Emotet loader execution via .lnk file

 1title: Emotet loader execution via .lnk file
 2id: 1f32d820-1d5c-43fe-8fe2-feef0c952eb7
 3description: Detects the latest emotet loader as reported by @malware_traffic. The .lnk file was delivered via phishing campaign.
 4status: experimental
 5date: 2022/04/22
 6author: \@kostastsale
 7references:
 8    - https://twitter.com/malware_traffic/status/1517622327000846338
 9    - https://twitter.com/Cryptolaemus1/status/1517634855940632576
10    - https://tria.ge/220422-1pw1pscfdl/
11    - https://tria.ge/220422-1nnmyagdf2/
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection1:
17        ParentImage: 
18          - '*\cmd.exe'
19          - '*\powershell.exe'
20          - '*\explorer.exe'
21        Image: 
22          - '*\cmd.exe'
23          - '*\powershell.exe'
24        CommandLine|contains|all:
25          - 'findstr'
26          - '.vbs'
27          - '.lnk'
28    condition: selection1
29falsepositives:
30    - Unlikely
31level: high
32tags:
33    - attack.execution
34    - attack.T1059.006```

References

• x.com

  
  Read More

• x.com

  
  Read More

• 082d5935271abf58419fb5e9de83996bd2f840152de595afa7d08e4b98b1d203 | Triage

  Check this report malware sample 082d5935271abf58419fb5e9de83996bd2f840152de595afa7d08e4b98b1d203, with a score of 7 out of 10.

  
  Read More

• emotet | bc84d7201f37b0c02ff742f4b8c5d78412796676724fc0af530975dac2fff063 | Triage

  

  Check this emotet report malware sample bc84d7201f37b0c02ff742f4b8c5d78412796676724fc0af530975dac2fff063, with a score of 10 out of 10.

  
  Read More

Related rules

• Abuse of the Windows Server Update Services (WSUS) for lateral movement.
• ChromeLoader Malware Detection
• Detecting Ammy Admin RMM Agent Execution
• Detection of CMD Execution via AnyViewer RMM
• Detection of Suspicious triggering of ErrorHandler.cmd Execution