{
	"id": "c3866d92-2a79-4314-b3bd-e2711cbfaf12",
	"created_at": "2026-04-06T00:09:41.132364Z",
	"updated_at": "2026-04-10T13:12:10.123155Z",
	"deleted_at": null,
	"sha1_hash": "bdbe9a048a6114e202a1e0d4892dc7023739f15a",
	"title": "Emotet infection with Cobalt Strike - SANS ISC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4346404,
	"plain_text": "Emotet infection with Cobalt Strike - SANS ISC\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 15:44:38 UTC\r\nIntroduction\r\nAlthough I haven't been posting examples lately, Emotet has remained active since I last wrote an ISC diary about\r\nit in February 2022.  Today on Thursday 2022-07-07, I have a new example of an Emotet infection with Cobalt\r\nStrike to share.\r\nShown above:  Flow chart from today's Emotet activity on Thursday 2022-07-07.\r\nImages from the infection\r\nhttps://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/\r\nPage 1 of 9\n\nShown above:  Desktop from the Windows host in my lab used for today's Emotet infection.\r\nShown above:  Email client I had populated with messages before today's infection.  The last four messages with\r\nattachments are Emotet malspam based on a previous Emotet infection.\r\nhttps://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/\r\nPage 2 of 9\n\nShown above:  Emotet malspam used for today's infection.\r\nhttps://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/\r\nPage 3 of 9\n\nShown above:  Malicious Excel spreadsheet used for today's infection.\r\nShown above:  Traffic from the infection filtered in Wireshark (1 of 2).\r\nhttps://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/\r\nPage 4 of 9\n\nShown above:  Traffic from the infection filtered in Wireshark (2 of 2).\r\nhttps://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/\r\nPage 5 of 9\n\nShown above:  Process Hacker showing processes for both Emotet and Cobalt Strike.\r\nhttps://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/\r\nPage 6 of 9\n\nShown above:  Registry update and location of persistent Emotet directory with Cobalt Strike.\r\nIndicators of Compromise (IOCs)\r\nMalware from an infected Windows host:\r\nSHA256 hash: 
25d4b42c98e6fb6ea5f91393252a446e0141074765e955b3e561d8b56454a73a\r\nFile size: 97,280 bytes\r\nFile name: INVOICE0004010160.xls\r\nFile description: Excel spreadsheet with macros for Emotet\r\nSHA256 hash: 1e8d9f532c2c5909ba3a8ec8d05fc8bed667dcc0c2592224827b614af7fa3ce1\r\nFile size: 346,112 bytes\r\nFile location: hxxps://www.yell[.]ge/nav_logo/cvLMav68/\r\nFile location: C:\\Users\\[username]\\soci1.ocx\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\QjPIBTDyAjEJA\\AMtPK.dll\r\nFile description: 64-bit DLL for Emotet\r\nRun method: regsvr32.exe [filename]\r\nSHA256 hash: aa4b22bf31692e70b63dfa0c93888e1795c2d861550f6926c720c3609df4c39a\r\nFile size: 346,112 bytes\r\nFile location: hxxp://airhobi[.]com/system/4Z6puOENN1DH2HYMzKLz/\r\nFile location: C:\\Users\\[username]\\soci2.ocx\r\nhttps://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/\r\nPage 7 of 9\n\nFile location: C:\\Users\\[username]\\AppData\\Local\\WuaJyi\\NPpaqh.dll\r\nFile description: 64-bit DLL for Emotet\r\nRun method: regsvr32.exe [filename]\r\nSHA256 hash: 2c7e18f64c2f229d03afc9b6231f950c0489b684ec0792e75baceb4a03833ff3\r\nFile size: 304,128 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\WuaJyi\\zqjwHhWLy.dll\r\nFile description: Updated 64-bit Emotet DLL persistent on the infected Windows host\r\nRun method: regsvr32.exe [filename]\r\nSHA256 hash: 6b4808050c2a6b80fc9945acdecec07a843436ea707f63555f6557057834333e\r\nFile size: 2,426,368 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\WuaJyi\\XAcCGhgSRbRFvGp.exe\r\nFile description: 64-bit EXE for Cobalt Strike sent to Emotet-infected host\r\nInfection traffic:\r\nURLs generated by Excel macros for Emotet DLL files:\r\n91.239.206[.]239 port 443 - hxxps://www.yell[.]ge/nav_logo/cvLMav68/\r\n193.53.245[.]52 port 80 - airhobi[.]com - GET /system/4Z6puOENN1DH2HYMzKLz/\r\n178.255.41[.]17 port 80 - zspwolawiazowa[.]pl - GET /images/Qb86rcUXgBHhg/\r\n112.78.112[.]34 port 80 - 
yudaisuzuki[.]jp - GET /150911pre/nsA8XrN93S/\r\nNote: The first two returned DLL files, but the second two did not\r\nEmotet C2 traffic:\r\n164.90.222[.]65 port 443 - HTTPS traffic\r\n144.202.108[.]116 port 8080 - HTTPS traffic\r\n138.197.68[.]35 port 8080 - HTTPS traffic\r\n34.80.191[.]247 port 7080 - HTTPS traffic\r\n201.73.143[.]120 port 8080 - HTTPS traffic\r\n146.59.151[.]250 port 443 - HTTPS traffic\r\n162.243.103[.]246 port 8080 - HTTPS traffic\r\nCobalt Strike traffic:\r\n52.18.235[.]51 port 443 - distinctive-obi-mgw.aws-euw1.cloud-ara.tyk[.]io - HTTPS traffic\r\nCobalt Strike URLs:\r\ndistinctive-obi-mgw.aws-euw1.cloud-ara.tyk[.]io - GET /api/v2/login\r\ndistinctive-obi-mgw.aws-euw1.cloud-ara.tyk[.]io - POST /api/v2/status?__cfduid=[19 characters, base64\r\nstring]\r\nhttps://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/\r\nPage 8 of 9\n\nFinal words\r\nWhile Emotet might not get much high-profile press lately, it remains a continuing presence in our threat\r\nlandscape.  A packet capture (pcap) of today's infection traffic with the email and associated malware samples can\r\nbe found here.\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/\r\nhttps://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/\r\nPage 9 of 9\n\n  https://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/  \nShown above: Malicious Excel spreadsheet used for today's infection.\nShown above: Traffic from the infection filtered in Wireshark (1 of 2).\n   Page 4 of 9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/"
	],
	"report_names": [
		"28824"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434181,
	"ts_updated_at": 1775826730,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bdbe9a048a6114e202a1e0d4892dc7023739f15a.pdf",
		"text": "https://archive.orkl.eu/bdbe9a048a6114e202a1e0d4892dc7023739f15a.txt",
		"img": "https://archive.orkl.eu/bdbe9a048a6114e202a1e0d4892dc7023739f15a.jpg"
	}
}
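The diary above publishes its indicators as a plain defanged list; the first thing a responder does with such a list is sweep it against proxy or firewall logs. The Python below is an added example, not code from the diary, from SANS ISC or from the author: it refangs the published Emotet download URLs, Emotet C2 ip:port pairs and Cobalt Strike host, then classifies each line of a constructed proxy log. The log format (timestamp, client IP, method, target, status) and the sample lines are assumptions made for the example, as is the `http://` scheme on the two port-80 URLs the diary lists only as host plus GET path. The check for a 19-character base64 `__cfduid` value follows the diary's description of the Cobalt Strike POST URL.

```python
import re
from urllib.parse import urlsplit

# Indicators transcribed from the diary above, kept defanged exactly as published.
EMOTET_DLL_URLS = [
    "hxxps://www.yell[.]ge/nav_logo/cvLMav68/",
    "hxxp://airhobi[.]com/system/4Z6puOENN1DH2HYMzKLz/",
    "hxxp://zspwolawiazowa[.]pl/images/Qb86rcUXgBHhg/",   # returned no DLL, still worth flagging
    "hxxp://yudaisuzuki[.]jp/150911pre/nsA8XrN93S/",      # returned no DLL, still worth flagging
]
EMOTET_C2 = [
    ("164.90.222[.]65", 443), ("144.202.108[.]116", 8080), ("138.197.68[.]35", 8080),
    ("34.80.191[.]247", 7080), ("201.73.143[.]120", 8080), ("146.59.151[.]250", 443),
    ("162.243.103[.]246", 8080),
]
COBALT_STRIKE_HOSTS = ["distinctive-obi-mgw.aws-euw1.cloud-ara.tyk[.]io", "52.18.235[.]51"]
# The diary describes the beacon POST as /api/v2/status?__cfduid=<19 base64 characters>.
CS_BEACON_QUERY = re.compile(r"__cfduid=[A-Za-z0-9+/=]{19}")


def refang(ioc: str) -> str:
    """Undo the usual defanging (hxxp, [.], [:]) so indicators match real log data."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", ".")
               .replace("[:]", ":"))


def build_iocs():
    """Return refanged lookup sets: download URLs, C2 (ip, port) pairs, Cobalt Strike hosts."""
    urls = {refang(u) for u in EMOTET_DLL_URLS}
    c2 = {(refang(ip), port) for ip, port in EMOTET_C2}
    cs_hosts = {refang(h) for h in COBALT_STRIKE_HOSTS}
    return urls, c2, cs_hosts


def classify(line: str, urls, c2, cs_hosts):
    """Label one proxy-log line, or return None when it matches no indicator.

    Assumed log format (not from the diary): '<timestamp> <client-ip> <method> <target> <status>',
    where <target> is 'host:port' for CONNECT and a full URL for every other method.
    """
    parts = line.split()
    if len(parts) < 5:
        return None
    _ts, _src, method, target, _status = parts[:5]
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        if not port.isdigit():
            return None
        if (host, int(port)) in c2:
            return "emotet-c2"
        if host in cs_hosts:
            return "cobalt-strike-c2"
        return None
    if target in urls:
        return "emotet-dll-download"
    u = urlsplit(target)
    if u.hostname in cs_hosts:
        if u.path == "/api/v2/status" and CS_BEACON_QUERY.fullmatch(u.query):
            return "cobalt-strike-beacon-post"
        if u.path == "/api/v2/login":
            return "cobalt-strike-beacon-get"
        return "cobalt-strike-host"   # right host, unexpected URI: still report it
    return None


def sweep(log_text: str):
    """Return (client-ip, verdict, target) for every log line that hits an indicator."""
    urls, c2, cs_hosts = build_iocs()
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        verdict = classify(line, urls, c2, cs_hosts)
        if verdict:
            parts = line.split()
            hits.append((parts[1], verdict, parts[3]))
    return hits


# Constructed sample log for the example; these lines are not taken from the diary's pcap.
SAMPLE_LOG = """
2022-07-07T14:02:10Z 10.0.0.15 GET https://www.yell.ge/nav_logo/cvLMav68/ 200
2022-07-07T14:02:31Z 10.0.0.15 GET http://airhobi.com/system/4Z6puOENN1DH2HYMzKLz/ 200
2022-07-07T14:05:02Z 10.0.0.15 CONNECT 164.90.222.65:443 200
2022-07-07T14:05:40Z 10.0.0.15 CONNECT 144.202.108.116:8080 200
2022-07-07T14:09:13Z 10.0.0.15 POST https://distinctive-obi-mgw.aws-euw1.cloud-ara.tyk.io/api/v2/status?__cfduid=AbCdEfGhIjKlMnOpQrS 200
2022-07-07T14:10:00Z 10.0.0.22 GET https://www.example.com/ 200
2022-07-07T14:11:00Z 10.0.0.22 CONNECT 93.184.216.34:443 200
"""

if __name__ == "__main__":
    for src, verdict, target in sweep(SAMPLE_LOG):
        print(f"{src}  {verdict:28} {target}")
```

Two design points worth noting. Exact URL matching on the download stage is deliberate: Emotet's macro-generated paths are long random directories, so a full-URL match keeps false positives down, whereas the C2 stage is plain TLS to IP:port pairs and has to be matched on the CONNECT tuple. For the Cobalt Strike host, anything reaching it is reported even when the URI does not fit the `/api/v2/login` or `__cfduid` pattern, because a malleable-profile change would otherwise hide the beacon behind a host you already know is bad.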