Update: 2021-02

“A statement from the German Federal Criminal Police Office about their participation in Operation Ladybird said prosecutors seized 17 servers in Germany that acted as Emotet controllers.”

and many bars of gold and cash were seized in Ukraine… as can be seen on youtube.


update: Emotet trying to spread by WIFI since 2018



on the heise security conference last year was said: Virus Scanners since around 10 years are not sufficient anymore.

(heise a computer focused news outlet itself was infected on Mai 2019 with emotet trojan probably via word.doc (src))

today that statement has become reality.

neither ClamAV nor Antivir were able to spot the virus or virus-loader in the word.doc attachment.

The “System” collects mails of hacked systems to send out pretty authentic SPAM Mails with Attachment Word.doc or File.pdf macro virus attachments.

(that’s what one is conviced… why are macros even allowed to be embedded in those formats? ? (M$, ADOBE WHAT WERE YOU THINKING?)

it was (phone call) confirmed that a dental practice has been virus infected which started sending mails with those auto generated spam word.doc via multiple servers.

with all this fancy AI + BigData = auto generating and mass mailing (emotet) very authentic


how emotet works:

Currently, Emotet uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper, and a credential enumerator.

  1. NetPass.exe is a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the current logged-on user. This tool can also recover passwords stored in the credentials file of external drives.
  2. Outlook scraper is a tool that scrapes names and email addresses from the victim’s Outlook accounts and uses that information to send out additional phishing emails from the compromised accounts.
  3. WebBrowserPassView is a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module.
  4. Mail PassView is a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module.
  5. Credential enumerator is a self-extracting RAR file containing two components: a bypass component and a service component. The bypass component is used for the enumeration of network resources and either finds writable share drives using Server Message Block (SMB) or tries to brute force user accounts, including the administrator account. Once an available system is found, Emotet writes the service component on the system, which writes Emotet onto the disk. Emotet’s access to SMB can result in the infection of entire domains (servers and clients).

src: https://www.us-cert.gov/ncas/alerts/TA18-201A

mail header2:

Return-path: <noc@maxnetonlinebd.com>
Envelope-to: user@domain.com
Delivery-date: Fri, 25 Oct 2019 13:00:21 +0200
Received: from mail.maxnetonlinebd.com ([] helo=smtp.banglalionmail.com)

address:       Aqua Tower(Level-5),43 Mohakhali C/A,Dhaka-1212
	by www314.your-server.de with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256)
	(envelope-from <noc@maxnetonlinebd.com>)
	id 1iNxKK-0002kM-UN
	for user@domain.com; Fri, 25 Oct 2019 13:00:21 +0200
Received: from [] (static. [])
	by smtp.banglalionmail.com (Postfix) with ESMTPSA id A3A4F1B40AA6
	for <user@domain.com>; Fri, 25 Oct 2019 17:00:01 +0600 (BDT)
Date: Fri, 25 Oct 2019 13:01:02 +0100
From: =?UTF-8?B?WmFobmtsaW5payBHw7xuemJ1cmcgS0ZP?= <noc@maxnetonlinebd.com>
To: <user@domain.com>
Subject: =?UTF-8?B?RG9rdW1lbnQgcGVyIE1haWwgdm9uIFphaG5rbGluaWsgR8O8bnpidXJnIEtGTw==?=
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_16315_3727703759.23889407221704219670"
X-Virus-Scanned: Clear (ClamAV 0.101.4/25613/Fri Oct 25 11:00:25 2019)
X-Spam-Score: -1.8 (-)
Delivered-To: user-user@domain.com

Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

mail header1:

Return-path: <m.ringel@alumont.com>
Envelope-to: user@domain.com
Delivery-date: Thu, 24 Oct 2019 10:32:47 +0200
Received: from lion.totocom.de ([])

address:        Schlittermann -- Internet & Unix Support
address:        D-01099 Dresden
	by www314.your-server.de with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256)
	(envelope-from <m.ringel@alumont.com>)
	id 1iNYY2-0005tE-Iq
	for user@domain.com; Thu, 24 Oct 2019 10:32:47 +0200
Received: from 109.red-81-32-27.dynamicip.rima-tde.net ([])
	by lion.totocom.de with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
	(envelope-from <m.ringel@alumont.com>)
	id 1iNYXy-0003Z9-I0
	for user@domain.com; Thu, 24 Oct 2019 10:32:43 +0200
Date: Thu, 24 Oct 2019 10:32:41 +0100
From: =?UTF-8?B?WmFobmtsaW5payBHw7xuemJ1cmcgQWJyZWNobnVuZw==?= <m.ringel@alumont.com>
To: <user@domain.com>
Subject: unsere Antwort
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_1914_1426462523.13408587673991828238"
X-Virus-Scanned: Clear (ClamAV 0.101.4/25611/Wed Oct 23 10:58:37 2019)
X-Spam-Score: -0.1 (/)
Delivered-To: user-user@domain.com

Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

=0DAnbei erhalten Sie Ihre angeforderte Informationen f=C3=BCr Ihre Unterla=

=0DFreue mich von Ihnen zu h=C3=B6ren auf gute Zusammenarbeit.

=0DViele Gr=C3=BC=C3=9Fe

Ihr Zahnklinik  Abrechnung Team
=0DTelefon: 0800 XXX (kostenfrei)=0DMail:abrechnung@dr-XXX=

Content-Type: application/msword; name="INF 2019_10_  24_20.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="INF 2019_10_  24_20.doc"






pwd encrypted.zip: VirusInfectedMail

INF 2019_10_ 24_20.doc.zip

More RansomeWare News:

Ransomware Attack Affects Municipal Computer Systems in Johnson City, Tennessee

On Oct. 21, a Johnson City employee showed a ransom note left by the ransomware attackers to city IT Director Lisa Sagona. The message asked city officials to contact an email in exchange for payment instructions. Toward that end, the note claimed that the ransomware had encrypted the city government’s backups to dissuade the municipality from attempting to recover its data by any means other than paying for a decryption key.

Ransomware Attack: Cybercriminals Hit California School District – MSSP Alert

California’s San Bernardino City Unified School District (SBCUSD) has discovered that cybercriminals recently used ransomware to lock access to district files. The ransomware attack was launched against SBCUSD’s computer servers, and these servers are currently inaccessible.