Rewterz Threat Alert – Emotet – IoCs

Severity

High

Analysis Summary

Emotet Malware is constantly being detected in the wild, targeting organizations from multiple sectors and countries. Emotet is a Trojan that is primarily spread through spam emails (malspam). The infection may arrive either via malicious script, macro-enabled document files, or malicious link. Emotet emails may contain familiar branding designed to look like a legitimate email. Emotet may try to persuade users to click the malicious files by using tempting language about “YourInvoice,” “Payment Details,” or possibly an upcoming shipment from well-known parcel companies. Emotet has gone through a few iterations. Early versions arrived as a malicious JavaScript file. Later versions evolved to use macro-enabled documents to retrieve the virus payload from command and control (C&C) servers run by the attackers. Lately, Emotet infections have been used to distribute other malware like Qakbot. So these can be multi-stage attacks that bundle other malware with emotet. Emotet has also been found stealing email attachments to attack contacts of compromised victims. Fresher IoCs are retrieved almost every week.

Impact

• Financial loss  
• Exposure of sensitive data

Indicators of Compromise

MD5

• d0851bd296fdb1e052ce204f64b38b49
• afea8fd1b5a5c3c820ce49f3e370eedf
• 71005bba9e930be97b914b3bfd929c04
• 2162aad9b2931687eb751297b433c199
• 17010aa39a0e60153cd8572e9fa5d31d
• 3e7cce021364b177eb0da5bad60272cf
• 3c8ec3a1caf0c0bc7d43d2a0b6ba85f1
• d7efb7d5544a7d00dbd9785c25a7bd03
• 316b7458c52140e5ec5629c651a28021
• eb9ed896999869c79ce8d5b3c853a353
• dbe769c6ecf355f72a3ee2ad7a686a87
• 5d0b5413246638d197587ff625ebdbf6
• 680899fd7dad933fcfff230c21eba2d7
• 4b76ca36dc9ed5881852ffc4337755d1

SHA-256

• 27d78c103201c428e9df883bde0bc78a5c16f80e85b5adf2b1852b81734ee794
• 40a82e26e616195a4429c8b1e008256e2b7f0d5d7002ec991ae24afd0d2de9c1
• f7fd88be8ff1f87973a575b1efbc6e8b60028cda226981e3aef7d65b599561d0
• 3e13fb38709c9b50e6acf8344d11c971d0af6ecd415c7c2b06ffb70a2d897d31
• bf5f23421070e12af6f742d900893bda78ea5f7f48c1071ea295df8e7f8b42dc
• f83999085a95aef3a61f9a444628fb84cc199686775c3c4a4a160c5739e35333
• 91e5e7a2c36a3b991859ac87adf21bfe408a674d7108772b2bc957178ec5bf0e
• acd8d93a58c80d02dbd0b94a0ad12034fa6a9ef97b7a48836696a51bfda2f618
• 9bc189f98cc7d53ea248996b1c9ad33376354722a097120fb51039f77709efce
• d6192527b304d648dfff5cb4b0a48aecf434c0c2b6fa4a661ae446f6a7a126e8
• 7f8f4c3726cc5e462a92759d5d3e519b4985901d4093e032afab30575ced882e
• 1018b4f4a1e7cf144e2769c314899aaf7aadce2e94adccce3932d34c13bec98c
• 371fa3e3ea4614e459d18e8694dd26d5787a42179bd60bf2d05b381681eae29e
• 15e544e30ba7deddce46d0334a152eb1a400ceb7bba056f09b3904840255bf20

SHA1

• 5ed259962b4b07313cba89ee90939eaa5b897ef3
• 5dcb5e67184aa1dbf6074f7761748ebd2fd68a78
• 7336ec3323f0771e8b8f399d951c69301a1e8000
• 3a61cf864272e93e62099403b6488efda33a65bc
• e1edc69e30cb0e1826884e5e945a0137af95aedc
• 6cfd79fe2bb1b2de6ca6e56d0ace19226c542974
• 07bde773cfbfaad7239cd7306778be22d69ab0ee
• d5130c8e55f40d750eb083b29407dfe70ae43420
• 18467296b6c7fbc2b4fddabaa7fc47fcda581952
• e7e6ffc697665b9170d3b194ae6f02fa0a8fb372
• 634225ebb0cf036b0bbb9498f9acbf4f4fa0a74a
• 8ca08117cc190b99ad20746ced5e84c198f2fdab
• e5d01ff8c03675e57a16544d5492c0090a80b2bb
• 53850e1175fb2642760326478a3a2a3426d33188

Remediation

• Block the threat indicators at their respective controls. 
• Do not download email attachments from unknown senders.