{
	"id": "f1016754-4426-4e9c-b505-8447af4b1904",
	"created_at": "2026-04-06T00:13:15.335388Z",
	"updated_at": "2026-04-10T13:12:12.999703Z",
	"deleted_at": null,
	"sha1_hash": "5538278e3786a284c7ddc707007af9f2c0f9ceb7",
	"title": "The chronicles of Emotet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2005475,
	"plain_text": "The chronicles of Emotet\r\nBy Oleg Kupreev\r\nPublished: 2020-12-04 · Archived: 2026-04-05 14:14:30 UTC\r\nMore than six years have passed since the banking Trojan Emotet was first detected. During this time it has\r\nrepeatedly mutated, changed direction, acquired partners, picked up modules, and generally been the cause of\r\nhigh-profile incidents and multimillion-dollar losses. The malware is still in fine fettle, and remains one of the\r\nmost potent cybersecurity threats out there. The Trojan is distributed through spam, which it sends itself, and can\r\nspread over local networks and download other malware.\r\nAll its “accomplishments” have been described thoroughly in various publications and reports from companies\r\nand independent researchers. This being the case, we decided to summarize and collect in one place everything\r\nthat is currently known about Emotet.\r\n2014\r\nJune\r\nEmotet was first discovered in late June 2014 by TrendMicro. The malware hijacked user banking credentials\r\nusing the man-in-the-browser technique. Even in those early days, the malware was multicomponent: browser\r\ntraffic was intercepted by a separate module downloaded from the C\u0026C server. Its configuration file with web\r\ninjections was also loaded from there. 
The banker’s main targets were clients of German and Austrian banks, and\r\nits main distribution vector was spam disguised as bank emails with malicious attachments or links to a ZIP\r\narchive containing an executable file.\r\nhttps://securelist.com/the-chronicles-of-emotet/99660/\r\nPage 1 of 18\n\nExamples of malicious emails with link and attachment\r\nNovember\r\nIn the fall of 2014, we discovered a modification of Emotet with the following components:\r\nModule for modifying HTTP(S) traffic\r\nModule for collecting email addresses in Outlook\r\nModule for stealing accounts in Mail PassView (a password recovery tool)\r\nSpam module (downloaded additionally as an independent executable file from addresses not linked to\r\nC\u0026C)\r\nModule for organizing DDoS attacks\r\nWe came across the latter bundled with other malware, and assume that it was added to Emotet with a cryptor\r\n(presumably back then Emotet’s authors did not have their own and so used a third-party one, possibly hacked or\r\nstolen). It is entirely possible that the developers were unaware of its presence in their malware. In any event, this\r\nmodule’s C\u0026C centers were not responsive, and the module itself was no longer updated (compilation date: October 19,\r\n2014).\r\nIn addition, the new modification had begun to employ techniques to steal funds from victims’ bank accounts\r\nautomatically, using the so-called Automatic Transfer System (ATS). You can read more about this modification in\r\nour report.\r\nDecember\r\nThe C\u0026C servers stopped responding and the Trojan’s activity dropped off significantly.\r\n2015\r\nJanuary\r\nIn early 2015, a new Emotet modification was released, not all that different from the previous one. 
Among the\r\nchanges were: a new built-in public RSA key, most strings encrypted, ATS scripts for web injection cleared of\r\ncomments, and targets that now included clients of Swiss banks.\r\nJune\r\nThe C\u0026C servers again became unavailable, this time for 18 months. Judging by the configuration file with web\r\ninjects, the Trojan’s most recent victims were clients of Austrian, German and Polish banks.\r\n2016\r\nDecember\r\nEmotet redux: for the first time in a long while, a new modification was discovered. This version infected web-surfing victims using the RIG-E and RIG-V exploit kits. This distribution method was not previously used by the\r\nTrojan, and, looking ahead, would not be employed again. We believe that this was a trial attempt at a new\r\ndistribution mechanism, which did not pass muster with Emotet’s authors.\r\nThe C\u0026C communication protocol in this modification was also changed: for amounts of data less than 4 KB, a\r\nGET request was used, and the data itself was transmitted in the Cookie field of the HTTP header. For larger\r\namounts, a POST request was used. The RC4 encryption algorithm had been replaced by AES, with the protocol\r\nitself based on a slightly modified Google Protocol Buffer. In response to the request, the C\u0026C servers returned a\r\nheader with a 404 Not Found error, which did not prevent them from transmitting the encrypted payload in the\r\nbody of the reply.\r\nExamples of GET and POST requests used by Emotet\r\nThe set of modules sent to the Trojan from C\u0026C was different too:\r\nOut was the module for intercepting and modifying HTTP(S) traffic\r\nIn was a module for harvesting accounts and passwords from browsers (WebBrowserPassView)\r\n2017\r\nFebruary\r\nUp until now, we had no confirmation that Emotet could send spam independently. 
A couple of months after the\r\nC\u0026C servers kicked back into life, we got proof when a spam module was downloaded from there.\r\nApril\r\nIn early April, a large amount of spam was seen targeting users in Poland. Emails sent in the name of logistics\r\ncompany DHL asked recipients to download and open a “report” file in JavaScript format. Interestingly, the\r\nattackers did not try the further trick of hiding the executable JavaScript as a PDF. The calculation seemed to be\r\nthat many users would simply not know that JavaScript is not at all a document or report file format.\r\nExamples of JS file names used:\r\ndhl__numer__zlecenia___4787769589_____kwi___12___2017.js (MD5: 7360d52b67d9fbb41458b3bd21c7f4de)\r\nIn April, a similar attack involving fake invoices targeted British-German users.\r\ninvoice__924__apr___24___2017___lang___gb___gb924.js (MD5: e91c6653ca434c55d6ebf313a20f12b1)\r\ntelekom_2017_04rechnung_60030039794.js (MD5: bcecf036e318d7d844448e4359928b56)\r\nThen in late April, the tactics changed slightly when the spam emails were supplemented with a PDF attachment\r\nwhich, when opened, informed the user that the report in JavaScript format was available for download via the\r\ngiven link.\r\nDocument_11861097_NI_NSO___11861097.pdf (MD5: 2735A006F816F4582DACAA4090538F40)\r\nExample of PDF document contents\r\nDocument_43571963_NI_NSO___43571963.pdf (MD5: 42d6d07c757cf42c0b180831ef5989cb)\r\nExample of PDF document contents\r\nAs for the JavaScript file itself, it was a typical Trojan-Downloader that downloaded and ran Emotet. Having\r\nsuccessfully infected the system, the script showed the user a pretty error window.\r\nError message displayed by the malicious JavaScript file\r\nMay\r\nIn May, the scheme for distributing Emotet via spam changed slightly. 
This time, the attachment contained an\r\nOffice document (or link to it) with an image disguised as an MS Word message saying something about the\r\nversion of the document being outdated. To open the document, the user was prompted to enable macros. If the\r\nvictim did so, a malicious macro was executed that launched a PowerShell script that downloaded and ran Emotet.\r\nScreenshot of the opened malicious document ab-58829278.dokument.doc (MD5:\r\n21542133A586782E7C2FA4286D98FD73)\r\nAlso in May, it was reported that Emotet was downloading and installing the banking Trojan Qbot (or QakBot).\r\nHowever, we cannot confirm this information: among the more than 1.2 million users attacked by Emotet, Qbot\r\nwas detected in only a few dozen cases.\r\nJune\r\nStarting June 1, a tool for spreading malicious code over a local network (Network Spreader), which would later\r\nbecome one of the malware modules, began to be distributed from Emotet C\u0026C servers. The malicious app\r\ncomprised a self-extracting RAR archive containing the files bypass.exe (MD5:\r\n341ce9aaf77030db9a1a5cc8d0382ee1) and service.exe (MD5: ffb1f5c3455b471e870328fd399ae6b8).\r\nSelf-extracting RAR archive with bypass.exe and service.exe\r\nbypass.exe:\r\nSearches network resources by brute-forcing passwords using a built-in dictionary\r\nCopies service.exe to a suitable resource\r\nCreates a service on the remote system to autorun service.exe\r\nScreenshot of the function for creating the service (bypass.exe)\r\nScreenshot with a list of brute-force passwords (bypass.exe)\r\nIn terms of functionality, service.exe is extremely limited and only sends the name of the computer to the\r\ncybercriminals’ server.\r\nFunction for generating data to be sent to C\u0026C\r\nFunction for 
sending data to C\u0026C\r\nThe mailing was obviously a test version, and the very next day we detected an updated version of the file. The\r\nself-extracting archive had been furnished with a script for autorunning bypass.exe (MD5:\r\n5d75bbc6109dddba0c3989d25e41851f), which had not undergone changes, while service.exe (MD5:\r\nacc9ba224136fc129a3622d2143f10fb) had grown in size by several dozen times.\r\nSelf-extracting RAR archive with bypass.exe and service.exe\r\nThe updated service.exe was larger because its body now contained a copy of Emotet. A function was added to\r\nsave Emotet to disk and run it before sending data about the infected machine to C\u0026C.\r\nNew functions in service.exe for saving Emotet to disk and running it\r\nJuly\r\nAn update to the Emotet load module was distributed over the botnet. One notable change: Emotet had dropped\r\nGET requests with data transfer in the Cookie field of the HTTP header. Henceforth, all C\u0026C communication\r\nused POST (MD5: 643e1f4c5cbaeebc003faee56152f9cb).\r\nAugust\r\nNetwork Spreader was included in the Emotet “distribution kit” as a DLL (MD5:\r\n9c5c9c4f019c330aadcefbb781caac41). The compilation date of the new module is July 24, 2017, but it was\r\nobtained only in August. Recall that it used to be a self-extracting RAR archive with two files: bypass.exe and\r\nservice.exe. The distribution mechanism did not change much, but the list of brute-force passwords was expanded\r\nsignificantly to exactly 1,000.\r\nScreenshot of the decrypted password list\r\nNovember\r\nIn November 2017, IBM X-Force published a report about the new IcedId banker. According to the researchers,\r\nEmotet had been observed spreading it. We got our hands on the first IcedId sample (MD5:\r\n7e8516db16b18f26e504285afe4f0b21) in April, and discovered back then that it was wrapped in a cryptor also\r\nused in Emotet. 
The cryptor was not just similar, but a near byte-for-byte copy of the one in the Emotet sample\r\n(MD5: 2cd1ef13ee67f102cb99b258a61eeb20), which was being distributed at the same time.\r\n2018\r\nJanuary\r\nEmotet started distributing the banking Trojan Panda (Zeus Panda was first discovered in 2016; based on the\r\nleaked Zbot banker source code, it carries out man-in-the-browser attacks and intercepts keystrokes and input form\r\ncontent on websites).\r\nApril\r\nApril 9\r\nIn early April, Emotet acquired a module for distribution over wireless networks (MD5:\r\n75d65cea0a33d11a2a74c703dbd2ad99), which tried to access Wi-Fi using a dictionary attack. Its code resembled\r\nthat of the Network Spreader module (bypass.exe), which had been supplemented with Wi-Fi connection\r\ncapability. If the brute-force was successful, the module transmitted data about the network to C\u0026C.\r\nLike bypass.exe, the module was distributed as a separate file (a.exe) inside a self-extracting archive (MD5:\r\n5afdcffca43f8e7f848ba154ecf12539). The archive also contained the above-described service.exe (MD5:\r\n5d6ff5cc8a429b17b5b5dfbf230b2ca4), which, like its first version, could do nothing except send the name of the\r\ninfected computer to C\u0026C.\r\nSelf-extracting RAR archive with a component for distribution over Wi-Fi\r\nThe cybercriminals quickly updated the module, and within a few hours of detecting the first version we received\r\nan updated self-extracting archive (MD5: d7c5bf24904fc73b0481f6c7cde76e2a) containing a new service.exe\r\nwith Emotet inside (MD5: 26d21612b676d66b93c51c611fa46773).\r\nSelf-extracting RAR archive with updated service.exe\r\nThe module was first publicly described only in January 2020, by Binary Defense. 
The return to the old\r\ndistribution mechanism and the use of code from old modules looked a little strange, since back in 2017\r\nbypass.exe and service.exe had been merged into one DLL module.\r\nApril 14\r\nEmotet again started using GET requests with data transfer in the Cookie field of the HTTP header for data\r\ntransfer sizes of less than 1 KB, alongside POST requests for larger amounts of data (MD5:\r\n38991b639b2407cbfa2e7c64bb4063c4). Also different was the template for filling the Cookie field. If earlier it\r\ntook the form Cookie: %X=, now it was Cookie: %u =. The newly added space between the numbers and the\r\nequals sign helped to identify Emotet traffic.\r\nExample of a GET request\r\nApril 30\r\nThe C\u0026C servers suspended their activity and resumed it only on May 16, after which the space in the GET\r\nrequest had gone.\r\nExample of a corrected GET request\r\nJune\r\nYet another banking Trojan started using Emotet to propagate itself. This time it was Trickster (or Trickbot) — a\r\nmodular banker known since 2016 and the successor to the Dyreza banker.\r\nJuly\r\nThe so-called UPnP module (MD5: 0f1d4dd066c0277f82f74145a7d2c48e), based on the libminiupnpc package,\r\nwas obtained for the first time. The module enabled port forwarding on the router at the request of a host in the\r\nlocal network. This allowed the attackers not only to gain access to local network computers located behind NAT,\r\nbut to turn an infected machine into a C\u0026C proxy.\r\nAugust\r\nIn August, there appeared reports of infections by the new Ryuk ransomware — a modification of the Hermes\r\nransomware known since 2017. It later transpired that the chain of infection began with Emotet, which\r\ndownloaded Trickster, which in turn installed Ryuk. 
Both Emotet and Trickster by this time had been armed with\r\nfunctions for distribution over a local network, plus Trickster exploited known vulnerabilities in SMB, which\r\nfurther aided the spread of the malware across the local network. Coupled with Ryuk, it made for a killer\r\ncombination.\r\nAt the end of the month, the list of passwords in the Network Spreader module was updated. They still numbered\r\n1,000, but about 100 had been changed (MD5: 3f82c2a733698f501850fdf4f7c00eb7).\r\nScreenshot of the decrypted password list\r\nOctober\r\nOctober 12\r\nThe C\u0026C servers suspended their activity, and we registered no distribution of new modules or updates. Activity\r\nresumed only on October 26.\r\nOctober 30\r\nThe data exfiltration module for Outlook (MD5: 64C78044D2F6299873881F8B08D40995) was updated. The key\r\ninnovation was the ability to steal the contents of the message itself. All the same, the amount of stealable data\r\nwas restricted to 16 KB (larger messages were truncated).\r\nComparison of the code of the old and new versions of the data exfiltration module for Outlook\r\nNovember\r\nThe C\u0026C servers suspended their activity, and we registered no distribution of new modules or updates. Activity\r\nresumed only on December 6.\r\nDecember\r\nMore downtime; C\u0026C activity resumed only on January 10, 2019.\r\n2019\r\nMarch\r\nMarch 14\r\nEmotet again modified a part of the HTTP protocol, switching to POST requests and using a dictionary to create\r\nthe path. The Referer field was now filled, and Content-Type: multipart/form-data appeared. 
(MD5:\r\nbeaf5e523e8e3e3fb9dc2a361cda0573)\r\nCode of the POST request generation function\r\nExample of a POST request\r\nMarch 20\r\nYet another change in the HTTP part of the protocol. Emotet dropped Content-Type: multipart/form-data. The\r\ndata itself was encoded using Base64 and UrlEncode (MD5: 98fe402ef2b8aa2ca29c4ed133bbfe90).\r\nCode of the updated POST request generation function\r\nExample of a POST request\r\nApril\r\nThe first reports appeared that information stolen by the new data exfiltration module for Outlook was being used\r\nin Emotet spam mailings: the use of stolen subject lines, mailing lists and message contents was observed in emails.\r\nMay\r\nThe C\u0026C servers stopped working for quite some time (three months). Activity resumed only on August 21, 2019.\r\nOver the following few weeks, however, the servers only distributed updates and modules with no spam activity\r\nbeing observed. The time was likely spent restoring communication with infected systems, collecting and\r\nprocessing data, and spreading over local networks.\r\nNovember\r\nA minor change to the HTTP part of the protocol. Emotet dropped the use of a dictionary to create the path, opting\r\nfor a randomly generated string (MD5: dd33b9e4f928974c72539cd784ce9d20).\r\nExample of a POST request\r\n2020\r\nFebruary\r\nFebruary 6\r\nYet another change in the HTTP part of the protocol. The path now consisted not of a single string, but of several\r\nrandomly generated words. Content-Type again became multipart/form-data.\r\nExample of a POST request\r\nAlong with the HTTP part, the binary part was also updated. The encryption remained the same, but Emotet\r\ndropped Google Protocol Buffer and switched to its own format. 
The compression algorithm also changed, with\r\nzlib replaced by liblzf. More details about the new protocol can be found in the Threat Intel and CERT Polska\r\nreports.\r\nFebruary 7\r\nC\u0026C activity started to decline and resumed only in July 2020. During this period, the amount of spam fell to\r\nzero. At the same time, Binary Defense, in conjunction with various CERTs and the infosec community, began to\r\ndistribute EmoCrash, a PowerShell script that creates incorrect values for system registry keys used by Emotet.\r\nThis caused the malware to “crash” during installation. This killswitch worked until August 6, when the actors\r\nbehind Emotet patched the vulnerability.\r\nJuly\r\nOnly a few days after the resumption of spam activity, online reports appeared that someone was substituting the\r\nmalicious Emotet payload on compromised sites with images and memes. As a result, clicking the links in spam\r\nemails opened an ordinary picture instead of a malicious document. This did not last long, and by July 28 the\r\nmalicious files had stopped being replaced with images.\r\nConclusion\r\nDespite its ripe old age, Emotet is constantly evolving and remains one of the most current threats out there. Save\r\nfor the explosive growth in distribution after five months of inactivity, we have yet to see anything previously\r\nunobserved; that said, a detailed analysis always takes time, and we will publish the results of the study in due\r\ncourse. On top of that, we are currently observing the evolution of third-party malware that propagates using\r\nEmotet, which we will certainly cover in future reports.\r\nOur security solutions can block Emotet at any stage of attack. 
The mail filter blocks spam, the heuristic\r\ncomponent detects malicious macros and removes them from Office documents, while the behavioral analysis\r\nmodule makes our protection system resistant not only to statistical analysis bypass techniques, but to new\r\nmodifications of program behavior as well.\r\nTo mitigate the risks, it is vital to receive accurate, reliable, before-the-fact information about all information\r\nsecurity matters. Scanning IP addresses, file hashes and domains/URLs on opentip can determine if an object\r\nposes a genuine threat based on risk levels and additional contextual information. Analyzing files with opentip,\r\nusing our proprietary technologies, including dynamic, statistical and behavioral analysis, as well as our global\r\nreputation system, can help detect advanced mass and latent threats.\r\nAnd Kaspersky Threat Intelligence is there to track constantly evolving cyberthreats, analyze them, respond to\r\nattacks in good time, and minimize the consequences.\r\nIOC\r\nMost active C\u0026Cs in November 2020:\r\nMD5s of malicious Office documents downloading 
Emotet\r\n59d7ae5463d9d2e1d9e77c94a435a786\r\n7ef93883eac9bf82574ff2a75d04a585\r\n4b393783be7816e76d6ca4b4d8eaa14a\r\nMD5s of Emotet executable files\r\nSource: https://securelist.com/the-chronicles-of-emotet/99660/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/the-chronicles-of-emotet/99660/"
	],
	"report_names": [
		"99660"
	],
	"threat_actors": [],
	"ts_created_at": 1775434395,
	"ts_updated_at": 1775826732,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5538278e3786a284c7ddc707007af9f2c0f9ceb7.pdf",
		"text": "https://archive.orkl.eu/5538278e3786a284c7ddc707007af9f2c0f9ceb7.txt",
		"img": "https://archive.orkl.eu/5538278e3786a284c7ddc707007af9f2c0f9ceb7.jpg"
	}
}