^[2]

Emotet has the ability to duplicate the user’s token.^[3] For example,Emotet may use a variant of Google’s ProtoBuf to send messages that specify how code will be executed.^[4]

Emotet has been observed leveraging a module that can scrape email addresses from Outlook.^[5][6][3]

Emotet has used HTTP for command and control.^[3]

Emotet has been observed adding the downloaded payload to theHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key to maintain persistence.^[7][8][9]

Emotet has been observed using a hard coded list of passwords to brute force user accounts.^{[10][7][8][11][5][3]}

Emotet has used Powershell to retrieve the malicious payload and download additional resources likeMimikatz.^{[7][2][9][12][13]}

Emotet has used cmd.exe to run a PowerShell script.^[9]

Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads.^{[7][14][2][9][13]}

Emotet has been observed creating new services to maintain persistence.^[8][11][3]

Emotet has been observed dropping browser password grabber modules.^[2][6]

Emotet has used Google’s Protobufs to serialize data sent to and from the C2 server.^[3] Additionally,Emotet has used Base64 to encode data before sending to the C2 server.^[15]

Emotet has used a self-extracting RAR file to deliver modules to victims. Emotet has also extracted embedded executables from files using hard-coded buffer offsets.^[3]

Emotet has been observed leveraging a module that can scrape email addresses from Outlook.^[5][6][3]

Emotet has been observed leveraging a module that scrapes email data from Outlook.^[5]

Emotet has encrypted data before sending to the C2 server.^[15]

Emotet is known to use RSA keys for encrypting C2 traffic.^[2]

Emotet has exfiltrated data over its C2 channel.^[2][3]

Emotet has been seen exploiting SMB via a vulnerability exploit like EternalBlue (MS17-010) to achieve lateral movement and propagation.^{[7][8][11][12]}

Emotet can download follow-on payloads and items via maliciousurl parameters in obfuscated PowerShell code.^[16]

Emotet has copied itself to remote systems using theservice.exe filename.^[3]

Emotet has installed itself as a new service with the service nameWindows Defender System Service and display nameWinDefService.^[3]

Emotet has usedCreateProcess to create a new process to run its executable andWNetEnumResourceW to enumerate non-hidden shares.^[3]

Emotet has enumerated non-hidden network shares usingWNetEnumResourceW.^[3]

Emotet has been observed to hook network APIs to monitor network traffic.^[1]

Emotet has used HTTP over ports such as 20, 22, 443, 7080, and 50000, in addition to using ports commonly associated with HTTP/S.^[14][3]

Emotet inflates malicious files and malware as an evasion technique.^[17]

Emotet has used custom packers to protect its payloads.^[2]

Emotet has dropped an embedded executable at%Temp%\setup.exe.^[3] Additionally,Emotet may embed entire code into other files.^[4]

Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, CMD.exe arguments, and PowerShell scripts.^{[14][2][9][18]}

Emotet uses obfuscated URLs to download a ZIP file.^[17]

Emotet has been observed dropping and executing password grabber modules includingMimikatz.^[2][4]

Emotet has been delivered by phishing emails containing attachments.^{[19][10][7][8][14][2][9][13][6]}

Emotet has been delivered by phishing emails containing links.^{[1][20][19][10][7][8][14][14][9]}

Emotet has been observed enumerating local processes.^[21]

Emotet has been observed injecting in to Explorer.exe and other processes.^[9][1][8]

Emotet uses a copy ofcertutil.exe stored in a temporary directory for process hollowing, starting the program in a suspended state before loading malicious code.^[17]

Emotet has reflectively loaded payloads into memory.^[3]

Emotet has leveraged the Admin$, C$, and IPC$ shares for lateral movement.^[10][3]

Emotet has maintained persistence through a scheduled task, e.g. though a .dll file in the Registry.^[8][4]

Emotet uses RegSvr32 to execute the DLL payload.^[17]

Emotet can extract names of all locally reachable Wi-Fi networks and then perform a brute-force attack to spread to new networks.^[3]

Emotet has enumerated all users connected to network shares.

Emotet has been observed leveraging a module that retrieves passwords stored on a system for the current logged-on user.^[8][5]

Emotet has relied upon users clicking on a malicious link delivered through spearphishing.^[1][13]

Emotet has relied upon users clicking on a malicious attachment delivered through spearphishing.^[1][13][6]

Emotet can brute force a local admin password, then use it to facilitate lateral movement.^[10]

Emotet has used WMI to execute powershell.exe.^[13]

^[22][23]