{
	"id": "478ad310-e4ae-40ed-b6ac-dac23ea1deb0",
	"created_at": "2026-04-06T00:13:58.324332Z",
	"updated_at": "2026-04-10T03:22:07.884493Z",
	"deleted_at": null,
	"sha1_hash": "530b1699e84ddf04a099adf503832b4e2ada0933",
	"title": "Emotet Stops Using 0.0.0.0 in Spambot Traffic - SANS ISC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1662166,
	"plain_text": "Emotet Stops Using 0.0.0.0 in Spambot Traffic - SANS ISC\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 14:19:19 UTC\r\nIntroduction\r\nLast week, I wrote a diary about Emotet using 0.0.0.0 in its spambot traffic instead of the actual IP address of the infected Windows host (link).\r\nShortly after that diary, Emotet changed from using 0.0.0.0 to using the victim's IP address, but with the octet values listed in reverse order.\r\nDetails\r\nDuring a recent Emotet infection on Tuesday 2022-01-24, my infected Windows host was using 173.66.46.112 as its source IP.  Note that my source IP has been edited for this diary to sanitize/disguise the actual IP address.  See the image below for DNS traffic representing a possible spam blocklist check by my infected Windows host.  In other malware families like Trickbot, the octet order is reversed.  But the order is not reversed for this Emotet infection.\r\nShown above:  Possible spam blocklist check by my Emotet-infected host on Tuesday 2022-01-24.\r\nAs seen in the above image, the following DNS queries were made:\r\n173.66.46.112.spam.abuse.ch\r\n173.66.46.112.b.barracudacentral.org\r\n173.66.46.112.bl.mailspike.net\r\n173.66.46.112.spam.dnsbl.sorbs.net\r\n173.66.46.112.zen.spamhaus.org\r\nAgain, I normally see the octet order reversed with other malware like Trickbot.  This reversed order also appeared during SMTP traffic with the command EHLO [112.46.66.173] as shown below.\r\nShown above:  Victim IP address in Emotet spambot traffic on Tuesday 2022-01-24.\r\nTwitter discussion for last week's diary indicates Emotet developers may have broken something in the spambot module to produce the previous 0.0.0.0 traffic.
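The two artifacts described above (DNSBL lookups that carry the victim's address in forward octet order, and an EHLO address literal with the octets reversed) can be turned into a simple host-side check. The Python below is an added example written for this editing pass, not code from the original diary or from its author: given the host's own address, it classifies DNS query names under the DNSBL zones listed above by whether they carry that address forward, reversed or as 0.0.0.0, and flags EHLO literals that do not match the host. The host address is the diary's sanitized 173.66.46.112, the zone list is an assumption drawn from the queries above, and the sample DNS and SMTP lines are constructed, not captured.

```python
import ipaddress
import re

# Hypothetical host address for this example: the diary's sanitised source IP.
HOST_IP = "173.66.46.112"

# DNSBL zones from the diary's DNS queries. Assumption: a query name ending in
# one of these zones is a blocklist lookup.
DNSBL_ZONES = (
    "spam.abuse.ch",
    "b.barracudacentral.org",
    "bl.mailspike.net",
    "spam.dnsbl.sorbs.net",
    "zen.spamhaus.org",
)

# EHLO/HELO carrying a bracketed IPv4 address literal, e.g. "EHLO [112.46.66.173]".
EHLO_LITERAL = re.compile(r"^(?:EHLO|HELO)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]\s*$", re.IGNORECASE)


def reverse_octets(ip: str) -> str:
    """Return the address with its octets reversed (the form DNSBLs expect)."""
    return ".".join(reversed(ipaddress.IPv4Address(ip).exploded.split(".")))


def classify_dnsbl_query(qname: str, host_ip: str):
    """None if qname is not under a known DNSBL zone; otherwise a dict whose
    'orientation' says how the queried label relates to host_ip:
    'reversed' (conventional, Trickbot-style), 'forward' (this Emotet
    infection), 'null' (0.0.0.0, last week's Emotet), 'other' (some other
    address) or 'invalid' (label is not an IPv4 address)."""
    name = qname.rstrip(".").lower()
    for zone in DNSBL_ZONES:
        if name.endswith("." + zone):
            label = name[: -(len(zone) + 1)]
            break
    else:
        return None
    try:
        ipaddress.IPv4Address(label)
    except ValueError:
        return {"zone": zone, "label": label, "orientation": "invalid"}
    if label == reverse_octets(host_ip):
        orientation = "reversed"
    elif label == host_ip:
        orientation = "forward"
    elif label == "0.0.0.0":
        orientation = "null"
    else:
        orientation = "other"
    return {"zone": zone, "label": label, "orientation": orientation}


def classify_ehlo(line: str, host_ip: str):
    """None if line is not EHLO/HELO with an address literal; otherwise
    'matches_host', 'reversed_host', 'null' or 'mismatch'."""
    m = EHLO_LITERAL.match(line.strip())
    if not m:
        return None
    literal = m.group(1)
    if literal == host_ip:
        return "matches_host"
    if literal == reverse_octets(host_ip):
        return "reversed_host"
    if literal == "0.0.0.0":
        return "null"
    return "mismatch"


def audit(host_ip, dns_queries, smtp_lines):
    """Flag DNSBL lookups of the host's own address in any orientation (and of
    0.0.0.0 or malformed labels) plus EHLO literals that do not match the host."""
    findings = []
    for q in dns_queries:
        info = classify_dnsbl_query(q, host_ip)
        if info is not None and info["orientation"] != "other":
            findings.append(("dns", q, info["orientation"]))
    for line in smtp_lines:
        verdict = classify_ehlo(line, host_ip)
        if verdict not in (None, "matches_host"):
            findings.append(("smtp", line, verdict))
    return findings


# Constructed sample traffic (not a real capture), modelled on the diary.
SAMPLE_DNS = [
    "173.66.46.112.zen.spamhaus.org",      # forward order: this Emotet infection
    "173.66.46.112.b.barracudacentral.org",
    "112.46.66.173.zen.spamhaus.org",      # reversed order: conventional, Trickbot-style
    "0.0.0.0.bl.mailspike.net",            # last week's Emotet behaviour
    "www.example.com",                     # benign lookup, ignored
]
SAMPLE_SMTP = [
    "EHLO [112.46.66.173]",   # reversed victim IP, as in the diary
    "EHLO [173.66.46.112]",   # correct literal, not flagged
    "EHLO mail.example.com",  # hostname form, ignored
]

if __name__ == "__main__":
    for kind, artifact, verdict in audit(HOST_IP, SAMPLE_DNS, SAMPLE_SMTP):
        print(f"{kind:4} {verdict:14} {artifact}")
```

A real mail server legitimately issues reversed-order DNSBL queries for other hosts' addresses, so audit() only reports lookups of the machine's own address (plus 0.0.0.0 and malformed labels). On a workstation that is not supposed to send mail, any DNSBL query at all deserves a look, which is why classify_dnsbl_query() still returns the 'other' orientation even though audit() does not report it.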
I'm not sure if this new traffic, the reversed order of the victim's IP address, is intentional or not.\r\nFinal words\r\nYou can find up-to-date indicators for Emotet malware samples, URLs, and C2 IP addresses at:\r\nhttps://urlhaus.abuse.ch/browse/tag/emotet/\r\nhttps://feodotracker.abuse.ch/browse/emotet/\r\nhttps://bazaar.abuse.ch/browse/tag/Emotet/\r\nhttps://threatfox.abuse.ch/browse/malware/win.emotet/\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/forums/diary/Emotet+Stops+Using+0000+in+Spambot+Traffic/28270/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/forums/diary/Emotet+Stops+Using+0000+in+Spambot+Traffic/28270/"
	],
	"report_names": [
		"28270"
	],
	"threat_actors": [],
	"ts_created_at": 1775434438,
	"ts_updated_at": 1775791327,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/530b1699e84ddf04a099adf503832b4e2ada0933.pdf",
		"text": "https://archive.orkl.eu/530b1699e84ddf04a099adf503832b4e2ada0933.txt",
		"img": "https://archive.orkl.eu/530b1699e84ddf04a099adf503832b4e2ada0933.jpg"
	}
}