Emotet

Malware Profile Updated 24 days ago
Emotet is a highly dangerous and insidious malware that has resurfaced with increased activity this summer. Originally distributed via email attachments, it often infiltrates systems without the user's knowledge and joins them to botnets that criminals control and use for large-scale attacks. Once a computer is infected, Emotet acts as a service for other malicious groups: they can use its infrastructure to deliver their own malware to the computer to steal sensitive data or mailbox contents, or later infect it with ransomware that encrypts files. It constantly evolves, with recent reports from CERT-EE indicating the use of password-protected ZIP files that contain an MS Office file and Emotet.

The group ITG23, suspected of being a successor to DarkSide and BlackMatter with ties to former REvil members, has a history with Emotet. They have used crypters in conjunction with Trickbot, BazarLoader, and Conti malware (all attributed to ITG23) and have also crypted malware on behalf of groups such as IcedID and Emotet. Furthermore, ITG23 and the Emotet group have a history of seeding each other's malware, and X-Force has observed the analyzed crypters used repeatedly by Emotet and IcedID malware samples, indicating that ITG23 is also crypting malware for these groups.

Given the widespread use of Emotet, companies are advised to inspect and, if necessary, strengthen their information security measures. While high-end and consistently updated antivirus programs can often identify attachments containing malware, user awareness and caution are critical. Emotet-infected computers have been reported in various countries, including Finland and Latvia. The malware continues to adapt and supplement itself, making it one of the most active threats currently facing cybersecurity.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
QakBot
9
Qakbot is a potent malware, a malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information, disrupt operations, or e
Qbot
8
Qbot, also known as Qakbot or Pinkslipbot, is a modular information-stealing malware that emerged in 2007 as a banking trojan. Over the years, it has evolved into an advanced malware strain used by multiple cybercriminal groups to compromise networks and prepare them for ransomware attacks. The firs
IcedID
8
IcedID is a malicious software (malware) designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom
Ta542
4
TA542, also known as Mealybug or Mummy Spider, is a notable threat actor in the cybersecurity landscape that operates the Emotet malware family. Active since 2014, this group has evolved the initial banking Trojan into a sophisticated and profitable malware delivery vehicle. The group's operations a
Nokoyawa
1
Nokoyawa is a notorious malware, particularly known for its ransomware capabilities. It has been associated with various other malicious software including Quantum, Royal, BlackBasta, Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2, Vidar, Gozi, Cany
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ransomware
Botnet
Trojan
Phishing
Spam
Payload
Loader
Cybercrime
Outlook
Windows
Exploit
Downloader
Infostealer
Cobalt Strike
Bot
exploitation
Antivirus
Crypter
Polymorphic
Worm
Denial of Se...
Dropper
Malware Loader
Proxy
Encrypt
Police
DNS
Banking
Ddos
Eset
Malwarebytes
Financial
Fraud
Espionage
Vpn
Beacon
Fbi
Trojan Malware
Encryption
Remcos
Credentials
Crypting
Linux
Poc
T1055
Hydra Market
RaaS
Loader Malware
Scams
Apt
Insurance
Finance
Proofpoint
Hp
Macros
Fortiguard
State Sponso...
Ransom
Vulnerability
Lateral Move...
PowerShell
Secureworks
Symantec
Evasive
Breachforums
Telegram
Microsoft
Backdoor
Ransomware P...
Chrome
Reconnaissance
t1592.001
t1592.004
t1592.002
t1589.001
t1589.002
t1586.002
t1584.005
t1587.001
t1588.002
T1566
t1566.001
Spearphishing
t1059.005
t1204.002
T1140
t1027.002
t1027.007
t1555.003
T1555
t1114.001
t1071.003
t1573.002
t1573.001
T1571
Malware Payl...
Decoy
Associated Malware
ID | Type | Votes | Profile Description
TrickBot | Unspecified
13
TrickBot is a notorious form of malware that infiltrates systems to exploit and damage them, often through suspicious downloads, emails, or websites. Once it has breached a system, TrickBot can steal personal information, disrupt operations, and even hold data hostage for ransom. It has been linked
Dridex | Unspecified
6
Dridex is a well-known malware, specifically a banking Trojan, that has been utilized by cybercriminals to exploit and damage computer systems. The malware infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user, and can steal personal information, disrupt o
Ryuk | Unspecified
6
Ryuk is a sophisticated malware, specifically a ransomware variant, that has been extensively used by cybercriminal group ITG23. The group has been employing crypting techniques for several years to obfuscate their malware, with Ryuk often seen in tandem with other malicious software such as Trickbo
Conti | Unspecified
6
Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in
Bazarloader | Unspecified
4
BazarLoader is a form of malware that has been utilized extensively by ITG23, a cybercriminal group. This harmful software infiltrates systems via suspicious downloads, emails, or websites, potentially stealing personal information, disrupting operations, or holding data for ransom. ITG23 has used B
Formbook | Unspecified
3
Formbook is a type of malware known for its ability to steal personal information, disrupt operations, and potentially hold data for ransom. The malware is commonly spread through suspicious downloads, emails, or websites, often without the user's knowledge. In June 2023, Formbook was observed being
REvil | Unspecified
2
REvil is a notorious form of malware, specifically ransomware, that infiltrates systems to disrupt operations and steal data. The ransomware operates on a Ransomware as a Service (RaaS) model, which gained traction in 2020. In this model, REvil, like other first-stage malware such as Dridex and Goot
Hive | Unspecified
2
Hive is a malicious software, or malware, that infiltrates systems to exploit and damage them. This malware has been associated with Volt Typhoon, who exfiltrated NTDS.dit and SYSTEM registry hive to crack passwords offline. The Hive operation was primarily involved in port scanning, credential thef
Cobaltstrike | Unspecified
2
CobaltStrike is a notorious form of malware that has been used in conjunction with other malicious software including IcedID, Qakbot, BazarLoader, Conti, Gozi, Trickbot, Quantum, Emotet, and Royal Ransomware. This malware is typically delivered through suspicious downloads, emails, or websites, ofte
Zloader | Unspecified
2
ZLoader is a type of malware, malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it has the capacity to steal personal information, disrupt operations, or even ho
Agent Tesla | Unspecified
2
Agent Tesla is a malicious software (malware) that exploits and damages computer systems, often infiltrating the system through suspicious downloads, emails, or websites. This malware can steal personal information, disrupt operations, and potentially hold data for ransom. Agent Tesla has been obser
GuLoader | Unspecified
2
GuLoader is a type of malware that infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransom. GuLoader is encrypted with NSIS Crypter and has
Ursnif | Unspecified
2
Ursnif, also known as Gozi or ISFB, is a type of malware that poses significant threats to computer systems and user data. It's often distributed through suspicious downloads, emails, or websites, infiltrating systems without the user's knowledge. Once installed, Ursnif can steal personal informatio
Dave Loader | Unspecified
2
Dave Loader, also known as Domino Backdoor, is a potent malware that has been utilized in various cybercrime operations. This malicious software is designed to infiltrate computer systems and compromise user data, often without the victim's knowledge. It can be delivered through dubious downloads, e
Mirai | Unspecified
2
Mirai is a type of malware that primarily targets Internet of Things (IoT) devices to form botnets, which are networks of private computers infected with malicious software and controlled as a group without the owners' knowledge. In early 2022, Mirai botnets accounted for over 7 million detections g
Black Basta | Unspecified
2
Black Basta is a notorious malware entity known for its devastating ransomware attacks. First emerging in June 2022, the group has since been associated with a series of high-profile cyber-attacks worldwide. This malware, like others, infiltrates systems through suspicious downloads, emails, or webs
Lokibot | Unspecified
2
LokiBot is a malicious software, or malware, that was first reported on October 24, 2020. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal information
Doppelpaymer | Unspecified
2
DoppelPaymer is a form of malware, specifically ransomware, known for its high-profile attacks on large organizations and municipalities. Originally based on the BitPaymer ransomware, DoppelPaymer was reworked and renamed by the threat group GOLD HERON, after initially being operated by GOLD DRAKE.
Darkgate | Unspecified
2
DarkGate is a malicious software (malware) that poses significant threats to computer systems and data. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold your data hos
Emotet, Trickbot | Unspecified
2
None
Lockbit | Unspecified
2
LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Gozi | Unspecified
1
Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c
Godzilla Loader | Unspecified
1
None
Diceloader | Unspecified
1
Diceloader is a type of malware, short for malicious software, that is designed to infiltrate and damage computer systems. It can infect systems through various means such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal in
Azorult | Unspecified
1
Azorult is a type of malware, or malicious software, that infiltrates systems to exploit and damage them, often without the user's knowledge. It has historically been one of the favored infostealers sold on the marketplace 2easy, alongside RedLine, Raccoon, Vidar, and Taurus. However, as of late Feb
Agenttesla | Unspecified
1
AgentTesla is a well-known remote access trojan (RAT) that has been used extensively in cybercrime operations. It infiltrates systems through various methods, including malicious emails and suspicious downloads. Once inside, it can steal personal information, disrupt operations, or hold data hostage
Hijackloader | Unspecified
1
HijackLoader is a new type of malware that has been rapidly gaining popularity within the cybercrime community. As with other types of malicious software, it is designed to exploit and damage computer systems. It can infiltrate these systems through suspicious downloads, emails, or websites, often u
Gameover Zeus | Unspecified
1
Gameover ZeuS, also known as P2P ZeuS, is a notorious piece of malware designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even
Netwalker | Unspecified
1
NetWalker is a highly profitable ransomware kit, known for its ability to disable antivirus software on Windows 10 systems and encrypt files, adding a random extension to the encrypted ones. Once executed, it disrupts operations and can even hold data hostage for ransom. It has been observed that Ne
Blackbasta | Unspecified
1
BlackBasta is a malicious software (malware) known for its disruptive and damaging effects on computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even ho
Bumblebee | Unspecified
1
Bumblebee is a type of malware that has been linked to ITG23, a cybercriminal group known for its use of crypters such as Emotet, IcedID, Qakbot, Bumblebee, and Gozi. Distributed via phishing campaigns or compromised websites, Bumblebee enables the delivery and execution of further payloads. The sam
Godzilla | Unspecified
1
Godzilla is a potent malware that allows attackers to remotely control compromised servers, execute arbitrary commands, upload and download files, manipulate databases, and perform other malicious activities. The malware was linked to a group known as Ethereal Panda by CrowdStrike due to their simil
Zeus | Unspecified
1
Zeus is a type of malware, short for malicious software, designed to exploit and damage computers or devices. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Zeus can steal personal information, disrupt operations, or even hold da
BitPaymer | Unspecified
1
BitPaymer is a type of malware that operates as ransomware, encrypting files and demanding payment for their release. It was operated by the GOLD DRAKE threat group and was later reworked and renamed DoppelPaymer by the GOLD HERON threat group. As part of the Ransomware as a Service (RaaS) model tha
gh0st RAT | Unspecified
1
Gh0st RAT is a notorious malware that was originally developed by the C. Rufus Security Team in China and has been widely used for cyber espionage since its code leaked in 2008. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often without the user's
Maze | Unspecified
1
Maze is a type of malware, specifically ransomware, that gained notoriety in 2019 for its double extortion tactic. This malicious software infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Maze w
PlugX | Unspecified
1
PlugX is a notorious malware, typically associated with Chinese threat actors, that has been used in various cyberattacks. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. It
DarkComet | Unspecified
1
DarkComet is a Remote Access Trojan (RAT) that opens a backdoor on infected computers, allowing unauthorized access and data theft. This malware has been classified among the top five Command and Control (C2) families, indicating its widespread usage by cybercriminals. DarkComet, along with other es
Egregor | Unspecified
1
Egregor is a variant of the Sekhmet ransomware and operates as Ransomware-as-a-Service (RaaS). It emerged in 2020, suspected to be from former Maze affiliates. Known for its double extortion tactics, Egregor publicly shames its victims by leaking sensitive data if the ransom isn't paid. In one notab
Ragnar Locker | Unspecified
1
Ragnar Locker is a type of malware, specifically a ransomware, that has been designed to infiltrate computer systems, often without the user's knowledge. It can enter systems through suspicious downloads, emails, or websites and once inside, it has the capability to steal personal information, disru
Associated Threat Actors
ID | Type | Votes | Profile Description
Alphv | Unspecified
3
AlphV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. This group has been involved in numerous high-profile attacks, including stealing 5TB of data from Morrison Community Hospital and compromising Clarion, a global manufacturer of audio and video equipment for car
MUMMY SPIDER | Unspecified
3
Mummy Spider, a known eCrime group, is recognized for its development of the Emotet malware. This threat actor has been linked to various names such as Gold Crestwood, TA542, and Mealybug, showcasing its extensive reach and influence in cybercrime activities. The cybersecurity industry has identified
Mealybug | Unspecified
3
Mealybug, a cybercrime group also known as TA542, has been operating the Emotet malware family since 2014. In recent years, Mealybug has significantly enhanced its malicious activities by updating the Emotet malware to a 64-bit architecture and implementing multiple new obfuscations to protect their
TA551 | Unspecified
1
TA551, also known as Hive0106, Shathak, and UNC2420, is a financially motivated threat group that has been active in the cybercrime landscape. This threat actor has been linked to various malware distribution activities, including those involving QakBot, IcedID, Emotet, Bumblebee, Gozi, and other ma
Snake | Unspecified
1
Snake, also known as EKANS, is a significant threat actor that has been active since at least 2004, with its activities potentially dating back to the late 1990s. This group, which may have ties to Iran, targets diplomatic and government organizations as well as private businesses across various reg
Emotet Gang | Unspecified
1
None
DarkSide | Unspecified
1
DarkSide is a notable threat actor that emerged in the cybersecurity landscape with its advanced ransomware operations. In 2021, the group gained significant attention for its attack on the United States' largest oil pipeline, Colonial Pipeline, causing a temporary halt to all operations for three d
Blackmatter | Unspecified
1
BlackMatter is a recognized threat actor in the cybersecurity industry, notorious for its malicious activities and the execution of ransomware attacks. The group initially operated as DarkSide, responsible for the high-profile Colonial Pipeline attack in May 2021, which led to significant attention
Sodinokibi | Unspecified
1
Sodinokibi, also known as REvil, is a significant threat actor first identified in April 2019. This ransomware family operates as a Ransomware-as-a-Service (RaaS) and has been responsible for one in three ransomware incidents responded to by IBM Security X-Force in 2020. The Sodinokibi ransomware st
Trickbot Group | Unspecified
1
The Trickbot Group, also known as ITG23, Wizard Spider, and DEV-0193, is a threat actor group notorious for its malicious activities. The group has been consistently analyzed by IBM Security X-Force researchers due to their development and use of several crypters. In the fall of 2020, efforts were m
Ta544 | Unspecified
1
TA544 is a financially motivated, advanced persistent threat (APT) actor that has been tracked by cybersecurity firm Proofpoint and others since at least 2017. This malicious actor typically uses Ursnif malware to target organizations, predominantly in Italy and Japan. The Ursnif banking trojan, als
Kimsuky | Unspecified
1
Kimsuky is a North Korea-linked advanced persistent threat (APT) group that conducts global cyber-attacks to gather intelligence for the North Korean government. The group has been identified as a significant threat actor, executing actions with malicious intent, and has recently targeted victims vi
SideCopy | Unspecified
1
SideCopy is a Pakistani threat actor that has been operational since at least 2019, primarily targeting South Asian countries, specifically India and Afghanistan. The Advanced Persistent Threat (APT) group uses lures such as archive files embedded with Lnk, Microsoft Publisher or Trojanized Applicat
ITG23 | Unspecified
1
ITG23, also known as the Trickbot/Conti syndicate, is a significant threat actor that has been active since 2016 in the East European cybercrime arena. This group is renowned for its use of Reflective DLL Injection code in many of its crypters, with the presence of these crypters on a file sample be
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Proxylogon | Unspecified
1
ProxyLogon is a notable software vulnerability that surfaced in the cybersecurity landscape. It was part of an exploit chain, including CVE-2021-26855, a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server. This flaw allowed attackers to bypass authentication mechanisms and
Eternalblue | Unspecified
1
EternalBlue is a significant software vulnerability that exists in the design or implementation of certain systems. This flaw has been exploited by various cyber threats, with one notable instance being its use as an enabler for the widespread WannaCry ransomware attack. The exploit allows attackers
CVE-2021-40444 | Unspecified
1
None
Source Document References
Information about the Emotet Malware was read from the documents corpus below.
Source | Created At | Title
BankInfoSecurity
24 days ago
Millions Affected by Prudential Ransomware Hack in February
RIA - Information System Authority
2 months ago
A new wave of the malware network Emotet has arrived in Estonia
RIA - Information System Authority
2 months ago
The Emotet malware may steal your data
RIA - Information System Authority
2 months ago
Topics of RIA’s quarterly overview: a clever Trojan is taking over Estonians’ computers and the HOIA app is safe
RIA - Information System Authority
2 months ago
Estonia was hit by a third wave of malware – always verify the sender’s address before clicking!
RIA - Information System Authority
2 months ago
November 2020 in the Estonian cyberspace: attacks on government networks and DDoS attacks for extortion
RIA - Information System Authority
2 months ago
The new yearbook of the Information System Authority (RIA) on cyber security summarises the most influential incidents in cyber space
DARKReading
2 months ago
Europol's Hunt Begins for Emotet Malware Mastermind
BankInfoSecurity
2 months ago
European Police Take Down Botnet Servers, Make Arrests
BankInfoSecurity
2 months ago
Breach Roundup: Fluent Bit Flaw Is Risky for Cloud Providers
Securelist
3 months ago
Financial threat report 2023: phishing, PC and mobile malware
DARKReading
4 months ago
LockBit Ransomware Takedown Strikes Deep Into Brand's Viability
CERT-EU
4 months ago
Cybercrime on Main Street – Sophos News | #cybercrime | #infosec | National Cyber Security Consulting
CERT-EU
4 months ago
Cybercrime on Main Street – Sophos News | #cybercrime | #computerhacker - Am I Hacker Proof
CERT-EU
5 months ago
Secure email gateways struggle to keep pace with sophisticated phishing campaigns - Help Net Security
DARKReading
6 months ago
Threat Actors Team Up for Post-Holiday Phishing Email Surge
CERT-EU
6 months ago
Destroying a Botnet - Panda Security Mediacenter
CERT-EU
6 months ago
Malware Takedowns Show Progress, But Fight Against Cybercrime Not Over
InfoSecurity-magazine
7 months ago
Malware Takedowns Show Progress, But Fight Against Cybercrime Not Over
RIA - Information System Authority
7 months ago
A new wave of the malware network Emotet has arrived in Estonia | RIA