{
	"id": "5cddf7e6-95d5-49fa-8149-cd0e67df1ef1",
	"created_at": "2026-04-06T00:19:36.367607Z",
	"updated_at": "2026-04-10T03:22:09.497812Z",
	"deleted_at": null,
	"sha1_hash": "063396100a235172fd02a3a2eea301db4dc8a7a2",
	"title": "Emotet’s Return: What's Different? | HP Wolf Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 732029,
	"plain_text": "Emotet’s Return: What's Different? | HP Wolf Security\r\nBy Patrick Schläpfer\r\nPublished: 2021-12-09 · Archived: 2026-04-05 16:01:25 UTC\r\nOn 15 November 2021, Emotet returned after an almost 10-month hiatus and is currently being spread again in large malicious spam campaigns. The malware operation behind Emotet was disrupted in January 2021 by law enforcement, leading to a dramatic reduction in activity. However, this lull has proven temporary, with Emotet’s return demonstrating the resilience of botnets and their operators. The malware’s resurgence raises questions about what has changed in the new binaries being distributed, which we briefly explore in this article.\r\nCampaign Isolated by HP Wolf Security, November 2021\r\nIn November, HP Sure Click Enterprise – part of HP Wolf Security – isolated a large Emotet campaign against an organization. Figure 1 shows how a user opened an Excel email attachment containing a malicious macro. The macro spawned cmd.exe, which attempted to download and run an Emotet payload from a web server. Since malware delivered over email is extremely common, HP Sure Click automatically treats files delivered via email as untrusted. When the user opened the attachment, HP Sure Click isolated the file in a micro-virtual machine (micro-VM), preventing the host from being infected. 
HP Sure Click also detected potentially malicious behavior in the micro-VM, so it generated and sent an alert to the customer’s security team containing an activity trace describing what happened inside the VM (Figure 2).\r\nFigure 1 – Alert timeline showing the user opening a malicious Emotet spreadsheet.\r\nFigure 2 – Snippet from the behavioral trace captured by HP Sure Click.\r\nFinding code similarities\r\nUsing two unpacked Emotet samples, one from January 2021 and a second from mid-November 2021, we wanted to highlight the code differences so that analysis could focus on any new code. For this we used Threatray, which analyzes the structure of malware and classifies it based on code similarities. The service can also find function differences between two malware samples and highlight them.\r\nQuerying Threatray’s API for code similarities returns a table of function addresses from both samples. A row with a function address in the columns of both samples means a similar function was found in each. Analyzing our two Emotet samples identified 80 of 246 functions as similar, which means the remaining functions could be code changes or obfuscation.\r\nFigure 3 – Threatray output table showing similar functions.\r\nTo streamline our analysis further, we wrote an IDC script based on Threatray’s results, which colors known functions green. This way, we can concentrate on the unknown areas when reversing the malware.\r\nFigure 4 – IDA Pro disassembly of the November 2021 Emotet sample with known functions in green.\r\nWindows API function resolution technique\r\nOne of the ways Emotet hides its capabilities is by resolving Windows API functions at runtime, so the function names appear neither in the Import Address Table nor as strings in the binary. 
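As an added example (mine, not the author’s Python script, and not Emotet’s real hash routine), here is the lookup that the rest of this section describes, from both sides: the resolver the malware runs, which hashes a DLL’s exports one by one until it finds the requested value, and the analyst’s inverse, which pre-hashes the exports of the DLLs of interest so that each hash constant found in a wrapper function can be annotated with a name. The ROR-13 hash is the well-known Metasploit-style routine and only stands in for whatever the sample actually uses; the export lists are constructed so the script runs offline (on Windows they would be read from each DLL’s export directory, for instance with pefile).

```python
# Added example (not HP's script, not Emotet's real hash): hash-based
# Windows API resolution, malware side and analyst side.
# Assumptions: ROR-13 stands in for the sample's hash routine, and the
# export lists below are constructed, not read from real DLLs.

from typing import Callable, Dict, Iterable, List, Optional, Tuple

MASK32 = 0xFFFFFFFF
HashFn = Callable[[str], int]

def ror13_hash(name: str) -> int:
    '''Rotate-right-by-13 hash over the ASCII bytes of an export name.'''
    h = 0
    for b in name.encode('ascii'):
        h = ((h >> 13) | (h << 19)) & MASK32
        h = (h + b) & MASK32
    return h

# Constructed export tables: a few real export names per DLL. Real tables
# hold hundreds or thousands of entries; the logic is identical.
EXPORTS: Dict[str, List[str]] = {
    'advapi32.dll': ['CryptAcquireContextW', 'CryptDecrypt', 'CryptReleaseContext'],
    'bcrypt.dll': ['BCryptOpenAlgorithmProvider', 'BCryptDecrypt', 'BCryptGenRandom'],
    'kernel32.dll': ['HeapAlloc', 'MultiByteToWideChar'],
    'ntdll.dll': ['RtlAllocateHeap', 'RtlRandomEx'],
}

def malware_side_lookup(export_names: Iterable[str], wanted: int,
                        hash_fn: HashFn = ror13_hash) -> Optional[str]:
    '''What the resolver routine inside the sample does: hash every export
    of one DLL until a value equals the hash passed in by the caller.'''
    for name in export_names:
        if hash_fn(name) == wanted:
            return name
    return None

def build_hash_table(exports: Dict[str, Iterable[str]],
                     hash_fn: HashFn = ror13_hash) -> Dict[int, List[Tuple[str, str]]]:
    '''Analyst side: hash -> [(dll, export)]. A list per hash keeps
    collisions visible instead of silently picking one candidate.'''
    table: Dict[int, List[Tuple[str, str]]] = {}
    for dll, names in exports.items():
        for name in names:
            table.setdefault(hash_fn(name), []).append((dll, name))
    return table

def resolve_hash(table: Dict[int, List[Tuple[str, str]]], value: int) -> Optional[Tuple[str, str]]:
    '''(dll, name) for a hash; None when it is unknown or ambiguous.'''
    hits = table.get(value, [])
    return hits[0] if len(hits) == 1 else None

def annotate(table: Dict[int, List[Tuple[str, str]]], hashes: Iterable[int]) -> Dict[int, str]:
    '''Comment text for each hash constant found in the wrapper functions.'''
    out: Dict[int, str] = {}
    for h in hashes:
        hit = resolve_hash(table, h)
        out[h] = '%s!%s' % hit if hit else 'unresolved_%08x' % h
    return out

if __name__ == '__main__':
    table = build_hash_table(EXPORTS)
    wanted = ror13_hash('RtlAllocateHeap')
    print('malware side:', malware_side_lookup(EXPORTS['ntdll.dll'], wanted))
    for h, text in annotate(table, [wanted, ror13_hash('BCryptDecrypt'), 0x12345678]).items():
        print('0x%08x -> %s' % (h, text))
```

A check a practitioner wants is built in: the table keeps a list per hash, so a collision between two exports (or the same name exported by two DLLs) shows up as an unresolved entry instead of a silently wrong annotation. Replacing hash_fn with the routine recovered from the unpacked sample is the only change needed to run this against a real binary.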
To find the desired API function, Emotet instead uses hashes. A hash is passed to a resolution routine, which compares it with the hashes of all the exported functions of a DLL. When two hashes match, the export and its address have been found, and the function can be called without its name ever appearing in the binary.\r\nFigure 5 – Emotet’s Windows API wrapper function.\r\nSince these wrapper functions are not classified as similar, we wrote a Python script that resolves the Windows API functions. For the Emotet sample from 16 November, we were able to resolve and annotate 109 different functions. We also resolved the functions of the sample from January 2021 to compare the differences in API functions between the samples. The following lists the API functions that are unique to each sample (functions resolved in both samples are not listed):\r\nJanuary 2021 only:\r\nCryptAcquireContextW\r\nCryptCreateHash\r\nCryptDecrypt\r\nCryptDuplicateHash\r\nCryptDestroyHash\r\nCryptDestroyKey\r\nCryptGenKey\r\nCryptEncrypt\r\nCryptExportKey\r\nCryptGetHashParam\r\nCryptImportKey\r\nCryptReleaseContext\r\nCryptVerifySignatureW\r\nCryptDecodeObjectEx\r\nHeapAlloc\r\nMultiByteToWideChar\r\nWideCharToMultiByte\r\nRtlRandomEx\r\nNovember 2021 only:\r\nBCryptCloseAlgorithmProvider\r\nBCryptCreateHash\r\nBCryptDecrypt\r\nBCryptDeriveKey\r\nBCryptDestroyHash\r\nBCryptDestroyKey\r\nBCryptDestroySecret\r\nBCryptEncrypt\r\nBCryptExportKey\r\nBCryptFinalizeKeyPair\r\nBCryptFinishHash\r\nBCryptGenRandom\r\nBCryptGenerateKeyPair\r\nBCryptGetProperty\r\nBCryptHashData\r\nBCryptImportKey\r\nBCryptImportKeyPair\r\nBCryptOpenAlgorithmProvider\r\nBCryptSecretAgreement\r\nBCryptVerifySignature\r\nRtlAllocateHeap\r\nInternetQueryOptionW\r\nDifferences in the Emotet Samples\r\nOne difference in the API functions is that the newer Emotet sample now uses 
BCrypt functions from the Cryptography API: Next Generation (CNG). The Emotet sample from January 2021 used the legacy CryptoAPI functions from advapi32.dll. A likely explanation for this change is that Emotet’s developers moved to the newer API because Microsoft has deprecated CryptoAPI and recommends CNG in its place.\r\nFigure 6 – CryptDecrypt API documentation from Microsoft.\r\nIn addition to the changes in cryptography, Emotet now calls RtlAllocateHeap to allocate heap memory. Normally a program calls HeapAlloc in kernel32.dll, which is a thin wrapper that forwards to RtlAllocateHeap in ntdll.dll. Each Emotet binary contains encrypted configuration that is decrypted at runtime and stored on the heap. Previously, when debugging the malware, we could set a breakpoint on HeapAlloc and read decrypted data such as the command and control (C2) addresses. This no longer works with the newer sample, because it calls RtlAllocateHeap directly and the HeapAlloc breakpoint is never hit. Moving the breakpoint to RtlAllocateHeap restores the desired result; since HeapAlloc itself ends up in RtlAllocateHeap, a breakpoint on the ntdll export covers both the old and the new sample. However, this small change could mean that automated analysis systems which hook HeapAlloc are no longer able to extract the decrypted configuration, so they require updating.\r\nAdding the resolved API wrapper functions (colored green) to the functions Threatray marked as similar gives 167 of 246 functions. Some of the remaining functions are very small auxiliary functions that are uninteresting, and others can be found in the older Emotet sample by comparing the two manually. But why were these functions not initially marked as similar? There are two possible reasons for this. 
First, Emotet uses switch-case statements to obfuscate the control flow: the switch calls the functions in the correct order, but this dispatch is not easy to resolve with static analysis.\r\nFigure 7 – Control flow graph showing switch-case obfuscation.\r\nSecond, we noticed that the newer Emotet sample contains more function flattening than the older one, meaning that more calls are made in one place instead of being nested in sub-functions. This changes the control flow, which reduces the similarity to the older Emotet sample. Figure 8 shows the January 2021 sample calling a sub-function that allocates memory on the heap, creates a string, then releases the memory.\r\nFigure 8 – Sample from January 2021 calling a sub-function leading to further execution and API calls.\r\nIn the more recent sample, the sub-function has been inlined and the calls to allocate memory and compose the string have been moved into the main function (Figure 9).\r\nFigure 9 – Sample from November 2021 using direct function calls instead of sub-functions.\r\nConclusion\r\nOur analysis shows that Emotet has changed during its almost 10-month break. As well as the use of an updated cryptography library, there have been small changes in memory allocation and in the structure of parts of Emotet’s code. However, large parts of the malware remain the same, indicating that its existing features are still good enough to compromise systems. This is not a final analysis, since our goal was to show how to quickly and efficiently highlight changes between two samples. 
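The triage workflow this article set out to show, a Threatray similarity table driving a script that colors matched functions green in IDA (see “Finding code similarities” above), as an added example that is mine rather than the author’s IDC script. Threatray’s real output format is not shown on this page, so the table layout used here (one row per function pair, address in the old sample, address in the new sample, an empty field meaning no counterpart was found) is an assumption, and the addresses are constructed, not real Emotet addresses. The script emits an IDC file of the kind the article describes and also offers the same coloring directly from IDAPython.

```python
# Added example (not HP's IDC script; Threatray's output format is assumed):
# turn a function-similarity table into an IDC script that colors every
# matched function of the newer sample green, so reversing can concentrate
# on the functions with no known counterpart.

from typing import List, Optional, Tuple

GREEN = 0x00FF00  # IDA colors are 0x00BBGGRR; pure green reads the same either way

# Constructed similarity table for two hypothetical samples (not real
# Emotet addresses). Column 1: old sample, column 2: new sample.
SIMILARITY_TABLE = '''old_sample,new_sample
0x401000,0x402000
0x401120,0x4021a0
,0x4023c0
0x401400,
0x4015e0,0x402800
'''

Row = Tuple[Optional[int], Optional[int]]

def parse_similarity_table(text: str) -> List[Row]:
    '''Parse the two-column table; a missing address becomes None.'''
    rows: List[Row] = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        old, new = (field.strip() for field in line.split(','))
        rows.append((int(old, 16) if old else None, int(new, 16) if new else None))
    return rows

def matched_functions(rows: List[Row]) -> List[int]:
    '''Addresses in the new sample that have a counterpart in the old one.'''
    return sorted(new for old, new in rows if old is not None and new is not None)

def unmatched_functions(rows: List[Row]) -> List[int]:
    '''Addresses in the new sample with no counterpart: reverse these first.'''
    return sorted(new for old, new in rows if old is None and new is not None)

def coverage(rows: List[Row]) -> Tuple[int, int]:
    '''(matched, total) over the functions of the new sample.'''
    total = sum(1 for _, new in rows if new is not None)
    return len(matched_functions(rows)), total

def idc_color_lines(addresses: List[int], color: int = GREEN) -> List[str]:
    '''Lines of an IDC script that colors each listed function (IDA 7.x names).'''
    lines = ['#include <idc.idc>', 'static main() {']
    for ea in addresses:
        lines.append('    set_color(0x%x, CIC_FUNC, 0x%06X);' % (ea, color))
    lines.append('}')
    return lines

def apply_in_ida(addresses: List[int], color: int = GREEN) -> int:
    '''Same effect from IDAPython when run inside IDA; returns the count colored.'''
    import idc  # only importable inside IDA
    for ea in addresses:
        idc.set_color(ea, idc.CIC_FUNC, color)
    return len(addresses)

if __name__ == '__main__':
    rows = parse_similarity_table(SIMILARITY_TABLE)
    matched, total = coverage(rows)
    print('%d of %d functions in the new sample have a known counterpart' % (matched, total))
    print('unmatched:', ['0x%x' % ea for ea in unmatched_functions(rows)])
    for line in idc_color_lines(matched_functions(rows)):
        print(line)
```

Run outside IDA it prints the coverage figure (3 of 4 on the constructed table, the same shape as the article’s 80 of 246), the unmatched functions to reverse first, and the IDC text to load from the IDA script-file menu; apply_in_ida does the same coloring when pasted into IDA’s Python console. set_color with CIC_FUNC is the IDA 7.x spelling of the call; older IDA releases name it SetColor.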
To support the security community with further analysis of Emotet, we have shared the IDA database and Python script used in this article.\r\nSource: https://threatresearch.ext.hp.com/emotets-return-whats-different/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://threatresearch.ext.hp.com/emotets-return-whats-different/"
	],
	"report_names": [
		"emotets-return-whats-different"
	],
	"threat_actors": [],
	"ts_created_at": 1775434776,
	"ts_updated_at": 1775791329,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/063396100a235172fd02a3a2eea301db4dc8a7a2.pdf",
		"text": "https://archive.orkl.eu/063396100a235172fd02a3a2eea301db4dc8a7a2.txt",
		"img": "https://archive.orkl.eu/063396100a235172fd02a3a2eea301db4dc8a7a2.jpg"
	}
}