Emotet loader execution via .lnk file

Detects the latest Emotet loader as reported by @malware_traffic. The .lnk file was delivered via a phishing campaign.

Sigma rule

```yaml
title: Emotet loader execution via .lnk file
description: Detects the latest emotet loader as reported by @malware_traffic. The .lnk file was delivered via phishing campaign.
status: experimental
date: 2022/04/22
author: '@kostastsale'
references:
    - https://twitter.com/malware_traffic/status/1517622327000846338
    - https://twitter.com/Cryptolaemus1/status/1517634855940632576
    - https://tria.ge/220422-1pw1pscfdl/
    - https://tria.ge/220422-1nnmyagdf2/
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage:
          - '*\cmd.exe'
          - '*\powershell.exe'
          - '*\explorer.exe'
        Image:
          - '*\cmd.exe'
          - '*\powershell.exe'
        CommandLine|contains|all:
          - 'findstr'
          - '.vbs'
          - '.lnk'
    condition: selection1
falsepositives:
    - Unlikely
level: high
tags:
    - attack.execution
    - attack.T1059.006
```
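To see what the rule actually fires on, the following is an added example (not part of the original page or the rule author's code) that hand-translates `selection1` into Python and runs it over a few constructed `process_creation` events. The translation assumes Sigma's default semantics: `*\cmd.exe` is a suffix match and `contains|all` is case-insensitive. The event dictionaries and their command lines are constructed for the test and are not taken from any real sample; in production the rule would be converted by a Sigma backend rather than by hand.

```python
"""Hand-translation of the Sigma rule's selection1 for testing purposes.

Added example, not the rule author's code. Field names follow the Sigma
process_creation taxonomy (ParentImage, Image, CommandLine); the matching
semantics below (case-insensitive, suffix match for the wildcard values)
are an assumption about how a Sigma backend would render the rule.
"""

# Values from the rule, lower-cased once so comparisons are case-insensitive.
PARENT_IMAGE_SUFFIXES = ("\\cmd.exe", "\\powershell.exe", "\\explorer.exe")
IMAGE_SUFFIXES = ("\\cmd.exe", "\\powershell.exe")
COMMANDLINE_TOKENS = ("findstr", ".vbs", ".lnk")


def matches_rule(event: dict) -> bool:
    """Return True when a process_creation event satisfies selection1."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return (
        parent.endswith(PARENT_IMAGE_SUFFIXES)
        and image.endswith(IMAGE_SUFFIXES)
        # contains|all: every token must appear somewhere in the command line
        and all(token in cmdline for token in COMMANDLINE_TOKENS)
    )


# Constructed sample events (not real telemetry). Index 0 mirrors the chain
# the rule targets: explorer.exe launches cmd.exe, which uses findstr to read
# a .lnk and write a .vbs. The others exercise the rule's boundaries.
SAMPLE_EVENTS = [
    {
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": 'cmd.exe /c findstr "marker" invoice.lnk > %TEMP%\\out.vbs',
    },
    {   # same tokens in different case: still matches (case-insensitive)
        "ParentImage": "C:\\Windows\\Explorer.EXE",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": 'powershell -c "FINDSTR x report.LNK > x.VBS"',
    },
    {   # benign: cmd.exe from explorer.exe, but no findstr/.vbs/.lnk
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c dir C:\\Users",
    },
    {   # only two of the three tokens: contains|all is not satisfied
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c findstr /i error app.log > errors.vbs",
    },
    {   # all tokens present, but the parent is not one the rule lists
        "ParentImage": "C:\\Windows\\System32\\svchost.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": 'cmd.exe /c findstr "marker" invoice.lnk > out.vbs',
    },
]


def alerts(events: list) -> list:
    """Return the indices of the events that the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    for i in alerts(SAMPLE_EVENTS):
        print(f"ALERT event[{i}]: {SAMPLE_EVENTS[i]['CommandLine']}")
```

The last sample event is worth noting when tuning: the rule deliberately keys on `explorer.exe`, `cmd.exe` and `powershell.exe` as the parent, so the same command line under a different parent process is not covered. That is a reasonable precision trade-off for a phishing-delivered `.lnk`, but it is the first place to widen the selection if the loader chain changes.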
