{
	"id": "1658337c-872a-4c79-a98e-bf3df15f2e23",
	"created_at": "2026-04-06T00:13:50.415805Z",
	"updated_at": "2026-04-10T03:20:41.859102Z",
	"deleted_at": null,
	"sha1_hash": "15e8040390702d04ce2cf53724232f97e379e574",
	"title": "A Deep Dive into the Emotet Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4977888,
	"plain_text": "A Deep Dive into the Emotet Malware\r\nBy Kai Lu\r\nPublished: 2019-06-06 · Archived: 2026-04-05 19:26:12 UTC\r\nEmotet is a trojan that is primarily spread through spam emails. During its lifecycle, it has gone through a few\r\niterations. Early versions were delivered as a malicious JavaScript file. Later versions evolved to use macro-enabled Office documents to retrieve a malicious payload from a C2 server.\r\nFortiGuard Labs has been tracking Emotet since it was first discovered, and in this blog, I will provide a deep\r\nanalysis of a new Emotet sample found in early May. This detailed analysis includes how to unpack the persistent\r\npayload, how Emotet malware communicates with its C2 servers, how to identify the hard-coded C2 server list\r\nand RSA key in the executable, as well as how it encrypts the data it gathers.\r\n0x01 Malicious Word Document\r\nThis sample is a Word document file. When you open it and enable the macro in Word, the malware starts to\r\nexecute.\r\nFigure 1. Executing a PowerShell script\r\nWe can see here that the VB script inside the malicious Word document file is able to create a new process with\r\nPowerShell. The option ‘-e’ in PowerShell indicates that it accepts a base64-encoded string version of commands.\r\nThe decoded PowerShell script is shown in Figure 2:    \r\nhttps://www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware.html\r\nPage 1 of 17\n\nFigure 2. Debugging the decoded PowerShell script\r\nThe variable $YBAAU_D is a list which includes five URLs. It uses them to download a payload from a remote\r\nserver and then execute it.  The following table lists each malicious URL, the name of the payload that can be\r\ndownloaded from the corresponding URL, the Sha256 value, and payload size.\r\nWhen I started to investigate this sample in early May, the first two URLs could not be accessed, while the three\r\nremaining URLs were all active. All three payloads are PE files. 
\r\nNext, we will choose one of them to do further investigation. In this blog, all analysis is based on the payload p4xl0bbb85.exe (sha256:21145645cac74e0b590813eafd257a2c4af6c6be0bc86d873ad0e6c005c0911d).\r\n0x02 First Layer Payload\r\nThe payload p4xl0bbb85.exe is packed by a customized packer. After it executes, it creates three new processes, shown below:\r\nFigure 3. The process tree after executing the payload p4xl0bbb85.exe\r\nIt first launches the process (pid:2784) with the command line ‘--f02b3a38’. It then writes the PE file ‘itsportal.exe’ into the folder C:\\Users\\[XXX]\\AppData\\Local\\itsportal\\. Next, it executes itsportal.exe without any parameters. After itsportal.exe is executed, it is able to launch the process (pid:1980) with the command line ‘--c6857361’. Finally, the first three created processes exit and the PE file p4xl0bbb85.exe is deleted from the hard disk. The PE file itsportal.exe is the persistent payload.\r\nFigure 4. The persistent payload\r\n0x03 Analysis of Persistent Payload\r\nIn this section, we will continue to analyze the persistent payload itsportal.exe. This payload has a customized packer. After tracing a few steps from the entry point, the program goes into the function sub_4012E0().\r\nFigure 5. The function sub_4012E0()\r\nThe following is the pseudo C code of the function sub_4012E0().\r\nFigure 6. 
The pseudo C code of the function sub_4012E0()\r\nIn this function, the malware invokes the function sub_401440() to allocate a new memory region (0x1D0000) with VirtualAllocEx(), and sets the starting address of this memory plus 0x102f0 as the trampoline address. Then, in the loop, it first copies the first 0x7B bytes of data from 0xf080f8 to the new memory region, then continues to copy data. When a byte has the value 0x37, it is not copied to the new memory region. The size of data copied into the memory region is 0x10600.\r\nNext, the function sub_401560() is used to decrypt the data in the new memory region, and at this point the trampoline code is decrypted. Later, we will see that the program is going to jump to the trampoline code. Finally, the program jumps to 0x00401260 to execute its instructions.\r\nFigure 7. Jump to 0x00401260\r\nAs shown in Figure 8, the program will jump to 0x1E02F0 to execute the trampoline code.\r\nFigure 8. Jump to the trampoline code\r\nThe trampoline code mainly does the following things:\r\n1. Allocates a new memory region (0x1F0000) with a size of 0x10000, and it is named memory region A.\r\n2. Copies 0xf600 bytes of data from 0x1D0124 to memory region A.\r\n3. Decrypts the data of memory region A set up in step 2. The decryption algorithm is shown below.\r\n4. Allocates a new memory region (0x200000), whose size is 0x14000. It is named memory region B.\r\n5. Copies the first 0x400 bytes of data from memory region A to the start of memory region B.\r\n6. Copies all segments of data from memory region A to memory region B.\r\n7. Calls the function UnmapViewOfFile(0x400000), which unmaps the mapped view of a file from the calling process’s address space.\r\n8. 
Calls the function VirtualAlloc(0x400000, 0x14000, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) to make the memory region executable, readable and writable.\r\n9. Copies the 0x14000 bytes of data from memory region B to 0x400000.\r\n10. Jumps back to the real entry point (0x4CA90) from the trampoline to execute instructions. At this point, the unpacking work is finished.\r\nThe following screenshot is the memory map. I highlight three allocated memory regions as well as the unpacked program.\r\nFigure 9. Highlight of three allocated memory regions and the unpacked program\r\nFinally, the program jumps to the real entry point 0x4C9A0. (NOTE: At this time, you could use the plugin OllyDumpEx to dump the unpacked program in x64dbg. Once you get the unpacked program, you could perform static analysis on it with IDA Pro.)\r\nFigure 10. Jump to the real entry point\r\nSo far, we have demonstrated how to unpack the Emotet malware. In the unpacked program, the C2 server list is hard-coded at offset 0x40F710, and the public key is hard-coded at offset 0x40FBF0.\r\n0x04 Communication with C2 Server\r\nIn order to investigate its communication with the C2 server, we first need to obtain the C2 server list. As mentioned in section 3, the C2 server list is hard-coded in the executable file. After unpacking, we can see that the buffer starting at offset 0x40F710 stores the C2 server list, as shown in Figure 11:\r\nFigure 11. The hard-coded C2 server list\r\nA global variable is stored at 0x004124A0. 
It has the following structure in the C programming language.\r\nstruct g_ip_port_list\r\n{\r\n    DWORD *c2_list;\r\n    DWORD *current_c2;\r\n    DWORD size;\r\n    DWORD current_c2_index;\r\n};\r\nThe member variable c2_list points to the hard-coded C2 server list buffer. Each item in this list includes a pair of an IP address and port. Its size is 8 bytes, with the first four bytes representing the IP address, followed by the two bytes that represent the port. The member variable current_c2 points to the currently selected C2 server. The member variable size is the size of the C2 server list. The member variable current_c2_index represents the index of the currently selected C2 server in the C2 server list.\r\nThis sample has 61 C2 servers, which are listed below.\r\n200.58.171.51:80\r\n189.196.140.187:80\r\n222.104.222.145:443\r\n115.132.227.247:443\r\n190.85.206.228:80\r\n216.98.148.136:4143\r\n111.67.12.221:8080\r\n185.94.252.27:443\r\n139.59.19.157:80\r\n159.69.211.211:8080\r\n107.159.94.183:8080\r\n72.47.248.48:8080\r\n24.150.44.53:80\r\n176.58.93.123:8080\r\n186.139.160.193:8080\r\n217.199.175.216:8080\r\n181.199.151.19:80\r\n85.132.96.242:80\r\n51.255.50.164:8080\r\n103.213.212.42:443\r\n192.155.90.90:7080\r\n66.209.69.165:443\r\n109.104.79.48:8080\r\n181.142.29.90:80\r\n77.82.85.35:8080\r\n190.171.230.41:80\r\n144.76.117.247:8080\r\n187.188.166.192:80\r\n201.203.99.129:8080\r\n200.114.142.40:8080\r\n43.229.62.186:8080\r\n189.213.208.168:21\r\n181.37.126.2:80\r\n109.73.52.242:8080\r\n181.29.101.13:80\r\n190.180.52.146:20\r\n82.226.163.9:80\r\n200.28.131.215:443\r\n213.172.88.13:80\r\n185.86.148.222:8080\r\n190.117.206.153:443\r\n192.163.199.254:8080\r\n103.201.150.209:80\r\n181.30.126.66:80\r\n200.107.105.16:465\r\n165.227.213.173:8080\r\n81.3.6.78:7080\r\n5.9.128.163:8080\r\n69.163.33.82:8080\r\n196.6.112.70:443\r\n37.59.1.74:8080\r\n23.254.203.51:8080\r\n190.147.116.32:21\r\n200.45.57.96:143\r\n91.205.215.57:7080\r\n189.205.185.71:465\r\n219.94.254.93:8080\r\n186.71.54.77:20\r\n175.107.200.27:443\r\n66.228.45.129:8080\r\n62.75.143.100:7080\r\nNext, let’s take a look at the traffic sent to the C2 servers. In this sample, it sends an HTTP POST request to the C2 server.\r\nFigure 12. The captured traffic that is sent to the C2 servers\r\nThe HTTP session is shown below. The HTTP body data is URL-encoded.\r\nFigure 13. The HTTP session data\r\nAfter performing URL decoding, we can see the data is encoded with Base64. After Base64 decoding, we can finally see the real data, which is encrypted. In this next section, let’s dive into the encryption algorithm of the HTTP body data.\r\nFigure 14. The decoded HTTP body data after URL decoding and Base64 decoding\r\n0x05 Encryption Algorithm\r\nThe Emotet malware can gather some system info, such as the host name, the list of all processes running on the infected machine, etc. The following is the set of gathered data.\r\nFigure 15. 
The structure of the gathered data\r\nNext, the gathered data is compressed with the Deflate algorithm.\r\nFigure 16. The data compressed using the Deflate algorithm\r\nNext, the malware encrypts the compressed data in Figure 16 with an AES session key, and packs the session key, encrypted using an RSA public key, along with a hash value and the encrypted data, into the following structure.\r\nFigure 17. The packed data structure\r\nThe size of the session key encrypted by the RSA public key is 0x60 bytes. The size of the hash value is 0x14 bytes.\r\nAfter packing these three data elements, the malware continues to encode the packed data with Base64, and then encodes it with a URL encoding algorithm. It finally forms the HTTP body data that will be sent to the C2 server.\r\nFigure 18. The HTTP body data\r\nWe have now finished the deep analysis of the data encryption algorithm of the Emotet malware in communication with C2 servers.\r\nFor the other half of this communication, where the program has to handle the response data from the C2 server, it first decrypts the HTTP response data and then decompresses the corresponding data with the Deflate algorithm.\r\nAdditionally, the RSA key is hard-coded at offset 0x0040FBF0 in the unpacked program as DER-encoded ASN.1. Its size is 0x6A bytes.\r\nFigure 19. 
The hard-coded RSA key in DER format\r\n0x06 Solution\r\nThis malicious Word document has been detected as “VBA/Agent.NRN!tr.dldr”, and the payload file has been detected as “W32/Kryptik.GSJJ!tr” by the FortiGuard AntiVirus service.\r\nFortinet has also developed an IPS signature named “Emotet.Botnet” to detect the traffic between the C2 server and the infected machine.\r\nThe URLs used to download Emotet have been rated as “Malicious Websites” by the FortiGuard WebFilter service.\r\n0x07 Conclusion\r\nEmotet is a sophisticated malware that uses an advanced custom packer and a complicated encryption algorithm to communicate with its C2 server, as well as other advanced functionalities. It can retrieve attack payloads or other related malware payloads from C2 servers. Those attack payloads are designed to steal sensitive data from the victim.\r\nWe will continue to monitor the activities between Emotet and its C2 servers.\r\nIn the next blog, I will document some interesting research regarding how to programmatically unpack the Emotet executable and extract the hard-coded C2 server list and RSA key from the executable. My goal is to help researchers quickly identify traffic from Emotet, as well as save more time on reverse engineering. 
You’re welcome to stay tuned!\r\nReference\r\nSHA256 Hash:\r\n45b3a138f08570ca324abd24b4cc18fc7671a6b064817670f4c85c12cfc1218f (Word document)\r\n30bb20ed402afe7585bae4689f75e0e90e6d6580a229042c3a51eecefc153db7 (1n592ynn2ys9gg0.exe)\r\n2c9b8ed7cb7ce9b49579453283292ddf478c6ab2953b66c27aac8dfc84c6fb2b (s9cbyx.exe)\r\n21145645cac74e0b590813eafd257a2c4af6c6be0bc86d873ad0e6c005c0911d (p4xl0bbb85.exe)\r\n21145645cac74e0b590813eafd257a2c4af6c6be0bc86d873ad0e6c005c0911d (itsportal.exe)\r\nURLs:\r\nhxxp://webaphobia[.]com/images/72Ca/\r\nhxxps://montalegrense[.]graficosassociados.com/keywords/FOYo/\r\nhxxp://purimaro[.]com/1/ww/\r\nhxxp://jpmtech[.]com/css/GOOvqd/\r\nhxxp://118.89.215.166/wp-includes/l5/\r\nLearn more about FortiGuard Labs and the FortiGuard Security Services portfolio. Sign up for our weekly FortiGuard Threat Brief.\r\nRead about the FortiGuard Security Rating Service, which provides security audits and best practices.\r\nSource: https://www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware.html"
	],
	"report_names": [
		"deep-dive-into-emotet-malware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434430,
	"ts_updated_at": 1775791241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/15e8040390702d04ce2cf53724232f97e379e574.pdf",
		"text": "https://archive.orkl.eu/15e8040390702d04ce2cf53724232f97e379e574.txt",
		"img": "https://archive.orkl.eu/15e8040390702d04ce2cf53724232f97e379e574.jpg"
	}
}