Emotet is a modular malware family that is primarily used as a downloader for other malware such as TrickBot and IcedID. Emotet first emerged in June 2014 and has primarily been used to target the banking sector.
Associated Software: Geodo
Contributors: Omkar Gudhate
Associated Software Descriptions
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1110 | Brute Force | Emotet has been observed using a hard-coded list of passwords to brute force user accounts. |
| Enterprise | T1059 | Command-Line Interface | Emotet has used cmd.exe to run a PowerShell script. |
| Enterprise | T1043 | Commonly Used Port | Emotet has used ports 20, 22, 80, 443, 8080, and 8443. |
| Enterprise | T1003 | Credential Dumping | Emotet has been observed dropping browser and password grabber modules, including Mimikatz. |
| Enterprise | T1081 | Credentials in Files | Emotet has been observed leveraging a module that retrieves passwords stored on a system for the currently logged-on user. |
| Enterprise | T1094 | Custom Command and Control Protocol | Emotet has been observed using an encrypted, modified protobuf-based protocol for command and control messaging. |
| Enterprise | T1022 | Data Encrypted | Emotet has been observed encrypting the data it collects before sending it to the C2 server. |
| Enterprise | T1114 | Email Collection | Emotet has been observed leveraging a module that scrapes email data from Outlook. |
| Enterprise | T1041 | Exfiltration Over Command and Control Channel | Emotet has been seen exfiltrating system information stored within cookies sent in an HTTP GET request back to its C2 servers. |
| Enterprise | T1210 | Exploitation of Remote Services | Emotet has been seen exploiting SMB via a vulnerability exploit such as ETERNALBLUE (MS17-010) to achieve lateral movement and propagation. |
| Enterprise | T1040 | Network Sniffing | Emotet has been observed hooking network APIs to monitor network traffic. |
| Enterprise | T1050 | New Service | Emotet has been observed creating new services to maintain persistence. |
| Enterprise | T1027 | Obfuscated Files or Information | Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, cmd.exe arguments, and PowerShell scripts. |
| Enterprise | T1086 | PowerShell | Emotet has used PowerShell to retrieve the malicious payload and download additional resources such as Mimikatz. |
| Enterprise | T1057 | Process Discovery | Emotet has been observed enumerating local processes. |
| Enterprise | T1055 | Process Injection | Emotet has been observed injecting into explorer.exe and other processes. |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | Emotet has been observed adding the downloaded payload to the |
| Enterprise | T1053 | Scheduled Task | Emotet has maintained persistence through a scheduled task. |
| Enterprise | T1064 | Scripting | Emotet has sent Microsoft Word documents with embedded macros that invoke scripts to download additional payloads. |
| Enterprise | T1045 | Software Packing | Emotet has used custom packers to protect its payloads. |
| Enterprise | T1193 | Spearphishing Attachment | Emotet has been delivered by phishing emails containing attachments. |
| Enterprise | T1192 | Spearphishing Link | Emotet has been delivered by phishing emails containing links. |
| Enterprise | T1032 | Standard Cryptographic Protocol | Emotet is known to use RSA keys for encrypting C2 traffic. |
| Enterprise | T1065 | Uncommonly Used Port | Emotet has been observed communicating over non-standard ports, including 7080 and 50000. |
| Enterprise | T1204 | User Execution | Emotet has relied upon users clicking on a malicious link or attachment delivered through spearphishing. |
| Enterprise | T1078 | Valid Accounts | Emotet can brute force a local admin password, then use it to facilitate lateral movement. |
| Enterprise | T1077 | Windows Admin Shares | Emotet leverages the Admin$ share for lateral movement once the local admin password has been brute forced. |
| Enterprise | T1047 | Windows Management Instrumentation | Emotet has used WMI to execute powershell.exe. |
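The execution rows above (T1059, T1064, T1086 and T1047) describe two process chains a defender can look for in process-creation telemetry: an Office document spawning cmd.exe which spawns powershell.exe, and the WMI provider host spawning powershell.exe. The following walker is an added example, not code from the ATT&CK page; the event tuples are constructed to stand in for Sysmon-style process-creation records, and the field layout and the WmiPrvSE.exe image name as the WMI parent are assumptions.

```python
# Added example: walk a process tree built from constructed process-creation
# events and flag powershell.exe instances whose ancestry matches the chains
# attributed to Emotet in the table (Office -> cmd.exe -> PowerShell, and
# WMI provider host -> PowerShell). Event layout (pid, ppid, image) is assumed.

OFFICE = {"winword.exe", "excel.exe"}  # macro-bearing document hosts

# Constructed sample events: (pid, ppid, image). pid 800 is a benign shell
# launched from Explorer and must not be flagged.
EVENTS = [
    (100, 1, "explorer.exe"),
    (200, 100, "WINWORD.EXE"),
    (300, 200, "cmd.exe"),
    (400, 300, "powershell.exe"),
    (500, 1, "WmiPrvSE.exe"),
    (600, 500, "powershell.exe"),
    (700, 100, "cmd.exe"),
    (800, 700, "powershell.exe"),
]

def build_tree(events):
    """Map pid -> (ppid, lower-cased image) so ancestry can be walked."""
    return {pid: (ppid, image.lower()) for pid, ppid, image in events}

def ancestry(tree, pid):
    """Image names from pid up to the root, child first; loop-safe."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        ppid, image = tree[pid]
        chain.append(image)
        pid = ppid
    return chain

def flag_emotet_chains(events):
    """Return {pid: technique label} for PowerShell processes whose
    parent chain matches one of the patterns from the technique table."""
    tree = build_tree(events)
    hits = {}
    for pid, (_, image) in tree.items():
        if image != "powershell.exe":
            continue
        chain = ancestry(tree, pid)  # chain[0] is powershell.exe itself
        if len(chain) >= 2 and chain[1] == "wmiprvse.exe":
            hits[pid] = "T1047 WMI -> PowerShell"
        elif len(chain) >= 3 and chain[1] == "cmd.exe" and chain[2] in OFFICE:
            hits[pid] = "T1064 Office macro -> cmd.exe -> PowerShell"
    return hits

if __name__ == "__main__":
    for pid, label in sorted(flag_emotet_chains(EVENTS).items()):
        print(pid, label)
```

Real telemetry also carries the command line, so the same walk can be extended to check for the encoded or obfuscated PowerShell arguments mentioned under T1027.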