Register to stream ATT&CKcon 2.0 October 29-30


Emotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014 and has been primarily used to target the banking sector. [1]

ID: S0367
Associated Software: Geodo
Platforms: Windows
Contributors: Omkar Gudhate
Version: 1.1

Associated Software Descriptions

Name Description
Geodo [7]

Techniques Used

Domain ID Name Use
Enterprise T1110 Brute Force Emotet has been observed using a hard coded list of passwords to brute force user accounts. [2] [3] [4] [5] [6]
Enterprise T1059 Command-Line Interface Emotet has used cmd.exe to run a PowerShell script. [9]
Enterprise T1043 Commonly Used Port Emotet has used ports 20, 22, 80, 443, 8080, and 8443. [11] [8] [7] [12]
Enterprise T1003 Credential Dumping Emotet has been observed dropping browser and password grabber modules including Mimikatz. [7]
Enterprise T1081 Credentials in Files Emotet has been observed leveraging a module that retrieves passwords stored on a system for the current logged-on user. [4] [6]
Enterprise T1094 Custom Command and Control Protocol Emotet has been observed using an encrypted, modified protobuf-based protocol for command and control messaging. [15] [17]
Enterprise T1022 Data Encrypted Emotet has been observed encrypting the data it collects before sending it to the C2 server. [16]
Enterprise T1114 Email Collection Emotet has been observed leveraging a module that scrapes email data from Outlook. [6]
Enterprise T1041 Exfiltration Over Command and Control Channel Emotet has been seen exfiltrating system information stored within cookies sent within an HTTP GET request back to its C2 servers. [7]
Enterprise T1210 Exploitation of Remote Services Emotet has been seen exploiting SMB via a vulnerability exploit like ETERNALBLUE (MS17-010) to achieve lateral movement and propagation. [4] [5] [13]
Enterprise T1040 Network Sniffing Emotet has been observed to hook network APIs to monitor network traffic. [1]
Enterprise T1050 New Service Emotet has been observed creating new services to maintain persistence. [4] [5]
Enterprise T1027 Obfuscated Files or Information Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, CMD.exe arguments, and PowerShell scripts. [8] [7] [9] [10]
Enterprise T1086 PowerShell Emotet has used Powershell to retrieve the malicious payload and download additional resources like Mimikatz. [3] [7] [9] [13] [12]
Enterprise T1057 Process Discovery Emotet has been observed enumerating local processes. [18]
Enterprise T1055 Process Injection Emotet has been observed injecting in to Explorer.exe and other processes. [9] [1] [4]
Enterprise T1060 Registry Run Keys / Startup Folder Emotet has been observed adding the downloaded payload to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key to maintain persistence. [3] [4] [9]
Enterprise T1053 Scheduled Task Emotet has maintained persistence through a scheduled task. [4]
Enterprise T1064 Scripting Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads. [3] [8] [7] [9] [12]
Enterprise T1045 Software Packing Emotet has used custom packers to protect its payloads. [7]
Enterprise T1193 Spearphishing Attachment Emotet has been delivered by phishing emails containing attachments. [11] [2] [3] [4] [8] [7] [9] [12]
Enterprise T1192 Spearphishing Link Emotet has been delivered by phishing emails containing links. [1] [14] [11] [2] [3] [4] [8] [8] [9]
Enterprise T1032 Standard Cryptographic Protocol Emotet is known to use RSA keys for encrypting C2 traffic. [7]
Enterprise T1065 Uncommonly Used Port Emotet has been observed communicating over non standard ports, including 7080 and 50000. [14] [9] [15] [8]
Enterprise T1204 User Execution Emotet has relied upon users clicking on a malicious link or attachment delivered through spearphishing. [1] [12]
Enterprise T1078 Valid Accounts Emotet can brute force a local admin password, then use it to facilitate lateral movement. [2]
Enterprise T1077 Windows Admin Shares Emotet leverages the Admin$ share for lateral movement once the local admin password has been brute forced. [2]
Enterprise T1047 Windows Management Instrumentation Emotet has used WMI to execute powershell.exe. [12]