# Emotet C2 and Spam Traffic Video

Erik Hjelmvik, Monday, 09 May 2022 06:50:00 (UTC/GMT)

This video covers the life cycle of an Emotet infection, including the initial infection, command-and-control traffic, and spambot activity sending emails with malicious spreadsheet attachments to infect new victims.

The video was recorded in a [Windows Sandbox](https://netresec.com/?b=215d5b5) in order to avoid accidentally infecting my Windows PC with malware.

**Initial Infection**

Palo Alto's Unit 42 sent out a [tweet with screenshots and IOCs from an Emotet infection in early March](https://twitter.com/Unit42_Intel/status/1498802280992227330). A follow-up tweet by [Brad Duncan](https://twitter.com/malware_traffic) linked to a PCAP file containing network traffic from the infection on Malware-Traffic-Analysis.net.

_[Image: Screenshot of original infection email from Unit 42](https://twitter.com/Unit42_Intel/status/1498802280992227330)_

Attachment MD5: 825e8ea8a9936eb9459344b941df741a

**Emotet Download**

The PCAP from Malware-Traffic-Analysis.net shows that the Excel spreadsheet attachment caused the download of a [DLL file classified as Emotet](https://www.virustotal.com/gui/file/d9381d778e21373428040d10d06da1f739cd527686797aaeaae93a4a9698bb40/detection).

_[Image: CapLoader transcript of Emotet download](https://www.netresec.com/?page=CapLoader)_

DNS: diacrestgroup.com
MD5: 99f59e6f3fa993ba594a3d7077cc884d

**Emotet Command-and-Control**

Just seconds after the Emotet DLL download completes, the victim machine starts communicating with an [IP address classified as a botnet command-and-control server](https://exchange.xforce.ibmcloud.com/ip/209.15.236.39).

_[Image: Emotet C2 sessions in CapLoader](https://www.netresec.com/?page=CapLoader)_

C2 IP: 209.15.236.39
C2 IP: 147.139.134.226
C2 IP: 134.209.156.68
JA3: 51c64c77e60f3980eea90869b68c58a8
JA3S: ec74a5c51106f0419184d0dd08fb05bc
JA3S: fd4bc6cea4877646ccd62f0792ec0b62

**Emotet Spambot**

The
victim PC eventually started sending out spam emails. The spambot used TLS encryption when possible, either through SMTPS (implicit TLS) or with the help of STARTTLS (explicit TLS).

_[Image: Emotet spambot JA3 hash in NetworkMiner Professional](https://www.netresec.com/?page=BuyNetworkMiner)_

SMTPS JA3: 37cdab6ff1bd1c195bacb776c5213bf2
STARTTLS JA3: 37cdab6ff1bd1c195bacb776c5213bf2

**Transmitted Spam**

Below is a spam email sent from the victim PC without TLS encryption. The attached zip file contains a [malicious Excel spreadsheet](https://www.filescan.io/uploads/62739ce42b32b1c37c98089f/reports/f00a2b05-8838-4604-bb9b-090d088d1a33/overview), which is designed to infect new victims with Emotet.

_[Image: Spam email extracted from Emotet PCAP with NetworkMiner](https://www.netresec.com/?page=NetworkMiner)_

.zip Attachment MD5: 5df1c719f5458035f6be2a071ea831db
.xlsm Attachment MD5: 79cb3df6c0b7ed6431db76f990c68b5b

**Network Forensics Training**

If you want to learn additional techniques for analyzing network traffic, then take a look at our [upcoming network forensics trainings](https://www.netresec.com/?page=Training).

[Tags: #Emotet #C2 #video #pcap #JA3 #JA3S #SMTP #SMTPS #Windows Sandbox](https://www.netresec.com/?page=Blog&tag=Emotet)
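The spambot sessions above carry the same JA3 hash whether TLS was implicit (SMTPS) or negotiated with STARTTLS, because JA3 is computed from the ClientHello alone. The Python below is an added example, not Netresec code: it derives the JA3 string and MD5 from a raw ClientHello record (version, ciphers, extensions, supported groups, point formats, with GREASE values removed) and looks the hash up in a watchlist built from the JA3 values quoted in this post. The ClientHello it parses is constructed here for the demonstration, so its hash does not match the Emotet values.

```python
import hashlib, struct

# JA3 hashes quoted in the post (C2 client, spambot); a constructed watchlist for lookups.
EMOTET_JA3 = {"51c64c77e60f3980eea90869b68c58a8", "37cdab6ff1bd1c195bacb776c5213bf2"}

def is_grease(v):
    # GREASE values (0x0a0a, 0x1a1a, ... 0xfafa, RFC 8701) are random noise and excluded from JA3.
    return (v & 0x0f0f) == 0x0a0a and (v >> 8) == (v & 0xff)

def ja3(record):
    """Return (ja3_string, ja3_md5) for a raw TLS record that carries a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9                                            # 5-byte record header + 4-byte handshake header
    version = struct.unpack("!H", record[p:p + 2])[0]
    p += 2 + 32 + 1 + record[p + 34]                 # skip client_version, random and session id
    cs_len = struct.unpack("!H", record[p:p + 2])[0]
    ciphers = [c for (c,) in struct.iter_unpack("!H", record[p + 2:p + 2 + cs_len]) if not is_grease(c)]
    p += 2 + cs_len + 1 + record[p + 2 + cs_len]     # skip cipher list and compression methods
    exts, groups, formats = [], [], []
    if p < len(record):                              # extensions block is optional (TLS 1.0/1.1)
        end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p < end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            body = record[p + 4:p + 4 + elen]
            p += 4 + elen
            if is_grease(etype):
                continue
            exts.append(etype)
            if etype == 0x000a:                      # supported_groups: u16 length + u16 list
                groups = [g for (g,) in struct.iter_unpack("!H", body[2:]) if not is_grease(g)]
            elif etype == 0x000b:                    # ec_point_formats: u8 length + u8 list
                formats = list(body[1:])
    s = ",".join([str(version)] + ["-".join(map(str, f)) for f in (ciphers, exts, groups, formats)])
    return s, hashlib.md5(s.encode()).hexdigest()

def build_client_hello(ciphers, extensions):       # constructed TLS 1.2 test input, not from the capture
    ext_blob = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in extensions)
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"             # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00" + struct.pack("!H", len(ext_blob)) + ext_blob  # null compression, extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

SAMPLE_HELLO = build_client_hello(
    [0x0a0a, 0x1301, 0x1302, 0xc02b],                 # GREASE cipher first, must be dropped
    [(0x1a1a, b""),                                   # GREASE extension, must be dropped
     (0x000a, b"\x00\x06\x1a\x1a\x00\x1d\x00\x17"),   # supported_groups: GREASE, x25519, secp256r1
     (0x000b, b"\x01\x00")])                          # ec_point_formats: uncompressed
```

Feed `ja3()` the first client-to-server TLS record of a session and compare the hash against `EMOTET_JA3`; for STARTTLS sessions the record follows the plaintext `STARTTLS` / `220` exchange rather than sitting at the start of the TCP stream.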