Emotet

1
Global rank
21
Month rank
22
Week rank
9585
IOCs

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Trojan
Type
ex-USSR
Origin
1 June, 2014
First seen
2 June, 2023
Last seen
Also known as
Heodo
Geodo

How to analyze Emotet with ANY.RUN

Trojan
Type
ex-USSR
Origin
1 June, 2014
First seen
2 June, 2023
Last seen

IOCs

IP addresses
213.186.33.40
213.186.33.16
190.92.39.2
87.249.43.129
67.68.210.95
217.160.0.236
217.160.0.94
31.220.2.120
181.119.30.35
96.126.101.6
195.2.88.86
202.134.4.210
23.240.26.210
94.102.209.63
97.107.135.148
112.213.89.186
43.231.112.68
5.189.171.136
92.53.96.118
46.182.4.120
Hashes
003a6be25aed1e04592c3f6a153055b6c2e50f136315a079e99140d0f00c953a
82fa35d4f8552c453b7ae2603738478cc22a266e687e481d02473ace810c7e1a
08e5ddd2da63a49e4b83c7debc94a4f57600e8235db51cf6848e87bc8901e866
2e6be33bfbdb3570634d6a4c59bce5e1024445f31484222ad0c9ee7f87b15175
83b24c192072dd0d6d2c03b6d21bd875fe8dd99a8875096a81a2a8d5039f6e71
5257e5ee643ceeaff1c7188b37ce41a77debe3f704f47e45a6862dfcb501a1a2
bfdc3d72a69f8b5d91dcd726788840e6aa5d3c748f71ef0cd047de44f85e2798
6b822efac2de6532c4d638c11002382704e6ce27c2549667abe0ca3cf047b56c
4c4df0964e806a37f38f63c4eec8c5320639c93d943456c3aed7aec2f1f888d6
d23f53a191681337acdc6a863b9723e57fca7708254db29efa2382896e6df2bd
f371fe43d8bd779a60cc05ead471184917049323b51189f5928554a5a5f4d8dd
a28996c8f0341ddb44b4f7a54e3fe70c08ba6b96ece7e4fd5d012a9ea3e187a8
9ff1b7bf5fdd2a147e33375c1fc474df6a031b385030a4faed2603468a22fb39
97d33de9d0e612b0e98394c77b554deffe9da498a897f4bc82dfc7870a6f6e9a
1fd6a68446f637c3086b6b58babd44654fb1cbf668b4c8cf1fdf9da49b5961c4
11016da37745e9b3ff82dde5f472698abf171e8465a822c9c5f08c1bfe967560
dc2103177fadaa40d37057eedb2077ec903545089996f110ebc2968736308256
65ae4ef20cbb69c0fa6dac9843842c910a10e2281f69214f94036fcd1581c70a
ab822b8ded80a84059219c522956b000fc75d715da40ac6679569c29a5ee4138
2cb7516c937ad8b9467ca417530651e34340d231c3696149c7d7b22e24ffaf9b
Domains
192-168-100-240.otmn.direct.quickconnect.to
192-168-100-240.otmn.direct.quickconnect.to
frederikkempe.com
majul.com
njxyro.ddns.net
device-local-3193b8ff-0889-41c5-8fd6-67066f88b277.remotewd.com
qxq.ddns.net
vcctggqm3t.dattolocal.net
hublosk.com
www.sifma.org
dayvo.com
www.usbfund.com
theartofhair.com
9anime.id
searchkn1.sima-land.ru
atwservice.com
www.atwservice.com
isns.net
krupskaya.com
m-onetrading-jp.com
Last Seen at

Recent blog posts

recentPost
How to Create a Task in ANY.RUN:a Step-by-Ste...
watchers 306
comments 0
recentPost
ChatGPT for SOC and Malware Analysis professi...
watchers 5380
comments 0
recentPost
Deobfuscating the Latest GuLoader: Automating...
watchers 3235
comments 3

What is Emotet Trojan?

Emotet is a highly sophisticated and destructive Trojan used to download and install other malware. First recorded in 2014, it was classified as a banking trojan, but Emotet has gained advanced capabilities throughout its lifetime and evolved into an entire malware distribution service.

So what makes the Emotet virus so dangerous? Based on the analysis, Emotet can act like a worm and spread using local networks, which makes it extremely hard to clean up. In addition to this, the trojan has advanced persistence and anti-evasion mechanics, such as detecting sandboxes and virtual machines with an option to generate false indicators to throw research off.

On top of that, the trojan has a polymorphic design – meaning that it can change its code to bypass signature-based detection, making this cyber defense strategy useless against its' attacks. Besides that, Emotet receives updates from the control server, performing this operation as if an operating system update is being installed. This allows the trojan to drop additional malware onto the infected machine stealthily.

It should also be noted that the Emotet trojan has a modular design which makes it possible to adapt this malware to various tasks and customize it for every particular campaign, giving the attackers maximum flexibility. Emotet's main targets are governments, corporations, small businesses, and individuals, focusing on Europe, America, and Canada.

General description of Emotet virus

The first version of Emotet malware which was spotted in the wild back in 2014, was designed to steal banking credentials by intercepting internet traffic and was much more basic than the beast of a Trojan which we know today. When Emotet was first spotted in the wild, the malware targeted mainly banks from Germany and Austria using only its native information stealing toolset.

Version two followed shortly after, this time carrying several additional modules such as a money transfer, mail spam, DDoS, and address book stealing modules. The third iteration of Emotet was released in 2015. This time attackers focused on upgrading the anti-evasion functionality of the malware and introducing banks from Switzerland into the list of potential victims.

The next overhaul of the Emotet malware followed in December 2016, changing the attack vector of the virus. At the beginning of its lifetime, Version 4 of the virus heavily relied on the RIG 4.0 exploit kit to make its way into the victims' computers, later switching primarily to mail spam. The same iteration of the malware also marked the moment when the primary use case of the malware started shifting from using its own banking module to dropping other Trojans onto infected machines.

Speaking of modules, Emotet malware can perform a large number of malicious activities that vary depending on the modules used in a particular campaign. Most versions of the virus included a spam module that can be used to continue the spread of the malware by sending out a series of malicious emails from the infected machine. Another typically included module is the one used for credential stealing, allowing Emotet to steal sensitive information from web browsers and mail clients.

In 2017, Emotet trojan was equipped with a spreader module, allowing the malware to infect all machines connected via a local network. The virus also gained the address book stealer module – this one is interesting. It analyzes the relationship between email senders and receivers and uses the collected information to enhance the effectiveness of subsequent campaigns originating from the users' PC, targeting friends, family members, and colleagues of the victim with personalized spam emails.

Not only does Emotet malware provide flexible functionality through the use of modules and has several anti-evasion functions, but it also puts a heavy emphasis on persistence. To ensure that the malware stays in the infected machine, it injects into running processes, downloads additional payloads, often targeting the Explorer.exe. In addition to that, the malware uses Scheduled Tasks and makes registry key changes.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

In January 2021, the Emotet botnet was taken down by law enforcement. The global effort, known as Operation Ladybird, located the malware infrastructure around the globe. They arrested at least two of the cybercriminal gang members in Ukraine. Their attackers' names were not uncovered.

Security experts teamed up and simultaneously hijacked hundreds of Emotet command-and-control servers and disrupted its backups, too. Researchers placed their own machines at the IP addresses of crooks' computers and made the payload inactive to prevent connection with the botnet.

These actions led to the fact that Emotet's C2 servers didn't work for almost ten months.

On November 14, 2021, Emotet came back with a new version. The botnet started to spread numerous maldocs. Moreover, it changed its tactics. The Emotet virus used to drop Trickbot or Qbot. But right now, the malware is also dealing with Cobalt Strike. It means that the time between the initial infection and a ransomware attack shortens significantly.

Also, researchers noticed that Emotet brings up more and more C2 servers to life. The botnet's new version acquired ECC encryption, modified communication protocols - ​​ new initial check-in, etc.

It should be noted that the mentioned Trojan versions are extremely destructive, and their attacks can have several consequences. For example, malware can cause loss of private data, inability to operate the infected PC up to its total disability, and financial losses associated with restoring the damaged infrastructure. In fact, one company was forced to spend an excess of one million dollars in order to deal with the aftermath of an Emotet attack.

Emotet malware analysis

A video recorded in the ANY.RUN malware hunting service, displays the execution process of Emotet, allowing to perform the analysis of the malware behavior in a lot of detail. You can also investigate other malware like FlawedAmmyy or Agent Tesla.

emotet execution process tree

Figure 1: Displays the processes list generated by the ANY.RUN malware hunting service

text report of the Emotet analysis

Figure 2: Even more information about the execution of Emotet can be found in customizable text reports generated by ANY.RUN

Emotet execution process

The Emotet trojan's primary distribution is through malicious email spam campaigns. The first step in the chain of infection involves tricking the potential victim into opening an attached Microsoft Office file using social engineering. After the file has been opened and macros enabled, there is no need for additional user actions.

Downloaded files contain malicious VBA code that runs after a document has been opened. One of the possible options of the infection process is when the VBA code utilizes WMI to launch a Powershell code which downloads the payload – a malicious executable file from the webserver. Notably, the Powershell script is encoded.

Emotet makes steps to maintain a presence in the infected system - it copies itself into %AppData% subfolders and changes the autorun value in the registry. Besides that, the malware allows its attackers to download additional payloads. The malware sends information to and from a server through all infection processes. As the last execution step, Emotet waits for commands from command-and-control servers.

Prevention of Emotet attacks

To minimize the risk of Emotet virus infection and potential destruction if such infection does occur, users are advised to follow a set of standard best practices, such as not downloading files from suspicious emails and keeping an updated version of antivirus on the machine at all times.

For organizations, it is advised to restrict inbound SMB communication between client systems to prevent Emotet from spreading from one machine to another within the local network, provide security training for personnel and instruct employees about the danger of mail spam as well as take all possible precautions to filter out potentially malicious emails at the firewall.

How does Emotet spread?

According to the analysis, the main distribution method of Emotet malware is malicious email campaigns. The trojan uses its address book stealer module in order to pull the contacts from the email account of its victim and send its payloads to the contacts found from the hijacked account.

Bearing in mind that potential victims are receiving an email from somebody they know and trust, Emotet has a very high chance of a successful attack. The received email usually contains a link to a malicious URL that downloads the malware and launches the payload when clicked.

However, email spam is not the only distribution Method that this malware utilizes. It may also take advantage of certain Windows vulnerabilities, thus the malware can make its way into a machine completely "silently," without the user ever knowing about it.

How to collect Emotet's IOCs using ANY.RUN?

For your detailed Emotet malware analysis ANY. RUN's "Fake Net" feature will be very useful. It intercepts HTTP requests and returns a 404 error, forcing malware to reveal its command-and-control server links.

To turn it on in the "Advanced mode" of the "New task" window, check the box next to the "Fake net" in the "Network" section.

fake net emotet Figure 3: Run Emotet sample with turn on "Fake net" feature

Conclusion

Emotet malware is one of the most sophisticated and destructive trojans. Since its first introduction back in 2014, the malware has underground a substantial evolution gaining a lot of anti-evasion features, obtaining worm-like functionality, and even changing the main focus from information-stealing to installing other trojans onto infected machines. With the ability to spread to adjacent systems, Emotet can easily infect all machines in a single network, making dealing with the consequences of an attack a true nightmare.

The situation is further worsened by the fact that the malware is equipped with a series of anti-evasion tricks that make analyzing it quite tricky. As a result, the process of developing countermeasures is much more complicated in comparison to more straightforward trojans.

Thankfully, modern online hunting services like ANY.RUN are equipped with equally advanced research functions and allow professionals to study cyber threats with maximum efficiency, helping researchers battle evasive malware like Emotet.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
Ave Maria screenshot
Ave Maria
avemaria stealer trojan rat
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control the PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy