Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Emmenhtal

87
Global rank
47 infographic chevron month
Month rank
30 infographic chevron week
Week rank
0
IOCs

First identified in 2024, Emmenhtal operates by embedding itself within modified legitimate Windows binaries, often using HTA (HTML Application) files to execute malicious scripts. It has been linked to the distribution of malware such as CryptBot and Lumma Stealer. Emmenhtal is typically disseminated through phishing campaigns, including fake video downloads and deceptive email attachments.

Loader
Type
Unknown
Origin
1 June, 2024
First seen
11 February, 2025
Last seen

How to analyze Emmenhtal with ANY.RUN

Type
Unknown
Origin
1 June, 2024
First seen
11 February, 2025
Last seen

IOCs

IP addresses
62.133.61.168
101.99.94.234
91.92.245.185
193.143.1.46
95.216.196.85
194.190.152.108
78.153.139.202
47.111.135.21
91.92.245.222
128.199.156.238
142.11.195.90
144.126.134.25
147.45.50.172
91.92.243.198
94.156.69.6
89.23.107.244
62.146.227.231
57.128.129.22
212.28.178.113
154.216.18.97
Domains
human-verify.shop
human-verify-4r.pro
condmattes.b-cdn.net
dbasopma.my
ap-0182.cfd
infinitys.b-cdn.net
acorsclouts.duckdns.org
surficingpag.b-cdn.net
platfrm.b-cdn.net
spredingrm2.duckdns.org
docu-sign.info
sos-de-fra-1.exo.io
vmi1838661.contaboserver.net
renouv-maladie-enligne.com
ump911.b-cdn.net
bkasgseves.duckdns.org
mubjahuke.b-cdn.net
dbasopma.click
trackmyshipang.site
kinbowex.b-cdn.net
Last Seen at

Recent blog posts

post image
I Used a Sandbox to Strengthen Bank’s Securit...
watchers 220
comments 0
post image
Instant URL Analysis: Use Safebrowsing via AN...
watchers 596
comments 0
post image
Cyber Attacks on DeepSeek AI: What Really Hap...
watchers 1488
comments 0

What is Emmenhtal malware?

Emmenhtal is a loader malware first observed in early 2024, designed to deploy infostealers and remote access trojans (RATs) on compromised systems. Usually distributed through phishing campaigns involving fake downloads or deceptive email attachments, Emmenhtal embeds itself within modified legitimate Windows binaries.

Its key functionality includes executing malicious scripts via HTA (HTML Application) files and facilitating the distribution of malware such as CryptBot and Lumma Stealer.

According to research conducted by ANY.RUN, Emmenhtal utilizes LOLBAS (Living Off the Land Binaries and Scripts) to deliver malware as part of its campaigns.

The malware has been found distributing threats such as Arechclient2, Lumma Stealer, HijackLoader, and Amadey, with each sample relying heavily on malicious scripts. These scripts can be analyzed in-depth using ANY.RUN’s Script Tracer.

Simply upload the malicious sample inside the sandbox and observe its behavior in real time, without causing harm to your system. Analysis of Emmenhtal inside ANY.RUN sandbox Emmenhtal loader observed inside ANY.RUN sandbox

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Emmenhtal malware technical details

The primary functionalities and features of Emmenhtal loader include:

  • Utilizes legitimate Windows tools like Forfiles, HelpPane, and PowerShell to evade detection and execute payloads.
  • Employs a multi-stage process with AES-encrypted scripts to decrypt and execute the final malware payload.
  • Known to distribute various malware, including Arechclient2, Lumma Stealer, HijackLoader, and Amadey.
  • Heavily obfuscates scripts and payloads, employing AES encryption to avoid detection by security systems.
  • Typically distributed through phishing campaigns, fake downloads, and deceptive email attachments.
  • Relies heavily on malicious scripts for payload execution and persistence.
  • Ensures it remains on the system post-infection by integrating persistence mechanisms.
  • Functions as a flexible loader, adaptable to deliver a range of malware types.
  • Frequently launches payloads disguised as legitimate binaries, such as Updater.exe, to blend in with normal system activity.
  • Believed to be used by multiple financially motivated threat actors in global campaigns.

Emmenthal loader execution process

To see how Emmenthal operates, let’s upload its sample into ANY.RUN’s Interactive Sandbox.

Emmenhtal heavily relies on Living Off The Land (LOLBAS) techniques to deliver malware as part of its campaigns. The malware uses various execution methods. In our case, a .lnk file was crafted to appear as a PDF document, but in reality, it pointed to malicious scripts hosted on a remote server. These shortcuts execute scripts and initiate further actions without immediately raising security alerts.

Ssh.exe displayed inside ANY.RUN sandbox Ssh.exe displayed in ANY.RUN sandbox

The malware employs both PowerShell and Windows Management Instrumentation (WMI) commands to gather detailed information about the victim’s system. This includes language settings, antivirus products, operating system versions, and hardware specifications. Such reconnaissance enables attackers to tailor subsequent attacks and enhances their credibility when sending additional malicious emails within the targeted organization.

Ultimately, a final PowerShell script serves as the Emmenhtal loader. It launches a payload, often Updater.exe, but in our example R-Viewer.exe, along with a binary file that has a generated (random) name as its argument. After this process completes, the system is effectively compromised. During our analysis, we observed Emmenhtal delivering several malware families, including Arechclient2, Lumma, Hijackloader, and Amadey, each making extensive use of malicious scripting techniques.

Execution Chain:

  1. The .lnk file initiates SSH.
  2. SSH starts PowerShell.
  3. PowerShell launches Mshta with the AES-encrypted first-stage payload.
  4. Mshta decrypts and executes the downloaded payload.
  5. PowerShell executes an AES-encrypted command to decrypt and run Emmenhtal.

Process tree observed inside ANY.RUN sandbox Process tree observed inside ANY.RUN sandbox

Emmenhtal loader distribution methods

Emmenhtal loader employs several distribution methods:

  • Phishing campaigns: Emmenhtal is often disseminated through phishing emails containing malicious attachments or links that lead to the download of the loader.
  • Fake downloads: Users are tricked into downloading Emmenhtal by disguising it as legitimate software or video files, commonly hosted on compromised websites or through deceptive ads.
  • Compromised legitimate files: It is delivered through modified Windows binaries to appear legitimate.
  • Script-based delivery: Uses HTA (HTML Application) files and other scripts to execute malicious payloads.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Gathering Threat Intelligence on Emmenhtal Malware

To stay informed about Emmenhtal and collect relevant intel, use Threat Intelligence Lookup.

This service grants access to an extensive database with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox. With over 40 customizable search parameters, users can pinpoint data on threats, including IPs, domains, file names, and process artifacts.

Search results for Emmenhtal in Threat Intelligence Lookup Search results for Emmenhtal in Threat Intelligence Lookup

For example, you can search for Emmenhtal by its name or related artifacts. A query like threatName:"Emmenhtal" will retrieve all associated samples and sandbox results relevant to this loader malware.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

Emmenhtal is a dangerous loader malware due to its use of LOLBAS tactics, heavy obfuscation, and ability to deliver multiple malware types. To combat such threats, integrating tools like ANY.RUN can help proactively analyze suspicious files and URLs before they cause damage.

ANY.RUN is an interactive malware analysis platform that offers real-time insights into malicious activity. Its features include visualized execution chains, script tracing, support for analyzing Windows and Linux-based threats, and much more.

Sign up for a free ANY.RUN account and start analyzing threats with confidence!

HAVE A LOOK AT

Bluesky Ransomware screenshot
BlueSky ransomware, first identified in June 2022, shares code similarities with other well-known ransomware families like Conti and Babuk. It primarily spreads via phishing emails and malicious links and can propagate through networks using SMB protocols. BlueSky uses advanced evasion techniques, such as hiding its processes from debuggers via the NtSetInformationThread API, making it difficult for analysts to detect and mitigate its attacks.
Read More
Bumblebee Loader screenshot
Bumblebee Loader
bumblebee
Bumblebee is a highly adaptable malware loader, often used by threat actors linked to the Conti and TrickBot cybercrime groups. Since its discovery in 2021, Bumblebee has been leveraged in phishing campaigns and email thread hijacking, primarily to distribute payloads like Cobalt Strike and ransomware. The malware employs obfuscation techniques, such as DLL injection and virtual environment detection, to avoid detection and sandbox analysis. Its command-and-control infrastructure and anti-analysis features allow it to persist on infected devices, where it enables further payload downloads and system compromise.
Read More
Mallox screenshot
Mallox
mallox
Mallox is a ransomware strain that emerged in 2021, known for its ability to encrypt files and target database servers using vulnerabilities like RDP. Often distributed through phishing campaigns and exploiting exposed SQL servers, it locks victims' data and demands a ransom. Mallox operates as a Ransomware-as-a-Service (RaaS), making it accessible to affiliates who use it to conduct attacks.
Read More