[SANS ISC] Emotet Returns, (Tue, Nov 16th)


Back in January 2021, law enforcement and judicial authorities worldwide took down the Emotet botnet.  Although some Emotet emails still went out in the weeks after that, those were remnants from the inactive botnet infrastructure.  We hadn’t seen any new Emotet since then.

But on Monday 2021-11-15, we saw indicators that Emotet has returned.  This diary reviews activity from a recent Emotet infection.

Shown above:  Chain of events for Emotet infection on Monday 2021-11-15.


We found some emails from a newly-revived Emotet botnet on Monday 2021-11-15 that have one of three types of attachments:

Microsoft Excel spreadsheet
Microsoft Word document
Password-protected zip archive (password: BMIIVYHZ) containing a Word document

These emails were all spoofed replies that used data from stolen email chains, presumably gathered from previously infected Windows hosts.
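As an added triage example (not code from the diary), the check below classifies the three attachment types described above without opening any document: a macro-enabled Word or Excel file is flagged by the presence of a vbaProject.bin inside its OOXML zip, and a plain zip is flagged when its members carry the encryption bit and an Office document name, both of which are readable without the password. The sample files are constructed inline as stand-ins; no real sample is embedded.

```python
import io
import zipfile

# Where the VBA project lives inside macro-enabled OOXML files (.docm / .xlsm).
VBA_PATHS = ("word/vbaProject.bin", "xl/vbaProject.bin")
ZIP_ENCRYPTED_FLAG = 0x1  # bit 0 of the general-purpose flag field
OFFICE_EXT = (".docm", ".doc", ".xlsm", ".xls")


def triage_attachment(name, data):
    """Return a dict with the attachment 'kind', a 'flag' verdict and a reason."""
    if not data.startswith(b"PK\x03\x04"):
        return {"name": name, "kind": "not-zip", "flag": False, "detail": ""}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"name": name, "kind": "corrupt-zip", "flag": True, "detail": "unparseable"}
    members = zf.namelist()
    # Office documents are zips with [Content_Types].xml at the root.
    if "[Content_Types].xml" in members:
        macro = [m for m in members if m in VBA_PATHS]
        return {"name": name, "kind": "office", "flag": bool(macro),
                "detail": macro[0] if macro else "no VBA project"}
    # Plain archive: member names and flag bits sit in the central directory,
    # so they can be inspected even when the content is password protected.
    encrypted = [i.filename for i in zf.infolist() if i.flag_bits & ZIP_ENCRYPTED_FLAG]
    office_inside = [m for m in members if m.lower().endswith(OFFICE_EXT)]
    return {"name": name, "kind": "archive", "flag": bool(encrypted and office_inside),
            "detail": f"encrypted={encrypted} office={office_inside}"}


def make_office(vba_path):
    """Constructed stand-in for a .docm/.xlsm: minimal OOXML zip, optional VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        if vba_path:
            zf.writestr(vba_path, b"\xd0\xcf\x11\xe0 placeholder vba")
    return buf.getvalue()


def make_encrypted_zip(inner_name):
    """Constructed stand-in for the password-protected zip. zipfile cannot write
    encrypted entries, so bit 0 of the flag field is set by hand in the local
    header (offset 6) and the central-directory header (offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder document bytes")
    data = bytearray(buf.getvalue())
    data[data.index(b"PK\x03\x04") + 6] |= ZIP_ENCRYPTED_FLAG
    data[data.index(b"PK\x01\x02") + 8] |= ZIP_ENCRYPTED_FLAG
    return bytes(data)
```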

Shown above: Example of Emotet malspam with password protected zip attachment.

Shown above: Example of Emotet malspam with attached Word document.

Shown above: Example of Emotet malspam with attached Excel file.

Shown above: Screenshot of Word document for Emotet.

Shown above: Screenshot of Excel spreadsheet for Emotet.

Infection traffic

Infection traffic for Emotet is similar to what we saw before the takedown in January 2021.  The only real difference is Emotet post-infection C2 is now encrypted HTTPS instead of unencrypted HTTP.  My infected lab host turned into a spambot trying to push out more Emotet malspam.

Shown above:  Example of traffic generated by Excel or Word macros for an Emotet DLL.

Shown above: Traffic from an infection filtered in Wireshark.

Shown above:  TCP stream of encrypted SMTP traffic from my infected Windows host.

Indicators of Compromise (IOCs)

The following are Word documents, Excel files, and a password-protected zip archive I saw from Emotet on Monday 2021-11-15.


The following are URLs generated by macros from the above files for an Emotet DLL file:


The Emotet DLL was first stored under a random file name with a .dll extension in the C:\ProgramData directory.  It was then moved to a randomly-named directory under the infected user’s AppData\Local folder.  The DLL was then made persistent through a Windows registry update, as shown below.

Shown above:  Example of registry update to keep Emotet persistent.

SHA256 hashes for 7 examples of Emotet DLL files:


HTTPS Emotet C2 traffic:


Final words

The email examples and malware samples from Monday’s Emotet activity on 2021-11-15 can be found here.

Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
