PowerShell Downloader – Emotet

Today I wanted to do a real quick post on a PowerShell downloader linked to Emotet. Here is a little background on what Emotet is according to Malwarebytes:

Emotet is a Trojan that is primarily spread through spam emails. The infection may arrive either via malicious script, macro-enabled document files, or malicious link. Emotet emails may contain familiar branding designed to look like a legitimate email. Emotet may try to persuade users to click the malicious files by using tempting language about “Your Invoice,” “Payment Details,” or possibly an upcoming shipment from well-known parcel companies.

The strain I will be looking at was delivered through this word document acquired from https://www.malware-traffic-analysis.net/2019/01/18/index.html

Screen Shot 2019-01-21 at 8.31.40 AM.png

Once the macros inside the document are launched by enabling the content cmd.exe will spawn a PowerShell process.

screen shot 2019-01-21 at 8.40.02 am

Lets’ take a look at the contents of the PowerShell script that was kicked off.

screen shot 2019-01-21 at 8.25.14 am

So here we can see that it is building a PowerShell download cradle that is iterating through the listed URL’s and attempting to download 477.exe and save it to the AppData\Local\Temp directory. Here is a look at what some of the variables contain.

screen shot 2019-01-21 at 8.48.10 am

So thank you for reading and until next time…

Happy hunting,

Marcus

 

References:

https://www.malwarebytes.com/emotet/

2 thoughts on “PowerShell Downloader – Emotet

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s