Emotet
Emotet is a malware family first identified in 2014 as a banking Trojan that later evolved into a major malware loader and botnet. It is described as a robust global botnet and polymorphic banking trojan that loads third-party malware and its own modules for spamming, credential stealing, network spreading, and email harvesting. It has been used to distribute additional malware including TrickBot, ransomware, information stealers, and cryptocurrency miners, and it was one of the most prolific malware distributors enabling ransomware infections between 2018 and 2020.
Delivery has heavily relied on spearphishing and malicious attachments. The content states Emotet relied on users clicking malicious attachments delivered through spearphishing, historically using Microsoft Word and Excel documents with VBA or XL4 macros. After macro-based delivery became easier to detect or block, Emotet operators adopted additional methods including HTML smuggling, XLL files, zipped LNK attachments, and broader LNK-based delivery. TA542 is identified as the actor delivering Emotet in multiple campaigns.
On infected Windows systems, Emotet operates in two stages: a first-stage dropper and a second-stage bot. The analyzed variant uses anti-analysis and obfuscation techniques including control flow flattening, runtime decryption of strings and resources, and dynamic API resolution via hashed DLL and API names. It can derive dropped filenames from system characteristics, move or clone itself into system or local application data paths, and maintain persistence either by creating a Windows service when running with elevated privileges or by creating a Run key under HKCU when running with lower privileges. The content also states Emotet has been observed creating new services to maintain persistence.
For command and control, Emotet uses embedded C2 IP address and port pairs stored in the binary and communicates over HTTP, including HTTP POST with multipart/form-data in the analyzed variant. Communications are protected using an embedded RSA public key together with AES-128-CBC and SHA-1. The malware can receive commands to download and execute binaries, launch payloads in another Terminal Services session, and download and execute plugin modules.
Post-compromise behavior described in the content includes enumerating all users connected to network shares, using WMI to execute powershell.exe, and using PowerShell to retrieve malicious payloads and additional tools such as Mimikatz. The content also notes lateral movement or network spreading capability and email harvesting. Emotet has been associated with large-scale global infrastructure, with several hundred servers supporting victim management, propagation, criminal service delivery, and resilience.
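As an added illustration of the persistence and post-compromise behaviours summarized above (this is not code from the original page or from any vendor report), the following Python runs three defensive checks over constructed telemetry events: an HKCU Run value pointing at a single-subdirectory drop under Local AppData, powershell.exe spawned by the WMI provider host, and a service installed from a subdirectory of the system directory. The event field names, the Sysmon-like event IDs and every sample path are assumptions constructed for the example.

```python
import re

# Constructed sample telemetry (not from the original page), reduced to the
# fields the rules need: Sysmon-style 13 (registry value set) and 1 (process
# create) events plus a Windows 7045 (service installed) event.
SAMPLE_EVENTS = [
    {"id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\mspaint",
     "details": r"C:\Users\alice\AppData\Local\mspaint\mspaint.exe"},
    {"id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "details": r"C:\Program Files\Vendor\updater.exe"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 7045, "image_path": r"C:\Windows\SysWOW64\bthprops\bthprops.exe"},
    {"id": 7045, "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

# Drop-location shape described for Emotet: one subdirectory under Local AppData
# or the (x86) system directory holding a single .exe named after a file found on
# the host. Names are left free; it is the location shape that is matched.
APPDATA_DROP = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\[^\\]+\\[^\\]+\.exe$", re.I)
SYSTEM_DROP = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\[^\\]+\\[^\\]+\.exe$", re.I)
RUN_KEY = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, evidence) tuples for events matching the three behaviours."""
    hits = []
    for ev in events:
        if ev["id"] == 13 and RUN_KEY.match(ev["target"]) and APPDATA_DROP.match(ev["details"]):
            hits.append(("hkcu_run_to_localappdata_drop", ev["details"]))
        elif ev["id"] == 1 and basename(ev["parent"]) == "wmiprvse.exe" \
                and basename(ev["image"]) == "powershell.exe":
            hits.append(("wmi_spawned_powershell", ev["image"]))
        elif ev["id"] == 7045 and SYSTEM_DROP.match(ev["image_path"]):
            hits.append(("service_from_system_subdir_drop", ev["image_path"]))
    return hits


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The benign events (a vendor updater in Program Files, explorer-launched notepad, a normal svchost service) produce no hits, so the rules can be tuned against real telemetry without first generating noise.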
Aliases present in the content include Geodo and Heodo. Mentioned indicators and technical artifacts include the sample SHA-256 aa0cbe599839db940f6cc2f4ca1383dbb9937b8c7dd6460847c983523cd63c39 for an analyzed Emotet variant, synchronization object naming patterns Global\I%X, Global\M%X, and Global\E%X derived from the Windows volume serial number, and use of registry storage under HKLM or HKCU for the dropped filename. The content also references historical tracking of Emotet C2 infrastructure via Feodo Tracker.
The malware was disrupted in a coordinated international law enforcement operation in January 2021, during which authorities took control of infrastructure and redirected infected machines to law-enforcement-controlled systems. The content also states Emotet resurfaced later with new polymorphic variants, including activity noted in 2023.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories.
Emotet has been known to move from machine to machine by leveraging a server message block (SMB) vulnerability exploit like ETERNALBLUE or by brute-forcing credentials for access to Windows Administrative Shares.
In late 2023, Microsoft and the U.S. National Institute of Standards and Technology (NIST) reported that attackers were using a Windows vulnerability to distribute malware, including Emotet... The technique involved phishing emails with malicious attachments that leveraged a Windows feature known as the App Installer... To reduce the risk of exploitation, Microsoft updated the software to disable the affected functionality by default.
Groups observed using it
10 distinct threat actors attributed by public researchers.
TA542, the actor delivering the Emotet malware, conducted more campaigns with higher volumes of messages than preceding months. Typically, TA542 uses Microsoft Excel or Word documents containing VBA or XL4 macros. Emotet activity subsequently dropped off in April and it began using additional delivery methods including Excel Add In (XLL) files and zipped LNK attachments in subsequent campaigns.
Emotet has relied upon users clicking on a malicious attachment delivered through spearphishing.
The versatile and disruptive malware Emotet previously served as one of the most prolific distributors of malware enabling costly ransomware infections between 2018 and 2020.
On 11 March 2022, the Twitter account @Cryptolaemus1 identified the distribution of a SystemBC implant by the Epoch 5 botnet linked to the Emotet Malware-as-a-Service (MaaS).
"...MUMMY SPIDER’s Emotet was leveraged by MALLARD SPIDER and WIZARD SPIDER."
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (3 techniques)
Typically, threat actors distributing macro-enabled documents rely on social engineering to convince a recipient the content is important, and enabling macros is necessary to view it.
Execution (5 techniques)
Command ID 03: Downloads a module/plugin, loads it and calls its main function
XL4 macros are specific to the Excel application but can also be weaponized by threat actors. | VBA macros are used by threat actors to automatically run malicious content when a user has actively enabled macros in Office applications.
By relying on basic social engineering – an attack technique that takes advantage of human traits such as curiosity, trust and greed in order to obtain confidential information or to have the victim perform a certain action – suffice it to say that certain threat actors (both criminal and nation state) are exploiting these unprecedented times for various nefarious means.
All these emails contained malicious Word documents, either attached to the email itself or downloadable by clicking on a link within the email itself.
The most notable shift in campaign data is the emergence of LNK files; at least 10 tracked threat actors have begun using LNK files since February 2022. | When the document is extracted, the user will still have to enable macros for the malicious code to automatically execute... When opened, container files may contain additional content such as LNKs, DLLs, or executable (.exe) files that lead to the installation of a malicious payload.
Persistence (3 techniques)
For its next step, Emotet checks the registry value whose name is the volume serial number in: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer ... HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer ... If this registry value is not available, it means that the Emotet sample is running in its first stage and it will set this value for use in the second instance.
Privilege Escalation (3 techniques)
Calls API WTSQueryUserToken to obtain the Primary User token of the requested Terminal Service session - Calls API CreateProcessAsUser to launch process
Stealth (7 techniques)
All strings and other resources (such as the RSA public key) are encrypted and only decrypted at runtime. | The first thing we noticed is that Emotet has updated its techniques for obfuscating its flow of code. This anti-analysis technique makes it more difficult to analyze and track modifications between variant binaries. This Emotet binary (unpacked) is using an obfuscation technique called Control Flow Flattening. | In this version, Emotet resolves APIs by looking up the hashes of the API name and DLL name when it needs to use them, instead of loading them all at once as previous versions did.
MITRE ATT&CK Mapping | Defense Evasion | T1027.006 | HTML smuggling, payload assembled client-side
This sample will scan in CSIDL_SYSTEM, only filenames with the extensions .dll and .exe are selected... Emotet then makes a path to drop itself to... The path of the dropped file is: “(CSIDL_SYSTEMX86|CSIDL_LOCAL_APPDATA)\\%s\\%s.exe”
Finally, Emotet launches the second instance by calling API CreateProcessW to the dropped file.
Defense Impairment (1 technique)
Discovery (4 techniques)
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
Emotet enumerates running process names (no duplicated process names, no process names whose parent process ID is 0, and not including Emotet's own process name) and puts them in a buffer, comma-separated, in ASCII.
The plaintext packet has the following format ... victim_id ... system_info ... procname_buffer ... module_id_array ... Emotet is generating VICTIM_ID based on computer name and volume serial number ... calculating system info value based on OS version, product type, and processor architecture.
Lateral Movement (1 technique)
Collection (1 technique)
Examples in the content include malware extracting or unpacking ZIP, RAR, CAB, tar.gz, and other archived content, such as 'Emotet has used a self-extracting RAR file to deliver modules to victims' and 'Rocke has extracted tar.gz files after downloading them from a C2 server.'
Command and Control (5 techniques)
Kapeka utilizes JSON objects to send and receive information from command and control nodes. Emotet has used Google’s Protobufs to serialize data sent to and from the C2 server. Remcos can serialize collected data with Protobuf.
Finally, Emotet performs encryption on the command packet (by AES-128-CBC) to generate a final packet, which is posted to the C&C servers through HTTP POST.
Currently, this Emotet sample receives three commands from the C&C server: Command ID 01: Downloads an executable file and executes it ... Command ID 03: Downloads a module/plugin, loads it and calls to its main function
IOCs tracked for this family
203 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains and DNS infrastructure, file hashes (MD5, SHA-1, SHA-256), and other indicator types observed in public reporting.
Recent activity
200 sources tracked across advisories, community write-ups, and news.
Referenced as malware that adopted HTML smuggling as an alternative delivery technique when macro-based delivery became less effective.
Banking trojan family whose C2 infrastructure is tracked by Abuse.ch Feodo Tracker.