Emotet Loader Execution Via .LNK File
Detects the Emotet Epoch4 loader as reported by @malware_traffic in April 2022. The malicious ".lnk" file was delivered via a phishing campaign. The rule looks for cmd.exe or powershell.exe, started from explorer.exe, cmd.exe or powershell.exe, whose command line references findstr together with a .lnk and a .vbs path: the pattern the loader used to carve a VBS stage out of the shortcut file and execute it.
Sigma rule
```yaml
title: Emotet Loader Execution Via .LNK File
id: 1f32d820-1d5c-43fe-8fe2-feef0c952eb7
status: experimental
description: |
    Detects the Emotet Epoch4 loader as reported by @malware_traffic back in 2022.
    The ".lnk" file was delivered via a phishing campaign.
references:
    - https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338
    - https://twitter.com/Cryptolaemus1/status/1517634855940632576
    - https://tria.ge/220422-1pw1pscfdl/
    - https://tria.ge/220422-1nnmyagdf2/
author: '@kostastsale'
date: 2022-04-22
modified: 2024-08-15
tags:
    - attack.execution
    - attack.t1059.006
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\explorer.exe'
            - '\powershell.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains|all:
            - 'findstr'
            - '.vbs'
            - '.lnk'
    condition: selection
falsepositives:
    - Unlikely
level: high
```
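To see what the selection above does and does not fire on, here is an added example (not SigmaHQ code) that re-implements the rule's three conditions in Python and runs them over constructed process_creation events. The field names follow Sigma's process_creation taxonomy (ParentImage, Image, CommandLine); the event contents, the `MARKER.*` pattern and the file names are constructed for illustration and are not taken from the referenced sandbox reports.

```python
"""Added example: evaluate the Sigma selection against constructed
process_creation events. Not part of the SigmaHQ rule or the page."""

# Values copied from the rule's selection block.
PARENT_IMAGE_SUFFIXES = ("\\cmd.exe", "\\explorer.exe", "\\powershell.exe")
IMAGE_SUFFIXES = ("\\cmd.exe", "\\powershell.exe")
COMMANDLINE_TOKENS = ("findstr", ".vbs", ".lnk")


def matches_rule(event):
    """Return True when the event satisfies ParentImage|endswith,
    Image|endswith and CommandLine|contains|all at the same time."""
    # Sigma string modifiers are case-insensitive unless |cased is added,
    # so every value is lower-cased before comparison.
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return (
        parent.endswith(PARENT_IMAGE_SUFFIXES)
        and image.endswith(IMAGE_SUFFIXES)
        and all(token in cmdline for token in COMMANDLINE_TOKENS)
    )


# Constructed sample events (assumed content, not real telemetry).
# Sample 1 mimics the reported tradecraft: the shortcut launches cmd.exe,
# which uses findstr to carve a VBS script appended to the .lnk into
# %TEMP% and then runs it.
SAMPLE_EVENTS = [
    {
        "sample": 1,
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": 'cmd.exe /v:on /c findstr "MARKER.*" "Invoice 04.22.2022.lnk" '
                       '> "%TEMP%\\stage1.vbs" & "%TEMP%\\stage1.vbs"',
    },
    {   # same tokens, but the parent is an Office process: not covered by the rule
        "sample": 2,
        "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": 'cmd /c findstr "x" a.lnk > b.vbs',
    },
    {   # benign findstr use: Image is findstr.exe and no .vbs/.lnk in the command line
        "sample": 3,
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "Image": "C:\\Windows\\System32\\findstr.exe",
        "CommandLine": 'findstr /i "error" C:\\logs\\app.log',
    },
    {   # upper-cased variant through PowerShell: still matches because the
        # comparisons are case-insensitive
        "sample": 4,
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\POWERSHELL.EXE",
        "CommandLine": 'POWERSHELL -c "FINDSTR /V x Doc.LNK > $env:TEMP\\s.VBS"',
    },
]


def alerting_samples(events):
    """Return the sample numbers of all events that trigger the rule."""
    return [e["sample"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT" if matches_rule(event) else "no match"
        print(f"sample {event['sample']}: {verdict}")
```

Two points the run makes visible: the rule matches the interpreter (cmd.exe or powershell.exe) whose command line carries the findstr/.lnk/.vbs tokens, not the findstr.exe child process itself, and a lure that starts from an Office parent rather than explorer.exe, cmd.exe or powershell.exe falls outside the ParentImage list even if the command line is identical.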
Related rules
- FakeUpdates/SocGholish Activity
- Potential CVE-2022-29072 Exploitation Attempt
- APT29 2018 Phishing Campaign CommandLine Indicators
- Adwind RAT / JRAT
- Blue Mockingbird