{
	"id": "97bcbc77-db26-462d-8484-01ea554f24bd",
	"created_at": "2026-04-06T00:22:14.191311Z",
	"updated_at": "2026-04-10T03:21:38.907131Z",
	"deleted_at": null,
	"sha1_hash": "d0664eb9d6cf81ca20cd0880be93c8f0f9a945cb",
	"title": "Wireshark Tutorial: Examining Emotet Infection Traffic",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59101491,
	"plain_text": "Wireshark Tutorial: Examining Emotet Infection Traffic\r\nBy Brad Duncan\r\nPublished: 2021-01-19 · Archived: 2026-04-05 14:24:28 UTC\r\nExecutive Summary\r\nThis tutorial is designed for security professionals who investigate suspicious network activity and review packet\r\ncaptures (pcaps). Familiarity with Wireshark is necessary to understand this tutorial, which focuses on Wireshark\r\nversion 3.x.\r\nEmotet is an information-stealer first reported in 2014 as banking malware. It has since evolved with additional\r\nfunctions such as a dropper, distributing other malware families like Gootkit, IcedID, Qakbot and Trickbot.\r\nToday’s Wireshark tutorial reviews recent Emotet activity and provides some helpful tips on identifying this\r\nmalware based on traffic analysis.\r\nNote: These instructions assume you have customized Wireshark as described in our previous Wireshark tutorial\r\nabout customizing the column display.\r\nYou will need to access a GitHub repository with ZIP archives containing the pcaps used for this tutorial.\r\nWarning: Some of the pcaps used for this tutorial contain Windows-based malware. There is a risk of infection if\r\nusing a Windows computer. If possible, we recommend you review these pcaps in a non-Windows environment\r\nlike BSD, Linux or macOS.\r\nChain of Events for an Emotet Infection\r\nTo understand network traffic caused by Emotet, you must first understand the chain of events leading to an\r\ninfection. Emotet is commonly distributed through malicious spam (malspam) emails. The critical step in an\r\nEmotet infection chain is a Microsoft Word document with macros designed to infect a vulnerable Windows host.\r\nhttps://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/\r\nPage 1 of 26\n\nFigure 1. 
Screenshot of a Word document used to cause an Emotet infection in January 2021.\r\nMalspam spreading Emotet uses different techniques to distribute these Word documents.\r\nThe malspam may contain an attached Microsoft Word document or have an attached ZIP archive containing the\r\nWord document. In recent months, we have seen several examples where these ZIP archives are password-protected. Some emails distributing Emotet do not have any attachments. Instead, they contain a link to download\r\nthe Word document.\r\nIn previous years, malspam pushing Emotet has also used PDF attachments with embedded links to deliver these\r\nEmotet Word documents.\r\nFigure 2 illustrates these four distribution techniques.\r\nFigure 2. Various distribution paths for an Emotet Word document.\r\nAfter the Word document is delivered, if a victim opens the document and enables macros on a vulnerable\r\nWindows host, the host is infected with Emotet.\r\nFrom a traffic perspective, we see the following steps from an Emotet Word document to an Emotet infection:\r\nWeb traffic to retrieve the initial binary.\r\nEncoded/encrypted command and control (C2) traffic over HTTP.\r\nAdditional infection traffic if Emotet drops follow-up malware.\r\nSMTP traffic if Emotet uses the infected host as a spambot.\r\nFigure 3 shows a flowchart of network activity we might find during an Emotet infection.\r\nFigure 3. Flowchart for an Emotet infection.\r\nSince Dec. 21, 2020, the initial binary for Emotet has been a Windows DLL file. Previously, this binary had been a\r\nWindows EXE file.\r\nEmotet C2 traffic consists of encoded or otherwise encrypted data sent over HTTP. This C2 activity can use either\r\nstandard or non-standard TCP ports associated with HTTP traffic. 
This C2 activity also consists of data exfiltration\r\nand traffic to update the initial Emotet binary.\r\nSince Emotet is also a malware dropper, the victim may become infected with other malware. Analysts should\r\nsearch for traffic from other malware when investigating traffic from an Emotet-infected host.\r\nFinally, an Emotet-infected host may also become a spambot generating large amounts of traffic over TCP ports\r\nassociated with SMTP like TCP ports 25, 465 and 587.\r\nPcaps of Emotet Infection Activity\r\nFive password-protected ZIP archives containing pcaps of recent Emotet infection traffic are available at this\r\nGitHub repository. Once on the GitHub page, click on each of the ZIP archive entries and download them, as\r\nshown in Figures 4 and 5.\r\nFigure 4. GitHub repository with links to ZIP archives used for this tutorial.\r\nFigure 5. Downloading one of the ZIP archives for this tutorial.\r\nUse infected as the password to extract pcaps from these ZIP archives. This should give you the following five\r\npcap files:\r\nExample-1-2021-01-06-Emotet-infection.pcap\r\nExample-2-2021-01-05-Emotet-with-spambot-traffic-part-1.pcap\r\nExample-3-2021-01-05-Emotet-with-spambot-traffic-part-2.pcap\r\nExample-4-2021-01-05-Emotet-infection-with-Trickbot.pcap\r\nExample-5-2020-08-18-Emotet-infection-with-Qakbot.pcap\r\nExample 1: Emotet Infection Traffic\r\nOpen Example-1-2021-01-06-Emotet-infection.pcap in Wireshark and use a basic web filter as described in our\r\nprevious tutorial about Wireshark filters. The basic filter for Wireshark 3.x is:\r\n(http.request or tls.handshake.type eq 1) and !(ssdp)\r\nIf you’ve set up Wireshark according to our initial tutorial about customizing Wireshark displays, your display\r\nshould look similar to Figure 6.\r\nFigure 6. 
Our first pcap in this tutorial filtered in Wireshark.\r\nAs shown in Figure 6, the first five HTTP GET requests represent four URLs used to retrieve the initial Emotet\r\nDLL. The traffic is:\r\nhangarlastik[.]com GET /cgi-bin/Ui4n/\r\nhangarlastik[.]com GET /cgi-sys/suspendedpage.cgi\r\npadreescapes[.]com GET /blog/0I/\r\nsarture[.]com GET /wp-includes/JD8/\r\nseo.udaipurkart[.]com GET /rx-5700-6hnr7/Sgms/\r\nThe first two URLs indicate hangarlastik[.]com no longer had the Emotet DLL file it had been hosting. Follow\r\nTCP streams for each of these requests to see replies to each of the HTTP GET requests.\r\nAn easier way to see the HTTP responses is to update your Wireshark basic web filter to include HTTP responses:\r\n(http.request or http.response or tls.handshake.type eq 1) and !(ssdp)\r\nThis will show HTTP responses in the Info column, as illustrated in Figure 7.\r\nFigure 7. Adding HTTP responses to the Wireshark display filter.\r\nNow we have a clearer picture of what happened when the Word macro tried to retrieve an Emotet DLL:\r\nhangarlastik[.]com GET /cgi-bin/Ui4n/\r\nHTTP/1.1 302 Found\r\nhangarlastik[.]com GET /cgi-sys/suspendedpage.cgi\r\nHTTP/1.1 200 OK\r\npadreescapes[.]com GET /blog/0I/\r\nHTTP/1.1 401 Unauthorized\r\nsarture[.]com GET /wp-includes/JD8/\r\nHTTP/1.1 403 Forbidden\r\nseo.udaipurkart[.]com GET /rx-5700-6hnr7/Sgms/\r\nThe only 200 OK was a reply for a suspended page notification from hangarlastik[.]com.\r\nThe HTTP GET request to seo.udaipurkart[.]com does not show a response, so follow the TCP stream for this\r\nrequest, as shown in Figure 8.\r\nFigure 8. 
Following TCP stream for the HTTP request to seo.udaipurkart[.]com.\r\nThe TCP stream shows indicators that seo.udaipurkart[.]com returned a Windows DLL file, as shown in Figure 9.\r\nFigure 9. Indicators of a DLL file returned from seo.udaipurkart[.]com.\r\nExport this DLL from the pcap by using the menu path:\r\nFile --\u003e Export Objects --\u003e HTTP,\r\nas shown in Figure 10. As always, we recommend you do not export this file in a Windows environment, since the\r\nDLL is Windows-based malware.\r\nFigure 10. Exporting the Emotet DLL from our first pcap.\r\nThe SHA256 hash for this extracted DLL is:\r\n8e37a82ff94c03a5be3f9dd76b9dfc335a0f70efc0d8fd3dca9ca34dd287de1b\r\nEmotet C2 traffic is encoded data sent using HTTP POST requests. You can easily find these requests in\r\nWireshark using the following filter:\r\nhttp.request.method eq POST\r\nThe results are shown in Figure 11.\r\nFigure 11. Filtering for HTTP POST requests in our first pcap.\r\nIn our first pcap, Emotet C2 traffic consists of HTTP POST requests to:\r\n5.2.136[.]90 over TCP port 80\r\n167.71.4[.]0 over TCP port 8080\r\nEmotet generates two types of HTTP POST requests for its C2 traffic. The first type of POST request ends with\r\nHTTP/1.1. The second type of POST request ends with HTTP/1.1 (application/x-www-form-urlencoded).\r\nFollow the TCP stream for the initial HTTP request to 5.2.136[.]90 at 16:42:34 UTC to see an example of the first\r\ntype of C2 POST request, as shown in Figure 12.\r\nFigure 12. The first type of HTTP POST request for Emotet C2 traffic.\r\nFigure 12 shows this POST request sends approximately 6 KB of form-data that appears to be an encoded or\r\nencrypted binary. 
Scroll down to the HTTP response to see encoded data returned from the server. Figure 13\r\nshows the start of this encoded data.\r\nFigure 13. Encoded data returned from the server in response to the HTTP POST request.\r\nThis type of encoded or encrypted data is how Emotet botnet servers exchange data with an infected Windows\r\nhost. This is also the channel Emotet uses to update the Emotet DLL and drop follow-up malware.\r\nThe second type of HTTP POST request for Emotet C2 traffic looks noticeably different than the first type. Use\r\nthe following filter in Wireshark to easily find the second type of HTTP POST request:\r\nurlencoded-form\r\nThis should return two HTTP POST requests to 167.71.4[.]0 over TCP port 8080, as shown in Figure 14.\r\nFigure 14. Filtering for the second type of HTTP POST request in Emotet C2 traffic.\r\nFollow the TCP stream for the first of these two HTTP POST requests at 16:58:43 UTC. Review the traffic. The\r\nresults are shown in Figure 15.\r\nFigure 15. TCP stream for the second type of HTTP POST request in Emotet C2 traffic.\r\nAs shown in Figure 15, some of the data sent in the POST request is encoded as a base64 string with some URL\r\nencoding. For example, %2B is used for a + symbol, %2F represents / and %3D is used for =.\r\nData sent in response from the server is encoded or otherwise encrypted.\r\nOur first pcap has no follow-up malware or other significant activity.\r\nThe only other activity is repeated connection attempts to 46.101.230[.]194 over TCP port 443. You can easily\r\nspot this activity by filtering on TCP SYN segments that are retransmissions. Use the following Wireshark filter:\r\ntcp.analysis.retransmission and tcp.flags eq 0x0002\r\nThe results are shown in Figure 16.\r\nFigure 16. 
Filtering on retransmissions of TCP SYN segments in Wireshark.\r\nAn Internet search on 46.101.230[.]194 should reveal this IP address has been used for Emotet C2 activity.\r\nThe remaining traffic in the pcap is system traffic generated by a Microsoft Windows 10 host.\r\nIn our next pcap, we examine an Emotet infection with spambot activity.\r\nExample 2: Emotet With Spambot Traffic, Part 1\r\nOpen Example-2-2021-01-05-Emotet-with-spambot-traffic-part-1.pcap in Wireshark and use a basic web filter,\r\nas shown in Figure 17.\r\nFigure 17. Traffic from the second pcap filtered in Wireshark using our basic web filter.\r\nSimilar to our first example, we see some HTTP GET requests before Emotet C2 traffic. These GET requests\r\nare attempts to download the initial Emotet DLL over web traffic. The first frame in the column display shows\r\nHTTPS traffic to obob[.]tv, which was probably a web request for the initial Emotet DLL, because this domain\r\nwas reported as hosting an Emotet binary on Jan. 5, 2021, the same date as the traffic in our pcap.\r\nFollow the TCP stream for the HTTP GET request to miprimercamino[.]com to confirm it returned an Emotet\r\nDLL. You should see indicators similar to Figure 9 from our first pcap. We can export the Emotet DLL returned\r\nfrom miprimercamino[.]com, as shown in Figure 18.\r\nFigure 18. Exporting the Emotet DLL from the pcap.\r\nThe SHA256 hash for the extracted DLL from our second pcap is:\r\n963b00584d8d63ea84585f7457e6ddcac9eda54428a432f388a1ffee21137316\r\nAgain, we find two types of HTTP POST requests for Emotet C2 traffic. 
To filter for each type of Emotet C2\r\nHTTP POST request, use the following Wireshark filters:\r\nFirst type: http.request.method eq POST and !(urlencoded-form)\r\nSecond type: urlencoded-form\r\nFollow TCP streams for the HTTP POST requests returned by these filters and confirm they follow the same\r\npatterns seen in our first pcap.\r\nAfter reviewing some examples of Emotet C2 traffic from this pcap, let’s move on to the spambot activity.\r\nIn this example, our infected host was turned into a spambot, so we also have SMTP traffic. The spambot SMTP\r\ntraffic is encrypted, but we can easily find it by using our basic web filter and scrolling down the column display.\r\nAt 20:06:20 UTC, the pcap starts showing SSL/TLS traffic to TCP ports associated with the SMTP email protocol,\r\nlike TCP ports 25, 465 and 587, as shown in Figure 19.\r\nFigure 19. Using the basic web filter and scrolling through the column display to find spambot\r\ntraffic.\r\nWe can filter on smtp to find some of the SMTP commands before encrypted SMTP tunnels are established.\r\nFigure 20 shows the results.\r\nFigure 20. Filtering for SMTP traffic in our second pcap.\r\nWe can sometimes find unencrypted SMTP from spambot traffic generated by an Emotet-infected Windows host.\r\nUnencrypted SMTP will reveal its message content, but the volume of encrypted SMTP from a spambot host is far\r\ngreater than the volume of unencrypted SMTP. 
Therefore, most of the spambot messages from an Emotet-infected\r\nhost are hidden within the encrypted traffic.\r\nIn this example, you should only see encrypted SMTP traffic.\r\nBut our next example is from later in this same infection, when we finally saw some unencrypted SMTP.\r\nExample 3: Emotet With Spambot Traffic, Part 2\r\nOpen Example-3-2021-01-05-Emotet-with-spambot-traffic-part-2.pcap in Wireshark and use a basic web filter,\r\nas shown in Figure 21.\r\nFigure 21. Traffic from the third pcap filtered in Wireshark using our basic web filter.\r\nIn this pcap, we still see HTTP POST requests for Emotet C2 traffic, at least twice each minute. We can also find\r\nencrypted spambot activity similar to our previous pcap.\r\nSpambot activity frequently generates a large amount of traffic. This pcap consists of 4 minutes and 42 seconds of\r\nspambot activity from the infected Windows host, and it’s over 21 MB of traffic.\r\nWe can quickly identify any unencrypted SMTP traffic by using the following Wireshark filter:\r\nsmtp.data.fragment\r\nFigure 22 shows the results of this filter for our third pcap. The filter reveals five examples of Emotet malspam\r\ngenerated by the infected Windows host.\r\nFigure 22. Filtering for indicators of unencrypted SMTP from spambot traffic.\r\nFollow the TCP stream for the last email from \"Gladisbel Miranda\" at 20:19:54 UTC. Examine what these\r\nmessages look like, as shown in Figure 23.\r\nFigure 23. TCP stream for an example of Emotet malspam from our third pcap.\r\nWe can export these five items of Emotet malspam by using the menu path File --\u003e Export Objects --\u003e IMF, as\r\nshown in Figure 24.\r\nFigure 24. 
Exporting Emotet malspam from our third pcap.\r\nExport these emails and examine them. Ideally, we recommend doing this in a non-Windows environment.\r\nThunderbird is a free email client you can use to see how a potential victim might view these emails.\r\nAs mentioned earlier, Emotet is also a malware downloader. Perhaps the most common malware distributed\r\nthrough Emotet is Trickbot.\r\nExample 4: Emotet Infection with Trickbot\r\nOpen Example-4-2021-01-05-Emotet-infection-with-Trickbot.pcap in Wireshark and use a basic web filter, as\r\nshown in Figure 25.\r\nFigure 25. Traffic from the fourth pcap filtered in Wireshark using our basic web filter.\r\nThis pcap does not have an HTTP GET request for an initial Emotet DLL. However, the first frame in our column\r\ndisplay shows HTTPS traffic to fathekarim[.]com. This was probably a web request for the Emotet DLL, because\r\nthis domain was reported as hosting an Emotet binary on Jan. 5, 2021, the same date as the traffic in our pcap.\r\nYou should find the same two types of HTTP POST requests associated with Emotet C2, as described in our\r\nprevious two pcaps.\r\nThis pcap also contains indicators of a Trickbot infection. Use your basic web filter and scroll down to find\r\nTrickbot traffic, as shown in Figure 26.\r\nFigure 26. Scrolling down the column display to find Trickbot indicators in our fourth pcap using a\r\nbasic web filter.\r\nWe’ve reviewed Trickbot in our previous Wireshark tutorial on examining Trickbot infections, but here is a quick\r\nrefresher. 
The following are common indicators for Trickbot:\r\nHTTPS traffic over TCP ports 447 or 449 without an associated domain or hostname.\r\nHTTP POST requests over standard or non-standard TCP ports for HTTP traffic that end with /81/, /83/ or\r\n/90/, which are associated with data exfiltration.\r\nWith Trickbot from Emotet infections, the above HTTP POST requests start with /mor followed by a\r\nnumber (only one or two digits seen so far).\r\nHTTP GET requests for URLs that end in .png that return additional Trickbot binaries.\r\nWe can easily find these indicators using the following Wireshark filters:\r\ntls.handshake.type eq 1 and (tcp.port eq 447 or tcp.port eq 449)\r\n(http.request.uri contains /81 or http.request.uri contains /83 or http.request.uri contains /90) and\r\nhttp.request.uri contains mor\r\nhttp.request.uri contains .png\r\nFigures 27-29 show the results from each of the above filters.\r\nFigure 27. Filtering for Trickbot HTTPS traffic over TCP port 447 or TCP port 449.\r\nFigure 28. Filtering for HTTP POST requests associated with Trickbot data exfiltration.\r\nFollow TCP streams for each of the HTTP POST requests shown in Figure 28 to see if any password data was\r\nexfiltrated. The last HTTP POST request ending with /90 contains data about the infected Windows host and its\r\nenvironment.\r\nFigure 29. Filtering for HTTP GET requests ending in .png associated with additional Trickbot\r\nbinaries.\r\nFollow TCP streams for each of the HTTP GET requests shown in Figure 29 to see if any Windows binaries were\r\nreturned. Doing so should reveal two Windows executable files. 
You can then export these binaries from the pcap\r\nusing File --\u003e Export Objects --\u003e HTTP, as discussed in our previous examples.\r\nSHA256 hashes for these two Windows binaries (both EXE files) are:\r\n59e1711d6e4323da2dc22cdee30ba8876def991f6e476f29a0d3f983368ab461 for mingup.png\r\ned8dea5381a7f6c78108a04344dc73d5669690b7ecfe6e44b2c61687a2306785 for saved.png\r\nTrickbot is the most common malware distributed by Emotet, but it is not the only one. Qakbot is another type of\r\nmalware frequently dropped on Emotet-infected Windows hosts.\r\nExample 5: Emotet Infection With Qakbot\r\nOpen Example-5-2020-08-18-Emotet-infection-with-Qakbot.pcap in Wireshark and use a basic web filter, as\r\nshown in Figure 30.\r\nFigure 30. Traffic from the fifth pcap filtered in Wireshark using our basic web filter.\r\nIn our fifth pcap, an Emotet Word document was retrieved from saketpranamam.mysquare[.]in at 21:23:50 UTC,\r\nwhich matches a URL reported as hosting an Emotet Word document on the same date. Export this Word\r\ndocument from the pcap using File --\u003e Export Objects --\u003e HTTP, as discussed in our previous examples.\r\nThe SHA256 hash for this extracted Word document is:\r\nc7f429dde8986a1b2fc51a9b3f4a78a92311677a01790682120ab603fd3c2fcb\r\nWe also see HTTPS traffic to samaritantec[.]com at 21:24:40 UTC. This domain was reported as hosting an\r\nEmotet binary on the same date.\r\nAs in our previous examples, you should find the same two types of HTTP POST requests associated with Emotet\r\nC2 traffic.\r\nAdditionally, this pcap contains indicators of a Qakbot infection. Use your basic web filter and scroll down to find\r\nQakbot traffic, as shown in Figure 31.\r\nFigure 31. 
Scrolling down the column display to find Qakbot indicators in our fifth pcap using a\r\nbasic web filter.\r\nWe’ve reviewed Qakbot in our previous Wireshark tutorial on examining Qakbot infections, but here is a quick\r\nrefresher. The following are common indicators for Qakbot:\r\nHTTPS traffic over standard and non-standard TCP ports for HTTPS.\r\nCertificate data for Qakbot HTTPS traffic has unusual values for the issuer fields, and the certificate is not\r\nissued by an authority based in the United States.\r\nTCP traffic over TCP port 65400.\r\nPrior to late November 2020, Qakbot commonly generated HTTPS traffic to cdn.speedof[.]me.\r\nPrior to late November 2020, Qakbot commonly generated HTTP GET requests to a.strandsglobal[.]com.\r\nWe can easily find these indicators by using the following Wireshark filters:\r\ntls.handshake.type eq 11 and !(x509sat.CountryName == US)\r\ntcp.port eq 65400\r\ntls.handshake.extensions_server_name contains speedof\r\nhttp.host contains strandsglobal\r\nFigures 32-35 show the results from each of the above filters.\r\nFigure 32. Filtering and searching for unusual certificate issuer data in HTTPS traffic generated by\r\nQakbot.\r\nIn Figure 32, the results of our first filter show several frames in the column display for traffic from\r\n71.80.66[.]107. Search through the frame details and find unusual certificate issuer data, as shown above.\r\nFigure 33. Filtering for Qakbot traffic over TCP port 65400.\r\nIn the above image, we find a single TCP stream of Qakbot traffic over TCP port 65400. This stream contains the\r\npublic IP address and a botnet identification string for the Qakbot-infected Windows host.\r\nFigure 34. 
Filtering for traffic to cdn.speedof[.]me, which is not inherently malicious, but a\r\nconnectivity check caused by Qakbot prior to late November 2020.\r\nFigure 35. Filtering for traffic to a.strandsglobal[.]com, typically generated by Qakbot prior to late\r\nNovember 2020.\r\nWhile Emotet has commonly dropped Trickbot and Qakbot, be aware that Emotet has also dropped other types of\r\nmalware such as Gootkit and IcedID.\r\nSource: https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/"
	],
	"report_names": [
		"wireshark-tutorial-emotet-infection"
	],
	"threat_actors": [],
	"ts_created_at": 1775434934,
	"ts_updated_at": 1775791298,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d0664eb9d6cf81ca20cd0880be93c8f0f9a945cb.pdf",
		"text": "https://archive.orkl.eu/d0664eb9d6cf81ca20cd0880be93c8f0f9a945cb.txt",
		"img": "https://archive.orkl.eu/d0664eb9d6cf81ca20cd0880be93c8f0f9a945cb.jpg"
	}
}