New EmoCheck Tool Checks if You’re Infected With Emotet

Posted by & filed under Security News.

A new utility has been released by Japan CERT (computer emergency response team) that allows Windows users to easily check if they are infected with the Emotet Trojan.

The Emotet Trojan is one of the most actively distributed malware that is spread through phishing emails with malicious Word document attachments.

These emails pretend to be invoices, shipping notices, account reports, holiday party invites, and even information about the Coronavirus in the hopes that you will be enticed, or tricked, into opening the attachment.

Once installed, Emotet will utilize the infected computer to send further spam to potential victims and also download other malware onto the computer.

Emotet is particularly dangerous as it commonly downloads and installs the Trickbot banking Trojan, which steals saved credentials, cookies, browser history, SSH keys, and more while it attempts to spread to other computers on the network.

If the network is of high-value, TrickBot will also open a reverse shell back to the Ryuk Ransomware operators who will encrypt the network as a final payload.

Due to its severity, it is important that victims quickly find and remove the Emotet Trojan before it can download and install other malware onto an infected computer.

Using EmoCheck to check for the Emotet Trojan

When Emotet is installed by a malicious attachment, it will be stored in a semi-random folder under %LocalAppData%.

It is semi-random because it will not use random characters, but rather a folder name built out of two keywords from the following list:

duck, mfidl, targets, ptr, khmer, purge, metrics, acc, inet, msra, symbol, driver, sidebar, restore, msg, volume, cards, shext, query, roam, etw, mexico, basic, url, createa, blb, pal, cors, send, devices, radio, bid, format, thrd, taskmgr, timeout, vmd, ctl, bta, shlp, avi, exce, dbt, pfx, rtp, edge, mult, clr, wmistr, ellipse, vol, cyan, ses, guid, wce, wmp, dvb, elem, channel, space, digital, pdeft, violet, thunk

To check if you are infected with Emotet, you can download the EmoCheck utility from the Japan CERT GitHub repository.

Once downloaded, extract the zip file and double-click on the emocheck_x64.exe (64-bit version) or emocheck_x86.exe (32-bit version) depending on what you downloaded.

Once running, EmoCheck will scan for the Emotet Trojan and alert you if it is found, what process ID it is running under, and the location of the malicious file.

This information will also be saved to a log file located at [path of emocheck.exe]\yyyymmddhhmmss_emocheck.txt.

If you run EmoCheck and discover that you are infected, you should immediately open Task Manager and terminate the listed process.

You should then scan your computer with reputable antivirus software to make sure other malware has not already been downloaded and installed onto the computer.

This tool could also be useful for network administrators to use as part of a login script to quickly find machines that have been infected with Emotet to prevent a full-blown ransomware attack.


The information contained in this website is for general information purposes only. The information is gathered from BLEEPING COMPUTER, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.