Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Emmenhtal

87
Global rank
46 infographic chevron month
Month rank
31 infographic chevron week
Week rank
0
IOCs

First identified in 2024, Emmenhtal operates by embedding itself within modified legitimate Windows binaries, often using HTA (HTML Application) files to execute malicious scripts. It has been linked to the distribution of malware such as CryptBot and Lumma Stealer. Emmenhtal is typically disseminated through phishing campaigns, including fake video downloads and deceptive email attachments.

Loader
Type
Unknown
Origin
1 June, 2024
First seen
11 February, 2025
Last seen

How to analyze Emmenhtal with ANY.RUN

Type
Unknown
Origin
1 June, 2024
First seen
11 February, 2025
Last seen

IOCs

IP addresses
193.143.1.46
62.133.61.168
142.11.195.90
91.92.245.222
101.99.94.234
144.126.134.25
95.216.196.85
47.111.135.21
128.199.156.238
91.92.243.198
62.146.227.231
57.128.129.22
212.28.178.113
154.216.18.97
147.45.50.172
94.156.8.31
89.23.107.240
78.153.139.202
62.133.61.155
89.23.107.244
Domains
condmattes.b-cdn.net
ap-0182.cfd
human-verify-4r.pro
dbasopma.my
platfrm.b-cdn.net
sos-de-fra-1.exo.io
docu-sign.info
spredingrm2.duckdns.org
ump911.b-cdn.net
vmi1838661.contaboserver.net
renouv-maladie-enligne.com
mubjahuke.b-cdn.net
dbasopma.click
surficingpag.b-cdn.net
getfile420.b-cdn.net
acorsclouts.duckdns.org
burrkeklprinting.tech
indepopobkasgseves.duckdns.org
bkasgseves.duckdns.org
infinitys.b-cdn.net
Last Seen at

Recent blog posts

post image
I Used a Sandbox to Strengthen Bank’s Securit...
watchers 53
comments 0
post image
Instant URL Analysis: Use Safebrowsing via AN...
watchers 559
comments 0
post image
Cyber Attacks on DeepSeek AI: What Really Hap...
watchers 1430
comments 0

What is Emmenhtal malware?

Emmenhtal is a loader malware first observed in early 2024, designed to deploy infostealers and remote access trojans (RATs) on compromised systems. Usually distributed through phishing campaigns involving fake downloads or deceptive email attachments, Emmenhtal embeds itself within modified legitimate Windows binaries.

Its key functionality includes executing malicious scripts via HTA (HTML Application) files and facilitating the distribution of malware such as CryptBot and Lumma Stealer.

According to research conducted by ANY.RUN, Emmenhtal utilizes LOLBAS (Living Off the Land Binaries and Scripts) to deliver malware as part of its campaigns.

The malware has been found distributing threats such as Arechclient2, Lumma Stealer, HijackLoader, and Amadey, with each sample relying heavily on malicious scripts. These scripts can be analyzed in-depth using ANY.RUN’s Script Tracer.

Simply upload the malicious sample inside the sandbox and observe its behavior in real time, without causing harm to your system. Analysis of Emmenhtal inside ANY.RUN sandbox Emmenhtal loader observed inside ANY.RUN sandbox

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Emmenhtal malware technical details

The primary functionalities and features of Emmenhtal loader include:

  • Utilizes legitimate Windows tools like Forfiles, HelpPane, and PowerShell to evade detection and execute payloads.
  • Employs a multi-stage process with AES-encrypted scripts to decrypt and execute the final malware payload.
  • Known to distribute various malware, including Arechclient2, Lumma Stealer, HijackLoader, and Amadey.
  • Heavily obfuscates scripts and payloads, employing AES encryption to avoid detection by security systems.
  • Typically distributed through phishing campaigns, fake downloads, and deceptive email attachments.
  • Relies heavily on malicious scripts for payload execution and persistence.
  • Ensures it remains on the system post-infection by integrating persistence mechanisms.
  • Functions as a flexible loader, adaptable to deliver a range of malware types.
  • Frequently launches payloads disguised as legitimate binaries, such as Updater.exe, to blend in with normal system activity.
  • Believed to be used by multiple financially motivated threat actors in global campaigns.

Emmenthal loader execution process

To see how Emmenthal operates, let’s upload its sample into ANY.RUN’s Interactive Sandbox.

Emmenhtal heavily relies on Living Off The Land (LOLBAS) techniques to deliver malware as part of its campaigns. The malware uses various execution methods. In our case, a .lnk file was crafted to appear as a PDF document, but in reality, it pointed to malicious scripts hosted on a remote server. These shortcuts execute scripts and initiate further actions without immediately raising security alerts.

Ssh.exe displayed inside ANY.RUN sandbox Ssh.exe displayed in ANY.RUN sandbox

The malware employs both PowerShell and Windows Management Instrumentation (WMI) commands to gather detailed information about the victim’s system. This includes language settings, antivirus products, operating system versions, and hardware specifications. Such reconnaissance enables attackers to tailor subsequent attacks and enhances their credibility when sending additional malicious emails within the targeted organization.

Ultimately, a final PowerShell script serves as the Emmenhtal loader. It launches a payload, often Updater.exe, but in our example R-Viewer.exe, along with a binary file that has a generated (random) name as its argument. After this process completes, the system is effectively compromised. During our analysis, we observed Emmenhtal delivering several malware families, including Arechclient2, Lumma, Hijackloader, and Amadey, each making extensive use of malicious scripting techniques.

Execution Chain:

  1. The .lnk file initiates SSH.
  2. SSH starts PowerShell.
  3. PowerShell launches Mshta with the AES-encrypted first-stage payload.
  4. Mshta decrypts and executes the downloaded payload.
  5. PowerShell executes an AES-encrypted command to decrypt and run Emmenhtal.

Process tree observed inside ANY.RUN sandbox Process tree observed inside ANY.RUN sandbox

Emmenhtal loader distribution methods

Emmenhtal loader employs several distribution methods:

  • Phishing campaigns: Emmenhtal is often disseminated through phishing emails containing malicious attachments or links that lead to the download of the loader.
  • Fake downloads: Users are tricked into downloading Emmenhtal by disguising it as legitimate software or video files, commonly hosted on compromised websites or through deceptive ads.
  • Compromised legitimate files: It is delivered through modified Windows binaries to appear legitimate.
  • Script-based delivery: Uses HTA (HTML Application) files and other scripts to execute malicious payloads.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Gathering Threat Intelligence on Emmenhtal Malware

To stay informed about Emmenhtal and collect relevant intel, use Threat Intelligence Lookup.

This service grants access to an extensive database with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox. With over 40 customizable search parameters, users can pinpoint data on threats, including IPs, domains, file names, and process artifacts.

Search results for Emmenhtal in Threat Intelligence Lookup Search results for Emmenhtal in Threat Intelligence Lookup

For example, you can search for Emmenhtal by its name or related artifacts. A query like threatName:"Emmenhtal" will retrieve all associated samples and sandbox results relevant to this loader malware.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

Emmenhtal is a dangerous loader malware due to its use of LOLBAS tactics, heavy obfuscation, and ability to deliver multiple malware types. To combat such threats, integrating tools like ANY.RUN can help proactively analyze suspicious files and URLs before they cause damage.

ANY.RUN is an interactive malware analysis platform that offers real-time insights into malicious activity. Its features include visualized execution chains, script tracing, support for analyzing Windows and Linux-based threats, and much more.

Sign up for a free ANY.RUN account and start analyzing threats with confidence!

HAVE A LOOK AT

Latrodectus screenshot
Latrodectus
latrodectus
Latrodectus is a malicious loader that is used by threat actors to gain a foothold on compromised devices and deploy additional malware. It has been associated with the IcedID trojan and has been used by APT groups in targeted attacks. The malware can gather system information, launch executables, and detect sandbox environments. It uses encryption and obfuscation to evade detection and can establish persistence on the infected device.
Read More
Havoc screenshot
Havoc
havoc
Havoc is an advanced post-exploitation framework used by hackers to take control of a system once they've breached it. With Havoc, attackers can run commands remotely, inject malicious processes, and access sensitive data. It's often used in targeted attacks, allowing cybercriminals to stay hidden in a network while stealing information or launching further attacks. Its flexibility and ability to bypass detection make it a serious threat, especially in environments that rely on traditional security tools.
Read More
Remcos screenshot
Remcos
remcos trojan rat stealer
Remcos is a RAT type malware that attackers use to perform actions on infected machines remotely. This malware is extremely actively caped up to date with updates coming out almost every single month.
Read More
Balada Injector screenshot
Balada Injector is a long-running malware campaign that targets WordPress websites by exploiting vulnerabilities in plugins and themes. The attackers inject malicious code into compromised sites, leading to unauthorized redirects, data theft, and the creation of [backdoors](https://any.run/malware-trends/backdoor) for persistent access. The campaign operates in waves, with spikes in activity observed every few weeks, continually adapting to exploit newly discovered vulnerabilities.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Arechclient2 screenshot
Arechclient2
arechclient2
The Arechclient2 malware is a sophisticated .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs various stealth techniques, including Base64 encoding to obscure its code and the ability to pause activities to evade automated security tools. The malware also can adjust Windows Defender settings and uses code injection to manipulate legitimate processes.
Read More