Emotet Returns from Summer Vacation, Ramps Up Stolen Email Tactic - Identifying the infected machines - Detect files created by Trojan.Emotet using CIR's

You can create CIR's to scan for the files the malware creates and report on those files

CIR look for Emotet file 1o6     FileExists(c:\windows\syswow64\cbsmfidl.exe)     
CIR look for Emotet file 2o6     FileExists(c:\windows\syswow64\SERVERNV.EXE)    
CIR look for Emotet file 3o6     FileExists(c:\windows\syswow64\servicedcom.exe)    
CIR look for Emotet file 4o6     FileExists(c:\windows\12345678.EXE)    
CIR look for Emotet file 5o6     FileExists(C:\WINDOWS\SYSWOW64\NUMB3R2ANDL3373RS.EXE)    
CIR look for Emotet file 6o6     FileExists(C:\WINDOWS\TEMP\1A2B.TMP)    
CIR look for Emotet key 1o2     RegistryKeyExists(HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\1A345B7)
CIR look for Emotet key 2o2     RegistryKeyExists(HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\12C4567D)



  • genius! I'll definitely be implementing this!

    edit - added all of these just now. Here's to hoping my company is good to go lol - jonniipalos 4 years ago
  • Your link post got me looking, thanks. The first file is from a different site. There are variants on the file names so if anyone else finds other ones to look for please post comment. - SMal.tmcc 4 years ago
  • Glad I was able to help. Hopefully if there are other known files they'll get reported. - jonniipalos 4 years ago
This post is locked
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ