{
	"id": "9595bb4f-c4c8-4b5c-8f5c-07d0ce897bc6",
	"created_at": "2026-04-06T00:21:47.205012Z",
	"updated_at": "2026-04-10T13:11:25.796722Z",
	"deleted_at": null,
	"sha1_hash": "c5ac072cab1671651a60626e3acdb99c7be85974",
	"title": "Emotet Returns - SANS Internet Storm Center",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3520730,
	"plain_text": "Emotet Returns - SANS Internet Storm Center\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 21:35:12 UTC\r\nIntroduction\r\nBack in January 2021, law enforcement and judicial authorities worldwide took down the Emotet botnet. Although some Emotet emails still went out in the weeks after that, those were remnants from the inactive botnet infrastructure. We hadn't seen any new Emotet since then.\r\nBut on Monday 2021-11-15, we saw indicators that Emotet has returned. This diary reviews activity from a recent Emotet infection.\r\nShown above: Chain of events for Emotet infection on Monday 2021-11-15.\r\nEmails\r\nWe found some emails from a newly-revived Emotet botnet on Monday 2021-11-15 that have one of three types of attachments:\r\nMicrosoft Excel spreadsheet\r\nMicrosoft Word document\r\nPassword-protected zip archive (password: BMIIVYHZ) containing a Word document\r\nThese emails were all spoofed replies that used data from stolen email chains, presumably gathered from previously infected Windows hosts.\r\nhttps://isc.sans.edu/diary/28044\r\nPage 1 of 10\r\nShown above: Example of Emotet malspam with password-protected zip attachment.\r\nShown above: Example of Emotet malspam with attached Word document.\r\nShown above: Example of Emotet malspam with attached Excel file.\r\nShown above: Screenshot of Word document for Emotet.\r\nShown above: Screenshot of Excel spreadsheet for Emotet.\r\nInfection traffic\r\nInfection traffic for Emotet is similar to what we saw before the takedown in January 2021. The only real difference is that Emotet post-infection C2 is now encrypted HTTPS instead of unencrypted HTTP. My infected lab host turned into a spambot trying to push out more Emotet malspam.\r\nShown above: Example of traffic generated by Excel or Word macros for an Emotet DLL.\r\nShown above: Traffic from an infection filtered in Wireshark.\r\nShown above: TCP stream of encrypted SMTP traffic from my infected Windows host.\r\nIndicators of Compromise (IOCs)\r\nThe following are Word documents, Excel files, and a password-protected zip archive I saw from Emotet on Monday 2021-11-15.\r\nSHA256 hash: 7c5690577a49105db766faa999354e0e4128e902dd4b5337741e00e1305ced24\r\nFile size: 143,401 bytes\r\nFile name: DOC_100045693068737895.docm\r\nFile name: DOC_10010148844855817699830.docm\r\nFile name: INF_10043023764772507433030.docm\r\nSHA256 hash: bd9b8fe173935ad51f14abc16ed6a5bf6ee92ec4f45fd2ae1154dd2f727fb245\r\nFile size: 143,121 bytes\r\nFile name: FILE_24561806179285605525.docm\r\nSHA256 hash: f7a4da96129e9c9708a005ee28e4a46af092275af36e3afd63ff201633c70285\r\nFile size: 132,317 bytes\r\nFile name: INF_4069641746481110.zip\r\nSHA256 hash: d95125b9b82df0734b6bc27c426d42dea895c642f2f6516132c80f896be6cf32\r\nFile size: 143,108 bytes\r\nFile name: INF_4069641746481110.docm\r\nSHA256 hash: 88b225f9e803e2509cc2b83c57ccd6ca8b6660448a75b125e02f0ac32f6aadb9\r\nFile size: 47,664 bytes\r\nFile name: FILE_10065732097649344691490.xlsm\r\nSHA256 hash: 1abd14d498605654e20feb59b5927aa835e5c021cada80e8614e9438ac323601\r\nFile size: 47,660 bytes\r\nFile name: SCAN_1002996108727260055496.xlsm\r\nThe following are URLs generated by macros from the above files for an Emotet DLL file:\r\nThe Emotet DLL was first stored under a random file name with a .dll extension in the C:\\ProgramData directory. It was then moved to a randomly-named directory under the infected user's AppData\\Local folder. The DLL is then made persistent through a Windows registry update as shown below.\r\nShown above: Example of registry update to keep Emotet persistent.\r\nSHA256 hashes for 7 examples of Emotet DLL files:\r\nHTTPS Emotet C2 traffic:\r\nFinal words\r\nThe email examples and malware samples from Monday's Emotet activity on 2021-11-15 can be found here.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/diary/28044",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://isc.sans.edu/diary/28044"
	],
	"report_names": [
		"28044"
	],
	"threat_actors": [],
	"ts_created_at": 1775434907,
	"ts_updated_at": 1775826685,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c5ac072cab1671651a60626e3acdb99c7be85974.pdf",
		"text": "https://archive.orkl.eu/c5ac072cab1671651a60626e3acdb99c7be85974.txt",
		"img": "https://archive.orkl.eu/c5ac072cab1671651a60626e3acdb99c7be85974.jpg"
	}
}