{
	"id": "ecd3f5cd-2180-4d75-a674-e533735c8282",
	"created_at": "2026-04-06T00:06:35.066326Z",
	"updated_at": "2026-04-10T03:35:43.370923Z",
	"deleted_at": null,
	"sha1_hash": "a5eea2a8616df2aaa823c9b01cd01811bec6fa83",
	"title": "Emotet Summary: November 2021 Through January 2022",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9250352,
	"plain_text": "Emotet Summary: November 2021 Through January 2022\r\nBy Brad Duncan\r\nPublished: 2022-05-17 · Archived: 2026-04-02 10:42:53 UTC\r\nExecutive Summary\r\nEmotet is one of the most prolific email-distributed malware families in our current threat landscape. Although a coordinated law enforcement effort shut down this malware in January 2021, Emotet resumed operations in November 2021. Since then, Emotet has returned to its status as a prominent threat.\r\nThis blog provides a background on Emotet, and it reviews activity from this malware family since its return in November 2021. The information covers changes in Emotet operations from its revival through the end of January 2022. These examples will provide a more comprehensive picture and better indicate the worldwide threat Emotet currently poses.\r\nPalo Alto Networks customers are protected from Emotet with Cortex XDR or our Next-Generation Firewall with WildFire and Threat Prevention subscriptions.\r\nBackground on Emotet\r\nSometimes referred to as Geodo or Feodo, Emotet is Windows-based malware that first appeared in 2014 as a banking Trojan. Since then, Emotet has evolved into modular malware that performs various functions, including information stealing, spambot activity and loading other malware.\r\nThe threat actor behind Emotet is known through different designators, like Mealybug, MUMMY SPIDER or TA542.\r\nEmotet’s primary method of distribution is through email.\r\nEmotet is a prolific spammer. Emotet-infected computers often act as spambots, sending a dozen or more emails every minute that push more Emotet. This means thousands of Emotet emails can be sent by a single host every day. If hundreds of Emotet-infected hosts are active at any given time, this means hundreds of thousands of Emotet emails can be generated each day Emotet is actively spamming.\r\nEmotet is evasive. Through a technique called hashbusting, Emotet generates different file hashes for malware distributed through its botnets. This ensures a malware sample’s SHA256 hash is different on each infected system. Emotet also uses obfuscated code in scripts used during its initial infection process.\r\nEmotet is nimble. Its botnets frequently update IP addresses and TCP ports used for command and control (C2) communications. Emotet also frequently changes URLs hosting its malware, sometimes using dozens of different URLs each day.\r\nhttps://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/\r\nPage 1 of 22\n\nEmails distributing Emotet contain malicious attachments, or they contain links to malicious files. These messages most often contain Microsoft Office files like Word documents or Excel spreadsheets. These Office documents contain malicious macro code. The code is designed to infect a vulnerable Windows host after a victim enables macros.\r\nAs it rose to prominence, Emotet began distributing other malware like Gootkit, IcedID, Qakbot and Trickbot.\r\nBy September 2019, Emotet's infrastructure was running on three separate botnets. These botnets were designated by the security research team Cryptolaemus as epoch 1, epoch 2 and epoch 3. The epoch designators are often abbreviated as E1, E2 and E3.\r\nBy 2020, a significant portion of malicious spam pushing Emotet used thread hijacking. Thread hijacking is a technique that utilizes legitimate messages stolen from infected computers' email clients. Emotet emails have frequently spoofed legitimate users and impersonated replies to these stolen emails.\r\nEmotet occasionally takes a break from delivering malicious emails. Emotet's longest absence from the threat landscape occurred in early February 2020 and lasted more than five months. Emotet resumed operations in mid-July 2020, and it quickly surpassed other threats in sheer volume of malicious spam.\r\nIn January 2021, a collaborative effort by law enforcement agencies and other authorities disrupted Emotet operations. This effectively stopped the threat actor, and Emotet disappeared from our threat landscape. Approximately 10 months later, Emotet resumed operations in mid-November 2021.\r\nVisual Timeline\r\nFigure 1 presents a timeline of Emotet operations from its return in mid-November 2021 through January 2022. The timeline highlights notable Emotet activity during the three-month period covered in this blog.\r\nFigure 1. Timeline of Emotet operations from November 2021 through January 2022.\r\nEmotet in November 2021\r\nOn Sunday, Nov. 14, 2021, security researcher Luca Ebach discovered a new Emotet binary delivered through a Trickbot infection. By Monday, Nov. 15, the Emotet infrastructure had resumed normal operations and began generating a large volume of malicious spam.\r\nThe new Emotet infrastructure is running on two separate botnets designated as epoch 4 and epoch 5. These designators are often abbreviated as E4 and E5.\r\nOn Nov. 15, malicious spam for Emotet had one of three types of attachments: a password-protected ZIP archive, a Word document or an Excel spreadsheet. This follows the same method we had typically seen with previous Emotet infections. Examples and more details can be found in my post, “Emotet Returns.” See Figure 2 for a flow chart documenting the chain of events.\r\nFigure 2. Chain of events for Emotet infections seen on Monday, Nov. 15, 2021.\r\nAppendix A lists indicators of compromise from an infection on Wednesday, Nov. 18.\r\nBy Monday, Nov. 23, a batch file was added to the infection process as shown below in Figure 3.\r\nFigure 3. Chain of events for Emotet infections seen on Monday, Nov. 23, 2021.\r\nEmotet targets include various areas around the world. But even if victims are non-English speakers, templates for the Office documents are still in English as shown below in Figures 4 and 5 from an email targeting Italy.\r\nFigure 4. Screenshot of Emotet email targeting Italy on Nov. 23, 2021.\r\nFigure 5. Attachment from Italian email contained Excel spreadsheet for Emotet with an English template.\r\nAt this time, enabling macros did not directly download and run the Emotet DLL. Instead, the macro code dropped a batch file shown in Figure 6 and ran it with the following command:\r\nC:\\WINDOWS\\system32\\cmd.exe /c c:\\programdata\\sdfhiuwu.bat\r\nFigure 6. Batch file dropped after enabling macros for an Emotet infection on Nov. 23, 2021.\r\nAs an evasion technique, obfuscated script in the batch file generates a PowerShell command to retrieve an Emotet DLL and run it on the victim’s host. The PowerShell command uses a base64-encoded string as shown below in Figure 7.\r\nFigure 7. PowerShell command using base64-encoded string.\r\nConverting the base64 string to ASCII text reveals the script shown below in Figure 8. This script is designed to retrieve an Emotet DLL from one of seven URLs and save it to the C:\\ProgramData\\ directory. The Emotet DLL is run with rundll32.exe using a random string of characters as the entry point.\r\nFigure 8. Deobfuscated script from the base64 string in Figure 4.\r\nThe new Emotet DLL is similar to Emotet DLLs before the January 2021 takedown. Emotet is made persistent under a randomly named folder under the infected user’s AppData\\Local\\Temp directory. The modified date of the persistent DLL is backdated exactly one week prior to the infection. Emotet is made persistent through a Windows Registry update. Figure 9 shows an example from Nov. 23.\r\nFigure 9. Registry update to keep Emotet persistent after a reboot.\r\nSince Emotet reappeared in November 2021, post-infection C2 activity consists of encrypted HTTPS traffic. Certificate issuer data for Emotet C2 HTTPS traffic uses generic values often seen with other malware families. Figure 10 shows an example of Emotet C2 activity filtered in Wireshark to reveal the certificate issuer data.\r\nFigure 10. Reviewing certificate issuer data of Emotet HTTPS C2 traffic in Wireshark.\r\nAs shown above in Figure 10, certificate issuer data for Emotet C2 HTTPS traffic is:\r\nid-at-countryName=GB\r\nid-at-stateOrProvinceName=London\r\nid-at-localityName=London\r\nid-at-organizationName=Global Security\r\nid-at-organizationalUnitName=IT Department\r\nid-at-commonName=example.com\r\nOf note, other malware families have used similar certificate issuer data, so this is not necessarily unique to Emotet.\r\nOn Nov. 30, Emotet switched tactics again and began abusing Microsoft’s App Installer as part of its infection chain.\r\nEmotet Abuses Microsoft App Installer\r\nNow disabled by Microsoft, App Installer is a protocol for Windows 10 used to install software directly from a web server, and it used XML-based app installer files with the extension .appinstaller. This protocol had been previously abused for BazarLoader malware attacks in November 2021. Figure 11 shows the flow chart for this type of Emotet infection.\r\nFigure 11. Flow chart for Emotet infections abusing Microsoft’s App Installer Protocol.\r\nThe attack technique starts with complaint report-themed emails with links to malicious pages. These malicious pages are hosted on compromised websites, and they spoof Google Drive by using the same style of Google Drive pages, including a Google Drive icon that appears in the browser tab. The pages have links to supposedly preview a PDF-based complaint report. The link actually leads to a malicious .appinstaller file designed to infect a vulnerable Windows 10 host with Emotet.\r\nBelow, Figure 12 shows a thread-hijacked email from Nov. 30 with the malicious link, and Figure 13 shows the associated complaint page with a link to the malicious .appinstaller file.\r\nFigure 12. Thread-hijacked email from Nov. 30 with link to page for malicious app installer.\r\nFigure 13. Fake complaint report page with link to .appinstaller file for Emotet.\r\nAs shown above in Figure 13, the .appinstaller file pretends to be an Adobe PDF component. In this case, criminals were abusing Microsoft Azure to host the malicious files. Below, Figure 14 shows a malicious .appinstaller file opened in a text editor.\r\nFigure 14. Malicious .appinstaller file used for Emotet on Nov. 30.\r\nThe malicious .appinstaller file shown above in Figure 14 retrieves a malicious ZIP archive appended with an .appxbundle file extension from the same server. Below, Figure 15 shows contents of the malicious .appxbundle.\r\nFigure 15. Malicious .appxbundle used for Emotet infection on Nov. 30.\r\nThe malicious .appxbundle impersonating an Adobe program contains various files including ZIP archives with an .appx file extension. Together, the entire .appxbundle is designed to retrieve an Emotet DLL and run it on a vulnerable Windows host.\r\nIndicators and further details from the Nov. 30 activity can be found at Malware Traffic Analysis. Due to the nature of these app installer files, this infection method was initially difficult to detect. Fortunately, Microsoft quickly shut down Azure file servers hosting the app installer files. Microsoft has also disabled the app installer protocol, so this no longer remains an avenue of attack for Emotet or other malware.\r\nAppendix B lists indicators of compromise from an Emotet infection abusing Microsoft’s App Installer on Nov. 30.\r\nEmotet in December 2021\r\nThroughout November 2021, examples of Emotet infections revealed data exfiltration and spambot activity. No indicators of follow-up malware were publicly reported until December 2021. By Dec. 7, the Cryptolaemus research team confirmed Cobalt Strike had been deployed to Emotet-infected Windows hosts.\r\nDecember 2021 saw at least one more wave of emails from Emotet attempting to abuse Microsoft’s App Installer protocol. However, Emotet quickly moved on to other infection patterns and used different templates for Office documents, mostly Excel spreadsheets.\r\nIn the week leading to Christmas Day, Emotet emails contained links to web pages on various compromised websites. These pages also pretended to be from Google Drive, and they had links to download malicious Excel files. In this case, Emotet started using a new infection pattern as shown in Figure 16.\r\nFigure 16. Emotet infection pattern seen from Dec. 21-Dec. 24.\r\nAbove, Figure 16 reveals a process Emotet occasionally used through at least February 2022. We previously reported details on one such variation from January. Appendix C lists indicators of compromise from an Emotet infection using this method on Dec. 21.\r\nBelow, Figure 17 shows an email from Dec. 23 pushing Emotet, Figure 18 displays the website from the email link, and Figure 19 reveals the downloaded Excel spreadsheet.\r\nFigure 17. Example of email from Dec. 23 pushing Emotet.\r\nFigure 18. Web page delivering malicious Excel spreadsheet leading to Emotet on Dec. 23.\r\nFigure 19. Malicious Excel spreadsheet downloaded from page shown in Figure 17.\r\nOn Thursday, Dec. 24, we saw similar emails with Christmas-themed subject lines and holiday wishes in the message text. This wave of emails delivered the same style of Excel spreadsheet shown above in Figure 19. Below, Figure 20 shows one of these Christmas-themed emails, and Figure 21 displays the associated web page that delivered an Excel spreadsheet.\r\nFigure 20. Example of Christmas-themed email from Dec. 24 pushing Emotet.\r\nFigure 21. Web page delivering malicious Excel spreadsheet leading to Emotet on Dec. 24.\r\nAfter Dec. 24, Emotet stopped spamming until after the new year.\r\nEmotet in January 2022\r\nOn Tuesday, Jan. 11, 2022, Emotet resumed spamming after its holiday break. The emails continued with links to fake complaint pages, and the pages were sometimes customized to include the recipient’s name. This method was prevalent until Jan. 20.\r\nFigures 22-24 show one such example from Jan. 20. In this example, the recipient’s name has been sanitized to read as “Solomon Grundy” with an AOL email address, and the spoofed sender has been sanitized to read as alan.scott@thegreenlantern[.]net.\r\nFigure 22. Emotet email from Jan. 20.\r\nFigure 23. Fake complaint report page with recipient’s name sending Excel spreadsheet for Emotet.\r\nFigure 24. Excel spreadsheet for Emotet downloaded from fake complaint report web page.\r\nAppendix D lists indicators of compromise from an Emotet infection using this method on Jan. 11.\r\nBy Friday, Jan. 21, Emotet emails went back to using attached Excel spreadsheets or password-protected ZIP archives containing Excel spreadsheets. Throughout the rest of the month, Excel spreadsheets for Emotet alternated between the template shown above in Figure 24 and the template shown below in Figure 25.\r\nFigure 25. Excel spreadsheet template seen during the last full week of January 2022.\r\nIn January, we continued to see reports of Emotet pushing Cobalt Strike. During our lab tests, we routinely saw Emotet-infected hosts generate spambot activity starting from 35-45 minutes after the initial infection.\r\nConclusion\r\nSince its return in November 2021, Emotet has once again become one of the most prolific malware families in our current threat landscape. Hundreds of thousands of emails can be generated each day Emotet is actively spamming. Hashbusting, code obfuscation and other evasion techniques make Emotet a significant threat.\r\nWindows users can lower their risk from Emotet through spam filtering, proper system administration and ensuring their software is patched and up to date. Palo Alto Networks customers are further protected from Emotet through Cortex XDR and our Next-Generation Firewall with WildFire and Threat Prevention subscriptions.\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nDue to hashbusting, daily changes in malware URLs and frequent changes for infection patterns, we can see hundreds of new indicators for Emotet every day. These indicators are too numerous and changes are too frequent to be useful in any single list. However, abuse.ch is a research project that provides free trackers for Emotet botnet command and control servers, URLs hosting Emotet malware and Emotet malware samples.\r\nAppendices A, B, C and D provide a small selection of indicators referenced in this blog post.\r\nAppendix A: Emotet epoch 4 activity on Nov. 18, 2021\r\nSHA256 hashes for seven examples of password-protected ZIP archives:\r\na1ab66a0fbb84a29e5c7733c42337bc733d8b3c11e2d9f9e4357f47fb337c4d5 3.zip\r\n176cfa7f0742d5a79b9cfbf266c437b965fc763cf775415ca251c6bb2dd5e9e5 9.zip\r\n6c34e373479e1a7485025dc3ffa5d23db999aea83e4f3759bd8381fb88e2bbbf 435.zip\r\n8dc28ac1c66f3d17794bb0059445f4deb9db029eb6d4ea1adca734d035bdaecf 1811.zip\r\n4668e7d6bdb00fb80807ed91eef5ac9f6ba0dfd50d260d3e0240847b0ec16f69 18112021.zip\r\nbfdad57171267921a678ba9d86fd096c00197524698cc03a84d2cfeefdca5587 433492807279.zip\r\n66c34636aaf73f74df8da9981ca6054eb4143d1761dbde8e0e83899805590db2 763325738862.zip\r\nPasswords for the above ZIP archives:\r\n3.zip password: 008\r\n9.zip password: 3854\r\n435.zip password: 636\r\n1811.zip password: 9483\r\n18112021.zip password: 2927\r\n433492807279.zip password: 209\r\n763325738862.zip password: 339\r\nSHA256 hashes for seven extracted Word documents:\r\n304fba4a048904744d6d1c4d8bfd5d7b4019c2c45aba0499d797ee0d6807dfa8 3.doc\r\ne5f3a7e75c03d45462992b0a973e7e25b533e293724590c9eb34f5ee729039b0 9.doc\r\n0cacc247469125b5e0977b9de9814db0eb642c109ca5d13ee9c336aef2ec4c19 435.doc\r\n801ec1ec71051838efe75fd89344b676fa741d9e7718e534f119c57a899f4792 1811.doc\r\ncbddc8fea92cdf40f8efac2fe8fa534d52d90cccecbb914f3827002f680da98a 18112021.doc\r\nfccaf2af38484493d763b0ea37e68a40eb6def3030cfa975fa8d389e96b49378 433492807279.doc\r\nd655ab6b9350ec4f64c735cd23be62ca87d49165b244cefe75ad0dbb061de3d4 763325738862.doc\r\nURLs generated by the above Word documents:\r\nhxxp://jamaateislami[.]com/wp-admin/FKyNiHeRz1/\r\nhxxp://voltaicplasma[.]com/wp-includes/wkCYpDihyc8biTPn444B/\r\nhxxp://linebot.gugame[.]net/images/RX6MVSCgGr/\r\nhxxp://lpj917[.]com/wp-content/Cc4KG1MDR4xAWp91SjA/\r\nhxxp://html.gugame[.]net/img/5xUBiRIQ4s3EtKEv67Ebn/\r\nhxxp://xanthelasmaremoval[.]com/wp-includes/VVVcpYsRtGgjQqfgjxbS/\r\nhxxp://giadinhviet[.]com/pdf/log_in/8kQBFUyohsDRGCJx/\r\nExample of Emotet DLL file:\r\nSHA256 hash:\r\n555dff455242a5f82f79eecb66539bfd1daa842481168f1f1df911ac05a1cfba\r\nFile size: 485,376 bytes\r\nFile location: hxxp://jamaateislami[.]com/wp-admin/FKyNiHeRz1/\r\nFile location: C:\\ProgramData\\1245045870.dll\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\Tzbklmcf\\ljkklzcncxkf.pgk\r\nRun method from Windows Registry update: rundll32.exe [filename],truHNmRuL\r\nNote 1: This was generated using 1811.doc\r\nNote 2: The entry point used with rundll32.exe can be any alpha-numeric value\r\nHTTPS Emotet C2 traffic from an infected Windows host:\r\n51.178.61[.]60 port 443\r\n103.161.172[.]108 port 443\r\n122.129.203[.]163 port 443\r\nAppendix B: Emotet epoch 4 abusing App Installer on Nov. 30, 2021\r\nLink from email:\r\nhxxp://hispanicaidgroup[.]org/ufay0vq/keWIgzwT/\r\nMalicious App Installer:\r\nSHA256 hash:\r\n450cba4a0f2b8c14dee55c33c9c0f522a4dddd1b463e39e8e736ed37dc2fac74\r\nFile size: 472 bytes\r\nFile location: hxxps://locstorageinfo.z13.web.core.windows[.]net/ioocceneen.appinstaller\r\nMalicious Appxbundle:\r\nSHA256 hash:\r\n7c55c3656184b145b3b3f6449c05d93fa389650ad235512d2f99ee412085cf3a\r\nFile size: 1,261,364 bytes\r\nFile location: hxxps://locstorageinfo.z13.web.core.windows[.]net/ioocceneen.appxbundle\r\nMalicious executable contained in Appxbundle:\r\nSHA256 hash:\r\n36a81cd64e7649d9f91925194e89e8463c980682596eef19c4f5df6e1ac77b2a\r\nFile size: 192,800 bytes\r\nIn Appxbundle at:\r\nioocceneen.appxbundle/Adobe_1.2.0.0_x86/CustomParts/wsprotocol.exe\r\nExample of Emotet DLL:\r\nSHA256 hash:\r\na04714dcfad52b9dbf2f649810a6c489c5eb2a15118043f0173571310597b8cb\r\nFile size: 643,147 bytes\r\nFile location: hxxp://www.thebanditproject[.]com/wp-content/BvZK54PFsCqKio6/\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\Pvglfpllzel\\bhryuac.wmn\r\nRun method: rundll32.exe [filename],[any alpha-numeric value]\r\nHTTPS Emotet C2 traffic from an infected Windows host:\r\n46.55.222[.]11 port 443\r\n163.172.50[.]82 port 443\r\nAppendix C: Emotet epoch 4 infection on Dec. 21, 2021\r\nAttached Excel file from email:\r\nSHA256 hash:\r\nfcf5500a8b46bf8c7234fb0cc4568e2bd65b12ef8b700dc11ff8ee507ba129da\r\nFile size: 194,273 bytes\r\nFile name: REP_1671971987654103376.xls\r\nHTA file:\r\nSHA256 hash:\r\n97ebdff655fa111863fbd084f99187c9b6b369fe88fdb1333f8b89aac09fc48d\r\nFile size: 10,980 bytes\r\nFile location: hxxp://87.251.86[.]178/pp/_.html\r\nPowerShell script:\r\nSHA256 hash:\r\na08271fe6d67cc6cf678683f58e22412e6872a985a03b8444584bea57aa3cbb7\r\nFile size: 721 bytes\r\nFile location: hxxp://87.251.86[.]178/pp/PP.PNG\r\nURLs generated by the above PowerShell script:\r\nhxxp://mustache.webstory[.]sa/wp-includes/cRwe2Pkxasj/\r\nhxxps://vdevigueta[.]com/wp-admin/qYOwD7kPD6JX/\r\nhxxp://bujogradba[.]com/5tvjjl/qiP8H0W5GmR5P9fGIw/\r\nhxxps://daxinghuo[.]com/get/oU8lM4P/\r\nhxxp://masl[.]cn/1/4Ilcpoj6PjTsj3eAR/\r\nExample of Emotet DLL:\r\nSHA256 hash:\r\n7c35902055f69af2cbb6c941821ceba3d79b2768dd2235c282b195eb48cc6c83\r\nFile size: 1,257,472 bytes\r\nFile location: hxxp://mustache.webstory[.]sa/wp-includes/cRwe2Pkxasj/\r\nFile location: C:\\Users\\Public\\Documents\\ssd.dll\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\Piqvlxzjzu\\vrjlv.srn\r\nRun method: rundll32.exe [filename],[any alpha-numeric value]\r\nHTTPS Emotet C2 traffic from an infected Windows host:\r\n54.37.212[.]235 port 80\r\n144.202.34[.]169 port 443\r\nAppendix D: Emotet epoch 5 infection on Jan. 11, 2022\r\nExample of link in email for fake complaint page:\r\nhxxp://goodmarketinggroup[.]com/newish/562_9559085/\r\nURL to download Excel spreadsheet:\r\nhxxp://goodmarketinggroup[.]com/newish/562_9559085/?i=1\r\nExample of downloaded Emotet Excel file:\r\nSHA256 hash:\r\n292826fa66737d718d0d23f5842dc88e05c8ba5ade7e51212dded85137631b31\r\nFile size: 85,352 bytes\r\nFile name: 06028_2603.xlsm\r\nThree URLs to download an Emotet DLL after enabling macros:\r\nhxxp://mammy-chiro[.]com/case/ZTkBzbz/\r\nhxxp://bluetoothheadsetreview[.]xyz/wp-includes/xmdHAGgfki/\r\nhxxp://topline36[.]xyz/wp-includes/css/BB9Ajvjs89U9O/\r\nExample of Emotet DLL:\r\nSHA256 hash:\r\n4978285fc20fb2ac2990a735071277302c9175d16820ac64f326679f162354ff\r\nFile size: 481,792 bytes\r\nFile location: hxxp://mammy-chiro[.]com/case/ZTkBzbz/\r\nFile location: C:\\Users\\[username]\\dwa.ocx\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\Fhcnkauwkz\\gavlgclbak.wwa\r\nRun method: rundll32.exe [filename],[any alpha-numeric value]\r\nHTTPS Emotet C2 traffic from an infected Windows host:\r\n41.226.30[.]6 port 8080\r\n45.138.98[.]34 port 80\r\n62.141.45[.]103 port 443\r\n161.97.77[.]73 port 443\r\nAdditional Resources\r\nEmotet Malware - United States Department of Homeland Security, Cybersecurity \u0026 Infrastructure Security Agency (CISA)\r\nCase Study: Emotet Thread Hijacking, an Email Attack Technique - Unit 42, Palo Alto Networks\r\nWorld’s most dangerous malware EMOTET disrupted through global action - Europol\r\nEmotet Returns - Internet Storm Center\r\nEmotet hashbusting - Tweet by @MalwareTechBlog\r\nEmotet uses appinstaller for infection - malware-traffic-analysis.net\r\nEmotet now spreads via fake Adobe Windows App Installer packages - BleepingComputer\r\nEmotet dropping Cobalt Strike - Tweet by @Cryptolaemus1\r\nNew Emotet Infection Method - Unit 42, Palo Alto Networks\r\nSource: https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/"
	],
	"report_names": [
		"emotet-malware-summary-epoch-4-5"
	],
	"threat_actors": [
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775433995,
	"ts_updated_at": 1775792143,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a5eea2a8616df2aaa823c9b01cd01811bec6fa83.pdf",
		"text": "https://archive.orkl.eu/a5eea2a8616df2aaa823c9b01cd01811bec6fa83.txt",
		"img": "https://archive.orkl.eu/a5eea2a8616df2aaa823c9b01cd01811bec6fa83.jpg"
	}
}