W64/Emotet.RES!tr

Analysis

W64/Emotet.RES!tr is a generic detection for a trojan.
Since this is a generic detection, malware that is detected as W64/Emotet.RES!tr may have varying behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware is related to the Emotet Resurgence.

  • W64/Emotet.RES!tr is delivered by a botnet that sends spam emails with malicious attachments; opening the attachment leads to a download of the malware. The ".dll" file is inflated by appending zero bytes at the end of the file.

  • It will attempt to gain access to a victim's system and wait for commands from the control server. The malware may perform malicious actions such as stealing information.

  • Below are some of the malware's capabilities:

    • Figure 1: Adding zero bytes at the end of the malicious file.

  • Following are some of the near/exact IOCs/file hash associated with this detection:
    • Md5: cb9e1acaf2bc27d3d63ab65fda4c5186
      Sha256: bb444759e8d9a1a91a3b94e55da2aa489bb181348805185f9b26f4287a55df36
    • Md5: f4239e545b7e85527babcf8cb130df6f
      Sha256: 34cd4930c92f07ab22670452ab7ce227bbb5af1165472bd90b965fee6ab117b1
    • Md5: 495402773d336dff327a1bfec34d4e0e
      Sha256: 3d8f8f406a04a740b8abb1d92490afef2a9adcd9beecb13aecf91f53aac736b4
    • Md5: 48e22ffd338e4992a7e2a58aabd9a7ae
      Sha256: b7e817a14b6350c206f1565f64df81b9ec5baadda30915f2ec05676f2a5c4f94
    • Md5: 1c303e684f6c3e7c290fcb8d69af758a
      Sha256: 82f6277d83395b80a5938895242db48eb381e5d90148d9d36f1b8c5fd2fdf01f
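The zero-byte inflation described above matters to defenders for two reasons: it pushes the file past size limits that some scanners apply, and any appended padding changes the MD5/SHA256, so a hash-based IoC match on the inflated file can fail even when the payload is identical. The following is an added example (not Fortinet's code, and not part of the original page) that measures trailing zero padding, hashes both the file as-is and the de-padded payload, and compares against the hashes listed above. The function names (`trailing_zero_padding`, `inspect_file`), the 50% padding threshold and the sample bytes are assumptions constructed for the example; the IoC hashes are the ones on this page.

```python
import hashlib

# IoC hashes copied from the detection page above.
KNOWN_MD5 = {
    "cb9e1acaf2bc27d3d63ab65fda4c5186",
    "f4239e545b7e85527babcf8cb130df6f",
    "495402773d336dff327a1bfec34d4e0e",
    "48e22ffd338e4992a7e2a58aabd9a7ae",
    "1c303e684f6c3e7c290fcb8d69af758a",
}
KNOWN_SHA256 = {
    "bb444759e8d9a1a91a3b94e55da2aa489bb181348805185f9b26f4287a55df36",
    "34cd4930c92f07ab22670452ab7ce227bbb5af1165472bd90b965fee6ab117b1",
    "3d8f8f406a04a740b8abb1d92490afef2a9adcd9beecb13aecf91f53aac736b4",
    "b7e817a14b6350c206f1565f64df81b9ec5baadda30915f2ec05676f2a5c4f94",
    "82f6277d83395b80a5938895242db48eb381e5d90148d9d36f1b8c5fd2fdf01f",
}

# Assumed heuristic threshold: flag files where half or more of the bytes
# are a single run of zeros at the end.
PADDING_RATIO_THRESHOLD = 0.5


def trailing_zero_padding(data: bytes) -> dict:
    """Measure the run of 0x00 bytes at the end of the file."""
    total = len(data)
    payload = data.rstrip(b"\x00")
    padding = total - len(payload)
    ratio = padding / total if total else 0.0
    return {"size": total, "payload": len(payload), "padding": padding, "ratio": ratio}


def hashes(data: bytes) -> dict:
    """MD5 and SHA256 hex digests of the given bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def inspect_file(data: bytes, threshold: float = PADDING_RATIO_THRESHOLD) -> dict:
    """Report padding statistics, IoC matches on the file as-is, and IoC
    matches on the de-padded payload.

    Caveat: stripping trailing zeros is a heuristic. Legitimate PE files can
    end with zero bytes (section alignment), so the de-padded hash is a hint
    to pivot on, not proof that the payload is identical to a listed sample.
    """
    pad = trailing_zero_padding(data)
    as_is = hashes(data)
    stripped = hashes(data.rstrip(b"\x00"))

    def matches(h: dict) -> bool:
        return h["md5"] in KNOWN_MD5 or h["sha256"] in KNOWN_SHA256

    return {
        "padding": pad,
        "suspicious_padding": pad["padding"] > 0 and pad["ratio"] >= threshold,
        "hashes": as_is,
        "ioc_match": matches(as_is),
        "ioc_match_depadded": matches(stripped),
    }


# Constructed sample, not a real malware file: a fake "MZ" header followed by
# 1024 bytes of non-zero-terminated content and 4096 bytes of zero padding.
SAMPLE = b"MZ" + bytes(range(256)) * 4 + b"\x00" * 4096

if __name__ == "__main__":
    import json
    print(json.dumps(inspect_file(SAMPLE), indent=2))
```

On a real investigation the same functions would be applied to a file read in binary mode (`open(path, "rb").read()`); the script keeps the sample inline so it runs offline. A positive `suspicious_padding` on an email attachment that is a DLL is a reasonable triage signal on its own, and `ioc_match_depadded` tells the analyst whether the inflated file is a known sample wearing extra bytes.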

Outbreak Alert

Emotet, a Trojan that is distributed via spam emails, has been prevalent since its first appearance in 2014. With a network made up of multiple botnets, Emotet has continuously sent out spam emails in campaigns designed to infect users via phishing attacks.


Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2024-03-06 92.02197
2023-05-31 91.03775
2023-05-09 91.03106
2023-05-02 91.02896
2023-04-24 91.02671
2023-04-17 91.02456
2023-03-23 91.01690
2023-03-22 91.01665
2023-03-22 91.01664
2023-03-22 91.01660