What is Emmenhtal malware?

Emmenhtal is a loader malware first observed in early 2024, designed to deploy infostealers and remote access trojans (RATs) on compromised systems. Usually distributed through phishing campaigns involving fake downloads or deceptive email attachments, Emmenhtal embeds itself within modified legitimate Windows binaries.

Its key functionality includes executing malicious scripts via HTA (HTML Application) files and facilitating the distribution of malware such as CryptBot and Lumma Stealer.

According to research conducted by ANY.RUN, Emmenhtal utilizes LOLBAS (Living Off the Land Binaries and Scripts) to deliver malware as part of its campaigns.

The malware has been found distributing threats such as Arechclient2, Lumma Stealer, HijackLoader, and Amadey, with each sample relying heavily on malicious scripts. These scripts can be analyzed in-depth using ANY.RUN’s Script Tracer.

Simply upload the malicious sample inside the sandbox and observe its behavior in real time, without causing harm to your system. Emmenhtal loader observed inside ANY.RUN sandbox

Emmenhtal malware technical details

The primary functionalities and features of Emmenhtal loader include:

• Utilizes legitimate Windows tools like Forfiles, HelpPane, and PowerShell to evade detection and execute payloads.
• Employs a multi-stage process with AES-encrypted scripts to decrypt and execute the final malware payload.
• Known to distribute various malware, including Arechclient2, Lumma Stealer, HijackLoader, and Amadey.
• Heavily obfuscates scripts and payloads, employing AES encryption to avoid detection by security systems.
• Typically distributed through phishing campaigns, fake downloads, and deceptive email attachments.
• Relies heavily on malicious scripts for payload execution and persistence.
• Ensures it remains on the system post-infection by integrating persistence mechanisms.
• Functions as a flexible loader, adaptable to deliver a range of malware types.
• Frequently launches payloads disguised as legitimate binaries, such as Updater.exe, to blend in with normal system activity.
• Believed to be used by multiple financially motivated threat actors in global campaigns.

Emmenthal loader execution process

To see how Emmenthal operates, let’s upload its sample into ANY.RUN’s Interactive Sandbox.

Emmenhtal heavily relies on Living Off The Land (LOLBAS) techniques to deliver malware as part of its campaigns. The malware uses various execution methods. In our case, a .lnk file was crafted to appear as a PDF document, but in reality, it pointed to malicious scripts hosted on a remote server. These shortcuts execute scripts and initiate further actions without immediately raising security alerts.

Ssh.exe displayed in ANY.RUN sandbox

The malware employs both PowerShell and Windows Management Instrumentation (WMI) commands to gather detailed information about the victim’s system. This includes language settings, antivirus products, operating system versions, and hardware specifications. Such reconnaissance enables attackers to tailor subsequent attacks and enhances their credibility when sending additional malicious emails within the targeted organization.

Ultimately, a final PowerShell script serves as the Emmenhtal loader. It launches a payload, often Updater.exe, but in our example R-Viewer.exe, along with a binary file that has a generated (random) name as its argument. After this process completes, the system is effectively compromised. During our analysis, we observed Emmenhtal delivering several malware families, including Arechclient2, Lumma, Hijackloader, and Amadey, each making extensive use of malicious scripting techniques.

Execution Chain:

1. The .lnk file initiates SSH.
2. SSH starts PowerShell.
3. PowerShell launches Mshta with the AES-encrypted first-stage payload.
4. Mshta decrypts and executes the downloaded payload.
5. PowerShell executes an AES-encrypted command to decrypt and run Emmenhtal.

Process tree observed inside ANY.RUN sandbox

Emmenhtal loader distribution methods

Emmenhtal loader employs several distribution methods:

• Phishing campaigns: Emmenhtal is often disseminated through phishing emails containing malicious attachments or links that lead to the download of the loader.
• Fake downloads: Users are tricked into downloading Emmenhtal by disguising it as legitimate software or video files, commonly hosted on compromised websites or through deceptive ads.
• Compromised legitimate files: It is delivered through modified Windows binaries to appear legitimate.
• Script-based delivery: Uses HTA (HTML Application) files and other scripts to execute malicious payloads.

Gathering Threat Intelligence on Emmenhtal Malware

To stay informed about Emmenhtal and collect relevant intel, use Threat Intelligence Lookup.

This service grants access to an extensive database with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox. With over 40 customizable search parameters, users can pinpoint data on threats, including IPs, domains, file names, and process artifacts.

Search results for Emmenhtal in Threat Intelligence Lookup

For example, you can search for Emmenhtal by its name or related artifacts. A query like threatName:"Emmenhtal" will retrieve all associated samples and sandbox results relevant to this loader malware.

Conclusion

Emmenhtal is a dangerous loader malware due to its use of LOLBAS tactics, heavy obfuscation, and ability to deliver multiple malware types. To combat such threats, integrating tools like ANY.RUN can help proactively analyze suspicious files and URLs before they cause damage.

ANY.RUN is an interactive malware analysis platform that offers real-time insights into malicious activity. Its features include visualized execution chains, script tracing, support for analyzing Windows and Linux-based threats, and much more.

Sign up for a free ANY.RUN account and start analyzing threats with confidence!