{
	"id": "4ff7f597-efae-42cc-a62d-18b4e12bba56",
	"created_at": "2026-04-06T00:10:11.324731Z",
	"updated_at": "2026-04-10T03:23:52.174792Z",
	"deleted_at": null,
	"sha1_hash": "1a516cf6b243e4517a07a4f333fa427efd42c2f4",
	"title": "Examining Emotet’s Activities, Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53535,
	"plain_text": "Examining Emotet’s Activities, Infrastructure\r\nBy: Trend Micro Nov 16, 2018 Read time: 6 min (1658 words)\r\nPublished: 2018-11-16 · Archived: 2026-04-05 15:37:02 UTC\r\nDiscovered by Trend Micro in 2014, the banking Trojan Emotet was brought back to life by malware authors last year with its own spamming module, which has allowed it to spread, target new industries and regions, and evade sandbox and malware analysis techniques. This year, we examined Emotet’s activities to learn more about how this modular malware wreaks havoc: we did comprehensive research on Emotet’s artifacts — 8,528 unique URLs, 5,849 document droppers, and 571 executables collected between June 1, 2018 and September 15, 2018 — to discover Emotet’s infrastructure as well as possible attribution information.\r\nSome of the highlights of our research include the following:\r\n1. We discovered that there are at least two infrastructures running parallel to one another that support the Emotet botnet. By grouping the C\u0026C servers and the RSA keys of the malware, we were able to see two distinct groups of infrastructures. We also saw that the threat actors switched RSA keys on a monthly basis. While the next-stage payloads each group pushed do not show any major difference in terms of purpose or targets, the differing infrastructures of the two groups may be designed to make it more difficult to track Emotet and to minimize the possibility of failure.\r\n2. Multilayer operating mechanisms might have been adopted in the creation of Emotet’s artifacts. The inconsistency between the activity patterns shows that the infrastructure used to create and spread document droppers is different from the one used to pack and deploy Emotet executables. The creation of document droppers stops during the non-working hours between 1:00 and 6:00 (UTC). Meanwhile, there might be three sets of machines that are used to pack and deploy Emotet’s executable payloads, two of which are probably set to the time zones UTC+0 and UTC+7, respectively.\r\n3. The author of the Emotet malware may live somewhere in the UTC+10 time zone, or further east. After we grouped the executable samples by their unpacked payloads’ compilation timestamps, we found two sample groups that showed an inconsistency between the compilation timestamps and the corresponding first-seen records in the wild. This raises the possibility that the compilation timestamps point to the local time on the malware author’s machine. If that local time is accurate, the conclusion that the malware author probably stays in the UTC+10 time zone or further east can be drawn.\r\nEmotet’s two infrastructures\r\nWe have collected and analyzed 571 executable samples of Emotet. The configuration inside an executable includes a list of C\u0026C servers and an RSA key for connection encryption.\r\nThere were only six unique RSA public keys extracted from the executable samples. Each RSA key has a 768-bit modulus and uses the public exponent 65537. We calculated the CRC32 of each RSA key blob and gave each key a name for easier identification.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/\r\nPage 1 of 5\r\nKey Name | CRC32 | Emotet Group\r\nA | fcb2fb3b | 1\r\nB | 86e9acef | 1\r\nC | ceff5362 | 1\r\nD | fc8e8aaa | 2\r\nE | 8f1eb5e | 2\r\nF | aef0def8 | 2\r\nTable 1. The RSA keys extracted from Emotet executables\r\nMeanwhile, Emotet’s C\u0026C server is an IP/port pair on top of its HTTP protocol. We extracted 721 unique C\u0026C servers in total. On average, one Emotet sample contains 39 C\u0026C servers, with a maximum of 44 and a minimum of 14. Based on our observation, only a few of the C\u0026C servers embedded in a single Emotet sample are actually active.\r\nWe found that most of the C\u0026C servers are located in the United States, Mexico, and Canada. The top 3 ASNs connected to Emotet are ASN7922, ASN8151 and ASN22773.\r\nFigure 1. Countries wherein Emotet C\u0026C servers are distributed\r\nFigure 2. Distribution of Emotet C\u0026C servers’ ports\r\nWe visualized the relationship between each RSA key and its set of C\u0026C servers and discovered that there were two RSA key groups. Keys A, B, and C were in one group (Group 1), and keys D, E, and F were in another (Group 2).\r\nFigure 3. Relationships between RSA keys and C\u0026C servers. Each blue dot represents a unique C\u0026C server, while the red ones indicate RSA public keys.\r\nAs Figure 3 shows, these two distinct groups do not share C\u0026C servers.\r\nFigure 4. Timestamps when the RSA keys were received. The green dots represent the keys used by Group 1, while the orange dots represent the keys used by Group 2. Each dot represents the timestamp when each RSA key was found in the configuration of a new sample.\r\nMonth | June | July | August | September\r\nKeys used by Group 1 | fcb2fb3b (A) | 86e9acef (B) | 86e9acef (B) | ceff5362 (C)\r\nKeys used by Group 2 | fc8e8aaa (D) | 8f1eb5e (E) | (none) | aef0def8 (F)\r\nTable 2. Two groups of RSA keys and the corresponding months in which they showed activity\r\nOur analysis shows a link between the dates the RSA keys were received and the two groups’ activities: each RSA key was observed to have been used for one month before the threat actors switched to another RSA key on the first working day of the succeeding month (i.e. Jul. 2, 2018 and Sep. 3, 2018, both of which fall on a Monday).\r\nWe also observed that there were more artifacts belonging to Group 1 than to Group 2. Based on our data, we received 469 unpacked Emotet samples for Group 1 and 102 for Group 2. We also did not find any activity for Group 2 for the month of August, as shown in Figure 4.\r\nTwo different Emotet groups, two different agendas?\r\nOur initial assumption was that the two Emotet groups were created for different purposes or are being utilized by different operators. To test this assumption, we referred to data from @malware_traffic and categorized the IoCs accordingly. However, we did not find any major difference between the IoCs under these two groups. For instance, TrickBot with gtag arz1 was found to have been sent by Group 1 on September 20 and by Group 2 the next day. Without any strong evidence, we can only say that the two groups might be different infrastructures designed to make tracking Emotet more difficult and to help minimize the possibility of failure.\r\nDate | Emotet Group | RSA Key | Next-stage Payload\r\n2018-07-03 | 2 | E | Panda Banker\r\n2018-07-09 | 1 | B | Panda Banker\r\n2018-07-16 | 2 | E | Panda Banker\r\n2018-07-19 | 2 | E | Panda Banker\r\n2018-07-30 | 1 | B | Panda Banker\r\n2018-07-31 | 1 | B | Panda Banker\r\n2018-08-08 | 1 | B | TrickBot\r\n2018-08-10 | 1 | B | Panda Banker\r\n2018-08-13 | 1 | B | Panda Banker\r\n2018-08-14 | 1 | B | Panda Banker\r\n2018-08-15 | 1 | B | Panda Banker\r\n2018-08-16 | 1 | B | Panda Banker\r\n2018-08-22 | 1 | B | Panda Banker\r\n2018-08-24 | 1 | B | Panda Banker\r\n2018-08-26 | 1 | B | Panda Banker\r\n2018-09-04 | 2 | F | IcedID, TrickBot\r\n2018-09-05 | 2 | F | IcedID, AZORult\r\n2018-09-06 | 1 | C | IcedID, AZORult\r\n2018-09-14 | 1 | C | TrickBot gtag: del72\r\n2018-09-20 | 1 | C | TrickBot gtag: arz1\r\n2018-09-21 | 2 | F | TrickBot gtag: arz1, del77, jim316, lib316\r\nTable 3. The next-stage payload delivered by Emotet’s two infrastructures between July and September 2018\r\nCompiling Emotet’s Source Code for Each Infrastructure\r\nEmotet payloads are protected by customized packers and obfuscators. We studied the compilation timestamps of each sample before and after packing and saw that some of the timestamps in packed samples were forged, while some seemed legitimate. The samples with legitimate timestamps show a difference of just a few minutes between being compiled and being found in the wild. For example, sample SHA256: 648dce03ac4c32217ce5c0b279bc3775faf030cafb313c74009fe60ffde3c924 (detected by Trend Micro as TSPY_EMOTET.NSFOGAH) was compiled at 2018-06-06 05:40:17 and was found in the wild four minutes later. However, sample SHA256: 07deb1b8a86d2a4c7a3015899383dcc4c15dfadcfafc3f2b8d1e3aa89a6c7ac4 (detected by Trend Micro as TSPY_EMOTET.TTIBBJD) was compiled at 2035-07-30 21:36:11, which is obviously a fake timestamp. Since it is difficult to distinguish legitimate timestamps from forged ones, research on the packed files’ timestamps may prove to be fruitless.\r\nEven though the compilation timestamp might be bogus, we decided to analyze the unpacked Emotet samples and saw that their timestamps seem legitimate. Out of 571 unpacked Emotet samples, only 11 distinct compilation timestamps were found. If the timestamp were forged during every compilation, samples compiled from the same pieces of code would contain identical code sections but different compilation timestamps. However, we found that the unpacked samples with the same timestamp share an identical code section, while differences can be found among those with different timestamps. The changes between the different timestamps also seem to be new-version updates.\r\nThe data in Table 4 show that the actor might have used automatic tools or scripts to compile Emotet’s source code for each infrastructure, since a number of unique samples share the same compilation timestamp. The data also show that the actors prepared the payloads for Groups 1 and 2 sequentially. For example, on June 3, 2018, 46 Emotet samples were generated at 20:08 UTC by using Group 1’s RSA public key and C\u0026C servers. Two minutes later, 37 other Emotet samples were generated.\r\nWe noticed that the attackers tended to update Emotet samples on Monday or Wednesday (UTC). We also observed that the code section is exactly the same among the samples that had the same compilation timestamp. The only difference is the C\u0026C servers embedded in the data section. It is possible that each time the source code is compiled, several C\u0026C servers on the attacker’s control list are chosen for generating a new sample.\r\nEmotet Group | RSA Key | Compilation Timestamp in Epoch | Payload's Compilation Timestamp (UTC) | Unique Sample Count\r\n1 | A | 1528056487 | 2018-06-03 20:08:07 | 56\r\n2 | D | 1528056680 | 2018-06-03 20:11:20 | 38\r\n1 | B | 1530547690 | 2018-07-02 16:08:10 | 28\r\n2 | E | 1530547815 | 2018-07-02 16:10:15 | 25\r\n1 | B | 1531161666 | 2018-07-09 18:41:06 | 31\r\n2 | E | 1531161732 | 2018-07-09 18:42:12 | 18\r\n2 | E | 1531899206 | 2018-07-18 07:33:26 | 57\r\n2 | E | 1531906587 | 2018-07-18 09:36:27 | 5\r\n1 | B | 1532502303 | 2018-07-25 07:05:03 | 276\r\n1 | C | 1536011873 | 2018-09-03 21:57:53 | 21\r\n2 | F | 1536011945 | 2018-09-03 21:59:05 | 16\r\nTable 4. Unique samples collected in the wild with corresponding compilation timestamps\r\nWe will release more information about Emotet’s technical details and also possible attribution-related intelligence at a later time.\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/"
	],
	"report_names": [
		"exploring-emotet-examining-emotets-activities-infrastructure"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434211,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1a516cf6b243e4517a07a4f333fa427efd42c2f4.pdf",
		"text": "https://archive.orkl.eu/1a516cf6b243e4517a07a4f333fa427efd42c2f4.txt",
		"img": "https://archive.orkl.eu/1a516cf6b243e4517a07a4f333fa427efd42c2f4.jpg"
	}
}