Emotet

Malware updated a month ago (2024-10-23T21:01:02.262Z)
Download STIX
Preview STIX
Emotet is a notorious malware, short for malicious software, that is designed to exploit and damage computers or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations, or hold data hostage for ransom. Emotet has been associated with several other types of malware such as Trickbot, BazarLoader, IcedID, Conti, and Cobalt Strike, all crypters used by ITG23, a group known for its cybercriminal activities. Emotet and ITG23 have a history of seeding each other's malware, indicating a symbiotic relationship between these entities. Despite being disrupted by law enforcement in 2021, Emotet returned stronger and more functional than before. The malware has shown remarkable resilience, often reemerging after disruptions to cause further incidents. This resilience is characteristic of botnets, networks of infected computers under the control of criminals, which are used to carry out large-scale attacks. In fact, several botnet strains like Emotet have been observed to rise from the ashes after being taken down, demonstrating their robust nature. The Emotet botnet has been leveraged by various groups to distribute ransomware, including ALPHV affiliates initiating first-stage system breaches and groups suspected of being successors to DarkSide and BlackMatter. Given its dynamic nature, it is recommended to use Feodo Tracker from abuse.ch as an indicator of compromise (IOC) source. As of summer 2024, Emotet is considered one of the most dangerous and insidious types of malware that has become active again, further underscoring the need for vigilant cybersecurity measures.
Description last updated: 2024-10-23T18:02:45.770Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
QakBot is a possible alias for Emotet. Qakbot is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations, or hold data for ransom. Built by d
9
IcedID is a possible alias for Emotet. IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of d
8
Qbot is a possible alias for Emotet. Qbot, also known as Qakbot or Pinkslipbot, is a modular information stealer malware that first emerged in 2007 as a banking trojan. Its evolution has seen it become an advanced strain of malware used by multiple cybercriminal groups to prepare compromised networks for ransomware infestations. The fi
8
Ta542 is a possible alias for Emotet. TA542, also known as Mealybug or Mummy Spider, is a notable threat actor in the cybersecurity landscape that operates the Emotet malware family. Active since 2014, this group has evolved the initial banking Trojan into a sophisticated and profitable malware delivery vehicle. The group's operations a
4
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ransomware
Botnet
Trojan
Phishing
Spam
Payload
Loader
Cybercrime
Outlook
Windows
Infostealer
Downloader
Exploit
Dropper
Cobalt Strike
Polymorphic
Denial of Se...
Bot
exploitation
Antivirus
Crypter
Worm
Police
Malware Loader
Financial
Fraud
Malwarebytes
Banking
Encrypt
Eset
Ddos
Proxy
DNS
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The TrickBot Malware is associated with Emotet. TrickBot is a notorious malware developed by cybercriminals to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software can steal personal information, disrupt operations, or even hold data hostage for ransom. Vladimir Dunaev,Unspecified
13
The Ryuk Malware is associated with Emotet. Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware invesUnspecified
6
The Dridex Malware is associated with Emotet. Dridex is a notorious malware, specifically a banking Trojan, designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software was primarily used by the Russian cybercriminal group, Evil Corp, founded in 2014. The group taUnspecified
6
The Conti Malware is associated with Emotet. Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. Often spreading through suspicious downloads, emails, or websites, it can steal personal information, disrupt operations, or hold data hostage for ransom. Notably, Conti was linked to several raUnspecified
6
The Bazarloader Malware is associated with Emotet. BazarLoader is a type of malware developed by the TrickBot group, primarily used to gain initial access to a victim's infrastructure in ransomware attacks. This malware has been associated with various threat groups, including ITG23, which has used BazarLoader alongside other malware like Trickbot aUnspecified
4
The Formbook Malware is associated with Emotet. Formbook is a type of malware, malicious software designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Formbook has been linked with other forms oUnspecified
3
The Dave Loader Malware is associated with Emotet. Dave Loader, also known as Domino Backdoor, is a potent malware that has been utilized in various cybercrime operations. This malicious software is designed to infiltrate computer systems and compromise user data, often without the victim's knowledge. It can be delivered through dubious downloads, eUnspecified
2
The Darkgate Malware is associated with Emotet. DarkGate is a multifunctional malware that poses significant threats to computer systems and networks. It has been associated with various malicious activities such as information theft, credential stealing, cryptocurrency theft, and ransomware delivery. DarkGate infiltrates systems through suspicioUnspecified
2
The Lokibot Malware is associated with Emotet. LokiBot is a malicious software, or malware, that was first reported on October 24, 2020. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal informationUnspecified
2
The Agent Tesla Malware is associated with Emotet. Agent Tesla is a well-known malware that primarily targets systems through phishing attacks, exploiting an outdated Microsoft Office vulnerability (CVE-2017-11882). This malicious software is designed to infiltrate computer systems, often without the user's knowledge, and can steal personal informatUnspecified
2
The Lockbit Malware is associated with Emotet. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit Unspecified
2
The Hive Malware is associated with Emotet. Hive is a form of malware, specifically ransomware, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostagUnspecified
2
The Zloader Malware is associated with Emotet. ZLoader is a form of malware, or malicious software, that is designed to exploit and damage computer systems. This harmful program can infiltrate a device through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal informUnspecified
2
The Cobaltstrike Malware is associated with Emotet. CobaltStrike is a type of malware, or malicious software, that infiltrates systems to exploit and damage them. It can gain access via suspicious downloads, emails, or websites and then steal personal information, disrupt operations, or hold data for ransom. CobaltStrike has been observed in conjunctUnspecified
2
The Ursnif Malware is associated with Emotet. Ursnif, also known as Gozi or ISFB, is a type of malware that has been distributed by threat actor group TA551. This harmful software can infiltrate systems via suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or even hold data for raUnspecified
2
The Doppelpaymer Malware is associated with Emotet. DoppelPaymer is a type of malware, specifically ransomware, that was initially developed and operated by the GOLD DRAKE threat group under the name BitPaymer. The software was later reworked and renamed to DoppelPaymer by another threat group, GOLD HERON. This malicious software first appeared in miUnspecified
2
The Black Basta Malware is associated with Emotet. Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defensesUnspecified
2
The Mirai Malware is associated with Emotet. Mirai, a malware that targets Internet of Things (IoT) devices, was responsible for over 7 million botnet detections in early 2022. This malicious software infiltrates systems often without the user's knowledge and can steal personal information, disrupt operations, or hold data hostage for ransom. Unspecified
2
The GuLoader Malware is associated with Emotet. GuLoader is a potent malware that has been causing significant cybersecurity concerns. It operates by infecting systems through suspicious downloads, emails, or websites and then proceeds to exploit the system, often stealing personal information, disrupting operations, or holding data hostage for rUnspecified
2
The REvil Malware is associated with Emotet. REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. ThUnspecified
2
The malware Emotet, Trickbot is associated with Emotet. Unspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Mealybug Threat Actor is associated with Emotet. Mealybug, a cybercrime group also known as TA542, has been operating the Emotet malware family since 2014. In recent years, Mealybug has significantly enhanced its malicious activities by updating the Emotet malware to a 64-bit architecture and implementing multiple new obfuscations to protect theirUnspecified
3
The Alphv Threat Actor is associated with Emotet. Alphv, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. Originating from Russia, this cybercriminal group has been involved in multiple high-profile ransomware attacks, specifically targeting healthcare providers. They gained significant attention after stealing 5TB Unspecified
3
The MUMMY SPIDER Threat Actor is associated with Emotet. Mummy Spider, a known eCrime group, is recognized for its development of the Emotet malware. This threat actor has been linked to various names such as Gold Crestwood, TA542, and Mealbug, showcasing its extensive reach and influence in cybercrime activities. The cybersecurity industry has identifiedUnspecified
3
Source Document References
Information about the Emotet Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
DARKReading
a month ago
Unit42
3 months ago
ESET
3 months ago
CERT-EU
a year ago
BankInfoSecurity
5 months ago
RIA - Information System Authority
6 months ago
RIA - Information System Authority
6 months ago
RIA - Information System Authority
6 months ago
RIA - Information System Authority
6 months ago
RIA - Information System Authority
6 months ago
RIA - Information System Authority
6 months ago
DARKReading
6 months ago
BankInfoSecurity
6 months ago
BankInfoSecurity
6 months ago
Securelist
7 months ago
DARKReading
8 months ago
CERT-EU
8 months ago
CERT-EU
8 months ago
CERT-EU
9 months ago
DARKReading
10 months ago