SilentBuilder is a campaign being used to deliver bankers such as Emotet, both to grow the Epoch5 botnet and to carry out the usual tasks of this malware. Given its similarities to other loaders that launch Emotet, and the fact that, once the banker is on our computer, it tries to contact a C&C, we can take this as the typical modus operandi of the criminal group Mummy Spider (TA542).

_How it Works

The attacker gains access to our system through a phishing email, more specifically spearphishing with an attachment [T1566.002] such as an XLS or DOCX. Because the document contains macros or hidden functions, it downloads a file, usually a DLL; once downloaded, the DLL is launched on the computer by abusing Regsvr32.exe, and it then works through a list of C&C servers.


_Static Analysis

Once the document is downloaded (an XLS, in my case), a quick look shows that it contains interesting functions that will run automatically when it is opened.


An interesting detail is that, alongside the usual warning that triggers the functions, this sample shows a second warning created by the attacker, which is simply an image.


After this, we see a completely blank document: no sheets, no macros… Digging deeper, we find that it does contain sheets internally, with characteristic names, and that they were hidden.


Once again the sheets are empty… After reviewing the document and changing the font colour on all the sheets, we found all the functions, obfuscated and scattered.


In one of the sheets we find the most important function, the one that deobfuscates most of the functionality of the document's other functions.

As we can see, we obtain the functionality for downloading a supposed library (nhth.dll) from several different domains:


_Dynamic Analysis

Once we have an idea of how the document works internally, let's check whether we are right.

We see that, once the Excel file is launched, it makes a request to a domain and downloads a file (in the network traffic we observe the MZ header typical of a Windows PE). After this, we can see that it drops the DLL in \users\< YourUser >\ and then moves it to \AppData\Local\< RandomName >\ under another name, < RandomName >.adj.


If we compare the file obtained from the network traffic with the one found in \users\ or in \AppData\ , we can see that it is the same file.


After this, we see that the DLL tries to contact a list of C&C servers.
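The chain described above (Excel spawning Regsvr32.exe to load a renamed .adj module from \AppData\Local\< RandomName >\) is easy to turn into a process-creation detection. The following is an added example, not code from the original post: it runs over constructed Sysmon-style events with assumed field names (ParentImage, Image, CommandLine) and flags any regsvr32 launched by an Office application that loads a non-DLL module from anywhere under AppData\Local, which generalises the single path seen in this sample.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation events (assumed field names, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Qwmzk\Hrtyp.adj"'},
    {"ParentImage": r"C:\Windows\explorer.exe",          # benign: vendor installer registering a DLL
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe C:\Users\bob\AppData\Local\Temp\Abcde\Fghij.adj"},
]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Any module under <profile>\AppData\Local\...; the campaign drops <Random>\<Random>.adj there.
# Group 1 captures the file extension so a non-.dll module can be called out.
APPDATA_LOCAL_RE = re.compile(
    r'\\Users\\[^\\"]+\\AppData\\Local\\(?:[^\\"]+\\)+[^\\"]+\.(\w+)', re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyse_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event resembles the XLS -> regsvr32 -> module chain (empty = nothing seen)."""
    reasons: List[str] = []
    if basename(event["Image"]) != "regsvr32.exe":
        return reasons
    if basename(event["ParentImage"]) in OFFICE_PARENTS:
        reasons.append("regsvr32 spawned by an Office application")
    match = APPDATA_LOCAL_RE.search(event["CommandLine"])
    if match:
        reasons.append("regsvr32 loading a module from under AppData\\Local")
        ext = match.group(1).lower()
        if ext != "dll":
            reasons.append(f"module has non-DLL extension .{ext} (this sample used .adj)")
    return reasons


def suspicious_events(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Keep only events with at least two indicators, so a lone AppData load does not fire on its own."""
    hits = []
    for event in events:
        reasons = analyse_event(event)
        if len(reasons) >= 2:
            hits.append((event["CommandLine"], reasons))
    return hits


if __name__ == "__main__":
    for cmdline, reasons in suspicious_events(SAMPLE_EVENTS):
        print(cmdline, "->", "; ".join(reasons))
```

The same logic maps directly onto a Sigma or EDR rule keyed on ParentImage, Image and CommandLine.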


If we look at the origin of all the addresses it tries to contact, we can see that it has servers across most of America, Europe and Asia, among other regions.


How long will they continue to exploit Emotet? Who knows…


_Download Emotet