{
	"id": "2aa0da8e-37dc-4e5d-afe2-fbb3ea47066e",
	"created_at": "2026-04-06T00:21:58.547461Z",
	"updated_at": "2026-04-10T03:21:55.610773Z",
	"deleted_at": null,
	"sha1_hash": "b127fff6ce829cb6c68359eb5607ad900d13e1de",
	"title": "[QuickNote] Emotet epoch4 \u0026 epoch5 tactics",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2523007,
	"plain_text": "[QuickNote] Emotet epoch4 \u0026 epoch5 tactics\r\nPublished: 2022-01-23 · Archived: 2026-04-05 18:27:39 UTC\r\nThis article is based on samples collected by Mr. Brad Duncan through his excellent lab: 2022-01-20\r\n(THURSDAY) – EMOTET EPOCH 4 AND EPOCH 5 INFECTIONS\r\nEmotet epoch4:\r\nThe time of the initial infection in the pcap file ( 2022-01-20-Emotet-epoch4-infection-with-spambot-activity.pcap ) is around 2022-01-20 19:37 UTC , when the victim clicks on the link in the spam mail, they will\r\naccess the address mangaloresoundandlights[.]com :\r\nIf the access is successful, the victim will be asked to download an Excel file similar to the image below (this file\r\nwill have a random name after each access. As in Mr. Brad Duncan’s summary, the file he downloaded has file\r\nname: 12772684608453.xls ):\r\nhttps://kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/\r\nPage 1 of 8\n\nAnalyzing the downloaded xls file , this file uses XLM macro, when the victim opens and allows macro for\r\nexecuting, it will call mshta.exe to load the fe2.html file at the address hxxp://0xb907d607 :\r\nThe host contains a hexadecimal representation of the IP address. Using CyberChef, I can converted the\r\nhexadecimal numbers to retrieve the real IP address: 185[.]7[.]214[.]7\r\nThe pcap file has result similar to the following:\r\nThe above html file contains javascript, so mshta.exe will execute this script:\r\nJavascript when executed will spawn Powershell process to download the fe2.png file at the same address.\r\nBased on the powershell command, it can be seen that the png file will also be a powershell script.\r\nLooking at the pcap file:\r\nCompare the content between the file provided by Mr. Brad Duncan and the file I downloaded:\r\nhttps://kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/\r\nPage 2 of 8\n\nBased on the content of the png file, it can be seen that this powershell script will iterate all the list of urls and try\r\ndownload payload and save it under the name \"C:\\Users\\Public\\Documents\\ssd.dll\" . If the download is\r\nsuccessful, it will call rundll32.exe to execute ssd.dll .\r\nI tried downloading the Dll from one of the urls in the fe2.png file:\r\nIn the pcap file, the result is similar to the following:\r\nFrom the Dll file provided by Mr. Brad Duncan as well as the Dll file that I downloaded, it is easy to unpack the\r\nemotet core Dll:\r\nWith Emotet’s core Dll unpacked, I can find and extract C2 configuration information as well as the keys used to\r\nencrypt traffic and verify data:\r\nhttps://kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/\r\nPage 3 of 8\n\nThe results obtained are similar to the analysis at https://tria.ge/220121-wxp5xaafb2. As described by Mr. Brad\r\nDuncan, 33 minutes after the initial infection, the victim was turned into a spam-bot after being infected by the\r\nmalware.\r\nEmotet epoch5:\r\nThe time of the initial infection in the pcap file ( 2022-01-20-Emotet-epoch5-infection-with-spambot-activity.pcap ) is around 2022-01-20 17:46 UTC , when the victim clicks on the link in the spam mail, they will\r\naccess the address mt.yoshimax[.]net :\r\nAt the time of blogging, this address is no longer accessible. Therefore, I will use the files that Mr. Brad Duncan\r\nprovided for further analysis:\r\nhttps://kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/\r\nPage 4 of 8\n\nAnalyze excel file: 2022-01-20-Emotet-epoch5-Excel-file.bin . Similar to the above epoch4, its macro code is\r\nas follows:\r\nThe javascript in the file 2022-01-20-Emotet-epoch5-fe1.html.txt when executed will spawn powershell\r\nprocess to download the png file (also a powershell script):\r\nThe content of the file fe1.png is as follows:\r\nLike above, this script also browses the urls to download the dll file and saves it as sdc.dll . Then, call\r\nrundll32.exe to execute the sdc.dll file saved at the path \"C:\\Users\\Public\\Documents\\ssd.dll\" .\r\nhttps://kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/\r\nPage 5 of 8\n\nEasily unpack to get Emotet core Dll:\r\nWith Emotet’s core Dll unpacked, I can extract C2 configuration information as well as the keys used to encrypt\r\ntraffic and verify data:\r\nhttps://kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/\r\nPage 6 of 8\n\nThe results obtained are similar to the analysis at https://tria.ge/220123-j3vw5afeel. As described by Mr. Brad\r\nDuncan, 26 minutes after the initial infection, the victim was turned into a spam-bot after being infected by the\r\nmalware.\r\nOther notes:\r\nI also observed another Emotet spam campaigns using octal representations of IP addresses, the malicious Excel\r\nfile also uses XML macro to run the malware once the document is opened and enabled by victim.\r\nWith the help of CyberChef we can decode this IP address:\r\nRefs:\r\nhttps://kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/\r\nPage 7 of 8\n\nEmotet: Dangerous Malware Keeps on Evolving\r\n[RE019] From A to X analyzing some real cases which used recent Emotet samples\r\nHow the new Emotet differs from previous versions\r\nOALabs – Emotet Analysis Note\r\nRegards,\r\nm4n0w4r\r\nSource: https://kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/\r\nhttps://kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/\r\nPage 8 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/"
	],
	"report_names": [
		"quicknote-emotet-epoch4-epoch5-tactics"
	],
	"threat_actors": [],
	"ts_created_at": 1775434918,
	"ts_updated_at": 1775791315,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b127fff6ce829cb6c68359eb5607ad900d13e1de.pdf",
		"text": "https://archive.orkl.eu/b127fff6ce829cb6c68359eb5607ad900d13e1de.txt",
		"img": "https://archive.orkl.eu/b127fff6ce829cb6c68359eb5607ad900d13e1de.jpg"
	}
}