{
	"id": "241d13d0-e865-4360-9947-e4c67141419a",
	"created_at": "2026-04-06T00:17:54.298768Z",
	"updated_at": "2026-04-10T13:12:05.406413Z",
	"deleted_at": null,
	"sha1_hash": "8620dff6b78619154e722ef0292083f0b17c0018",
	"title": "Guess who's back | cyber.wtf",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 189983,
	"plain_text": "Guess who's back | cyber.wtf\r\nArchived: 2026-04-05 19:56:23 UTC\r\ntl;dr: Emotet\r\nThe (slightly) longer story:\r\nOn Sunday, November 14, at around 9:26pm UTC we observed on several of our Trickbot trackers that the bot tried to download a DLL to the system. According to internal processing, these DLLs have been identified as Emotet. However, since the botnet was taken down earlier this year, we were suspicious about the findings and conducted an initial manual verification. Please find first results and IOCs below. Currently, we have high confidence that the samples indeed seem to be a reincarnation of the infamous Emotet.\r\nWe are still conducting more in-depth analyses to raise the confidence even further. New information will be provided as it becomes available.\r\nInitial Analysis\r\nSunday, November 14, 9:26pm: first occurrence of the URLs being dropped; the URL we received was hxxp://141.94.176.124/Loader_90563_1.dll (SHA256 of the drop: c7574aac7583a5bdc446f813b8e347a768a9f4af858404371eae82ad2d136a01). Internal processing detected Emotet when executing the sample in our sandbox systems. Notably, the sample seems to have been compiled just before the deployment via several Trickbot botnets was observed: Timestamp: 6191769A (Sun Nov 14 20:50:34 2021)\r\nThe network traffic originating from the sample closely resembles what has been observed previously (e.g. as described by Kaspersky): the URL contains a random resource path and the bot transfers the request payload in a cookie (see image below). However, the encryption used to hide the data seems different from what has been observed in the past. Additionally, the sample now uses HTTPS with a self-signed server certificate to secure the network traffic.\r\nFigure 1: Network Traffic originating from the DLL\r\nhttps://cyber.wtf/2021/11/15/guess-whos-back/\r\nPage 1 of 6\n\nA notable characteristic of the last Emotet samples was the heavy use of control-flow flattening to obfuscate the code. The current sample also contains flattened control flows. To illustrate the similarity in the style of the obfuscation, find two arbitrary code snippets below. Figure 2 is a sample from 2020, Figure 3 is a snippet from the current sample:\r\nFigure 2: Emotet sample from 2020\r\nFigure 3: Current Emotet sample\r\nConclusion (so far)\r\nAs per the famous duck-typing, we conclude so far: smells like Emotet, looks like Emotet, behaves like Emotet - seems to be Emotet.\r\nWe are currently updating our internal tooling for the new sample to provide more indicators to strengthen the claim that Emotet seems to be back.\r\nIOCs\r\nURLs:\r\n hxxp://141.94.176.124/Loader_90563_1.dll\r\n \r\n Hashes:\r\n c7574aac7583a5bdc446f813b8e347a768a9f4af858404371eae82ad2d136a01 - Loader_90563_1.dll\r\n \r\n Server List:\r\n \r\n String List:\r\n SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\n POST\r\n %s\\rundll32.exe \"%s\",Control_RunDLL\r\n Control_RunDLL\r\n %s\\%s\r\n %s\\%s\r\n %s\\%s%x\r\n %s%s.exe\r\n %s\\%s\r\n SHA256\r\n HASH\r\n AES\r\n Microsoft Primitive Provider\r\n ObjectLength\r\n KeyDataBlob\r\n %s\\rundll32.exe \"%s\\%s\",%s\r\n Content-Type: multipart/form-data; boundary=%s\r\n RNG\r\n %s%s.dll\r\n %s\\rundll32.exe \"%s\",Control_RunDLL\r\n %s%s.dll\r\n %s\\regsvr32.exe -s \"%s\"\r\n %s\\%s\r\n %s%s.exe\r\n SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\n %s\\rundll32.exe \"%s\\%s\",%s\r\n ECCPUBLICBLOB\r\n ECDH_P256\r\n Microsoft Primitive Provider\r\n ECCPUBLICBLOB\r\n Cookie: %s=%s\r\n \r\n %s\\rundll32.exe \"%s\\%s\",%s\r\n %s:Zone.Identifier\r\n %u.%u.%u.%u\r\n %s\\%s\r\n %s\\*\r\n %s\\%s\r\n WinSta0\\Default\r\n %s\\rundll32.exe \"%s\",Control_RunDLL %s\r\n %s%s.dll\r\n ECCPUBLICBLOB\r\n ECDSA_P256\r\n Microsoft Primitive Provider\r\n %s\\%s\r\n SHA256\r\n Microsoft Primitive Provider\r\n ObjectLength\r\nSource: https://cyber.wtf/2021/11/15/guess-whos-back/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cyber.wtf/2021/11/15/guess-whos-back/"
	],
	"report_names": [
		"guess-whos-back"
	],
	"threat_actors": [],
	"ts_created_at": 1775434674,
	"ts_updated_at": 1775826725,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8620dff6b78619154e722ef0292083f0b17c0018.pdf",
		"text": "https://archive.orkl.eu/8620dff6b78619154e722ef0292083f0b17c0018.txt",
		"img": "https://archive.orkl.eu/8620dff6b78619154e722ef0292083f0b17c0018.jpg"
	}
}