Emotet Downloader: Major Changes In New Version

Article by Vishal Thakur

InfoSec researcher specialising in Incident Response and Malware Analysis.

The latest version of the Emotet downloader has a few new updates. In this post we'll have a look at them.

These are the new updates:

  1. The obfuscation pattern differs from that of earlier versions (3942 lines of VBS code)
  2. powershell.exe is copied to the Temp folder and executed from there (an evasion technique)
  3. Only one payload URI - this is a major change

Let's take a look at the malware and analyse it.

Infection vector is the usual phishing email with a Word document attachment.

Once you open the document, it asks you to enable the macros. Once enabled, the code executes.

Malicious Word Document

Here's a look at a part of the code:

VBS code snippet

Now, let's start analysing the code. We begin by setting breakpoints at the main code sections, starting with the function AutoOpen().

There's a fair bit going on here, but we focus on the interesting parts of the code. The first function we analyse is the one that creates a new folder in the Temp directory and then copies the contents of the PowerShell folder into it.

Have a look at the animation below - you can clearly see the new folder 'ie_u_nd_iua_m' being created.

The contents of the WindowsPowerShell\v1.0 folder are then copied into this folder, as you can see in the images below:

PowerShell contents are copied over to Temp

The images above show us the function that copies the files over to the new folder, with the variables and their values (loaded) highlighted. Now, take a look at the animation below to see the content from WindowsPowerShell\v1.0 being copied over to the new folder in Temp.

After the files have been copied over, the PowerShell executable is copied to a new file, in this case wznwtyeizh.exe; see the animation and images below.

This new executable (which is really powershell.exe) is then launched to execute the rest of the code, which downloads and executes the final payload.

There could be a few reasons for this added step. It could be used to bypass security controls, for example basic, default-style application whitelisting rules that rely on process names or paths to block network traffic for a specific application.

It definitely bypasses the Windows Firewall if you're using it to block PowerShell from downloading files from the internet (which, by the way, was a great way of thwarting a lot of malware, at least until now).
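Because the copied binary keeps its PE version resource, a process-creation event that records the executable's OriginalFileName (as Sysmon's process-creation event does) still identifies it as PowerShell even when the file on disk is called wznwtyeizh.exe. The following added example, not code from the original post, shows detection logic built on that idea: it flags PowerShell that runs from outside its canonical directories or under a different file name, and PowerShell spawned directly by an Office application. The event records, the user profile path and the parent-process paths are constructed for the example; the Temp folder and file names are the ones observed above.

```python
"""Flag process-creation events where PowerShell runs from an unexpected
path or under a random file name (the copy-to-Temp evasion described above).
Added example: the event records below are constructed, not taken from
the analysed sample's telemetry."""
import ntpath
from dataclasses import dataclass
from typing import List, Tuple

# Directories from which powershell.exe is legitimately launched.
LEGIT_POWERSHELL_DIRS = {
    r"c:\windows\system32\windowspowershell\v1.0",
    r"c:\windows\syswow64\windowspowershell\v1.0",
}

# Office applications that should rarely spawn PowerShell directly.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}


@dataclass
class ProcessEvent:
    image: str               # full path of the launched executable (Sysmon "Image")
    original_file_name: str  # OriginalFilename from the PE version resource
    parent_image: str        # full path of the parent process
    command_line: str        # command line of the new process


def is_renamed_powershell(ev: ProcessEvent) -> bool:
    """True when the binary identifies itself as PowerShell but runs from a
    non-standard directory or under a different file name."""
    if ev.original_file_name.lower() != "powershell.exe":
        return False
    directory = ntpath.dirname(ev.image).lower()
    basename = ntpath.basename(ev.image).lower()
    return directory not in LEGIT_POWERSHELL_DIRS or basename != "powershell.exe"


def is_office_spawned_powershell(ev: ProcessEvent) -> bool:
    """True when PowerShell (by original file name) is a direct child of an
    Office application, the macro-to-downloader chain seen in this sample."""
    parent = ntpath.basename(ev.parent_image).lower()
    return ev.original_file_name.lower() == "powershell.exe" and parent in OFFICE_PARENTS


def classify(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Return (rule_name, image_path) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        if is_renamed_powershell(ev):
            hits.append(("renamed_or_relocated_powershell", ev.image))
        if is_office_spawned_powershell(ev):
            hits.append(("office_spawned_powershell", ev.image))
    return hits


# Constructed sample events: one benign launch, the renamed copy from the
# sample's Temp folder launched by Word, and an unrelated binary in Temp.
SAMPLE_EVENTS = [
    ProcessEvent(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "PowerShell.EXE", r"C:\Windows\explorer.exe", "powershell.exe -NoProfile"),
    ProcessEvent(
        r"C:\Users\user\AppData\Local\Temp\ie_u_nd_iua_m\wznwtyeizh.exe",
        "PowerShell.EXE", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "wznwtyeizh.exe -e <encoded command omitted>"),
    ProcessEvent(
        r"C:\Users\user\AppData\Local\Temp\ie_u_nd_iua_m\notepad.exe",
        "NOTEPAD.EXE", r"C:\Windows\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for rule, image in classify(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

The same reasoning applies to the firewall problem the post raises: a rule keyed on the file path or process name is defeated by a copy, whereas a rule keyed on the binary's identity (its version resource, signature or hash) follows the copy into Temp. A renamed PowerShell in a user-writable Temp folder should be a high-confidence alert, and the Office-parent rule catches the same chain even if the malware ever stops copying the binary.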

New PS executable is created

Copy PS as the new file
New executable created, ready for execution

And finally, here's the heavily obfuscated code (a new pattern in this version) that is executed via this newly created PS executable.

Complete code to be executed in PowerShell:

To decode the final commands that are run to download, save and execute the final payload, we follow the same technique I explained previously in this post.

Since it doesn't use AES encryption to encrypt the code, decoding is faster. Follow the steps in the image below to decode the commands and extract the IoC (the download URI).

Decoding Flow

This is the first major version change since the authors dropped AES encryption for encrypting the commands.

Sample Reference and IoCs

MD5: f1faea2acde5d161fb9430d06787bbc5

SHA256: 670dd6b227d15e3dd636185e9a8a79ecf7371b42ba2ca30f0f70cc0221393b2d

URI IoC: hxxp://sportfingers[.]org/hmlopfgosu.exe

VBS code for this downloader

Script for decoding the commands