{
	"id": "aacea347-fc34-4b0b-a855-1f0c3078601c",
	"created_at": "2026-04-06T00:12:29.304787Z",
	"updated_at": "2026-04-10T13:11:49.877905Z",
	"deleted_at": null,
	"sha1_hash": "fad3c4ca2317fb2c7e9a28c71ff37509024d8f6c",
	"title": "Emotet Malware | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61450,
	"plain_text": "Emotet Malware | CISA\r\nPublished: 2020-01-23 · Archived: 2026-04-05 15:58:08 UTC\r\nSystems Affected\r\nNetwork Systems\r\nOverview\r\nEmotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.\r\nThis joint Technical Alert (TA) is the result of Multi-State Information Sharing & Analysis Center (MS-ISAC) analytic efforts, in coordination with the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC).\r\nDescription\r\nEmotet continues to be among the most costly and destructive malware affecting SLTT governments. Its worm-like features result in rapidly spreading network-wide infections, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.\r\nEmotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment.\r\nEmotet is disseminated through malspam (emails containing malicious attachments or links) that uses branding familiar to the recipient; it has even been spread using the MS-ISAC name. As of July 2018, the most recent campaigns imitate PayPal receipts, shipping notifications, or “past-due” invoices purportedly from MS-ISAC. Initial infection occurs when a user opens or clicks the malicious download link, PDF, or macro-enabled Microsoft Word document included in the malspam. Once downloaded, Emotet establishes persistence and attempts to propagate through the local networks via incorporated spreader modules.\r\nFigure 1: Malicious email distributing Emotet\r\nCurrently, Emotet uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper, and a credential enumerator.\r\n1. NetPass.exe is a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the current logged-on user. This tool can also recover passwords stored in the credentials file of external drives.\r\nhttps://www.us-cert.gov/ncas/alerts/TA18-201A\r\nPage 1 of 4\r\n2. Outlook scraper is a tool that scrapes names and email addresses from the victim’s Outlook accounts and uses that information to send out additional phishing emails from the compromised accounts.\r\n3. WebBrowserPassView is a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module.\r\n4. Mail PassView is a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module.\r\n5. Credential enumerator is a self-extracting RAR file containing two components: a bypass component and a service component. The bypass component is used for the enumeration of network resources and either finds writable share drives using Server Message Block (SMB) or tries to brute force user accounts, including the administrator account. Once an available system is found, Emotet writes the service component on the system, which writes Emotet onto the disk. Emotet’s access to SMB can result in the infection of entire domains (servers and clients).\r\nFigure 2: Emotet infection process\r\nTo maintain persistence, Emotet injects code into explorer.exe and other running processes. It can also collect sensitive information, including system name, location, and operating system version, and connects to a remote command and control server (C2), usually through a generated 16-letter domain name that ends in “.eu.” Once Emotet establishes a connection with the C2, it reports a new infection, receives configuration data, downloads and runs files, receives instructions, and uploads data to the C2 server.\r\nEmotet artifacts are typically found in arbitrary paths located off of the AppData\\Local and AppData\\Roaming directories. The artifacts usually mimic the names of known executables. Persistence is typically maintained through Scheduled Tasks or via registry keys. Additionally, Emotet creates randomly-named files in the system root directories that are run as Windows services. When executed, these services attempt to propagate the malware to adjacent systems via accessible administrative shares.\r\nNote: It is essential that privileged accounts are not used to log in to compromised systems during remediation, as this may accelerate the spread of the malware.\r\nExample Filenames and Paths:\r\nC:\\Users\\<username>\\AppData \\Local\\Microsoft\\Windows\\shedaudio.exe\r\nC:\\Users\\<username>\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia\\bin\\flashplayer.exe\r\nTypical Registry Keys:\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nHKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nSystem Root Directories:\r\nC:\\Windows\\11987416.exe\r\nC:\\Windows\\System32\\46615275.exe\r\nC:\\Windows\\System32\\shedaudio.exe\r\nC:\\Windows\\SysWOW64\\f9jwqSbS.exe\r\nImpact\r\nNegative consequences of Emotet infection include\r\n- temporary or permanent loss of sensitive or proprietary information,\r\n- disruption to regular operations,\r\n- financial losses incurred to restore systems and files, and\r\n- potential harm to an organization’s reputation.\r\nSolution\r\nNCCIC and MS-ISAC recommend that organizations adhere to the following general best practices to limit the effect of Emotet and similar malspam:\r\n- Use Group Policy Object to set a Windows Firewall rule to restrict inbound SMB communication between client systems. If using an alternative host-based intrusion prevention system (HIPS), consider implementing custom modifications for the control of client-to-client SMB communication. At a minimum, create a Group Policy Object that restricts inbound SMB connections to clients originating from clients.\r\n- Use antivirus programs, with automatic updates of signatures and software, on clients and servers.\r\n- Apply appropriate patches and updates immediately (after appropriate testing).\r\n- Implement filters at the email gateway to filter out emails with known malspam indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall.\r\n- If your organization does not have a policy regarding suspicious emails, consider creating one and specifying that all suspicious emails should be reported to the security or IT department.\r\n- Mark external emails with a banner denoting that they are from an external source. This will assist users in detecting spoofed emails.\r\n- Provide employees training on social engineering and phishing. Urge employees not to open suspicious emails, click links contained in such emails, or post sensitive information online, and to never provide usernames, passwords, or personal information in answer to any unsolicited request. Educate users to hover over a link with their mouse to verify the destination prior to clicking on the link.\r\n- Consider blocking file attachments that are commonly associated with malware, such as .dll and .exe, and attachments that cannot be scanned by antivirus software, such as .zip files.\r\n- Adhere to the principle of least privilege, ensuring that users have the minimum level of access required to accomplish their duties. Limit administrative credentials to designated administrators.\r\n- Implement Domain-Based Message Authentication, Reporting & Conformance (DMARC), a validation system that minimizes spam emails by detecting email spoofing using Domain Name System (DNS) records and digital signatures.\r\nIf a user or organization believes they may be infected, NCCIC and MS-ISAC recommend running an antivirus scan on the system and taking action to isolate the infected workstation based on the results. If multiple workstations are infected, the following actions are recommended:\r\n- Identify, shut down, and take the infected machines off the network;\r\n- Consider temporarily taking the network offline to perform identification, prevent reinfections, and stop the spread of the malware;\r\n- Do not log in to infected systems using domain or shared local administrator accounts;\r\n- Reimage the infected machine(s);\r\n- After reviewing systems for Emotet indicators, move clean systems to a containment virtual local area network that is segregated from the infected network;\r\n- Issue password resets for both domain and local credentials;\r\n- Because Emotet scrapes additional credentials, consider password resets for other applications that may have had stored credentials on the compromised machine(s);\r\n- Identify the infection source (patient zero); and\r\n- Review the log files and the Outlook mailbox rules associated with the infected user account to ensure further compromises have not occurred. It is possible that the Outlook account may now have rules to auto-forward all emails to an external email address, which could result in a data breach.\r\nReporting\r\nMS-ISAC is the focal point for cyber threat prevention, protection, response, and recovery for the nation’s SLTT governments. More information about this topic, as well as 24/7 cybersecurity assistance for SLTT governments, is available by phone at 866-787-4722, by email at SOC@cisecurity.org, or on MS-ISAC’s website at https://msisac.cisecurity.org/.\r\nTo report an intrusion and request resources for incident response or technical assistance, contact CISA Central by email at SayCISA@cisa.dhs.gov or by phone at 1-844-Say-CISA.\r\nRevisions\r\nJuly 20, 2018: Initial version\r\nJanuary 23, 2020: Fixed typo\r\nSource: https://www.us-cert.gov/ncas/alerts/TA18-201A",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.us-cert.gov/ncas/alerts/TA18-201A"
	],
	"report_names": [
		"TA18-201A"
	],
	"threat_actors": [],
	"ts_created_at": 1775434349,
	"ts_updated_at": 1775826709,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fad3c4ca2317fb2c7e9a28c71ff37509024d8f6c.pdf",
		"text": "https://archive.orkl.eu/fad3c4ca2317fb2c7e9a28c71ff37509024d8f6c.txt",
		"img": "https://archive.orkl.eu/fad3c4ca2317fb2c7e9a28c71ff37509024d8f6c.jpg"
	}
}