TT Malware Log

A personal investigation, research and reference log on malware / cyber attacks / analysis techniques

How the new Emotet differs from previous versions

【Figures】

[Figure] Emotet Email Lure
[Figure] Emotet Document Lure
[Figure] Structure of Emotet's initial check-in
Source: https://intel471.com/blog/emotet-returns-december-2021


【Overview】

■Bundled modules

・Spam module
・Email credential stealer module
・Outlook email address harvester
・Browser credential stealer
・Web injector
・Credential brute-forcing and lateral movement module

Opcode | Command name | Description
1 | Update binary | Expands the modlist/drop directory, appends it to the command line as base64, then drops and launches the binary.
2 | Load module | Injects the module into memory.
3 | Execute EXE | Drops and executes an executable.
4 | Execute EXE as user | Drops and executes an executable as a specific user.
5 | Inject DLL with export | Injects the DLL into memory, maps the DllRegisterServer export and executes it.
6 | Execute DLL with regsvr32[.]exe | Drops and executes the DLL with "regsvr32[.]exe -s ".
7 | Execute DLL with rundll32[.]exe | Drops and executes the DLL with "rundll32[.]exe , Control_RunDLL. ".


【Blog】

◆How the new Emotet differs from previous versions (Intel471, 2021/12/09)

Intel 471 researchers have found distinct differences that will allow security teams to fine-tune their defenses against Emotet.

https://intel471.com/blog/emotet-returns-december-2021


【Related summary posts】

Overall summaries
 ◆Malware (summary)
  ◆Banking malware (summary)

◆Revived Emotet (summary)
https://malware-log.hatenablog.com/entry/Emotet_2


【Indicator information】

■URL information - Epoch 4 -


(The above is Intel471 information; source: https://intel471.com/blog/emotet-returns-december-2021 )


■URL information - Epoch 5 -


(The above is Intel471 information; source: https://intel471.com/blog/emotet-returns-december-2021 )



Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 1997 - 2023