Blog Post:

An Anatomy of Emotet Malware

Malware Analysis

Monday, March 11, 2019

We have been seeing this in the news everywhere, so let's first understand what Emotet is and how it behaves in detail.

Emotet is one of the most advanced and highly modular banking Trojan droppers. It can function as a downloader of other banking Trojans or, in some cases, as a ransomware downloader.

As per US-CERT, Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.

Emotet Infection Process


Ref. https://www.us-cert.gov/ncas/alerts/TA18-201A

So we decided to test a sample in our lab and see whether FSA (Forensic State Analysis) based malware threat hunting can detect it.

Live Malware Sample Testing Process

We created a clean Windows 7 system in our lab for this test and ran a scan using the Infocyte threat hunting platform. The system shows as clean, and no threat is detected by the Infocyte Forensic State Analysis (FSA) tool.

Clean system prior to infection

Now let's run a live sample of Emotet (a macro-enabled Word document) on the system.

Running Emotet Malware

As usual, it asks the user to enable macros. (And as usual, users fall for it every single time, don't they? :-))

Users prompted to enable Macro

Once we run the macro, we can quickly see that winword.exe starts cmd.exe, which in turn launches powershell.exe.

cmd launches Powershell

Looking at the powershell.exe process arguments, we can see that it runs an obfuscated script. The script tries to contact a few domains, one by one, to download the payload from the internet. We have extracted all the domains for this variant below.

http://kids-education-support.com/aLEzfTe

http://lakewoods.net/mVMGKkcLY

http://ulco.tv/IxBx0er

http://mireikee.beget.tech/tvYT071w

http://www.reparaties-ipad.nl/pJjcudU8Kn

Once it downloads the file, the script renames it to 477.exe, keeps it in the temp ($env:temp) folder and runs it from there.

File gets renamed to 477.exe

Now we can check this from procmon. Once we enable the macro, we can immediately see that it starts cmd.exe.

In the next step, it starts powershell.exe.

At this point powershell.exe opens a network connection to http://kids-education-support.com to download the payload, creates 477.exe, drops it in the temp folder and runs 477.exe from there.

Network connection being made to http://kids-education-support.com

Then 477.exe creates subsculture.exe and drops it in C:\windows\system32.

It then creates a service (Startup mode: Auto, Account: System, Name: subsculture) and exits.

Services.exe starts the service, which launches subsculture.exe and connects to command and control (190.55.123.250).
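The process chain observed above (winword.exe, then cmd.exe, then powershell.exe, then a binary run from the temp folder) is a useful hunting pattern in its own right. The sketch below is an added example, not part of the original analysis or of the Infocyte product: the event records, PIDs and paths are constructed, and the function names are hypothetical.

```python
import ntpath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation events (pid, parent pid, image path).
EVENTS = [
    {"pid": 1000, "ppid": 500, "image": r"C:\Windows\explorer.exe"},
    {"pid": 2100, "ppid": 1000, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"pid": 2200, "ppid": 2100, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 2300, "ppid": 2200, "image": PS},
    {"pid": 2400, "ppid": 2300, "image": r"C:\Users\lab\AppData\Local\Temp\477.exe"},
    {"pid": 3000, "ppid": 1000, "image": PS},  # admin shell, no Office ancestor
]


def base(image):
    return ntpath.basename(image).lower()


def ancestry(pid, by_pid):
    """Image names from the process up to the oldest known ancestor."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' stops on PID loops
        seen.add(pid)
        chain.append(base(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_office_chains(events):
    """Flag shells, and binaries run from Temp, that descend from Office."""
    # Real telemetry should key on a unique process GUID; PIDs get reused.
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        chain = ancestry(e["pid"], by_pid)
        if not any(p in OFFICE for p in chain[1:]):
            continue
        if chain[0] in SHELLS:
            alerts.append((e["pid"], "shell under Office", " <- ".join(chain)))
        elif "\\appdata\\local\\temp\\" in e["image"].lower():
            alerts.append((e["pid"], "Temp binary under Office", " <- ".join(chain)))
    return alerts


if __name__ == "__main__":
    for alert in find_office_chains(EVENTS):
        print(alert)
```

The standalone powershell.exe started from explorer.exe is not flagged, because only processes with an Office application somewhere in their ancestry are reported.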

We stop the analysis at this point and move on to Infocyte. The malware has now run completely and has installed a persistence mechanism using Windows services. On the endpoint, the subsculture.exe process is running in memory and a service has been created for persistence. Let's do an Infocyte scan and see the results.

Compromise detected

Infocyte immediately flags the endpoint as compromised and detects 3 objects as compromised: one process, one memory object and one autostart object. Under the Process tab, Infocyte detects subsculture.exe as BAD with a score of 10.

Under the Memory tab, Infocyte unmaps a memory injection in subsculture.exe and marks it as BAD.

Under Accounts, Infocyte gives a threat score of COMPROMISED for the System account (since the service is running as System).

And under Autostarts, Infocyte also detects the malware's autostart service as BAD.

If you would like to know more or need assistance with this malware, please feel free to reach out to us.
--
Contributed By,

Raeez Abdullah
Principal Consulting Engineer
CodeGreen Systems
