{
	"id": "9e7319be-bfce-45e9-82c0-eed1ac3b56ac",
	"created_at": "2026-04-06T00:06:55.160099Z",
	"updated_at": "2026-04-10T13:13:04.176429Z",
	"deleted_at": null,
	"sha1_hash": "f25b0947c04f0601eecc69ae21b4872ac4110185",
	"title": "Emotet modules and recent attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 606665,
	"plain_text": "Emotet modules and recent attacks\r\nBy AMR\r\nPublished: 2022-04-13 · Archived: 2026-04-05 16:46:30 UTC\r\nEmotet was first found in the wild in 2014. Back then its main functionality was stealing user banking credentials.\r\nSince then it has survived numerous transformations, started delivering other malware and finally became a\r\npowerful botnet. In January 2021 Emotet was disrupted by a joint effort of different countries’ authorities. It took\r\nthe threat actors almost 10 months to rebuild the infrastructure, whereupon Emotet returned in November. At that\r\ntime, Trickbot malware was used to deliver Emotet. Now, Emotet is spreading by itself in malicious spam\r\ncampaigns.\r\nBased on recent Emotet protocol analysis and C2 responses, we can say that now Emotet can download 16\r\nadditional modules. We were able to retrieve 10 of them (including two different copies of the Spam module),\r\nused by Emotet for Credential/Password/Account/E-mail stealing and spamming. In this post, we provide a brief\r\nanalysis of these modules, as well as statistics on recent Emotet attacks.\r\nEmotet technical analysis\r\nInfection chain\r\nA typical Emotet infection begins with spam e-mails delivered with Microsoft Office (Word, Excel) attachments.\r\nMalicious macros are used to start PowerShell, and download and execute an Emotet DLL. Depending on the\r\navailable access, Emotet creates a subdirectory with a random name in the %Windows%SysWOW64 or\r\n%User%AppDataLocal directory, and copies itself there under a randomly generated name and extension. The\r\nexported Control_RunDLL function is used to run the main activity of the Emotet DLL.\r\nEmotet infection execution chain\r\nAfter being run, the Emotet malware creates a service by calling the CreateServiceW() function. 
A randomly generated name and extension, which were used to create a copy, act as service names.\r\nhttps://securelist.com/emotet-modules-and-recent-attacks/106290/\r\nPage 1 of 11\r\nCreateServiceW() function with arguments\r\nIf the attempt to create a new service fails, Emotet instead creates an entry in HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run, using the same names that were used when creating the service.\r\nAutostart key in registry\r\nAs soon as the Emotet DLL is launched, it registers with one of the 20 C2 IPs that are hardcoded in encrypted form into the malware body. Downloaded modules can also include additional C2 IPs. The following data is used for bot registration:\r\nRegistration data\r\nTogether with the registration data, the victim’s public key, which is generated on every run, is also sent to the C2. Unlike previous versions, which used RSA to encrypt a generated AES key, this newest Emotet sample uses ECDH (Elliptic-curve Diffie–Hellman): the victim’s freshly generated key pair and Emotet’s public key hardcoded into the code are combined to derive the AES key that encrypts the communication. This is done with the Windows API BCryptSecretAgreement.\r\nDuring our monitoring we observed that after registration the C2 replies with the Process List module payload. The module comes in the form of a DLL that is parsed and loaded directly into the rundll32 process. Its entry point is called by passing a specific structure to its DllMain function. It is also worth noting that Emotet uses ECDSA (Elliptic Curve Digital Signature Algorithm) to verify the payload’s integrity before loading it.\r\nPseudo code to load Emotet’s second-stage DLL directly into memory\r\nAside from loading the DLL into memory, there are other ways to run the payload. 
For example:\r\nwrite the DLL payload to disk and run it through regsvr32.exe -s “%s” or rundll32.exe “%s”,Control_RunDLL\r\nwrite the payload to disk and attempt to call CreateProcess, or duplicate the user token to call CreateProcessAsUser\r\nDuring communication, the C2 returns the module bodies and configuration. Based on the configuration, the malware selects the way to run the payload module. During our research, all the modules we retrieved were launched in the parent process, but a separate thread is started for each new module. Each module has its own numeric ID and contains its own C2 list. However, all the modules we retrieved contained the same C2 list, except the Spam module. Emotet modules are delivered on demand, and there are always a few junk bytes that vary between different samples of the same module. This is likely done to evade cloud scanning and file-hash detection.\r\nRandom bytes changed between “Process List” module binaries\r\nProcess List module\r\nThis module sends the list of running processes back to the C2. Usually the C2 does not send any other modules until it gets a response from this one.\r\nEmotet Process List module request\r\nMail PassView module\r\nThe module contains an embedded copy of Nir Sofer’s Mail PassView, a password recovery tool that reveals passwords and account details for various e-mail clients. In order to execute the password recovery tool, the Emotet module copies certutil.exe into the %Temp% directory under a random name with the .exe extension, starts the copied executable and uses the process hollowing technique to inject the password recovery tool executable into the newly created process. 
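The certutil.exe abuse just described can be caught from process-creation telemetry. The following Python is an added example, not code from the original post: it scores Sysmon Event ID 1-style records (Image, OriginalFileName, ParentImage, CommandLine) over constructed events; the NirSoft save-to-file switches it looks for are an assumption, since the post only says the tool is told to write its results to a file:

```python
# Added example (not from the Securelist post): score process-creation events
# for the certutil.exe abuse the post describes: a copy of certutil.exe placed in
# %Temp% under a random name and started from the Emotet host process so that the
# Mail PassView / WebBrowser PassView binary can be hollowed into it. The event
# shape follows Sysmon Event ID 1 field names (Image, OriginalFileName,
# ParentImage, CommandLine); the events themselves are constructed here.
import os

BACKSLASH = chr(92)
LAUNCHERS = ('rundll32.exe', 'regsvr32.exe')  # hosts Emotet uses for its DLL (post)


def norm(p):
    return p.replace(BACKSLASH, '/').lower()


def score_event(ev):
    # Returns (score, reasons). Each reason is one independent signal so the
    # output explains itself; the threshold in detect() is this example's choice.
    reasons = []
    image = norm(ev['Image'])
    name = os.path.basename(image)
    original = ev.get('OriginalFileName', '').lower()
    parent = os.path.basename(norm(ev.get('ParentImage', '')))

    # 1. The PE version resource says CertUtil.exe but the file is named differently:
    #    the post says Emotet copies certutil.exe to %Temp% under a random name.
    #    Hollowing replaces the image in memory only, so the on-disk file is
    #    still certutil and its version resource still says so.
    if original == 'certutil.exe' and name != 'certutil.exe':
        reasons.append('renamed certutil.exe')
    # 2. The copy lives in a Temp directory rather than System32/SysWOW64.
    if original == 'certutil.exe' and '/temp/' in image:
        reasons.append('certutil image under a Temp directory')
    # 3. Started by the rundll32/regsvr32 process that hosts the Emotet module.
    if parent in LAUNCHERS:
        reasons.append('parent is ' + parent)
    # 4. Assumption of this example: the injected NirSoft tool is given one of
    #    its /stext-style save-to-file switches; the post only says the results
    #    are written to a file.
    cmd = norm(ev.get('CommandLine', ''))
    if '/stext' in cmd or '/shtml' in cmd or '/scomma' in cmd:
        reasons.append('NirSoft save-to-file switch')
    return len(reasons), reasons


def detect(events, threshold=3):
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev['Image'], reasons))
    return hits


# Constructed events (not real telemetry); paths use forward slashes.
EVENTS = [
    {'Image': 'C:/Users/bob/AppData/Local/Temp/wqzrh.exe',
     'OriginalFileName': 'CertUtil.exe',
     'ParentImage': 'C:/Windows/SysWOW64/rundll32.exe',
     'CommandLine': 'C:/Users/bob/AppData/Local/Temp/wqzrh.exe /stext C:/Users/bob/AppData/Local/Temp/out.txt'},
    {'Image': 'C:/Windows/System32/certutil.exe',
     'OriginalFileName': 'CertUtil.exe',
     'ParentImage': 'C:/Windows/System32/cmd.exe',
     'CommandLine': 'certutil.exe -hashfile C:/Users/bob/setup.msi SHA256'},
    {'Image': 'C:/Users/bob/AppData/Local/Temp/7zS1A2B/setup.exe',
     'OriginalFileName': 'setup.exe',
     'ParentImage': 'C:/Users/bob/Downloads/installer.exe',
     'CommandLine': 'setup.exe /S'},
]

if __name__ == '__main__':
    for image, reasons in detect(EVENTS):
        print(image, '->', '; '.join(reasons))
```

Signals 1 and 2 are the ones the post supports directly and are enough on their own for a high-confidence alert; the parent-process and command-line signals mainly help to separate this from an administrator who copied certutil somewhere odd.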
The certutil process is started with command line arguments that force the recovery tool to save its results to a file.\r\nCertUtil with command line for password recovery tool\r\nAccording to the official website, the utility is capable of revealing passwords and other account details for various e-mail clients, including Outlook and Thunderbird.\r\nWebBrowser PassView module\r\nThis module is mostly the same as the previous one, except that it uses Nir Sofer’s WebBrowser PassView password recovery tool to reveal passwords and account details stored in browsers.\r\nAccording to the official website, the utility is capable of revealing passwords and other account details in various web browsers, including Internet Explorer, Mozilla Firefox, Google Chrome, Safari and Opera.\r\nPseudocode of function from WebBrowser PassView module\r\nEmotet has used code obfuscation for years, and this module is no exception. In the figure above, we can see that control flow obfuscation is applied using the variable ‘state’ (yellow-colored). Also, all API calls are resolved at runtime, and this API resolution layer is passed junk arguments (red-framed). Code listings for the other modules are larger and more obfuscated still, which is why we do not show them for every module.\r\nOutlook Address Grabber module\r\nA data exfiltration module for Outlook. The module uses the Outlook Messaging API (MAPI), iterates through Outlook profiles and extracts all display names and mail addresses from each e-mail it finds. It then sends the collected e-mail addresses to the C2.\r\nOutlook E-mails Grabber module\r\nA data exfiltration module for Outlook. 
The module uses the Outlook Messaging API (MAPI), iterates through all personal folders (Inbox, Sent Items, Deleted Items, etc.), extracts the display names and mail addresses of sender and recipients, and extracts the e-mail subject and body. It then sends the collected e-mails to the C2.\r\nThunderbird Address Grabber module\r\nA data exfiltration module for Thunderbird. The module iterates through the Thunderbird profiles located in %AppData%\\Roaming\\Thunderbird\\Profiles, parses Thunderbird data files and extracts display names and mail addresses. It then sends the collected e-mail addresses to the C2.\r\nThunderbird E-mails Grabber module\r\nA data exfiltration module for Thunderbird. The module iterates through the Thunderbird profiles located in %AppData%\\Roaming\\Thunderbird\\Profiles, parses Thunderbird data files and extracts the display names and mail addresses of sender and recipients, and extracts the e-mail subject and body. It then sends the collected e-mails to the C2.\r\nSpam module\r\nThe module is responsible for sending spam. It queries the C2 until it receives a response with a spam task, which usually consists of three parts:\r\na list of e-mail servers and compromised accounts to be used to send spam (dozens of compromised accounts are stored in a single task)\r\na list of targets, each with recipient e-mail and name and sender e-mail and name\r\na spam template with subject, body and attachments\r\nRedacted list of email servers, compromised accounts used for spamming\r\nTwo of the 10 modules we were able to obtain were spam modules. Their functionality is one and the same, but the module IDs differ.\r\nUPnP module\r\nAn auxiliary module for testing the possibility of connecting to the infected system from the outside. 
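As an added example that is not part of the original post, the following Python builds the two UPnP messages this module depends on (the SSDP discovery probe and the AddPortMapping action, here for port 443, the case the post illustrates) and parses an AddPortMapping request back the way a router-side capture review would; the WANIPConnection service type, the gateway address and the control URL are assumptions of the example, and no network I/O is performed:

```python
# Added example, not code from the Securelist post: the two UPnP messages the
# post says this module relies on, built and parsed offline. build_msearch() is the
# SSDP discovery probe; build_add_port_mapping() is the AddPortMapping SOAP action
# (the post shows the 443 case); parse_add_port_mapping() reads such a request back
# the way a router-side capture or log review would, and flag_mapping() applies the
# port list from the post. Assumptions: the WANIPConnection service type (where
# AddPortMapping is defined), and the gateway address and control URL below, which
# a real client learns from the SSDP reply and the device description.
import xml.etree.ElementTree as ET

Q = chr(34)                      # double quote, kept out of this listing
CRLF = chr(13) + chr(10)
SERVICE = 'urn:schemas-upnp-org:service:WANIPConnection:1'
SOAP_NS = 'http://schemas.xmlsoap.org/soap/envelope/'
ENC = 'http://schemas.xmlsoap.org/soap/encoding/'

# Ports the post says the module is able to open on the infected host.
EMOTET_PORTS = (80, 443, 8080, 8090, 7080, 8443, 20, 21, 22, 53, 143, 465, 990, 993, 995)


def build_msearch():
    # SSDP M-SEARCH sent to the multicast group 239.255.255.250:1900; only devices
    # exposing a WAN connection service answer to this search target.
    lines = ['M-SEARCH * HTTP/1.1', 'HOST: 239.255.255.250:1900',
             'MAN: ' + Q + 'ssdp:discover' + Q, 'MX: 2', 'ST: ' + SERVICE]
    return CRLF.join(lines) + CRLF + CRLF


def build_add_port_mapping(external_port, internal_client, internal_port=None, protocol='TCP'):
    # SOAP request asking the gateway to forward <external_port> to the LAN host.
    # NewLeaseDuration 0 means the mapping never expires on its own.
    internal_port = internal_port or external_port
    parts = [
        '<?xml version=' + Q + '1.0' + Q + '?>',
        '<s:Envelope xmlns:s=' + Q + SOAP_NS + Q + ' s:encodingStyle=' + Q + ENC + Q + '>',
        '<s:Body><u:AddPortMapping xmlns:u=' + Q + SERVICE + Q + '>',
        '<NewRemoteHost></NewRemoteHost>',
        '<NewExternalPort>' + str(external_port) + '</NewExternalPort>',
        '<NewProtocol>' + protocol + '</NewProtocol>',
        '<NewInternalPort>' + str(internal_port) + '</NewInternalPort>',
        '<NewInternalClient>' + internal_client + '</NewInternalClient>',
        '<NewEnabled>1</NewEnabled>',
        '<NewPortMappingDescription>mapping</NewPortMappingDescription>',
        '<NewLeaseDuration>0</NewLeaseDuration>',
        '</u:AddPortMapping></s:Body></s:Envelope>',
    ]
    body = ''.join(parts)
    headers = ['POST /ctl/IPConn HTTP/1.1',        # control URL: assumption
               'HOST: 192.168.1.1:1900',           # gateway address: assumption
               'CONTENT-TYPE: text/xml; charset=' + Q + 'utf-8' + Q,
               'SOAPACTION: ' + Q + SERVICE + '#AddPortMapping' + Q,
               'CONTENT-LENGTH: ' + str(len(body))]
    return CRLF.join(headers) + CRLF + CRLF + body


def parse_add_port_mapping(request):
    # Split a captured HTTP request into headers and SOAP body and pull the
    # requested mapping out; returns None for anything that is not AddPortMapping.
    head, _, body = request.partition(CRLF + CRLF)
    if '#AddPortMapping' not in head:
        return None
    root = ET.fromstring(body)
    action = root.find('.//{' + SERVICE + '}AddPortMapping')
    if action is None:
        return None
    fields = {child.tag: (child.text or '').strip() for child in action}
    return {'external_port': int(fields['NewExternalPort']),
            'internal_port': int(fields['NewInternalPort']),
            'internal_client': fields['NewInternalClient'],
            'protocol': fields['NewProtocol']}


def flag_mapping(mapping):
    # A mapping whose external port is one the post lists, forwarded to a LAN
    # client, is what the module asks the gateway for.
    return mapping is not None and mapping['external_port'] in EMOTET_PORTS


if __name__ == '__main__':
    req = build_add_port_mapping(443, '192.168.1.23')   # constructed LAN address
    print(build_msearch())
    print(parse_add_port_mapping(req), flag_mapping(parse_add_port_mapping(req)))
```

On a real network the client first fetches the device description URL returned in the SSDP reply to learn the control URL used in the POST line; the port list alone is a weak signal (443 and 8080 mappings are common), so a review should pair it with the internal client being a workstation rather than a server.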
In the settings of this module, which the C2 sends together with the module itself, the external IP address of the infected system is transmitted. The first thing this module does is enumerate the network interfaces and compare their addresses with the IP address obtained from the module’s configuration settings. If a suitable network interface is found, the module opens ports for listening and waits for an incoming connection. The module can open the following ports: 80, 443, 8080, 8090, 7080, 8443, 20, 21, 22, 53, 143, 465, 990, 993, 995. If no suitable network interface is found, it uses the SSDP protocol to find devices (modem, router, etc.) with Internet access. If suitable devices are found, the module tries to reconfigure them using AddPortMapping to allow port forwarding.\r\nExample of AddPortMapping for 443 port forwarding\r\nStatistics\r\nSince Emotet’s return in November 2021, we have observed its activity gradually increase. In March 2022, however, based on our telemetry, the number of attacked users shot up from 2,847 in February to 9,086 — more than threefold growth.\r\nDynamics of the number of attacked users in recent Emotet attacks, November 2021–March 2022\r\nWe observed a similar upsurge in March in the number of Emotet detections.\r\nDynamics of the number of Emotet detections, November 2021–March 2022\r\nVictimology\r\nEmotet infects computers of companies and individual users all over the world. 
In Q1 2022, according to our telemetry, users in the following countries were most often targeted by Emotet: Italy (10.04%), Russia (9.87%), Japan (8.55%), Mexico (8.36%), Brazil (6.88%), Indonesia (4.92%), India (3.21%), Vietnam (2.70%), China (2.62%), Germany (2.19%) and Malaysia (2.13%).\r\nGeographical distribution of Emotet targets, Q1 2022\r\nConclusion\r\nThe current set of modules is capable of performing a large set of malicious actions: stealing e-mails, passwords and login data from various sources, and sending spam. All these modules, except those for Thunderbird, have in one form or another been used before by Emotet. However, there are still modules that we have not yet been able to obtain. In addition, our telemetry shows significant growth in the number of attacked users in March. We continue to actively monitor the Emotet family. We provide more information about the malware in our private reports on the Kaspersky Threat Intelligence Portal.\r\nIndicators of Compromise\r\nNote: Because Emotet is polymorphic malware, there are no IOC hashes.\r\nC2 IP addresses\r\n70[.]36.102.35:443\r\n197[.]242.150.244:8080\r\n188[.]44.20.25:443\r\n45[.]118.135.203:7080\r\n92[.]240.254.110:8080\r\n103[.]43.46.182:443\r\n1[.]234.2.232:8080\r\n50[.]116.54.215:443\r\n51[.]91.76.89:8080\r\n206[.]188.212.92:8080\r\n153[.]126.146.25:7080\r\n178[.]79.147.66:8080\r\n217[.]182.25.250:8080\r\n196[.]218.30.83:443\r\n51[.]91.7.5:8080\r\n72[.]15.201.15:8080\r\n119[.]193.124.41:7080\r\n5[.]9.116.246:8080\r\n151[.]106.112.196:8080\r\n101[.]50.0.91:8080\r\n45[.]142.114.231:8080\r\n185[.]157.82.211:8080\r\n46[.]55.222.11:443\r\n103[.]75.201.2:443\r\n176[.]56.128.118:443\r\n176[.]104.106.96:8080\r\n107[.]182.225.142:8080\r\n31[.]24.158.56:8080\r\n51[.]254.140.238:7080\r\n159[.]65.88.10:8080\r\n82[.]165.152.127:8080\r\n146[.]59.226.45:443\r\n173[.]212.193.249:8080\r\n212[.]24.98.99:8080\r\n212[.]237.17.99:8080\r\n110[.]232.117.186:8080\r\n131[.]100.24.231:80\r\n209[.]250.246.206:443\r\n195[.]201.151.129:8080\r\n138[.]185.72.26:8080\r\nSource: https://securelist.com/emotet-modules-and-recent-attacks/106290/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/emotet-modules-and-recent-attacks/106290/"
	],
	"report_names": [
		"106290"
	],
	"threat_actors": [],
	"ts_created_at": 1775434015,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f25b0947c04f0601eecc69ae21b4872ac4110185.pdf",
		"text": "https://archive.orkl.eu/f25b0947c04f0601eecc69ae21b4872ac4110185.txt",
		"img": "https://archive.orkl.eu/f25b0947c04f0601eecc69ae21b4872ac4110185.jpg"
	}
}