{
	"id": "f11a1f4c-130e-4ad4-ae07-2c3294e02563",
	"created_at": "2026-04-06T00:13:44.57592Z",
	"updated_at": "2026-04-10T03:21:59.142798Z",
	"deleted_at": null,
	"sha1_hash": "f7192bf9c1598d2c90d0e2fbb05a0b97449ee056",
	"title": "Emotet 2.0: Everything you need to know about the new Variant of the Banking Trojan - CloudSEK",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48401,
	"plain_text": "Emotet 2.0: Everything you need to know about the new Variant of the\r\nBanking Trojan - CloudSEK\r\nBy Co Authors\r\nPublished: 2021-12-22 · Archived: 2026-04-05 23:17:43 UTC\r\nSince it was first identified in 2014, the Emotet banking trojan has been a persistent threat that has affected over 1.6 million\r\ncomputers and led to millions of dollars in loss. However, in January 2021 a collaborative effort between law enforcement in\r\nseveral countries, coordinated by Europol and Eurojust, dismantled the operations of Emotet, which was followed by several\r\narrests in Ukraine. \r\nDespite the disruptions in their operations, within 9 months, in November 2021, new Emotet samples were discovered in the\r\nwild. Though the new variant of Emotet is very similar to the previous bot code, it differs in the encryption scheme used for\r\ncommand and control communications. \r\nIn this article, we delve into the technical aspects of the re-emerged Emotet malware dubbed Emotet 2.0. \r\nAfter almost a year-long hiatus, the Emotet malware has returned to the threat landscape through spamming campaigns.\r\nAdversaries are using weaponized Microsoft Word document files to spread the infection. 
\r\nAs shown in the image below, users are tricked into clicking “Enable Content” to execute the malicious macros that\r\ndownload Emotet malware hosted on various WordPress websites compromised by the attackers.\r\nThe images below illustrate the different PowerShell payloads from multiple malicious documents:\r\nWhen the payload is a DLL, the campaign uses Rundll32 to execute an exported function Control_RunDLL to deploy the\r\nEmotet payload.\r\nWhen the payload is a .exe executable file, the PowerShell payload fetches the .exe file from the attacker’s infrastructure and\r\nexecutes it on the victim’s system.\r\nAs seen in the image below, the memory permissions for the region 0x10000000 to 0x00028000 have been set to ERW\r\n(Execute, Read, Write).\r\nFile Hash – SHA256\r\nfc0d549104f2c18619758a5ca56847c65e16981121dfebc50b9a8eebc886573b f717350418d58d2ba6c0492794508bc7cd5d3cdfcb3c4334276dba9404\r\nf57b21a4d6338a3d3552216e1cd2a39cfdc58310bce524d8f63004ee71aa2938 f227c59532fa2aad62305a79cac5e13019a7d969765758a86218b85b00\r\nf023bf21ed5a54f84d75aa8ec2c0f40628dca0443b0e07375b52a657af838e3c ef4f5373736a876fbfa74f6e9904f6f23f9c052f3f474d3ba0638cafd5185\r\nef0ee0f3b035a9aff22171da5cb6ce2870aad3ff4482ff36dcc54e8ee9c9c4fe edf90b6422680bf15e95c8ce3fea26162fca3cfdf8dbb6c04f253089c0f7\r\ne383a83e1f5c3c207418d26d3bfd88fb176c4e83f54bc07b2c9c783e09e35a15 df68d5f7df57a1109b6a3a1c7b7295ef427a8a2542cee5bc8654eab0aad\r\ndc13a72e1e5325435158cc9151c2dc85a21b9f3f3e3bedc3f23a16ca8228dbd2 d7ba34224a23a54ced6d118e44c2cdebc7365cae81e168aa6f3cb72b546\r\nccda6d2b252f30164eb8947e2ec403bf84f023988e678cb91892a95bfc051131 cc73ad809eeba4440454fce00ee8d2076a57c6a64761af465f8f34cdc38\r\ncb5ac045795644ed2f7aeadc1526f438375248bb6cdedf300015a1978245a32a c9aaf815abe2d627ea9ac3ee7fa9fa62971a3710acd33a438a4581ee95af\r\nc436e7c76e37650fe6c6efb6ffb5836bbce8b192c2b750bfcb0f089b255a0e0f 
c3235d8500c49161130b852defb4963e68e78bd149714e7f7c850e9587\r\nc199e4c4607e53ad448227314fa7f31d7464e9d4138446d32ddf7e1390a3e794 bc1a988b403559ad5da8b393414bec3bbed8cc3016476d9dd63779947\r\nba3b47d0e52f983be9c585e9b30f4af080249836cd7c9e1b401d19b7db7cf939 b7bb028310c3e03f25ffb3955e2f9fd2018caaf2da268ed0eea2306981a9\r\nb243bf0122828c99bf083af2f324b5f336aa46769fd94349eb2a9828bbdefc86 ad278f4cf2e1eaa01f4a77db435f66f15cd49e6a8e3af5f04998fbeff8277\r\n9d4d9beaaeeac9fa7c3e6dcbcfa13da3619a28d20ec820de8ee9a6bfe952c148 9c2148eb0d49971908766b1c9c1875b7e8a627347ed19458ff2f8fa238\r\n9af62bbd1381d9566f907d99a7cfc9f532936cddb04f359736aa4bd3231ad020 9721c3df9f18b63c21f81604cf7b0d1ae45e603eb9d6d85189298b7e39\r\n918fb07d648cd5235b6361d30256c37c4bc07cd4c3312b713276d035e0004fa6 8d728385d57b0bcd128751ace9f7550c210e841a41ba366c09d8cbcd78\r\n88e8fa38140a1a3f906fac5b9a526132e978cc9c2de05ee3b5a49ff8f312c03e 86a6f7971fae83e42ff5af58c1364a66a9f40f0fbe6f88f536e8746aed051\r\n84e9eff680264b95cbc8fe0bb3850a9c0ac11a9d0e33d867744ec720fcef875f 83b01c1031a2f40d9d563363eded81373d19815ded57596bb467c0672\r\n82f9d9279b752c4c7b6ca40c737a09b55e4be09d96093351bb6b0614f12d08ed 824a6047233e2ac4af1ec01470fa6c92aafeb4edbe50170ffcd8a71fbdaa\r\nhttps://web.archive.org/web/20211223100528/https://cloudsek.com/emotet-2-0-everything-you-need-to-know-about-the-new-variant-of-thbanking-trojan/\r\nPage 1 of 2\n\n7b428765408589b1783d877924b1904c74036346a6d6561e064a50e68d25f9f3 7a36f90f9decaa862fad06b462cfe9756778e786345f84585fe0ce66e2a5\r\n77bfee9cb826154ed07a2d8aef0b58e434984185751a0c0b35d080f3d816bf0a 77bdae696540c67e4c9fa5243667723191f2c7724280c4a566f0bdafa29\r\n6d679474a78796803d07ce6fe31a215ac9f5de7e6cc4e29ccfff6cd809af2360 65b0db343f74c2d2df9af530ce27b7b4e80a9a4b644d6f422b139cbf787\r\n62bcc4f1d51e92b4bf4797acd41bd9bcb0d66750e5c90555f6cc5d0bfa105581 62792a0de7959a7e4352fecea08adc050e22c965f6bd100a246bde5fd8f\r\n5fef57576da8bcbb07d5858148f1fe0b70adddeed7394a4fa112ef9871b6b76d 
5fc0e6c51016ae8e1e9fc0d6d96a28833947ce0872b333ef39f42e218c4\r\n59f5ce0c5422c95f739c094cd177f1149d4f8d0d3091f32c959d0dad34e3da98 54533a4f2c942c589c93b8f494a28804b42a8ee049d292faff2a247172b\r\n5246f80dc9da8cc6f40241f0846b0ba301604348005fe397704ec39b711c2fda 51ed1a79f300dd22a2fd558296df74cd0ca182d5301d1b22a31189d200\r\n4dedc2bfa4657a52c66b190bcf4ff3b35d492bf13f1c8a6705078932e6a4883c 4da56959d4d126c44efbb99be3da0edc21d2e530c91035f7e04d63184d\r\n47db58b63bcaa028cd345209a11e93334c0c9aad2b895e8a9a72b0c20be8adb6 45aecf95b1011751b81a88542fac64c2a747c445cef48b90b24f6303ea0\r\n3dc904b04fb0178bed08752004daf9fe3023ba01f5c6a5466b3cf657deb2b1bd 3d605a6edf9007ce53e65c78c62070afc7da2cd1658546fd2e119a4bc03\r\n3b940b1a3d79aeb998d24c750b1d8dd7b2813c0612ffaec14aff9c9761290483 3b51f9935edabda771bd7c33eba789c0552bff3240488e3daa4a1e7b39f\r\n3710b6a12451de36d8743766a129677c0e6f3a95996fdb16819c4fc1503ce0ec 36fcc3252115a11533c543d81f8acb92da975aebbf6593a75a5826765ab\r\n369e3867e57f226e567138dcafaf920c71bfb5ab959c6415f36fc16df1a56a0e 35347dd43af88f9adbbaff8dee84da9c6187bc3583246baa366c9dd6d25\r\n2c3812c81ed37982aff0b5a0becf00dffa537da56acca8792c96740ea42b7df3 2b9ad1e926df4c7a6af565fff49e4f1b7c9fad97672de67aad273d8142d2\r\n2717ddf8dc06e896ac9301202571353e2fa23acb4c9ba5978196e74c62c46909 20e25627fab8de69bac4e94599fab2767df36438697cccfc48e8539649b\r\n1ea47a5d3f11650fc755a28fe54e8ab6557b635145925c23e42fc5eda85e4b8a 1e9345ee7d442805a04bf6bd5eefea8e5de05fde2b60f1362f5d0239d76\r\n124449bd0b9097b454c35fa258bda625ff6ecf5bf6f1316d7abb46fad459a273 118aeefa04fb5338c15d7fa9fffa137fd3c1b6c86fb3b32fddf637b50aaa1\r\n100cc1e3bcc4f5ad7ee601ca99ecaf17bbcf4fbf3878d0375c87cee00dd24756 0e662c5e7cc88a55c15b44685eb78ba249e9164513baa865800e4e1e83\r\n073e41ee489ae16d60361a9abff708d92df0d3a2a5f7a4d1b05ecfa3880cbead 040760ffb0fb37f80a9654390879a12f036c614b5117f6fded7513db63d\r\n023549c2246838ebf7bbd91c2414de4950c3c0eaabb875e66e24baf410438aa6\r\nSource: 
https://web.archive.org/web/20211223100528/https://cloudsek.com/emotet-2-0-everything-you-need-to-know-about-the-new-variant-of-thbanking-trojan/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://web.archive.org/web/20211223100528/https://cloudsek.com/emotet-2-0-everything-you-need-to-know-about-the-new-variant-of-thbanking-trojan/"
	],
	"report_names": [
		"emotet-2-0-everything-you-need-to-know-about-the-new-variant-of-thbanking-trojan"
	],
	"threat_actors": [],
	"ts_created_at": 1775434424,
	"ts_updated_at": 1775791319,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f7192bf9c1598d2c90d0e2fbb05a0b97449ee056.pdf",
		"text": "https://archive.orkl.eu/f7192bf9c1598d2c90d0e2fbb05a0b97449ee056.txt",
		"img": "https://archive.orkl.eu/f7192bf9c1598d2c90d0e2fbb05a0b97449ee056.jpg"
	}
}