Emotet

Emotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014 and has been primarily used to target the banking sector. [1]

ID: S0367
Associated Software: Geodo
Type: MALWARE
Platforms: Windows
Contributors: Omkar Gudhate
Version: 1.5
Created: 25 March 2019
Last Modified: 29 September 2023

Associated Software Descriptions

Name Description
Geodo

[2]

Techniques Used

Domain ID Name Use
Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

Emotet has the ability to duplicate the user’s token.[3]

Enterprise T1087 .003 Account Discovery: Email Account

Emotet has been observed leveraging a module that can scrape email addresses from Outlook.[4][5][3]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Emotet has used HTTP for command and control.[3]

Enterprise T1560 Archive Collected Data

Emotet has been observed encrypting the data it collects before sending it to the C2 server. [6]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Emotet has been observed adding the downloaded payload to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key to maintain persistence.[7][8][9]

Enterprise T1110 .001 Brute Force: Password Guessing

Emotet has been observed using a hard coded list of passwords to brute force user accounts. [10][7][8][11][4][3]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Emotet has used Powershell to retrieve the malicious payload and download additional resources like Mimikatz. [7][2][9][12][13]

.003 Command and Scripting Interpreter: Windows Command Shell

Emotet has used cmd.exe to run a PowerShell script. [9]

.005 Command and Scripting Interpreter: Visual Basic

Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads. [7][14][2][9][13]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Emotet has been observed creating new services to maintain persistence.[8][11][3]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Emotet has been observed dropping browser password grabber modules. [2][5]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Emotet has used Google’s Protobufs to serialize data sent to and from the C2 server.[3]

Enterprise T1140 Deobfuscate/Decode Files or Information

Emotet has used a self-extracting RAR file to deliver modules to victims. Emotet has also extracted embedded executables from files using hard-coded buffer offsets.[3]

Enterprise T1114 Email Collection

Emotet has been observed leveraging a module that can scrape email addresses from Outlook.[4][5][3]

.001 Local Email Collection

Emotet has been observed leveraging a module that scrapes email data from Outlook.[4]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Emotet is known to use RSA keys for encrypting C2 traffic. [2]

Enterprise T1041 Exfiltration Over C2 Channel

Emotet has exfiltrated data over its C2 channel.[2][3]

Enterprise T1210 Exploitation of Remote Services

Emotet has been seen exploiting SMB via a vulnerability exploit like EternalBlue (MS17-010) to achieve lateral movement and propagation.[7][8][11][12]

Enterprise T1570 Lateral Tool Transfer

Emotet has copied itself to remote systems using the service.exe filename.[3]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Emotet has installed itself as a new service with the service name Windows Defender System Service and display name WinDefService.[3]

Enterprise T1106 Native API

Emotet has used CreateProcess to create a new process to run its executable and WNetEnumResourceW to enumerate non-hidden shares.[3]

Enterprise T1135 Network Share Discovery

Emotet has enumerated non-hidden network shares using WNetEnumResourceW. [3]

Enterprise T1040 Network Sniffing

Emotet has been observed to hook network APIs to monitor network traffic. [1]

Enterprise T1571 Non-Standard Port

Emotet has used HTTP over ports such as 20, 22, 443, 7080, and 50000, in addition to using ports commonly associated with HTTP/S.[14][3]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Emotet has used custom packers to protect its payloads.[2]

.009 Obfuscated Files or Information: Embedded Payloads

Emotet has dropped an embedded executable at %Temp%\setup.exe.[3]

.010 Obfuscated Files or Information: Command Obfuscation

Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, CMD.exe arguments, and PowerShell scripts. [14][2][9][15]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Emotet has been observed dropping password grabber modules including Mimikatz. [2]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Emotet has been delivered by phishing emails containing attachments. [16][10][7][8][14][2][9][13][5]

.002 Phishing: Spearphishing Link

Emotet has been delivered by phishing emails containing links. [1][17][16][10][7][8][14][14][9]

Enterprise T1057 Process Discovery

Emotet has been observed enumerating local processes.[18]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Emotet has been observed injecting in to Explorer.exe and other processes. [9][1][8]

Enterprise T1620 Reflective Code Loading

Emotet has reflectively loaded payloads into memory.[3]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Emotet has leveraged the Admin$, C$, and IPC$ shares for lateral movement. [10][3]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Emotet has maintained persistence through a scheduled task. [8]

Enterprise T1016 .002 System Network Configuration Discovery: Wi-Fi Discovery

Emotet can extract names of all locally reachable Wi-Fi networks and then perform a brute-force attack to spread to new networks.[3]

Enterprise T1033 System Owner/User Discovery

Emotet has enumerated all users connected to network shares.

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Emotet has been observed leveraging a module that retrieves passwords stored on a system for the current logged-on user. [8][4]

Enterprise T1204 .001 User Execution: Malicious Link

Emotet has relied upon users clicking on a malicious link delivered through spearphishing.[1][13]

.002 User Execution: Malicious File

Emotet has relied upon users clicking on a malicious attachment delivered through spearphishing.[1][13][5]

Enterprise T1078 .003 Valid Accounts: Local Accounts

Emotet can brute force a local admin password, then use it to facilitate lateral movement.[10]

Enterprise T1047 Windows Management Instrumentation

Emotet has used WMI to execute powershell.exe.[13]

Groups That Use This Software

ID Name References
G0102 Wizard Spider

[19][20]

References