{
	"id": "2a551a44-1454-4608-a3cf-04360f4e0737",
	"created_at": "2026-04-06T00:08:40.72965Z",
	"updated_at": "2026-04-10T03:21:11.456621Z",
	"deleted_at": null,
	"sha1_hash": "a7e78a343c4f9175272cebde6eaffa403de9dcb2",
	"title": "Deep Analysis of New Emotet Variant – Part 2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4092444,
	"plain_text": "Deep Analysis of New Emotet Variant – Part 2\r\nBy Xiaopeng Zhang\r\nPublished: 2017-05-09 · Archived: 2026-04-05 15:54:26 UTC\r\nBackground\r\nThis is the second part of FortiGuard Labs’ deep analysis of the new Emotet variant. In the first part of the\r\nanalysis we demonstrated that by bypassing the server-side Anti-Debug or Anti-Analysis technique we could\r\ndownload three or four modules (.dll files) from the C\u0026C server. In that first blog we only analyzed one module (I\r\nnamed it ‘module2’). In this blog, we’ll review how the other modules work. Here we go.\r\nStealing email addresses from MS Outlook PST files\r\nAs I detailed in Part 1 of this blog, the first module we’re looking at here (I’ve named it ‘module1’) is loaded in a\r\nThreadFunction, whose main function is to go through all Outlook accounts by reading the PST files. A PST file is\r\na personal folder file in Microsoft Outlook that stores your email messages, calendar, tasks, and other items. PST\r\nfiles are usually located in the “Documents\\Outlook Files” folder on your computer. See Figure 1.\r\nFigure 1. PST files\r\nMicrosoft has provided a group of APIs called MAPI (Microsoft Outlook Messaging API), which is the messaging\r\narchitecture for Microsoft Outlook. Using the MAPIs you can operate PST files.  The MAPIs are used in the\r\nmodule1 file.\r\nOnce module1 file is executed it creates a temporary file that is used to store the stolen Outlook version\r\ninformation and email addresses that have been collected.  Loading MAPI functions is the next step. Figure 2\r\nhttps://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html\r\nPage 1 of 10\n\nshows how, along with what it loads.\r\nFigure 2. Loading MAPI functions\r\nIt then starts reading all PST files according to the Outlook accounts on the computer, going through all email\r\nmessages with an unread status in every folder (Inbox, Deleted Items, Junk E-mail, Sent Items, etc.) under one\r\nemail account. It steals the sender name and the email address from each unread email. Figure 3 shows a sample\r\nunread email about a Facebook notification that was sent to me.\r\nhttps://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html\r\nPage 2 of 10\n\nFigure 3. Sample unread email message\r\nFigure 4 shows what module1 has stolen from the unread email message shown in Figure 3. “Facebook” is the\r\nsender name, and “notification+kr4yxeragnmn@facebookmail.com” is the sender’s email address.\r\nFigure 4. The stolen email information in the memory buffer\r\nAs I mentioned before, the stolen data is saved in a temporary file. In this case, it’s “AE74.tmp.” It will be read\r\nwhen module1 prepares to encrypt and send the stolen information to its C\u0026C server. Figure 5 shows the data\r\nbefore encryption, which is read from “AE74.tmp.”\r\nhttps://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html\r\nPage 3 of 10\n\nFigure 5. Data before encryption\r\nAs you can see, it contains the Outlook version and stolen email information. Once encrypted, the data will be\r\nsent to the C\u0026C server through a “POST” request. Figure 6 is the packet screenshot from WireShark.\r\nhttps://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html\r\nPage 4 of 10\n\nFigure 6. Sending the encrypted data to the C\u0026C server\r\nSending spam using the C\u0026C server template\r\nThis is the largest Emotet module (I have named it ‘module4’) of the malware’s four modules. Its main function is\r\nto send spam to the email addresses which were stolen and sent to the C\u0026C server. When it is executed in a thread\r\nit generates a GUID by calling the CoCreateGuid function. It then base64-encodes the GUID and sends it as a\r\ncookie to the C\u0026C server. The response provides the encrypted spam message, as well as the  email addresses that\r\nthe spam will be sent to. The two figures below show the packet from the C\u0026C server, as well as the content after\r\ndecryption.\r\nhttps://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html\r\nPage 5 of 10\n\nFigure 7. Sent GUID and response from the C\u0026C server\r\nFigure 8. Decrypted spam template and email addresses\r\nhttps://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html\r\nPage 6 of 10\n\nOnce module4 receives the decrypted data, it reads out the spam template and the email addresses the spam\r\nmessage is being sent to. In module4, it supports SMTP protocol over both port 25 (regular) and port 587 (SSL).\r\nThe figures below show how it uses the SMTP protocol to spread this spam, and what the spam looks like in an\r\nemail client.\r\nFigure 9. Related code and data generating SMTP packets\r\nhttps://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html\r\nPage 7 of 10\n\nFigure 10. Spam shown in Wireshark\r\nFigure 11. Spam shown in email client\r\nAs you can see in Figure 11, the spam attempts to trick the email recipients into opening a URL, that points to a\r\nmalicious Word file. Figure 12 shows its Antivirus detection rating on VirusTotal.\r\nhttps://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html\r\nPage 8 of 10\n\nFigure 12. Antivirus detection rate on VirusTotal\r\nConclusion\r\nFrom this deep analysis of the new Emotet variant we can see that it focuses on stealing email-related data from a\r\nvictim’s device, and then uses that device and the email addresses it has collected from it to send spam that can\r\nspread other malware.\r\nNOTE: at the end of my analysis, I noticed that the Anti-Debug technique on the server side sometimes worked,\r\nand sometimes didn’t.\r\nThe URL attached to the spam generated by this malware has been detected as Malicious Websites by the\r\nFortiGuard Webfilter service, and the downloaded Word file has been detected as WM/Agent.DEA!tr.dldr by the\r\nFortiGuard Antivirus service.\r\nSummary of the four Received Modules\r\nModule1 (size 1c000H): steals email addresses and the recipients’ names from Outlook PST files.\r\nhttps://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html\r\nPage 9 of 10\n\nModule2 (size 32000h): steals credentials from installed Office Outlook, IncrediMail, Group Mail, MSN\r\nMessenger, Mozilla ThunderBird, etc. The analysis of this module was provided in the first blog.\r\nModule3 (size 70000h): steals saved information in browsers. Since it’s simple, I chose to not provide any\r\nanalysis.\r\nModule4 (size 0F0000h): sends spams to spread other malware.\r\nIoC\r\nURL:\r\n\"hxxp:// hand-ip.com/Cust-Document-5777177439/\"\r\nSample SHA256:\r\nORDER.-Document-7023299286.doc\r\nD8CFE351DAA5276A277664630F18FE1E61351CBF3B0A17B6A8EF725263C0CAB4\r\nReference\r\nhttps://support.office.com/en-us/article/Introduction-to-Outlook-Data-Files-pst-and-ost-6d4197ec-1304-4b81-\r\na17d-66d4eef30b78\r\nhttps://support.microsoft.com/en-us/help/287070/how-to-manage-.pst-files-in-microsoft-outlook\r\nhttps://msdn.microsoft.com/en-us/library/office/cc765775(v=office.14).aspx\r\nSource: https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html\r\nhttps://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html\r\nPage 10 of 10\n\n https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html  \nFigure 7. Sent GUID and response from the C\u0026C server\nFigure 8. Decrypted spam template and email addresses \n   Page 6 of 10",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html"
	],
	"report_names": [
		"deep-analysis-of-new-emotet-variant-part-2.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434120,
	"ts_updated_at": 1775791271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a7e78a343c4f9175272cebde6eaffa403de9dcb2.pdf",
		"text": "https://archive.orkl.eu/a7e78a343c4f9175272cebde6eaffa403de9dcb2.txt",
		"img": "https://archive.orkl.eu/a7e78a343c4f9175272cebde6eaffa403de9dcb2.jpg"
	}
}