Rewterz Threat Alert – Emotet is Back

Severity

High

Analysis Summary

Emotet Malware is constantly being detected in the wild, targeting organizations from multiple sectors and countries. Emotetis a Trojan that is primarily spread through spam emails (malspam). The infection may arrive either via malicious script, macro-enabled document files, or malicious link. Emotet emails may contain familiar branding designed to look like a legitimate email. Emotet may try to persuade users to click the malicious files by using tempting language about “YourInvoice,” “Payment Details,” or possibly an upcoming shipment from well-known parcel companies. Emotet has gone through a few iterations. Early versions arrived as a malicious JavaScript file. Later versions evolved to use macro-enabled documents to retrieve the virus payload from command and control (C&C) servers run by the attackers. Lately, Emotet infections have been used to distribute other malware like Qakbot. So these can be multi-stage attacks that bundle other malware with emotet. Emotet has also been found stealing email attachments to attack contacts of compromised victims.
Fresher IoCs are retrieved almost every week.

Impact

• Financial loss 
• Exposure of sensitive data

Indicators of Compromise

MD5

• 440d59c4b0c5b895fbdf0f51eb4331c9
• 9c35a1e522b8d9d48313ab8f8117b4c9
• 8ac33329a0c0bb720796874ab42121e7
• eea9730c8b427009251cf310bd8c99ef
• 2609135b06c30cf497bf3220df302616
• a5f973505a28aeedb5439640bb4cbe69
• 2d98edc676e04e12a849ca903143ccdd
• 3f2701c3e98289d3a8e130a805d60901
• c5b878437a358ad0ccfa2b2ad41c12b7
• 9ec91db1243cf707f6d4d83841d851dd
• 466985f20b50a18a2e808d2b98c24331
• 87bc7f98760a5a72c2fd5511497e746d
• c2783eaaa3ae107ceb4c2e8c65684ddb
• 36e7f2ae31e2b5e623529122a18ba76c
• e7a5d832a01eb6ff32429c24c4cfd19d
• e5d47be2d6835ffbf9273183a165d4d4
• 17b5b7460675ed260d3cf6842e402024
• bce42e917ba1e7bcac4bef98d32c114a

SHA-256

• e9b5c069a0bb351288d1b3bd1d9894cc07e4287c139474e753b42441b486f6f3
• d52ef6e08cb90154fa0195d24be9e05559846bc1451e29494dd76db3231fee8a
• d07c1c5fd6d07a34fc89c87e410cc14d53971671d76106599e56822fe826cebe
• bff93708db43d3d6449a7c41c9f193fd28333d1f06d7caa3f7af0442a6b531c6
• b01dfb00fd48daf8ef000afe014c4a46e824565f6b0b2f8b22347f7d69693fb1
• ace5ddc10143a31cc2df2146715a6f06aabce2bc62283d744129cad0df6caf24
• 86ea1c96f66e3590e2945dc29582652a320f73579a67d87d35d05729e21d3078
• 7b5a1638e8de53886681a7b38e2ff6c736820efc872dc2022311b186fa50a28a
• 72c6870e4a0bf0f72461e933fefeea9ee46cd202142ad7ca6394b59431150e8d
• 6a89a182a06e603883dbfaeddfc0d63906412d87d83b565117d9d5f8d2c8e80d
• 5eadfa4dd6b036fb7cc42f1c023fde4579c2d2ab49e4c84b93f6e207272b07b3
• 5d1c5406a90ca4ba7c5078c9f70aa0b3529b881307a5c7dcdd36c5078fdac5a7
• 55575706fa5962eb566bd22d46e44c4512ae7f68dc97732a8bf5f220524e215f
• 47b014bad2d24296b2d07b3f69a9ce0b7249d11097fc09044a34755ae7be7810
• 40262cc016ac77ac410894f3dfd8a1c4a3fcbb3725a583d6defd2ea4d556df5a
• 3bf02147cc6adcb05dfbfa2b38035a502d63ccd755fc75d3b84e906faaa6d8e0
• 2fe68792156de00f51f5ba6eb2654c68939c82bade8d874bf40ef874995aaf30
• 12b570ed04bcef22ec41a8b940c3578aad3997f5f0dd91ce114a3a110b867fe8

SHA1

• 374e6f97a7e07844dbdbca0c4eef9a6669633637
• 61bc7f076227298c2d103bab377c2eb7da9f1611
• b44397171d089cd72271aade9641d4e84e8d6932
• b4c0fbeb2dafa99d68d08bab07fbe992654d85e1
• 0afb7a94f87826d60c4343e45311ba66dd5a87f3
• cb0b0411f9c201377fcc3569dba02ebd43da9222
• e5723e4f8dc982e873e1b325f7e3209298860742
• 777d9654ff9312d713b657f2e7fc528409b090f9
• cf8c190de3aa10fb6b09de62b6ba7038f7a39bda
• 87ea48f4d66630fa838815e04756f26a1a8ce725
• 52ac3c024b0c6ab9cfed38c426d2c4c1d9876aba
• ac19d67f5193fa5d80a130bf21ee5c7eac04e3db
• 9115ac040561a6dde9367856fd94cef4e8760e34
• a162721627d23fe6870f25675961322491944f6c
• fafdbaf599191bf46e35281a9dfd334ca45eaf90
• b173d0c34b45eec70d5e91191e8ce02f042df4e3
• ca001e4f669b48f91879165fe1fcc0751dba8672
• 17c0fd5c68bfeae1924eefaac710191067241b69

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.