Emotet – Page 2 – Lost in Security (and mostly everything else)

Deobfuscating an Emotet MalDoc Script

Herbie December 5, 2017 December 5, 2017Code

So this post covers the malicious macro script that was found in an older writeup for Emotet which you can find here. While one could develop tools to help deobfuscate the macro script like @David Ledbetter did in his blog post, I wanted to show another way of doing it – manually without any programs or scripts. I wanted to do it this way and document it since I have no talent or skill in the ways of developing programs/scripts to do this kind of work and to show that it is possible to those of us that are “code…

2017-11-15 Another Malspam Message Leads to New Emotet

Herbie November 16, 2017 November 16, 2017Packet Analysis

This is just a quick writeup for an Emotet malspam that I found in Triton. Nothing to detailed or anything of the sort. I was not able to obtain the initial malicious binary (73077.exe) from the Word document, so after getting all the details, I went back on a clean VM to get that file. The file 73077.exe should be the same as the one listed below – 12961.exe. The artifacts from this can be found over at my Github here. IOCs: ===== 172.81.117.237 / xanaxsleepingpills.website (GET /Invoice-number-588962/) 162.221.188.251 / www.medicinedistributor.com (GET /UVRJ/) 41.72.140.141:8080 (POST /) 69.43.168.196:443 (POST /) Artifacts:…

2017-08-28 Malspam Leads To Emotet Malware

Herbie August 28, 2017 August 28, 2017Code, Packet Analysis

For today’s post, I am walking through an Emotet malspam that we received this past Friday that contained a simple link that lead to a macro enabled Word document. Googling around I see that @dvk01uk came across the same URLs 5 days ago. You can read that post here. Running the maldoc in my test VM showed that the initial link was still working and downloaded an executable. When running that executable on my test VM, I saw a couple of POST requests going to dead sites. First I will walk through the script that I deobfuscated and then the…

2017-07-25 Malspam Leading To Emotet Malware

Herbie July 25, 2017 July 25, 2017Packet Analysis

Today’s post is based on a malicious email that I saw in out email filters. The email (seen below) had a simple link in it that took the user to a site that automatically started a download of a malicious Word document. Odd thing is that when you visited the site in IE8, it would not allow you to connect. The link seemed to work just fine in Chrome or via Malzilla. From what I am able to gather based on the network traffic within the PCAP files along with the results from the Virustotal and Hybrid-Analysis links, it looks…

2017-07-03 Malspam Leading To Geodo/Emotet Malware

Herbie July 4, 2017 July 4, 2017Packet Analysis

This write up stems from a user getting a malicious Word document via an email for an invoice. Running the PCAP file through Network Total, I saw that that this was tagged as Geodo/Emotet malware. Googling around for Emotet, I came across a Forcepoint article in which they did a great walk-through which you can read about here. Their article seems to cover most of what I was seeing from the network traffic perspective. Fortinet has two more articles (http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1 and http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-2) that goes into really good detail about how this malware works. For the artifacts from this investigation, check…