A DEEP DIVE INTO NEW 64 BIT EMOTET MODULES

Emotet has re-emerged as a 64-bit variant with a multi-stage decryption and C2 communications workflow. The analysis highlights its loading sequence, encrypted resources, inner DLLs, and cryptographic changes (ECC and bcrypt.dll) compared with earlier versions. #Emotet #Epoch5 #ECC #ECDH #bcrypt.dll

Keypoints

  • 64-bit Emotet variant analyzed (MD5 da045fce83afdcb9920a0a38b279d33d), with emphasis on how its first export function is used.
  • High-entropy encrypted data in the resource section is decrypted into shellcode and executed.
  • The decrypted inner file is copied into a newly allocated virtual memory region without its PE header, and the region's page protection is then changed.
  • The inner DLL has a single export; the loader DLL's first export calls the inner DLL's first export function, enabling stealthy execution.
  • Anti-analysis techniques include control flow flattening and API hashing to hinder reverse engineering.
  • New cryptography and C2 model: bcrypt.dll is used, ECC for key exchange, an AES key derived via SHA-256, and base64-encoded data sent to the C2, with C2 data decrypted at runtime.
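The keypoints above note that the loader's resource section carries encrypted data with high entropy. The following added example (not code from the original post or from Quick Heal) shows a defender-side check for that trait: it computes Shannon entropy over a byte blob and flags blobs that look encrypted or packed, using constructed sample inputs in place of a real resource section.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_resource(data: bytes, threshold: float = 7.2) -> dict:
    """Flag a resource blob whose entropy is consistent with encrypted
    or compressed content. The 7.2 bits/byte threshold is an assumption
    chosen for this example; tune it against a clean baseline."""
    ent = shannon_entropy(data)
    return {"size": len(data), "entropy": round(ent, 3), "suspicious": ent >= threshold}


def _pseudo_random(n: int) -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 chain) standing in for an
    encrypted resource; constructed so the example runs offline."""
    out = bytearray()
    state = b"constructed-seed"
    while len(out) < n:
        state = hashlib.sha256(state).digest()
        out.extend(state)
    return bytes(out[:n])


# Constructed samples: an "encrypted" blob and a repetitive plaintext blob.
ENCRYPTED_LIKE = _pseudo_random(4096)
PLAIN_LIKE = b"This program cannot be run in DOS mode.\r\n" * 100


if __name__ == "__main__":
    for name, blob in (("encrypted-like", ENCRYPTED_LIKE), ("plain-like", PLAIN_LIKE)):
        print(name, classify_resource(blob))
```

In practice the same check is run over each resource entry (or each section) of a PE; a large, high-entropy resource in an otherwise ordinary DLL is a useful triage signal, not proof on its own.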

MITRE Techniques

  • [T1566.001] Phishing – “Emotet is usually delivered by SPAM campaigns containing document files.” – Emotet is delivered via spam campaigns with document attachments.
  • [T1027] Obfuscated/Compressed Files and Information – “This DLL uses Control Flow flattening and API hashing to make reverse engineering difficult.”
  • [T1055] Process Injection – “The decrypted inner file is moved to another virtually allocated memory without PE Header. This memory is virtually protected.”
  • [T1132] Data Encoding – “base64 encoded and sent.” – Data (keys and payload) is encoded before transmission.
  • [T1041] Exfiltration Over C2 Channel – “The malware collects information such as Computer name, Volume ID, Version info, Execution path, etc., and sends it to C2.”
  • [T1071] Command and Control – “C2 communication”; encrypted data is exchanged with C2 servers at runtime.

Indicators of Compromise

  • [MD5] Emotet variant hash – da045fce83afdcb9920a0a38b279d33d
  • [IP] Decrypted C2 List – 103.8.26.17, 134.122.119.23

Read more: https://blogs.quickheal.com/a-deep-dive-into-new-64-bit-emotet-modules/