{
	"id": "2a4c5aab-2885-4118-9605-3e4597f6b631",
	"created_at": "2026-04-06T00:12:36.244977Z",
	"updated_at": "2026-04-10T03:21:34.867427Z",
	"deleted_at": null,
	"sha1_hash": "09fb9464f14ba1a90d339c832fcd3d778272907d",
	"title": "Attack Chain Overview: Emotet in December 2020 and January 2021",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1746728,
	"plain_text": "Attack Chain Overview: Emotet in December 2020 and January 2021\r\nBy Chris Navarrete, Yanhui Jia, Matthew Tennis, Durgesh Sangvikar, Rongbo Shao\r\nPublished: 2021-03-08 · Archived: 2026-04-05 14:51:37 UTC\r\nExecutive Summary\r\nUnit 42 researchers have identified and analyzed a new update of Emotet, the notorious banking Trojan, that has\r\nbeen active in the wild since December 2020. Emotet has long been a thorn in the side of defenders with a\r\nreputation for its tenacity, longevity and resilient evasion techniques.\r\nRecent actions by international law enforcement have disrupted the Emotet threat actors and their infrastructure.\r\nHowever, the tactics, techniques and procedures (TTPs) employed in this Emotet update present an opportunity to\r\nexpose the inner workings of an active, prominent threat against all industries.\r\nIn this blog, we will detail the end-to-end attack chain of this Emotet update, including its first-stage malicious\r\ndocument lure, the deobfuscation of its payload into a second-stage PowerShell loader and the downloading of the\r\nthird-stage binary R43H.dll.\r\nWe will also detail the persistence mechanisms used by this Emotet update, as well as the command and control\r\n(C2) channel and its indicators of compromise (IOCs). Lastly, we will demonstrate the difficulties that security\r\nsolutions face against Emotet’s evasion techniques.\r\nPalo Alto Networks Next-Generation Firewall customers are protected from Emotet with Threat Prevention and\r\nWildFire security subscriptions. Customers are also protected with Cortex XDR.\r\nAttack Chain Analysis\r\nEmotet is commonly distributed with a Word document attached in phishing emails. Below are the steps in an\r\nEmotet attack chain:\r\n1. Word doc distributed and opened with macros enabled.\r\n2. VBA macro(s) run to generate the malicious PowerShell script.\r\n3. The malicious PowerShell script downloads the initial DLL binary as a loader.\r\n
4. The initial loader drops a follow-up DLL binary that updates itself.\r\n5. The final DLL steals victims’ sensitive data or conducts further attacks by communicating with C2 servers.\r\nhttps://unit42.paloaltonetworks.com/attack-chain-overview-emotet-in-december-2020-and-january-2021/\r\nPage 1 of 15\n\nFirst-Stage Malware – Word Macro Launcher\r\n(Sha256: 2cb81a1a59df4a4fd222fbcb946db3d653185c2e79cf4d3365b430b1988d485f)\r\nThe analyzed sample is a Microsoft Office OLE2 Compound File Binary Word file. As with many spear-phishing\r\nattacks, this one also social-engineers the user to enable macro support to start the delivery of malicious Visual\r\nBasic for Applications (VBA) code.\r\nFigure 1. This malicious Word document contains an embedded macro that initiates an Emotet\r\nattack chain.\r\nThe embedded VBA macro code is executed when the user opens the lure document in Microsoft Word with\r\nmacros enabled, spawning a Document_Open() event.\r\nFigure 2. The embedded VBA macro code is obfuscated to impede analysis efforts.\r\nThe next call is to a function named Jotxu6biv0471oy0(). The behavior of this function and further execution of\r\nthe first-stage malware is described below:\r\n1. Retrieve a single StoryRange of the wdMainTextStory type from the document’s StoryRanges.Item() method\r\nand store it in the variable mKbjhqs. The content of that variable is the obfuscated payload data that will be\r\ndeobfuscated later in the attack chain. A StoryRange in the VBA world is used to find or replace text inside a\r\ndocument.\r\nFigure 3. The obfuscated payload is extracted from the malicious document and stored.\r\n2. Collect obfuscated data through a series of GoTo calls, which stores data across several variables. The data is\r\nthen concatenated and assigned to variable C_tmpi32le9.\r\n
Figure 4. The obfuscated payload is extracted from the malicious document and stored.\r\n3. The string stored in C_tmpi32le9 is deobfuscated and substituted in a series of function calls displayed in\r\nFigure 4.\r\nFigure 5. Replace function and data before and after obfuscation.\r\nThe text payload stored in C_tmpi32le9 is deobfuscated with a call to function Lehj73snaqzhyepdw9(). This\r\nfunction works as a wrapper for function Jumkzxvtzz2s(), which implements a simple string substitution routine.\r\nThe function also calls the built-in function Replace(), which is passed the string ]b2[s as the delimiter to search\r\nand replace in the payload string. The resulting payload is the WMI moniker winmgmts:win32_process, which is\r\nstored in variable H4qcty67722xqmrmn.\r\n4. Generate a new object by making a call to the CreateObject() function and passing the\r\nwinmgmts:win32_process string as its parameter. The resulting object value is stored in the Fcqv6woostm0 variable, which is an\r\nobject of the Win32_Process WMI Class. This variable is a handle to an object capable of spawning new\r\nprocesses.\r\nFigure 6. Call to CreateObject(“winmgmts:win32_process”) constructor.\r\n5. Perform a length correction routine and store the resulting data in variable Ma9hdg7q365lpb. A call to function\r\nLehj73snaqzhyepdw9() is made with Ma9hdg7q365lpb as a parameter.\r\nFigure 7. Deobfuscated final payload.\r\n6. A call to method Win32_Process.Create() is made by referencing the previously instantiated object and passing\r\nthe return value of the previously executed Lehj73snaqzhyepdw9() function as the first parameter. The return\r\nvalue contains the deobfuscated final payload (operating system and PowerShell commands).\r\n
Figure 8. Create() function call with parameters.\r\nThe first stage of this Emotet attack chain ends with the execution of the deobfuscated payload originally\r\nembedded in the malicious document. The payload contains a series of calls to cmd.exe nested around an\r\nobfuscated call to PowerShell with base64 data passed as an argument.\r\nFigure 9. Deobfuscated OS and PowerShell commands.\r\nSecond-Stage Malware – PowerShell Downloader\r\nThe second stage of the attack chain begins with nested cmd.exe calls, the first of which invokes msg.exe. This\r\ndisplays a message window to the victim containing a decoy Word error, “Word experienced an error trying to\r\nopen the file.”\r\nNext, PowerShell is invoked with base64 encoded data as a parameter, and cmd.exe takes the string\r\nP^Ow^er^she^L^L as an argument. This argument is crafted using the caret escape character (^) to avoid static\r\ndetection. The -w option sets the PowerShell.exe process to start in the background. The -ENCOD option tells\r\nPowerShell to decode the base64 argument on the fly.\r\nFigure 10. Execution of msg.exe and powershell.exe.\r\nPowerShell - Base64 Analysis\r\nFigure 11. Decoded base64 PowerShell data.\r\nThe purpose of this obfuscated code is as follows:\r\n1. Set the security protocol used by the ServicePoint Manager to TLS 1.2.\r\n2. Set the absolute path of a randomly generated file.\r\n3. Generate an array of a total of seven Uniform Resource Identifiers (URIs).\r\nFigure 12. Deobfuscated URIs list.\r\n
4. Instantiate a new object of the WebClient .NET Class, which leverages the DownloadFile() method to retrieve\r\nfiles from each item (URI) contained in the array generated in the previous step. The downloaded file will be\r\nsaved into a fixed absolute path and filename %USERPROFILE%\\Ygyhlqt\\Bx5jfmo\\R43H.dll.\r\nIt’s worth mentioning that the folder names used at this step are matched with the ones generated during macro\r\nexecution in the first stage of the attack chain.\r\n5. Check that the downloaded file length equals 37652 bytes. This specific check is presumably made to ensure the binary\r\ncontent was transferred successfully.\r\n6. Execute the downloaded DLL file by running rundll32.exe with Control_RunDLL\r\nas the entrypoint function. The following picture shows the deobfuscated version of the entire command.\r\nFigure 13. Execution of rundll32.exe in PowerShell.\r\nAs described above, the PowerShell script performs several HTTP requests to different URIs. The response from\r\nthe server shows that a DLL file has been downloaded. The name of the file is set to NK05DJ2yiA.dll.\r\nFigure 14. HTTP download request - First DLL (NK05DJ2yiA.dll).\r\nThird-Stage Malware – DLL Analysis\r\n(Sha256: bbb9c1b98ec307a5e84095cf491f7475964a698c90b48a9d43490a05b6ba0a79)\r\nKEY: \"k1\u003e@dY0V\u003co)afFNz7v68r^Kn6)h)OGcSc\"\r\nFigure 15 shows the process tree having a parent process powershell.exe and the consecutive runs of rundll32.exe.\r\nFigure 15. PowerShell.exe and rundll32.exe processes execution.\r\nThe first process is given the absolute path to R43H.dll as an argument, and the second process is given a path to a\r\nfile with a random path and filename. However, both processes begin with the same entrypoint function called\r\nControl_RunDLL. The following describes the inner workings of this DLL and its participation in the infection\r\nchain.\r\nOnce the downloader code receives the second-stage DLL file, it will be saved in the path\r\n%USERPROFILE%\\Ygyhlqt\\Bx5jfmo\\ and will be renamed to R43H.dll. According to the detection generated by\r\nthe ExeInfoPE tool, this is a Microsoft Visual C++ ver. ~6.0~7.10 executable file.\r\n
Figure 16. ExeInfoPE file identification on downloaded DLL file.\r\nDuring the third-stage malware execution, a new absolute path will be randomly generated. A call to the\r\nMoveFileExW() function will move the file from its original location to this new one. The absolute path format is\r\nas follows:\r\n%SYSTEMROOT%\\system32\\\u003crandom_folder_name\u003e\\\u003crandom_filename\u003e.\u003crandom_ext\u003e\r\nNext, as shown in Figure 17, a call to the CreateProcessW() function sets the value of the lpCommandLine\r\nparameter, which includes the absolute path of the recently moved DLL file, and the aforementioned entrypoint\r\nfunction Control_RunDLL.\r\nFigure 17. Execution of the second DLL file.\r\nThe actions performed by the second rundll32.exe execution will be described in the Fourth-Stage Malware\r\nsection.\r\nLocate and Load Resource Encrypted Data\r\nThe Emotet malware performs several actions, and one of those is the use of Resource Win32 API functions with\r\nthe objective of loading binary data from the executable resource section, decrypting it and dropping a newly\r\ncrafted malware.\r\nFirst, at offset 0x10002119, a call to the VirtualAlloc() function is made. This allocates 0x1B000 (110592 decimal)\r\nbytes with the MEM_COMMIT allocation type and PAGE_EXECUTE_READWRITE memory protection.\r\nFigure 18. VirtualAlloc() and byte-copying (call 100045c0) function.\r\nAt offset 0x10002128, the function call 100045C0 copies the bytes from the resource section into the newly\r\ngenerated memory allocation from the previous step (see Figure 18). The following picture (Figure 19) shows a\r\ncomparison between the byte contents of the resources taken directly from the Resource Hacker tool and the\r\ncontents in memory taken directly from the running process.\r\n
Figure 19. Encrypted binary resources data displayed in the Resource Hacker tool.\r\nDuring the execution of subsequent instructions, a call to the 0x10001D9A function is made. This function has a\r\nloop located at offset 0x10001E4D and performs several operations. One of these operations is a 1-byte XOR\r\ninstruction (xor byte ptr [esi+ecx], al) located at offset 0x10001E4D. Its purpose is to decrypt a total of 110591\r\nbytes of the executable’s resource data where the PE binary data is stored. The final result is an in-memory\r\nreconstructed executable file. In Figure 19, the encrypted and decrypted data in the process’s memory can be seen.\r\nFigure 19. Encrypted data in PE and decryption of data in memory.\r\nAt offset 0x10002167, an indirect function pointer call is made to the address pointed to by the EAX register,\r\nwhich is the entrypoint of the Control_RunDLL function of the in-memory (dropped) executable file. Figure 20\r\nshows this in a graphical manner for reference.\r\nFigure 20. Indirect call – transferring control to in-memory data.\r\nOnce the call EAX instruction is executed, the execution control is transferred to the new executable file.\r\nPersistence Mechanism\r\nThe Emotet malware installs a new service by calling the CreateServiceW() function, so that the operating system\r\nstarts the copy of the malware automatically. Figure 21 shows this new service already installed.\r\n
Figure 21. Installation of a new Windows service.\r\nThe service name is generated randomly; the list below contains the different names observed throughout several test\r\nruns.\r\nProvides Disk Defragmentation capabilities.\r\nWindows Media Center Service for TV and FM broadcast reception.\r\nProcesses application compatibility cache requests for applications as they are launched.\r\nStarts and stops recording of TV programs within Windows Media Center.\r\nTransfers files in the background using idle network bandwidth. If the service is disabled, then any\r\napplications that depend on BITS, such as Windows Update or MSN Explorer, will be unable to\r\nautomatically download programs and other information.\r\nFourth-Stage Malware – DLL Analysis\r\n(Sha256: bd1e56637bd0fe213c2c58d6bd4e6e3693416ec2f90ea29f0c68a0b91815d91a)\r\nAt this stage, the final payload is preparing the environment to submit information to the C2 server. To do so, it\r\nexecutes function calls to retrieve the required data to finally perform the HTTP request.\r\nThe following steps assume a base address of 0x2E1000 and describe the details and sequences followed by the\r\nEmotet malware until the delivery of the payload.\r\nFigure 22. Function calls that collect and prepare data for exfiltration.\r\nFifth-Stage Malware – C2 Traffic\r\nAs can be seen in the function call list, the HttpSendRequestW() API function is used to send the data to the\r\nserver. This function lets the sender transmit more data than HTTP clients normally send.\r\nFigure 23. HTTP data in memory before being sent to the C2 server.\r\nFigure 24 shows the data after being sent and captured by Wireshark.\r\n
Figure 24. Data being sent to the C2 server captured by Wireshark.\r\nEvasion Techniques\r\n1. Uses multiple download links to download the first-stage loader. As long as one download link is not\r\nblocked or captured by a security product, the loader download will be successful.\r\n2. Uses multiple C2 server IP addresses to communicate with C2 servers. As long as one IP address is not\r\nblocked, the communication will be successful.\r\n3. The C2 communication uses standard HTTP with sensitive information encrypted with custom algorithms.\r\nFrom the perspective of security mitigations, it is difficult to differentiate this strain of C2 from benign\r\ntraffic.\r\nConclusion\r\nEmotet was a potent adversary before coordinated law enforcement action shut down its infrastructure in late\r\nJanuary 2021. The attack chain detailed above is elaborate and is designed to evade security detections. A single\r\nsecurity appliance is not equipped to prevent an Emotet attack. Only a combination of security solutions (firewalls,\r\nsandboxes, endpoints and software to integrate all these components) can help prevent an Emotet attack.\r\nAt the time of this writing, the samples listed in the IOCs section below were not publicly available. However, we\r\nhave created detections and coverage against their behavior and communication.\r\nPalo Alto Networks customers are protected from this kind of attack by the following:\r\n1. Next-Generation Firewalls with Threat Prevention signatures 21201, 21185 and 21167 identify HTTP C2\r\nrequests attempting to download the new payload and post sensitive information.\r\n
2. WildFire, an NGFW security subscription, and Cortex XDR identify and block Emotet and its droppers.\r\nIndicators of Compromise\r\nSource: https://unit42.paloaltonetworks.com/attack-chain-overview-emotet-in-december-2020-and-january-2021/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/attack-chain-overview-emotet-in-december-2020-and-january-2021/"
	],
	"report_names": [
		"attack-chain-overview-emotet-in-december-2020-and-january-2021"
	],
	"threat_actors": [],
	"ts_created_at": 1775434356,
	"ts_updated_at": 1775791294,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/09fb9464f14ba1a90d339c832fcd3d778272907d.pdf",
		"text": "https://archive.orkl.eu/09fb9464f14ba1a90d339c832fcd3d778272907d.txt",
		"img": "https://archive.orkl.eu/09fb9464f14ba1a90d339c832fcd3d778272907d.jpg"
	}
}