Emotet Malware Removal Guide

Signs of Infection

Emotet infections typically present multiple observable indicators across the file system, running processes, and network traffic. On the file system, look for suspicious executable files in user profile directories, especially within %AppData%, %LocalAppData%, and %Temp%. Emotet often uses randomly generated 8-character filenames (e.g., fghjklmn.exe) or names mimicking system processes. Check for recently created dynamic-link library (DLL) files in the %SystemRoot%\System32 directory with nonsensical names. Registry persistence is commonly achieved via Run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Run) or through scheduled tasks named with random strings.

Process behavior indicators include suspicious svchost.exe instances spawning from user directories, or unknown processes making high volumes of Windows Management Instrumentation (WMI) queries. Network signs are particularly telling. Emotet generates beacon traffic to command and control (C2) servers, often using HTTP/S requests with unique User-Agent strings that may contain the word “Emotet” or the infected machine’s name. There will also be spikes in outbound SMTP traffic on port 25, 465, or 587 as the malware attempts to spread via malicious emails. Connections to IP addresses associated with bulletproof hosting providers or recently registered domains are strong indicators.

Immediate Containment Steps

Within the first 15 minutes of confirmed or suspected Emotet infection, take these steps to prevent spread and data exfiltration. First, immediately isolate the infected host from the network. Disable its network adapter(s) physically or via administrative command. If the host is on a managed switch, quarantine its port via VLAN assignment or access control lists. Do not rely solely on software-based firewalls on the compromised machine.

Next, identify and terminate the primary Emotet process using a trusted endpoint detection and response (EDR) console or process explorer tool. Look for the suspicious processes noted in the infection signs. If you cannot terminate the process cleanly, consider forcing a system shutdown to prevent further execution. Concurrently, initiate an emergency password rotation for all user and service accounts that were active on or accessible from the infected machine. Prioritize domain administrator accounts, email account credentials, and any accounts used for remote access or financial systems. Ensure new passwords are strong and unique.

Finally, block the identified Emotet C2 IP addresses and domains at the network firewall or DNS filtering layer. Update your security information and event management (SIEM) platform to alert on any internal hosts attempting to communicate with these indicators.

Manual Removal Process

Warning: Manual removal is complex and carries risk of system instability. It is recommended only if antivirus or EDR tools fail. Use a clean, trusted system to download and transfer removal tools if needed.

1. Terminate Malicious Processes: Boot the infected system in Safe Mode with Networking. Use the system’s task manager or a trusted portable process management tool. End all processes associated with the suspicious executables found in %AppData%, %LocalAppData%, and %Temp%. Be cautious not to terminate legitimate system processes.

2. Delete Persistence Mechanisms:

   • Registry: Open the Registry Editor (regedit). Navigate to and delete any suspicious entries in:
     • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
     • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (on 64-bit systems) Look for entries with random names or pointing to the file paths of the Emotet executables.
   • Scheduled Tasks: Open Task Scheduler. Review the task library and delete any recently created tasks with random, gibberish names or tasks that execute a suspicious .vbs, .js, or .exe file from a user directory.
   • Services: Open the Services console (services.msc). Look for any newly created services with random display or service names. If found, stop the service, set its startup type to Disabled, and then delete its registry key under HKLM\SYSTEM\CurrentControlSet\Services\.

3. Remove Dropped Files: Navigate to the following directories and delete all suspicious files identified earlier (e.g., randomly named .exe, .dll, .tmp files):

   • %AppData%
   • %LocalAppData%
   • %Temp%
   • C:\Windows\System32\ (look for odd DLL names)
   • C:\Windows\SysWOW64\ (on 64-bit systems) Enable viewing of hidden files and protected operating system files in Folder Options to ensure nothing is missed.

4. Clean Registry Entries: Search the registry for references to the file paths of the deleted Emotet executables. Common locations include Run keys (already handled), and various entries under HKCU\Software\ and HKLM\SOFTWARE\ that may have been created by the malware. Proceed with extreme caution; backing up the registry before making changes is strongly advised.

Verifying Removal

After completing the removal steps, reboot the system into normal mode and begin verification. First, run a full system scan with an updated antivirus or EDR solution, ensuring it uses the latest definitions. Use a dedicated anti-malware scanner as a secondary check.

Monitor running processes and network connections using built-in tools like tasklist and netstat -ano or a trusted third-party utility. Verify that no unknown processes are running and that there are no unexplained outbound connections, particularly to high-risk ports (SMTP, 447, 8080) or known-bad IPs from the Current Emotet IOCs.

Check system logs in your SIEM or the Windows Event Viewer. Look for the absence of new, suspicious event IDs such as 4688 (process creation) for the deleted executables, or network connection events (Event ID 5156 in the Windows Filtering Platform) to the blocked C2 infrastructure. Persistent failed attempts to contact C2 servers may indicate remnant components.

Finally, monitor the host’s network traffic for at least 24-48 hours. Use a network detection and response (NDR) tool or packet capture to confirm the cessation of the characteristic Emotet HTTP beaconing and SMTP spam traffic.

Post-Removal Security Hardening

To prevent Emotet reinfection, implement layered defenses targeting its primary vectors. Email Security: Strengthen email gateway filtering to block emails with malicious macros, script attachments (.js, .vbs, .hta), and password-protected archives. Implement strict policies to disable Office macros from the internet and use attachment sandboxing.

Endpoint Configuration: Apply the principle of least privilege. Remove local administrator rights from standard users to hinder Emotet’s lateral movement and persistence attempts. Configure application allowlisting policies to prevent execution from %AppData% and %Temp% directories, common Emotet launch points. Ensure all systems have a modern EDR solution deployed and running.

Network Defenses: Segment the network to restrict unnecessary lateral movement, especially to critical servers. Enforce strong network access control (NAC) policies. Deploy and rigorously maintain a DNS filtering service to block connections to malicious domains.

Policy & Awareness: Update acceptable use policies to explicitly forbid enabling macros in documents received via email. Conduct regular, targeted security awareness training that includes hands-on exercises for identifying Emotet-like phishing lures. Review and test your incident response plan, incorporating the lessons learned from this infection.

Monitoring: Create specific alerts in your SIEM for the behavioral patterns of Emotet, such as processes spawning from %AppData% making outbound HTTP requests, or a single host generating high volumes of SMTP traffic. Regularly review the Detection Rate for updates on evasion techniques.

For more background on this threat, see the Emotet Overview.