{
	"id": "938fd2f3-40ac-4213-aeec-2af590e37249",
	"created_at": "2026-04-06T00:18:13.09139Z",
	"updated_at": "2026-04-10T13:11:46.999073Z",
	"deleted_at": null,
	"sha1_hash": "88a9af327feda0bef58ea4cdea79c86fce26c351",
	"title": "Emotet infections and follow-up malware - SANS ISC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1476776,
	"plain_text": "Emotet infections and follow-up malware - SANS ISC\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-02 12:34:36 UTC\r\nIntroduction\r\nThree major campaigns using malicious spam (malspam) to distribute malware stopped sending malspam before Christmas, sometime during the week ending on Sunday 2018-12-23. These three campaigns are Emotet (also known as Feodo), Hancitor (also known as Chanitor or Tordal), and Trickbot. But this week, all three campaigns have been sending out malspam again.\r\nAmong these campaigns, Emotet is by far the most active. Dozens of indicators are discovered every day as vectors for Emotet infections. Emotet also acts as a distributor for other families of malware. So far in 2019, I’ve seen Emotet retrieve Gootkit and the IcedID banking Trojan. As 2019 progresses, I expect to find examples of Emotet distributing other families of malware like Qakbot and Trickbot, something we saw in 2018.\r\nToday’s diary examines recent Emotet malspam and two examples of infection traffic from Tuesday 2019-01-15.\r\nShown above: Chain of events for Emotet malware distribution seen so far this year.\r\nThe malspam\r\nAs usual, emails pushing Emotet use Microsoft Word documents with malicious macros. On vulnerable Windows hosts, opening these documents in Microsoft Word and enabling macros will attempt an Emotet infection. So far this week, Emotet malspam has had a link to download the Word document, or it’s had a Word document directly attached to the email. See the images below for examples.\r\nhttps://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/\r\nPage 1 of 8\r\nShown above: Screenshot 1 of 3 - Emotet malspam with link for Word doc from Tuesday 2019-01-15.\r\nShown above: Screenshot 2 of 3 - Emotet malspam with link for Word doc from Tuesday 2019-01-15.\r\nShown above: Screenshot 3 of 3 - Emotet malspam with attached Word doc from Monday 2019-01-14.\r\nShown above: Example of Word document with macro to infect a vulnerable Windows host with Emotet.\r\nThe traffic\r\nNetwork traffic is typical for what we’ve seen with recent Emotet infections from December 2018. Emotet frequently uses HTTP traffic over non-standard TCP ports (not TCP port 80). This may cause issues when reviewing the infection traffic in Wireshark. Traffic on ports like TCP port 53 (associated with DNS activity like zone transfers) and TCP port 22 (normally associated with SSH) may not be decoded as HTTP in Wireshark. That was the case with two examples of infection traffic I generated on Monday.\r\nPost-infection activity from the first run included Gootkit, which had traffic patterns similar to those I’ve previously documented. Post-infection activity from the second run included IcedID (also known as Bokbot), something I’ve also documented.\r\nIndicators of Compromise (IoCs)\r\nThe following are indicators from two infections on Tuesday 2019-01-15. Any malicious URLs, IP addresses, and domain names have been “de-fanged” to avoid issues when viewing today’s diary.\r\nMalware from the first run:\r\nSHA256 hash: 2b8c45af81889ce22ffaf3a78d79a307ce3ab4ebeabbd00bc5982d60a89a2c87\r\nFile size: 158,208 bytes\r\nFile location: hxxp://mdmshipping[.]org/wp-content/uploads/Clients_transactions/012019/\r\nFile name: 190115_invoice.doc\r\nFile description: Downloaded Word doc with macro for Emotet\r\nSHA256 hash: 4cb1c0ce3de256e671b096729ae35b65b5f4ac67fe0ca9bbdc27e84aaf25a4d3\r\nFile size: 151,552 bytes\r\nFile location: hxxp://www.al-bay[.]com/JbDEG76/\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\tablesvcs\\tablesvcs.exe\r\nFile description: Emotet executable retrieved by Word macro\r\nSHA256 hash: e1f60b891005dfd0f6738444406c8e57d644cc3ce0154f8d17454c886637dfbd\r\nFile size: 151,552 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\tablesvcs\\tablesvcs.exe\r\nFile description: Emotet executable updated after initial infection\r\nSHA256 hash: 9fd057d99bad388e08f3d71c1d78e90b308e0eb656ecaec88cd70d31f723118e\r\nFile size: 315,392 bytes\r\nFile location: C:\\ProgramData\\7gYMH.exe\r\nFile description: Gootkit executable retrieved by my Emotet-infected host\r\nMalware from the second run:\r\nSHA256 hash: abd3942b115eef97d1dca7bbc05022689ee78090b02fb930d202148b9218323c\r\nFile size: 153,088 bytes\r\nFile location: hxxp://ciblage-spain[.]es/Transactions/01_19/\r\nFile name: 012019_INV_0049.doc\r\nFile description: Downloaded Word doc with macro for Emotet\r\nSHA256 hash: a2d4ccd13954f43ab541b10f879f0d8b5fcf4fa24fffa1b08444bd2313242a78\r\nFile size: 155,648 bytes\r\nFile location: hxxp://starbilisim[.]net/umEgLOOKUD/\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\pesicy\\pesicy.exe\r\nFile description: Emotet executable retrieved by Word macro\r\nSHA256 hash: e1f60b891005dfd0f6738444406c8e57d644cc3ce0154f8d17454c886637dfbd\r\nFile size: 151,552 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\pesicy\\pesicy.exe\r\nFile description: Emotet executable updated after initial infection\r\nSHA256 hash: 4f519a9e1df4558336263f398c44796cb412e7ef56d3290f0f12b422eb325730\r\nFile size: 275,456 bytes\r\nFile location: C:\\ProgramData\\35YXoiR.exe\r\nFile description: IcedID executable retrieved by my Emotet-infected host\r\nSHA256 hash: 92352a5a9e473c8939e3a609253f65d3afaa392f872134ba73c3972d2c5e4830\r\nFile size: 275,456 bytes\r\nFile location: C:\\ProgramData\\{A2EE4104-C104-4A1F-9FCE-D86635165D72}\\floflbjnc.exe\r\nFile description: IcedID executable made persistent on my Emotet-infected host\r\nEmotet infection traffic from the first run:\r\n92.222.210[.]16 port 80 - mdmshipping[.]org - GET /wp-content/uploads/Clients_transactions/012019/\r\n149.255.58[.]108 port 80 - www.al-bay[.]com - GET /JbDEG76\r\n149.255.58[.]108 port 80 - www.al-bay[.]com - GET /JbDEG76/\r\n189.146.157[.]111 port 20 - Attempted TCP connections (no response from the server)\r\n216.244.228[.]62 port 53 - 216.244.228[.]62:53 - GET /\r\n187.163.177[.]194 port 22 - Attempted TCP connections (no response from the server)\r\n181.164.8[.]8 port 22 - 181.164.8[.]8:22 - GET /\r\n189.129.134[.]124 port 20 - Attempted TCP connections (no response from the server)\r\n189.225.146[.]180 port 8443 - 189.225.146[.]180:8443 - GET /\r\nGootkit infection traffic from the first run:\r\n66.23.200[.]58 port 443 - mid.centralcoastbagels[.]com - HTTPS/SSL/TLS traffic\r\nDNS query for loredanusos[.]com - response: No such name\r\nDNS query for bigiterra[.]com - response: No such name\r\nDNS query for getlowfast[.]com - response: No such name\r\nEmotet infection traffic from the second run:\r\n87.98.154[.]146 port 80 - ciblage-spain[.]es - GET /Transactions/01_19\r\n87.98.154[.]146 port 80 - ciblage-spain[.]es - GET /Transactions/01_19/\r\n149.255.58[.]108 port 80 - www.al-bay[.]com - GET /JbDEG76\r\n149.255.58[.]108 port 80 - www.al-bay[.]com - GET /cgi-sys/suspendedpage.cgi\r\n159.253.42[.]200 port 80 - starbilisim[.]net - GET /umEgLOOKUD\r\n159.253.42[.]200 port 80 - starbilisim[.]net - GET /umEgLOOKUD/\r\n187.163.177[.]194 port 22 - Attempted TCP connections (no response from the server)\r\n181.164.8[.]8 port 22 - 181.164.8[.]8:22 - GET /\r\n189.129.134[.]124 port 20 - Attempted TCP connections (no response from the server)\r\n189.225.146[.]180 port 8443 - Attempted TCP connections (no response from the server)\r\n66.50.57[.]73 port 8080 - 66.50.57[.]73:8080 - GET /\r\n186.15.66[.]98 port 443 - 186.15.66[.]98:443 - GET /\r\n181.211.11[.]171 port 443 - 181.211.11[.]171:443 - GET /\r\nIcedID infection traffic from the second run:\r\n185.223.163[.]26 port 443 - kepleted[.]pw - HTTPS/SSL/TLS traffic\r\n194.165.3[.]3 port 80 - bestcontrol[.]at - GET /data2.php?45DD8E695E0FFFAB\r\n185.223.163[.]26 port 443 - stronour[.]host - HTTPS/SSL/TLS traffic\r\n194.165.3[.]3 port 443 - bestcontrol[.]at - HTTPS/SSL/TLS traffic\r\n194.165.3[.]3 port 443 - exeterol[.]host - HTTPS/SSL/TLS traffic\r\n194.165.3[.]3 port 443 - decretery[.]host - HTTPS/SSL/TLS traffic\r\nFinal words\r\nPcaps of the infection traffic and malware associated with today's diary can be found here.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/"
	],
	"report_names": [
		"24532"
	],
	"threat_actors": [],
	"ts_created_at": 1775434693,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/88a9af327feda0bef58ea4cdea79c86fce26c351.pdf",
		"text": "https://archive.orkl.eu/88a9af327feda0bef58ea4cdea79c86fce26c351.txt",
		"img": "https://archive.orkl.eu/88a9af327feda0bef58ea4cdea79c86fce26c351.jpg"
	}
}