Emotet Still Evolving—New Variants Detected

by Maharlito Aquino and Kervin Alintanahin

Emotet malware campaigns continue to evolve, below we share a breakdown of samples of two new malicious downloader variants that appeared toward the end of January, including lists of IOCs and payload detections for each. To give a sense of timing, you can see in this chart the samples detected by Cyren per day during the month of January for the first variant, Downldr.IE.gen, which appeared in greater volume. 

1st Variant

This variant Cyren detects as PP97M/Downldr.IE.gen!Eldorado. It appeared in very small volumes during January, suggesting it was just being initially tested.

This is what attachment looks like that delivers Emotet onto the user’s system when the macro runs:

The macro retrieves the text in the Form properties, in this case the Tag.

A large amount of text, 10660 bytes, is retrieved.

They get the malicious code from the string content, a combination of reverse, split, & join methods were used.

The outcome is a PowerShell command line with its script encoded.

Decoding the script reveals a downloader code.

Indicators of Compromise (IOC) Listing

053fe92b89e3cce048dcbbe6452a52a6fc6317c39f32d3d2e2d5d9ec387e3012 Downloader
hxxp://dewakartu.info/wp-includes/BRVMFYvIR/ Payload Download URL
hxxp://drhuzaifa.com/wp-includes/2i48k7-evv28gw-205510/ Payload Download URL
hxxp://dewarejeki.info/wp-includes/up58jauc-pum2w-630352/ Payload Download URL
hxxp://erasmus-plius.tomasjs.com/wp-admin/KfesPCcG/ Payload Download URL
hxxp://easytogets.com/xfxvqq/UXbKAbm/ Payload Download URL

2nd Variant

The following sample, which we detect as PP97M/Powload.C.gen!Eldorado, was first seen at the end of January.

Here is analysis of a sample that uses WScript Shell to execute the downloaded payload. The attachment to this variant also presents a Word document with the same text as the first sample.

But here, opening the file and enabling the macro, we can see that the there is a comment in the actual file.

This comment is the malicious script retrieved by the macro.

The toP argument is the random filename which has a .jse extension, where it will copy the contents.  The file is dropped in the APPDATA folder and executed.

The dropped .jse file is obfuscated. It also has an anti-debugging and anti-console-logging features. This sample is similar to variants spotted last year. 

The b function is responsible for decrypting the strings.

Here are some of the strings it will try to decrypt. It includes some of the URLs it will use to download the payload.

This part of the function hooks into the console logging. It monitors for the different types of console logs and returns a call to an empty function.


For any analysts so inclined to attempt to debug the script using the developer tools on browsers like Chrome, be aware the script has a function to make it a little bit difficult to analyze. Here we can see that it tries to make a call to the Gg function. Once initialized, the value of aS will be the function h9.

Below is an excerpt of the code for the gG function that shows a scenario in what could happen if debugging the script in chrome. The h9 function is part of it.

We remove some parts of the code just to show the scenario when h9(0) is called when debugging in chrome. It will execute an anonymous function to call the debugger. And create a loop with h9(++ha). So it will loop calling the debugger.

Indicators of Compromise (IOC) Listing

5452b9448c3310adaa86f6020c32d6ae4727fce5049f613ad9242e2f35e94eff Downloader
hxxp://andarealestate.com.au/kqmfgn/PTNzCb/ Payload Download URL
hxxp://copytak.ir/wordpress/iBzrxYetL/ Payload Download URL
hxxp://nicewebs.ir/wp-includes/4479qjck6-bso-9081935/ Payload Download URL
hxxp://kanok.co.th/wp-content/TDykCnZIC/ Payload Download URL
hxxp://essensetech.com/cpyzf0/9wgwtrg-w2d3p8-322443/ Payload Download URL

Payload Detections


Go back