【図表】

出典: https://www.cert.pl/en/news/single/analysis-of-emotet-v4/

【公開情報】

◆Analysis of Emotet v4 (CERT.PL, 2017/05/24)
https://www.cert.pl/en/news/single/analysis-of-emotet-v4/

【インディケータ情報】

■ハッシュ情報(Sha256)

c53956c95100c5c0ba342977f8fc44fcad35aabc24ec44cb12bb83eee1ed34fa

■ハッシュ情報(MD5)

0497c120248c6f00f1ac37513bd572e5
5b2d58b4104309ee9c93b455d39c7314
722268bad0d3a2e90aa148d52c60943e

■URL

hxxp://87.106.105.76:443
hxxp://173.255.229.121:443
hxxp://178.79.177.141:443
hxxp://79.170.95.202:7080
hxxp://206.214.220.79:8080
hxxp://88.198.50.221:8080
hxxp://5.39.84.48:8080
hxxp://188.68.58.8:7080
hxxp://162.214.11.56:7080
hxxp://5.196.73.150:8080
hxxp://203.121.145.40:7080
hxxp://46.165.212.76:7080

【Yara Rule】

rule emotet4_basic: trojan
{
meta:
author = "psrok1/mak"
module = "emotet"
strings:
$emotet4_rsa_public = { 8d ?? ?? 5? 8d ?? ?? 5? 6a 00 68 00 80 00 00 ff 35 [4] ff 35 [4] 6a 13 68 01 00 01 00 ff 15 [4] 85 }
$emotet4_cnc_list = { 39 ?? ?5 [4] 0f 44 ?? (FF | A3)}
condition:
all of them
}

rule emotet4: trojan
{
meta:
author = "psrok1"
module = "emotet"
strings:
$emotet4_x65599 = { 0f b6 ?? 8d ?? ?? 69 ?? 3f 00 01 00 4? 0? ?? 3? ?? 72 }
condition:
any of them and emotet4_basic
}

rule emotet4_spam : spambot
{
meta:
author="mak"
module="emotet"
strings:
$login="LOGIN" fullword
$startls="STARTTLS" fullword
$mailfrom="MAIL FROM:"
condition:
all of them and emotet4_basic
}
botnetdhlmalwaretrojan