Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0367: Emotet

Emotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014, initially targeting the financial sector, and has expanded to multiple verticals over time.[1]

EnterpriseS0367MalwareObject v1.7 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Emotet matters because ATT&CK describes it as modular Windows malware primarily used as a downloader for other malware, with relationships spanning credential access, discovery, execution, persistence, lateral movement, command and control, exfiltration, and evasion behaviors. For leaders, the key issue is not one malware name; it is whether the organization can quickly contain a Windows intrusion that may become a platform for follow-on tooling such as TrickBot or IcedID.

Executive priority

Treat Emotet-style behavior as a resilience and incident-readiness test for Windows environments. Priority questions: do we have evidence for credential theft attempts, SMB/admin-share movement, PowerShell/WMI execution, scheduled task persistence, and web-based C2; can we isolate affected hosts quickly; and can we prove control coverage for audit and incident review? Because ATT&CK provides no official detection text for this object, leadership should ask for validated telemetry and tested response procedures rather than relying on malware-name alerts alone.

Technical view

SOC and IR teams should validate coverage against the related ATT&CK techniques rather than only static indicators. Emotet is linked to LSASS memory access, Wi-Fi and user/process/email account discovery, SMB/Windows Admin Shares, WMI, scheduled tasks, PowerShell, Windows Command Shell, Visual Basic, DLL injection, process hollowing, packed/embedded/encoded/obfuscated payloads, web-protocol C2, and exfiltration over C2. Detection engineering should correlate suspicious Windows execution chains, credential-access signals, lateral SMB activity, persistence artifacts, and unusual outbound web traffic from hosts showing discovery or injection behavior.

Likely telemetry

  • Windows process creation events with command-line detail for PowerShell, cmd, Visual Basic/script hosts, WMI, and scheduled task execution
  • Windows security and endpoint telemetry for LSASS access, credential dumping indicators, process injection, DLL injection, and process hollowing
  • Scheduled task creation, modification, and execution records
  • Service/task naming and masquerading evidence
  • SMB/admin share access, remote logons, local account use, and lateral authentication patterns

Detection direction

  • Do not depend on Emotet signatures alone; ATT&CK relationships show behaviors that can change through obfuscation, packing, embedded payloads, and command obfuscation.
  • Tune detections around behavior chains: suspicious script or shell execution followed by discovery, LSASS access, scheduled task creation, SMB movement, and outbound web traffic.
  • Validate visibility for Windows administrative features that are commonly noisy, especially WMI, PowerShell, scheduled tasks, and SMB admin shares; separate normal administration from unusual parent processes, hosts, users, timing, and destinations.
  • Review false positives from legitimate IT automation, software deployment, backup activity, helpdesk tools, and administrative scripts before escalating broad detections.
  • Use relationship context carefully: ATT&CK links Emotet to Wizard Spider and multiple techniques, but local telemetry is required to determine whether any specific incident involves this malware or actor.

Mitigation priorities

  • Prioritize Windows endpoint hardening and monitoring around script execution, WMI, scheduled tasks, and command shells.
  • Reduce credential exposure by hardening LSASS access, limiting local administrator rights, and addressing local account/password reuse risk.
  • Constrain SMB/admin-share access and monitor remote administrative activity between workstations and servers.
  • Strengthen egress monitoring and filtering for unusual web-protocol traffic from endpoints, especially when paired with discovery or persistence signals.
  • Maintain incident response playbooks for rapid host isolation, credential reset decisions, lateral movement scoping, and follow-on malware investigation.
Analyst notes and limits

The most useful defensive framing is Emotet as a downloader and intrusion-enablement risk on Windows. Its ATT&CK relationships make it relevant to managed detection, IR readiness, identity protection, endpoint hardening, network monitoring, and compliance evidence for logging and response controls. The supplied object has no ATT&CK tactic list and no official detection guidance, so this take is driven by the official description, external references, and related techniques.

This summary uses only the supplied ATT&CK fields and relationships. It does not assert current activity, customer exposure, successful detection coverage, or actor attribution beyond the stated ATT&CK relationship that Wizard Spider uses this object. Platform claims are limited to the supplied Windows platform for Emotet, while related techniques may list broader platforms.

Official MITRE ATT&CK definition

Emotet

Emotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014, initially targeting the financial sector, and has expanded to multiple verticals over time.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

47 rows
Domain ID Name Relationship / procedure
Enterprise T1033 System Owner/User Discovery

Emotet has enumerated all users connected to network shares.
Enterprise T1570 Lateral Tool Transfer

Emotet has copied itself to remote systems using the `service.exe` filename.CitationBinary Defense Emotes Wi-Fi Spreader
Enterprise T1573.001 Symmetric Cryptography Sub-technique

Emotet is known to use RSA keys for encrypting C2 traffic. [2]
Enterprise T1552.001 Credentials In Files Sub-technique

Emotet has been observed leveraging a module that retrieves passwords stored on a system for the current logged-on user. [3][4]
Enterprise T1110.001 Password Guessing Sub-technique

Emotet has been observed using a hard coded list of passwords to brute force user accounts. [5][6][3][7][4]CitationBinary Defense Emotes Wi-Fi Spreader
Enterprise T1047 Windows Management Instrumentation

Emotet has used WMI to execute powershell.exe.CitationCarbon Black Emotet Apr 2019
Enterprise T1571 Non-Standard Port

Emotet has used HTTP over ports such as 20, 22, 443, 7080, and 50000, in addition to using ports commonly associated with HTTP/S.[8]CitationBinary Defense Emotes Wi-Fi Spreader
Enterprise T1027.001 Binary Padding Sub-technique

Emotet inflates malicious files and malware as an evasion technique.Citationemotet_trendmicro_mar2023
Enterprise T1218.010 Regsvr32 Sub-technique

Emotet uses RegSvr32 to execute the DLL payload.Citationemotet_trendmicro_mar2023
Enterprise T1021.002 SMB/Windows Admin Shares Sub-technique

Emotet has leveraged the Admin$, C$, and IPC$ shares for lateral movement. [5]CitationBinary Defense Emotes Wi-Fi Spreader
Enterprise T1204.002 Malicious File Sub-technique

Emotet has relied upon users clicking on a malicious attachment delivered through spearphishing.[1]CitationCarbon Black Emotet Apr 2019CitationIBM IcedID November 2017
Enterprise T1134.001 Token Impersonation/Theft Sub-technique

Emotet has the ability to duplicate the user’s token.CitationBinary Defense Emotes Wi-Fi Spreader For example, Emotet may use a variant of Google’s ProtoBuf to send messages that specify how code will be executed.Citationemotet_hc3_nov2023
Enterprise T1078.003 Local Accounts Sub-technique

Emotet can brute force a local admin password, then use it to facilitate lateral movement.[5]
Enterprise T1547.001 Registry Run Keys / Startup Folder Sub-technique

Emotet has been observed adding the downloaded payload to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key to maintain persistence.[6][3][9]
Enterprise T1566.002 Spearphishing Link Sub-technique

Emotet has been delivered by phishing emails containing links. [1][10][11][5][6][3][8][8][9]
Enterprise T1132.001 Standard Encoding Sub-technique

Emotet has used Google’s Protobufs to serialize data sent to and from the C2 server.CitationBinary Defense Emotes Wi-Fi Spreader Additionally, Emotet has used Base64 to encode data before sending to the C2 server.CitationFortinet Emotet May 2017
Enterprise T1135 Network Share Discovery

Emotet has enumerated non-hidden network shares using `WNetEnumResourceW`. CitationBinary Defense Emotes Wi-Fi Spreader
Enterprise T1071.001 Web Protocols Sub-technique

Emotet has used HTTP for command and control.CitationBinary Defense Emotes Wi-Fi Spreader
Enterprise T1041 Exfiltration Over C2 Channel

Emotet has exfiltrated data over its C2 channel.[2]CitationBinary Defense Emotes Wi-Fi Spreader
Enterprise T1027.009 Embedded Payloads Sub-technique

Emotet has dropped an embedded executable at `%Temp%\setup.exe`.CitationBinary Defense Emotes Wi-Fi Spreader Additionally, Emotet may embed entire code into other files.Citationemotet_hc3_nov2023
Enterprise T1105 Ingress Tool Transfer

Emotet can download follow-on payloads and items via malicious `url` parameters in obfuscated PowerShell code.CitationPincus Emotet 2020
Enterprise T1210 Exploitation of Remote Services

Emotet has been seen exploiting SMB via a vulnerability exploit like EternalBlue (MS17-010) to achieve lateral movement and propagation.[6][3][7][12]
Enterprise T1114 Email Collection

Emotet has been observed leveraging a module that can scrape email addresses from Outlook.[4]CitationIBM IcedID November 2017CitationBinary Defense Emotes Wi-Fi Spreader
Enterprise T1053.005 Scheduled Task Sub-technique

Emotet has maintained persistence through a scheduled task, e.g. though a .dll file in the Registry.[3]Citationemotet_hc3_nov2023
Enterprise T1555.003 Credentials from Web Browsers Sub-technique

Emotet has been observed dropping browser password grabber modules. [2]CitationIBM IcedID November 2017
Enterprise T1059.001 PowerShell Sub-technique

Emotet has used Powershell to retrieve the malicious payload and download additional resources like Mimikatz. [6][2][9][12]CitationCarbon Black Emotet Apr 2019
Enterprise T1140 Deobfuscate/Decode Files or Information

Emotet has used a self-extracting RAR file to deliver modules to victims. Emotet has also extracted embedded executables from files using hard-coded buffer offsets.CitationBinary Defense Emotes Wi-Fi Spreader
Enterprise T1059.005 Visual Basic Sub-technique

Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads. [6][8][2][9]CitationCarbon Black Emotet Apr 2019
Enterprise T1204.001 Malicious Link Sub-technique

Emotet has relied upon users clicking on a malicious link delivered through spearphishing.[1]CitationCarbon Black Emotet Apr 2019
Enterprise T1036.004 Masquerade Task or Service Sub-technique

Emotet has installed itself as a new service with the service name `Windows Defender System Service` and display name `WinDefService`.CitationBinary Defense Emotes Wi-Fi Spreader
Enterprise T1027.010 Command Obfuscation Sub-technique

Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, CMD.exe arguments, and PowerShell scripts. [8][2][9]CitationESET Emotet Dec 2018
Enterprise T1003.001 LSASS Memory Sub-technique

Emotet has been observed dropping and executing password grabber modules including Mimikatz.[2]Citationemotet_hc3_nov2023
Enterprise T1040 Network Sniffing

Emotet has been observed to hook network APIs to monitor network traffic. [1]
Enterprise T1620 Reflective Code Loading

Emotet has reflectively loaded payloads into memory.CitationBinary Defense Emotes Wi-Fi Spreader
Enterprise T1027.013 Encrypted/Encoded File Sub-technique

Emotet uses obfuscated URLs to download a ZIP file.Citationemotet_trendmicro_mar2023
Enterprise T1059.003 Windows Command Shell Sub-technique

Emotet has used cmd.exe to run a PowerShell script. [9]
Enterprise T1566.001 Spearphishing Attachment Sub-technique

Emotet has been delivered by phishing emails containing attachments. [11][5][6][3][8][2][9]CitationCarbon Black Emotet Apr 2019CitationIBM IcedID November 2017
Enterprise T1087.003 Email Account Sub-technique

Emotet has been observed leveraging a module that can scrape email addresses from Outlook.[4]CitationIBM IcedID November 2017CitationBinary Defense Emotes Wi-Fi Spreader
Enterprise T1027.002 Software Packing Sub-technique

Emotet has used custom packers to protect its payloads.[2]
Enterprise T1055.012 Process Hollowing Sub-technique

Emotet uses a copy of `certutil.exe` stored in a temporary directory for process hollowing, starting the program in a suspended state before loading malicious code.Citationemotet_trendmicro_mar2023
Enterprise T1057 Process Discovery

Emotet has been observed enumerating local processes.CitationASEC Emotet 2017
Enterprise T1055.001 Dynamic-link Library Injection Sub-technique

Emotet has been observed injecting in to Explorer.exe and other processes. [9][1][3]
Enterprise T1114.001 Local Email Collection Sub-technique

Emotet has been observed leveraging a module that scrapes email data from Outlook.[4]
Enterprise T1543.003 Windows Service Sub-technique

Emotet has been observed creating new services to maintain persistence.[3][7]CitationBinary Defense Emotes Wi-Fi Spreader
Enterprise T1573 Encrypted Channel

Emotet has encrypted data before sending to the C2 server.CitationFortinet Emotet May 2017
Enterprise T1106 Native API

Emotet has used `CreateProcess` to create a new process to run its executable and `WNetEnumResourceW` to enumerate non-hidden shares.CitationBinary Defense Emotes Wi-Fi Spreader
Enterprise T1016.002 Wi-Fi Discovery Sub-technique

Emotet can extract names of all locally reachable Wi-Fi networks and then perform a brute-force attack to spread to new networks.CitationBinary Defense Emotes Wi-Fi Spreader
Associated objects

Groups, software, and campaigns

Group Enterprise

G0102: Wizard Spider

Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[1][2][3]

Relationship explorer

All related ATT&CK context

uses · Technique T1033: System Owner/User Discovery Enterprise uses · Technique T1570: Lateral Tool Transfer Enterprise uses · Technique T1573.001: Symmetric Cryptography Enterprise uses · Technique T1552.001: Credentials In Files Enterprise uses · Technique T1110.001: Password Guessing Enterprise uses · Technique T1047: Windows Management Instrumentation Enterprise uses · Technique T1571: Non-Standard Port Enterprise uses · Technique T1027.001: Binary Padding Enterprise uses · Technique T1218.010: Regsvr32 Enterprise uses · Technique T1021.002: SMB/Windows Admin Shares Enterprise uses · Technique T1204.002: Malicious File Enterprise uses · Technique T1134.001: Token Impersonation/Theft Enterprise uses · Technique T1078.003: Local Accounts Enterprise uses · Technique T1547.001: Registry Run Keys / Startup Folder Enterprise uses · Technique T1566.002: Spearphishing Link Enterprise uses · Technique T1132.001: Standard Encoding Enterprise uses · Technique T1135: Network Share Discovery Enterprise uses · Technique T1071.001: Web Protocols Enterprise uses · Technique T1041: Exfiltration Over C2 Channel Enterprise uses · Technique T1027.009: Embedded Payloads Enterprise uses · Technique T1105: Ingress Tool Transfer Enterprise uses · Technique T1210: Exploitation of Remote Services Enterprise uses · Technique T1114: Email Collection Enterprise uses · Technique T1053.005: Scheduled Task Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.7
Created
Modified
Raw hash
7a8b5571d5e95e58...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.7 Current bundle 7a8b5571d5e9…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Trend Micro Banking Malware Jan 2019

    Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.

    Open source URL
  2. [2]
    Trend Micro Emotet Jan 2019

    Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019.

    Open source URL
  3. [3]
    US-CERT Emotet Jul 2018

    US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019.

    Open source URL
  4. [4]
    CIS Emotet Dec 2018

    CIS. (2018, December 12). MS-ISAC Security Primer- Emotet. Retrieved March 25, 2019.

    Open source URL
  5. [5]
    Malwarebytes Emotet Dec 2017

    Smith, A.. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019.

    Open source URL
  6. [6]
    Symantec Emotet Jul 2018

    Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019.

    Open source URL
  7. [7]
    Secureworks Emotet Nov 2018

    Mclellan, M.. (2018, November 19). Lazy Passwords Become Rocket Fuel for Emotet SMB Spreader. Retrieved March 25, 2019.

    Open source URL
  8. [8]
    Talos Emotet Jan 2019

    Brumaghin, E.. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019.

    Open source URL
  9. [9]
    Picus Emotet Dec 2018

    Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.

    Open source URL
  10. [10]
    Kaspersky Emotet Jan 2019

    Shulmin, A. . (2015, April 9). The Banking Trojan Emotet: Detailed Analysis. Retrieved March 25, 2019.

    Open source URL
  11. [11]
    CIS Emotet Apr 2017

    CIS. (2017, April 28). Emotet Changes TTPs and Arrives in United States. Retrieved January 17, 2019.

    Open source URL
  12. [12]
    Red Canary Emotet Feb 2019

    Donohue, B.. (2019, February 13). https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/. Retrieved March 25, 2019.

    Open source URL
  13. [13]
    ESET Emotet Nov 2018

    ESET . (2018, November 9). Emotet launches major new spam campaign. Retrieved March 25, 2019.

    Open source URL
  14. [14]
    Emotet

    (Citation: Trend Micro Banking Malware Jan 2019)(Citation: Kaspersky Emotet Jan 2019)(Citation: CIS Emotet Apr 2017)(Citation: Malwarebytes Emotet Dec 2017)(Citation: Symantec Emotet Jul 2018)(Citation: US-CERT Emotet Jul 2018)(Citation: ESET Emotet Nov 2018)(Citation: Secureworks Emotet Nov 2018)(Citation: Talos Emotet Jan 2019)(Citation: Trend Micro Emotet Jan 2019)(Citation: CIS Emotet Dec 2018)(Citation: Picus Emotet Dec 2018)(Citation: Red Canary Emotet Feb 2019)

  15. [15]
    Geodo

    (Citation: Trend Micro Emotet Jan 2019)

  16. [16]
    mitre-attack S0367
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use