Emotet detection tool for Windows OS.
- Download EmoCheck from the Releases page.
- Run EmoCheck on the host.
- Check the exported report.
Please download from the Releases page.
Latest hash:
emocheck_x86.exe
MD5 : 89863A79D531E2730D450F2D1C99EB6C
SHA256: 5A459538DE0A5B1C270C0617191A71D23EA6C705650761EF9B7095A736AF7301
emocheck_x64.exe
MD5 : 94005A6447CA810619FF24D67EF67A93
SHA256: 65838C35D03FE36E9DBA1408E2278F8BC282B1319FEFAABEE4491B45E1254163
(since v0.0.2)
- Specify output directory for the report (default: current directory)
/output [your output directory]
or-output [your output directory]
- No console output
/quiet
or-quiet
- Export the report in JSON style
/json
or-json
- Debug mode (no report)
/debug
or-debug
- Show help
/help
or-help
(v0.0.1)
Emotet generates their process name from a specific word dictionary and C drive serial number.
EmoCheck scans the running process on the host, and find Emotet process from their process name.
(added in v0.0.2)
Emotet keeps their encoded process name in a specific registry key.
EmoCheck looks up and decode the registry value, and find it from the process list.
Text stlye:
[Emocheck v0.0.2]
Scan time: 2020-02-10 13:06:20
____________________________________________________
[Result]
Detected Emotet process.
[Emotet Process]
Process Name : mstask.exe
Process ID : 716
Image Path : C:\Users\[username]\AppData\Local\mstask.exe
____________________________________________________
Please remove or isolate the suspicious execution file.
JSON style (added in v0.0.2):
{
"scan_time":"2020-02-10 13:06:20",
"hostname":"[your hostname]",
"emocheck_version":"0.0.2",
"is_infected":"yes",
"emotet_processes":[
{
"process_name":"mstask.exe",
"process_id":"716",
"image_path":"C:\\Users\\[username]\\AppData\\Local\\mstask.exe"
}
]
}
The report will be exported to the following path.
(v0.0.1)
[current directory]\yyyymmddhhmmss_emocheck.txt
(since v0.0.2)
[output path]\[computer name]_yyyymmddhhmmss_emocheck.txt
[output path]\[computer name]_yyyymmddhhmmss_emocheck.json
(v0.0.1)
- (Feb. 3, 2020) v0.0.1
- Initial release
- (Feb. 10, 2020) v0.0.2
- update detecting method
- add options
- Windows 10 1809 64bit Japanese Edition
- Windows 8.1 64bit Japanese Edition
- Windows 7 SP1 32bit Japanese Edition
- Windows 7 SP1 64bit Japanese Edition
- Windows 10 1809 64bit Japanese Edition
- Microsoft Visual Studio Community 2017