4/24 rebuilt Import tables

Posted by a guest, Apr 24th, 2019
Emotet 4/24 Import tables rebuilt

E1 - 77KB variant
e350efd69893b28033dfa6ba293f402c04281453c766022a266ae6be6fbe31aa - https://www.virustotal.com/#/file/348ab4f95a0324cbc92ca541fbee4efaa26b1dc890ca38b2ffbd7326e04787a1/detection

E1 - 106KB variant
323154c4cb75b02983bc4e076be06997644eb8852384aa8d92b48131bc085f00 - https://www.virustotal.com/#/file/d4fa9b54460411f881c9a65b40cc387bdf77ab0da1e045dc4f950f0a8b8417c9/detection

E2 - 77KB variant
6d54d5e52aecdd7abca8d6c5ac9fda1464595b96df9bd6b629604bc289cf6ffe - https://www.virustotal.com/#/file/cd96bf0b1ab66d08981e8cda4dd140f46d9b37c59194f91f70374759da85fb84/detection

E2 - 106KB variant
a9f333b29971aff0de5b070be765e3e81135f6477f02afba879bd2638183d563 - https://www.virustotal.com/#/file/961dc51e00e2d5fb850574151b5bec629b4bc0a198d48e05cf064153fa0e6d63/detection
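Note that the SHA-256 listed on each line is not the same as the SHA-256 embedded in the VirusTotal link beside it, so anyone turning this paste into a blocklist should keep both and flag the mismatch rather than silently trusting one. The following is an added example, not part of the original paste: a Python parser that reads the list above (copied inline as constructed input), validates each hash, extracts the hash from the VT link, reports inconsistent pairs, and emits the deduplicated set of hashes for blocking. It assumes the E1/E2 labels are Emotet botnet group labels; the `group` field name and all helper names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the paste's IOC block (the four variant entries above).
PASTE = """\
E1-77KB variant
e350efd69893b28033dfa6ba293f402c04281453c766022a266ae6be6fbe31aa - https://www.virustotal.com/#/file/348ab4f95a0324cbc92ca541fbee4efaa26b1dc890ca38b2ffbd7326e04787a1/detection

E1 - 106KB variant
323154c4cb75b02983bc4e076be06997644eb8852384aa8d92b48131bc085f00 - https://www.virustotal.com/#/file/d4fa9b54460411f881c9a65b40cc387bdf77ab0da1e045dc4f950f0a8b8417c9/detection
E2 - 77KB Variant
6d54d5e52aecdd7abca8d6c5ac9fda1464595b96df9bd6b629604bc289cf6ffe - https://www.virustotal.com/#/file/cd96bf0b1ab66d08981e8cda4dd140f46d9b37c59194f91f70374759da85fb84/detection
E2 - 106KB variant
a9f333b29971aff0de5b070be765e3e81135f6477f02afba879bd2638183d563 - https://www.virustotal.com/#/file/961dc51e00e2d5fb850574151b5bec629b4bc0a198d48e05cf064153fa0e6d63/detection
"""

# "E1-77KB variant" / "E2 - 106KB Variant": group label, size, tolerant of spacing and case.
LABEL = re.compile(r"^(E\d+)\s*-\s*(\d+)KB\s+variant$", re.IGNORECASE)
# "<sha256> - <url>": exactly 64 hex chars, then a dash, then the link.
IOC = re.compile(r"^([0-9A-Fa-f]{64})\s*-\s*(https?://\S+)$")
# The hash VirusTotal itself keys the report on, taken from the link path.
VT_HASH = re.compile(r"/file/([0-9A-Fa-f]{64})/")


@dataclass
class Ioc:
    group: str          # assumed: E1/E2 botnet group label from the paste
    size_kb: int
    sha256: str         # hash written in the text
    vt_url: str
    vt_sha256: Optional[str]  # hash inside the VT link, None if the link has no hash

    @property
    def consistent(self) -> bool:
        """True only when the listed hash and the linked report hash agree."""
        return self.vt_sha256 is not None and self.vt_sha256 == self.sha256


def parse_iocs(text: str) -> List[Ioc]:
    """Walk the paste line by line; a label sets the context for the IOC lines under it."""
    iocs: List[Ioc] = []
    group: Optional[str] = None
    size_kb = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LABEL.match(line)
        if m:
            group, size_kb = m.group(1).upper(), int(m.group(2))
            continue
        m = IOC.match(line)
        if m and group is not None:
            sha, url = m.group(1).lower(), m.group(2)
            vm = VT_HASH.search(url)
            iocs.append(Ioc(group, size_kb, sha, url, vm.group(1).lower() if vm else None))
            continue
        # Fail loudly rather than drop an indicator on the floor.
        raise ValueError(f"unparsed line: {line!r}")
    return iocs


def inconsistent(iocs: List[Ioc]) -> List[Ioc]:
    """Entries whose text hash and VT-link hash disagree (needs a human to resolve)."""
    return [i for i in iocs if not i.consistent]


def blocklist(iocs: List[Ioc]) -> List[str]:
    """Every SHA-256 on the page, listed or linked, deduplicated and sorted."""
    hashes = set()
    for i in iocs:
        hashes.add(i.sha256)
        if i.vt_sha256:
            hashes.add(i.vt_sha256)
    return sorted(hashes)


if __name__ == "__main__":
    parsed = parse_iocs(PASTE)
    for i in inconsistent(parsed):
        print(f"MISMATCH {i.group} {i.size_kb}KB: text={i.sha256} link={i.vt_sha256}")
    print("\n".join(blocklist(parsed)))
```

Run against the paste, all four entries come back as mismatches and the blocklist carries eight hashes, which is the point: the two hashes on each line are different samples (or a copy-paste error), and only VirusTotal can tell you which.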
~~~~~~~~~~~~~~~~~~~~~

Notes: Yesterday, we began seeing a new loader variant for Emotet. Following the trend of heavy obfuscation, this loader also exhibits a new behaviour: it loads obscure Windows DLLs to check whether the environment is really Windows or something like WINE; if the DLL is not found, the program refuses to run. Additionally, these variants use the Heaven's Gate technique to inject code into the 64-bit address space, and they attempt to shut down Windows Defender from the command line. Very sneaky variants.