Emotet Banking Trojan: Malware Analysis

Goal: Reverse the pervasive banking Trojan “Emotet.”

SHA-1: 2bda61456d64a2c509b19d49516f5c942be90d44
SHA256: 9bb033dc2815798cd2c8b1a496c319a190a29ca59ea1053ab0b6fcf809630036
Imphash: 4c523782bd5ed7ca8f9ac7efc2d8d75f
Other samples sharing this imphash (the first entry is the sample analysed here):
  • 9bb033dc2815798cd2c8b1a496c319a190a29ca59ea1053ab0b6fcf809630036
  • 33441312c20fbeccffceb522e626aa47366a966c48be537d82d4ecc60858d14c
  • 3d41a652e368875bdf55653dc4c43237f4b0eb70c028fe43454be02309cfc11b
  • ff25f74c91530371232bb7f5350d14252499de9a748a5e76d4b40959e64cfd30
  • 8102bda902667eabb34ebaf84f6ff15fb01804811c4b5bc4d6ac1a3871ea985a
  • ae8ef4600413adc25b32d202a8e2a4042650c234cde969251861b9ea2b2391f9
  • f5b8507645d9a2b672515bc990d149566e6272802c339219c2bd9e0ee19a1b88
  • 38a7f6b64f72c9202489b7e028a65f19cf0ff7008de7330e9f6154223e7dda78
  • df277353e4ec5d69a24b570f31fbc2376f35e6e18457d1985f556efee633456c
Emotet queries the HKCU and HKLM “Shell Folders” registry keys to locate the user’s profile directories.
The malware copies itself into %APPDATA%\QuotaSms as “QuotaSms[.]exe”.
Emotet establishes persistence by dropping a .lnk file in the Startup directory.
Emotet creates a second instance of its own executable with CREATE_SUSPENDED, writes itself into that process via WriteProcessMemory, starts it with ResumeThread, and then terminates the original process.

Dynamic Analysis: Emotet Trojan
+ Resolves its imports at run time via GetProcAddress (dynamic API loading)
+ Implements a self-kill routine (CreateThread combined with WriteProcessMemory) so the original process exits once the injected copy is running
+ Creates multiple suspended processes (CREATE_SUSPENDED) and writes the malware into them with WriteProcessMemory
+ Establishes persistence as a QuotaSms[.]exe .lnk file in the Startup directory
+ Copies itself into %APPDATA%
+ Contacts its server over SSL on port 443 and is assigned a peer on port 8080
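The persistence and injection chain described above (self-copy into %APPDATA%, .lnk in Startup, CREATE_SUSPENDED → WriteProcessMemory → ResumeThread, parent self-terminates) is the kind of sequence worth detecting from an API-monitor trace rather than from hashes, since the imphash cluster above will not survive the next repack. The following is an added example and not code from the original post: a small Python correlator run over a constructed trace. The trace format, the line contents, the PID numbers, and the convention that the monitor has already resolved process and thread handles to PIDs are assumptions made for the example; only PID 5600 and the 216576-byte write size mirror the page's own sandbox output.

```python
"""Correlate Emotet-style persistence and process-injection behaviour from an API trace.

Added example for this write-up; the trace below is constructed for illustration
and the "<time>s > <pid> <api>(<args>)" line format is an assumption, not the
format of any particular sandbox.
"""
import re
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit passed to CreateProcess

# Constructed monitor output (not the page's sandbox log). The monitor is assumed to
# have resolved handles to PIDs so that WriteProcessMemory/ResumeThread carry a pid=.
SAMPLE_TRACE = r"""
0027s > 5600 CopyFileW(src="C:\Users\admin\Desktop\emotet.exe", dst="C:\Users\admin\AppData\Roaming\QuotaSms\QuotaSms.exe")
0031s > 5600 IShellLinkW::Save(path="C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotaSms.lnk")
0045s > 5600 CreateProcessW(app="C:\Users\admin\AppData\Roaming\QuotaSms\QuotaSms.exe", flags=0x4, pid=6120)
0059s > 5600 WriteProcessMemory(pid=6120, addr=0x400000, size=216576)
0060s > 5600 ResumeThread(pid=6120)
0061s > 5600 TerminateProcess(pid=5600)
0070s > 7000 CreateProcessW(app="C:\Windows\System32\notepad.exe", flags=0x0, pid=7100)
"""

LINE_RE = re.compile(r"^(?P<t>\d+)s > (?P<pid>\d+) (?P<api>[\w:]+)\((?P<args>.*)\)$")
ARG_RE = re.compile(r'(?P<k>\w+)=(?:"(?P<s>[^"]*)"|(?P<n>0x[0-9a-fA-F]+|\d+))')


def parse_trace(text):
    """Turn monitor lines into dicts {'t', 'pid', 'api', 'args'}; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = {}
        for a in ARG_RE.finditer(m.group("args")):
            if a.group("s") is not None:
                args[a.group("k")] = a.group("s")
            else:
                args[a.group("k")] = int(a.group("n"), 0)  # base 0 handles 0x.. and decimal
        events.append({"t": int(m.group("t")), "pid": int(m.group("pid")),
                       "api": m.group("api"), "args": args})
    return events


def detect(events):
    """Return {pid: [finding, ...]} for processes exhibiting the chain described above.

    The injection finding requires the full order: a child created with
    CREATE_SUSPENDED, a WriteProcessMemory into that child, then ResumeThread on it.
    A CreateProcess alone (see pid 7000 in the sample) does not fire.
    """
    findings = defaultdict(list)
    suspended = defaultdict(set)  # parent pid -> child pids created CREATE_SUSPENDED
    written = defaultdict(set)    # parent pid -> suspended children it has written into
    for e in events:
        pid, api, a = e["pid"], e["api"], e["args"]
        if api == "CopyFileW" and "\\AppData\\Roaming\\" in a.get("dst", ""):
            findings[pid].append("self-copy into %APPDATA%: " + a["dst"])
        elif api == "IShellLinkW::Save" and "\\Startup\\" in a.get("path", ""):
            findings[pid].append(".lnk persistence in Startup: " + a["path"])
        elif api == "CreateProcessW" and a.get("flags", 0) & CREATE_SUSPENDED:
            suspended[pid].add(a["pid"])
        elif api == "WriteProcessMemory" and a.get("pid") in suspended[pid]:
            written[pid].add(a["pid"])
        elif api == "ResumeThread" and a.get("pid") in written[pid]:
            findings[pid].append(
                "suspended-create/write/resume injection into pid %d" % a["pid"])
        elif api == "TerminateProcess" and a.get("pid") == pid and written[pid]:
            findings[pid].append("parent self-terminates after handing off to injected child")
    return dict(findings)


if __name__ == "__main__":
    for pid, hits in detect(parse_trace(SAMPLE_TRACE)).items():
        print("pid %d:" % pid)
        for h in hits:
            print("  -", h)
```

Each stage is keyed on the calling PID, so a benign process that merely starts a child suspended (debuggers and some installers do) produces no finding; the write-then-resume into that same child is what distinguishes the injection. On a real monitor you would substitute its line format in `LINE_RE`/`ARG_RE` and keep the state machine as is.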

0027s > AnalyzeProcess pid:5600 C:\Documents and Settings\Administrator\Desktop\emotet[.]exe
0059s > WriteProcessMemory
File: emotet[.]exe
Size: 216576 Bytes
MD5: BCCF2BBA9CD34B2FFFA13BFAA9DD73D0
