Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Emmenhtal

89
Global rank
60 infographic chevron month
Month rank
78 infographic chevron week
Week rank
0
IOCs

First identified in 2024, Emmenhtal operates by embedding itself within modified legitimate Windows binaries, often using HTA (HTML Application) files to execute malicious scripts. It has been linked to the distribution of malware such as CryptBot and Lumma Stealer. Emmenhtal is typically disseminated through phishing campaigns, including fake video downloads and deceptive email attachments.

Loader
Type
Unknown
Origin
1 June, 2024
First seen
10 October, 2025
Last seen

How to analyze Emmenhtal with ANY.RUN

Type
Unknown
Origin
1 June, 2024
First seen
10 October, 2025
Last seen

IOCs

IP addresses
91.92.243.198
57.128.129.22
101.99.94.234
92.255.57.75
185.66.91.17
185.66.91.23
147.45.179.37
84.200.24.34
147.45.50.250
185.66.91.182
195.211.191.120
141.98.6.14
62.133.61.56
62.146.227.231
154.216.18.97
144.126.134.25
196.251.116.154
93.113.25.151
45.137.99.210
51.89.158.77
Domains
reply-youtube.com
downloadsbeta.com
continuedownloader.com
8eh18dhq9wd.click
8fhd2idhacas.click
8fnuawbfuac.click
downloadstep.com
8hdfiqowchq.click
8nioqhxciwoqc.click
pivqmane.com
cndef1.green-pathways.shop
infomsghub.com
cdn-defac18.artcollective-snapclick.com
static.klipxuhaq.shop
klipdesak.shop
sharethewebs.shop
klipderiq.shop
rodgersluciecassy.com
goatstuff.shop
green-pathways.shop
Last Seen at

Recent blog posts

post image
How to Grow SOC Team Expertise for Ultimate T...
watchers 396
comments 0
post image
Phishing, Cloud Abuse, and Evasion: Advanced...
watchers 2170
comments 0
post image
Release Notes: Palo Alto Networks, Microsoft,...
watchers 5110
comments 0

What is Emmenhtal malware?

Emmenhtal is a loader malware first observed in early 2024, designed to deploy infostealers and remote access trojans (RATs) on compromised systems. Usually distributed through phishing campaigns involving fake downloads or deceptive email attachments, Emmenhtal embeds itself within modified legitimate Windows binaries.

Its key functionality includes executing malicious scripts via HTA (HTML Application) files and facilitating the distribution of malware such as CryptBot and Lumma Stealer.

According to research conducted by ANY.RUN, Emmenhtal utilizes LOLBAS (Living Off the Land Binaries and Scripts) to deliver malware as part of its campaigns.

The malware has been found distributing threats such as Arechclient2, Lumma Stealer, HijackLoader, and Amadey, with each sample relying heavily on malicious scripts. These scripts can be analyzed in-depth using ANY.RUN’s Script Tracer.

Simply upload the malicious sample inside the sandbox and observe its behavior in real time, without causing harm to your system. Analysis of Emmenhtal inside ANY.RUN sandbox Emmenhtal loader observed inside ANY.RUN sandbox

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Emmenhtal malware technical details

The primary functionalities and features of Emmenhtal loader include:

  • Utilizes legitimate Windows tools like Forfiles, HelpPane, and PowerShell to evade detection and execute payloads.
  • Employs a multi-stage process with AES-encrypted scripts to decrypt and execute the final malware payload.
  • Known to distribute various malware, including Arechclient2, Lumma Stealer, HijackLoader, and Amadey.
  • Heavily obfuscates scripts and payloads, employing AES encryption to avoid detection by security systems.
  • Typically distributed through phishing campaigns, fake downloads, and deceptive email attachments.
  • Relies heavily on malicious scripts for payload execution and persistence.
  • Ensures it remains on the system post-infection by integrating persistence mechanisms.
  • Functions as a flexible loader, adaptable to deliver a range of malware types.
  • Frequently launches payloads disguised as legitimate binaries, such as Updater.exe, to blend in with normal system activity.
  • Believed to be used by multiple financially motivated threat actors in global campaigns.

Emmenthal loader execution process

To see how Emmenthal operates, let’s upload its sample into ANY.RUN’s Interactive Sandbox.

Emmenhtal heavily relies on Living Off The Land (LOLBAS) techniques to deliver malware as part of its campaigns. The malware uses various execution methods. In our case, a .lnk file was crafted to appear as a PDF document, but in reality, it pointed to malicious scripts hosted on a remote server. These shortcuts execute scripts and initiate further actions without immediately raising security alerts.

Ssh.exe displayed inside ANY.RUN sandbox Ssh.exe displayed in ANY.RUN sandbox

The malware employs both PowerShell and Windows Management Instrumentation (WMI) commands to gather detailed information about the victim’s system. This includes language settings, antivirus products, operating system versions, and hardware specifications. Such reconnaissance enables attackers to tailor subsequent attacks and enhances their credibility when sending additional malicious emails within the targeted organization.

Ultimately, a final PowerShell script serves as the Emmenhtal loader. It launches a payload, often Updater.exe, but in our example R-Viewer.exe, along with a binary file that has a generated (random) name as its argument. After this process completes, the system is effectively compromised. During our analysis, we observed Emmenhtal delivering several malware families, including Arechclient2, Lumma, Hijackloader, and Amadey, each making extensive use of malicious scripting techniques.

Execution Chain:

  1. The .lnk file initiates SSH.
  2. SSH starts PowerShell.
  3. PowerShell launches Mshta with the AES-encrypted first-stage payload.
  4. Mshta decrypts and executes the downloaded payload.
  5. PowerShell executes an AES-encrypted command to decrypt and run Emmenhtal.

Process tree observed inside ANY.RUN sandbox Process tree observed inside ANY.RUN sandbox

Emmenhtal loader distribution methods

Emmenhtal loader employs several distribution methods:

  • Phishing campaigns: Emmenhtal is often disseminated through phishing emails containing malicious attachments or links that lead to the download of the loader.
  • Fake downloads: Users are tricked into downloading Emmenhtal by disguising it as legitimate software or video files, commonly hosted on compromised websites or through deceptive ads.
  • Compromised legitimate files: It is delivered through modified Windows binaries to appear legitimate.
  • Script-based delivery: Uses HTA (HTML Application) files and other scripts to execute malicious payloads.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Gathering Threat Intelligence on Emmenhtal Malware

To stay informed about Emmenhtal and collect relevant intel, use Threat Intelligence Lookup.

This service grants access to an extensive database with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox. With over 40 customizable search parameters, users can pinpoint data on threats, including IPs, domains, file names, and process artifacts.

Search results for Emmenhtal in Threat Intelligence Lookup Search results for Emmenhtal in Threat Intelligence Lookup

For example, you can search for Emmenhtal by its name or related artifacts. A query like threatName:"Emmenhtal" will retrieve all associated samples and sandbox results relevant to this loader malware.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

Emmenhtal is a dangerous loader malware due to its use of LOLBAS tactics, heavy obfuscation, and ability to deliver multiple malware types. To combat such threats, integrating tools like ANY.RUN can help proactively analyze suspicious files and URLs before they cause damage.

ANY.RUN is an interactive malware analysis platform that offers real-time insights into malicious activity. Its features include visualized execution chains, script tracing, support for analyzing Windows and Linux-based threats, and much more.

Sign up for a free ANY.RUN account and start analyzing threats with confidence!

HAVE A LOOK AT

MassLogger screenshot
MassLogger
masslogger
MassLogger is a credential stealer and keylogger first identified in April 2020. It has been actively used in cyber campaigns to exfiltrate sensitive information from compromised systems. It is designed for easy use by less tech-savvy actors and is prominent for the capability of spreading via USB drives. It targets both individuals and organizations in various industries, mostly in Europe and the USA.
Read More
DarkTortilla screenshot
DarkTortilla
darktortilla
DarkTortilla is a crypter used by attackers to spread harmful software. It can modify system files to stay hidden and active. DarkTortilla is a multi-stage crypter that relies on several components to operate. It is often distributed through phishing sites that look like real services.
Read More
Razr screenshot
Razr
razr
Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.
Read More
Virlock screenshot
Virlock
virlock
Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access.
Read More
Wshrat screenshot
Wshrat
wshrat rat trojan
WSHRAT is a Remote Access Trojan — a malware that allows the attackers to take over the infected machines. The RAT has been in circulation since 2013 and it is arguably most notable for the numerous versions released into the wild.
Read More
XRed screenshot
XRed
xred
XRed operates as a stealthy backdoor, enabling cybercriminals to gain unauthorized remote access to infected systems. XRed has gained particular notoriety for its distribution through trojanized legitimate software and hardware drivers, making it exceptionally dangerous due to its ability to masquerade as trusted applications.
Read More