Decoding and Extracting URLs from Emotet Powershell (December 2020 Variant)

Some of the latest samples I've been seeing for Emotet look like this app.any.run report.

Using CyberChef, we can decode the PowerShell from this sample to extract the download links for the malware:

From_Base64('A-Za-z0-9+/=',true)

Remove_null_bytes()

Find_/_Replace({'option':'Regex','string':'[`\'+()]'},'',true,false,true,false)

Find_/_Replace({'option':'Regex','string':'\\]e1r\\[S'},'http',true,false,true,false)

Extract_URLs(false)

Find_/_Replace({'option':'Simple string','string':'@'},'\\r',true,false,true,false)


Of course some of the "replace strings" will vary, so this recipe will have to be changed in certain places at times.
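The same recipe replayed in Python, as an added example that is not part of the original post. The PowerShell fragment and the command line it is wrapped in are constructed for illustration (reserved .test/.example/.invalid hostnames, not real Emotet infrastructure), and the URL regex is an approximation of CyberChef's Extract URLs operation; the scheme token and the '@' separator are the ones this post's sample used and will differ between variants.

```python
import base64
import re
from typing import Optional

# Constructed sample, not a real Emotet payload: a PowerShell fragment in the
# style the post describes (scheme replaced by the ']e1r[S' token, URLs joined
# with '@', string pieces glued with '+', backtick-escaped method name),
# encoded as UTF-16LE base64 the way the -ENCOD switch expects.
SAMPLE_PS = (
    "$Urls=']e1r[S://mal'+'ware-stage.test/wp-con'+'tent/x1/@'"
    "+']e1r[S://second-host.example/img/y2/@]e1r[S://thi'+'rd.invalid/css/z3/';"
    "$Parts=$Urls.\"sPl`iT\"([char]64)"
)
SAMPLE_CMDLINE = "powershell -w hidden -ENCOD " + base64.b64encode(
    SAMPLE_PS.encode("utf-16le")).decode()

OBFUSCATION_CHARS = re.compile(r"[`'+()]")      # the recipe's Find/Replace regex
SCHEME_TOKEN = "]e1r[S"                         # stands in for "http"; varies per sample
URL_RUN = re.compile(r"https?://[^\s;\"<>]+")   # rough stand-in for Extract_URLs


def encoded_block(cmdline: str) -> Optional[str]:
    """Return the base64 argument following '-ENCOD ' (the token Rule 2 keys on)."""
    m = re.search(r"-ENCOD\x20+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def extract_urls(cmdline: str) -> list:
    """Replay the CyberChef recipe: From_Base64 -> Remove_null_bytes ->
    strip noise characters -> restore the scheme -> Extract_URLs -> split on '@'."""
    b64 = encoded_block(cmdline)
    if b64 is None:
        return []
    # -ENCOD payloads are UTF-16LE; dropping the NUL bytes leaves plain ASCII
    text = base64.b64decode(b64).replace(b"\x00", b"").decode("latin-1")
    text = OBFUSCATION_CHARS.sub("", text)
    text = text.replace(SCHEME_TOKEN, "http")
    urls = []
    for run in URL_RUN.findall(text):
        # the whole '@'-joined list is captured as one run, as in CyberChef,
        # so the last step splits it into individual download URLs
        urls.extend(u for u in run.split("@") if u)
    return urls


if __name__ == "__main__":
    for url in extract_urls(SAMPLE_CMDLINE):
        print(url)
```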

Some additional items to look at from an EDR perspective might be:

Rule 1: ParentProcess contains Rundll32.exe AND process contains Rundll32.exe AND ProcessParentCommandLine contains '\users\' AND ProcessCommandLine contains '\users\'

For additional reduction of false positives, you may want to include NetworkPort is '80' or NetworkPort is '443'.

Rule 2: Simply ProcessCommandLine contains "-ENCOD\x20" (\x20 being the space that follows the switch).

Rule 3: WmiPrvse.exe as the grandparent process, cmd.exe as the parent process and PowerShell as the running process.

WmiPrvse.exe > Cmd.exe > Powershell.exe

Rule 4: Look for Office processes launching WMI images. The following has fantastic information about this, and I have seen it work nicely.

https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.html
