Protect your network from Emotet Trojan

Document created by asmith Employee on Dec 22, 2017Last modified by jyamada on Dec 28, 2017

Emotet is a banking Trojan whose goal is to steal user credentials; it does so by eavesdropping on your network traffic. Emotet is commonly spread by email, both through infected attachments and through embedded URLs in the email body that download the Trojan.


Because of the way Emotet spreads across your network, any machine that is still infected will re-infect machines that have already been cleaned as soon as they rejoin the network.



Malwarebytes products protect you from Emotet


If you have Malwarebytes Endpoint Protection or Malwarebytes Endpoint Security installed on all endpoints/machines that are connected to your network, you are protected.


If a protected endpoint raises one of the following real-time protection notifications, it may indicate that there is an infected machine on your network.





You will need to:

  • Identify the infected machine
  • Disable Administrator Shares
  • Remove the Emotet Trojan
  • Change account credentials


Detecting infected Emotet machines


If you have unprotected endpoints/machines, you can run the Farbar Recovery Scan Tool (FRST) to look for possible Indicators of Compromise (IOCs).  Besides confirming an infection, FRST can be used to verify removal before bringing an endpoint/machine back onto the network.  Refer to the KB article Farbar Recovery Scan Tool instructions for details on how to install and run an FRST scan.


Search the FRST.txt file for the following IOCs:

  • (Gornyk) C:\Windows\SysWOW64\servicedcom.exe
  • C:\WINDOWS\12345678.EXE


The portions shown in blue in the original article are randomly generated names: Emotet randomizes them so that hash-based detection of the dropped files does not match.
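The following PowerShell script is an added example and is not part of the Malwarebytes article: it searches an FRST.txt log for the two indicators listed above and reports which one each matching line hit. It assumes that the randomized part of the second indicator is the 8-digit file name, so that part is matched with a digit pattern rather than literally; the sample lines it writes to a temporary file are constructed to resemble FRST output and are not real log data.

```powershell
# Added example, not part of the Malwarebytes article: search an FRST.txt log for the
# Emotet indicators listed above and report which pattern each matching line hit.
# Assumptions: the random (blue) part of the second IOC is the 8-digit file name; the
# sample lines below are constructed to look like FRST output and are not a real log.

function Find-EmotetIoc {
    param([Parameter(Mandatory)][string]$LogPath)

    $patterns = @{
        'servicedcom' = 'C:\\Windows\\SysWOW64\\servicedcom\.exe'   # Gornyk service binary from the article
        'random8exe'  = 'C:\\WINDOWS\\\d{8}\.EXE'                     # 12345678.EXE with any 8 digits (assumed)
    }

    # FRST.txt carries a byte-order mark, so Get-Content picks the right encoding on its own
    foreach ($line in Get-Content -Path $LogPath) {
        foreach ($name in $patterns.Keys) {
            # -imatch: case-insensitive, since FRST prints whatever path casing it finds on disk
            if ($line -imatch $patterns[$name]) {
                [pscustomobject]@{ Indicator = $name; Line = $line.Trim() }
            }
        }
    }
}

# Constructed sample in FRST style (not real log data) so the function can be exercised offline
$sample = @'
2017-12-22 10:11 - 2017-12-22 10:11 - 000123456 _____ () C:\Windows\SysWOW64\servicedcom.exe
S2 Gornyk; C:\Windows\SysWOW64\servicedcom.exe [123456 2017-12-22] ()
2017-12-22 10:12 - 2017-12-22 10:12 - 000098765 _____ () C:\WINDOWS\48213957.EXE
2017-11-01 09:00 - 2017-11-01 09:00 - 004567890 _____ (Microsoft Corporation) C:\Windows\explorer.exe
'@
$logFile = Join-Path $env:TEMP 'FRST-sample.txt'
Set-Content -Path $logFile -Value $sample

$hits = @(Find-EmotetIoc -LogPath $logFile)
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize      # three hits expected; explorer.exe is not reported
    "Emotet indicators found: keep this machine off the network until it has been cleaned"
} else {
    "No Emotet indicators found in $logFile"
}
```

To use it on a real scan, drop the sample section and call Find-EmotetIoc -LogPath with the path of the FRST.txt that FRST wrote next to itself. The digit-only pattern is deliberate: a looser pattern such as any 8-character name under C:\Windows would also match legitimate files like explorer.exe.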


Disable Administrator Shares


By default, Windows creates hidden share folders specifically for administrative access from other machines.  These are the Admin$ shares, and they are separate from the well-known C$ shares.


The Admin$ shares are used by the Emotet worm once it has brute-forced the local administrator password. These Admin$ shares are normally protected by UAC; however, Windows lets the local administrator through with no prompt.


It is recommended to disable these Admin$ shares via the registry, as discussed here. If you do not see this registry key, it can be added manually and set to disable the shares.
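The following PowerShell script is an added example and not the article's own procedure. It sets the LanmanServer registry value that controls the automatically created administrative shares (AutoShareWks on workstation editions, AutoShareServer on server editions), creates the value when it is absent as the article describes, restarts the Server service so the change takes effect, and then confirms that ADMIN$ is no longer published. It assumes it is run from an elevated PowerShell prompt on the machine being hardened.

```powershell
# Added example (not the article's own script): disable the automatically created administrative
# shares through the LanmanServer registry value the article refers to, creating the value if it
# does not exist, then restart the Server service and confirm ADMIN$ is gone.
# Assumes an elevated PowerShell prompt on the machine being hardened.

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Workstation SKUs honour AutoShareWks; server SKUs (ProductType 2 or 3) honour AutoShareServer
$valueName = if ((Get-CimInstance Win32_OperatingSystem).ProductType -eq 1) { 'AutoShareWks' } else { 'AutoShareServer' }

function Disable-AdminShares {
    $existing = Get-ItemProperty -Path $paramsKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        # Value missing (the usual case): add it as a REG_DWORD set to 0
        New-ItemProperty -Path $paramsKey -Name $valueName -PropertyType DWord -Value 0 | Out-Null
    } else {
        Set-ItemProperty -Path $paramsKey -Name $valueName -Value 0
    }
    # The Server service recreates the default shares at start-up based on this value
    Restart-Service -Name LanmanServer -Force
}

function Test-AdminSharesDisabled {
    # $true when neither ADMIN$ nor any drive-letter$ share is still published
    $adminShares = @(Get-SmbShare | Where-Object { $_.Name -match '^(ADMIN|[A-Z])\$$' })
    return ($adminShares.Count -eq 0)
}

Disable-AdminShares
if (Test-AdminSharesDisabled) {
    "Administrative shares disabled ($valueName = 0)"
} else {
    "Administrative shares still present; check $paramsKey\$valueName and the Server service"
}
```

Note that this registry value governs all of the automatically created administrative shares, so the drive shares (C$, D$, and so on) disappear together with ADMIN$, while IPC$ remains. Any management tooling that copies files or pushes agents over those shares will need another path until they are re-enabled.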


How to remove Emotet infection with Malwarebytes Endpoint Security


You can use Malwarebytes Anti-Malware v1.80, which is included in your Malwarebytes Endpoint Security deployment, to scan for and remove Emotet.


Option 1
  1. Remove the infected endpoint from the network.
  2. On the infected machine, right-click the system tray icon and click Start Scanner.
  3. Select Perform full scan.
  4. Click the Scan button.


Option 2
  1. Open CMD.
  2. CD to C:\Program Files (x86)\Malwarebytes' Anti-Malware
  3. Run mbamapi /scan -full -remove -reboot


It is recommended to follow the MBAM scan with a Malwarebytes Anti-Rootkit (MBAR) scan.

  1. From a safe computer, download the Anti-Rootkit tool.
    For detailed instructions, refer to the KB article How do I use Malwarebytes Anti-Rootkit?
  2. Once Anti-Rootkit is updated (steps 1 - 4), copy it to a flash drive.
  3. Go to an infected machine that has been scanned/cleaned with Anti-Malware and is still off the network.
  4. Copy the Anti-Rootkit files from the flash drive to the machine.
  5. Turn off Anti-Malware: right-click the Anti-Malware system tray icon and select Exit.
  6. Run the Anti-Rootkit program to scan for threats. Refer to How do I use Malwarebytes Anti-Rootkit?, steps 5 - 12, for instructions.


How to remove Emotet infection with Malwarebytes Endpoint Protection


  1. Go to the Malwarebytes Cloud console.
  2. Allow a scan to be invoked while the machine is off the network:
    Go to Settings > Policies > your policy > General. Under Endpoint Interface Options turn ON:
    1. Show Malwarebytes icon in notification area
    2. Allow users to run a Threat Scan (all threats will be quarantined automatically)
  3. Temporarily enable Anti-Rootkit scanning for all invoked threat scans:
    Go to Settings > Policies > your policy > Endpoint Protection > Scan Options and set Scan Rootkits to ON.
  4. Once the endpoint has been updated with the latest policy changes:
    1. Take the client off the network.
    2. From the system tray icon, run an Anti-Rootkit threat scan.

If you have infected machines that are not registered endpoints in Malwarebytes Endpoint Protection, you can remove Emotet with the Malwarebytes Breach Remediation tool (MBBR).


  1. Log into your My Account page and copy your license key. The key is needed to activate the MBBR tool.
  2. Open your Cloud console.
  3. From a clean and safe machine, go to Endpoints > Add > Malwarebytes Breach Remediation. This downloads the MBBR zip package.
  4. Unzip the package.
  5. Open a Windows command prompt and issue the following commands:
    mbbr register -key:<prodkey>
    mbbr update
    Note: You must substitute your license key for <prodkey>.
  6. Copy the MBBR folder to a flash drive.
  7. On an infected, offline machine, copy the MBBR folder from the flash drive.
  8. Start a scan using the following command:
    mbbr scan -full -ark -remove -noreboot
  9. Refer to the Malwarebytes Breach Remediation Windows Administrator Guide for all supported scanning commands.


Change account credentials


It is essential to change the credentials of all user accounts on infected machines.  If you have an Active Directory (AD) domain, change the accounts' credentials from a known clean computer.  If you are on a workgroup, wait until the machine is clean before changing the account credentials.


Additional Information