{
	"id": "c74a4cd0-5f18-4685-add9-04fca767a4d9",
	"created_at": "2026-04-06T00:17:06.948038Z",
	"updated_at": "2026-04-10T03:21:55.737974Z",
	"deleted_at": null,
	"sha1_hash": "3b1c30c148ccf1f3ac9f34107fc73028f812e6f0",
	"title": "0.0.0.0 in Emotet Spambot Traffic - SANS Internet Storm Center",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3482217,
	"plain_text": "0.0.0.0 in Emotet Spambot Traffic - SANS Internet Storm Center\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 15:28:50 UTC\r\nIntroduction\r\nEmotet often uses information from emails and address books stolen from infected Windows hosts.  Malicious\r\nspam (malspam) from Emotet spoofs legitimate senders to trick potential victims into running malicious files.\r\nAdditionally, Emotet uses IP address 0.0.0.0 in spambot traffic, possibly attempting to hide the actual IP address\r\nof an Emotet-infected host.\r\nThis ISC diary reviews the spoofed 0.0.0.0 address used in a recent Emotet infection from Tuesday 2022-01-18.\r\nShown above:  0.0.0.0 in DNS queries from an Emotet-infected host.\r\nScenes from an infection\r\nBoth Emotet botnets (dubbed by researchers as \"epoch 4\" and \"epoch 5\") resumed activity after the recent holiday\r\nseason, and malicious spam started approximately one week ago on Tuesday 2022-01-11.\r\nMost Windows hosts I've infected with Emotet in my lab will start spamming within an hour or less after the\r\ninitial infection.  Refer to the images below for activity from a recent Emotet infection on 2022-01-18.\r\nhttps://isc.sans.edu/diary/rss/28254\r\nPage 1 of 6\r\nShown above:  Screenshot from malspam pushing Emotet on Tuesday 2022-01-18.\r\nShown above:  Web page from link in the malspam.\r\nShown above:  Example of downloaded Excel spreadsheet for Emotet.\r\nEnable macros in a downloaded spreadsheet, and they will infect a vulnerable Windows host.  This is standard\r\noperating procedure for Emotet.\r\nShown above:  Traffic from an infection filtered in Wireshark.\r\nShown above:  Spambot activity started approximately 27 minutes after the initial infection.\r\nEmotet spambot traffic using 0.0.0.0\r\nRight as the spambot activity starts, the following DNS queries are made using domains related to spam filtering:\r\n0.0.0.0.spam.abuse.ch\r\n0.0.0.0.b.barracudacentral.org\r\n0.0.0.0.bl.mailspike.net\r\n0.0.0.0.spam.dnsbl.sorbs.net\r\n0.0.0.0.zen.spamhaus.org\r\nSimilar DNS queries, but without the 0.0.0.0, are generated during Trickbot infections.  However, Trickbot uses\r\nthe infected host's public IP address data in the DNS query.  Here is an example from analysis of a Trickbot\r\nsample (scroll down to the \"Domains\" list).\r\nShown above:  0.0.0.0-related DNS queries from an Emotet-infected host.\r\nIn addition to DNS queries, Emotet uses 0.0.0.0 during SMTP communications.  This happens whenever an\r\nEmotet-infected host tries sending malspam to a targeted mailserver.  The SMTP command is EHLO [0.0.0.0].\r\nShown above:  SMTP traffic using EHLO [0.0.0.0].\r\nThis attempt does not hide the actual IP address of an Emotet-infected host, because it still appears elsewhere in\r\nthe SMTP traffic (blurred in the above image, for example).  But 0.0.0.0 can be an indicator of emails pushing\r\nEmotet or other malware.\r\nShown above:  Example of Emotet malspam with 0.0.0.0 in the email headers.\r\nFinal words\r\nWhile 0.0.0.0 is an indicator for Emotet or other malware, you can find up-to-date indicators for Emotet malware\r\nsamples, URLs, and C2 IP addresses at:\r\nhttps://urlhaus.abuse.ch/browse/tag/emotet/\r\nhttps://feodotracker.abuse.ch/browse/emotet/\r\nhttps://bazaar.abuse.ch/browse/tag/Emotet/\r\nhttps://threatfox.abuse.ch/browse/malware/win.emotet/\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/diary/rss/28254",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/diary/rss/28254"
	],
	"report_names": [
		"28254"
	],
	"threat_actors": [],
	"ts_created_at": 1775434626,
	"ts_updated_at": 1775791315,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b1c30c148ccf1f3ac9f34107fc73028f812e6f0.pdf",
		"text": "https://archive.orkl.eu/3b1c30c148ccf1f3ac9f34107fc73028f812e6f0.txt",
		"img": "https://archive.orkl.eu/3b1c30c148ccf1f3ac9f34107fc73028f812e6f0.jpg"
	}
}