Emotet - How to Detect

Last updated: 2026-04-21

Emotet Loader Detection Guide

Behavioral Indicators

Emotet exhibits several distinctive behavioral patterns during execution that can be detected through process monitoring and API hooking. The malware typically injects its payload into legitimate system processes to evade detection. Look for rundll32.exe, regsvr32.exe, or wscript.exe spawning from suspicious parent processes like email clients or document readers, which may indicate initial execution from a malicious macro or script. Emotet will often spawn svchost.exe or explorer.exe and perform process hollowing to run its malicious code within these trusted processes.

Key API calls to monitor include VirtualAllocEx and WriteProcessMemory for code injection, CreateRemoteThread to execute the injected code, and RegSetValueEx for persistence establishment. Credential access behavior is a hallmark of Emotet. It uses Windows API functions like CredEnumerateW and CredReadW to harvest stored credentials from the Credential Manager. It also accesses the %AppData%\Microsoft\Credentials\ and %AppData%\Microsoft\Protect\ directories to extract cached domain credentials. The malware may spawn cmd.exe with whoami /all and net commands to enumerate user privileges and network shares. Look for unusual access to LSASS process memory through OpenProcess calls targeting the PID of lsass.exe.
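The two behavioral checks above (script hosts spawned by mail or document parents, and the VirtualAllocEx / WriteProcessMemory / CreateRemoteThread sequence aimed at another process) can be run over normalised process telemetry. The following is an added example, not code from the original guide: the event records are constructed, and the field names (type, pid, image, parent_image, api, target_pid) are an assumed schema rather than Sysmon's or any vendor's actual format.

```python
"""Triage normalised process/API events for Emotet-like execution and injection chains.

Added example. SAMPLE_EVENTS is constructed and the record schema is assumed.
"""
from collections import defaultdict

# Parents the guide associates with initial macro/script execution.
DOCUMENT_PARENTS = {"outlook.exe", "thunderbird.exe", "winword.exe", "excel.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"rundll32.exe", "regsvr32.exe", "wscript.exe"}
# Trusted images the guide says Emotet hollows, with their usual parents on a workstation.
USUAL_PARENTS = {
    "svchost.exe": {"services.exe"},
    "explorer.exe": {"userinit.exe", "winlogon.exe", "explorer.exe"},
}
# Injection sequence named in the guide; order matters.
INJECT_SEQUENCE = ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")

SAMPLE_EVENTS = [  # constructed telemetry
    {"type": "process_create", "pid": 100, "image": "outlook.exe", "parent_image": "explorer.exe"},
    {"type": "process_create", "pid": 200, "image": "winword.exe", "parent_image": "outlook.exe"},
    {"type": "process_create", "pid": 300, "image": "rundll32.exe", "parent_image": "winword.exe"},
    {"type": "process_create", "pid": 400, "image": "svchost.exe", "parent_image": "rundll32.exe"},
    {"type": "process_create", "pid": 600, "image": "lsass.exe", "parent_image": "wininit.exe"},
    {"type": "api_call", "pid": 300, "api": "VirtualAllocEx", "target_pid": 400},
    {"type": "api_call", "pid": 300, "api": "WriteProcessMemory", "target_pid": 400},
    {"type": "api_call", "pid": 300, "api": "CreateRemoteThread", "target_pid": 400},
    {"type": "api_call", "pid": 400, "api": "OpenProcess", "target_pid": 600},
    # benign: a process allocating in its own address space
    {"type": "api_call", "pid": 200, "api": "VirtualAllocEx", "target_pid": 200},
]


def suspicious_children(events):
    """Script hosts spawned directly by an email client or document reader."""
    return [
        (e["pid"], e["image"], e["parent_image"])
        for e in events
        if e.get("type") == "process_create"
        and e["image"].lower() in SCRIPT_HOSTS
        and e["parent_image"].lower() in DOCUMENT_PARENTS
    ]


def hollowing_candidates(events):
    """svchost.exe / explorer.exe launched by something other than their usual parent."""
    hits = []
    for e in events:
        if e.get("type") != "process_create":
            continue
        img = e["image"].lower()
        if img in USUAL_PARENTS and e["parent_image"].lower() not in USUAL_PARENTS[img]:
            hits.append((e["pid"], e["image"], e["parent_image"]))
    return hits


def is_subsequence(needle, haystack):
    """True if every element of needle appears in haystack in order (gaps allowed)."""
    it = iter(haystack)
    return all(x in it for x in needle)


def injection_chains(events, lsass_pid=None):
    """Return (source_pid, target_pid, target_image) for cross-process injection sequences,
    plus the list of PIDs that called OpenProcess against lsass_pid."""
    images = {e["pid"]: e["image"] for e in events if e.get("type") == "process_create"}
    calls = defaultdict(list)  # (source, target) -> API names in observed order
    lsass_hits = []
    for e in events:
        if e.get("type") != "api_call":
            continue
        calls[(e["pid"], e["target_pid"])].append(e["api"])
        if e["api"] == "OpenProcess" and lsass_pid is not None and e["target_pid"] == lsass_pid:
            lsass_hits.append(e["pid"])
    chains = []
    for (src, dst), apis in calls.items():
        if src != dst and is_subsequence(INJECT_SEQUENCE, apis):  # same-process allocs are normal
            chains.append((src, dst, images.get(dst, "?")))
    return chains, lsass_hits


if __name__ == "__main__":
    print("script hosts from document parents:", suspicious_children(SAMPLE_EVENTS))
    print("hollowing candidates:", hollowing_candidates(SAMPLE_EVENTS))
    print("injection chains, lsass access:", injection_chains(SAMPLE_EVENTS, lsass_pid=600))
```

The same-process exclusion in injection_chains matters in practice: VirtualAllocEx with the caller's own handle is routine, and alerting on the API names alone (rather than the ordered cross-process sequence) is the usual source of noise.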

Network Indicators

Emotet uses encrypted HTTPS communication with its command-and-control (C2) servers, making traditional payload inspection difficult. However, several network patterns remain detectable. The malware generates distinctive User-Agent strings that often contain random words or misspellings, such as variations of “Mozilla/4.0” with unusual formatting. DNS queries typically resolve to newly-registered domains with algorithmically generated names, often using dictionary words combined with numbers (e.g., “secureupdate123[.]com” or “data-center45[.]net”).

Beaconing intervals vary but often follow a pseudo-random pattern between 5 and 30 minutes initially, with increased frequency after successful infection. The initial handshake involves a GET request to a URI like /gate.php or /panel.php with encoded parameters. Emotet may also use fallback communication channels, including SMTP over TLS on port 587 or 465, to exfiltrate data or receive commands while mimicking legitimate email traffic. Data exfiltration occurs through POST requests with encrypted form data sent to the C2. Network signatures include specific SSL/TLS certificate attributes from known Emotet infrastructure and JA3/JA3S fingerprints that remain consistent across campaigns.
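Because the payload is encrypted, the network indicators above reduce to metadata: request timing, destination naming, URI and User-Agent shape. The following added example (not from the original guide) scores per-destination connection records on those properties. The log lines and their pipe-separated layout are constructed, the 5 to 30 minute window and the regularity threshold are the example's own parameters, and the hostname regex is a rough assumption about the "dictionary word plus digits" shape the guide describes, not a signature for real Emotet domains.

```python
"""Score outbound HTTP(S) records for Emotet-style beaconing and handshake patterns.

Added example. SAMPLE_LOG and its field layout are constructed.
"""
import re
import statistics
from datetime import datetime

BEACON_URIS = {"/gate.php", "/panel.php"}
# Assumed approximation of "dictionary words combined with numbers" (e.g. secureupdate123.com).
DGA_LIKE = re.compile(r"^[a-z]+(?:-[a-z]+)?\d{2,}\.(?:com|net|org)$")
UA_LEGACY = re.compile(r"Mozilla/4\.0")

# timestamp|src|dst_host|method|uri|user_agent  (constructed)
SAMPLE_LOG = [
    "2024-05-01T09:00:00|10.0.0.5|secureupdate123.com|GET|/gate.php?id=abc|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)",
    "2024-05-01T09:05:00|10.0.0.5|www.microsoft.com|GET|/download|Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "2024-05-01T09:06:00|10.0.0.5|www.microsoft.com|GET|/download/2|Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "2024-05-01T09:10:00|10.0.0.5|secureupdate123.com|GET|/gate.php?id=abc|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)",
    "2024-05-01T09:22:00|10.0.0.5|secureupdate123.com|GET|/gate.php?id=abc|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)",
    "2024-05-01T09:33:00|10.0.0.5|secureupdate123.com|GET|/gate.php?id=abc|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)",
    "2024-05-01T09:43:00|10.0.0.5|secureupdate123.com|GET|/gate.php?id=abc|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)",
    "2024-05-01T09:50:00|10.0.0.5|secureupdate123.com|POST|/gate.php|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)",
]


def parse_line(line):
    ts, src, dst, method, uri, ua = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "method": method, "uri": uri.split("?", 1)[0], "ua": ua}


def interval_stats(timestamps):
    """Gaps in seconds between consecutive events, their mean, and the coefficient of
    variation (stdev / mean); low CV means regular timing."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return gaps, None, None
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else None
    return gaps, mean, cv


def score_destinations(records, min_gap=300, max_gap=1800, max_cv=0.5):
    """Map destination host -> list of reasons; hosts with no reasons are omitted."""
    by_dst = {}
    for r in records:
        by_dst.setdefault(r["dst"], []).append(r)
    findings = {}
    for dst, recs in by_dst.items():
        reasons = []
        _, mean, cv = interval_stats([r["ts"] for r in recs])
        if mean is not None and min_gap <= mean <= max_gap and cv is not None and cv <= max_cv:
            reasons.append(f"periodic beaconing (mean {mean:.0f}s, cv {cv:.2f})")
        if any(r["method"] == "GET" and r["uri"] in BEACON_URIS for r in recs):
            reasons.append("GET to known gate URI")
        if reasons and any(r["method"] == "POST" for r in recs):
            reasons.append("POST to same host after beaconing (possible exfiltration)")
        if DGA_LIKE.match(dst):
            reasons.append("DGA-like hostname")
        if any(UA_LEGACY.search(r["ua"]) for r in recs):
            reasons.append("legacy Mozilla/4.0 user agent")
        if reasons:
            findings[dst] = reasons
    return findings


if __name__ == "__main__":
    for host, why in score_destinations([parse_line(l) for l in SAMPLE_LOG]).items():
        print(host, "->", "; ".join(why))
```

The CV gate is what separates "pseudo-random but bounded" beaconing from bursty browsing: a user fetching pages produces gaps whose standard deviation is typically far larger than the mean, while a timer with jitter stays well under it. Tune min_gap / max_gap downward after the first alert, since the guide notes the frequency rises once infection succeeds.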

File System Artifacts

Emotet drops multiple files in various locations to maintain persistence and functionality. Primary payloads are typically written to %AppData%\Local\ or %AppData%\Roaming\ with names mimicking legitimate software or using random alphanumeric strings. Common filenames include variations of update.exe, setup.exe, mshta.exe, or strings like qwertyuiop.dll. The malware also creates directories with names like Microsoft\ or Windows\ within AppData to appear legitimate.

Temporary files are often created in %Temp%\ with .dat, .tmp, or .log extensions containing encrypted configuration data or additional payloads. Emotet may download and execute secondary modules, which are saved with .dll or .exe extensions in subdirectories named after version numbers or dates. File sizes vary significantly (from 100KB to several megabytes) due to packing and obfuscation, but unpacked payloads often fall between 250-500KB. Timestamps are frequently manipulated to match system files or show creation dates years in the past to avoid suspicion. Look for files with recent modification times but old creation times.
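The timestamp check at the end of this section is the one most worth automating: a file whose creation time is years old but which was written in the last few days, sitting in a user-writable staging directory. The following added example (not from the original guide) combines that check with the path, name and size heuristics above over constructed file records; the 7-day and 365-day windows and the two-weak-reasons threshold are the example's own choices.

```python
"""Triage file records (path, size, created, modified) for Emotet-style drop artifacts.

Added example. SAMPLE_FILES and NOW are constructed; thresholds are assumptions.
"""
from datetime import datetime, timedelta

STAGING_DIRS = ("\\appdata\\", "\\temp\\")
TEMP_EXTENSIONS = (".dat", ".tmp", ".log")
MIMIC_NAMES = ("update", "setup", "mshta")
UNPACKED_RANGE = (250_000, 500_000)  # bytes; "250-500KB" from the guide

NOW = datetime(2024, 5, 1, 12, 0, 0)  # constructed reference time
SAMPLE_FILES = [  # constructed records
    {"path": r"C:\Users\alice\AppData\Roaming\Microsoft\qwertyuiop.dll", "size": 312_000,
     "created": "2015-03-02T08:00:00", "modified": "2024-05-01T09:01:00"},
    {"path": r"C:\Users\alice\AppData\Local\Temp\x9f2.dat", "size": 4_200,
     "created": "2024-05-01T09:02:00", "modified": "2024-05-01T09:02:00"},
    {"path": r"C:\Windows\System32\kernel32.dll", "size": 720_000,
     "created": "2019-12-07T09:14:52", "modified": "2019-12-07T09:14:52"},
    {"path": r"C:\Users\alice\Documents\report.docx", "size": 55_000,
     "created": "2024-04-30T10:00:00", "modified": "2024-05-01T08:30:00"},
]


def timestamp_reason(created, modified, now, recent=timedelta(days=7), old=timedelta(days=365)):
    """Strong indicator: modified before created, or recently written to an 'old' file."""
    if modified < created:
        return "modified before created (timestomped)"
    if now - modified <= recent and modified - created >= old:
        return "recent write to file with creation time years in the past"
    return None


def triage(records, now=NOW):
    """Return (path, reasons) for records with a strong reason or at least two weak ones."""
    out = []
    for r in records:
        created = datetime.fromisoformat(r["created"])
        modified = datetime.fromisoformat(r["modified"])
        lp = r["path"].lower()
        name = lp.rsplit("\\", 1)[-1]
        strong = timestamp_reason(created, modified, now)
        weak = []
        if any(d in lp for d in STAGING_DIRS):
            weak.append("in user-writable staging directory")
        if "\\temp\\" in lp and name.endswith(TEMP_EXTENSIONS):
            weak.append("temp file with config/payload extension")
        if name.endswith((".dll", ".exe")):
            if UNPACKED_RANGE[0] <= r["size"] <= UNPACKED_RANGE[1]:
                weak.append("size in typical unpacked payload range")
            if any(k in name for k in MIMIC_NAMES):
                weak.append("name mimics installer/system binary")
        if strong or len(weak) >= 2:
            out.append((r["path"], ([strong] if strong else []) + weak))
    return out


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_FILES):
        print(path, "->", "; ".join(reasons))
```

On a live system the created/modified pairs come from the NTFS $STANDARD_INFORMATION attribute (what Explorer and os.stat report); cross-checking against $FILE_NAME timestamps in the MFT catches the simple timestomping case where only the former was rewritten.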

Registry and Persistence Mechanisms

Emotet establishes persistence through multiple registry entries and scheduled tasks. Common registry locations include:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ with random value names
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ (requires administrative privileges)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\

The malware often creates services via HKLM\System\CurrentControlSet\Services\ with display names mimicking Windows components like “Windows Update Manager” or “Network Security Service”. Scheduled tasks are created through the Task Scheduler with names like “GoogleUpdateTask” or “OneDriveSync” pointing to the malicious executable. Tasks are typically configured to run at user logon or at specific intervals.

Emotet also uses file association hijacking, modifying HKCU\Software\Classes\ keys for .txt, .lnk, or .exe extensions to execute its payload when these file types are opened. For system-wide persistence on reboot, the malware may write to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit or Shell keys. Additionally, look for suspicious COM object registrations in HKCR\ and HKLM\Software\Classes\ that load malicious DLLs.
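The Run/RunOnce and Winlogon checks in this section are easy to audit offline from a `reg export` of the relevant keys. The following added example (not from the original guide) parses a constructed .reg-format excerpt and flags Run entries that execute from a user-writable directory or carry a random-looking value name, and Winlogon Userinit/Shell values that deviate from their default. The baseline values, the allowlist entry and the random-name regex are the example's own assumptions; the .reg parser handles only the string-value subset needed here.

```python
"""Audit an exported registry excerpt for Emotet-style Run and Winlogon persistence.

Added example. SAMPLE_REG is constructed; baselines and heuristics are assumptions.
"""
import re
from collections import defaultdict

REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')          # only REG_SZ lines are handled
RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
STAGING_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\")
# Known-good entries that legitimately live under AppData (assumed allowlist).
ALLOWLIST = ("\\appdata\\local\\microsoft\\onedrive\\",)
# Default Winlogon values on a workstation (assumed baseline; compare case-insensitively).
WINLOGON_BASELINE = {"userinit": "c:\\windows\\system32\\userinit.exe,", "shell": "explorer.exe"}
# Lower-case alphanumerics with at least one digit, six or more chars: "random-looking".
RANDOM_NAME = re.compile(r"^(?=.*\d)[a-z0-9]{6,}$")

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"xk3j9a"="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\qwertyuiop.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\alice\\AppData\\Roaming\\Windows\\update.exe"
"Shell"="explorer.exe"
'''


def unescape(value):
    """Undo .reg string escaping for quotes and backslashes."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key_path: {value_name: string_value}} for string values in the export."""
    keys = defaultdict(dict)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and (m := REG_VALUE.match(line)):
            keys[current][m.group(1)] = unescape(m.group(2))
    return keys


def audit(keys):
    """Return (key, value_name, reasons) for suspicious persistence entries."""
    findings = []
    for key, values in keys.items():
        lk = key.lower()
        if lk.endswith(RUN_KEY_SUFFIXES):
            for name, val in values.items():
                lv = val.lower()
                if any(a in lv for a in ALLOWLIST):
                    continue
                reasons = []
                if any(d in lv for d in STAGING_DIRS):
                    reasons.append("runs from user-writable staging directory")
                if RANDOM_NAME.match(name):
                    reasons.append("random-looking value name")
                if reasons:
                    findings.append((key, name, reasons))
        if lk.endswith("\\winlogon"):
            for name, val in values.items():
                expected = WINLOGON_BASELINE.get(name.lower())
                if expected is not None and val.lower() != expected:
                    findings.append((key, name, [f"deviates from baseline {expected!r}"]))
    return findings


if __name__ == "__main__":
    for key, name, reasons in audit(parse_reg_export(SAMPLE_REG)):
        print(f"{key}\\{name}: {'; '.join(reasons)}")
```

The Userinit check is the important one to get right: the legitimate value ends with a trailing comma, and an appended second path is exactly how the Winlogon hijack described above looks, so comparing the whole string against the baseline rather than just checking that userinit.exe is present avoids missing it.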

YARA Rule Guidance

When creating YARA rules for Emotet detection, focus on both static strings and structural characteristics. Target embedded strings related to its functionality, including:

  • API function names used for injection and persistence (VirtualAlloc, CreateRemoteThread, RegSetValue)
  • Network-related strings (/gate.php, User-Agent:, specific HTTP headers)
  • Error messages in various languages (German strings appear frequently in older variants)
  • Mutex names with patterns like Global\ followed by hexadecimal strings

Look for specific byte patterns in the PE header, such as unusual section names (.text or .data may be misspelled or duplicated) and high entropy in specific sections indicating packing. Emotet often uses custom encoding routines - identify the decoding loops by looking for XOR operations with shifting keys or arithmetic operations on byte arrays. Target the resource section for encrypted configurations, which often have resource names like “SETTINGS” or “CONFIG”. Also consider file hash-based detection for known Emotet components, though this should be supplemented with behavioral rules due to frequent hash changes.
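Before committing the structural heuristics above to a YARA rule, it helps to measure them on a sample: per-section Shannon entropy, duplicated or non-standard section names, and the presence of the API and network strings listed earlier. The following added example (not from the original guide, and not YARA) implements those measurements in Python with a minimal hand-written PE section-table parser, and builds a constructed PE-shaped byte blob to run against. The blob is a layout stub only (zeroed optional header, no alignment, not loadable); the 7.0-bit entropy threshold and the list of standard section names are the example's own assumptions.

```python
"""Measure PE section entropy, section-name anomalies and marker strings.

Added example. build_sample_pe() constructs a PE-shaped stub for demonstration;
it is not a real sample and does not execute.
"""
import math
import random
import struct
from collections import Counter

STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".pdata", ".tls"}
MARKERS = (b"/gate.php", b"CreateRemoteThread", b"VirtualAlloc", b"SETTINGS", b"CONFIG")


def shannon_entropy(data):
    """Bits per byte, 0.0 for empty or constant input, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "raw_size": raw_size, "entropy": shannon_entropy(data), "data": data})
    return sections


def assess(pe, entropy_threshold=7.0):
    """Return human-readable findings for the structural heuristics in the guide."""
    sections = parse_sections(pe)
    names = [s["name"] for s in sections]
    findings = []
    dup = sorted({n for n in names if names.count(n) > 1})
    if dup:
        findings.append(f"duplicated section names: {dup}")
    for s in sections:
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {s['name']!r}")
        if s["entropy"] >= entropy_threshold:
            findings.append(f"high entropy {s['entropy']:.2f} in {s['name']!r} (likely packed/encrypted)")
        for marker in MARKERS:
            if marker in s["data"]:
                findings.append(f"string {marker.decode()} in {s['name']!r}")
    return findings


def build_sample_pe(sections):
    """Construct a minimal PE-shaped blob: DOS stub, PE signature, COFF header, zeroed
    PE32 optional header, section table, then raw section data back to back."""
    e_lfanew, opt_size = 0x40, 0xE0
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table, body = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data), 0x1000,
                             len(data), raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
    return dos + b"PE\0\0" + coff + opt + table + body


_rng = random.Random(7)  # deterministic stand-in for packed/encrypted bytes
SAMPLE_SECTIONS = [  # constructed: duplicated .text, second copy high-entropy, .rsrc with CONFIG
    (".text", b"\x55\x8b\xec" * 50 + b"CreateRemoteThread\0VirtualAlloc\0"),
    (".text", bytes(_rng.getrandbits(8) for _ in range(4096))),
    (".rsrc", b"CONFIG\0" + bytes(_rng.getrandbits(8) for _ in range(512))),
]

if __name__ == "__main__":
    for line in assess(build_sample_pe(SAMPLE_SECTIONS)):
        print(line)
```

Entropy near 8 bits in a section that should hold code is the single cheapest packing indicator, and YARA exposes the same measurement through its math module (math.entropy over a section range), so a rule can combine it with the string matches rather than relying on either alone.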

For current samples and indicators, refer to: