rule MAL_Emotet_JS_Dropper_Oct19_1 { meta: description = "Detects Emotet JS dropper" author = "Florian Roth (Nextron Systems)" reference = "https://app.any.run/tasks/aaa75105-dc85-48ca-9732-085b2ceeb6eb/" date = "2019-10-03" hash1 = "38295d728522426672b9497f63b72066e811f5b53a14fb4c4ffc23d4efbbca4a" hash2 = "9bc004a53816a5b46bfb08e819ac1cf32c3bdc556a87a58cbada416c10423573" id = "34605452-8f3d-540a-b66f-4f68d9187003" strings: $xc1 = { FF FE 76 00 61 00 72 00 20 00 61 00 3D 00 5B 00 27 00 } condition: uint32(0) == 0x0076feff and filesize <= 700KB and $xc1 at 0 } import "pe" rule MAL_Emotet_Jan20_1 { meta: description = "Detects Emotet malware" author = "Florian Roth (Nextron Systems)" reference = "https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/" date = "2020-01-29" hash1 = "e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d" id = "334ae7e5-0a46-5e95-bf53-0f343db4e4de" strings: $op0 = { 74 60 8d 34 18 eb 54 03 c3 50 ff 15 18 08 41 00 } $op1 = { 03 fe 66 39 07 0f 85 2a ff ff ff 8b 4d f0 6a 20 } $op2 = { 8b 7d fc 0f 85 49 ff ff ff 85 db 0f 84 d1 } condition: uint16(0) == 0x5a4d and filesize <= 200KB and ( pe.imphash() == "009889c73bd2e55113bf6dfa5f395e0d" or 1 of them ) } rule MAL_Emotet_BKA_Quarantine_Apr21 { meta: author = "press inquiries , technical contact " reference = "https://www.bka.de/DE/IhreSicherheit/RichtigesVerhalten/StraftatenImInternet/FAQ/FAQ_node.html" descripton = "The modified emotet binary replaces the original emotet on the system of the victim. The original emotet is copied to a quarantine for evidence-preservation." note = "The quarantine folder depends on the scope of the initial emotet infection (user or administrator). It is the temporary folder as returned by GetTempPathW under a filename starting with UDP as returned by GetTempFileNameW. To prevent accidental reinfection by a user, the quarantined emotet is encrypted using RC4 and a 0x20 bytes long key found at the start of the quarantined file (see $key)." sharing = "TLP:WHITE" date = "2021-03-23" id = "22c27d82-00cb-5d2f-a1cc-9f8b4c60aecd" strings: $key = { c3 da da 19 63 45 2c 86 77 3b e9 fd 24 64 fb b8 07 fe 12 d0 2a 48 13 38 48 68 e8 ae 91 3c ed 82 } condition: $key at 0 } rule MAL_Emotet_BKA_Cleanup_Apr21 { meta: author = "press inquiries , technical contact " reference = "https://www.bka.de/DE/IhreSicherheit/RichtigesVerhalten/StraftatenImInternet/FAQ/FAQ_node.html" descripton = "This rule targets a modified emotet binary deployed by the Bundeskriminalamt on the 26th of January 2021." note = "The binary will replace the original emotet by copying it to a quarantine. It also contains a routine to perform a self-deinstallation on the 25th of April 2021. The three-month timeframe between rollout and self-deinstallation was chosen primarily for evidence purposes as well as to allow remediation." sharing = "TLP:WHITE" date = "2021-03-23" id = "10d93918-8a5e-54a3-81c6-f6ff68562e13" strings: $key = { c3 da da 19 63 45 2c 86 77 3b e9 fd 24 64 fb b8 07 fe 12 d0 2a 48 13 38 48 68 e8 ae 91 3c ed 82 } condition: filesize > 300KB and filesize < 700KB and uint16(0) == 0x5A4D and $key } rule EXT_MAL_SystemBC_Mar22_1 { meta: author = "Thomas Barabosch, Deutsche Telekom Security" date = "2022-03-11" description = "Detects unpacked SystemBC module as used by Emotet in March 2022" score = 85 malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc" reference = "https://twitter.com/Cryptolaemus1/status/1502069552246575105" reference2 = "https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6" hash1 = "c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5" id = "39e1a131-bd2c-56e9-961f-2b2c31f29e85" strings: $sx1 = "-WindowStyle Hidden -ep bypass -file" ascii $sx2 = "BEGINDATA" ascii $sx3 = "GET %s HTTP/1.0" ascii /* $s1 = "TOR:" ascii $s2 = "PORT1:" ascii $s3 = "HOST1:" ascii */ $s5 = "User-Agent:" ascii /* $s6 = "powershell" ascii */ $s8 = "ALLUSERSPROFILE" ascii condition: ( uint16(0) == 0x5a4d and filesize < 30KB and 2 of ($sx*) ) or all of them }