Emotet Rebirth with New Features and How to Spot Them

One of the most dangerous and well-known threats has reappeared. The botnet was taken down by global authorities in January 2021, and law enforcement pushed a destructive update to Emotet's executables. It appeared that the trojan's story had come to a close.

But the malware never stopped surprising me.

In November 2021 it was reported that TrickBot no longer operates alone and now delivers Emotet. ANY.RUN, along with industry peers, was among the first to notice the appearance of Emotet's malicious documents.

First Emotet malicious documents

And in February, we can expect to see a very active wave of crooks running numerous attacks and climbing to the top of the rankings. If you are interested in this subject or are studying malware, you can take advantage of ANY.RUN, the interactive sandbox for cyber threat detection and analysis.

Let’s take a look at the changes that this disruptive malware introduced this time.

A Brief History of Emotet

Emotet is a sophisticated, dynamic modular botnet. In 2014, the malware was merely a financial trojan. Since then, it has added new tools, modules, and campaigns:

  • 2014. Money transfer, mail spam, DDoS, and address book stealing modules.
  • 2015. Evasion functionality.
  • 2016. Mail spam, RIG 4.0 exploit kit, delivery of other trojans.
  • 2017. A spreader and address book stealer module.

Emotet's polymorphic character and abundance of modules enable it to remain undetected. The malware's creators continuously modify their strategies, methods, and practices to render existing detection rules useless. It downloads additional payloads in numerous steps to stay inside the compromised system. This behavior makes the malware virtually impossible to eradicate. It spreads quickly, produces false indicators, and changes to suit the demands of its operators.

And on November 14, 2021, a new version of Emotet was created.

Why was Emotet reborn?

Throughout its history, Emotet took several breaks. But after the global police operations in January 2021, we expected it to be gone for good. A joint enforcement effort arrested several gang members, took over servers, and destroyed backups.

However, the malware came back even stronger. It is just as dangerous as it was in the past because it is skilled at evasion tactics and employs multiple methods to compromise networks.

Trickbot was observed attempting to transfer a dynamic link library (DLL) to the computer system. And it was later determined by researchers that the DLLs were Emotet.

After making a comeback in 2021, Emotet topped the list of uploaders in ANY.RUN sandbox. Even after such a protracted hiatus, it gained popularity. Malware Trends Tracker contains all Emotet trend information, and the data is derived from user submissions.

Top malware uploads for the last week

No wonder that, now that its operations are back on track, ANY.RUN's database gets almost 3 thousand malicious samples per week. It is clear that you need to be ready for this kind of attack at any time.

What are the new features of Emotet? 

The trojan is already a serious threat to any company. Knowing all malware updates can help avoid such a threat and be cautious. Let’s investigate what features a new version brings and how it differs from the previous ones.


Emotet campaigns begin with a malicious document (a weaponized Microsoft Office document) or a hyperlink in a widely disseminated phishing email that tricks recipients into opening the malicious attachment. The weaponized Office document uses an AutoOpen macro and VBA code to carry out its operations. The only user input needed to start the attack is enabling macros, which the Emotet group entices its victims to do. This user activity is what makes it possible to bypass sandbox tests and verifications.

Emotet is spread through malicious email campaigns that typically include Office documents, and the malware uses very inventive themes for its maldocs. The botnet changes them continually; it mimics messages, files, and program updates. The content creates various execution chains and embeds encrypted VBA code. The malware's creators trick users into enabling macros, which launches the attack.

The fresh version has a twist as well. In the summer of 2020, Emotet used a document with an Office 365 message. The new version switched to the XLS format but left the image alone. It also, for the first time, represented the IP address from which the second stage was downloaded in hexadecimal and octal formats.

Emotet templates in February
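
Hexadecimal and octal host forms slip past IOC matching that expects dotted-decimal addresses. The following is an added example, not code from the original article or from ANY.RUN: it canonicalizes numeric URL hosts written in any base so they can be compared against a blocklist. The sample URLs are constructed and use documentation address ranges; the function names are illustrative.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

# Constructed sample text; addresses are from documentation ranges.
SAMPLE = """
http://0xc6.0x33.0x64.0x0a/aa/bb.png
http://0306.063.0144.012/aa/bb.png
http://0xC633640A/aa/bb.png
http://198.51.100.10/aa/bb.png
https://example.com/report.xls
"""

def _part(text):
    """Parse one dot-separated component as hex, octal or decimal."""
    if re.fullmatch(r"0x[0-9a-f]+", text, re.I):
        return int(text, 16)
    if re.fullmatch(r"0[0-7]+", text):
        return int(text, 8)
    if re.fullmatch(r"0|[1-9][0-9]*", text):
        return int(text, 10)
    return None

def normalize_ipv4_host(host):
    """Dotted-decimal IPv4 for a numeric host in any base, else None."""
    nums = [_part(p) for p in host.split(".")]
    if not 1 <= len(nums) <= 4 or None in nums:
        return None
    tail_bytes = 5 - len(nums)  # the last component fills the remaining bytes
    if any(n > 0xFF for n in nums[:-1]) or nums[-1] >= 256 ** tail_bytes:
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << (8 * tail_bytes)) | nums[-1]
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def find_encoded_ip_urls(text):
    """Return (url, canonical_ip) for URLs whose host hides an IPv4 address."""
    hits = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        ip = normalize_ipv4_host(host)
        if ip and ip != host:
            hits.append((url, ip))
    return hits
```

A URL whose host is a non-decimal IPv4 form is rare in legitimate traffic, so a hit from `find_encoded_ip_urls` is worth an alert on its own, before any blocklist lookup.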

New techniques 

As a polymorphic creature, Emotet continually raises the bar by learning new skills. The most recent variant makes minor tactical adjustments and once more uses MSHTA. Generally, Macro 4.0 uses Excel to launch CMD, Wscript, or PowerShell, which launches another process such as MSHTA or one of those just listed, which in turn downloads the main payload and executes it via rundll32.

The botnet is particularly good at hiding malicious strings and content, including IP addresses, instructions, and shellcodes. However, you can occasionally extract the IP and URL information from the file's script. If you use ANY.RUN's Static Discovering, you can certainly find it on your own.

URLs list from the Emotet’s fake PNG file


Emotet frequently drops other malware to deepen the infection. In November it was discovered that the botnet had delivered the Trickbot banking trojan to compromised servers.

We can see that Emotet currently functions with Cobalt Strike. Penetration testers and crooks both use this C2 system. The scenario with Cobalt Strike shortens the interval between the original infection and the ransomware attack.

A list of Cobalt Strike IOCs from Emotet infection

Process tree 

The execution chain has also changed. In most cases we see a CMD child process, PowerShell, and Rundll32, and various samples show that the authors prefer to mix processes, constantly changing their order. The main goal is to avoid detection by rulesets that identify a threat by the child processes of an application.

Emotet process tree
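
A rule keyed to a fixed parent/child pair breaks when the intermediate processes are reordered. The following is an added example, not code from the original article or from ANY.RUN: it compares an immediate-parent rule with one that walks the full ancestry of each rundll32 process. The events are constructed, and the tuple layout (pid, parent pid, image path) is an assumption about what a process-creation log supplies.

```python
import ntpath

OFFICE = {"excel.exe", "winword.exe"}
LOADER = "rundll32.exe"

# Constructed process-creation events: (pid, parent pid, image path).
EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe"),
    (200, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    (210, 200, r"C:\Windows\System32\cmd.exe"),
    (220, 210, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (230, 220, r"C:\Windows\SysWOW64\rundll32.exe"),
    (300, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    (310, 300, r"C:\Windows\System32\wscript.exe"),
    (320, 310, r"C:\Windows\System32\mshta.exe"),
    (330, 320, r"C:\Windows\SysWOW64\rundll32.exe"),
    (400, 100, r"C:\Windows\System32\rundll32.exe"),  # no Office ancestor
]

def name(image):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()

def ancestry(pid, procs, max_depth=16):
    """Image names from the process up to the root, child first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen and len(chain) < max_depth:
        seen.add(pid)  # guards against loops caused by PID reuse
        pid, image = procs[pid]
        chain.append(name(image))
    return chain

def direct_parent_rule(events):
    """Order-sensitive rule: loader whose immediate parent is an Office app."""
    procs = {pid: (ppid, image) for pid, ppid, image in events}
    return [pid for pid, ppid, image in events
            if name(image) == LOADER and ppid in procs
            and name(procs[ppid][1]) in OFFICE]

def ancestor_rule(events):
    """Order-independent rule: loader with an Office app anywhere above it."""
    procs = {pid: (ppid, image) for pid, ppid, image in events}
    alerts = []
    for pid, _, image in events:
        chain = ancestry(pid, procs)
        if name(image) == LOADER and OFFICE & set(chain[1:]):
            alerts.append((pid, " > ".join(reversed(chain))))
    return alerts
```

On the constructed events the immediate-parent rule reports nothing, while the ancestry rule flags both Office-rooted chains and leaves the rundll32 started from explorer.exe alone.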


The primary payload was executed by Rundll32 because Emotet long ago switched from EXE files to DLL files. Powershell and CMD are still used extensively:

Emotet command-line

How to detect and protect against Emotet? 

Use contemporary tools if you require a quick and easy method to obtain all the information on the Emotet sample. The interactive sandbox ANY.RUN enables real-time process monitoring and provides all required statistics right away.

Emotet is effectively recognized by Suricata rulesets along with other malicious programs. Furthermore, a malicious sample’s C2 links can be revealed using the Fake Net function. This capability also aids in collecting IOCs for viruses.

Emotet samples come and go, and it’s hard to keep up with them. So, we advise you to check out fresh samples that are updated daily in our public submissions.

Among the most serious online dangers currently in existence, Emotet stands out as a monster. The malware tries to evade detection and enhances its functionality. Because of this, using powerful tools like ANY.RUN is important.
