[QuickNote] Emotet epoch4 & epoch5 tactics

Published: 2022-01-23 · Archived: 2026-04-05 18:27:39 UTC

This article is based on samples collected by Mr. Brad Duncan through his excellent lab: 2022-01-20 (THURSDAY) – EMOTET EPOCH 4 AND EPOCH 5 INFECTIONS

Emotet epoch4:

The initial infection in the pcap file (2022-01-20-Emotet-epoch4-infection-with-spambot-activity.pcap) occurs around 2022-01-20 19:37 UTC. When the victim clicks the link in the spam mail, they are taken to the address mangaloresoundandlights[.]com:

If the access is successful, the victim is asked to download an Excel file similar to the image below (this file has a random name on each access; as in Mr. Brad Duncan's summary, the file he downloaded has the file name 12772684608453.xls):

https://kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/ Page 1 of 8

Analyzing the downloaded xls file, it uses an XLM macro; when the victim opens the file and enables macros, it calls mshta.exe to load the fe2.html file at the address hxxp://0xb907d607:

The host is a hexadecimal representation of the IP address. Using CyberChef, I converted the hexadecimal value to retrieve the real IP address: 185[.]7[.]214[.]7

The pcap file shows a result similar to the following:

The above html file contains JavaScript, so mshta.exe executes this script:

When executed, the JavaScript spawns a PowerShell process to download the fe2.png file from the same address. From the PowerShell command, it can be seen that the png file is also a PowerShell script. Looking at the pcap file:

Compare the content of the file provided by Mr. Brad Duncan with the file I downloaded:

Based on the content of the png file, this PowerShell script iterates over a list of URLs, tries to download the payload from each, and saves it as "C:\Users\Public\Documents\ssd.dll". If the download succeeds, it calls rundll32.exe to execute ssd.dll.

I tried downloading the DLL from one of the URLs in the fe2.png file:

In the pcap file, the result is similar to the following:

From the DLL provided by Mr. Brad Duncan as well as the DLL I downloaded, it is easy to unpack the Emotet core DLL:

With Emotet's core DLL unpacked, I can find and extract the C2 configuration as well as the keys used to encrypt traffic and verify data:

The results obtained are similar to the analysis at https://tria.ge/220121-wxp5xaafb2. As described by Mr. Brad Duncan, 33 minutes after the initial infection, the infected victim was turned into a spam-bot.

Emotet epoch5:

The initial infection in the pcap file (2022-01-20-Emotet-epoch5-infection-with-spambot-activity.pcap) occurs around 2022-01-20 17:46 UTC. When the victim clicks the link in the spam mail, they are taken to the address mt.yoshimax[.]net:

At the time of blogging, this address is no longer accessible. Therefore, I will use the files that Mr. Brad Duncan provided for further analysis:

Analyze the Excel file: 2022-01-20-Emotet-epoch5-Excel-file.bin. Similar to epoch4 above, its macro code is as follows:

The JavaScript in the file 2022-01-20-Emotet-epoch5-fe1.html.txt, when executed, spawns a PowerShell process to download the png file (also a PowerShell script):

The content of the file fe1.png is as follows:

Like above, this script also iterates over the URLs to download the DLL file and saves it as sdc.dll. Then it calls rundll32.exe to execute the sdc.dll file saved at the path "C:\Users\Public\Documents\ssd.dll".

The Emotet core DLL is easily unpacked:

With Emotet's core DLL unpacked, I can extract the C2 configuration as well as the keys used to encrypt traffic and verify data:

The results obtained are similar to the analysis at https://tria.ge/220123-j3vw5afeel. As described by Mr. Brad Duncan, 26 minutes after the initial infection, the infected victim was turned into a spam-bot.

Other notes:

I also observed another Emotet spam campaign using octal representations of IP addresses; the malicious Excel file likewise uses an XLM macro to run the malware once the document is opened and macros are enabled by the victim. With the help of CyberChef we can decode this IP address:

Refs:

- Emotet: Dangerous Malware Keeps on Evolving
- [RE019] From A to X analyzing some real cases which used recent Emotet samples
- How the new Emotet differs from previous versions
- OALabs – Emotet Analysis Note

Regards,
m4n0w4r

Source: https://kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/
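As an added example (not code from the article or from Mr. Brad Duncan's lab), the following Python decoder handles the hexadecimal host in hxxp://0xb907d607 from the epoch4 section and the octal form mentioned under Other notes. It follows the inet_aton parsing rules, so it goes beyond those two cases to plain-decimal and mixed dotted forms, and it runs over constructed proxy-log lines to flag URLs whose host is an IP written in anything but dotted-decimal.

```python
import re
from typing import List, Optional, Tuple

# One numeric component under inet_aton rules: 0x hex, leading-0 octal, else decimal.
_PART_RE = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")
_URL_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)

def _parse_part(part: str) -> Optional[int]:
    if not _PART_RE.match(part):
        return None
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)

def decode_ip_host(host: str) -> Optional[str]:
    """Dotted quad for any inet_aton host form (one hex/octal/decimal number, or
    2-4 dotted parts, the last part filling the remaining bytes); None if not numeric."""
    values = [_parse_part(p) for p in host.split(".")]
    if not 1 <= len(values) <= 4 or any(v is None for v in values):
        return None
    head, last = values[:-1], values[-1]
    tail_bits = 8 * (4 - len(head))
    if any(v > 0xFF for v in head) or last >= 1 << tail_bits:
        return None
    n = last
    for i, v in enumerate(reversed(head)):
        n |= v << (tail_bits + 8 * i)
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def is_obfuscated_ip_host(host: str) -> bool:
    """True when the host is an IP written in anything but plain dotted-decimal."""
    decoded = decode_ip_host(host)
    return decoded is not None and decoded != host

def find_obfuscated_urls(log_lines: List[str]) -> List[Tuple[str, str]]:
    """(host, decoded_ip) for every URL in the log whose host is an obfuscated IP."""
    return [(h, decode_ip_host(h))
            for line in log_lines for h in _URL_RE.findall(line)
            if is_obfuscated_ip_host(h)]

# Constructed proxy-log lines (not from the article's pcap). The hex host is the one
# from the article; the octal host is 185.7.214.7 rewritten in octal for illustration.
SAMPLE_LOG = [
    "2022-01-20 19:38:01 host1 mshta.exe GET http://0xb907d607/fe2.html 200",
    "2022-01-20 19:38:05 host1 powershell.exe GET http://0xb907d607/fe2.png 200",
    "2022-01-20 19:40:10 host2 chrome.exe GET http://185.7.214.7/index.html 200",
    "2022-01-20 19:41:22 host3 mshta.exe GET http://0271.7.0326.7/payload.html 200",
]
```

Running find_obfuscated_urls(SAMPLE_LOG) flags the three mshta/powershell requests and leaves the plain dotted-decimal one alone, which is the normalization step a proxy or EDR rule needs before matching such hosts against blocklists.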