Emotet

Malware Profile Updated 7 days ago
Emotet is a notorious malware that has been active for over a decade, known for its ability to infiltrate and manipulate email accounts. It tricks individuals into downloading infected files or clicking on malicious links, thus spreading its influence. It was a major player in the malware delivery business until it was taken down by Europol and Eurojust in January 2021. Despite this, Emotet's influence continued as other threat actors adopted similar evasion techniques, such as binary padding, where both the dropper document and the Emotet DLL files are inflated to avoid security solutions. A group known as ITG23 has been associated with Emotet, along with other malware strains such as Trickbot, BazarLoader, IcedID, Conti, and Cobalt Strike. ITG23 has used crypters with these malware types and has been observed crypting malware on behalf of groups like Emotet and IcedID. The relationship between ITG23 and Emotet extends to seeding each other's malware, indicating a cooperative relationship. In 2023, Emotet was among the top three financial malware families affecting PCs, alongside Ramnit and Zbot. Its activity increased fourfold during a large-scale campaign that year. However, high-profile takedowns of Ransomware-as-a-Service (RaaS) groups and initial access trojans, including Emotet, have resulted in only temporary setbacks for their operators. Despite the takedown efforts, Emotet and similar threats continue to pose significant cybersecurity risks.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Profile (votes): description
QakBot (9): Qakbot, also known as QBot, is a versatile and malicious software that can perform various harmful actions such as brute-forcing, web injects, and loading other malware. It is used to steal credentials and gather sensitive information. The malware is built by different groups including IcedID, Emote
Qbot (8): Qbot, also known as Qakbot or Pinkslipbot, is a sophisticated malware that initially emerged in 2007 as a banking trojan. It has since evolved into an advanced strain used by various cybercriminal groups to infiltrate networks and prepare them for ransomware attacks. The first known use of an ITG23
IcedID (8): IcedID, also known as BokBot, is a type of malware that was initially identified in 2017 as a banking trojan. Over time, it has evolved and is now used for various cybercrimes, including financial data theft. It is often associated with other malware types such as Qakbot, BazarLoader, CobaltStrike,
Ta542 (4): TA542, also known as Mealybug or Mummy Spider, is a notable threat actor in the cybersecurity landscape that operates the Emotet malware family. Active since 2014, this group has evolved the initial banking Trojan into a sophisticated and profitable malware delivery vehicle. The group's operations a
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ransomware
Botnet
Trojan
Spam
Phishing
Payload
Loader
Cybercrime
Outlook
Windows
Exploit
Downloader
Infostealer
Antivirus
Polymorphic
Denial of Se...
Bot
exploitation
Cobalt Strike
Dropper
Crypter
Worm
Fraud
Police
Proxy
Banking
Financial
Encrypt
Ddos
Eset
Malwarebytes
Malware Loader
Associated Malware
Profile (type, votes): description
TrickBot (Unspecified, 13): TrickBot is a notorious malware that has gained prominence due to its destructive capabilities. This malicious software, designed to exploit and damage computer systems, infiltrates devices through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, TrickBot c
Conti (Unspecified, 6): Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them, often stealing personal information or disrupting operations. This malicious software has been used in conjunction with other forms of malware such as Trickbot, BazarLoader, IcedID, and Cobalt S
Ryuk (Unspecified, 6): Ryuk is a potent form of malware, specifically ransomware, that has been deployed extensively by threat groups such as ITG23 and UNC1878. The malware's deployment often follows a sequence of infection initiated by Emotet, which then delivers the Trickbot malware, culminating in a Ryuk ransomware att
Dridex (Unspecified, 6): Dridex is a well-known malware, specifically a banking Trojan, that has been utilized by cybercriminals to exploit and damage computer systems. The malware infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user, and can steal personal information, disrupt o
Bazarloader (Unspecified, 4): BazarLoader is a form of malware that has been utilized extensively by ITG23, a cybercriminal group. This harmful software infiltrates systems via suspicious downloads, emails, or websites, potentially stealing personal information, disrupting operations, or holding data for ransom. ITG23 has used B
Formbook (Unspecified, 3): Formbook is a type of malware, a malicious software designed to exploit and damage computer systems. It can infiltrate your system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold d
Doppelpaymer (Unspecified, 2): DoppelPaymer is a form of malware, specifically ransomware, known for its high-profile attacks on large organizations and municipalities. Originally based on the BitPaymer ransomware, DoppelPaymer was reworked and renamed by the threat group GOLD HERON, after initially being operated by GOLD DRAKE.
Dave Loader (Unspecified, 2): Dave Loader, also known as Domino Backdoor, is a potent malware that has been utilized in various cybercrime operations. This malicious software is designed to infiltrate computer systems and compromise user data, often without the victim's knowledge. It can be delivered through dubious downloads, e
Darkgate (Unspecified, 2): DarkGate is a form of malware that has been causing significant issues in recent times. This malicious software, designed to exploit and damage computer systems, infiltrates devices through suspicious downloads, emails, or websites without the user's knowledge. Once inside, it can steal personal inf
Lokibot (Unspecified, 2): LokiBot is a malicious software, or malware, that was first reported on October 24, 2020. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal information
Agent Tesla (Unspecified, 2): Agent Tesla is a type of malware that exploits vulnerabilities in systems to cause harm, often by stealing personal information, disrupting operations, or holding data for ransom. This malicious software has been spread through phishing attacks that exploit an old Microsoft Office flaw (CVE-2017-118
Zloader (Unspecified, 2): ZLoader, also known as Terdot, DELoader, or Silent Night, is a modular trojan based on the leaked ZeuS source code. After nearly two years of inactivity, ZLoader resurfaced around September 2023 with new obfuscation techniques, a domain generation algorithm (DGA), and network communication methods.
Cobaltstrike (Unspecified, 2): CobaltStrike is a type of malware, or malicious software, that is designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hol
Mirai (Unspecified, 2): Mirai is a notorious malware that targets Internet of Things (IoT) devices to form a botnet, which can then be used to launch distributed denial-of-service (DDoS) attacks. In early 2022, Mirai botnets accounted for over 7 million detections, highlighting the widespread nature of this threat. However
Ursnif (Unspecified, 2): Ursnif, also known as Gozi or ISFB, is a type of malware that is primarily used for information stealing. It is typically distributed through suspicious downloads, emails, or websites and can infect systems often without the user's knowledge. Once inside, it can steal personal information, disrupt o
Emotet, Trickbot (Unspecified, 2): (no description)
Lockbit (Unspecified, 2): LockBit is a malicious software, or malware, that has been significantly active in recent years. It is designed to infiltrate systems and cause significant damage by stealing sensitive information, disrupting operations, and holding data hostage for ransom. In 2023, security firm Rapid7 named LockBi
GuLoader (Unspecified, 2): GuLoader is a type of malware that infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransom. GuLoader is encrypted with NSIS Crypter and has
Hive (Unspecified, 2): Hive is a malicious software, or malware, known for its disruptive capabilities and widespread damage. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data h
Black Basta (Unspecified, 2): Black Basta is a malicious software (malware) known for its disruptive activities in the cyber world. This Russian-speaking ransomware-as-a-service group has been operational since early 2022, with an estimated accumulation of at least $107 million in Bitcoin ransom payments. The malware primarily i
Associated Threat Actors
Profile (type, votes): description
Mealybug (Unspecified, 3): Mealybug, a cybercrime group also known as TA542, has been operating the Emotet malware family since 2014. In recent years, Mealybug has significantly enhanced its malicious activities by updating the Emotet malware to a 64-bit architecture and implementing multiple new obfuscations to protect their
Alphv (Unspecified, 3): AlphV, also known as BlackCat, is a significant threat actor within the cybercrime landscape. Throughout 2023, AlphV has been responsible for numerous high-profile ransomware attacks, stealing significant amounts of data from various organizations. The group claimed responsibility for hacking Clario
MUMMY SPIDER (Unspecified, 3): Mummy Spider, a known eCrime group, is recognized for its development of the Emotet malware. This threat actor has been linked to various names such as Gold Crestwood, TA542, and Mealybug, showcasing its extensive reach and influence in cybercrime activities. The cybersecurity industry has identified
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Emotet malware was read from the document corpus below. This display is limited to 20 results.
Source (created): title
MITRE (a year ago): The Banking Trojan Emotet: Detailed Analysis
MITRE (a year ago): The Evolution of Emotet: From Banking Trojan to Threat Distributor
CERT-EU (8 months ago): Unmasking Emotet: A Step-By-Step Guide to How To Remove Emotet Malware
ESET (a year ago): What’s up with Emotet? | WeLiveSecurity
Recorded Future (a year ago): 2022 Adversary Infrastructure Report
MITRE (a year ago): Emotet launches major new spam campaign | WeLiveSecurity
MITRE (a year ago): Emotet Malware | CISA
CERT Polska (a year ago): What’s up Emotet?
DARKReading (a year ago): Emotet Resurfaces Yet Again After 3-Month Hiatus
CERT-EU (a year ago): Emotet Rises Again: Evades Macro Security via OneNote Attachments
Kryptos Logic (a year ago): Emotet Awakens With New Campaign of Mass Email Exfiltration
CERT Polska (a year ago): Analysis of Emotet v4
Kryptos Logic (a year ago): North Korean APT(?) and recent Ryuk Ransomware attacks
SecurityIntelligence.com (7 months ago): ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
MITRE (a year ago): MS-ISAC Security Primer- Emotet
CERT-EU (a year ago): Brand-new Emotet campaign socially engineers its way from detection | IT PRO
Trend Micro (a year ago): Emotet Returns, Now Adopts Binary Padding for Evasion
MITRE (a year ago): Stopping Emotet Before it Moves Laterally - Red Canary
CERT-EU (a year ago): Hunting Emotet: How Behavioural Hunting Trumps IOC Detection Every Time
CSO Online (a year ago): 5 top threats from 2022 most likely to strike in 2023