{
	"id": "a0fa402c-1965-40d8-b5c9-8617ade91797",
	"created_at": "2026-04-06T00:19:20.974184Z",
	"updated_at": "2026-04-10T03:35:44.212839Z",
	"deleted_at": null,
	"sha1_hash": "f2f20e3a3d733d5933dddbe65a12147df888b959",
	"title": "Hunting Emotet with Brim and Zeek",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2003761,
	"plain_text": "Hunting Emotet with Brim and Zeek\r\nBy Oliver Rochford\r\nPublished: 2020-12-08 · Archived: 2026-04-05 13:53:19 UTC\r\nThe US Cybersecurity and Infrastructure Security Agency (CISA) recently released an advisory warning of a resurgence of the Emotet malware.\r\nEmotet started out in 2014 as a banking Trojan, but has since evolved into a sophisticated malware platform, offered on the darknet as a commercial cybercrime-as-a-service offering.\r\nVictims are usually targeted with a phishing email containing a macro-enabled malicious document, or a link to one hosted on a compromised website. The malware frequently acts as a “dropper” and downloads additional components and payloads. Emotet has worming capabilities and may attempt to enumerate and infect further victims on accessible networks. Command and control (C2) is conducted via HTTP POST requests on ports 80, 443 and 8080 to randomly named alphanumeric directories on compromised C2 servers.\r\nWhat makes Emotet really dangerous is that it is sold as an operational platform to a variety of different threat actors with diverse motivations. Further, the malware can deploy different payloads depending on the objective, from stealing banking credentials to ransomware. It is essentially infrastructure-as-a-service for hacking. In practice this means that it constantly evolves and can come in many guises.\r\nWith Emotet on the rise again, blue teams and incident response teams should familiarise themselves with how this dangerous threat behaves and evaluate how best to detect and hunt it. Luckily, there are samples available. In this article, we are specifically working with the following sample from the good people at Malware Traffic Analysis:\r\n2020-09-01-Emotet-epoch-3-infection-with-Trickbot-gtag-mor119.pcap.zip\r\nWe’ll also be using the Brim Desktop client. Let’s go hunt!\r\nTIP! You can find detailed installation instructions for Brim on Windows, Linux and macOS under https://github.com/brimsec/brim/wiki/Installation\r\nFinding Patient X\r\nAs we discussed in the first article, a good first step when investigating malware is to look at the DNS activity, specifically which domains are being resolved. Zeek provides a DNS protocol analyzer for exactly this purpose.\r\nZeek’s DNS stream in Brim\r\nTo gain an overview of what’s going on, we’ll use a ZQL query to stack the queries by count:\r\n_path=dns | count() by query | sort -r\r\nCount of unique DNS queries\r\nWe see a number of different Windows network requests, for example for “WORKGROUP”, some legitimate “microsoft.com” requests, and single requests to threat-intelligence related addresses such as Spamhaus. 
We can right-click on any domain we do not recognise and verify it using VirusTotal.\r\nRight-click on any domain to validate it using VirusTotal\r\nVirusTotal flags one of the domains, “t-privat.de”, as malicious and known to have hosted malware in the past. We now have a trail to follow.\r\nVirusTotal shows the suspicious URI as malicious\r\nDetails for the malicious domain\r\nA nice little blind check at this point is to verify whether the domain’s A record, the IP address “81.169.145.161”, is present anywhere else in our dataset.\r\nHit! The IP address related to the VirusTotal alert matches our data\r\nThe search returns positive, so we are looking at the same threat that was submitted to VirusTotal. Note the file transfer via HTTP to an internal host. That’s something we want to investigate further.\r\nWe’ll revisit one of our Power Queries to show all of the file activity in our data that has a complete filename, but extend it with a tailored view showing only the fields that are relevant to us at this juncture:\r\nfilename!=null | cut _path, tx_hosts, rx_hosts, conn_uids, mime_type, filename, md5, sha1\r\nCurated file activity view. The plot thickens\r\nThere are a number of strange looking HTTP connections with filenames lacking any type of extension or MIME type. We also find the full filename, “UR608.exe”, from our malicious internet host “81.169.145.161” (t-privat.de). Thanks to Zeek’s MD5 and SHA1 file hash analyzers, we can query VirusTotal again, this time by hash.\r\n
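A worked version of the “Finding Patient X” steps above, as an added example that is not part of the original article: it stacks Zeek dns.log queries by count, pulls the A record for the domain we want to pivot on, checks where that address reappears across the other streams (the blind check), and then builds the curated file view and finds the host that received a flagged hash. It reads Zeek logs in JSON form with the _path field Brim shows. Every log line is constructed for the example: the uids, timestamps, all-zero hashes, the URI path and the 192.0.2.10 and 10.9.1.1 addresses are placeholders; only the indicators the article names (10.9.1.101, t-privat.de, 81.169.145.161, 118.110.236.121, UR608.exe) are real.

```python
import ipaddress
import json
from collections import Counter

# Constructed Zeek logs in JSON form (one object per line, _path names the
# stream as Brim shows it). Not from the article's pcap: uids, timestamps,
# hashes, the URI path and the 192.0.2.10 / 10.9.1.1 addresses are placeholders.
ZEEK_LOGS = """
{"_path":"dns","ts":1598967000.1,"uid":"C1dns","id.orig_h":"10.9.1.101","id.orig_p":51000,"id.resp_h":"10.9.1.1","id.resp_p":53,"query":"WORKGROUP","qtype_name":"A","rcode_name":"NXDOMAIN"}
{"_path":"dns","ts":1598967001.2,"uid":"C2dns","id.orig_h":"10.9.1.101","id.orig_p":51001,"id.resp_h":"10.9.1.1","id.resp_p":53,"query":"WORKGROUP","qtype_name":"A","rcode_name":"NXDOMAIN"}
{"_path":"dns","ts":1598967002.3,"uid":"C3dns","id.orig_h":"10.9.1.101","id.orig_p":51002,"id.resp_h":"10.9.1.1","id.resp_p":53,"query":"www.microsoft.com","qtype_name":"A","rcode_name":"NOERROR","answers":["192.0.2.10"]}
{"_path":"dns","ts":1598967003.4,"uid":"C4dns","id.orig_h":"10.9.1.101","id.orig_p":51003,"id.resp_h":"10.9.1.1","id.resp_p":53,"query":"t-privat.de","qtype_name":"A","rcode_name":"NOERROR","answers":["81.169.145.161"]}
{"_path":"conn","ts":1598967004.0,"uid":"C5http","id.orig_h":"10.9.1.101","id.orig_p":49712,"id.resp_h":"81.169.145.161","id.resp_p":80,"proto":"tcp","service":"http","conn_state":"SF"}
{"_path":"http","ts":1598967004.1,"uid":"C5http","id.orig_h":"10.9.1.101","id.orig_p":49712,"id.resp_h":"81.169.145.161","id.resp_p":80,"method":"GET","host":"t-privat.de","uri":"/UR608.exe","status_code":200,"resp_mime_types":["application/x-dosexec"]}
{"_path":"files","ts":1598967004.2,"fuid":"F1exe","tx_hosts":["81.169.145.161"],"rx_hosts":["10.9.1.101"],"conn_uids":["C5http"],"source":"HTTP","mime_type":"application/x-dosexec","filename":"UR608.exe","md5":"00000000000000000000000000000000","sha1":"0000000000000000000000000000000000000000"}
{"_path":"files","ts":1598967005.0,"fuid":"F2nohash","tx_hosts":["118.110.236.121"],"rx_hosts":["10.9.1.101"],"conn_uids":["C6post"],"source":"HTTP"}
"""


def parse_zeek_json(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def stack_dns_queries(records):
    """ZQL `_path=dns | count() by query | sort -r` as Python: (query, count),
    most frequent first. The singletons at the tail are the ones worth a look."""
    counts = Counter(r["query"] for r in records if r.get("_path") == "dns")
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def a_records(records, domain):
    """IPv4 answers Zeek saw for `domain`. CNAME and AAAA answers are skipped."""
    ips = set()
    for r in records:
        if r.get("_path") != "dns" or r.get("query", "").lower() != domain.lower():
            continue
        for answer in r.get("answers", []):
            try:
                ips.add(str(ipaddress.IPv4Address(answer)))
            except ValueError:
                pass  # not an IPv4 literal, nothing to pivot on
    return sorted(ips)


def pivot_ip(records, ip):
    """The blind check: every record in which `ip` is an endpoint, including the
    tx/rx host lists of the files stream. Returns (stream, uid-or-fuid) pairs."""
    hits = []
    for r in records:
        endpoints = {r.get("id.orig_h"), r.get("id.resp_h")}
        endpoints.update(r.get("tx_hosts", []))
        endpoints.update(r.get("rx_hosts", []))
        if ip in endpoints:
            hits.append((r["_path"], r.get("uid") or r.get("fuid")))
    return hits


FILE_FIELDS = ("_path", "tx_hosts", "rx_hosts", "conn_uids",
               "mime_type", "filename", "md5", "sha1")


def file_activity(records):
    """ZQL `filename!=null | cut <FILE_FIELDS>`: only files Zeek saw a name for,
    projected to the fields that matter at this stage."""
    return [{k: r.get(k) for k in FILE_FIELDS}
            for r in records if r.get("_path") == "files" and r.get("filename")]


def receivers_of(records, md5):
    """Internal hosts that received a file with this MD5 (the Patient X
    candidates). The hash itself is what you hand to VirusTotal."""
    rx = set()
    for r in records:
        if r.get("_path") == "files" and r.get("md5") == md5:
            rx.update(r.get("rx_hosts", []))
    return sorted(rx)


if __name__ == "__main__":
    recs = parse_zeek_json(ZEEK_LOGS)
    for query, n in stack_dns_queries(recs):
        print(f"{n:3d}  {query}")
    for ip in a_records(recs, "t-privat.de"):
        print(ip, "also seen in:", pivot_ip(recs, ip))
    for row in file_activity(recs):
        print(row)
    print("Patient X candidates:", receivers_of(recs, "0" * 32))
```

Run as a script it prints the stacked queries, the pivot hits for the resolved address and the curated file rows. Against real logs the same functions work on the output of `zeek -C -r capture.pcap LogAscii::use_json=T`, and `receivers_of` is called with whichever MD5 VirusTotal flagged.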
Our Patient X is “10.9.1.101”.\r\nEmotet sighted! VirusTotal confirms the file is associated with known malware.\r\nIdentifying Command and Control\r\nNow that we’ve verified the initial point of access, we can follow how the attack unfolded. When we reviewed the files contained in our data, we saw three other connections originating from the infected system. If we double-click on any of the records in question, we get a detailed view showing a waterfall of all application transactions and file payloads throughout the life of the flow:\r\nConnection Diagram for the suspicious HTTP requests from our Patient X\r\nWe can see a connection over a three minute period. If you’re familiar with Zeek, the “dpd” and “weird” events immediately stick out. Let’s look into these. You can pivot right into the relevant details by clicking on any entry in the Connection Diagram. Zeek’s Dynamic Protocol Detection (dpd) log records connections where an analyzer that was attached based on the traffic content later hit a protocol violation, for instance a session that started like HTTP but then stopped looking like it. The “weird” log, on the other hand, records unusual or malformed protocol activity that Zeek’s analyzers flag.\r\nBrim’s detailed view for Zeek’s “dpd” stream\r\nBrim’s detailed view for Zeek’s “weird” stream\r\nZeek has detected that the connection in question does not appear to be standard HTTP. Also of note is the non-standard destination port “8080” under “id.resp_p”, commonly used for HTTP proxying. 
We’d usually expect to see port 443 for web traffic, or port 80 for unencrypted HTTP. Attackers frequently attempt C2 via ports that have a high probability of being permitted through network access controls such as firewalls. VirusTotal also confirms that the IP address “118.110.236.121” is malicious. Lastly, when we look at the log detail for the initial HTTP request, we see that it is an HTTP POST. The random-character URI also seems suspicious:\r\nHTTP POST request to URI including randomized alphanumeric directory name\r\nA safe hunch is that this is the command and control (C2) traffic. When we filter the Zeek HTTP stream for our suspected C2 server “118.110.236.121” with the HTTP POST method, we can see the beaconing:\r\nEmotet C2 Traffic\r\nEnumerating Command and Control\r\nTIP! To evade detection and provide redundancy against C2 servers being blocked after inclusion in threat intelligence feeds, malware operators use a network of compromised systems for their command and control infrastructure. The list of C2 servers is constantly updated to stay one step ahead of threat researchers. If you’re interested in further details about how malware C2 works, see this article: https://searchsecurity.techtarget.com/feature/Command-and-control-servers-The-puppet-masters-that-govern-malware\r\nIt would be unusual for Emotet to rely on a single C2 instance.\r\n
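The C2 traits the article reads by eye (an HTTP POST, a non-standard web port, a URI that is nothing but a random alphanumeric directory name, a dpd violation on the same connection) as a check over Zeek’s http.log and dpd.log, with the per-destination beacon summary that the “filter for the C2 server with method POST” view shows. This is an added example, not code from the original article or from Brim. The log lines are constructed: uids, timestamps, URI strings, body sizes, the dpd failure text and the 192.0.2.x hosts are placeholders; the three destination addresses and port 8080 are the ones the article names, and the ports assumed for the other two C2 servers are guesses.

```python
import json
import re
import statistics
from collections import defaultdict

# Constructed http.log and dpd.log records (Zeek JSON form, _path as Brim shows
# it). Not from the article's pcap: uids, timestamps, URI strings, body sizes,
# the dpd failure text and the 192.0.2.x hosts are placeholders. The three
# destination addresses and port 8080 are the ones the article names; the ports
# for the other two C2 servers are assumed.
HTTP_LOGS = """
{"_path":"http","ts":1598967100.0,"uid":"Cp1","id.orig_h":"10.9.1.101","id.orig_p":49800,"id.resp_h":"118.110.236.121","id.resp_p":8080,"method":"POST","host":"118.110.236.121","uri":"/Hm7kQ2rZ9x/","status_code":200,"request_body_len":412,"response_body_len":132}
{"_path":"dpd","ts":1598967100.1,"uid":"Cp1","id.orig_h":"10.9.1.101","id.orig_p":49800,"id.resp_h":"118.110.236.121","id.resp_p":8080,"proto":"tcp","analyzer":"HTTP","failure_reason":"not a http reply line"}
{"_path":"http","ts":1598967160.0,"uid":"Cp2","id.orig_h":"10.9.1.101","id.orig_p":49801,"id.resp_h":"118.110.236.121","id.resp_p":8080,"method":"POST","host":"118.110.236.121","uri":"/xQ3tN8wL/","status_code":200,"request_body_len":398,"response_body_len":128}
{"_path":"http","ts":1598967220.0,"uid":"Cp3","id.orig_h":"10.9.1.101","id.orig_p":49802,"id.resp_h":"118.110.236.121","id.resp_p":8080,"method":"POST","host":"118.110.236.121","uri":"/Zk91Pq4Vb2/","status_code":200,"request_body_len":405,"response_body_len":130}
{"_path":"http","ts":1598967230.0,"uid":"Cp4","id.orig_h":"10.9.1.101","id.orig_p":49803,"id.resp_h":"45.230.228.26","id.resp_p":80,"method":"POST","host":"45.230.228.26","uri":"/aB3dE5fG7h/","status_code":200,"request_body_len":410,"response_body_len":0}
{"_path":"http","ts":1598967245.0,"uid":"Cp5","id.orig_h":"10.9.1.101","id.orig_p":49804,"id.resp_h":"195.123.242.119","id.resp_p":8080,"method":"POST","host":"195.123.242.119","uri":"/pL5mW2cX/","status_code":200,"request_body_len":401,"response_body_len":129}
{"_path":"http","ts":1598967250.0,"uid":"Cp6","id.orig_h":"10.9.1.101","id.orig_p":49805,"id.resp_h":"192.0.2.50","id.resp_p":443,"method":"POST","host":"update.example.net","uri":"/api/v1/telemetry","status_code":204,"request_body_len":200,"response_body_len":0}
{"_path":"http","ts":1598967260.0,"uid":"Cp7","id.orig_h":"10.9.1.101","id.orig_p":49806,"id.resp_h":"192.0.2.60","id.resp_p":80,"method":"GET","host":"www.example.com","uri":"/index.html","status_code":200,"request_body_len":0,"response_body_len":5120}
"""

WEB_PORTS = {80, 443}
# A URI that is nothing but one directory of 4+ alphanumerics, e.g. /Hm7kQ2rZ9x/
RANDOM_DIR = re.compile(r"^/[A-Za-z0-9]{4,}/?$")


def parse_zeek_json(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def suspicious_post(rec):
    """Reasons an http record matches the C2 traits called out above: HTTP POST,
    a non-standard web port, a random alphanumeric directory as the whole URI.
    An empty list means it looks like ordinary web traffic."""
    if rec.get("_path") != "http" or rec.get("method") != "POST":
        return []
    reasons = []
    port = rec.get("id.resp_p")
    if port not in WEB_PORTS:
        reasons.append(f"non-standard web port {port}")
    uri = rec.get("uri", "")
    segment = uri.strip("/")
    if (RANDOM_DIR.match(uri) and any(c.isdigit() for c in segment)
            and any(c.isalpha() for c in segment)):
        reasons.append("random alphanumeric directory URI")
    return reasons


def flag_c2_candidates(records):
    """Suspicious POSTs joined to dpd.log on uid: a protocol violation on the same
    connection is the corroboration the dpd stream gives. Sorted by time."""
    dpd_by_uid = {r["uid"]: r.get("failure_reason", "")
                  for r in records if r.get("_path") == "dpd"}
    out = []
    for r in records:
        reasons = suspicious_post(r)
        if not reasons:
            continue
        if r["uid"] in dpd_by_uid:
            reasons.append("dpd violation: " + dpd_by_uid[r["uid"]])
        out.append((r["ts"], r["id.resp_h"], r["id.resp_p"], r["uri"], reasons))
    return sorted(out)


def beacon_summary(records, orig_h):
    """Per (dst, port) for one source host: POST count, time span and median gap
    between POSTs. A steady gap over several POSTs is beaconing; a single POST
    is still a candidate but cannot show a cadence (median_gap_s is None)."""
    times = defaultdict(list)
    for r in records:
        if r.get("id.orig_h") == orig_h and suspicious_post(r):
            times[(r["id.resp_h"], r["id.resp_p"])].append(r["ts"])
    summary = {}
    for dst, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        summary[dst] = {"posts": len(ts), "span_s": ts[-1] - ts[0],
                        "median_gap_s": statistics.median(gaps) if gaps else None}
    return summary


def c2_denylist(records, orig_h):
    """Destination addresses to hand to the SIEM and the firewall deny list."""
    return sorted({dst for dst, _port in beacon_summary(records, orig_h)})


if __name__ == "__main__":
    recs = parse_zeek_json(HTTP_LOGS)
    for ts, dst, port, uri, reasons in flag_c2_candidates(recs):
        print(f"{ts:.1f} {dst}:{port} {uri} <- {', '.join(reasons)}")
    for dst, stats in beacon_summary(recs, "10.9.1.101").items():
        print(dst, stats)
    print("deny:", c2_denylist(recs, "10.9.1.101"))
```

The POST to `/api/v1/telemetry` on 443 in the sample data is the control case: a legitimate application POST matches none of the traits and is not flagged, which is the point of scoring on several traits rather than on `method=POST` alone. Real Emotet cadences are noisier than the sixty-second gap in the constructed data, so treat the median gap as a sorting key, not a threshold.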
One way we can quickly validate this is to search for any additional HTTP POST requests Patient X may be sending:\r\nid.orig_h=10.9.1.101 method=POST | cut ts, uid, id, method, uri, status_code\r\nHTTP POST activity from Patient X\r\nWorryingly, Patient X is making a number of other suspicious HTTP POST requests, all of which receive successful responses. VirusTotal confirms that all of the involved destination IP addresses are malicious.\r\nVirusTotal confirms our suspicious IP address is malicious\r\nA further search for the malicious IP addresses in our data yields no further results, but of course we can now take our list (45.230.228.26, 118.110.236.121, 195.123.242.119) and conduct further searches across other detection and search tools, for example a SIEM, as well as adding them to our access control deny list.\r\nEvaluating the spread of infection\r\nAs Emotet is known to propagate via the network, we should also establish whether any other hosts have been infected.\r\nFirst let’s see what sort of traffic our data contains. We can lean on Zeek’s streams here again, and generate a list of every stream contained in the packet capture with associated counts:\r\n_path | count() by _path | sort -r\r\nZeek Streams by count\r\nInterestingly enough, we don’t see any activity that would indicate internal reconnaissance or propagation. If present, we’d typically expect to see something like Windows SMB and DCE/RPC activity here.\r\n
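The spread check as code, added here as an example that is not part of the original article: the stream count is the ZQL `count() by _path` view, the internal-peer query reproduces the CIDR filter ZQL’s ip type gives you natively (here via Python’s ipaddress module), and two lateral-movement checks look for what Emotet’s worming would leave in conn.log: the SMB and DCE/RPC services the article expects, and, because failed connection attempts never get a service label, the fan-out of distinct internal peers tried on port 445. The records are constructed: uids, ports and timestamps are placeholders, 10.9.1.1 and 10.9.1.2 stand in for the two internal DNS servers the article finds, and host 10.9.1.102 with its SMB traffic is an invented positive control so the checks have something to find; 10.9.1.101 and the external addresses are the article’s own indicators.

```python
import ipaddress
import json
from collections import Counter

# Constructed Zeek records (JSON form, _path as Brim shows it). Not from the
# article's pcap: uids, ports and timestamps are placeholders, 10.9.1.1 and
# 10.9.1.2 stand in for the two internal DNS servers, and host 10.9.1.102 with
# its SMB traffic is an invented positive control so the lateral-movement check
# has something to find. 10.9.1.101 and the external addresses are the
# article's own indicators.
CONN_LOGS = """
{"_path":"conn","ts":1598967000.1,"uid":"Cc1","id.orig_h":"10.9.1.101","id.orig_p":51000,"id.resp_h":"10.9.1.1","id.resp_p":53,"proto":"udp","service":"dns","conn_state":"SF"}
{"_path":"conn","ts":1598967001.2,"uid":"Cc2","id.orig_h":"10.9.1.101","id.orig_p":51001,"id.resp_h":"10.9.1.1","id.resp_p":53,"proto":"udp","service":"dns","conn_state":"SF"}
{"_path":"conn","ts":1598967002.3,"uid":"Cc3","id.orig_h":"10.9.1.101","id.orig_p":51002,"id.resp_h":"10.9.1.2","id.resp_p":53,"proto":"udp","service":"dns","conn_state":"SF"}
{"_path":"dns","ts":1598967000.1,"uid":"Cc1","id.orig_h":"10.9.1.101","id.orig_p":51000,"id.resp_h":"10.9.1.1","id.resp_p":53,"query":"t-privat.de"}
{"_path":"dns","ts":1598967001.2,"uid":"Cc2","id.orig_h":"10.9.1.101","id.orig_p":51001,"id.resp_h":"10.9.1.1","id.resp_p":53,"query":"www.microsoft.com"}
{"_path":"dns","ts":1598967002.3,"uid":"Cc3","id.orig_h":"10.9.1.101","id.orig_p":51002,"id.resp_h":"10.9.1.2","id.resp_p":53,"query":"WORKGROUP"}
{"_path":"conn","ts":1598967004.0,"uid":"Cc4","id.orig_h":"10.9.1.101","id.orig_p":49712,"id.resp_h":"81.169.145.161","id.resp_p":80,"proto":"tcp","service":"http","conn_state":"SF"}
{"_path":"http","ts":1598967004.1,"uid":"Cc4","id.orig_h":"10.9.1.101","id.orig_p":49712,"id.resp_h":"81.169.145.161","id.resp_p":80,"method":"GET","uri":"/UR608.exe"}
{"_path":"conn","ts":1598967100.0,"uid":"Cc5","id.orig_h":"10.9.1.101","id.orig_p":49800,"id.resp_h":"118.110.236.121","id.resp_p":8080,"proto":"tcp","service":"http","conn_state":"SF"}
{"_path":"http","ts":1598967100.0,"uid":"Cc5","id.orig_h":"10.9.1.101","id.orig_p":49800,"id.resp_h":"118.110.236.121","id.resp_p":8080,"method":"POST","uri":"/Hm7kQ2rZ9x/"}
{"_path":"conn","ts":1598967300.0,"uid":"Cc6","id.orig_h":"10.9.1.102","id.orig_p":50100,"id.resp_h":"10.9.1.50","id.resp_p":445,"proto":"tcp","service":"smb,gssapi,dce_rpc","conn_state":"SF"}
{"_path":"conn","ts":1598967301.0,"uid":"Cc7","id.orig_h":"10.9.1.102","id.orig_p":50101,"id.resp_h":"10.9.1.51","id.resp_p":445,"proto":"tcp","conn_state":"S0"}
{"_path":"conn","ts":1598967302.0,"uid":"Cc8","id.orig_h":"10.9.1.102","id.orig_p":50102,"id.resp_h":"10.9.1.52","id.resp_p":445,"proto":"tcp","conn_state":"REJ"}
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Services the article expects worming to leave in conn.log (Zeek joins several
# with commas). Adding ntlm, krb or rdp here is a reasonable extension, not the article's.
LATERAL_SERVICES = {"smb", "dce_rpc"}


def parse_zeek_json(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def streams_by_count(records):
    """ZQL `count() by _path | sort -r`: which Zeek streams the capture holds."""
    counts = Counter(r["_path"] for r in records)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def in_cidr(ip, net):
    """ZQL's ip type does this natively; ipaddress gives the same test here.
    A v6 address against a v4 network simply returns False."""
    return ipaddress.ip_address(ip) in net


def internal_peers(records, orig_h, cidr="10.0.0.0/8"):
    """ZQL `id.orig_h=<orig_h> id.resp_h=~<cidr> | count() by id.resp_h, _path`."""
    net = ipaddress.ip_network(cidr)
    counts = Counter()
    for r in records:
        if r.get("id.orig_h") == orig_h and "id.resp_h" in r and in_cidr(r["id.resp_h"], net):
            counts[(r["id.resp_h"], r["_path"])] += 1
    return sorted(counts.items())


def lateral_movement(records, orig_h):
    """conn records from orig_h to a private address carrying a service that points
    at enumeration or propagation. An empty result means the capture holds no
    evidence of spread, not that none happened."""
    hits = []
    for r in records:
        if r.get("_path") != "conn" or r.get("id.orig_h") != orig_h:
            continue
        if not any(in_cidr(r["id.resp_h"], net) for net in RFC1918):
            continue
        services = set(filter(None, (r.get("service") or "").split(",")))
        if services & LATERAL_SERVICES:
            hits.append((r["id.resp_h"], r["id.resp_p"], sorted(services)))
    return hits


def fan_out(records, orig_h, port=445):
    """Distinct private peers orig_h tried on `port`, whether or not the connection
    completed. Failed attempts (conn_state S0/REJ) never get a service label, so
    a sweep of the subnet only shows up by counting peers, not by service."""
    peers = set()
    for r in records:
        if (r.get("_path") == "conn" and r.get("id.orig_h") == orig_h
                and r.get("id.resp_p") == port
                and any(in_cidr(r["id.resp_h"], net) for net in RFC1918)):
            peers.add(r["id.resp_h"])
    return sorted(peers)


if __name__ == "__main__":
    recs = parse_zeek_json(CONN_LOGS)
    print(streams_by_count(recs))
    for (peer, stream), n in internal_peers(recs, "10.9.1.101"):
        print(f"{n:3d}  {peer:<12} {stream}")
    for host in ("10.9.1.101", "10.9.1.102"):
        print(host, "lateral:", lateral_movement(recs, host), "445 fan-out:", fan_out(recs, host))
```

For Patient X the output matches the article’s finding: only conn and dns records to the two DNS servers, and nothing on the lateral checks. The invented host 10.9.1.102 shows what a positive would look like: one completed SMB session plus two failed attempts on 445, which `lateral_movement` alone would miss and `fan_out` catches.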
This does not necessarily mean that no further infection occurred, just that we don’t have any indicators in our data.\r\nLastly, just to be sure, we’ll enumerate any connections our Patient X may have attempted on the internal network. For this, we’re going to use ZQL’s rich data typing, specifically that there is an IP address data type that supports CIDR filtering:\r\nid.orig_h=10.9.1.101 id.resp_h=~10.0.0.0/8 | count() by id.resp_h,_path\r\nAll connections in the 10.0.0.0/8 subnet that Patient X communicated with\r\nWe see there is some DNS traffic to two other hosts, which we may assume are DNS servers. Nothing in the data indicates further infections.\r\nPutting it all together\r\nWhile we didn’t see any propagation events, we did successfully pinpoint the initial infection, identify Patient X and enumerate the C2 servers. This will allow us to conduct further threat hunting, develop detections and create signatures and watch lists for blocking the threat on the network. The diagram below outlines the activity we’ve been investigating:\r\nEmotet Sample observed activity\r\nEmotet Incident outline\r\nObserved Indicators of Compromise\r\nThe indicators named in this article: the domain t-privat.de and its A record 81.169.145.161, the downloaded file UR608.exe, the infected host 10.9.1.101, and the C2 servers 45.230.228.26, 118.110.236.121 and 195.123.242.119.\r\nObserved MITRE ATT\u0026CK Techniques\r\nWe assume that the malicious file we observed being downloaded from “t-privat.de” was the tail end of an initial phishing attempt. 
That would entail the following MITRE ATT\u0026CK techniques:\r\nT1566.002 Phishing: Spearphishing Link\r\nEmotet has been delivered by phishing emails containing links.\r\nT1204.001 User Execution: Malicious Link\r\nEmotet has relied upon users clicking on a malicious link delivered through spearphishing.\r\nThe following technique under the Command and Control tactic (TA0011) was also observed:\r\nT1071.001 Application Layer Protocol: Web Protocols\r\nAdversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\r\nConclusion\r\nWe hope you enjoyed our little Emotet safari. There’s also a video version of this article, which you can find at https://www.youtube.com/watch?v=CW1rNrd7KYU.\r\nAlso, don’t forget to check out our last two articles, Five Elegant Brim Queries to Threat Hunt in Zeek Logs and Packet Captures and Investigating Network Traffic Activity using Brim and Zeek. And watch this space, there’s more coming soon!\r\nIn the meantime, if you haven’t checked out Brim yet, go ahead. It’s free and it’s open source.\r\nhttps://www.brimsecurity.com/\r\nSource: https://medium.com/brim-securitys-knowledge-funnel/hunting-emotet-with-brim-and-zeek-1000c2f5c1ff",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/brim-securitys-knowledge-funnel/hunting-emotet-with-brim-and-zeek-1000c2f5c1ff"
	],
	"report_names": [
		"hunting-emotet-with-brim-and-zeek-1000c2f5c1ff"
	],
	"threat_actors": [],
	"ts_created_at": 1775434760,
	"ts_updated_at": 1775792144,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f2f20e3a3d733d5933dddbe65a12147df888b959.pdf",
		"text": "https://archive.orkl.eu/f2f20e3a3d733d5933dddbe65a12147df888b959.txt",
		"img": "https://archive.orkl.eu/f2f20e3a3d733d5933dddbe65a12147df888b959.jpg"
	}
}