Emotet

Emotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014 and has been primarily used to target the banking sector. [1]

ID: S0367
Associated Software: Geodo
Type: MALWARE
Platforms: Windows
Contributors: Omkar Gudhate
Version: 1.3
Created: 25 March 2019
Last Modified: 24 November 2020

Associated Software Descriptions

Name Description
Geodo

[2]

Techniques Used

Domain ID Name Use
Enterprise T1087 .003 Account Discovery: Email Account

Emotet has been observed leveraging a module that can scrape email addresses from Outlook.[3][4]

Enterprise T1560 Archive Collected Data

Emotet has been observed encrypting the data it collects before sending it to the C2 server. [5]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Emotet has been observed adding the downloaded payload to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key to maintain persistence.[6][7][8]

Enterprise T1110 .001 Brute Force: Password Guessing

Emotet has been observed using a hard coded list of passwords to brute force user accounts. [9][6][7][10][3]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Emotet has used Powershell to retrieve the malicious payload and download additional resources like Mimikatz. [6][2][8][11][12]

.003 Command and Scripting Interpreter: Windows Command Shell

Emotet has used cmd.exe to run a PowerShell script. [8]

.005 Command and Scripting Interpreter: Visual Basic

Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads. [6][13][2][8][12]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Emotet has been observed creating new services to maintain persistence. [7][10]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Emotet has been observed dropping browser password grabber modules. [2][4]

Enterprise T1114 .001 Email Collection: Local Email Collection

Emotet has been observed leveraging a module that scrapes email data from Outlook.[3]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Emotet is known to use RSA keys for encrypting C2 traffic. [2]

Enterprise T1041 Exfiltration Over C2 Channel

Emotet has been seen exfiltrating system information stored within cookies sent within an HTTP GET request back to its C2 servers. [2]

Enterprise T1210 Exploitation of Remote Services

Emotet has been seen exploiting SMB via a vulnerability exploit like EternalBlue (MS17-010) to achieve lateral movement and propagation. [6][7][10][11]

Enterprise T1040 Network Sniffing

Emotet has been observed to hook network APIs to monitor network traffic. [1]

Enterprise T1571 Non-Standard Port

Emotet has used HTTP over ports such as 20, 22, 7080, and 50000, in addition to using ports commonly associated with HTTP/S.[13]

Enterprise T1027 Obfuscated Files or Information

Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, CMD.exe arguments, and PowerShell scripts. [13][2][8][14]

.002 Software Packing

Emotet has used custom packers to protect its payloads.[2]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Emotet has been observed dropping password grabber modules including Mimikatz. [2]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Emotet has been delivered by phishing emails containing attachments. [15][9][6][7][13][2][8][12][4]

.002 Phishing: Spearphishing Link

Emotet has been delivered by phishing emails containing links. [1][16][15][9][6][7][13][13][8]

Enterprise T1057 Process Discovery

Emotet has been observed enumerating local processes.[17]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Emotet has been observed injecting in to Explorer.exe and other processes. [8][1][7]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Emotet leverages the Admin$ share for lateral movement once the local admin password has been brute forced. [9]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Emotet has maintained persistence through a scheduled task. [7]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Emotet has been observed leveraging a module that retrieves passwords stored on a system for the current logged-on user. [7][3]

Enterprise T1204 .001 User Execution: Malicious Link

Emotet has relied upon users clicking on a malicious link delivered through spearphishing.[1][12]

.002 User Execution: Malicious File

Emotet has relied upon users clicking on a malicious attachment delivered through spearphishing.[1][12][4]

Enterprise T1078 .003 Valid Accounts: Local Accounts

Emotet can brute force a local admin password, then use it to facilitate lateral movement.[9]

Enterprise T1047 Windows Management Instrumentation

Emotet has used WMI to execute powershell.exe.[12]

Groups That Use This Software

ID Name References
G0102 Wizard Spider

[18][19]

References