Malware Accomplice | August 11, 2018 |
| hxxp://snowdoll.net/UAT/ | Malware Accomplice | August 31, 2018 |
| hxxp://ruralinnovationfund.varadev.com/lKKK1wruj/ | Disease Vector | September 24, 2018 |
| hxxp://hawkinscs.com/F/ | Malware Accomplice | August 10, 2018 |
| hxxp://peekaboorevue.com/vHVXwTU7T/ | Disease Vector | September 24, 2018 |
| hxxp://coroneisdavicente.com.br/jLk/ | Malware Accomplice | August 17, 2018 |
| hxxp://cotala.com/68vt/ | C&C Server | July 31, 20188 |
| hxxp://krever.jp/Ye5fzwm/ | Disease Vector | September 20, 2018 |
Recommendation
Recommendations on how to best protect your network using Trend Micro products
Threat Report
- Trend Micro Threat Encyclopedia: TSPY_EMOTET
- Trend Micro Threat Encyclopedia: TSPY_EMOTET.AUSJLA
- Trend Micro Threat Encyclopedia: TSPY_EMOTET.SMD3
- Trend Micro Threat Encyclopedia: TSPY_EMOTET.AUSJKW
- Trend Micro Threat Encyclopedia: TSPY_EMOTET.AUSJKV
