{
	"id": "5acb23b7-9283-4c64-8c1a-02d0ad7cb38b",
	"created_at": "2026-04-06T00:12:48.067288Z",
	"updated_at": "2026-04-10T03:20:02.69612Z",
	"deleted_at": null,
	"sha1_hash": "767fe1eb536148eac797efb8109793accb734d36",
	"title": "Deep Analysis of New Emotet Variant – Part 1",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3316480,
	"plain_text": "Deep Analysis of New Emotet Variant – Part 1\r\nBy Xiaopeng Zhang\r\nPublished: 2017-05-03 · Archived: 2026-04-05 16:41:08 UTC\r\nBackground\r\nLast week, FortiGuard Labs captured a JS file that functions as a malware downloader to spread a new variant of the Emotet Trojan. Its original file name is Invoice__779__Apr___25___2017___lang___gb___GB779.js. A JS file, as you may be aware, is a JavaScript file that can be executed by the Windows Script Host (wscript.exe) simply by double-clicking on it. In this blog we will analyze how this new malware works by walking through it step by step in chronological order.\r\nA JS file used to spread malware\r\nThe original JS code is obfuscated, and therefore hard to understand. Based on my analysis, its task is to generate new JS code into an array and execute it. The new code is easier to understand, as you can see in the code snippet in Figure 1. As I mentioned, it’s a downloader tool that tries to download malware from five URLs onto the affected device. Once one download is finished, the malware is saved to the system temporary folder as “random name.exe” and executed.\r\nhttps://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-1.html\r\nPage 1 of 14\n\nFigure 1. Snippet of the generated JS code\r\nRunning the downloaded exe file\r\nWhen the downloaded exe file is executed, it moves itself to “%LocalAppData%\\random name\\random name.exe”. A random name for the file is generated using local file names. You can treat it as any random name; however, in my environment, the name is “LatnParams.exe”.\r\nTo protect itself, once LatnParams.exe is executed it extracts code from itself, injects that code into a second LatnParams.exe process created by calling the CreateProcessW function with the CREATE_SUSPENDED flag, and then resumes the second process so it runs. Once that is complete, the first process exits. 
Later, a .lnk file for LatnParams.exe is created inside the Startup folder in the system Start Menu so it automatically runs whenever the system starts. See Figure 2.\r\nFigure 2. Malware in Startup folder\r\nThe main function of the second process\r\nNext, we’ll look at how the code works inside the second process. A hidden window is created for the second process. Its WindowProc function handles all window messages for that window. This malware uses a WM_TIMER message to drive its work; calling the SetTimer function generates such a message. Once the window is created, a WM_CREATE message is sent to the WindowProc function, where it calls SetTimer so that the system posts a WM_TIMER message every 200ms, each of which calls back into the window’s WindowProc function.\r\nFigure 3. Call SetTimer Function\r\nNext, we will examine this WindowProc function. Figure 4 shows the structure of this function in pseudo code.\r\nFigure 4. WindowProc Function\r\nCase 6 Code Branch\r\nIn the case 6 code branch, the malware collects system information from the affected device, including the computer name, country name, the names of all running programs, and whether or not MS Office Outlook is installed. It then puts all the collected data together into a memory buffer and encrypts it. Figure 5 shows the data ready for encryption.\r\nFigure 5. Collected data from the victim’s system\r\nAs you can see, the first part is the computer name. Following “16 00 01 00” is the CPU information. 
The next part is the running process names, followed by the string “Microsoft Outlook,” which means that MS Office Outlook is installed on this machine. You may also notice that the debugger name “OllyDBG.exe” is also in the process name list. Through my analysis I found that the C\u0026C server checks the process names. If it learns that a debugging-related tool (such as OllyDbg, WinDbg, IDA Pro, etc.) is running on the victim’s machine, a different response is returned. In this case, it replies with a new version of itself, causing itself to upgrade again and again until those tools exit.\r\nAfter encryption, it copies the encrypted data, the encryption key, and the hash value together into a new buffer. It then sets the next case number to 7 and exits the case 6 branch.\r\nCase 7 Code Branch\r\nIn the case 7 code branch the main function is to connect to the C\u0026C server and send the collected data to the server. It also receives data from the C\u0026C server. We’ll take a look at how it works here.\r\nThe C\u0026C server IPs and ports are hard-coded. 
In this version there are eleven, as shown below:\r\n004175D0 ; DATA XREF: WindowProc+257r\r\n004175D0 ; sub_403AE0+Co\r\n004175D0 dd 0D453A62Dh ;212.83.166.45\r\n004175D4 dd 1F90h ;8080\r\n004175D8 dd 0ADE68843h ;173.230.136.67\r\n004175DC dd 1BBh ;443\r\n004175E0 dd 0ADE0DA19h ;173.224.218.25\r\n004175E4 dd 1BBh ;443\r\n004175E8 dd 68E38922h ;104.227.137.34\r\n004175EC dd 1BA8h ;7080\r\n004175F0 dd 894AFE40h ;137.74.254.64\r\n004175F4 dd 1F90h ;8080\r\n004175F8 dd 0BCA5DCD6h ;188.165.220.214\r\n004175FC dd 1F90h ;8080\r\n00417600 dd 558FDDB4h ;85.143.221.180\r\n00417604 dd 1BA8h ;7080\r\n00417608 dd 77521BF6h ;119.82.27.246\r\n0041760C dd 1F90h ;8080\r\n00417610 dd 0C258F607h ;194.88.246.7\r\n00417614 dd 1F90h ;8080\r\n00417618 dd 0CED6DC4Fh ;206.214.220.79\r\n0041761C dd 1F90h ;8080\r\n00417620 dd 68EC02FDh ;104.236.2.253\r\n00417624 dd 1BBh ;443\r\nIt gets the data generated in the case 6 branch and encodes it using base64. It then sends the base64-encoded data as a Cookie value to the C\u0026C server. Figure 6 shows the data in Wireshark.\r\nFigure 6. Send collected system information to C\u0026C server\r\nIn Figure 6, the status of the response from the C\u0026C server is “404 Not Found.” This message is used to confuse analysts. The body, however, is the encrypted data. After receiving all data from the server, it sets the next case number to 8 and exits this branch.\r\nCase 8 Code Branch\r\nThe only thing done in the case 8 branch is to decrypt the data received in case 7. 
It then exits this branch and sets the next case number to 9.\r\nCase 9 Code Branch\r\nThe case 9 branch is used to process the data decrypted in case 8. Figure 7 is a part of the pseudo code of case 9.\r\nFigure 7. Pseudo code of case 9\r\nThere are some sub-cases in the case 9 branch. The case number “v8” comes from the decrypted data. Following are two examples of the decrypted data.\r\nIn Figure 8, “08 01” selects a sub-case. “08” is a kind of flag or C\u0026C command, and “01” refers to sub-case number 1. As you may know, the data that follows is an .exe file. In the sub-case 1 branch, this file is executed to upgrade the Emotet malware. Usually, it receives an upgrade command because the C\u0026C server has detected that there is a debugging-related tool in the running program names. It’s a way to both protect itself against debugging and confuse analysts. In the sub-case 1 branch, it saves the .exe file into a system temporary folder and runs it by calling the ShellExecuteW function. Meanwhile, the parent process exits to finish the upgrade.\r\nFigure 8. Sub-case 1 example\r\nFigure 9. Sub-case 4 example\r\nI manually modified the “OllyDBG.exe” to another program name before encryption (refer back to Figure 5). Then I was able to get the response shown in Figure 9. The flag changes to “08 04”, where “04” means sub-case number 4. In my analysis, it contains 3 modules (.dll files) in the decrypted data. The flags for all of them are “08 04”, which means the modules are all processed in the sub-case 4 branch. 
As you can see in Figure 7, sub-case 4 calls the CreateThread function to create threads and run the modules in the ThreadFunction, with one thread for one module.\r\nSo far, we have only finished the analysis of one of the three Emotet modules. We are still working on analyzing the others, and will share that analysis in another blog.\r\nSo next, let’s take a look at what this module is able to do.\r\nThe module loaded in a thread\r\nBased on my analysis, this module steals credential information from a victim’s machine. It then encrypts that stolen data and sends it to the C\u0026C server.\r\nWhen this module is loaded in the ThreadFunction, it injects the code extracted from itself into a newly-created LatnParams.exe process to run. The newly-created process has a command line parameter like “%temp%\\A98b.tmp”. This is a temporary file used to save the stolen credential information.\r\nIt is able to steal credentials for Google accounts, FTP accounts saved in IE, Google Talk, Office Outlook, IncrediMail, Group Mail, MSN Messenger, Mozilla Thunderbird, and many others. The following screenshot shows some of them.\r\nFigure 10. Targeted email-related credentials\r\nFor testing purposes, I added a test account into MS Office Outlook to see how it works. The account profile is shown here in Figure 11:\r\nFigure 11. Test account added into Outlook\r\nThe stolen credential data is saved in the temporary file specified in the command line parameter, from where it is encrypted and sent to the C\u0026C server in the ThreadFunction. 
In the following several figures you can see the stolen credential information in the temporary file, the data in memory before encryption, and the data sent to the C\u0026C server.\r\nFigure 12. Stolen credential\r\nFigure 13. Before encryption\r\nFigure 14. Data sent to the C\u0026C server\r\nSolution\r\nThe original JS file has been detected as JS/Nemucod.F436!tr and the downloaded Emotet exe has been detected as W32/GenKryptik.ADJR!tr by the FortiGuard Antivirus service.\r\nIoC\r\nURL:\r\n\"hxxp://willemberg.co.za/TwnZ36149pKUsr/\"\r\n\"hxxp://meanconsulting.com/K44975X/\"\r\n\"hxxp://microtecno.com/i17281nfryG/\"\r\n\"hxxp://thefake.com/Y96158yeXR/\"\r\n\"hxxp://cdoprojectgraduation.com/eaSz15612O/\"\r\nSample SHA256:\r\nInvoice__779__Apr___25___2017___lang___gb___GB779.js\r\nB392E93A5753601DB564E6F2DC6A945AAC3861BC31E2C1E5E7F3CD4E5BB150A4\r\nSource: https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-1.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-1.html"
	],
	"report_names": [
		"deep-analysis-of-new-emotet-variant-part-1.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434368,
	"ts_updated_at": 1775791202,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/767fe1eb536148eac797efb8109793accb734d36.pdf",
		"text": "https://archive.orkl.eu/767fe1eb536148eac797efb8109793accb734d36.txt",
		"img": "https://archive.orkl.eu/767fe1eb536148eac797efb8109793accb734d36.jpg"
	}
}