EmotetMalwareVulnerability

Emotet New Techniques for 2022

Emotet continues to evolve its techniques and has been observed using hexadecimal and octal representations of IP addresses in its download URLs, most likely to evade detection rules that pattern-match on dotted-decimal addresses. Both observed delivery routines rely on social engineering to trick users into enabling document macros, after which the macro automates execution of the malware. With Microsoft's recent changes to macro execution now being implemented, new tactics are likely to start appearing.
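The practical consequence of the hex/octal trick is that an IOC match on a dotted-decimal address will miss the same address written as 0x..., as zero-padded octal, or as a single 32-bit integer, all of which the inet_aton and WHATWG URL host rules resolve to the same IPv4 address. The following Python example is added here and is not code from the original page; it canonicalizes any such numeric host back to dotted-decimal before matching. The sample URLs at the bottom are constructed for the example (the numeric forms are encodings of two addresses from this page's IOC list, not URLs that were observed in the wild), and the defanged-input handling ('hxxp', '[.]') is an added convenience so the IOC list above can be fed in unchanged.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Only characters an inet_aton-style numeric host can contain; anything else
# (letters beyond a-f, '-', '_') means the host is a name, not an address.
_NUMERIC_HOST = re.compile(r"[0-9a-fA-Fx.]+")


def _parse_component(part: str) -> int:
    """Parse one dotted component with inet_aton radix rules:
    '0x' prefix -> hexadecimal, leading '0' -> octal, otherwise decimal."""
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def normalize_ipv4(host: str) -> Optional[str]:
    """Return the dotted-decimal form of any inet_aton-style IPv4 literal
    (hex, octal or decimal components, 1 to 4 of them), or None if the
    host is not such a literal."""
    if not _NUMERIC_HOST.fullmatch(host):
        return None
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_component(p) for p in parts]
    except ValueError:  # e.g. '09' parsed as octal, empty component, bare 'x'
        return None
    *lead, last = values
    # Leading components are single bytes; the last one fills the remaining
    # bytes, so '0x2e69514c' and '46.0x69514c' are both valid spellings.
    if any(v > 0xFF for v in lead):
        return None
    tail_bits = 8 * (4 - len(lead))
    if last >= 1 << tail_bits:
        return None
    num = 0
    for v in lead:
        num = (num << 8) | v
    num = (num << tail_bits) | last
    return ".".join(str((num >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_host(url: str) -> Tuple[str, bool]:
    """Return (canonical host, obfuscated) for a URL. Defanged input
    ('hxxp', '[.]') is accepted. The flag is True when the host was a
    numeric literal that did not already read as plain dotted-decimal."""
    cleaned = re.sub(r"^hxxp", "http", url.replace("[.]", "."), flags=re.I)
    host = urlsplit(cleaned).hostname or ""
    canon = normalize_ipv4(host)
    if canon is None:
        return host, False
    return canon, canon != host


if __name__ == "__main__":
    # Constructed sample URLs; the numeric hosts encode 46.105.81.76 and
    # 193.42.36.245 from the IOC list, they are not observed Emotet URLs.
    samples = [
        "hxxp://0x2e69514c/wp-content/x/",          # whole address in hex
        "hxxp://0056.0151.0121.0114/c.html",        # octal components
        "hxxp://778654028/",                        # decimal dword
        "hxxp://0xc1.42.0x24.0365/",                # mixed radix components
        "hxxp://unifiedpharma[.]com/wp-content/5arxM/",
    ]
    for s in samples:
        print(s, "->", canonical_host(s))
```

Run the canonical form, not the raw host, through your blocklist; the `obfuscated` flag is itself worth alerting on, since legitimate links almost never spell an address this way.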

Between November and December 2021, Emotet was also observed dropping Cobalt Strike beacons directly onto infected hosts, although the dropper family was relatively selective about which targets received a beacon. Together with the IP address encoding, this is further evidence that the operators keep innovating to get past pattern-based detection rules.

URLs Hosting Emotet

hxxp://unifiedpharma[.]com/wp-content/5arxM/
hxxp://hotelamerpalace[.]com/Fox-C404/LEPqPJpt4Gbr8BHAn/
hxxps://connecticutsfinestmovers[.]com/Fox-C/mVwOqxT17gVWaE8E/
hxxp://icfacn[.]com/runtime/n7qA2YStudp/
hxxps://krezol-group[.]com:443/images/PmLGLKYeCBs5d/
hxxp://ledcaopingdeng[.]com/wp-includes/Qq39yj7fpvk/
hxxp://autodiscover.karlamejia[.]com/wp-admin/hcdnVlRIiwvTVrJjJEE/
hxxps://crmweb[.]info:443/bitrix/rc9XjtwF/
hxxp://accessunited-bank[.]com/admin/hzIgVwq8btak/
hxxp://pigij[.]com/wp-admin/MVW5/
hxxp://artanddesign[.]one/wp-content/uploads/A2cZL7/
hxxp://strawberry.kids-singer[.]net/assets_c/WAdvNT84Dmu/
hxxps://eleccom[.]shop:443/services/AEjSDj/
hxxps://izocab[.]com/nashi-klienty/B5SC/

Example Emotet Payload

SHA256 hash: 2de72908e0a1ef97e4e06d8b1ba3dc0d76f580cdf36f96b5c919bea770b2805f
File size: 516,096 bytes
File location: hxxp://unifiedpharma[.]com/wp-content/5arxM/
File location: C:\Users\Public\Documents\ssd.dll
File location: C:\Users\[username]\AppData\Local\[random characters]\[random characters].[random characters]
Run method: rundll32.exe [filename],[any string]
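The drop locations and run method above translate directly into a process-creation detection: rundll32.exe loading its module from C:\Users\Public or a user's AppData\Local directory, a module with a random non-.dll extension, and an Office application as the parent (the macro that launches it). The following Python example is added here and is not code from the original page. It triages Sysmon-style Event ID 1 records (field names Image, CommandLine, ParentImage are Sysmon's; the event records themselves are constructed for the example, not real telemetry), and the list of Office parent processes is an assumption you should extend to your environment.

```python
import re
from typing import Dict, List, Optional, Tuple

# Office applications whose macros launch the dropped DLL (assumed list)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# User-writable directories matching the drop locations listed on this page
WRITABLE_DIRS = [
    re.compile(r"\\users\\public\\", re.I),
    re.compile(r"\\users\\[^\\]+\\appdata\\(?:local|roaming)\\", re.I),
    re.compile(r"\\temp\\", re.I),
]

# rundll32's first argument is the module: quoted, or up to the first comma/space
MODULE_RE = re.compile(r'rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))', re.I)


def rundll32_module(cmdline: str) -> Optional[str]:
    """Extract the module path from a rundll32 command line, or None."""
    m = MODULE_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def triage_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an event resembles Emotet's rundll32 run method;
    an empty list means nothing suspicious was seen."""
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image != "rundll32.exe":
        return []
    module = rundll32_module(ev.get("CommandLine", ""))
    if module is None:
        return []
    reasons = []
    if any(p.search(module) for p in WRITABLE_DIRS):
        reasons.append(f"module loaded from user-writable path: {module}")
    if not module.lower().endswith(".dll"):
        # the second drop location on this page uses a random extension
        reasons.append(f"module does not carry a .dll extension: {module}")
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office application: {parent}")
    return reasons


def triage(events) -> List[Tuple[int, List[str]]]:
    """Return (RecordId, reasons) for every event with at least one reason."""
    alerts = []
    for ev in events:
        reasons = triage_event(ev)
        if reasons:
            alerts.append((ev["RecordId"], reasons))
    return alerts


# Constructed Sysmon-style process-creation events, not real telemetry
SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\Documents\ssd.dll,abcdefg",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"RecordId": 2, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"RecordId": 3, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\alice\AppData\Local\Kd8wq\Vmxc.pqz",Rtq',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"RecordId": 4, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\user32.dll,LockWorkStation",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for record_id, reasons in triage(SAMPLE_EVENTS):
        print(record_id, reasons)
```

Records 1 and 3 are flagged with two reasons each; the two legitimate rundll32 invocations from System32 produce none. The extension check is a weak signal on its own, so when tuning this for production weight the writable-path and Office-parent reasons higher than the extension reason.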

Indicators of Compromise

Domains:

artanddesign[.]one
strawberry.kids-singer[.]net
krezol-group[.]com
izocab[.]com
crmweb[.]info
eleccom[.]shop
icfacn[.]com
ledcaopingdeng[.]com
autodiscover.karlamejia[.]com
hotelamerpalace[.]com
unifiedpharma[.]com
accessunited-bank[.]com
pigij[.]com
connecticutsfinestmovers[.]com

IPv4 addresses:

193[.]42[.]36[.]245
46[.]105[.]81[.]76
91[.]240[.]118[.]168

SHA256:

9f22626232934970e4851467b7b746578f0f149984cd0e4e1a156b391727fac9
9bda03babb0f2c6aa9861eca95b33af06a650e2851cce4edcc1fc3abd8e7c2a1
e492f31ca20d99888b2434dcb4d9af1f93ed4c485b9bd2bc550ce8ae8021b9cd
3e9701129f13f13f7b873f55dc3d43d04cbd1dd3f85814270bb1b177394926b5
6d55f25222831cce73fd9a64a8e5a63b002522dc2637bd2704f77168c7c02d88
2de72908e0a1ef97e4e06d8b1ba3dc0d76f580cdf36f96b5c919bea770b2805f
5bd4987db7e6946bf2ca3f73e17d6f75e2d8217df63b2f7763ea9a6ebcaf9fed

SHA1:

3d1fb09a9a05ab6cf83c4e7cdf5fe40e67064063
1b23b966249a1da92300f3b857b40da8d8cd549a

MD5:

526215dda9d0e85bcb6bce827f3f85d2
dfcb2501be0a877c79c6abfb9cf17397