{
	"id": "188a3063-c021-4094-bec2-d25103b34efb",
	"created_at": "2026-04-06T00:21:34.889818Z",
	"updated_at": "2026-04-10T03:23:51.23096Z",
	"deleted_at": null,
	"sha1_hash": "b33339b4a0646ede4b2d40968ac2d61e3e64b6a8",
	"title": "From A to X analyzing some real cases which used recent Emotet samples - VinCSS Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 266888,
	"plain_text": "From A to X analyzing some real cases which used recent Emotet\r\nsamples - VinCSS Blog\r\nBy Yến Hứa\r\nPublished: 2021-05-12 · Archived: 2026-04-05 19:39:15 UTC\r\nTable of Contents\r\n1. Introduction\r\n2. Type of infection\r\n3. Document template and VBA code\r\n3.1. Sample 1\r\n3.2. Sample 2\r\n3.3. Sample 3\r\n4. Loader payload\r\n4.1. Execution flow of loaders\r\n4.2. Technical analysis of the loader\r\n4.2.1. Sample 1 and 2\r\n4.2.2. Sample 3\r\n5. Some techniques used in the main payload\r\n5.1. Control Flow Flattening\r\n5.2. Dynamic modules resolve\r\n5.3. Dynamic APIs resolve\r\n5.4. Decrypt strings\r\n5.5. List of C2 (IP \u0026 Port)\r\n5.6. RSA Public Key\r\n5.7. Enumerating running processes\r\n6. Conclusion\r\n7. References / Further Reading\r\n1. Introduction\r\nEmotet (also known as Heodo, Geodo) is one of the most dangerous Trojans today. Through mass email spam campaigns, it targets mostly companies and organizations to steal sensitive information from victims. Recent records show that Emotet is often used as a downloader for other malware, and is an especially popular delivery mechanism for banking Trojans such as Qakbot and TrickBot; infections also lead to ransomware attacks using Ryuk.\r\nANY.RUN’s annual report pointed out that the most active malware in 2020 was Emotet.\r\nhttps://blog.vincss.net/re019-from-a-to-x-analyzing-some-real-cases-which-used-recent-emotet-samples/\r\nPage 1 of 24\n\nFig 1. 
Statistics of top threats by uploads for 2020\r\nIn this article, we analyze in detail the full attack flow of some real cases of recent Emotet samples that were discovered and handled by us while providing cyber security services to our customers:\r\n• Sample 1:\r\nDocument template: b836b13821f36bd9266f47838d3e853e\r\nLoader binary: 442506cc577786006da7073c0240ff59\r\n• Sample 2:\r\nDocument template: 7dbd8ecfada1d39a81a58c9468b91039\r\nLoader binary: e87553aebac0bf74d165a87321c629be\r\n• Sample 3:\r\nDocument template: d5ca36c0deca5d71c71ce330c72c76aa\r\nLoader binary: 825b74dfdb58b39a1aa9847ee6470979\r\n2. Type of infection\r\nThe main distribution method of Emotet is malicious email campaigns using infected attachments as well as embedded URLs. These emails may appear to come from trusted sources, because the sender’s email account was taken over. This technique helps trick users into downloading the Trojan onto their machine. Some illustrations of emails spreading Emotet:\r\nFig 2. Examples of malicious emails with attachment\r\n3. Document template and VBA code\r\nEmotet templates are constantly changing; the attackers’ final goal in leveraging templates is to trick the victims into enabling macros to start the infection.\r\n3.1. Sample 1\r\nDocument template:\r\nFig 3. Sample 1’s document template\r\nThis sample still acts in the usual way:\r\nExecute VBA code when opening the document through Sub Document_open().\r\nVBA code spawns powershell to execute a Base64-encoded script.\r\nFig 4. VBA code spawns powershell to execute script\r\nThe powershell script after decoding and deobfuscating usually looks like the image below. 
It will download the payload, which is an exe file, and execute it:\r\nFig 5. Powershell script downloads payload from the C2 list for execution\r\n3.2. Sample 2\r\nDocument template:\r\nFig 6. Sample 2’s document template\r\nThis template also uses VBA, but there are some differences from Sample 1:\r\nVBA code is executed after closing the document through Sub Document_Close().\r\nInstead of using powershell, this sample spawns certutil.exe to decode the Base64-encoded payload and then calls rundll32 to execute the decoded payload. The payload and related information are hidden in the document in white font.\r\nFig 7. VBA code uses certutil for decoding payload and calls rundll32 to load payload\r\nDecoding the Base64 content yields VideoDownload.dll; this file has an exported function named In, which is executed with the help of rundll32.exe.\r\nFig 8. Decoded payload is a DLL\r\nFig 9. The exported function of the DLL\r\nThere is an embedded PE file in the resource section of the above DLL. The resource data is encoded.\r\nFig 10. DLL has a PE file that has been encoded\r\nWhen executed, the DLL’s code loads the content of a porn site, then retrieves the link of an .mp4 file (a leaked sex clip of a Vietnamese public figure that was a hot keyword at the time). It reads bytes from the mp4 and, in a loop, uses the read bytes as the XOR key to decode the above resource into the complete PE file. Then it saves the decoded file to %temp%/tmp_e473b4.exe and executes this payload. Note that the XOR key is never stored in the document or in the DLL: it is fetched at runtime from a third-party site, so static analysis of the DLL alone cannot recover the payload once that remote file is gone (Fig 11).\r\n
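The resource decoding step of Sample 2, as an added example that is not code from the VinCSS post. It models the DLL as described above: bytes from a file fetched at runtime act as an XOR key over the encoded resource, and the result is checked for a DOS/PE header before it would be written out. The key-indexing rule (key[i % len(key)]), the sample key bytes and the fake PE image are all constructed assumptions; the post only states that the bytes read from the mp4 are used as xor_key inside a loop.

```python
# Added example, not code from the VinCSS post: models the Sample 2 DLL's
# resource decoding. Bytes fetched at runtime from a remote .mp4 serve as a
# repeating XOR key over an encoded PE resource. ASSUMPTION: key byte i of the
# stream is key[i % len(key)]; the post only says the read bytes are the
# xor_key inside a loop. Key bytes and the PE image below are constructed.
from itertools import cycle

# Known plaintext for the key-recovery step: the DOS magic plus the next ten
# header bytes, which are zero in the constructed image (a real sample would
# use the standard DOS stub bytes instead).
DOS_HEADER_PREFIX = b'MZ' + bytes(10)


def build_fake_pe() -> bytes:
    # Constructed stand-in for the embedded payload: a DOS header whose
    # e_lfanew field (offset 0x3C) points at a PE signature at 0x80, then
    # filler. It is not a runnable executable.
    hdr = bytearray(0x80)
    hdr[0:2] = b'MZ'
    hdr[0x3C:0x40] = (0x80).to_bytes(4, 'little')
    return bytes(hdr) + b'PE' + bytes(2) + bytes(0x100)


def xor_decode(resource: bytes, key: bytes) -> bytes:
    # Repeating-key XOR. XOR is its own inverse, so the same call encodes.
    if not key:
        raise ValueError('empty key')
    return bytes(b ^ k for b, k in zip(resource, cycle(key)))


def looks_like_pe(blob: bytes) -> bool:
    # Sanity check an analyst applies after decoding: DOS magic present and
    # e_lfanew points at a PE signature inside the buffer.
    if len(blob) < 0x40 or blob[:2] != b'MZ':
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], 'little')
    return blob[e_lfanew:e_lfanew + 4] == b'PE' + bytes(2)


def recover_key_prefix(resource: bytes, known_plaintext: bytes) -> bytes:
    # Known-plaintext attack: ciphertext XOR the expected header bytes gives
    # the leading bytes of the key stream.
    return bytes(c ^ p for c, p in zip(resource, known_plaintext))


def demo() -> bool:
    key = bytes.fromhex('1c2b3a495867768594a3b2c1')   # constructed, 12 bytes
    payload = build_fake_pe()
    resource = xor_decode(payload, key)          # what the DLL would carry
    decoded = xor_decode(resource, key)
    return (not looks_like_pe(resource)
            and looks_like_pe(decoded)
            and decoded == payload
            and recover_key_prefix(resource, DOS_HEADER_PREFIX) == key)


if __name__ == '__main__':
    print('round trip ok' if demo() else 'round trip FAILED')
```

Because the key material lives on a third-party site rather than in the DLL, recover_key_prefix is the analyst's way in: XORing the resource against the DOS header that every PE starts with yields the first bytes of the key stream, which is usually enough to confirm which remote file served as the key and to pull the rest of it from a capture.
Fig 11. 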
Pseudocode performs decoding resource data and spawns new process\r\n3.3. Sample 3\r\nDocument template:\r\nFig 12. Sample 3’s document template\r\nSame as Sample 1:\r\nExecute VBA code when opening the document through Sub Document_open().\r\nVBA code also spawns powershell to execute a Base64-encoded script.\r\nFig 13. VBA code spawns powershell to execute script\r\nThe powershell script after decoding and deobfuscating also performs the task of downloading the payload to execute:\r\nFig 14. Powershell script downloads payload from the C2 list for execution\r\nUnlike Sample 1 (powershell downloads a loader that is an exe file) and Sample 2 (a DLL is decoded and then used to decrypt the loader, an exe file), in Sample 3 the downloaded payload is a DLL file that exports a Control_RunDLL function. The script uses rundll32 to execute this payload, so the downloaded payload is itself the DLL loader.\r\n4. Loader payload\r\n4.1. Execution flow of loaders\r\nThe payloads of Sample 1 and 2 (PDB path information: eeegggggggrseb.pdb) were built with Visual Basic:\r\nFig 15. Loaders of Sample 1 and 2 were built with Visual Basic\r\nSample 3 was built with Visual C++ (PDB path information: E:\\WindowsSDK7-Samples-master\\WindowsSDK7-Samples-master\\winui\\shell\\appshellintegration\\RecipePropertyHandler\\Win32\\Release\\RecipePropertyHandler.pdb)\r\nFig 16. Loader of Sample 3 was built with Visual C++\r\nWhen first infected, the Emotet payload runs through two stages. 
During the first stage, it checks the victim system: if it is running with high privilege, it drops the binary to CSIDL_SYSTEMX86, otherwise to CSIDL_LOCAL_APPDATA. Finally, it launches the second instance. The payload running in the second stage communicates with the C\u0026C servers embedded in its binary.\r\nFig 17. Sample 1 execution flow\r\nFig 18. Sample 2 execution flow\r\nFig 19. Sample 3 execution flow\r\n4.2. Technical analysis of the loader\r\n4.2.1. Sample 1 and 2\r\nWhen executed, these loaders allocate memory, unpack the main payload into it and execute that payload:\r\nFig 20. Sample 1’s loader unpacks the main payload\r\nFig 21. Sample 2’s loader unpacks the main payload\r\nThese main payloads are quite small in size and were built with Visual C++:\r\nFig 22. The main payload of Sample 1 and 2\r\n4.2.2. Sample 3\r\nWhen executed, this sample gets the addresses of two undocumented functions, LdrFindResource_U and LdrAccessResource, from ntdll.dll. These functions are used to access resource data embedded in the loader:\r\nFig 23. Sample 3’s loader accesses resource data\r\nNext, it computes the MD5 hash of pre-initialized data and generates an RC4 key from the computed hash. It then uses this RC4 key to decrypt the above resource data and executes the main payload. Because both the seed data and the derivation are static in the binary, the key is fully recoverable from the loader without running it:\r\nFig 24. Pseudocode performs decoding and executing the main payload\r\nThe main payload is another DLL and also has an exported function named Control_RunDLL (Fig 25).\r\n
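The Sample 3 key derivation and resource decryption, as an added example rather than code from the VinCSS post. It assumes the RC4 key is the raw 16-byte MD5 digest of the seed bytes (the post says only that the key is generated from the MD5 hash) and that RC4 is textbook KSA/PRGA with no dropped keystream; the seed, the candidate list and the payload bytes are constructed. The find_seed helper is the analyst-side counterpart: since every input is static in the loader, candidate blobs can be tried offline until one yields a PE.

```python
# Added example, not code from the VinCSS post: the key derivation and
# decryption step described for the Sample 3 loader. ASSUMPTIONS: the RC4 key
# is the raw 16-byte MD5 digest of the seed bytes (the post says only that the
# key is generated from the MD5 hash), and RC4 is the textbook KSA/PRGA with
# no dropped keystream bytes. Seed and payload bytes below are constructed.
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    # Key-scheduling algorithm (KSA)
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation (PRGA) XORed over the data; symmetric
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(seed: bytes) -> bytes:
    # Everything here is static data from the binary, so the key can be
    # reproduced offline without running the loader.
    return hashlib.md5(seed).digest()


def decrypt_resource(seed: bytes, resource: bytes) -> bytes:
    return rc4(derive_key(seed), resource)


def has_pe_signature(blob: bytes) -> bool:
    # DOS magic present and e_lfanew (offset 0x3C) points at a PE signature.
    if len(blob) < 0x40 or blob[:2] != b'MZ':
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], 'little')
    return blob[e_lfanew:e_lfanew + 4] == b'PE' + bytes(2)


def find_seed(resource: bytes, candidates):
    # Analyst helper: when it is unclear which pre-initialised blob feeds the
    # MD5, try each candidate until the decrypted output carries a PE header.
    for seed in candidates:
        if has_pe_signature(decrypt_resource(seed, resource)):
            return seed
    return None


def build_constructed_payload() -> bytes:
    # DOS header with e_lfanew = 0x40, PE signature, filler. Not executable.
    return (b'MZ' + bytes(58) + (0x40).to_bytes(4, 'little')
            + b'PE' + bytes(2) + bytes(64))


def demo() -> bool:
    seed = bytes.fromhex('deadbeef0011223344556677')   # constructed seed
    payload = build_constructed_payload()
    resource = rc4(derive_key(seed), payload)           # as stored in .rsrc
    candidates = [bytes(12), b'wrong-seed', seed]       # constructed blobs
    return (find_seed(resource, candidates) == seed
            and decrypt_resource(seed, resource) == payload)


if __name__ == '__main__':
    print('decrypted ok' if demo() else 'decryption FAILED')
```

The rc4 routine is verified in the test against the public RC4 vector (key Key, plaintext Plaintext); if a sample's output does not start with MZ under this derivation, the first things to vary are whether the MD5 is used as digest or hex string and whether the loader drops initial keystream bytes.
Fig 25. 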
The main payload of Sample 3\r\n5. Some techniques used in the main payload\r\n5.1. Control Flow Flattening\r\nA program’s control flow is the path formed by the instructions the program can execute. Disassemblers such as IDA and Ghidra visualize control flow as a graph of connected blocks (called “basic blocks”). In order to make reverse engineering more difficult, thwart analysis and avoid detection, the main payload of Emotet usually applies an obfuscation technique called control-flow flattening.\r\nBasically, this technique breaks the flow of a program’s execution by flattening it. When the control flow is flattened, the program is divided into blocks, all of which sit at the same level, so it is difficult to determine the execution order of the program at first glance. After the division into blocks, a control variable determines which basic block should be executed. Its initial value is assigned before the dispatch loop, and each block updates the control variable to redirect the program flow to the next branch.\r\nBelow is the illustration for the main function of each of the payloads above (Fig 26 to 28):\r\nFig 26. The main function of the main payload of Sample 1\r\nFig 27. The main function of the main payload of Sample 2\r\n
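A small function in its normal form and in the flattened form described above, as an added example that is not code from the VinCSS post or from Emotet. The state constants and the checksum function are constructed; the dispatch table is what an analyst (or a tool such as HexRaysDeob) reconstructs by reading each block's assignment to the control variable, and the walk over it recovers the original block order.

```python
# Added example, not code from the VinCSS post: a small function written
# normally and then in the flattened form described above (one dispatch loop,
# a control variable selecting the next basic block, and each block rewriting
# that variable), plus a walk of the dispatcher table that recovers the
# original block order. State constants and the function are constructed.


def checksum_plain(data: bytes) -> int:
    # Straight-line version: a djb2-style rolling checksum.
    h = 0
    for b in data:
        h = ((h << 5) + h + b) & 0xFFFFFFFF
    return h


# Opaque state values of the kind an obfuscator emits; any distinct
# constants work, the point is that the loop below reveals no order.
S_INIT, S_COND, S_BODY, S_EXIT = 0x2F1A, 0x7C03, 0x19E4, 0x5D88


def checksum_flattened(data: bytes) -> int:
    # Same computation with its control flow flattened: every basic block sits
    # at the same level under one dispatcher and hands control on by assigning
    # the control variable, as Figs 26 to 28 show at larger scale.
    state = S_INIT
    h = i = 0
    while True:
        if state == S_INIT:
            h, i = 0, 0
            state = S_COND
        elif state == S_COND:
            state = S_BODY if i < len(data) else S_EXIT
        elif state == S_BODY:
            h = ((h << 5) + h + data[i]) & 0xFFFFFFFF
            i += 1
            state = S_COND
        elif state == S_EXIT:
            return h


# What an analyst reconstructs from the dispatcher: for each state, the block
# label and the states it can hand control to, read off each block's writes
# to the control variable.
DISPATCH_TABLE = {
    S_INIT: ('init', [S_COND]),
    S_COND: ('cond', [S_BODY, S_EXIT]),
    S_BODY: ('body', [S_COND]),
    S_EXIT: ('exit', []),
}


def recover_block_order(table, entry):
    # Depth-first walk from the entry state, following successor states in
    # the order they are assigned; lists the blocks as the un-flattened CFG
    # would lay them out, with the back edge (body -> cond) not repeated.
    order, seen = [], set()

    def visit(state):
        if state in seen:
            return
        seen.add(state)
        label, succs = table[state]
        order.append(label)
        for nxt in succs:
            visit(nxt)

    visit(entry)
    return order
```

In a real payload the successor state is often not a plain constant but the result of arithmetic on the current state, which is why the static walk has to be paired with the debugging pass described in the next section.
Fig 28. 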
The main function of the main payload of Sample 3\r\nDeobfuscating this technique takes a lot of time and effort, so my personal experience is as follows:\r\nTry using the HexRaysDeob plugin developed by RolfRolles.\r\nPerform static analysis using IDA, trying to guess the purpose of the functions, and name them.\r\nDebug and synchronize the function names and variables set in IDA with the debugger with the help of the Labeless plugin. During debugging, note the order in which the functions are executed and comment it back in IDA.\r\n5.2. Dynamic modules resolve\r\nAll payloads rely on a pre-computed hash of the DLL name to retrieve the base address of that DLL when it needs to be used. In Sample 1 and 2, these hashes are passed directly to a function responsible for obtaining the base address of the DLL (f_resolve_modules_from_hash):\r\nFig 29. Sample 1 and 2 call f_resolve_modules_from_hash\r\nSample 3 differs slightly: hash values pre-computed from the name of the DLL and of the API function are both passed to the same function (f_get_api_funcs). Within this function, it uses these hash values to retrieve the base address of the DLL:\r\nFig 30. Sample 3 calls f_resolve_modules_from_hash\r\nThe search algorithm in all three payloads is similar; the only difference is the value XORed into the hash:\r\nFig 31. Pseudocode performs looking up the hashes of the DLL name\r\nRewriting the hash function and combining it with IDAPython gives the list of DLLs that Emotet uses (Fig 32):\r\n
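The hash-lookup scheme described above, as an added example that is not the VinCSS post's IDAPython script and does not use Emotet's real hash function. It assumes a stand-in hash (ROR-13 accumulation over the lowercase name, then XOR with a per-sample constant); the post confirms only that a pre-computed hash per DLL and API name is compared during the walk and that the XORed value is what differs between the three payloads. The candidate lists are the post's DLL list plus a few real export names added as extra candidates.

```python
# Added example, not the VinCSS post's IDAPython script: the hash-lookup scheme
# described above, with a stand-in hash rather than Emotet's real one.
# ASSUMPTIONS: ROR-13 accumulation over the lowercase name, then XOR with a
# per-sample constant. The post confirms only that a pre-computed hash per
# DLL/API name is compared during the walk and that the XORed value is the one
# thing that differs between the three payloads.
ROR_BITS = 13


def ror32(value: int, n: int) -> int:
    return ((value >> n) | (value << (32 - n))) & 0xFFFFFFFF


def name_hash(name: str, xor_key: int) -> int:
    # Stand-in for the malware's hash: accumulate over the bytes of the name,
    # then mask with the per-sample constant. Lowercasing mirrors the common
    # case-insensitive handling of module names (an assumption here).
    h = 0
    for ch in name.lower().encode():
        h = (ror32(h, ROR_BITS) + ch) & 0xFFFFFFFF
    return h ^ xor_key


CANDIDATE_DLLS = [
    'userenv.dll', 'wininet.dll', 'urlmon.dll', 'shlwapi.dll', 'shell32.dll',
    'advapi32.dll', 'crypt32.dll', 'wtsapi32.dll', 'kernel32.dll', 'ntdll.dll',
    'user32.dll',   # extra candidate not in the post's list
]
CANDIDATE_APIS = [
    'CreateToolhelp32Snapshot', 'Process32FirstW', 'Process32NextW',
    'VirtualAlloc', 'GetProcAddress', 'LdrFindResource_U', 'LdrAccessResource',
]


def build_table(names, xor_key: int) -> dict:
    # Analyst side: precompute hash -> name for every candidate under one key.
    return {name_hash(n, xor_key): n for n in names}


def resolve_hashes(hashes, table: dict) -> list:
    # Map the constants found in the binary back to names; None marks a hash
    # no candidate explains (missing name, or the wrong XOR constant).
    return [table.get(h) for h in hashes]


def sample_walk(xor_key: int) -> list:
    # Simulates the constants a payload carries: hashes for two DLLs and three
    # APIs, computed under that sample's own XOR constant.
    wanted = ['kernel32.dll', 'ntdll.dll',
              'CreateToolhelp32Snapshot', 'Process32FirstW', 'Process32NextW']
    return [name_hash(n, xor_key) for n in wanted]


def demo(xor_key: int = 0x1F0B4C3D) -> list:
    # 0x1F0B4C3D is a constructed per-sample constant, not one from the post.
    table = build_table(CANDIDATE_DLLS + CANDIDATE_APIS, xor_key)
    return resolve_hashes(sample_walk(xor_key), table)


if __name__ == '__main__':
    print(demo())
```

The practical consequence of the per-sample XOR constant is visible in the test: a table built under the wrong constant resolves nothing, so the constant must be read from each payload before the table is regenerated, which is why the post rewrites the hash function per sample instead of reusing a fixed lookup list.
Fig 32. 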
Results when using IDAPython\r\nThe list of major DLLs that Emotet uses:\r\n[+] userenv.dll\r\n[+] wininet.dll\r\n[+] urlmon.dll\r\n[+] shlwapi.dll\r\n[+] shell32.dll\r\n[+] advapi32.dll\r\n[+] crypt32.dll\r\n[+] wtsapi32.dll\r\n[+] kernel32.dll\r\n[+] ntdll.dll\r\nFig 33. List of major DLLs that Emotet uses\r\n5.3. Dynamic APIs resolve\r\nIn all three payloads, whenever an API function is needed, Emotet searches for it and then calls it. Given the base address of the DLL, the payloads resolve APIs by looking up a pre-computed hash of the export name.\r\nIn Sample 1 and 2, these hashes are passed directly to a function responsible for obtaining the API address (f_resolve_apis_from_hash):\r\nFig 34. Sample 1 and 2 call f_resolve_apis_from_hash\r\nIn Sample 3, as mentioned above, the hash values are passed to the same function (f_get_api_funcs), which in turn calls f_resolve_apis_from_hash to retrieve the address of the API:\r\nFig 35. Sample 3 calls f_resolve_apis_from_hash\r\nThe search algorithm in all three payloads is similar; the only difference is the value XORed into the hash:\r\nFig 36. Pseudocode performs looking up the hashes of the API name\r\nRewriting the hash function that the payload uses and combining it with IDAPython retrieves all APIs and annotates the related code. The list of APIs used in these payloads is similar across the three and similar to other variants. The final result is as follows:\r\nFig 37. The final result when using IDAPython to annotate related code\r\n5.4. Decrypt strings\r\nAll strings are encrypted and only decrypted at runtime. The structure of the encrypted data is shown below. 
The decryption algorithm of the payloads is the same:\r\nFig 38. The payloads call the string decryption function\r\nBased on the above information, IDAPython can be used to create a script that decrypts the data as follows:\r\nFig 39. Python code is used for decrypting data\r\nThe list of strings obtained from the payloads is quite similar:\r\nFig 40. List of strings obtained after using the script\r\n5.5. List of C2 (IP \u0026 Port)\r\nThe list of C2 IP addresses and ports of the Emotet payloads is stored in the .data section as 8-byte blocks:\r\nFig 41. List of C2s is stored in each payload\r\nA script can quickly retrieve the entire C2 list:\r\nFig 42. List of IP:Port used by payloads\r\n5.6. RSA Public Key\r\nThrough analysis, Emotet embeds an RSA public key in the payloads. This RSA public key is also stored as a regular encrypted string and is decoded just like the other strings. The key is then used to secure communication with the C2 servers above.\r\nAll three payloads above, after decryption, have the same RSA public key:\r\nFig 43. RSA Public Key after decrypted\r\n5.7. Enumerating running processes\r\nTo get the list of the processes running on the victim machine, the payloads use the API functions CreateToolhelp32Snapshot, Process32FirstW and Process32NextW. The resulting process list is guaranteed to contain:\r\nNo process whose parent process ID is 0.\r\nNo process executed by Emotet itself.\r\nNo duplicated process names.\r\nFig 44. The payloads collect a list of the processes running on the victim machine\r\n
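Decoders for the two embedded-config structures of sections 5.4 and 5.5 (and, through the string decoder, the RSA key of 5.6), as an added example rather than the VinCSS post's IDAPython script. The post shows both layouts only in screenshots, so the layouts here are assumptions to verify against the sample: an encrypted string as a 32-bit key, a 32-bit length XORed with that key, and data XORed with the key four bytes at a time; a C2 record as four IPv4 bytes in reversed order, a little-endian 16-bit port and two padding bytes, with an all-zero record ending the list. All sample bytes, including the addresses, are constructed test data, not indicators from the samples.

```python
# Added example, not the VinCSS post's IDAPython script: decoders for the two
# embedded-config structures in 5.4 and 5.5, runnable offline on bytes carved
# from the .data section. ASSUMED layouts, to be verified against the sample
# (the post shows them only in screenshots):
#   encrypted string : u32 key | u32 (length XOR key) | data XORed with the
#                      key 4 bytes at a time, little-endian
#   C2 entry (8 B)   : IPv4 as 4 bytes in reversed order | u16 port LE |
#                      u16 pad; an all-zero entry ends the list
# All sample bytes below are constructed test data, not indicators.
import struct


def decrypt_string(blob: bytes) -> bytes:
    key, enc_len = struct.unpack_from('<II', blob, 0)
    length = enc_len ^ key
    if length > len(blob) - 8:
        # A length that overruns the buffer means a wrong offset or layout.
        raise ValueError('length field exceeds buffer')
    body = blob[8:8 + length]
    keystream = struct.pack('<I', key) * (length // 4 + 1)
    return bytes(b ^ k for b, k in zip(body, keystream))


def encrypt_string(plain: bytes, key: int) -> bytes:
    # Inverse of decrypt_string; used only to build constructed test input.
    keystream = struct.pack('<I', key) * (len(plain) // 4 + 1)
    header = struct.pack('<II', key, len(plain) ^ key)
    return header + bytes(b ^ k for b, k in zip(plain, keystream))


def parse_c2_list(data: bytes) -> list:
    # Walk 8-byte records until the zero terminator (or end of buffer).
    entries = []
    for off in range(0, len(data) - 7, 8):
        ip_raw, port, _pad = struct.unpack_from('<4sHH', data, off)
        if ip_raw == bytes(4):
            break
        ip = '.'.join(str(b) for b in ip_raw[::-1])
        entries.append((ip, port))
    return entries


def demo() -> dict:
    # Constructed config: one encrypted string and two C2 records plus the
    # terminator. The addresses are documentation/private ranges, not real C2.
    enc = encrypt_string(b'Content-Type: application/x-www-form-urlencoded',
                         0x3D7F1A2C)
    c2_blob = bytes.fromhex(
        '0100000a901f0000'   # 10.0.0.1:8080
        '050200c0bb010000'   # 192.0.2.5:443
        '0000000000000000'   # terminator
    )
    return {'string': decrypt_string(enc), 'c2': parse_c2_list(c2_blob)}


if __name__ == '__main__':
    print(demo())
```

When the string decoder is pointed at the blob holding the RSA public key, the output is the DER-encoded key the post shows in Fig 43; comparing that key across samples is a cheap way to cluster payloads from the same operator build, since all three samples here share it.
6. 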
Conclusion\r\nEmotet was first discovered in 2014 as a banking Trojan; over time it has continued to evolve and has always been a leading threat to organizations around the world. Emotet has once again proven to be an advanced threat capable of adapting and evolving quickly in order to wreak more havoc. This malware is mainly distributed through email spam campaigns, so to prevent it, organizations should regularly train end users in information security awareness.\r\n7. References / Further Reading\r\nhttps://any.run/cybersecurity-blog/annual-report-2020/\r\nhttps://securelist.com/the-chronicles-of-emotet/99660/\r\nhttps://blog.talosintelligence.com/2020/12/2020-year-in-malware.html\r\nhttps://www.cert.pl/en/news/single/whats-up-emotet/\r\nhttps://medium.com/threat-intel/emotet-dangerous-malware-keeps-on-evolving-ac84aadbb8de\r\nhttps://www.malware-traffic-analysis.net/\r\nhttps://www.seqrite.com/blog/the-return-of-the-emotet-as-the-world-unlocks/\r\nA Vietnamese version of this article is also available.\r\nTran Trung Kien (aka m4n0w4r)\r\nMalware Analysis Expert\r\nR\u0026D Center – VinCSS (a member of Vingroup)\r\nSource: https://blog.vincss.net/re019-from-a-to-x-analyzing-some-real-cases-which-used-recent-emotet-samples/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.vincss.net/re019-from-a-to-x-analyzing-some-real-cases-which-used-recent-emotet-samples/"
	],
	"report_names": [
		"re019-from-a-to-x-analyzing-some-real-cases-which-used-recent-emotet-samples"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434894,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b33339b4a0646ede4b2d40968ac2d61e3e64b6a8.pdf",
		"text": "https://archive.orkl.eu/b33339b4a0646ede4b2d40968ac2d61e3e64b6a8.txt",
		"img": "https://archive.orkl.eu/b33339b4a0646ede4b2d40968ac2d61e3e64b6a8.jpg"
	}
}