Rewterz Threat Alert – Emotet Malware – IOCs

Severity

Medium

Analysis Summary

Emotet is a Trojan that is primarily spread through spam emails (malspam). The infection may arrive via a malicious script, a macro-enabled document file, or a malicious link. Emotet emails may carry familiar branding designed to look like a legitimate email. Emotet may try to persuade users to open the malicious files by using tempting language about “Your Invoice,” “Payment Details,” or possibly an upcoming shipment from well-known parcel companies. Emotet has gone through a few iterations. Early versions arrived as a malicious JavaScript file. Later versions evolved to use macro-enabled documents to retrieve the malware payload from command and control (C&C) servers run by the attackers.

Impact

  • Financial loss
  • Exposure of sensitive data

Indicators of Compromise

URL

  • http[:]//amcoitsystems[.]com/wp/ZxXBfZxSe/
  • http[:]//iraniansk[.]com/open_array/y95o2z97gsw3_nk9buc_profile/8iowzk2_z150t43sy3y/
  • http[:]//bswinformatica[.]com[.]br/EmailMKT/private_array/close_CxUlww_PuqO4dNtDETT4q/d9in9vwcj25lrkk_127134t79/
  • http[:]//admvero[.]com[.]br/minhaagua/personal_box/close_lcdwnop_iedanuwfbxoc/LqmhQ1I_novvbhnpju/
  • http[:]//rccarcare[.]com[.]au/cgi-bin/multifunctiona
  • http[:]//gh[.]xahpyy120[.]com/phpmyadmin/doc/fPJxu81Tt/
  • http[:]//ocelliptigo[.]com/undrag/FRg446071/
  • https[:]//novaerahost[.]com[.]br/wp-includes/esp/cjh1v1g/1z9142818156815sx04kesjmn9zre/
  • https[:]//cafeponton[.]nl/bin/parts_service/a72xoqz31937247035rgmoh6edecbdwqiwa8f/

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
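The following script is an added example of the "search for IOCs in your environment" step; it is not part of the Rewterz alert. It refangs the defanged URLs from the list above, normalizes host and path, and runs them over web proxy log lines. The log layout (Squid-style access log) and the sample lines are assumptions constructed for the demonstration; the only real data is the indicator list from this alert.

```python
import re
from urllib.parse import urlsplit

# Defanged URLs copied verbatim from the Indicators of Compromise list above.
DEFANGED_IOCS = [
    "http[:]//amcoitsystems[.]com/wp/ZxXBfZxSe/",
    "http[:]//iraniansk[.]com/open_array/y95o2z97gsw3_nk9buc_profile/8iowzk2_z150t43sy3y/",
    "http[:]//bswinformatica[.]com[.]br/EmailMKT/private_array/close_CxUlww_PuqO4dNtDETT4q/d9in9vwcj25lrkk_127134t79/",
    "http[:]//admvero[.]com[.]br/minhaagua/personal_box/close_lcdwnop_iedanuwfbxoc/LqmhQ1I_novvbhnpju/",
    "http[:]//rccarcare[.]com[.]au/cgi-bin/multifunctiona",
    "http[:]//gh[.]xahpyy120[.]com/phpmyadmin/doc/fPJxu81Tt/",
    "http[:]//ocelliptigo[.]com/undrag/FRg446071/",
    "https[:]//novaerahost[.]com[.]br/wp-includes/esp/cjh1v1g/1z9142818156815sx04kesjmn9zre/",
    "https[:]//cafeponton[.]nl/bin/parts_service/a72xoqz31937247035rgmoh6edecbdwqiwa8f/",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ([:], [.], hxxp) back into a plain URL string."""
    return ioc.replace("[:]", ":").replace("[.]", ".").replace("hxxp", "http")


def normalize(url: str) -> tuple:
    """Return (host, path): host lowercased, trailing slash stripped from the path,
    so that 'HOST/a/b/' and 'host/a/b' compare equal."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/") or "/"
    return host, path


def build_index(defanged: list) -> dict:
    """Map each indicator host to the set of indicator paths seen for it."""
    index: dict = {}
    for ioc in defanged:
        host, path = normalize(refang(ioc))
        index.setdefault(host, set()).add(path)
    return index


# Constructed sample proxy log lines (Squid access-log layout) - not real traffic.
SAMPLE_LOG = """\
1597651200.123 345 10.0.0.15 TCP_MISS/200 5123 GET http://amcoitsystems.com/wp/ZxXBfZxSe/ - HIER_DIRECT/203.0.113.10 application/octet-stream
1597651201.456 120 10.0.0.22 TCP_MISS/200 842 GET https://www.example.com/index.html - HIER_DIRECT/198.51.100.5 text/html
1597651202.789 301 10.0.0.31 TCP_MISS/200 4096 GET http://rccarcare.com.au/cgi-bin/multifunctiona - HIER_DIRECT/203.0.113.20 application/octet-stream
1597651203.001 55 10.0.0.31 TCP_MISS/200 300 GET http://RCCARCARE.COM.AU/robots.txt - HIER_DIRECT/203.0.113.20 text/plain
"""

# Field order assumed: timestamp, elapsed, client, result, bytes, method, url, ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def scan_log(log_text: str, index: dict) -> list:
    """Return (client, url, kind) for every line that touches an indicator host.
    kind is 'url' for an exact host+path hit and 'host' when only the host matches,
    which is still worth a look because the same server may host other paths."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host, path = normalize(m.group("url"))
        if host in index:
            kind = "url" if path in index[host] else "host"
            hits.append((m.group("client"), m.group("url"), kind))
    return hits


if __name__ == "__main__":
    for client, url, kind in scan_log(SAMPLE_LOG, build_index(DEFANGED_IOCS)):
        print(f"{kind:4s} match: client={client} url={url}")
```

Host-only matches are reported separately from exact URL matches on purpose: Emotet download paths are regenerated frequently, so a request to a listed host with a different path is a weaker but still useful signal, while an exact path match deserves immediate triage of the client.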