W64/Emotet.RES!tr
Analysis
W64/Emotet.RES!tr is a generic detection for a trojan.
Since this is a generic detection, malware detected as W64/Emotet.RES!tr may have varying behaviour.
Below are some of its observed characteristics/behaviours:
- This malware is related to the Emotet Resurgence.
- W64/Emotet.RES!tr is a botnet that exploits vulnerabilities by sending spam emails with malicious attachments, which lead to a download of the payload. The downloaded ".dll" file is inflated by appending zero bytes to the end of the file.
- It will attempt to gain access to a victim's system and wait for commands from the control server. The malware may perform malicious actions such as stealing information.
- Below are some of the malware's capabilities (the capability shown on this page is the one illustrated in Figure 1):
- Figure 1: Adding zero bytes at the end of the malicious file.
- Following are some of the near/exact IOCs/file hashes associated with this detection:
- Md5: cb9e1acaf2bc27d3d63ab65fda4c5186 / Sha256: bb444759e8d9a1a91a3b94e55da2aa489bb181348805185f9b26f4287a55df36
- Md5: f4239e545b7e85527babcf8cb130df6f / Sha256: 34cd4930c92f07ab22670452ab7ce227bbb5af1165472bd90b965fee6ab117b1
- Md5: 495402773d336dff327a1bfec34d4e0e / Sha256: 3d8f8f406a04a740b8abb1d92490afef2a9adcd9beecb13aecf91f53aac736b4
- Md5: 48e22ffd338e4992a7e2a58aabd9a7ae / Sha256: b7e817a14b6350c206f1565f64df81b9ec5baadda30915f2ec05676f2a5c4f94
- Md5: 1c303e684f6c3e7c290fcb8d69af758a / Sha256: 82f6277d83395b80a5938895242db48eb381e5d90148d9d36f1b8c5fd2fdf01f
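The zero-byte inflation described above defeats naive hash matching, because every extra run of appended zeros changes the file's MD5/SHA256. The script below is an added example written for this page (it is not Fortinet's detection logic): it matches a file against the hashes listed above, measures how much of the file is trailing zero padding, and also hashes the file with that padding stripped so the core payload gets a stable hash. The thresholds MIN_PADDING and MIN_RATIO and the sample bytes are assumptions constructed for the example; no real malware is involved.

```python
import hashlib

# IoC hashes as listed on the detection page (MD5 and SHA256 of the same samples).
KNOWN_MD5 = {
    "cb9e1acaf2bc27d3d63ab65fda4c5186",
    "f4239e545b7e85527babcf8cb130df6f",
    "495402773d336dff327a1bfec34d4e0e",
    "48e22ffd338e4992a7e2a58aabd9a7ae",
    "1c303e684f6c3e7c290fcb8d69af758a",
}
KNOWN_SHA256 = {
    "bb444759e8d9a1a91a3b94e55da2aa489bb181348805185f9b26f4287a55df36",
    "34cd4930c92f07ab22670452ab7ce227bbb5af1165472bd90b965fee6ab117b1",
    "3d8f8f406a04a740b8abb1d92490afef2a9adcd9beecb13aecf91f53aac736b4",
    "b7e817a14b6350c206f1565f64df81b9ec5baadda30915f2ec05676f2a5c4f94",
    "82f6277d83395b80a5938895242db48eb381e5d90148d9d36f1b8c5fd2fdf01f",
}

# Assumed heuristic thresholds (not from the page): flag a file as inflated when
# at least MIN_PADDING trailing zero bytes make up at least MIN_RATIO of the file.
MIN_PADDING = 4096
MIN_RATIO = 0.5


def trailing_zero_count(data: bytes) -> int:
    """Number of 0x00 bytes at the very end of the file."""
    return len(data) - len(data.rstrip(b"\x00"))


def trailing_zero_ratio(data: bytes) -> float:
    """Fraction of the file that is trailing zero padding (0.0 for empty input)."""
    return trailing_zero_count(data) / len(data) if data else 0.0


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA256 hex digests of the given bytes."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def matches_known_ioc(data: bytes) -> bool:
    """True if either digest is in the IoC list from the page."""
    h = file_hashes(data)
    return h["md5"] in KNOWN_MD5 or h["sha256"] in KNOWN_SHA256


def assess(data: bytes) -> dict:
    """Combine exact IoC matching with the zero-padding heuristic.

    Appended zeros change the file hash, so the IoC check is run both on the
    file as-is and on the file with its trailing padding removed; the stripped
    SHA256 is reported as a stable identifier for the core payload.
    """
    padding = trailing_zero_count(data)
    ratio = trailing_zero_ratio(data)
    core = data.rstrip(b"\x00")
    return {
        "size": len(data),
        "trailing_zero_bytes": padding,
        "trailing_zero_ratio": round(ratio, 4),
        "inflated": padding >= MIN_PADDING and ratio >= MIN_RATIO,
        "ioc_match": matches_known_ioc(data) or matches_known_ioc(core),
        "core_sha256": hashlib.sha256(core).hexdigest(),
    }


# Constructed sample data (not real malware): a fake 1026-byte "payload" followed
# by 9000 appended zero bytes, mimicking the inflation shown in Figure 1.
CONSTRUCTED_PAYLOAD = b"MZ" + bytes(range(256)) * 4
CONSTRUCTED_INFLATED = CONSTRUCTED_PAYLOAD + b"\x00" * 9000

if __name__ == "__main__":
    for name, blob in (("payload", CONSTRUCTED_PAYLOAD),
                       ("inflated", CONSTRUCTED_INFLATED)):
        print(name, assess(blob))
```

Legitimate PE files routinely end with a short run of zero bytes from section alignment, which is why the heuristic requires both an absolute amount of padding and a high padding ratio before flagging a file; tune MIN_PADDING and MIN_RATIO against a corpus of known-clean binaries before using it as a triage rule.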
Outbreak Alert
Emotet, a Trojan that is distributed via spam emails, has been prevalent since its first appearance in 2014. With a network made up of multiple botnets, Emotet has continuously sent out spam emails in campaigns designed to infect users via phishing attacks.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Availability
---|---
FortiGate |
FortiClient |
FortiAPS |
FortiAPU |
FortiMail |
FortiSandbox |
FortiWeb |
Web Application Firewall |
FortiIsolator |
FortiDeceptor |
FortiEDR |