{
	"id": "7596b8c4-5297-4fc1-8ba2-09a514414a3d",
	"created_at": "2026-04-06T00:21:19.219462Z",
	"updated_at": "2026-04-10T03:20:39.351666Z",
	"deleted_at": null,
	"sha1_hash": "062ed42ea6d639318cfe3d674d7881610d89cf69",
	"title": "The return of the Emotet as the world unlocks!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1286494,
	"plain_text": "The return of the Emotet as the world unlocks!\r\nBy Prashant Tilekar\r\nPublished: 2020-09-29 · Archived: 2026-04-05 14:53:55 UTC\r\nEmotet, a Trojan that has been in the wild for more than 5 years, is back after a 5-month break. It has spread globally, infecting new as well as old targets, and has been re-launched with multiple malspam campaigns distributing it across all sectors.\r\nWe observed through our detection telemetry that Emotet campaigns have targeted a variety of sectors. It is spread through spam mail using hot topics such as Covid-19 and the Covid-19 vaccine, along with a few other generic keywords such as Health Insurance, Payment, Invoice, Job Update/Opening, Cyberattack, Shipping and many more.\r\nInfection chain\r\nFig 1: Infection chain\r\nThe infection chain starts by sending crafted emails to the target organization or person. The attacker uses the email hijacking method to send the crafted mails with an attachment. The attachment may be a Word document with a macro or a PDF; sometimes the email body contains URLs too. Because the mailbox is hijacked, the attachment is sent as a reply to old email threads or forwarded to an existing mailing list, so the victim readily opens the attachment since the mail comes from a trusted mail id.\r\nWe encountered an extensive number of spam mails; a few examples are listed below.\r\nSpam Mails\r\nhttps://www.seqrite.com/blog/the-return-of-the-emotet-as-the-world-unlocks/\r\nPage 1 of 11\r\nFig 2. Example of Spam mails.\r\nThe attacker has made a silly mistake here: we can see in the mail that the subject and the attachment name don't match. In most of the cases, the attachment name contains “Medical report Covid-19”.\r\nDocument Analysis\r\nThe Office document attachment contains a macro with heavily obfuscated VBA code responsible for delivering the payload in the chain.\r\nFig 3. Macro code in an attachment.\r\nAfter some de-obfuscation, the “Qndiwjphrk8an6x” function code is as below:\r\n{Qndiwjphrk8an6x = “winmgmt” + “:win32_” + “p” + “rocess”}\r\nwhich translates into winmgmts:win32_process. Once we removed the chunked data we got readable code with functions and reference variables.\r\nOne interesting part in the directory Macros\\Ofbszpwp168r\\o.stm is that we can see some obfuscated data again.\r\nFig 4: Obfuscation in Doc file\r\nAfter the initial level of de-obfuscation, we got a base64-encoded PowerShell script, as shown in the figure below.\r\nFig 5: base64 Encoded PowerShell code\r\nAfter base64 decoding and processing the data, we got the PowerShell script below.\r\nFig 6: Base64 Decoded PowerShell script\r\nIt contains malicious domains or URLs which serve Emotet executables. Using PowerShell commands, the Emotet executable is downloaded to the “%temp%” directory on the victim’s machine.\r\nPayload Analysis\r\nThe payload downloaded by the above script has a customized packer, and unpacking is done at runtime. Emotet’s packer code is polymorphic, which makes it difficult for signature-based detection tools to detect it based on the packer code.\r\nIts resource (.rsrc) section holds a significant amount of data, which is an indication that the malware might be packed. In the figure below we can see that RCData has encrypted code.\r\nFig 7: File having encrypted data in resource\r\nWhile debugging the file, we observed that the data is decrypted using a slightly modified version of RC4. The RC4 key is hardcoded in the file. After decryption, control passes to the decrypted shellcode.\r\nFig 8: RC4 used for decryption\r\nIn some files, we have seen the use of VirtualAllocExNuma to allocate new memory; this is used for fast processing. The beginning of the obfuscated shellcode is copied to the new address after being decrypted using the modified RC4 algorithm. In addition to the relatively short shellcode, an additional PE can be seen in memory.\r\nFig 9: Decrypted shellcode and PE File\r\nThe shellcode deobfuscates several API calls at runtime, such as LoadLibraryA, GetProcAddress, VirtualAlloc and VirtualProtect, all of which are used to resolve APIs and allocate memory to run the additional PE.\r\nFig 10: API Resolved\r\nAfter this, the malware allocates memory, copies the data of the decrypted file into it, calls VirtualProtect and finally jumps to the real entry point of the decrypted file.\r\nThe spreading mechanism of the Emotet campaign remains almost the same as the one we discussed in our previous blog, linked below.\r\nThe evolution of a 4-year-old-threat Emotet: From an infamous Trojan to a complex threat distributer\r\nAfter Emotet executes, it exfiltrates data to the CnC server. The data is encoded before sending and is sent using a random file name and a random path on the server.\r\nFig 11: CnC traffic\r\nDetection hits stats\r\nQuick Heal has successfully detected such Emotet trojans. We have multiple detection layers, such as Email protection, Online protection and Behaviour detection, to protect our customers.\r\nHere are the detection stats: number of hits per day in the last 45 days.\r\nFig 12: Graph\r\nConclusion\r\nEmotet is a persistent threat actor and highly successful at delivering email-based malware, with a major focus on email theft and delivering additional malware. It uses moderately obfuscated code to deliver its payload and bypass detection techniques.\r\nWith the global impact of COVID-19, threat actors are likely to continue to use COVID-19-themed emails to deliver malware broadly in support of their objectives across all sectors.\r\nQuick Heal customers have long been protected from Emotet and other COVID-19-themed emails. We continue to track and report such attacks to keep our customers safe.\r\nSubject Matter Experts:\r\nPrashant Tilekar\r\nPreksha Saxena\r\nSource: https://www.seqrite.com/blog/the-return-of-the-emotet-as-the-world-unlocks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.seqrite.com/blog/the-return-of-the-emotet-as-the-world-unlocks/"
	],
	"report_names": [
		"the-return-of-the-emotet-as-the-world-unlocks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434879,
	"ts_updated_at": 1775791239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/062ed42ea6d639318cfe3d674d7881610d89cf69.pdf",
		"text": "https://archive.orkl.eu/062ed42ea6d639318cfe3d674d7881610d89cf69.txt",
		"img": "https://archive.orkl.eu/062ed42ea6d639318cfe3d674d7881610d89cf69.jpg"
	}
}