Emotet Maldoc Analysis – Embedded DLL and CertUtil for Base64 Decoding

On 11/10/2020, AnyRun posted an Emotet maldoc that utilized CertUtil to decode a DLL payload that was used for unpacking and running the Emotet trojan. This is a deviation from normal use of obfuscated base64 PowerShell command as well as embedding the DLL into the maldoc instead of retrieving from a compromised host. This video provides analysis of the document using both static and dynamic techniques, as well as a walk-through of the macro code. The original Tweet from AnyRun can be found at: https://twitter.com/anyrun_app/status/1326157565840023553 Analysis of an Emotet document that uses PowerShell from earlier this year can be found…

Read more

Malware Analysis – Triaging Emotet (Fall 2019)

This is a summary of initial (triage) analysis of Emotet droppers and the associated network traffic from the fall of 2019. This write-up provides the tools/techniques for assessing the malicious samples and gathering initial indicators of compromise (IOCs). While Emotet will certainly continue to evolve, the approach outlined here will provide a solid foundation for anyone looking to continue to analyze Emotet (or similiar). Please Click Enable Content Since resuming operations in September 2019, Emotet has not failed in regaining a foothold as a dominent botnet.[1] To accomplish this, Emotet regularly utilizes macro-enabled Microsoft Office documents to retrieve and drop…

Read more