Protect Against Russia-Ukraine Cyber Activity

Emotet Summary: November 2021 Through January 2022

By

Category: Malware

Tags: , , , , ,

A conceptual image representing phishing - one of the primary delivery methods for Emotet malware, covered here.

This post is also available in: 日本語 (Japanese)

Executive Summary

Emotet is one of the most prolific email-distributed malware families in our current threat landscape. Although a coordinated law enforcement effort shut down this malware in January 2021, Emotet resumed operations in November 2021. Since then, Emotet has returned to its status as a prominent threat.

This blog provides a background on Emotet, and it reviews activity from this malware family since its return in November 2021. The information covers changes in Emotet operations from its revival through the end of January 2022. These examples will provide a more comprehensive picture and better indicate the worldwide threat Emotet currently poses.

Palo Alto Networks customers are protected from Emotet with Cortex XDR or our Next-Generation Firewall with WildFire and Threat Prevention subscriptions.

Primary Malware Discussed Emotet
Operating System Affected Windows
Related Unit 42 Topics Malware, macros, phishing

Table of Contents

Background on Emotet
Visual Timeline
Emotet in November 2021
Emotet Abuses Microsoft App Installer
Emotet in December 2021
Emotet in January 2022
Conclusion
Indicators of Compromise
Appendix A: Emotet epoch 4 activity on Nov. 18, 2021
Appendix B: Emotet epoch 4 abusing App Installer on Nov. 30, 2021
Appendix C: Emotet epoch 4 infection on Dec. 21, 2021
Appendix D: Emotet epoch 5 infection on Jan. 11, 2022
Additional Resources

Background on Emotet

Sometimes referred to as Geodo or Feodo, Emotet is Windows-based malware that first appeared in 2014 as a banking Trojan. Since then, Emotet has evolved into modular malware that performs various functions, including information stealing, spambot activity and loading other malware.

The threat actor behind Emotet is known through different designators, like Mealybug, MUMMY SPIDER or TA542.

Emotet’s primary method of distribution is through email.

Emotet is a prolific spammer. Emotet-infected computers often act as spambots, sending a dozen or more emails every minute that push more Emotet. This means thousands of Emotet emails can be sent by a single host every day. If hundreds of Emotet-infected hosts are active at any given time, this means hundreds of thousands of Emotet emails can be generated each day Emotet is actively spamming.

Emotet is evasive. Through a technique called hashbusting, Emotet generates different file hashes for malware distributed through its botnets. This ensures a malware sample’s SHA256 hash is different on each infected system. Emotet also uses obfuscated code in scripts used during its initial infection process.

Emotet is nimble. Its botnets frequently update IP addresses and TCP ports used for command and control (C2) communications. Emotet also frequently changes URLs hosting its malware, sometimes using dozens of different URLs each day.

Emails distributing Emotet contain malicious attachments, or they contain links to malicious files. These messages most often contain Microsoft Office files like Word documents or Excel spreadsheets. These Office documents contain malicious macro code. The code is designed to infect a vulnerable Windows host after a victim enables macros.

As it rose to prominence, Emotet began distributing other malware like Gootkit, IcedID, Qakbot and Trickbot.

By September 2019, Emotet's infrastructure was running on three separate botnets. These botnets were designated by the security research team Cryptolaemus as epoch 1, epoch 2 and epoch 3. The epoch designators are often abbreviated as E1, E2 and E3.

By 2020, a significant portion of malicious spam pushing Emotet used thread hijacking. Thread hijacking is a technique that utilizes legitimate messages stolen from infected computers' email clients. Emotet emails have frequently spoofed legitimate users and impersonated replies to these stolen emails.

Emotet occasionally takes a break from delivering malicious emails. Emotet's longest absence from the threat landscape occurred in early February 2020 and lasted more than five months. Emotet resumed operations in mid-July 2020, and it quickly surpassed other threats in sheer volume of malicious spam.

In January 2021, a collaborative effort by law enforcement agencies and other authorities disrupted Emotet operations. This effectively stopped the threat actor, and Emotet disappeared from our threat landscape.

Approximately 10 months later, Emotet resumed operations in mid-November 2021.

Visual Timeline

Figure 1 presents a timeline of Emotet operations from its return in mid-November 2021 through January 2022. The timeline highlights notable Emotet activity during the three month period covered in this blog.

Timeline of Emotet operations from November 2021-January 2022: Nov 14 - new Emotet binary seen from Trickbot infection, Nov 15 - Emotet resumes spamming (emails have attachments), Nov. 23 - batch files noted during Emotet infection process, Nov. 30 - Emotet starts abusing App Installer protocol, Dec. 7 - start seeing Cobalt Strike from Emotet infections, Dec 21 - Emotet emails primarily use links to download initial Office document, start seeing new infection method with .hta files and PowerShell script, Dec. 25 - Emotet spamming stops, Jan. 11 - Emotet spamming resumes, Jan. 21 - Emotet emails back to using attachments instead of links.
Figure 1. Timeline of Emotet operations from November 2021 through January 2022.

Emotet in November 2021

On Sunday, Nov. 14, 2021, security researcher Luca Ebach discovered a new Emotet binary delivered through a Trickbot infection. By Monday, Nov. 15, the Emotet infrastructure had resumed normal operations and began generating a large volume of malicious spam.

The new Emotet infrastructure is running on two separate botnets designated as epoch 4 and epoch 5. These designators are often abbreviated as E4 and E5.

On Nov. 15, malicious spam for Emotet had one of three types of attachments: a password-protected ZIP archive, a Word document or an Excel spreadsheet. This follows the same method we had typically seen with previous Emotet infections. Examples and more details can be found in my post, “Emotet Returns.” See Figure 2 for a flow chart documenting the chain of events.

Flow chart documenting the chain of events for Emotet infections seen on Monday, Nov. 15, 2021: thread hijacked email > password-protected ZIP or Office document > enable macros > web traffic for Emotet DLL > Emotet DLL > Emotet C2 traffic
Figure 2. Chain of events for Emotet infections seen on Monday, Nov. 15, 2021.

Appendix A lists indicators of compromise from an infection on Wednesday, Nov. 18.

By Monday, Nov. 23, a batch file was added to the infection process as shown below in Figure 3.

Chain of events for Emotet infections seen Monday, Nov. 23, 2021: threat hijacked email > password-protected ZIP or Office document > enable macros > batch file dropped to C:\ProgramData\directory > web traffic for Emotet DLL > Emotet DLL > Emotet C2 traffic
Figure 3. Chain of events for Emotet infections seen on Monday, Nov. 23, 2021.

Emotet targets include various areas around the world. But even if victims are non-English speakers, templates for the Office documents are still in English as shown below in Figures 4 and 5 from an email targeting Italy.

Emotet targets include various areas around the world. But even if victims are non-English speakers, templates for the Office documents are still in English as shown here in an email targeting Italy.
Figure 4. Screenshot of Emotet email targeting Italy on Nov. 23, 2021.
Emotet targets include various areas around the world. But even if victims are non-English speakers, templates for the Office documents are still in English as shown here in an attachment from an Italian email containing an Excel spreadsheet.
Figure 5. Attachment from Italian email contained Excel spreadsheet for Emotet with an English template.

At this time, enabling macros did not directly download and run the Emotet DLL. Instead, the macro code dropped a batch file shown in Figure 6 and ran it with the following command:

C:\WINDOWS\system32\cmd.exe /c c:\programdata\sdfhiuwu.bat

At this time, enabling macros did not directly download and run the Emotet DLL. Instead, the macro code dropped a batch file shown here and ran it with the following command: C:\WINDOWS\system32\cmd.exe /c c:\programdata\sdfhiuwu.bat
Figure 6. Batch file dropped after enabling macros for an Emotet infection on Nov. 23, 2021.

As an evasion technique, obfuscated script in the batch file generates a PowerShell command to retrieve an Emotet DLL and run it on the victim’s host. The PowerShell command uses a base64-encoded string as shown below in Figure 7.

As an evasion technique, obfuscated script in the batch file generates a PowerShell command to retrieve an Emotet DLL and run it on the victim’s host. The PowerShell command uses a base64-encoded string as shown
Figure 7. PowerShell command using base64 encoded string.

Converting the base64 string to ASCII text reveals the script shown below in Figure 8. This script is designed to retrieve an Emotet DLL from one of seven URLs and save it to the C:\ProgramData\ directory. The Emotet DLL is run with rundll32.exe using a random string of characters as the entry point.

Converting the base64 string to ASCII text reveals the script shown This script is designed to retrieve an Emotet DLL from one of seven URLs and save it to the C:\ProgramData\ directory. The Emotet DLL is run with rundll32.exe using a random string of characters as the entry point.
Figure 8. Deobfuscated script from the base64 string in Figure 4.

The new Emotet DLL is similar to Emotet DLLs before the January 2021 takedown. Emotet is made persistent under a randomly named folder under the infected user’s AppData\Local\Temp directory. The modified date of the persistent DLL is backdated exactly one week prior to the infection. Emotet is made persistent through a Windows Registry update. Figure 9 shows an example from Nov. 23.

Emotet is made persistent through a Windows Registry update, as shown.
Figure 9. Registry update to keep Emotet persistent after a reboot.

Since Emotet reappeared in November 2021, post-infection C2 activity consists of encrypted HTTPS traffic. Certificate issuer data for Emotet C2 HTTPS traffic uses generic values often seen with other malware families. Figure 10 shows an example of Emotet C2 activity filtered in Wireshark to reveal the certificate issuer data.

An example of Emotet C2 activity filtered in Wireshark to reveal the certificate issuer data. The key section is surrounded by a red box with a red arrow.
Figure 10. Reviewing certificate issuer data of Emotet HTTPS C2 traffic in Wireshark.

As shown above in Figure 10, certificate issuer data for Emotet C2 HTTPS traffic is:

id-at-countryName=GB
id-at-statOrProvinceName=London
id-at-localityName=London
id-at-organizationName=Global Security
id-at-organizationalUnitName=IT Department
id-at-commonName=example.com

Of note, other malware families have used similar certificate issuer data, so this is not necessarily unique to Emotet.

On Nov.r 30, Emotet switched tactics again and began abusing Microsoft’s App Installer as part of its infection chain.

Emotet Abuses Microsoft App Installer

Now disabled by Microsoft, App Installer is a protocol for Windows 10 used to install software directly from a web server, and it used XML-based app installer files with the extension .appinstaller. This protocol had been previously abused for BazarLoader malware attacks in November 2021. Figure 11 shows the flow chart for this type of Emotet infection.

Flow chart for Emotet infections abusing Microsoft's App Installer protocol: email > link from email > fake PDF report page > link from fake PDF report page > appinstaller (XML file) > web traffic generated by appinstaller > appxbundle (zip archive) > web traffic generated by files in appxbundle > Emotet DLL > Emotet C2 activity
Figure 11. Flow chart for Emotet infections abusing Microsoft’s App Installer Protocol.

The attack technique starts with complaint report-themed emails with links to malicious pages. These malicious pages are hosted on compromised websites, and they spoof Google Drive by using the same style of Google Drive pages, including a Google Drive icon that appears in the browser tab. The pages have links to supposedly preview a PDF-based complaint report. The link actually leads to a malicious .appinstaller file designed to infect a vulnerable Windows 10 host with Emotet.

Below, Figure 12 shows a thread-hijacked email from Nov. 30 with the malicious link, and Figure 13 shows the associated complaint page with a link to the malicious .appinstaller file.

Thread-hijacked email from Nov. 30. The malicious link appears toward the top and seems to be a PDF. The actual destination of the malicious link is superimposed in red over the screenshot.
Figure 12. Thread-hijacked email from Nov. 30 with link to page for malicious app installer.
Fake complaint report page links to .appinstaller file for Emotet. Red arrows show what happens if the user clicks the "Preview PDF" button shown in the screenshot. The malicious link that is the actual destination of the button is superimposed over the screenshot in red.
Figure 13. Fake complaint report page with link to .appinstaller file for Emotet.

As shown above in Figure 13, the .appinstaller file pretends to be an Adobe PDF component. In this case, criminals were abusing Microsoft Azure to host the malicious files. Below, Figure 14 shows a malicious .appinstaller file opened in a text editor.

A malicious .appinstaller file opened in a text editor. The file retrieves a malicious ZIP archive appended with an .appxbundle file extension from the same server.
Figure 14. Malicious .appinstaller file used for Emotet on Nov. 30.

The malicious .appinstaller file shown above in Figure 14 retrieves a malicious ZIP archive appended with an .appxbundle file extension from the same server. Below, Figure 15 shows contents of the malicious .appxbundle.

Contents of the malicious .appxbundle. It contains various files including ZIP archives with an .appx file extension. The entire .appxbundle is designed to retrieve an Emotet DLL and run it on a vulnerable Windows host.
Figure 15. Malicious .appxbundle used for Emotet infection on Nov. 30.

The malicious .appxbundle impersonating an Adobe program contains various files including ZIP archives with an .appx file extension. Together, the entire .appxbundle is designed to retrieve an Emotet DLL and run it on a vulnerable Windows host.

Indicators and further details from the Nov. 30 activity can be found at Malware Traffic Analysis. Due to the nature of these app installer files, this infection method was initially difficult to detect. Fortunately, Microsoft quickly shut down Azure file servers hosting the app installer files. Microsoft has also disabled the app installer protocol, so this no longer remains an avenue of attack for Emotet or other malware.

Appendix B lists indicators of compromise from an Emotet infection abusing Microsoft’s App Installer on Nov. 30.

Emotet in December 2021

Throughout November 2021, examples of Emotet infections revealed data exfiltration and spambot activity. No indicators of followup malware were publicly reported until December 2021. By Dec. 7, the Cryptolaemus research team confirmed Cobalt Strike had been deployed to Emotet-infected Windows hosts.

December 2021 saw at least one more wave of emails from Emotet attempting to abuse Microsoft’s App Installer protocol. However, Emotet quickly moved on to other infection patterns and used different templates for Office documents, mostly Excel spreadsheets.

In the week leading to Christmas day, Emotet emails contained links to web pages on various compromised websites. These pages also pretended to be from Google Drive, and they had links to download malicious Excel files. In this case, Emotet started using a new infection pattern as shown in Figure 16.

Emotet infection pattern seen from Dec. 21-Dec. 24: email > link from email > fake complaint report page > link from complaint report page > Excel file > enable macros > cmd.exe runs mshta.exe on HTML application (.hta) file hosted at a web URL > web traffic for .hta file > powershell.exe runs script hosted on another web URL > web traffic for PowerShell script > web traffic for Emotet DLL > Emotet DLL > Emotet C2 traffic.
Figure 16. Emotet infection pattern seen from Dec. 21-Dec. 24.

Above, Figure 16 reveals a process Emotet occasionally used through at least February 2022. We previously reported details on one such variation from January. Appendix C lists indicators of compromise from an Emotet infection using this method on Dec. 21.

Below, Figure 17 shows an email from Dec. 23 pushing Emotet, Figure 18 displays the website from the email link, and Figure 19 reveals the downloaded Excel spreadsheet.

Email from Dec. 23 pushing Emotet. A red arrow draws attention to the malicious link, and the malicious link's actual destination is shown in red.
Figure 17. Example of email from Dec. 23 pushing Emotet.
Web page delivering malicious Excel spreadsheet. the screenshot shows the option to open or save the malicious spreadsheet.
Figure 18. Web page delivering malicious Excel spreadsheet leading to Emotet on Dec. 23.
The malicious Excel spreadsheet, 8278500.xls. The screenshot shows that the spreadsheet opens with a request to enable macros.
Figure 19. Malicious Excel spreadsheet downloaded from page shown in Figure 17.

On Thursday, Dec. 24, we saw similar emails with Christmas-themed subject lines and holiday wishes in the message text. This wave of emails delivered the same style of Excel spreadsheet shown above in Figure 19.

Below, Figure 20 shows one of these Christmas-themed emails, and Figure 21 displays the associated web page that delivered an Excel spreadsheet.

Christmas-themed email from Dec. 24 pushing Emotet. A red arrow indicates the malicious link, and its actual destination is shown in red.
Figure 20. Example of Christmas-themed email from Dec. 24 pushing Emotet.
Website delivering a malicious Excel spreadsheet leading to Emotet. The page says, "File 'Christmas Greetings' is ready for open."
Figure 21. Web page delivering malicious Excel spreadsheet leading to Emotet on Dec. 24.

After Dec. 24, Emotet stopped spamming until after the new year.

Emotet in January 2022

On Tuesday, Jan. 11, 2022, Emotet resumed spamming after its holiday break. The emails continued with links to fake complaint pages, and the pages were sometimes customized to include the recipient’s name. This method was prevalent until Jan. 20.

Figures 22-24 show one such example from Jan. 20. In this example, the recipient’s name has been sanitized to read as “Solomon Grundy” with an AOL email address, and the spoofed sender has been sanitized to read as alan.scott@thegreenlantern[.]net.

Emotet email from Jan. 20. The malicious link is indicated by a red arrow. Its actual destination is shown in red.
Figure 22. Emotet email from Jan. 20.
Fake complaint report page attempts to deliver a malicious Excel spreadsheet as shown. The screenshot reads, "File 'Preview Complaint Report in XLS' is ready for open."
Figure 23. Fake complaint report page with recipient’s name sending Excel spreadsheet for Emotet.
Excel spreadsheet for Emotet downloaded from fake complaint report web page. Note that the spreadsheet attempts to trick the user into enabling macros.
Figure 24. Excel spreadsheet for Emotet downloaded from fake complaint report web page.

Appendix D lists indicators of compromise from an Emotet infection using this method on Jan. 11.

By Friday, Jan. 21, Emotet emails went back to using attached Excel spreadsheets or password-protected ZIP archives containing Excel spreadsheets. Throughout the rest of the month, Excel spreadsheets for Emotet alternated between the template shown above in Figure 24 and the template shown below in Figure 25.

Excel spreadsheet template for Emotet seen during the last full week of January 2022. The spreadsheet opens a window that says, "This document is protected. Previewing is not available for protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Figure 25. Excel spreadsheet template seen during the last full week of January 2022.

In January, we continued to see reports of Emotet pushing Cobalt Strike. During our lab tests, we routinely saw Emotet-infected hosts generate spambot activity starting from 35-45 minutes after the initial infection.

Conclusion

Since its return in November 2021, Emotet has once again become one of the most prolific malware families in our current threat landscape. Hundreds of thousands of emails can be generated each day Emotet is actively spamming. Hashbusting, code obfuscation and other evasion techniques make Emotet a significant threat.

Windows users can lower their risk from Emotet through spam filtering, proper system administration and ensuring their software is patched and up to date. Palo Alto Networks customers are further protected from Emotet through Cortex XDR and our Next-Generation Firewall with WildFire and Threat Prevention subscriptions.

Palo Alto Networks has shared these findings, including file samples and indicators of compromise, with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

Due to hashbusting, daily changes in malware URLs and frequent changes for infection patterns, we can see hundreds of new indicators for Emotet every day. These indicators are too numerous and changes are too frequent to be useful in any single list. However, abuse.ch is a research project that provides free trackers for Emotet botnet command and control servers, URLs hosting Emotet malware and Emotet malware samples.

Appendices A, B, C and D provide a small selection of indicators referenced in this blog post.

Appendix A: Emotet epoch 4 activity on Nov. 18, 2021

SHA256 hashes for seven examples of password-protected ZIP archives:

a1ab66a0fbb84a29e5c7733c42337bc733d8b3c11e2d9f9e4357f47fb337c4d5 3.zip
176cfa7f0742d5a79b9cfbf266c437b965fc763cf775415ca251c6bb2dd5e9e5 9.zip
6c34e373479e1a7485025dc3ffa5d23db999aea83e4f3759bd8381fb88e2bbbf 435.zip
8dc28ac1c66f3d17794bb0059445f4deb9db029eb6d4ea1adca734d035bdaecf 1811.zip
4668e7d6bdb00fb80807ed91eef5ac9f6ba0dfd50d260d3e0240847b0ec16f69 18112021.zip
bfdad57171267921a678ba9d86fd096c00197524698cc03a84d2cfeefdca5587 433492807279.zip
66c34636aaf73f74df8da9981ca6054eb4143d1761dbde8e0e83899805590db2 763325738862.zip

Passwords for the above ZIP archives:

3.zip password: 008
9.zip password: 3854
435.zip password: 636
1811.zip password: 9483
18112021.zip password: 2927
433492807279.zip password: 209
763325738862.zip password: 339

SHA256 hashes for seven extracted Word documents:

304fba4a048904744d6d1c4d8bfd5d7b4019c2c45aba0499d797ee0d6807dfa8 3.doc
e5f3a7e75c03d45462992b0a973e7e25b533e293724590c9eb34f5ee729039b0 9.doc
0cacc247469125b5e0977b9de9814db0eb642c109ca5d13ee9c336aef2ec4c19 435.doc
801ec1ec71051838efe75fd89344b676fa741d9e7718e534f119c57a899f4792 1811.doc
cbddc8fea92cdf40f8efac2fe8fa534d52d90cccecbb914f3827002f680da98a 18112021.doc
fccaf2af38484493d763b0ea37e68a40eb6def3030cfa975fa8d389e96b49378 433492807279.doc
d655ab6b9350ec4f64c735cd23be62ca87d49165b244cefe75ad0dbb061de3d4 763325738862.doc

URLs generated by the above Word documents:

hxxp://jamaateislami[.]com/wp-admin/FKyNiHeRz1/
hxxp://voltaicplasma[.]com/wp-includes/wkCYpDihyc8biTPn444B/
hxxp://linebot.gugame[.]net/images/RX6MVSCgGr/
hxxp://lpj917[.]com/wp-content/Cc4KG1MDR4xAWp91SjA/
hxxp://html.gugame[.]net/img/5xUBiRIQ4s3EtKEv67Ebn/
hxxp://xanthelasmaremoval[.]com/wp-includes/VVVcpYsRtGgjQqfgjxbS/
hxxp://giadinhviet[.]com/pdf/log_in/8kQBFUyohsDRGCJx/

Example of Emotet DLL file:

SHA256 hash:
555dff455242a5f82f79eecb66539bfd1daa842481168f1f1df911ac05a1cfba
File size: 485,376 bytes
File location: hxxp://jamaateislami[.]com/wp-admin/FKyNiHeRz1/
File location: C:\ProgramData\1245045870.dll
File location: C:\Users\[username]\AppData\Local\Tzbklmcf\ljkklzcncxkf.pgk
Run method from Windows Registry update: rundll32.exe [filename],truHNmRuL
Note 1: This was generated using 1811.doc
Note 2: The entry point used with rundll32.exe can be any alpha-numeric value

HTTPS Emotet C2 traffic from an infected Windows host:

51.178.61[.]60 port 443
103.161.172[.]108 port 443
122.129.203[.]163 port 443

Appendix B: Emotet epoch 4 abusing App Installer on Nov. 30, 2021

Link from email:

hxxp://hispanicaidgroup[.]org/ufay0vq/keWIgzwT/

Malicious App Installer:

SHA256 hash:
450cba4a0f2b8c14dee55c33c9c0f522a4dddd1b463e39e8e736ed37dc2fac74
File size: 472 bytes
File location: hxxps://locstorageinfo.z13.web.core.windows[.]net/ioocceneen.appinstaller

Malicious Appxbundle:

SHA256 hash:
7c55c3656184b145b3b3f6449c05d93fa389650ad235512d2f99ee412085cf3a
File size: 1,261,364 bytes
File location: hxxps://locstorageinfo.z13.web.core.windows[.]net/ioocceneen.appxbundle

Malicious executable contained in Appxbundle:

SHA256 hash:
36a81cd64e7649d9f91925194e89e8463c980682596eef19c4f5df6e1ac77b2a
File size: 192,800 bytes
In Appixbundle at:
ioocceneen.appxbundle/Adobe_1.2.0.0_x86/CustomParts/wsprotocol.exe

Example of Emotet DLL:

SHA256 hash:
a04714dcfad52b9dbf2f649810a6c489c5eb2a15118043f0173571310597b8cb
File size: 643,147 bytes
File location: hxxp://www.thebanditproject[.]com/wp-content/BvZK54PFsCqKio6/
File location: C:\Users\[username]\AppData\Local\Pvglfpllzel\bhryuac.wmn
Run method: rundll32.exe [filename],[any alpha-numeric value]

HTTPS Emotet C2 traffic from an infected Windows host:

46.55.222[.]11 port 443
163.172.50[.]82 port 443

Appendix C: Emotet epoch 4 infection on Dec. 21, 2021

Attached Excel file from email:

SHA256 hash:
fcf5500a8b46bf8c7234fb0cc4568e2bd65b12ef8b700dc11ff8ee507ba129da
File size: 194,273 bytes
File name: REP_1671971987654103376.xls

HTA file:

SHA256 hash:
97ebdff655fa111863fbd084f99187c9b6b369fe88fdb1333f8b89aac09fc48d
File size: 10,980 bytes
File location: hxxp://87.251.86[.]178/pp/_.html

Powershell script:

SHA256 hash:
a08271fe6d67cc6cf678683f58e22412e6872a985a03b8444584bea57aa3cbb7
File size: 721 bytes
File location: hxxp://87.251.86[.]178/pp/PP.PNG

URLs generated by the above Powershell script:

hxxp://mustache.webstory[.]sa/wp-includes/cRwe2Pkxasj/
hxxps://vdevigueta[.]com/wp-admin/qYOwD7kPD6JX/
hxxp://bujogradba[.]com/5tvjjl/qiP8H0W5GmR5P9fGIw/
hxxps://daxinghuo[.]com/get/oU8lM4P/
hxxp://masl[.]cn/1/4Ilcpoj6PjTsj3eAR/

Example of Emotet DLL:

SHA256 hash:
7c35902055f69af2cbb6c941821ceba3d79b2768dd2235c282b195eb48cc6c83
File size: 1,257,472 bytes
File location: hxxp://mustache.webstory[.]sa/wp-includes/cRwe2Pkxasj/
File location: C:\Users\Public\Documents\ssd.dll
File location: C:\Users\[username]\AppData\Local\Piqvlxzjzu\vrjlv.srn
Run method: rundll32.exe [filename],[any alpha-numeric value]

HTTPS Emotet C2 traffic from an infected Windows host:

54.37.212[.]235 port 80
144.202.34[.]169 port 443

Appendix D: Emotet epoch 5 infection on Jan. 11, 2022

Example of link in email for fake complaint page:

hxxp://goodmarketinggroup[.]com/newish/562_9559085/

URL to download Excel spreadsheet:

hxxp://goodmarketinggroup[.]com/newish/562_9559085/?i=1

Example of downloaded Emotet Excel file:

SHA256 hash:
292826fa66737d718d0d23f5842dc88e05c8ba5ade7e51212dded85137631b31
File size: 85,352 bytes
File name: 06028_2603.xlsm

Three URLs to download an Emotet DLL after enabling macros:

hxxp://mammy-chiro[.]com/case/ZTkBzbz/
hxxp://bluetoothheadsetreview[.]xyz/wp-includes/xmdHAGgfki/
hxxp://topline36[.]xyz/wp-includes/css/BB9Ajvjs89U9O/

Example of Emotet DLL:

SHA256 hash:
4978285fc20fb2ac2990a735071277302c9175d16820ac64f326679f162354ff
File size: 481,792 bytes
File location: hxxp://mammy-chiro[.]com/case/ZTkBzbz/
File location: C:\Users\[username]\dwa.ocx
File location: C:\Users\[username]\AppData\Local\Fhcnkauwkz\gavlgclbak.wwa
Run method: rundll32.exe [filename],[any alpha-numeric value]

HTTPS Emotet C2 traffic from an infected Windows host:

41.226.30[.]6 port 8080
45.138.98[.]34 port 80
62.141.45[.]103 port 443
161.97.77[.]73 port 443

Additional Resources