Emotet is an old Trojan, but it is still evolving and has always been one of the most dangerous ones.


The history of Emotet's technical evolution (2014-2017)



Emotet begins distributing the banking Trojan Panda (Zeus Panda). Panda first appeared in 2016 and is built on the leaked source code of the ZBOT (Zeus) banking Trojan; it intercepts keystrokes and the contents of forms filled in on websites.


April 9:

In early April, Emotet gains a module (MD5: 75D65CEA0A33D11A2A74C703DBD2AD99) that spreads over wireless networks: it tries to connect to Wi-Fi networks in range by running a dictionary attack against their passwords. Its code resembles the NetworkSpreader module (bypass.exe) with Wi-Fi connection logic added. If the brute-force attack succeeds, the module sends information about the network to the C&C server.

Like bypass.exe, the module is delivered as a separate file (a.exe) inside a self-extracting archive (MD5: 5AFDCFFCA43F8E7F848BA154ECF12539). The archive also contains the Service.exe mentioned above (MD5: 5D6FFBF230B2CA4), which, as in its first release, does nothing beyond sending the name of the infected computer to the C&C.

Self-extracting RAR archive with the components for spreading over Wi-Fi

The attackers updated the module quickly: a few hours after the first version was detected, researchers received an updated self-extracting archive (MD5: D7C5BF24904FC73B0481F6C7CDE76E2A) containing a new service.exe, which now bundled Emotet itself (MD5: 26D21612B676D66B93C51C611FA46773).

Self-extracting RAR archive with the updated service.exe

Binary Defense did not describe this module until January 2020. The return to the old communication mechanism and the reuse of old module code looks somewhat odd, since bypass.exe and Service.exe had already been merged into a single DLL module back in 2017.

April 14:

Emotet again begins using GET requests, placing data of less than 1 KB in the Cookie field of the HTTP header, and switches to POST requests for larger amounts of data (MD5: 3891B639B2407CBFA2E7C64BB4063C4). The template used to fill the Cookie field has also changed: where it used to be Cookie: %x=, it is now Cookie: %u =. The newly added space between the number and the equals sign helps to identify Emotet traffic.

GET request example

April 30:

The C&C servers suspend their activity; it resumes on May 16, by which time the space in the GET request has disappeared.

Updated GET request example


Another banking Trojan, Trickster (also known as Trickbot), starts using Emotet to spread. Trickster is a modular banking Trojan active since early 2016 and the most prominent successor to Dyreza. In 2019 Trickster accounted for 12% of all detected financial threats. Dyreza, for its part, was behind attacks on more than 40% of the users hit by banking Trojans in 2015; it stole data and online banking logins through web injects.


The so-called UPnP module, based on the libminiupnpc library, is obtained for the first time (MD5: 0F1D4DD066C0277F82F74145A7D2C48E). The module enables port forwarding on the router at the request of a host on the local network. This not only lets the attacker reach computers on a local network behind NAT, but also turns the infected computer into a C&C proxy.


In August, a new ransomware, Ryuk, is reported; it is a reworked version of the Hermes ransomware known since 2017. It later turns out that the infection chain starts with Emotet, which downloads Trickster, which in turn installs Ryuk. By this point both Emotet and Trickster can spread across the local network, and Trickster additionally exploits known SMB vulnerabilities, which further helps the malware propagate inside the network. Combined with Ryuk, this makes for a very powerful attack chain. The Ryuk ransomware family dates back to August 2018 and descends from the Hermes family; it is distributed mainly through spam, botnets, RDP brute-forcing and vulnerability exploitation, and encrypts user files with RSA + AES, so the files cannot be recovered without the key.

At the end of the month, the password list of the network spreader module is updated. There are still 1000 passwords, but about 100 of them have been changed (MD5: 3F82C2A733698F501850FDF4F7C00EB7).

Decrypted password list


October 12:

Researchers do not record the distribution of any new modules or updates, and the C&C servers suspend their activity; it resumes on October 26.

October 30th:

The Outlook data-stealing module (MD5: 64C78044D2F6299873881F8B08D40995) is updated. The key innovation is that it now steals the message content itself. That said, the amount of stolen data per message is limited to 16 KB (larger messages are truncated).

Comparison of the code of the new and old versions of the Outlook data-stealing module


No new modules or updates are distributed and the C&C servers suspend their activity; it does not resume until January 6.


C&C activity resumes only on January 10, 2019, so this downtime is longer than before.



March 14:

Emotet changes the HTTP part of its protocol: it switches to POST requests and generates the request path from a dictionary. The Referer field is now filled in, and a Content-Type: multipart/form-data header appears (MD5: beaf5e523e8e3e3fb9dc2a361cda0573):

Function generating the POST request

Example of POST request

March 20:

Another change to the HTTP part of the protocol: Emotet drops Content-Type: multipart/form-data. The data itself is now Base64-encoded and then URL-encoded (MD5: 98FE402EF2B8AA2CA29C4ED133BBFE90).

Updated function generating the POST request

Example of POST request


Initial reports suggest that Emotet's spam is now using data from the new Outlook stealing module: stolen subjects, mailing lists and message contents are observed in the emails.


The C&C servers stop working for a long time (three months); activity resumes on August 21, 2019. However, over the following weeks the servers only distribute updates and modules, and no spam activity is seen. This time was probably spent restoring communications, collecting and processing data from infected systems, and spreading across local networks.


The developers make a small change to the HTTP part of the protocol: Emotet stops generating the path from a dictionary and instead uses a randomly generated string (MD5: DD33B9E4F928974C72539CD784CE9D20).

Example of POST request


February 6:

Another change in the HTTP part of the protocol. The path now consists not of a single string but of several randomly generated words. Content-Type is again multipart/form-data.

Example of POST request
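The HTTP changes listed above (the GET/Cookie template of April 2018 and the POST variants from March 2019 through February 2020) are exactly the kind of features a network analyst fingerprints. The Python below is an added example, not code from the original article or from Emotet: it builds one constructed request per variant, using hosts from the RFC 5737 test ranges and made-up paths, cookie names, boundary and payload, and classifies a request by the features the timeline names (numeric Cookie name with or without the space, path made of one word versus several, multipart/form-data present or absent, body that is URL-encoded Base64). Telling a dictionary word from a random string in a single-segment path would require the wordlist, which the article does not give, so those two variants share one label.

```python
import re
import base64
import binascii
from urllib.parse import quote, unquote

# Constructed sample requests, one per HTTP variant in the timeline. Hosts (RFC 5737
# test ranges), path words, cookie name, boundary and payload are assumptions made
# for this example; they are not captured Emotet traffic, and the real templates
# differ in detail.
PAYLOAD = base64.b64encode(b"constructed payload, not a real Emotet packet").decode()
MULTIPART_BODY = (
    "------x\r\n"
    'Content-Disposition: form-data; name="data"\r\n\r\n'
    f"{PAYLOAD}\r\n------x--\r\n"
)
SAMPLES = {
    # 2018-04-14: data under 1 KB travels in the Cookie header of a GET; the new
    # "Cookie: %u =" template leaves a space between the number and the equals sign.
    "2018-04-14": "GET /whoami/ HTTP/1.1\r\nHost: 198.51.100.23:8080\r\n"
                  f"Cookie: 4157 ={PAYLOAD}\r\n\r\n",
    # 2018-05-16: same mechanism, the space is gone again.
    "2018-05-16": "GET /whoami/ HTTP/1.1\r\nHost: 198.51.100.23:8080\r\n"
                  f"Cookie: 4157={PAYLOAD}\r\n\r\n",
    # 2019-03-14: POST, one dictionary word as path, Referer filled, multipart body.
    "2019-03-14": "POST /attrib/ HTTP/1.1\r\nHost: 203.0.113.7\r\n"
                  "Referer: http://203.0.113.7/attrib/\r\n"
                  "Content-Type: multipart/form-data; boundary=----x\r\n\r\n" + MULTIPART_BODY,
    # 2019-03-20: Content-Type dropped; body is Base64 and then URL-encoded.
    "2019-03-20": "POST /attrib/ HTTP/1.1\r\nHost: 203.0.113.7\r\n"
                  "Referer: http://203.0.113.7/attrib/\r\n\r\n" + quote(PAYLOAD, safe=""),
    # 2020-02-06: path made of several random words, multipart/form-data again.
    "2020-02-06": "POST /hoWRlK/Iym2fWs/Xc1Lmu/ HTTP/1.1\r\nHost: 203.0.113.7\r\n"
                  "Referer: http://203.0.113.7/hoWRlK/Iym2fWs/Xc1Lmu/\r\n"
                  "Content-Type: multipart/form-data; boundary=----x\r\n\r\n" + MULTIPART_BODY,
}

# Numeric cookie name, optional whitespace before "=", then the opaque blob.
COOKIE_TEMPLATE = re.compile(r"^(\d+)(\s*)=\s*(\S+)$")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def body_is_urlencoded_base64(body):
    """True if the body is URL-encoded Base64 that decodes cleanly (the 2019-03-20 style)."""
    if not body:
        return False
    try:
        base64.b64decode(unquote(body), validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def classify(raw):
    """Map a request to the protocol variant whose features it shows, or 'unclassified'."""
    method, path, headers, body = parse_request(raw)
    segments = [s for s in path.split("/") if s]
    content_type = headers.get("content-type", "")
    if method == "GET":
        m = COOKIE_TEMPLATE.match(headers.get("cookie", ""))
        if m:
            if m.group(2):
                return "GET/Cookie, spaced template (2018-04-14)"
            return "GET/Cookie, unspaced template (2018-05-16 onward)"
    elif method == "POST":
        if content_type.startswith("multipart/form-data"):
            if len(segments) >= 2:
                return "POST multipart, multi-word random path (2020-02-06)"
            if "referer" in headers:
                return "POST multipart, single dictionary-word path (2019-03-14)"
        elif body_is_urlencoded_base64(body) and len(segments) == 1:
            return "POST Base64+URL-encoded body, single-segment path (2019-03-20 onward)"
    return "unclassified"


if __name__ == "__main__":
    for name, request in SAMPLES.items():
        print(f"{name}: {classify(request)}")
```

The classifier is deliberately feature-based rather than signature-based: none of the numbers, words or blobs in the samples matter, only the shape of the Cookie name, the path segment count, the presence of multipart/form-data and whether the body decodes as URL-encoded Base64, which is what survives across the variants the article lists.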

Along with the HTTP part, the binary part of the protocol is also updated. The encryption remains unchanged, but Emotet drops Google Protocol Buffers in favour of its own format. The compression algorithm also changes: liblzf replaces zlib. More details on the new protocol can be found in the Intel and CERT Polska reports.


February 7:

C&C activity does not resume until July 2020. During this time the volume of spam drops to zero. Meanwhile, Binary Defense begins distributing EmoCrash among various CERTs and the infosec community. This is a PowerShell script that creates an incorrect value for a system registry key used by Emotet, causing the malware to crash during installation. The killswitch remained effective until August 6, when the Emotet developers fixed the bug.

July:

Just a few days after the spam campaigns resume, reports appear that someone has replaced the malicious payloads on the compromised distribution sites with pictures and memes: clicking the link in a spam email opens an ordinary image instead of a malicious document. This did not last long; by July 28 the malicious files were no longer being replaced with images.


Although Emotet is old, it is still evolving and has always been one of the most dangerous Trojans.

The most active C&C servers in November 2020:

This article is translated from: https://securelist.com/the-chronicles-of-emotet/99660/