Goal: Reverse the pervasive Trojan banking Trojan “Emotet.”
SHA-1: 2bda61456d64a2c509b19d49516f5c942be90d44
SHA–256: 9bb033dc2815798cd2c8b1a496c319a190a29ca59ea1053ab0b6fcf809630036
Imphash: 4c523782bd5ed7ca8f9ac7efc2d8d75f
Other related samples based on the variant’s imphash:
- 9bb033dc2815798cd2c8b1a496c319a190a29ca59ea1053ab0b6fcf809630036
- 33441312c20fbeccffceb522e626aa47366a966c48be537d82d4ecc60858d14c
- 3d41a652e368875bdf55653dc4c43237f4b0eb70c028fe43454be02309cfc11b
- ff25f74c91530371232bb7f5350d14252499de9a748a5e76d4b40959e64cfd30
- 8102bda902667eabb34ebaf84f6ff15fb01804811c4b5bc4d6ac1a3871ea985a
- ae8ef4600413adc25b32d202a8e2a4042650c234cde969251861b9ea2b2391f9
- f5b8507645d9a2b672515bc990d149566e6272802c339219c2bd9e0ee19a1b88
- 38a7f6b64f72c9202489b7e028a65f19cf0ff7008de7330e9f6154223e7dda78
- df277353e4ec5d69a24b570f31fbc2376f35e6e18457d1985f556efee633456c
Emotet queries HKCU and HKLM Shell Folder directories:
The malware copies itself into %APPDATA%\QuotaSms as “QuotaSms[.]exe”:
Emotet Trojan creates persistency as an lnk file in the Startup directory:
Emotet creates an identical process as “CREATE_SUSPENDED,” injects itself into it via WriteProcessMemory, launches the new ResumeThread and kills the main process.
Dynamic Analysis: Emotet Trojan
+ Utilizes dynamic API loading via GetProcAddress
+ Implements self-kill routine via CreateThread with WriteProcessMemory
+ Creates multiple suspended threads and writes malware into them using WriteProcessMemory
+ Creates persistency as a QuotaSms[.]exe lnk file in Startup directory
+ Copies itself into %APPDATA%
+ Queries SSL :443 server and get assigned a peer at :8080
0027s > AnalyzeProcess pid:5600 C:\Documents and Settings\Administrator\Desktop\emotet[.]exe
0059s > WriteProcessMemory
File: emotet[.]exe
Size: 216576 Bytes
MD5: BCCF2BBA9CD34B2FFFA13BFAA9DD73D0
Reverse Engineering, Malware Deep Insight 