Emotet is a modular malware family that is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014 and has been primarily used to target the banking sector.[1]

ID: S0367
Associated Software: Geodo

Contributors: Omkar Gudhate

Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1110 | Brute Force | Emotet has been observed using a hard-coded list of passwords to brute-force user accounts.[2][3][4][5][6]
Enterprise | T1059 | Command-Line Interface | Emotet has used cmd.exe to run a PowerShell script.[7]
Enterprise | T1043 | Commonly Used Port | Emotet has used ports 20, 22, 80, 443, 8080, and 8443.[8][9][10]
Enterprise | T1003 | Credential Dumping | Emotet has been observed dropping browser and password grabber modules, including Mimikatz.[10]
Enterprise | T1081 | Credentials in Files | Emotet has been observed leveraging a module that retrieves passwords stored on a system for the currently logged-on user.[4][6]
Enterprise | T1094 | Custom Command and Control Protocol | Emotet has been observed using an encrypted, modified protobuf-based protocol for command and control messaging.[11][12]
Enterprise | T1022 | Data Encrypted | Emotet has been observed encrypting the data it collects before sending it to the C2 server.[13]
Enterprise | T1114 | Email Collection | Emotet has been observed leveraging a module that scrapes email data from Outlook.[6]
Enterprise | T1041 | Exfiltration Over Command and Control Channel | Emotet has been seen exfiltrating system information stored in cookies sent in HTTP GET requests back to its C2 servers.[10]
Enterprise | T1210 | Exploitation of Remote Services | Emotet has been seen exploiting SMB via vulnerability exploits such as ETERNALBLUE (MS17-010) to achieve lateral movement and propagation.[4][5][14]
Enterprise | T1040 | Network Sniffing | Emotet has been observed hooking network APIs to monitor network traffic.[1]
Enterprise | T1050 | New Service | Emotet has been observed creating new services to maintain persistence.[4][5]
Enterprise | T1027 | Obfuscated Files or Information | Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, cmd.exe arguments, and PowerShell scripts.[9][10][7][15]
Enterprise | T1086 | PowerShell | Emotet has used PowerShell to retrieve the malicious payload and download additional resources such as Mimikatz.[3][10][7][14]
Enterprise | T1057 | Process Discovery | Emotet has been observed enumerating local processes.[16]
Enterprise | T1055 | Process Injection | Emotet has been observed injecting into Explorer.exe and other processes.[7][1][4]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Emotet has been observed adding the downloaded payload to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key to maintain persistence.[3][4][7]
Enterprise | T1053 | Scheduled Task | Emotet has maintained persistence through a scheduled task.[4]
Enterprise | T1064 | Scripting | Emotet has sent Microsoft Word documents with embedded macros that invoke scripts to download additional payloads.[3][9][10][7]
Enterprise | T1045 | Software Packing | Emotet has used custom packers to protect its payloads.[10]
Enterprise | T1193 | Spearphishing Attachment | Emotet has been delivered by phishing emails containing attachments.[8][2][3][4][9][10][7]
Enterprise | T1192 | Spearphishing Link | Emotet has been delivered by phishing emails containing links.[1][17][8][2][3][4][9][7]
Enterprise | T1032 | Standard Cryptographic Protocol | Emotet is known to use RSA keys for encrypting C2 traffic.[10]
Enterprise | T1065 | Uncommonly Used Port | Emotet has been observed communicating over non-standard ports, including 7080 and 50000.[17][7][11][9]
Enterprise | T1204 | User Execution | Emotet has relied upon users clicking on a malicious link or attachment delivered through spearphishing.[1]
Enterprise | T1078 | Valid Accounts | Emotet can brute-force a local admin password, then use it to facilitate lateral movement.[2]
Enterprise | T1077 | Windows Admin Shares | Emotet leverages the Admin$ share for lateral movement once the local admin password has been brute-forced.[2]