Wanted

First designed as a banking trojan, Emotet is a piece of modular malware that spreads through phishing and spear phishing attacks. Once infecting a host, Emotet is primarily used as a downloader for other forms of malware.

Emotet

Rap Sheet

Basic Threat Type
Botnet, Malware Loader

First Seen
2014

Alliances
Wizard Spider

Origin
Ukraine

Targeted Industries
Banking Sector, Towns and Cities

Notable Attacks
Allentown, PA - February 2018
Heise Online - May 2019
Kammergericht Berlin - September 2019
Humboldt University of Berlin - October 2019
Frankfurt, Germany - December 2019

Villain Synopsis:

Emotet is a sophisticated piece of modular malware that is primarily used as a downloader for follow-on malware. It spreads through prolific spear phishing and malspam sent from machines it has already infected. This malspam carries Microsoft Office documents containing a malicious macro that downloads and unpacks the Emotet loader. Emotet is highly evasive: the loader is re-packed for each delivery, so every newly infected machine receives a sample with a different SHA256 hash, which leaves hash-based indicators of limited use for detection.

Once Emotet infects a host, it establishes an encrypted C2 channel and attempts lateral movement within the network: it brute forces administrator passwords using a hard-coded password list and, once a password succeeds, uses the ADMIN$ share to spread to other machines. Once C2 is established, Emotet downloads a variety of follow-on malware, most commonly TrickBot or IcedID. Emotet also harvests significant data from the infected host, including Outlook email and contact data, locally stored and browser passwords, and a list of running processes, and it has been observed sniffing network traffic.
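The lateral-movement pattern described above (a burst of failed administrator logons from one host followed by that host touching the ADMIN$ share) is something a defender can hunt for in Windows Security logs. The script below is an added detection example, not code from the original page or from any Emotet analysis: it correlates failed-logon events (Windows event ID 4625) with later network-share access events (event ID 5145) for the ADMIN$ share from the same source. The simple key=value log line format, the sample events, the failure threshold and the time window are all assumptions made for this example.

```python
"""Correlate a burst of failed logons with a later ADMIN$ share access from
the same source host. Windows Security event IDs 4625 (failed logon) and
5145 (network share object checked) are real; the one-line key=value record
format below is an assumption made for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Assumed format:
# "<ISO timestamp> EventID=<id> Src=<ip> User=<name> [Share=<share>]"
# 10.0.0.5: six failed Administrator logons, a success, then ADMIN$ access.
# 10.0.0.7: only two failures before ADMIN$ access (below the threshold).
# 10.0.0.9: ADMIN$ access by an administrator with no preceding failures.
SAMPLE_LOG = r"""
2019-09-01T10:00:01 EventID=4625 Src=10.0.0.5 User=Administrator
2019-09-01T10:00:02 EventID=4625 Src=10.0.0.5 User=Administrator
2019-09-01T10:00:03 EventID=4625 Src=10.0.0.5 User=Administrator
2019-09-01T10:00:04 EventID=4625 Src=10.0.0.5 User=Administrator
2019-09-01T10:00:05 EventID=4625 Src=10.0.0.5 User=Administrator
2019-09-01T10:00:06 EventID=4625 Src=10.0.0.5 User=Administrator
2019-09-01T10:00:08 EventID=4624 Src=10.0.0.5 User=Administrator
2019-09-01T10:00:09 EventID=5145 Src=10.0.0.5 User=Administrator Share=\\*\ADMIN$
2019-09-01T10:05:00 EventID=4625 Src=10.0.0.7 User=Administrator
2019-09-01T10:05:01 EventID=4625 Src=10.0.0.7 User=Administrator
2019-09-01T10:05:02 EventID=5145 Src=10.0.0.7 User=Administrator Share=\\*\ADMIN$
2019-09-01T10:30:00 EventID=5145 Src=10.0.0.9 User=itadmin Share=\\*\ADMIN$
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Src=(?P<src>\S+) User=(?P<user>\S+)"
    r"(?: Share=(?P<share>\S+))?$"
)


def parse_events(text):
    """Parse the assumed log format into a list of event dicts, skipping
    blank lines and lines that do not match."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["eid"] = int(ev["eid"])
        events.append(ev)
    return events


def detect_bruteforce_then_admin_share(events, threshold=5,
                                       window=timedelta(minutes=10)):
    """Return one alert per ADMIN$ share access that was preceded, within
    `window`, by at least `threshold` failed logons from the same source.
    Threshold and window are tuning assumptions, not Emotet constants."""
    failures = defaultdict(deque)  # source host -> timestamps of 4625 events
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["eid"] == 4625:
            failures[src].append(ev["ts"])
        elif ev["eid"] == 5145 and (ev.get("share") or "").upper().endswith("ADMIN$"):
            recent = failures[src]
            # Drop failures that fall outside the correlation window.
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                alerts.append({
                    "src": src,
                    "user": ev["user"],
                    "failed_logons": len(recent),
                    "share_access": ev["ts"].isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_then_admin_share(parse_events(SAMPLE_LOG)):
        print("possible brute-force then ADMIN$ lateral movement:", alert)
```

Event 5145 is only logged when Detailed File Share auditing is enabled on the target; without it, event 5140 (share accessed) is the closest substitute. Legitimate administrators will also touch ADMIN$, which is why the detection keys on the preceding run of failures rather than on the share access alone.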

References
https://attack.mitre.org/software/S0367/
https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/