Report this app



The textual content under is a joint work of Maria Jose Erquiaga, Onur Erdogan and Adela Jezkova from Cisco Cognitive staff

Emotet (often known as Geodo and Heodo) is a banking trojan, however additionally it is a modular malware that can be utilized to obtain different malware as Trickbot and IcedID [8, 9, 13]. Emotet was noticed for the primary time in 2014 [9]. In January 2021, in a mixed effort by Interpol and Eurojust, Emotet was taken down [12]. Nonetheless, Emotet rose once more in November 2021, and it has proven extra exercise since 2022) [6, 7].

Despite the fact that Emotet was born as a banking trojan, it developed in time and have become extremely modular risk. This evolution granted adversaries a device for various functions. Emotet can be utilized as an preliminary payload and stay inactive for prolonged intervals of time till the adversaries determine to leverage it [10]. This function of Emotet offers the adversaries the pliability to hold out a multi-stage an infection course of. Because of this Emotet can act as banking trojan, but in addition has been noticed to drop further malware within the contaminated programs [1]. Emotet has the potential to gathering info of the contaminated programs and the adversaries can consider the worth of the asset [14, 15] Some evaluation reveals that Emotet can drop CobaltStrike, which then drops ransomware [11]. For instance, one of many ransomware dropped by Emotet is Ryuk [9].

Previously few months, Emotet malware has been noticed within the wild, and its detection progress significantly [1]. Despite the fact that this Emotet re-appearance occurred at (nearly) the identical time as Log4J vulnerability was found, there’s not sufficient proof that these two issues are associated. Nonetheless, CobaltStrike, which is thought to be associated to Emotet, was utilizing Log4J vulnerability [4].

The reappearance of Emotet motivated our deeper analysis and energy to replace the detection capability for International Risk Alerts  prospects. Because of it, the purchasers of Cisco Safe Community Analytics and Safe Endpoint utilizing GTA get higher protection of the risk now.

We summarize on this weblog Emotet risk, it’s lifecycle and typical detectable patterns. Within the second a part of the weblog we present methods to use GTA to detect the Emotet.

Abstract of Emotet traits

  • Modular banking trojan
  • Downloader/Dropper
  • Polymorphic – can evade signature-based detection
  • Digital machine conscious

Emotet habits

The assault circulation is detailed in Determine 1. In line with the evaluation offered by Brad Duncan [2], the assault vector appears to be phishing, through an e mail with an hooked up file (1). The file contained within the phishing e mail, is an Workplace doc (2). When the victims open the workplace doc information and allow macros (3) the Emotet DLL is downloaded within the sufferer’s machine (4). After downloaded, this DLL file is executed (5) and it generates the reference to Emotet Command and management (6) [5, 7].

Determine 1. Emotet assault circulation

Hooked up information and PowerShell execution

As soon as the sufferer opens and executes the contaminated information and permits the macros (primarily with docx or xml extensions), a command is executed to acquire and execute a HTML software. The sample of the URL noticed for this step is the next:

hxxp://{IP handle}/[yy]/[y].png

The place “yy” are normally two alphabetical characters.

For instance, one of many of the URLs based within the wild:


Then, it downloads PowerShell payload then it results in downloading Emotet binary, which is a dll file from any of the given URLs contained within the URL described above. The format, on this case can fluctuate, a number of the URL’s patterns appear to be this:


The place the regex is:

One other sample associated to Emotet was


In the course of the obtain of the Emotet payload, person agent sample was, Mozilla/5.0 (Home windows NT; Home windows NT %; en-US) WindowsPowerShell/5.1.%

DLL execution and Emotet C2

As soon as the DLL information is within the contaminated system, it downloads a PE file after which establishes a communication with its Command and Management, utilizing HTTP or HTTPS protocols, on ports 80, 8080 and 443 [2]. Despite the fact that some researchers declare there isn’t a relationship between Log4J vulnerability and Emotet, there are some frequent behaviours, as the usage of the identical IPs for C2. For instance, these IP addresses are each associated to Emotet and Log4j:

  • 250.21[.]2 and 116.124.128[.]206 based in [4]
  • 94.252[.]3
  • 31.163[.]17
  • 178.186[.]134
  • 79.205[.]117

Detecting Emotet with International Risk Alerts

GTA (International Risk Alerts) detects Emotet as a Excessive-risk risk. The risk description contains the MITRE software program code and the strategies utilized by Emotet.

Determine 2. Element of Emotet description in GTA

The risk element (see Determine 3) accommodates additionally additional info relating to the information that would have been modified, deleted, or created by a specific risk. This info is enriched with the evaluation of Emotet samples in Cisco Risk Grid [16].  The patterns of the information that would have been modified by Emotet, the likelihood of the malware behaviour, and the severity degree for every one of many occasions are supplied. This additional info helps community directors and safety groups to mitigate the risk not solely within the community, but in addition within the gadgets.

Determine 3. Data relating to the behaviour of Emotet in endpoints, primarily based on samples from Emotet. Consists of likelihood of the occasion incidence and severity degree.

Figures 4, 5, and 6, present completely different asset particulars from Emotet Alerts. It’s potential to look at there the site visitors from the contaminated machine to malicious IPs, hosts, and domains which are recognized to be associated to Emotet. Within the first case, the asset established communication with the hostnames 201.213.32[.]59, 45.55.82[.]2 and 89.32.150[.]160 (Determine 4). Within the second instance, the asset communicated with the hostnames robertmchilespe[.]com and vbaint[.]com (Determine 5). Within the third instance, the detection discovered communication to the area 104.131.148[.]38 (Determine 6).

Determine 4. Communication from the asset to hostnames 201.213.32[.]59, 45.55.82[.]2 and 89.32.150[.]160 associated to Emotet
Determine 5. Communication from the asset to hostnames robertmchilespe[.]com and vbaint[.]com, associated to Emotet
Determine 6. Communication from the asset to the area 104.131.148[.]38, associated to Emotet

To confirm if Emotet was detected in your surroundings, click on Emotet Risk element.

Emotet mitigation

To forestall Emotet, we advise the next measures:

  • Block emails with any attachment information which are suspicious
  • Scan suspicious information earlier than opening them
  • Isolate the contaminated gadgets from the remainder of the community to keep away from spreading
  • Prohibit the usage of PowerShell and distant instruments if potential
  • Reset all of the person’s passwords within the contaminated gadgets
  • Think about use 2FA (comparable to Cisco DUO)


We carried out analysis to search out not solely new IOCs (IPs, domains and samples) but in addition URL patters associated to this new Emotet wave to maintain our prospects updated on the newest threats evolutions. The processed IOCs are additionally seeds to machine studying GTA algorithms which assist to additional enrich the detections. GTA customers of Safe Endpoint and Safe Community Analytics can detect Emotet of their programs, execute mitigation actions and keep secure from the evolution of this risk.


  1. Again from the lifeless: Emotet re-emerges, begins rebuilding to wrap up 2021. Talos report, November 2021.
  2. Emotet Return. Revealed: 2021-11-16. Brad Duncan
  3. Reply to Apache Log4j utilizing Cisco Safe Analytics. Robert Harris
  4. Emotet epoch 5 IOCs record, Brad Duncan. 2022
  5. New Emotet An infection Technique. By Saqib Khanzada, Tyler Halfpop, Micah Yates and Brad Duncan. February 15, 2022
  6. Cybersecurity Risk Highlight: Emotet, RedLine Stealer, and Magnat Backdoor. By Artsiom Holub. February 3, 2022
  7. Emotet description. Malpedia. Fraunhofer Institut. Germany
  8. Emotet description, Wikipedia
  9. Again from trip: Analyzing Emotet’s exercise in 2020. November 2020. Cisco Talos.
  10. Detecting Emotet Malware with Cognitive Intelligence
  11. Company Loader “Emotet”: Historical past of “X” Challenge Return for Ransomware. By Yelisey Boguslavskiy & Vitali Kremez. December 2021
  12. World’s most harmful malware EMOTET disrupted by world motion. January 2021. Europol
  13. Emotet Software program description. MITRE
  14. The Commoditization of Multistage Malware Assaults. Chris Gerritz. DarkReading, July 2019.
  15. Emotet rising slowly however steadily since November resurgence. Invoice Toulas. Bleeping laptop. March 2022
  16. Cisco Safe Malware Analytics (Risk Grid)

We’d love to listen to what you suppose. Ask a Query, Remark Under, and Keep Related with Cisco Safe on social!

Cisco Safe Social Channels




Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.