Zedocun/emotet-analysis-sanitized

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

41 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Read on Medium

Emotet Analysis

This repository contains a sanitized public report of an Emotet analysis.
No malicious binaries or exploit code are included.

Contents

  • Executive_Summary.md - one-page summary
  • ioc/ - sanitized indicators (files, domains, IPs, hashes)
  • yara/ - sanitized YARA rules
  • analysis/ - sanitized screenshots

Highlights

  • Infection chain: DOC -> VBA macro -> encoded PowerShell (Base64; payload redacted) -> DLL (c2r64.dll) -> loader EXE -> memory-only payload delivered by reflective injection
  • Observed processes: WINWORD.EXE, ai.exe, msedgewebview2.exe
  • Techniques: reflective DLL injection, process hollowing, runtime API resolution (ZwAllocateVirtualMemory, GetProcAddress, LoadLibrary), anti-debugging

Indicators of Compromise

See ioc/ for the full sanitized list (files, domains, IPs, hashes).

ioc_domains: image of the sanitized domain list.
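The chain above starts with an Office document launching PowerShell with an encoded command and later shows WINWORD.EXE spawning ai.exe. The script below is an added triage example written for this README; it is not code from the report or its author. It parses process-creation records, decodes the Base64/UTF-16LE -EncodedCommand argument, and flags Office processes that spawn PowerShell or any child outside a small allowlist. The sample events and the allowlist are constructed for the example and are not telemetry from the analysis.

```python
"""Triage Office-spawned processes from process-creation records.

Added example for this README, not part of the published Emotet report.
The event lines and the allowlist below are constructed assumptions.
"""
import base64
import binascii
import re

# Office hosts whose children deserve scrutiny (the report observed WINWORD.EXE).
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Children Office may spawn without review. Assumption for this example; tune per estate.
ALLOWED_OFFICE_CHILDREN = {"splwow64.exe", "werfault.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common spellings.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Constructed sample: the encoded payload is a harmless Write-Host, not the redacted one.
_SAMPLE_B64 = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    f"|CommandLine=powershell.exe -NoP -w hidden -enc {_SAMPLE_B64}",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|Image=C:\Users\user\AppData\Local\Temp\ai.exe|CommandLine=ai.exe",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|Image=C:\Users\user\AppData\Local\Temp\msedgewebview2.exe|CommandLine=msedgewebview2.exe",
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> dict:
    """Split a 'Key=Value|Key=Value' process-creation record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")  # first '=' separates key from value
        fields[key.strip()] = value.strip()
    return fields


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand text (Base64 of UTF-16LE), or None if absent/invalid."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed Base64 or odd byte count: flag for manual review


def triage(lines):
    """Return findings for Office hosts spawning PowerShell or unexpected children."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        parent = basename(ev.get("ParentImage", ""))
        image = basename(ev.get("Image", ""))
        if parent not in OFFICE_HOSTS:
            continue
        if image in ("powershell.exe", "pwsh.exe"):
            findings.append({
                "rule": "office_spawns_powershell",
                "parent": parent,
                "image": image,
                "decoded": decode_encoded_command(ev.get("CommandLine", "")),
            })
        elif image not in ALLOWED_OFFICE_CHILDREN:
            findings.append({
                "rule": "office_spawns_unexpected_child",
                "parent": parent,
                "image": image,
                "decoded": None,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["rule"], finding["parent"], "->", finding["image"], finding["decoded"])
```

Run against real Sysmon Event ID 1 or Procmon process-start exports by mapping their fields onto ParentImage, Image and CommandLine; the decoded command is what the redacted Procmon screenshot in Figure 1 would reveal. msedgewebview2.exe is left off the allowlist so that the child the report observed is surfaced for review rather than silently accepted.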

Images (examples)

Below are selected sanitized screenshots (see analysis/screenshots/):

Figure 1: Procmon snapshot showing powershell.exe executions (encoded command redacted).

Figure 2: IDA disassembly (hex bytes and addresses redacted).

Figure 3: Process tree showing WINWORD.EXE spawning ai.exe and msedgewebview2.exe (sensitive fields redacted).

Figure 4: File properties for c2r64.dll (machine and user names redacted).

Figure 5: Loaded modules observed in the process.

Figure 6: Infection chain overview (sanitized).

For full details, see Executive_Summary.md. The raw artifacts are not published; they can be shared on request under controlled conditions.

Analyst

Ben Rubin — 2025

Connect: LinkedIn

About

Professional malware analysis report of Emotet — sanitized, with IOCs, YARA rules, MITRE ATT&CK mapping, and screenshots.
