{
	"id": "123d6d82-9bcb-42dd-af0b-e33e8ed3c762",
	"created_at": "2026-04-06T00:18:07.012722Z",
	"updated_at": "2026-04-10T03:21:37.959709Z",
	"deleted_at": null,
	"sha1_hash": "21181a4ee8ccc3d93fe37efa586cdcaaf842ac94",
	"title": "Emotet C2 and Spam Traffic Video",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 311814,
	"plain_text": "Emotet C2 and Spam Traffic Video\r\nBy Erik Hjelmvik\r\nPublished: 2022-05-09 · Archived: 2026-04-05 16:09:44 UTC\r\nMonday, 09 May 2022 06:50:00 (UTC/GMT)\r\nThis video covers the life cycle of an Emotet infection, including the initial infection, command-and-control traffic, and spambot activity sending emails with malicious spreadsheet attachments to infect new victims.\r\nThe video was recorded in a Windows Sandbox in order to avoid accidentally infecting my Windows PC with malware.\r\nInitial Infection\r\nPalo Alto's Unit 42 sent out a tweet with screenshots and IOCs from an Emotet infection in early March. A follow-up tweet by Brad Duncan linked to a PCAP file containing network traffic from the infection on Malware-Traffic-Analysis.net.\r\nhttps://www.netresec.com/?page=Blog\u0026month=2022-05\u0026post=Emotet-C2-and-Spam-Traffic-Video\r\nPage 1 of 5\r\nImage: Screenshot of original infection email from Unit 42\r\nAttachment MD5: 825e8ea8a9936eb9459344b941df741a\r\nEmotet Download\r\nThe PCAP from Malware-Traffic-Analysis.net shows that the Excel spreadsheet attachment caused the download of a DLL file classified as Emotet.\r\nImage: CapLoader transcript of Emotet download\r\nDNS: diacrestgroup.com\r\nMD5: 99f59e6f3fa993ba594a3d7077cc884d\r\nEmotet Command-and-Control\r\nJust seconds after the Emotet DLL download completes, the victim machine starts communicating with an IP address classified as a botnet command-and-control server.\r\nImage: Emotet C2 sessions in CapLoader\r\nC2 IP: 209.15.236.39\r\nC2 IP: 147.139.134.226\r\nC2 IP: 134.209.156.68\r\nJA3: 51c64c77e60f3980eea90869b68c58a8\r\nJA3S: ec74a5c51106f0419184d0dd08fb05bc\r\nJA3S: fd4bc6cea4877646ccd62f0792ec0b62\r\nEmotet Spambot\r\nThe victim PC eventually started sending out spam emails. The spambot used TLS encryption when possible, either through SMTPS (implicit TLS) or with the help of STARTTLS (explicit TLS).\r\nImage: Emotet spambot JA3 hash in NetworkMiner Professional\r\nSMTPS JA3: 37cdab6ff1bd1c195bacb776c5213bf2\r\nSTARTTLS JA3: 37cdab6ff1bd1c195bacb776c5213bf2\r\nTransmitted Spam\r\nBelow is a spam email sent from the victim PC without TLS encryption. The attached zip file contains a malicious Excel spreadsheet, which is designed to infect new victims with Emotet.\r\nImage: Spam email extracted from Emotet PCAP with NetworkMiner\r\n.zip Attachment MD5: 5df1c719f5458035f6be2a071ea831db\r\n.xlsm Attachment MD5: 79cb3df6c0b7ed6431db76f990c68b5b\r\nNetwork Forensics Training\r\nIf you want to learn additional techniques for analyzing network traffic, then take a look at our upcoming network forensics trainings.\r\nPosted by Erik Hjelmvik on Monday, 09 May 2022 06:50:00 (UTC/GMT)\r\nTags: #Emotet #C2 #video #pcap #JA3 #JA3S #51c64c77e60f3980eea90869b68c58a8 #ec74a5c51106f0419184d0dd08fb05bc #fd4bc6cea4877646ccd62f0792ec0b62 #SMTP #SMTPS #Windows Sandbox #videotutorial\r\nShort URL: https://netresec.com/?b=225196a\r\nSource: https://www.netresec.com/?page=Blog\u0026month=2022-05\u0026post=Emotet-C2-and-Spam-Traffic-Video",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.netresec.com/?page=Blog\u0026month=2022-05\u0026post=Emotet-C2-and-Spam-Traffic-Video"
	],
	"report_names": [
		"?page=Blog\u0026month=2022-05\u0026post=Emotet-C2-and-Spam-Traffic-Video"
	],
	"threat_actors": [],
	"ts_created_at": 1775434687,
	"ts_updated_at": 1775791297,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/21181a4ee8ccc3d93fe37efa586cdcaaf842ac94.pdf",
		"text": "https://archive.orkl.eu/21181a4ee8ccc3d93fe37efa586cdcaaf842ac94.txt",
		"img": "https://archive.orkl.eu/21181a4ee8ccc3d93fe37efa586cdcaaf842ac94.jpg"
	}
}