Emotet is a sophisticated malware family that spreads through phishing emails and network vulnerabilities and often serves as a delivery vector for other malicious payloads. SOC teams should proactively hunt for Emotet in Azure Sentinel to detect early-stage infections and prevent lateral movement and data exfiltration. The YARA rule below (named `Emotets` by its author) matches byte patterns characteristic of the loader.
YARA Rule
rule Emotets {
    meta:
        author = "pekeinfo"
        date = "2017-10-18"
        description = "Emotets"
    strings:
        $mz = { 4d 5a }
        $cmovnz = { 0f 45 fb 0f 45 de }
        $mov_esp_0 = { C7 04 24 00 00 00 00 89 44 24 0? }
        $_eax = { 89 E? 8D ?? 24 ?? 89 ?? FF D0 83 EC 04 }
    condition:
        ($mz at 0 and $_eax in (0x2854..0x4000)) and ($cmovnz or $mov_esp_0)
}
This YARA rule can be deployed in the contexts described below.
The rule contains four string patterns in its detection logic: `$mz` (the MZ header, required at offset 0), `$_eax` (required within the file offset range 0x2854..0x4000), and `$cmovnz` or `$mov_esp_0` (at least one must be present anywhere in the file). The `?` characters are nibble wildcards, so `0?` matches any byte from 0x00 to 0x0F and `??` matches any byte.
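To see exactly how the condition above evaluates, here is an added Python example (not part of the original page or pekeinfo's rule) that scans a constructed buffer for the same four hex strings, honouring the `?` nibble wildcards and the inclusive `in (0x2854..0x4000)` offset bound; `parse_hex`, `find_all`, `emotets_condition` and `build_sample` are names assumed for this illustration, and the sample buffer is NOP filler with the patterns planted at chosen offsets.

```python
# Pure-Python evaluation of the pekeinfo 'Emotets' rule's condition.
# The buffers built here are constructed test data, not real samples.

RULE_STRINGS = {  # hex strings copied verbatim from the rule above
    "$mz": "4d 5a",
    "$cmovnz": "0f 45 fb 0f 45 de",
    "$mov_esp_0": "C7 04 24 00 00 00 00 89 44 24 0?",
    "$_eax": "89 E? 8D ?? 24 ?? 89 ?? FF D0 83 EC 04",
}
EAX_RANGE = (0x2854, 0x4000)  # the 'in (0x2854..0x4000)' bound, inclusive


def parse_hex(hex_string):
    """Turn a YARA hex string into (value, mask) byte pairs; a '?' nibble gets mask 0."""
    pairs = []
    for tok in hex_string.split():
        value = int(tok.replace("?", "0"), 16)
        mask = int("".join("0" if c == "?" else "f" for c in tok), 16)
        pairs.append((value, mask))
    return pairs


def find_all(data, pattern):
    """Every offset at which the masked pattern matches the buffer."""
    n = len(pattern)
    return [i for i in range(len(data) - n + 1)
            if all((data[i + k] & m) == v for k, (v, m) in enumerate(pattern))]


def emotets_condition(data):
    """Mirror the rule: $mz at 0 and $_eax in range and ($cmovnz or $mov_esp_0)."""
    hits = {name: find_all(data, parse_hex(h)) for name, h in RULE_STRINGS.items()}
    mz_at_0 = 0 in hits["$mz"]
    eax_in_range = any(EAX_RANGE[0] <= off <= EAX_RANGE[1] for off in hits["$_eax"])
    return mz_at_0 and eax_in_range and bool(hits["$cmovnz"] or hits["$mov_esp_0"])


def build_sample(eax_offset, include_cmovnz=True):
    """Constructed buffer: 0x90 filler with 'MZ' at 0 and the patterns at chosen offsets."""
    buf = bytearray(b"\x90" * 0x4100)
    buf[0:2] = b"MZ"  # 4d 5a, satisfies '$mz at 0'
    # One concrete instance of $_eax:
    # mov ebp,esp / lea eax,[esp+0x10] / mov edx,eax / call eax / sub esp,4
    eax_bytes = bytes.fromhex("89e58d44241089c2ffd083ec04")
    buf[eax_offset:eax_offset + len(eax_bytes)] = eax_bytes
    if include_cmovnz:
        buf[0x100:0x106] = bytes.fromhex("0f45fb0f45de")  # $cmovnz, anywhere is fine
    return bytes(buf)
```

Moving `$_eax` outside the offset range, or dropping `$cmovnz` while no `$mov_esp_0` is present, makes the condition fail, which is a quick way to confirm which clause a suspected false positive is tripping.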
Scenario: A system administrator is using PowerShell to automate the deployment of a new software update across the network.
Filter/Exclusion: Exclude PowerShell scripts that match known update deployment patterns (e.g., Invoke-Command with msiexec or setup.exe).
Scenario: A scheduled job runs nightly to clean up temporary files using a script that mimics Emotet behavior (e.g., deleting files in a temporary directory).
Filter/Exclusion: Exclude processes associated with scheduled tasks (e.g., schtasks.exe) or files in known temporary directories (e.g., C:\Windows\Temp).
Scenario: A system backup tool (e.g., Veeam Backup & Replication) is copying files to a network share, which triggers the rule due to file transfer activity.
Filter/Exclusion: Exclude processes related to backup tools (e.g., VeeamBackup.exe) or network shares used for backups (e.g., \\backupserver\backup).
Scenario: An IT admin is using Windows Task Scheduler to run a script that configures firewall rules, which includes modifying registry keys or file system entries.
Filter/Exclusion: Exclude processes launched via Task Scheduler (e.g., schtasks.exe) or registry modifications performed by known administrative tools.
Scenario: A remote desktop session is being used to execute a script that configures user profiles or system settings, which may trigger the rule due to file system activity.
Filter/Exclusion: Exclude processes initiated from RDP sessions (e.g., mstsc.exe) or user-specific file modifications in the C:\Users\ directory.