Rewterz Threat Alert – Emotet Malware – IoCs

Monday, November 11, 2019

Severity

High

Analysis Summary

Emotet is a Trojan that is primarily spread through spam emails (malspam). The infection may arrive either via malicious script, macro-enabled document files, or malicious link. Emotet emails may contain familiar branding designed to look like a legitimate email. Emotet may try to persuade users to click the malicious files by using tempting language about “Your Invoice,” “Payment Details,” or possibly an upcoming shipment from well-known parcel companies.

Emotet has gone through a few iterations. Early versions arrived as a malicious JavaScript file. Later versions evolved to use macro-enabled documents to retrieve the virus payload from command and control (C&C) servers run by the attackers.

Impact

Financial loss

Indicators of Compromise

SH256

  • 19af5bfb8decc32253875836c39031a7e8258d167af7d0332527d0bcecb0c2b2
  • 1a762540a795a8daa194322648a2d0072ed65da6e961989b284c31cb57f68405
  • 226a36d5c22d1222e1a29d9b1eb8a072e39c5901c7b34654dc303ee6aa19f577
  • 252dc0a071edf76775a0a954287fc0cc7ebb45e6f6849f210f747027d5cdeaf1
  • 47699a9bb49acddb8c3ccc90dd7059d9677c2337878972d289fe8b656d44119d
  • 56524c7f2264ebf2f309fc400eac6016df092c75c6871669d141fcab966fdb10
  • 66f0b3b78d41b0164d680f850808ae9133b8f01746662292209aa32588e5db08
  • 872e9f66d27895a16d84e9c2ab50708693dd85ae47ad01ccd62b884bfbb2ad56
  • a35c5cd847e920a0655e99c9886aab94c91a190b3d0ef81d077e91840aa7c17b
  • a3f8cb08735b481402bbe20ac0b2acfb827feac8f62d9d37db3aee0ae03c826f
  • a9b18b8eb2f84bac3e831bcead88b525e623e0a3b7c71fc54130b99b3c12969f
  • b6e62040ec8b2a92762f654d7f561c761235d6cb688e476c45e96b5355154759
  • cb1418e28836dca5fb61a788ce324e9e4d1c3b1e4de6cdada721786f4ea8e12c
  • e6d81855312d026966d95dd51dc09a23fa743d21bb2edb4f8943d767fff54a25
  • eaa809f6ebdc3ddceba5b7d61bfe29db87f098a4c7bec05243c59df51406dfa1
  • ffa68a8f6da85239d67cc3900d6ec7c573ae607cd9061389b260c2f5034dd4a0

URL

  • http[:]//altruisme[.]id/wp-admin/vZKnZqjMqsPuwinXFnaBOzVfQe/
  • http[:]//apple-doctor[.]co[.]kr/wp-includes/57ue8yxbj9cnltpw79ovgprc79mcgfwrg3g/
  • http[:]//blog[.]nalanchenye[.]cn/sjnx/ev7j3w2wuzw9c06sfnsl1pkxomci0k8tx/
  • http[:]//blog[.]yaobinjie[.]top/wp-admin/97e4bgd1ipa2xkuy2nmk5ebueof2rugff7/
  • http[:]//garatuonline[.]es/wp-admin/ayr56gh65xnuncin8l0ddkngn0gkt2/
  • http[:]//giftcatelogz[.]com/wp-admin/cb10wpgm89ysnysitilbbd084/
  • http[:]//jftwebmarketing[.]com/mcc/yrjdo5ui3iuvfcu9e1svri/
  • http[:]//korekortviborg[.]dk/wsxq66h/mnWlDLjshjGVzx/
  • http[:]//mynet07[.]com/wp-admin/bFEYqYEGLBypImyyjc/
  • http[:]//nirvana-memorial[.]co[.]th/cgi-bin/ih929uqqn27650xrm/
  • http[:]//puskesmasmanguharjo[.]madiunkota[.]go[.]id/hfoiawj24jr/zUbarcSMvgXc/
  • http[:]//quangcaogiaodich[.]com/wp-content/upgrade/jzkowiu4uobwywynyj7/
  • http[:]//sabzoabi[.]ir/abiosabz[.]ir/mj4qdtd83jid8ibxg9awoe/
  • http[:]//shreeharisales[.]org/wp-admin/oLJDQSyjhXrWuCkCUhpHETW/
  • http[:]//test[.]oeag[.]at/lare/xzfjglc0ygmm5869qhjlbil/
  • http[:]//www[.]awardglobal[.]cn/gsae9da/98ner0e6ynm8wp4jkyrnm4sixrufzjkddvg9/
  • http[:]//www[.]cyberoceans[.]ng/cgi-bin/5aua6r6yif7oi2adx2uvh3bq459429hape6ju/
  • http[:]//www[.]digitalsushi[.]it/wp-admin/MQlQnlzmtaX/
  • http[:]//www[.]dolphininsight[.]it/wp-includes/wIAxwfTVtpEDixSmDMrVE/
  • http[:]//www[.]dty5[.]com/aqs2q/i0vzxgxwb2qyiwopfw5x0xghz86b1/
  • http[:]//xe-logistics[.]com/san/lba70p8gsncc1fi4wy3cwugxbjrk/

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.

Data Sheets

Corporate Brochure


Our Story


Services


Solutions


Managed Security


Upcoming Rewterz Trainings/Events

Rewterz News

  • 6, December 2019 Rewterz Threat Advisory – CVE-2019-14899 – New Linux Vulnerability Inferring and hijacking VPN-tunneled TCP connections
  • 6, December 2019 Rewterz Threat Advisory – CVE-2019-18232 – ICS: Thales DIS SafeNet Sentinel LDK License Manager Runtime Privilege Escalation Vulnerability
  • 5, December 2019 Rewterz Threat Alert – “ZeroCleare” Targets Energy Sector in the Middle East
  • 5, December 2019 Rewterz Threat Alert – CStealer Trojan Targeting Chrome Passwords

Copyright © Rewterz. All rights reserved.