{
	"id": "86e58ec1-a049-406e-9bde-483aabb96c42",
	"created_at": "2026-04-06T00:16:54.968518Z",
	"updated_at": "2026-04-10T13:12:39.315635Z",
	"deleted_at": null,
	"sha1_hash": "8c6de7cc5e3ea338a5a1d365925c2d3d8f10eda6",
	"title": "The Banking Trojan Emotet: Detailed Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 850928,
	"plain_text": "The Banking Trojan Emotet: Detailed Analysis\r\nBy Alexey Shulmin\r\nPublished: 2015-04-09 · Archived: 2026-04-05 16:34:14 UTC\r\nIntroduction\r\nIn the summer of 2014, the company Trend Micro announced the detection of a new threat – the banking Trojan\r\nEmotet.  The description indicated that the malware could steal bank account details by intercepting traffic.  We\r\ncall this modification version 1.\r\nIn the autumn of that year a new version of Emotet was found.  It caught our attention for the following reasons:\r\nThe developers of this Trojan had begun to use technology that stole money automatically from victims’\r\nbank accounts – so called “Automatic Transfer System (ATS)”.\r\nThe Trojan had a modular structure: it contained its own installation module, a banking module, a spam bot\r\nmodule, a module for stealing address books from MS Outlook and a module for organizing DDoS attacks\r\n(Nitol DDoS bot).\r\nThe creators made a significant effort to remain unnoticed: they didn’t attack users in the RU zone but\r\ntargeted the clients of a small number of German and Austrian banks (other well-known banking Trojans\r\nare less discerning in their choice of target), and the domain name of the ATS server changed frequently\r\n(once or several times a day).\r\nWe are going to refer to this modification as Emotet version 2. The bot contains and transfers the numbers one and\r\nseven to the command and control center (C\u0026C), which suggests that the Trojan’s authors consider this variant to\r\nbe version 1.7.\r\nBoth versions of the Trojan attacked clients of German and Austrian banks.\r\nWe closely monitored Emotet version 2.  In December 2014 it ceased activity and the command servers stopped\r\nresponding to infected computers.  
We recorded the last command sent from the command centers on 10/12/2014,\r\nat 11:33:43 Moscow time.\r\nHowever, the thoroughness with which the authors had approached the development of this Trojan and the high\r\nlevel of automation in its operation, left little doubt that this was not the end of the story.  And so it turned out –\r\nafter a short break in January 2015, Emotet reappeared!  We are calling this modification version 3 (the bot\r\ncontains and transfers the numbers one and 16 to the C\u0026C, which we assume means that the authors consider this\r\nvariant to be version 1.16).\r\nhttps://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/\r\nPage 1 of 22\n\nIn essence, Emotet version 3 is not that different to version 2 – the main differences are designed to make the\r\nTrojan less visible. Of the changes we noted, we would like to highlight the following:\r\nThe Trojan has a new built-in public RSA key and, although the communication protocols with the\r\ncommand center are identical for Emotet versions 2 and 3, if the old key is used the bot does not receive\r\nthe correct answer from the command center.\r\nThe ATS scripts are partially cleaned of debugging information and comments.\r\nNew targets! Emotet is now also targeting clients of Swiss banks.\r\nThere has been a slight change in the technology used to inject code into the address space of explorer.exe. \r\nVersion 2 used a classic model for code injection:\r\nOpenProcess+WriteProcessMemory+CreateRemoteThread. 
Version 3 uses only two stages of the previous\r\nmodel: OpenProcess+WriteProcessMemory; and the injected code is initiated with the help of modified\r\ncode of the ZwClose function in the address space of the explorer.exe process, which is also achieved using\r\nWriteProcessMemory.\r\nEmotet version 3 resists investigation: if the Trojan detects that it has been started in a virtual machine it\r\nfunctions as usual but uses a different address list for the command centers.  However, all these addresses\r\nare false and are used only to mislead investigators.\r\nThe Trojan contains very few text strings: all strings that could alert investigators are encrypted using RC4\r\nand are decrypted in allocated memory directly before use and deleted after use.\r\nOn the whole, we formed the impression that the main techniques used in version 3 of the banking Trojan were\r\ndeveloped “in the field” using version 2 as a basis, and with the addition of improved stealth techniques.\r\nKaspersky Lab products detect all versions of this Trojan as Trojan-Banker.Win32.Emotet.  We also detect the\r\nfollowing modules of Emotet:\r\nModule for modifying HTTP(S) traffic – Trojan-Banker.Win32.Emotet.\r\nSpam module – Trojan.Win32.Emospam.\r\nModule for the collection of email addresses – Trojan.Win32.Emograbber.\r\nModule for stealing email account data – Trojan-PSW.Win32.Emostealer.\r\nModule designed for organising DDoS attacks — Trojan.Win32.ServStart.\r\nWe have seen the last module used with other malware and assume that it was added to Emotet by a cryptor.  It is\r\nquite possible that Emotet’s authors are totally unaware of the presence of this module in their malware. 
\r\nWhatever the case may be, the command centers of this module do not respond and the module has not been\r\nupdated (its compilation date is 19 October 2014).\r\nInfection\r\nWe currently know of only one method of distribution for the Emotet banking Trojan: distribution of spam\r\nmailings that include malicious attachments or links.\r\nThe attached files are usually ZIP archives containing the Emotet loader.  The files in the archives have long\r\nnames, e.g. rechnung_november_2014_11_0029302375471_03_44_0039938289.exe.  This is done on purpose: a\r\nuser opening the archive in a standard Windows panel might not see the extension .exe, as the end of the file name\r\nmight not be displayed.  Sometimes there is no attachment and the text in the main body of the email contains a\r\nlink to a malicious executable file or archive.\r\nExamples of emails used to spread Emotet are given below.\r\nVersion 2 (link to malware):\r\nVersion 2 (attached archive):\r\nVersion 3 (link to malware):\r\nThe emails we found are almost identical to ones from well-known companies – for example Deutsche Telekom\r\nAG and DHL International GmbH.  
Even the images contained in the messages are loaded from the official\r\nservers telekom.de and dhl.com, respectively.\r\nWhen the email contains a link to malware, it downloads it from the addresses of compromised legitimate sites:\r\nhxxp://*******/82nBRaLiv (for version 2)\r\nor from the addresses\r\nhxxp://*******/dhl_paket_de_DE and hxxp://*******/dhl_paket_de_DE (for version 3).\r\nIn Emotet version 3, when addresses are contacted with the form hxxp://*/dhl_paket_de_DE, the user receives a\r\nZIP archive of the following form hxxp://*/dhl_paket_de_DE_26401756290104624513.zip.\r\nThe archive contains an exe-file with a long name (to hide the extension) and a PDF document icon.\r\nLoading the Trojan\r\nThe Trojan file is packed by a cryptor, the main purpose of which is to avoid detection by anti-virus programs. \r\nAfter being started and processed by the cryptor, control is passed to the main Emotet module – the loader.  This\r\nhas to embed itself in the system, link with the command server, download additional modules and then run them.\r\nEstablishing persistence in the system is fairly standard — Emotet version 2 saves itself in %APPDATA%\\Identities with a\r\nrandom name of eight characters (for example — wlyqvago.exe); adds itself to the autorun list\r\n(HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run) and then deletes its source file\r\nwith the help of a launched bat-file that is created in %APPDATA% with the name “ms[7_random_numbers].bat”.\r\nEmotet version 3 saves itself in %APPDATA%\\Microsoft\\ with a name in the format “msdb%x.exe” (for example –\r\nC:\\Documents and Settings\\Administrator\\Application Data\\Microsoft\\msdbfe1b033.exe); adds itself to the\r\nautorun list (HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run) and then deletes itself\r\nwith the help of a launched bat-file (which is created in %APPDATA%\\del%x.bat).\r\nAfter establishing persistence in the system, Emotet obtains a list of the names of all 
processes running and calculates\r\na hash from the name of every process, comparing the resulting value with the hardcoded 0xB316A779 (this\r\nhash corresponds to the process explorer.exe).  In this way, Emotet locates the process into which to inject itself. \r\nFurther, the Trojan unpacks its main code and injects it into the process explorer.exe.\r\nCommunication with the command center\r\nThe main module of the Trojan, the loader, communicates with the C\u0026C using RC4 encryption.\r\nThe port used by the loader is hardcoded into it – 8080.\r\nCommand center addresses\r\nThe IP addresses of Emotet’s command-and-control servers are hardcoded into the bot. There are several of these\r\n– one of the version 2 samples that we analyzed included 30 (note that 3 addresses on the list below belong to\r\nwell-known legitimate resources):\r\nhxxp://109.123.78.10\r\nhxxp://66.54.51.172\r\nhxxp://108.161.128.103\r\nhxxp://195.210.29.237\r\nhxxp://5.35.249.46\r\nhxxp://5.159.57.195\r\nhxxp://206.210.70.175\r\nhxxp://88.80.187.139\r\nhxxp://188.93.174.136\r\nhxxp://130.133.3.7\r\nhxxp://162.144.79.192\r\nhxxp://79.110.90.207\r\nhxxp://72.18.204.17\r\nhxxp://212.129.13.110\r\nhxxp://66.228.61.248\r\nhxxp://193.171.152.53\r\nhxxp://129.187.254.237\r\nhxxp://178.248.200.118\r\nhxxp://133.242.19.182\r\nhxxp://195.154.243.237\r\nhxxp://80.237.133.77\r\nhxxp://158.255.238.163\r\nhxxp://91.198.174.192\r\nhxxp://46.105.236.18\r\nhxxp://205.186.139.105\r\nhxxp://72.10.49.117\r\nhxxp://133.242.54.221\r\nhxxp://198.1.66.98\r\nhxxp://148.251.11.107\r\nhxxp://213.208.154.110\r\nIn the sample of version 3 we investigated there were 19 command 
centers:\r\nhxxp://192.163.245.236\r\nhxxp://88.80.189.50\r\nhxxp://185.46.55.88\r\nhxxp://173.255.248.34\r\nhxxp://104.219.55.50\r\nhxxp://200.159.128.19\r\nhxxp://198.23.78.98\r\nhxxp://70.32.92.133\r\nhxxp://192.163.253.154\r\nhxxp://192.138.21.214\r\nhxxp://106.187.103.213\r\nhxxp://162.144.80.214\r\nhxxp://128.199.214.100\r\nhxxp://69.167.152.111\r\nhxxp://46.214.107.142\r\nhxxp://195.154.176.172\r\nhxxp://106.186.17.24\r\nhxxp://74.207.247.144\r\nhxxp://209.250.6.60\r\nCommunication with the C\u0026C when run in a virtual machine\r\nEmotet version 3 contains another list of “command center” addresses, as given below:\r\nhxxp://142.34.138.90\r\nhxxp://74.217.254.29\r\nhxxp://212.48.85.224\r\nhxxp://167.216.129.13\r\nhxxp://91.194.151.38\r\nhxxp://162.42.207.58\r\nhxxp://104.28.17.67\r\nhxxp://8.247.6.134\r\nhxxp://5.9.189.24\r\nhxxp://78.129.213.41\r\nhxxp://184.86.225.91\r\nhxxp://107.189.160.196\r\nhxxp://88.208.193.123\r\nhxxp://50.56.135.44\r\nhxxp://184.106.3.194\r\nhxxp://185.31.17.144\r\nhxxp://67.19.105.107\r\nhxxp://218.185.224.231\r\nThe Trojan tries to contact these addresses if it detects that it is being run in a virtual machine.  But none of the\r\naddresses correspond to the bot’s command centers, and the bot is therefore unsuccessful in trying to establish\r\ncontact with them. This is probably done to confuse any investigators and give them the impression that the Trojan\r\ncommand centers are dead.  
A similar approach was used previously in the high-profile banking Trojan, Citadel.\r\nThe detection of a virtual machine is organized quite simply — by the names of processes that are usual for\r\nvarious virtual machines.  The following algorithm is used to calculate a hash value from the name of every\r\nprocess in the system:\r\nAlgorithm for calculation of a hash value from a process name\r\nThe resulting hash value is then compared with a list of values hardcoded into the Trojan:\r\nHashes from the names of processes used for the detection of virtual machines\r\nWe derived the names of the processes for several hashes. For example, hash 0xBCF398B5 corresponds to the\r\nprocess vboxservice.exe, hash 0x2C967737 to the process vmacthlp.exe, hash 0xE3EBFE44 to the process\r\nvmtoolsd.exe, and 0x61F15513 to the process vboxtray.exe.\r\nData transferred\r\nA request to the command center appears in the traffic as follows (the example given is from version 2, but a\r\nversion 3 request looks the same):\r\nDialogue between the Emotet bot and its command center\r\nThe URL-path that the bot communicates with appears as follows: /722ffc5e/355c7a0a/, where 722ffc5e is a\r\nnumber calculated on the basis of information from the access token of the user, and 0x355c7a0a = 0x722ffc5e\r\nxor 0x47738654 (the value 0x47738654 is hardcoded into the bot).\r\nThe data sent by the bot and the command center are encrypted using RC4 and the answers received from the\r\ncommand center are signed with a digital signature.  
Probably this is done to make it difficult to seize control over\r\nthe botnet: in order for the bot to accept a packet it must be signed and for that it is necessary to know the secret\r\nkey.\r\nThere is a public RSA key in the body of the bot. In PEM format for version 2 it appears as follows:\r\nPEM representation of the public RSA key coded into the bot in version 2\r\nAs noted above, in version 3 the key changed.  In PEM format it looks like this:\r\nPEM representation of the public RSA key coded into the bot in version 3\r\nA packet sent to the server is made up as follows:\r\n1. A request is generated containing the identifier of the infected computer, a value presumably indicating the\r\nversion of the bot; information about the system (OS version, service pack version, product type); a\r\nhardcoded dword (value in the investigated sample — seven); checksums for the banker module; and\r\ninformation about the web-injects.  
Information about the web-injects contains: a page address (with\r\nwildcards), into which the injection is needed; data coming before the injected data; data coming after injected\r\ndata; and injected data.\r\n2. An SHA1 hash is calculated from the generated request.\r\n3. The request is encrypted with a randomly generated 128 bit RC4 key.\r\n4. The generated RC4 key is encrypted using the public RSA key.\r\n5. The total packet is the concatenation of the results obtained at steps 4, 2 and 3.\r\nThe request packet can be represented by the following diagram:\r\nStructure of a request from the bot to the server\r\nIn response the server sends a packet with the following structure:\r\nStructure of the server’s answer to the bot\r\nThe answer can contain information about the Emotet web-injects, Emotet modules and links for loading external\r\nmodules (for example a spam bot or an updated loader).\r\nModules\r\nLike most modern banking Trojans, Emotet has a modular structure.  
To date we have detected the following\r\nmodules:\r\nName | Description | Method of delivery to infected system\r\nloader | loader | In spam emails or by downloading via a link from a compromised site (for updates).\r\nnitol-like-ddos-module | DDoS-bot | In spam emails or by downloading via a link from a compromised site (for updates).\r\nmss | Spam module | Downloaded from compromised sites by the loader module.\r\nemail_accounts_grabber | Email account grabber, uses Mail PassView – a legitimate program designed for recovering forgotten passwords and mail accounts | Received by the loader module in the answer packet from the command center.\r\nbanker | Module for modifying HTTP(S)-traffic | Received by the loader module in the answer packet from the command center.\r\noutlook_grabber | Outlook address book grabber | Received by the loader module in the answer packet from the command center.\r\nSeveral modules can work independently of the loader module, as they don’t need to import anything from it.\r\nThe whole arrangement of the bot is evidence of a high level of automation: new email addresses are collected\r\nautomatically from the victims’ address books, spam with the Emotet loader is sent automatically, and money is\r\ntransferred automatically from the user.  Operator participation is kept to a minimum.\r\nAs an example, here is the report of the outlook_grabber module sent to the attacker (from Emotet version 2) with\r\na stolen Outlook address book:\r\nA stolen Outlook address book, transferred to the criminals’ server\r\nOne positive note is that when trying to contact one of the attackers’ servers an answer is obtained containing “X-Sinkhole: Malware sinkhole”, meaning that the stolen data will not reach the criminals — this domain, which is\r\nused by Emotet version 2, is no longer controlled by the authors of the Trojan.\r\nHowever, for version 3 things are different.  
This is how the report of the email_accounts_grabber module appears\r\nfor Emotet version 3:\r\nReport containing data about the user’s email accounts\r\nIt is clear that the server answers “200 OK”. This means that the criminals have successfully received the data.\r\nStand and Deliver!\r\nInformation about the data for injection into the page that is received by Emotet after unpacking appears as\r\nfollows:\r\nDecrypted data on the web-injects of Emotet version 2\r\nDecrypted data in the web-injects of Emotet version 3\r\nThe significant difference in data on injects between the two versions is as follows: Emotet version 3 is\r\naimed at the clients of Swiss credit organizations.  To date we have not seen scripts for the automatic stealing of\r\nmoney from clients’ accounts in these credit organizations but we are certain that such scripts will be written soon.\r\nAlthough individual fragments of HTML code in the decrypted packet can be read easily, understanding the rules\r\nfor use of the web-injects from the deciphered data is difficult.  Below, in JSON format, several web-inject rules\r\nare given for one target — the site of a German bank (Emotet version 2).\r\nThe web-inject rules for the site of a German bank (Emotet version 2)\r\nThe use of this web-inject leads to the creation of a new element of type ‘div’, which will have the size of the\r\nwhole visible page, and to the addition of a new script in the HTML document.  
In the example given the script is\r\nloaded from the address hxxps://*******.eu/birten/luck.php?lnk=js\u0026id=44.\r\nAnd an analogous view of several inject rules for a new target — the site of a large Austrian bank (Emotet version\r\n3).\r\nThe web-inject rules for the site of an Austrian bank (Emotet version 3)\r\nIt is clear that the configuration file with the web-injects has a classic structure, using fields conventionally called\r\ndata_before, data_after and data_inject.\r\nIt should be noted that the address of the host on which the file luck.php (for version 2) and a_00.php (for version\r\n3) is located is changed frequently.  The rest of the address of the script is constant.\r\nIf the investigator tries to request the script directly, only an error message is received.  However, in a real attack when the\r\nline\r\nis added to the real bank page, the script loads successfully.\r\nThis happens because the criminals’ server checks the “Referer” field of the header of the HTTP request and sends\r\nthe script only if the request came from a page of one of the banks attacked by Emotet.\r\nHaving supplied the necessary Referer one can easily obtain the script code.\r\nAt Kaspersky Lab we obtained scripts designed for injection into the pages of the attacked banks.\r\nTable 1.  Targets of Emotet version 2, types of attacks and the identification numbers of scripts loaded for carrying\r\nout these attacks.\r\nTable 2. 
Targets of Emotet version 3, types of attacks and the identification numbers of scripts loaded for carrying\r\nout these attacks.\r\nIn one of the scripts of Emotet version 2 that was used to attack a German bank the comments contain the\r\nfollowing line:\r\nArtifact from the script for an attack on a German bank (Emotet version 2)\r\nClearly the script developers speak Russian.\r\nGetting round two-factor authentication\r\nThe main purpose of the scripts looked at above is to carry out the illicit transfer of money from the user’s\r\naccount.  However the bot cannot independently get round the system of two-factor authentication (Chip TAN or\r\nSMS TAN), it needs the user’s help.  To mislead the potential victim, social engineering techniques are used: the\r\nmessage injected into the webpage using the script informs the user that the site is introducing a new security\r\nsystem and normal operations cannot be continued until the user has tested it in demo mode.\r\nFalse message about new security system\r\nThis is followed by a request to enter real data from the Chip TAN or SMS TAN to carry out a “test transfer”:\r\nAnd finally – congratulations that the task has been completed successfully:\r\nIn fact, instead of a test transfer the malicious script carries out a real transfer of money from the victim’s account\r\nto the account of a nominated person — the so-called “drop”, and the user themselves confirms this transfer using\r\nthe Chip TAN or SMS TAN.\r\nDetails of the accounts for the transfer of the stolen money are not initially indicated in the script, but are received\r\nfrom the command server of the 
criminals using a special request.  In reply the command server returns a line with\r\ninformation about the “drop” for each specific transaction.  In the comments in one script we found the following\r\nline:\r\nClearly the criminals tested this script with a transfer of 1500.9 EUR to a test account.\r\nIn addition, this script contained the following information about the drop:\r\nIn the corresponding script in Emotet version 3, designed to attack the same bank, we also found information on\r\nthe drop, but this time another one:\r\nLet’s compare the fields of the __DropParam JSON and the fields in the legitimate form from a demo-access to the\r\nonline system of the attacked bank.\r\nOnline banking form for transfer of money within Germany or in the SEPA zone\r\nTable 3. Relationship between the drop data and the fields in the form for transfer of money and explanations of\r\nthese fields\r\nName of field in the __DropParam JSON | Name of corresponding field in the form | Translation | Field contents\r\nname | Empfängername | Name of recipient | Real name of drop who will receive the stolen money\r\nibanorkonto | IBAN/Konto-Nr. | International bank account number/account number | Account number, international or local, to which money will be transferred\r\nbicorblz | BIC/BLZ | BIC or BLZ code | International bank identification code or identification code used by German and Austrian banks (Bankleitzahl)\r\ndescription | Verwendungszweck | Purpose | Purpose of payment\r\namount | Betrag | Amount | Transferred amount\r\nThe JSON __DropParam fields correspond to the fields in the form.\r\nIn this way the bot receives all the necessary information about the drop from its server and draws up a transfer to\r\nit, and the misled 
user confirms the transfer using the Chip TAN or SMS TAN and waves goodbye to their money. \r\nConclusion\r\nThe Emotet Trojan is a highly automated and developing, regionally targeted banking threat. Its small size, the\r\ndistribution methods used and the modular architecture, all make Emotet a very effective weapon for the cyber-criminal.\r\nHowever this banking Trojan doesn’t incorporate conceptually new technology and so the use of a modern anti-virus program can provide an effective defense against the threat.\r\nFurthermore, the Trojan cannot function effectively without the participation of the user — the Emotet creators\r\nhave actively used social engineering techniques to achieve their criminal ends.\r\nAnd so the alertness and technical awareness of the user, together with the use of a modern anti-virus program can\r\nprovide reliable protection against not only Emotet but other new banking threats working in a similar way.\r\nSome MD5 hashes\r\nEmotet version 2:\r\n7c401bde8cafc5b745b9f65effbd588f\r\n34c10ae0b87e3202fea252e25746c32d\r\n9ab7b38da6eee714680adda3fdb08eb6\r\nae5fa7fa02e7a29e1b54f407b33108e7\r\n1d4d5a1a66572955ad9e01bee0203c99\r\ncdb4be5d62e049b6314058a8a27e975d\r\n642a9becd99538738d6e0a7ebfbf2ef6\r\naca8bdbd8e79201892f8b46a3005744b\r\n9b011c8f47d228d12160ca7cd6ca9c1f\r\n6358fae78681a21dd26f63e8ac6148cc\r\nac49e85de3fced88e3e4ef78af173b37\r\nc0f8b2e3f1989b93f749d8486ce6f609\r\n1561359c46a2df408f9860b162e7e13b\r\na8ca1089d442543933456931240e6d45\r\nEmotet version 
3:\r\n177ae9a7fc02130009762858ad182678\r\n1a6fe1312339e26eb5f7444b89275ebf\r\n257e82d6c0991d8bd2d6c8eee4c672c7\r\n3855724146ff9cf8b9bbda26b828ff05\r\n3bac5797afd28ac715605fa9e7306333\r\n3d28b10bcf3999a1b317102109644bf1\r\n4e2eb67aa36bd3da832e802cd5bdf8bc\r\n4f81a713114c4180aeac8a6b082cee4d\r\n52f05ee28bcfec95577d154c62d40100\r\n772559c590cff62587c08a4a766744a7\r\n806489b327e0f016fb1d509ae984f760\r\n876a6a5252e0fc5c81cc852d5b167f2b\r\n94fa5551d26c60a3ce9a10310c765a89\r\nA5a86d5275fa2ccf8a55233959bc0274\r\nb43afd499eb90cee778c22969f656cd2\r\nb93a6ee991a9097dd8992efcacb3b2f7\r\nddd7cdbc60bd0cdf4c6d41329b43b4ce\r\ne01954ac6d0009790c66b943e911063e\r\ne49c549b95dbd8ebc0930ad3f147a4b9\r\nea804a986c02d734ad38ed0cb4d157a7\r\nThe author would like to express his thanks to Vladimir Kuskov, Oleg Kupreev and Yury Namestnikov for their\r\nassistance in the preparation of this article.\r\nSource: https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/"
	],
	"report_names": [
		"the-banking-trojan-emotet-detailed-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434614,
	"ts_updated_at": 1775826759,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8c6de7cc5e3ea338a5a1d365925c2d3d8f10eda6.pdf",
		"text": "https://archive.orkl.eu/8c6de7cc5e3ea338a5a1d365925c2d3d8f10eda6.txt",
		"img": "https://archive.orkl.eu/8c6de7cc5e3ea338a5a1d365925c2d3d8f10eda6.jpg"
	}
}