{
	"id": "c29d9ad6-36be-4f83-82f3-4c501944a562",
	"created_at": "2026-04-06T00:22:31.981363Z",
	"updated_at": "2026-04-10T03:21:15.062228Z",
	"deleted_at": null,
	"sha1_hash": "8dc2ad538d0db27a3f94b43822801b59ceeb6047",
	"title": "Evolution of Emotet: From Banking Trojan to Malware Distributor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 384437,
	"plain_text": "Evolution of Emotet: From Banking Trojan to Malware\r\nDistributor\r\nBy The Hacker News\r\nPublished: 2020-11-19 · Archived: 2026-04-05 18:46:20 UTC\r\nEmotet is one of the most dangerous and widespread malware threats active today.\r\nEver since its discovery in 2014, when Emotet was a standard credential stealer and banking Trojan, the malware\r\nhas evolved into a modular, polymorphic platform for distributing other kinds of malicious programs.\r\nBeing constantly under development, Emotet updates itself regularly to improve stealthiness and persistence and to add\r\nnew spying capabilities.\r\nThis notorious Trojan is one of the malicious programs most frequently found in the wild. Usually it is part of a\r\nphishing attack: email spam that infects PCs with malware, which then spreads to other computers in the network.\r\nIf you'd like to find out more about the malware, collect IOCs, and get fresh samples, check the following article\r\nin the Malware trends tracker, the service with dynamic articles.\r\nEmotet has been the most uploaded malware throughout the past few years. Below is the ranking of uploads to the\r\nANY.RUN service in 2019, where users ran over 36000 interactive sessions of Emotet malware analysis online.\r\nhttps://thehackernews.com/2020/11/anyrun-emotet-malware-analysis.html\r\nPage 1 of 8\n\nThe malware has changed a lot over time, and with every new version it becomes more and more threatening for\r\nvictims. Let's have a closer look at how it evolved.\r\nWhen it was just like any other standard banking Trojan, the malware's main goal was to steal small companies'\r\ncredentials, mainly in Germany and Austria. 
By faking invoices or other financial documents, it made users click\r\non the links and let the malware in.\r\nLater that year, it acquired a diverse modular architecture whose primary focuses were downloading a malware\r\npayload, spreading onto as many machines as possible, and sending malicious emails to infect other organizations.\r\nIn early 2015, after a short break, Emotet showed up again. A public RSA key, new address lists, and RC4 encryption\r\nwere among the Trojan's new features. From this point the range of victims started to grow, with Swiss banks\r\nadded to the list. Overall, evasion techniques were improved a lot.\r\nIn recent versions, a significant change in strategy has happened. Emotet has turned into polymorphic\r\nmalware, downloading other malicious programs to the infected computer and to the whole network as well. It steals\r\ndata, adapts to various detection systems, and rents out the infected hosts to other cybercriminals in a Malware-as-a-Service model.\r\nSince Emotet uses stolen emails to gain victims' trust, spam has consistently remained its primary delivery\r\nmethod, making it convincing, highly successful, and dangerous.\r\nFor example, in 2018 the government systems of Allentown, a city in eastern\r\nPennsylvania, suffered an Emotet infection that cost the city $1 million in recovery.\r\nThe whole city of Frankfurt had to shut down its network because of Emotet in 2019. Organizations of every kind,\r\nfrom government to small businesses, and all public services were forced to stop their IT-dependent work.\r\nAccording to the latest research, Emotet is a worldwide threat that affects all kinds of sectors. 
As the following\r\nmap shows, Italy, Spain, and the United Arab Emirates are the top countries by number of attacked users.\r\nRecently, cybersecurity companies in France, Japan, and New Zealand have announced a rise in Emotet attacks\r\ntargeting their countries.\r\nEmotet then and now\r\nThe graph of Emotet samples uploaded to the ANY.RUN service shows the behavior of the\r\nmalware in 2019 and 2020.\r\nWe can notice some similarities in its activity. For example, in June Emotet tends to be on the decline. However,\r\nit shows an increasing trend from August till October. In 2019 the end of the year was very active for this\r\nkind of attack, so we can expect it to be on the rise this year as well.\r\nEmotet has remained a threat for years because it changes constantly. Early versions differ from the current one even\r\nin their purpose: Emotet has developed from a banking Trojan into a loader. When it comes to the evolution of\r\nexecution chains and document templates, we will describe only versions that came after 2018. There were changes even\r\nover these two years, but the one thing that remains unchanged is delivery.\r\nFor distribution and user execution, Emotet uses malicious spam and documents with VBA macros. After a\r\ntarget downloads the attached malicious document from an email and opens it, the Office document tricks the\r\nuser into enabling macros. The embedded macro then starts executing, and what happens next may\r\nvary. The most common variant over the past years is that the macro starts a Base64-encoded PowerShell script that\r\nthen downloads an executable. But at this point, Emotet uses many different execution chains.\r\nMany variants exist for the initial steps after a maldoc is opened. 
The VBA macro in\r\nOffice documents can start cmd, PowerShell, or WScript, and recently, for the first time, certutil was used in\r\nEmotet's execution chain.\r\nOther changes in the execution process happened in the chain between the malicious documents and the\r\ndropped/downloaded executable files.\r\nNot only has the execution chain transformed over time, but so has Emotet's executable file itself: the registry\r\nkeys, files, and child processes it creates. For example, in 2018 and 2019, Emotet dropped its\r\nexecutable in a folder under a particular path and generated the file name and the folder name using a\r\nparticular algorithm.\r\nIt later changed the file name generation algorithm, the process tree, and the path generation algorithm for C2 communication.\r\nAnother big characteristic of this malware family is the maldoc templates it uses. They are continually\r\nchanging, and most of the time Emotet uses its own. But among them can also be found templates that\r\nwere previously used to distribute other malware families such as Valak and IcedID.\r\nEmotet from ANY.RUN's perspective\r\nOf course, the main challenge with Emotet is to find a way to identify it and understand its behavior, so that\r\nyou can then fix the weak points in your security.\r\nThere is a tool that can give you a hand with that. ANY.RUN is an interactive online sandbox that detects,\r\nanalyzes, and monitors cybersecurity threats, which is essential if you deal with Emotet.\r\nMoreover, ANY.RUN has a special tool for researching public submissions. It's a vast database where users\r\nshare their investigations. And quite often, Emotet becomes the \"hero\" of the day: it holds a leading position among the\r\nsamples most often uploaded to ANY.RUN. 
That's why ANY.RUN's experience with the malware is worth sharing.\r\nThe first step in protecting your infrastructure from an Emotet infection is detecting the malware. The ANY.RUN\r\nsandbox has outstanding tools for Emotet detection and analysis.\r\nThe online service deals with Emotet regularly. So, let's try the interactive approach to Emotet detection and\r\ninvestigate one of the samples together:\r\nHere is a malicious attachment from a phishing email that we uploaded to ANY.RUN; the\r\nfirst results appear immediately. The process tree on the right reflects all operations that were performed.\r\nAs shown, the first process starts creating new files in the user directory. Then POwersheLL.exe connects to the\r\nnetwork and downloads executable files from the Internet. The last one, winhttp.exe, changes the autorun value in\r\nthe registry and connects to the command-and-control server, both to retrieve instructions for subsequent\r\nmalicious activities and to exfiltrate stolen data.\r\nAnd finally, Emotet was detected by its network activity. Fresh Suricata rulesets from premium providers such as\r\nProofpoint (Emerging Threats) and Positive Technologies are a big part of the detection process.\r\nIn addition, ANY.RUN offers a useful Fake Net feature. When turned on, it returns a 404 error that forces the malware\r\nto reveal its C2 links, which helps collect Emotet's IOCs more efficiently. That saves malware analysts\r\ntime, as there is no need to deobfuscate the sample manually.\r\nInterestingly, a set of malicious documents with the same template can have different embedded VBA macros, leading to\r\ndifferent execution chains. 
All of them share the main goal of tricking the user who opened the maldoc into\r\nenabling the VBA macro.\r\nIf you'd like to take a look at all of those templates, just search by the tag \"emotet-doc\" in ANY.RUN's public\r\nsubmissions; these maldocs are clustered by content similarity.\r\nConclusion\r\nThis trend proves that Emotet isn't going to give up or lose ground. Its evolution shows that the\r\nmalware develops very quickly and adapts to everything.\r\nIf your enterprise is connected to the Internet, the risks may be broader and deeper than you realize. That's why\r\ncombating sophisticated threats like Emotet requires a concerted effort from both individuals and\r\norganizations.\r\nMoreover, the goal of services like ANY.RUN is to be aware of such potential threats and help companies\r\nrecognize malware early and avoid infections at any cost.\r\nAnalysis and detection with ANY.RUN is easy, and anyone can analyze a bunch of fresh samples every day.\r\nWhat's more, the service is free to use and to download samples from, so there is no doubt you can make use of\r\nANY.RUN. Just give it a try!\r\nThis article is a contributed piece from one of our valued partners.\r\nSource: https://thehackernews.com/2020/11/anyrun-emotet-malware-analysis.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://thehackernews.com/2020/11/anyrun-emotet-malware-analysis.html"
	],
	"report_names": [
		"anyrun-emotet-malware-analysis.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434951,
	"ts_updated_at": 1775791275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8dc2ad538d0db27a3f94b43822801b59ceeb6047.pdf",
		"text": "https://archive.orkl.eu/8dc2ad538d0db27a3f94b43822801b59ceeb6047.txt",
		"img": "https://archive.orkl.eu/8dc2ad538d0db27a3f94b43822801b59ceeb6047.jpg"
	}
}