Rewterz Threat Alert – Emotet Still Active – IoCs

Severity

High

Analysis Summary

Emotet is still active in the wild with its July 2020 campaign. The campaign uses a malicious Microsoft Word document, and gets creative with the appeal to enable content. Below is the attack flow.

VMRay Analyzer Report showing verdict and process graph of a sample from Emotet campaign July 2020.

The document uses a highly obfuscated macro that begins to be executed when opened. The macro starts a Powershell instance with encoded commands as a program argument. These commands then try to download Emotet from five hardcoded hosts and save it with a fixed name specified in the command itself (later moved to %AppData%\msvcr100\).

Impact

• Credential Theft
• Information Theft
• Financial Theft

Indicators of Compromise

Domain Name

• mapas[.]hoonicorns[.]pt
• www[.]20190607[.]com
• connect-plus[.]co[.]uk
• lovely-lollies[.]com

MD5

• d40863c1d11d96d51e09252558e09946

SHA-256

• cc4e6e42f73500c72d0d0820b4a3c131e2f8fce4d7d730eb8f9fc1b5cc3e882e

SHA1

• f4a52b0eccaaebfeb65ee380be4c10c114d0fcfb

Source IP

• 212[.]51[.]142[.]238
• 198[.]144[.]158[.]120
• 109[.]117[.]53[.]230

URL

• http[:]//mapas[.]hoonicorns[.]pt/comp3/ly8cmti/
• https[:]//lovely-lollies[.]com/wp-admin/fgvid/
• https[:]//connect-plus[.]co[.]uk/aspnet_client/3yey3rr/
• https[:]//www[.]angage[.]com/wp-content/mtincvc/
• http[:]//www[.]20190607[.]com/wp-admin/ixyjozs/

Remediation

• Block the threat indicators at respective controls.
• Do not download email attachments coming from untrusted email addresses.
• Do not enable macros for untrusted files.