Emotet Dissemination Campaign – July 2022


Since the end of June, Art Resilia detected an increasing volume of Maldoc campaigns associated with Emotet[1]. Although Emotet has been around for a while, this campaign is particularly relevant due to the impersonation of various entities, including public ones, and the abnormal volume of events focused on Portuguese cyberspace.

This article describes the analysis performed by ArtResilia’s SOC and It is intended to help in the detection and prevention of this campaign.

Both sender recipient and the conversation content were used as subversion mechanisms, being the “From” manipulated to known sender addresses (all cases), subject reused from previous email exchanges between the victims (majority of the cases) and, in some cases, the email thread content reused as body.

The campaign used a widely distributed support infrastructure, placing Brazil on the top of more than 20 different countries. Evidence of Cyrillic encoding being used are shown, the attack typology described as well as the TTPs.

At last, a set of seven recommended actions are proposed and a few of detection rules (YARA and SIGMA) shared.

Technical Analysis

During the analysis preparation phase a significant amount of different email types were collected by ArtResilia, with different senders, attachments and recipients. Details of the analysis process are described in the following sections.

Message headers

In the analyzed emails, the attacker manipulated the “From” field to give the appearance that the message had originated from email addresses trusted by the recipient, which is not the case.  However even the real senders of the message appear to have been sent through compromised accounts that were subverted for the dissemination of malicious messages. 

Furthermore, content of previous email threads between the involved victims was also rescued in the same cases, namely the subject and portions of the body itself.

Although several accounts were used, as shown in the chart below, most of the addresses used for dissemination belonged to organizations registered under the Top Level Domain (TLD) .br.

Body of emails

The language used in the body of emails varied between Portuguese and English. During the analysis process, several structures of the email body were observed, although they all had the same purpose – directing the attention of the recipient of the message to the attached file and usually giving a sense of urgency.

It should also be noted that several attached messages contained a transcript of emails, including the same subject with the prefix “FW:” or “RE:” and the message body, previously exchanged between the recipient and the sender (personified) of the message, which probably indicate that the author of the campaign had access to one or more mailboxes involved in the original conversation.


The messages were accompanied by a single attachment, whaich varies between the ZIP format and the XLS format.

The ZIP files (containing a single XLS format) were encrypted with a password, which was provided in the body of the email. This is a mechanism used regularly in malicious file dissemination attacks, since by encrypting the file, the attacker will have better chances to bypass malware filtering capabilities of e-mail solutions. The extracted XLS contained XLM Macros, whose purpose was to download second stage payloads from the internet and run them using the native Windows tool regsvr32 (LolBin[2]), used to register DLLs and execution of Scriptlets. The same pattern was found in the non-encrypted xls attachments.

When executed, these macros would download 4 remote files from the Internet, and later use regsvr32.exe to execute them.

Origin/Typology of attack

Regarding the addresses/URLs contacted during the infection chain, the vast majority appear to be infrastructures compromised by the attacker and subverted to host malicious files, with the infrastructure being geographically dispersed.

Most of the Websites used during this campaign appear to be sites that make use of the CMS WordPress, running outdated and/or improperly configured versions, thus being vulnerable to several different attacks.

As for the XLS files, the majority have the alias “Dream” as their author, and the last change was made by the alias “RGSGK”.

These aliases have already been observed in other campaigns related to the Emotet Trojan, which also had some kind of connection with infrastructures present in Brazil. 

It is also relevant the Cyrillic encoding found in the files, which can be an Indicator of the real origin of the Threat Actor.

It should also be noted that the same indicators observed in this campaign are being disseminated globally, which means that although some of the bodies of the emails are targeted and specific to the victims of this attack, the infrastructure and artifacts are being reused in other campaigns.


Recommended actions

Given the fact that the received messages contain content previously shared between the target entities, it is possible that this attack involved access to exchanged messages, thus implying an Identity Theft with implications in the Confidentiality of information. Therefore, we recommend the following actions:

  • Review logins to email accounts. Any abnormal session should be investigated. Grouping login events by origin, device and hours is an excellent starting point to find abnormal activity.
  • Review of automatic email redirection rules. Common technique used by adversaries to exfiltrate information.
  • Review of network logs, with special attention to the indicators shared in this report;
  • Review of EDR or EPP, with special attention to the indicators and TTPs shared in this report.
  • In a scenario of a massive email delivery, evaluate the possibility of blocking in your Secure Email Gateway messages with attachments from untrusted senders, particularly:
    • Encrypted Attachments
    • Office Files
    • Binaries
  • Disable Macros when possible or use a whitelist approach with signed ones.
  • Evaluate the possibility of using Attack Surface Reduction rules to prevent Office from creating child processes [3].

Detection Opportunities

YARA Rules

[Swipe left to scroll table contents]

rule maldoc_emotet_july
    	        $a1 = ".ocx"
    	        $a2 = "://"
    	        $a3 = "Dream"
    	        $a4 = "RGSGK"
    	        $a5 = "URLDownloadToFil"
    	        $a6 = "32.ex"
    5 of ($a1, $a2, $a3,$a4,$a5,$a6) and (uint32be(0) == 0xD0CF11E0 or uint32be(0) == 0x504b0304)


[Swipe left to scroll table contents]

title: Emotet - Regsvr32.exe loading from Appdata/Temp folder
description: Detects regsvr32.exe loading resources from temporary folders
status: experimental
author: Art Resilia
date: 2022/07/08
	- attack.execution
	- attack.t1059
	category: process_creation
	product: windows
        	       - '\regsvr32.exe'
        	    - '\Windows\Temp'
        	    - '\AppData\Local\'
        	    - '\AppData\Roaming\Temp'
	condition: selection
	- Custom binaries
level: high

In addition you can complement the detection capabilities with a generic Sigma Rule[4] that detects process creation of a LOLBin process from an Office Application.

Indicators of Compromise

Below you can find a list of collected indicators of compromise.

[Swipe left to scroll table contents]

Indicator Description
hxxps://enamsg[.]com/components/nLRKIxof/ Dropper URL
hxxps://curite[.]net/cgi-bin/MVlEWg5erc/ Dropper URL
hxxp://fontecmobile[.]com/pk/jINs/ Dropper URL
hxxp://corpuslender[.]com/wp-content/3lfRabuJe3/ Dropper URL
hxxps://aysbody[.]com/catalog/FlJ6iKCntAwF085/ Dropper URL
hxxps://hepsisifa[.]com/wp-content/T0kkNeOlvF/ Dropper URL
hxxps://hayakatibi[.]com/catalog/pJix6SFfnbNWFMuu8m/ Dropper URL
hxxps://fikti[.]bem[.]gunadarma[.]ac[.]id/wC256Xn/ Dropper URL
hxxps://decorusfinancial[.]com/wp-content/4E3HMlzDpriI3MZ0fp/ Dropper URL
hxxps://curite[.]net/cgi-bin/IXkx/ Dropper URL
hxxp://kairaliagencies[.]com/data_winning/kWV0fTwakEvHJUKF/ Dropper URL
hxxp://corporateissolutions[.]com/administrator/xOEXwASH3uUe/ Dropper URL
hxxp://francite[.]net/images/XI7zS0X1nY/ Dropper URL
hxxps://cointrade[.]world/receipts/Sa6fYJpecEVqiRf05/ Dropper URL
hxxp://gedebey-tvradio[.]info/wp-includes/nOmdPyUpDB/ Dropper URL
hxxp://haircutbar[.]com/cgi-bin/SpJT9OKPmUpJfkGqv/ Dropper URL
hxxps://educacionsanvicentefundacion[.]com/iplookup/wYEInbaN/ Dropper URL
hxxps://www[.]4monkeys[.]com/wp-admin/dNAuBEKo/ Dropper URL
hxxp://haircutbar[.]com/cgi-bin/dNfEA5F/ Dropper URL
hxxp://gedebey-tvradio[.]info/wp-includes/T0J9THbd5f2/ Dropper URL
hxxps://curite[.]net/cgi-bin/SJ2LI/ Dropper URL
hxxps://enamsg[.]com/components/juTBPJ0Jr6FMh5AuDf/ Dropper URL
hxxp://corpuslender[.]com/wp-content/jb4hyj9Ufawl/ Dropper URL
hxxps://akuntansi[.]itny[.]ac[.]id/asset/H10R0aWYC/ Dropper URL
hxxps://globartmag[.]com/images/8VAq5ZSSrbfHJFmzb/ Dropper URL
hxxp://gedebey-tvradio[.]info/wp-includes/ydPz/ Dropper URL
hxxps://educacionsanvicentefundacion[.]com/iplookup/NmUBGEds2KgV/ Dropper URL
hxxp://gtraff[.]com/wp-includes/fLx/ Dropper URL
hxxps://gumushaliyikama[.]com[.]tr/images/53K7VVUhrbL/ Dropper URL
hxxp://guvenliksepeti[.]net/ygzz/wIvF/ Dropper URL
hxxp://civcraft[.]net/0NB225K3VjLuJm/75nYicnqulFb/ Dropper URL
hxxp://cicerosd[.]com/wp-includes/KnC/ Dropper URL
hxxps://weboculta[.]com/css/4teU8698559ttLN/ Dropper URL
hxxp://chillpassion[.]com/wp-content/Qcl3YY1jmc/ Dropper URL
hxxp://ww[.]aseguradosaldia[.]com/wp-content/5xLOG2xKBT20s8e6Fs1/ Dropper URL
hxxp://akdalarabic[.]com/cgi-bin/WQ0nRFFi3/ Dropper URL
hxxps://construlandia[.]com/templates/SGbVH/ Dropper URL
hxxps://encuadernacionesartis[.]com/gcBjAvx/XFbc014fTyATJhss/ Dropper URL
hxxp://corpuslender[.]com/wp-content/1Ct3JyyZxKrywIr/ Dropper URL
hxxp://erp[.]pinaken[.]com/appPhoto/1nDHhHb7eso9uJhEDoX/ Dropper URL
56e665d85d3621e561d7848e2175ff184d81d0543ab5f84675b4a7e2ac7dfa86 SHA256 Dropper Document
f05e593b9dfcad614f81bbf13fdb9f269ce91711b56e8aeef3b9776825316723 SHA256 Dropper Document
9bc74075f7f482e4166f2cde5213948915b9d9f7885e49ab434c9c036486ba56 SHA256 Dropper Document
f44fe399c29bef0c9b77124c2fca257c90e2afb7aceae6af3e5c3410ac65sa0a SHA256 Dropper Document
d69450df6cd1f5533347c2578c54c49d858c38348ac107c561c5c09f3d07b400 SHA256 Dropper Document
63e685673dd7420c1f30255a504b0c17d792120dda8d63d0145c6acc81f836d3 SHA256 Dropper Document
56e7d1b3dccc03d9f849dae44fa2ac32091265eeb72980a3b8321d04fa2b21fb SHA256 Dropper Document
899118e672293842527408bd348fb923fb87e2c4fa7a4435c31f2db44a0c4f40 SHA256 Dropper Document
f59f154c3946ea5f6e2ad9f83652108848335389cf7d2af56b2f16cb7ea09101 SHA256 Dropper Document
3d1746bb329f7dc8a80100c46c5c623a9656886c414b08f570197b19c8e0e0fc SHA256 Dropper Document
effda7c3274178286dda423ce172b513d4c131ce946de5b287e17fc64bfaae32 SHA256 Dropper Document
1cc849f91a248a93d8380cfbdfb30fe3c8bb9f43fdd6aae38da8ebcbfd0cda23 SHA256 Dropper Document
0233a1924aadf85467618d09431ace435b047e4f5a84d0cc1764e891a4d2e0bb SHA256 Dropper Document
6ee17832d2b9845b90190eac1e21a22032a53ebecad609beb9b5cc5cbc69a07b SHA256 Dropper Document
63ed05fbcbfbde96961e39d097db0ba40f3b50a59d5f3cf0251e3208fe1edd16 SHA256 Dropper Document
ece2c40d6447e61b492854ae4552f41299b634ba9053b1eca81480d6165a8af1 SHA256 Dropper Document
4b7f2a6fdc19a3f6d6d9f2d109f6404566134a86161f0a2c0a373449b67a75c1 SHA256 Dropper Document
63c8dc25f6248bb23cd3aa929e5fa328503def472fbf3e43620b52f3058135b8 SHA256 Dropper Document
c3c32bba148d774af63ec71df48fc67fc5584f2c8d677a246344e0343cdb37e4 SHA256 Dropper Document
0dd37db0ef8d00d417f55218eb11aff0c87e15e057fe7862fee79d02192aa5d0 SHA256 Dropper Document
ec0bf98603d4ba5c0c411d8ec28a7b9f11666a64107518472e66125695331fbd SHA256 Dropper Document
78ec8c4f6aa999a0fd21e49116346a1df31f7467649ab6d8ac286ec413c9b684 SHA256 Dropper Document
3533f1ac5ba793543d0ce29052fa2118bb32305558c2fbcca8a21d090c841af7 SHA256 Dropper Document
643d3fb58f543e7e246927c3496760b346ce7a697695741a45c7c2c516e82d69 SHA256 Dropper Document
07fdd70253c6901b36feb4a77adcc22c72a9b17cf014ec0854dca0e397db6eda SHA256 Dropper Document
cc47bfbd4768079547f73ceee887b0cb3eb9c84968a24f3e5a7f7a0ebbf877af SHA256 Dropper Document
dfdfc3bf8ffe1381c2b1d2c24abcbbd95a3d3200fd7868a86746ebe27c5179c2 SHA256 Dropper Document
7be30979ccc94b041c9dd29bcab6ee23dbd1fbe59ab030a51fcf50e81c7a8c34 SHA256 Dropper Document
f1c030d1cc8a81014b1973a9fb53315ea6b50968f374760b43371d8bd64b1116 SHA256 Dropper Document
e8adb394da2ba84ddac938851b807596fb9845d5e9f69c4ee1c6a018f955a42b SHA256 Dropper Document
486eb7518e27b46fecb0003ffc5f0455553e1afb32e47f9d0f87abf3d9c75e51 SHA256 Dropper Document
8f2711d69fd3da52c9b938a93683984194c4626f0f1d123fcae629b58cc68ba6 SHA256 Dropper Document
45d28a4544789e4e8927b5f1bc732a3e4dd9f44484fc5ad0890dd31908aa8f62 SHA256 Dropper Document
c42e2e73b96b837890f4d58423f25b1181aed81eee5d123ea0d0d1295d21509c SHA256 Dropper Document
913fcd64e4456a262d8e473f1e233849f02ce98f9372664bc43cf61a9f3ea6c4 SHA256 Dropper Document
b1eb70b73847575abbed0dcb20f48be8f34c241f6cf155742e84195457be6d72 SHA256 Dropper Document
8b093cb48e06574729030ee4035c64b8603083975542867fc8ca8ca913a32ec7 SHA256 2nd Stage
0d35f8ef5c8c01cc4068014a12c09cf706c030180ad8ac04bfab7990ee5bd396 SHA256 2nd Stage
a06af6561396a65f717405d37d0096bf86237df280733cd3f2419486fb76fa09 SHA256 2nd Stage
3ee0501329a3f7eb4b4fe33ab2e5836ed88c552909f55497d9d4f960a9eefb9d SHA256 2nd Stage
77ec506e3d4b0b07354aaad70b488d4dd980c8e6666d49cd2d670eac379c0444 SHA256 2nd Stage
8253308893260349a56694801b89072b5889ab0c37b801c7fa2122c63c730f5b SHA256 2nd Stage
5df65a1e2861432f4824d69684bf15225a71fed57832312ae6ec012750788c3e SHA256 2nd Stage
276bf4b5da8cd487ab2ba76aa9e316d35a1f50e452f4bd00422ddfbfb37193f8 SHA256 2nd Stage
1dde15f32486b080671c12ce4828731a78293b637c432306b440be2a02043765 SHA256 2nd Stage
9ca9ac1c7bc09ee9e497e47cf54295625b00a3b74e2a1e3bea0b4034f401de10 SHA256 2nd Stage
27a886793c653bb69c886a3db1fb6753e9ecd184bd4459af9c315fa7ef29eeca SHA256 2nd Stage
c5069d761e2b7e12ede66bd96dfa631a82d3ed86e75ac476657e6d1e34997c61 SHA256 2nd Stage
402dec0383d1a678aab2e99b346fed596ec971fd75d33ab2312b34abf59e8eb9 SHA256 2nd Stage
94e7fa99a37f94780539cc68c0a355e1494c54ecb3b7d0b527d14048b7afd291 SHA256 2nd Stage
c395428377258b20ec5581905e0760df0e5eaff0fe7bd347a9dc1322922ce39c SHA256 2nd Stage
ed8a2f946d154ae11e23a6decc30a19d2594556e1401087d81246c025a88ea56 SHA256 2nd Stage
84814deb2e605139fea8a685e9cdd11f584222946cccec0eb3ab793934c9d8a7 SHA256 2nd Stage
258bb2b23c6ea7434eb8c965a168e7eb87257f5d3e4c4272c5ab29e873d6fbd3 SHA256 2nd Stage
5c41a1ed0740d5522ac4945650f1c1dc29bd2900a7886b4d80e7ca15029d9acf SHA256 2nd Stage


Tomás Ferraz
Sérgio Ribeiro





[4] New Lolbin Process by Office Applications (Sigma HQ / Github)