Emotet Malware


Systems Affected

Network Systems

Threat Level



Emotet is an advanced, modular banking Trojan that is costly and destructive and primarily functions as a downloader or dropper of other banking Trojans. Because of its self-replicating features it spreads rapidly and infects systems network-wide, which makes it difficult to combat.


Emotet spreads through phishing emails containing either a malicious attachment or a link to a malicious document, which is used to download the payload. Once downloaded, it checks whether it is running in a sandbox environment; if it is, it does not proceed further.

If it is not, execution continues. To maintain persistence, Emotet injects code into explorer.exe and other running processes. It also collects sensitive information, including the system name, location and operating system version, and begins building a connection to its command and control (C2) server. Once the connection is established, it reports the new infection, receives configuration data, downloads and runs files, receives instructions, and uploads data to the C2 server.

Emotet establishes persistence and attempts to propagate across local networks through its incorporated spreader modules. Currently, Emotet uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, an Outlook scraper, and a credential enumerator.
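A defender-side check that follows from the spreader list above, as an added example that is not part of this advisory: it flags process-creation events for the named credential-harvesting tools, matching on PE version metadata (OriginalFileName, Description) as well as the file name, since droppers commonly rename binaries. Sysmon-style field names, the sample events and the NirSoft binary names (netpass.exe, WebBrowserPassView.exe, mailpv.exe) are assumptions, not values from the advisory.

```python
"""Flag the Emotet spreader modules named in the advisory in process-creation
logs. Added example, not advisory content. Events are constructed to resemble
Sysmon Event ID 1 exported as JSON lines; NirSoft file names are assumed."""
import json
from pathlib import PureWindowsPath
from typing import Optional

# Lower-cased tokens derived from the advisory's spreader list -> analyst label.
SPREADER_TOOLS = {
    "netpass": "NetPass.exe (network password recovery)",
    "webbrowserpassview": "WebBrowserPassView (browser credential dump)",
    "mailpv": "Mail PassView (mail client credential dump)",
    "mail passview": "Mail PassView (mail client credential dump)",
}

# Constructed sample log: benign explorer.exe, one renamed dumper, two unrenamed
# dumpers in user-writable paths, one benign Word launch.
SAMPLE_EVENTS = r"""
{"ProcessId": 4120, "Image": "C:\\Windows\\explorer.exe", "OriginalFileName": "EXPLORER.EXE", "Description": "Windows Explorer", "ParentImage": "C:\\Windows\\System32\\userinit.exe"}
{"ProcessId": 5508, "Image": "C:\\Users\\Public\\svc.exe", "OriginalFileName": "WebBrowserPassView.exe", "Description": "Web Browser Password Viewer", "ParentImage": "C:\\Windows\\explorer.exe"}
{"ProcessId": 5532, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\mailpv.exe", "OriginalFileName": "mailpv.exe", "Description": "Mail PassView", "ParentImage": "C:\\Windows\\explorer.exe"}
{"ProcessId": 5560, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\netpass.exe", "OriginalFileName": "netpass.exe", "Description": "Network Password Recovery", "ParentImage": "C:\\Windows\\explorer.exe"}
{"ProcessId": 6010, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "OriginalFileName": "WinWord.exe", "Description": "Microsoft Word", "ParentImage": "C:\\Windows\\explorer.exe"}
"""


def detect(event: dict) -> Optional[str]:
    """Return an analyst label if the event matches a spreader module, else None.
    The image basename alone is weak (binaries get renamed), so the PE version
    fields OriginalFileName and Description are checked as well."""
    fields = (PureWindowsPath(event.get("Image", "")).stem,
              PureWindowsPath(event.get("OriginalFileName", "")).stem,
              event.get("Description", ""))
    for value in fields:
        needle = value.lower()
        for token, label in SPREADER_TOOLS.items():
            if token in needle:
                return label
    return None


def scan(lines) -> list:
    """Return (pid, image, label) for every event that matches a spreader module."""
    hits = []
    for line in filter(str.strip, lines):
        event = json.loads(line)
        label = detect(event)
        if label:
            hits.append((event["ProcessId"], event["Image"], label))
    return hits
```

Running `scan(SAMPLE_EVENTS.splitlines())` on the constructed log flags the three dumper launches and leaves explorer.exe and WINWORD.EXE alone.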


  • Temporary or permanent loss of sensitive or proprietary information
  • Disruption to regular operations
  • Financial losses incurred to restore systems and files
  • Harm to an organization's reputation.

Solution/ Workarounds

  ✻  Update to the latest version of Mozilla Firefox on Windows, Linux and Mac.



The information provided herein is on "as is" basis, without warranty of any kind.


© Copyright Sri Lanka CERT|CC. All Rights Reserved.