{
	"id": "f5f504b8-708a-4208-8cb3-10f7f8ffd565",
	"created_at": "2026-04-06T00:18:57.829943Z",
	"updated_at": "2026-04-10T13:12:29.28469Z",
	"deleted_at": null,
	"sha1_hash": "c443c27e77581ac592afa6bc9d595e44715f7861",
	"title": "New EMOTET Hijacks a Windows API, Evades Sandbox",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 94284,
	"plain_text": "New EMOTET Hijacks a Windows API, Evades Sandbox\r\nBy Rubio Wu\r\nPublished: 2017-11-15 · Archived: 2026-04-05 23:44:47 UTC\r\nWe discussed the re-emergence of banking malware EMOTET in September and how it has adopted a wider scope\r\nsince it wasn't picky about the industries it attacks. We recently discovered that EMOTET has a new iteration\r\n(detected as TSPY_EMOTET.SMD10) with a few changes in its usual behavior and new routines that allow it to\r\nelude sandbox and malware analysis.\r\nBased on our findings, EMOTET’s dropper changed from using RunPE to exploiting CreateTimerQueueTimer.\r\nCreateTimerQueueTimer is a Windows application programming interface (API) that creates a\r\nqueue for timers. These timers are lightweight objects that enable the selection of a callback\r\nfunction at a specified time. The API's intended use is to create a timer routine as part of a process chain,\r\nbut here the API's callback function becomes EMOTET’s actual payload. EMOTET\r\nseems to have traded RunPE for a Windows API because the exploitation of the former has become popular while\r\nthe latter is less well known, theoretically making it more difficult for security scanners to detect.\r\nFigure 1. A CreateTimerQueueTimer API document (from the CreateTimerQueueTimer function documentation)\r\nFigure 2. When the EMOTET dropper executes at Stage 4, the Stage 5 payload at 0x428310 will be injected into\r\nCreateTimerQueueTimer.\r\nThis is not the first malware we've seen abusing CreateTimerQueueTimer. Hancitor, a banking\r\nTrojan that dropped PONY and VAWTRAK, also exploited the API in its dropper, which is a malicious macro\r\ndocument.\r\nAnti-Analysis and Anti-Sandbox Techniques\r\nWe also observed a new behavior in this variant, which is its anti-analysis technique. 
Some malware is designed\r\nto sleep for a period of time to avoid detection by malware analysis products. The analysis platform will shorten\r\nthe sleep period to a very short time so it can scan for malicious activity. EMOTET’s anti-analysis technique involves\r\nchecking when the scanner monitors activities in order to dodge detection. CreateTimerQueueTimer helps EMOTET do\r\nthe job every 0x3E8 milliseconds.\r\nThis variant has the ability to check if it’s inside a sandbox environment at the second stage of its payload. The\r\nEMOTET loader will not proceed if it sees that it’s running inside a sandbox environment.\r\nThe dropper will check for the following to discern whether it is running in a sandbox environment:\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/\r\nPage 1 of 4\n\nWhen NetBIOS’ name is TEQUILABOOMBOOM.\r\nWhen UserName is Wilber, NetBIOS’ name starts with SC, and NetBIOS name starts with CW.\r\nWhen UserName is admin, DnsHostName is SystemIT, and there is a debugger symbol file like\r\nC:\\\\Symbols\\\\aagmmc.pdb.\r\nWhen UserName is admin and NetBIOS name is KLONE_X64-PC.\r\nWhen UserName is John Doe.\r\nWhen UserName is John and there are two files called C:\\\\take_screenshot.ps1 and C:\\\\loaddll.exe.\r\nWhen these files are present: C:\\\\email.doc, C:\\\\123\\\\email.doc, and C:\\\\123\\\\email.docx.\r\nWhen these files are present: C:\\\\a\\\\foobar.bmp, C:\\\\a\\\\foobar.doc, and C:\\\\a\\\\foobar.gif.\r\nFigure 3. When sample files are named sample., mlwr_smple. or artifact.exe, the malicious payload will also not\r\nbe launched.\r\nAs part of its unpacking technique, this variant will run itself through another process if it does not have admin\r\nprivileges. If the process has admin privileges, it will proceed with the following:\r\n1. Create a new service set to auto-start to make the malware persistent.\r\n2. 
Change the service description to “Provides support for 3rd party protocol plug-ins for Internet Connection\r\nSharing.”\r\n3. Start the service.\r\n4. Collect system information such as running process names.\r\n5. Encrypt the collected information via the AES-128 algorithm and the SHA1 hash algorithm.\r\n6. POST the encrypted information to the C\u0026C server.\r\nFigure 4. EMOTET collects system process information (left) and saves the result to memory (right)\r\nFigure 5. EMOTET collects information about the system version and current applications running under\r\nC:\\\\WOW64\\\r\nFigure 6. EMOTET C2 IP (red):port (yellow) list\r\nInfection Chain\r\nFigure 7. The variant’s infection chain\r\nThe infection chain of this variant starts with a phishing email. The email contains a malicious URL that will drop\r\na document file containing a malicious macro.\r\nFigure 8. EMOTET phishing email\r\nFigure 9. Malicious EMOTET document\r\nFigure 10. The malicious macro inside the document will prompt cmd.exe and PowerShell to execute an encoded\r\nand obfuscated string.\r\nThe command downloads EMOTET from hxxp://bonn-medien[.]de/RfThRpWC/ and will execute the dropper PE\r\npayload from the malicious site.\r\nFigure 11. The network traffic of PowerShell downloading the dropper from bonn-medien[.]de/RfThRpWC/\r\nEnterprises and end-users can avoid threats like EMOTET by following best practices for defending against\r\nphishing attacks. Users should always be cautious of individuals or organizations that ask for\r\npersonal information. Most companies will not ask for sensitive data from their customers. When in doubt, users\r\nshould verify with the company to avoid any potential issues. 
Users should also avoid clicking links or\r\ndownloading files even if they come from seemingly “trustworthy” sources. In addition, enterprises can stay\r\nprotected by applying strong security policies to their email gateway and ensuring that their\r\nnetwork infrastructure can filter, validate, and block malicious traffic like anomalous data exfiltration.\r\nTrend Micro Solutions\r\nCombating threats like EMOTET calls for a multilayered and proactive approach to security—from\r\nthe gateway, endpoints, networks, and servers. Trend Micro endpoint solutions\r\nsuch as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security\r\ncan protect users and businesses from these threats by detecting malicious files and spammed messages as\r\nwell as blocking all related malicious URLs. Trend Micro Deep Discovery™ has an email inspection\r\nlayer that can protect enterprises by detecting malicious attachments and URLs.\r\nTrend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously\r\nupdated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they\r\nreach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted\r\nand on-premises email solutions.\r\nTrend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a\r\nfull range of threats for data centers, cloud environments, networks, and\r\nendpoints. 
Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions:\r\nHybrid Cloud Security, User Protection, and Network Defense.\r\nIndicators of Compromise (IoCs)\r\nSHA256\r\nMalicious document (W2KM_POWLOAD.AUSJTM)\r\n455be9278594633944bfdada541725a55e5ef3b7189ae13be8b311848d473b53\r\nDropper sample (TSPY_EMOTET.SMD10)\r\nfbff242aeeff98285e000ef03cfa96e87d6d63c41080d531edcb455646b64eec\r\nMalicious macro (W2KM_EMOTET.DG)\r\n3f75ee07639bbcebf9b904debae1b40ae1e2f2cbfcef44caeda21a9dae71c982\r\nMalicious C\u0026Cs\r\nC\u0026C public key\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/"
	],
	"report_names": [
		"new-emotet-hijacks-windows-api-evades-sandbox-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434737,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c443c27e77581ac592afa6bc9d595e44715f7861.pdf",
		"text": "https://archive.orkl.eu/c443c27e77581ac592afa6bc9d595e44715f7861.txt",
		"img": "https://archive.orkl.eu/c443c27e77581ac592afa6bc9d595e44715f7861.jpg"
	}
}