Emotet Malware


Systems Affected

Network Systems

Threat Level



Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. It is costly and destructive: because of its worm-like spreading features it propagates rapidly across a network, which makes it difficult to contain and remove.


Emotet spreads through phishing emails that carry either a malicious attachment or a link to a malicious document; the document is then used to download the payload. Once downloaded, the payload checks whether it is running in a sandbox environment and, if so, does not proceed any further.

Otherwise, to maintain persistence, Emotet injects code into explorer.exe and other running processes. It also collects system information, including the system name, location and operating system version, and begins building a connection to its command and control (C2) server. Once the connection is established, it reports the new infection, receives configuration data, downloads and runs files, receives instructions, and uploads data to the C2 server.

Emotet establishes persistence and attempts to propagate across the local network through its incorporated spreader modules. Currently five spreader modules are known: NetPass.exe, WebBrowserPassView, Mail PassView, an Outlook scraper, and a credential enumerator.
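The post-infection behaviour described above (a downloaded payload that injects into explorer.exe and then calls out to a C2 server) is what host telemetry can catch. The following is an added example, not part of this advisory and not Sri Lanka CERT|CC tooling: a small detection pass over constructed events modelled on Sysmon Event ID 8 (CreateRemoteThread) and Event ID 3 (NetworkConnect). The trusted directory list, the internal address ranges, the file paths and the events themselves are all assumptions made for the example; the field names follow Sysmon's, but the records are invented.

```python
import ipaddress

# Directories from which code plausibly lands in explorer.exe (shell extensions,
# endpoint agents). Assumed allow-list for this example, not a vendor list.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Assumed internal address space; any other destination counts as "outbound".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed events (not real telemetry). EventID 8 = CreateRemoteThread,
# EventID 3 = NetworkConnect; field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 8,
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\INVOICE_48213.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x0000000002A40000"},
    {"EventID": 8,                       # endpoint agent doing the same thing: benign
     "SourceImage": r"C:\Program Files\Vendor AV\avshell.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x00007FFB1C2E0000"},
    {"EventID": 3,                       # dropper reporting the new infection
     "Image": r"C:\Users\alice\AppData\Local\Temp\INVOICE_48213.exe",
     "DestinationIp": "203.0.113.45", "DestinationPort": 8080},
    {"EventID": 3,                       # explorer.exe talking to a file server: benign
     "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"EventID": 3,                       # browser going out: trusted path, benign
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]


def _untrusted(image):
    """True when the binary runs from outside the assumed trusted directories."""
    return not image.lower().startswith(TRUSTED_DIRS)


def _is_external(ip):
    """True when the destination is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(events):
    """Return alerts as (rule, image, detail) tuples."""
    alerts = []
    for ev in events:
        # Rule 1: a remote thread created in explorer.exe by an untrusted binary,
        # the injection step the advisory describes.
        if (ev["EventID"] == 8
                and ev["TargetImage"].lower().endswith("\\explorer.exe")
                and _untrusted(ev["SourceImage"])):
            alerts.append(("remote_thread_into_explorer", ev["SourceImage"],
                           f"thread start at {ev['StartAddress']}"))
        # Rule 2: an untrusted binary opening a connection to a non-internal
        # address, the first C2 contact.
        elif (ev["EventID"] == 3
                and _untrusted(ev["Image"])
                and _is_external(ev["DestinationIp"])):
            alerts.append(("untrusted_binary_outbound", ev["Image"],
                           f"{ev['DestinationIp']}:{ev['DestinationPort']}"))
    return alerts


def correlate(events):
    """Images that both injected into explorer.exe and beaconed out."""
    by_image = {}
    for rule, image, _ in detect(events):
        by_image.setdefault(image.lower(), set()).add(rule)
    return {img for img, rules in by_image.items() if len(rules) == 2}


if __name__ == "__main__":
    for rule, image, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:<28} {image}  ({detail})")
    print("high-confidence:", correlate(SAMPLE_EVENTS))
```

Either rule on its own produces noise (legitimate shell extensions inject into explorer.exe, and plenty of user-installed software talks to the internet); the value is in the correlation, which only fires when the same untrusted image does both. Sysmon only records Event ID 8 if its configuration includes CreateRemoteThread, so check the deployed config before relying on the first rule.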


Impact

  • Temporary or permanent loss of sensitive or proprietary information
  • Disruption to regular operations
  • Financial losses incurred to restore systems and files
  • Potential harm to an organization's reputation

Solution/ Workarounds

  • Use antivirus programs, with automatic updates of signatures and software, on clients and servers.
  • Apply appropriate patches and updates immediately.
  • Consider blocking file attachments that are commonly associated with malware, such as .dll and .exe, and attachments that cannot be scanned by antivirus software, such as password-protected .zip files.
  • Provide employees with training on social engineering and phishing.
  • Advise employees not to open suspicious emails, not to click links or open attachments in such emails, not to post sensitive information online, and never to provide usernames, passwords or personal information in answer to an unsolicited request.
  • Access an organization's website directly through the browser rather than through a link in an email.
  • Adhere to the principle of least privilege, ensuring that users have the minimum level of access required to accomplish their duties.
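The attachment-blocking recommendation above is easy to state and easy to get wrong at the gateway: a .zip that can be opened can be scanned, while a password-protected one cannot, and a macro-enabled Office document is itself a ZIP container. The following is an added example, not part of this advisory and not Sri Lanka CERT|CC tooling, showing an attachment policy that applies those distinctions. The extension lists beyond .dll and .exe, the "quarantine" action, the file names and the in-memory fixtures are all assumptions made for the example.

```python
import io
import os
import zipfile
from dataclasses import dataclass

# The advisory names .dll and .exe; the other entries are this example's assumption.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".pif", ".com", ".js", ".vbs", ".hta"}
# Magic bytes of the legacy binary Office container (.doc/.xls).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


@dataclass
class Verdict:
    filename: str
    action: str   # "allow", "block" or "quarantine" (the last is an assumed action)
    reason: str


def _final_extension(name):
    return os.path.splitext(name)[1].lower()


def _zip_members(data):
    """Return (member names, any_encrypted) if data is a ZIP, else None.

    Modern Office files (.docx/.docm/.xlsm ...) are ZIPs too, so this one helper
    covers both plain archives and OOXML documents.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return None
    # General-purpose flag bit 0 marks an encrypted entry: the scanner cannot look inside.
    return [i.filename for i in infos], any(i.flag_bits & 0x1 for i in infos)


def check_attachment(filename, data):
    ext = _final_extension(filename)
    # Rule 1: executable types are blocked outright. Judging the final extension
    # also catches "invoice.pdf.exe", which Explorer displays as "invoice.pdf".
    if ext in BLOCKED_EXTENSIONS:
        return Verdict(filename, "block", f"executable attachment type {ext}")
    members = _zip_members(data)
    if members is not None:
        names, encrypted = members
        # Rule 2: an encrypted archive cannot be scanned, so it is blocked.
        if encrypted:
            return Verdict(filename, "block", "encrypted archive cannot be scanned")
        # Rule 3: an OOXML document carrying a VBA project is macro-enabled.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return Verdict(filename, "block", "Office document carries a VBA macro project")
        # Rule 4: a plain archive wrapping an executable.
        bad = [n for n in names if _final_extension(n) in BLOCKED_EXTENSIONS]
        if bad:
            return Verdict(filename, "block", f"archive contains executable member {bad[0]}")
        return Verdict(filename, "allow", "container inspected, no executable or macro found")
    # Rule 5: legacy binary Office formats need a real OLE/VBA parser; hold them
    # for the antivirus engine rather than guessing.
    if data.startswith(OLE_MAGIC):
        return Verdict(filename, "quarantine", "legacy OLE document, needs full macro scan")
    return Verdict(filename, "allow", "no policy match")


def _make_zip(members, encrypted=False):
    """Build an in-memory ZIP fixture (constructed test data, not real mail)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        # zipfile cannot write encrypted entries, so flip flag bit 0 by hand in each
        # local header (offset 6) and each central-directory header (offset 8).
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + off] |= 0x01
                pos = data.find(sig, pos + 4)
    return bytes(data)


def constructed_samples():
    """Constructed attachments standing in for a captured mailbox."""
    return {
        "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
        "report.zip": _make_zip({"report.txt": b"quarterly figures"}),
        "payroll.zip": _make_zip({"payroll.exe": b"MZ\x90\x00"}),
        "secure.zip": _make_zip({"secret.txt": b"top secret"}, encrypted=True),
        "order.docm": _make_zip({"[Content_Types].xml": b"<Types/>",
                                 "word/document.xml": b"<w:document/>",
                                 "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 vba"}),
        "notes.docx": _make_zip({"[Content_Types].xml": b"<Types/>",
                                 "word/document.xml": b"<w:document/>"}),
        "legacy.doc": OLE_MAGIC + b"\x00" * 56,
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 60,
    }


def run_policy(attachments=None):
    """Apply the policy and return {filename: action}."""
    attachments = constructed_samples() if attachments is None else attachments
    return {name: check_attachment(name, data).action for name, data in attachments.items()}


if __name__ == "__main__":
    for name, data in constructed_samples().items():
        v = check_attachment(name, data)
        print(f"{v.action:<10} {name:<16} {v.reason}")
```

The policy inspects content rather than trusting the extension, so a renamed ZIP or an OOXML document is handled by what it actually contains. A real gateway would hand the "quarantine" cases to the antivirus engine, which is the only component that can tell a legacy .doc with macros from one without.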



The information provided herein is on "as is" basis, without warranty of any kind.


© Copyright Sri Lanka CERT|CC. All Rights Reserved.