Emotet is back. Here's what we know. | Intel471 Skip to content
blog article

Emotet is back. Here's what we know.

This marks the first time we observed Emotet malware activity after a takedown was announced in January.

Nov 16, 2021
Adobe Stock 464699220 min

Months after law enforcement agencies took down the notorious Emotet botnet, Intel 471 observed the Trickbot banking trojan downloading and executing possible updated Emotet binaries. This marks the first time we observed Emotet malware activity after the takedown was announced in January.

Bots associated with Trickbot, tagged several different gtags (lip125, fat2, top118 and others), received a download-and-execute command.

The distribution URL was:

 hxxp://141.94.176.124/Loader_90563_1.dll

The sample hash:

c7574aac7583a5bdc446f813b8e347a768a9f4af858404371eae82ad2d136a01


Embedded Emotet C2 addresses:

  • hxxp://103.8.26.102:8080
  • hxxp://94.177.248.64:443
  • hxxp://207.38.84.195:8080
  • hxxp://185.184.25.237:8080
  • hxxp://212.237.5.209:443
  • hxxp://138.185.72.26:8080
  • hxxp://81.0.236.93:443
  • hxxp://58.227.42.236:80
  • hxxp://178.79.147.66:8080
  • hxxp://66.42.55.5:7080
  • hxxp://103.8.26.103:8080
  • hxxp://51.68.175.8:8080
  • hxxp://104.251.214.46:8080
  • hxxp://195.154.133.20:443
  • hxxp://188.93.125.116:8080
  • hxxp://45.118.135.203:7080
  • hxxp://103.75.201.2:443
  • hxxp://45.142.114.231:8080
  • hxxp://45.76.176.10:8080
  • hxxp://210.57.217.132:8080


Our analysis is ongoing, but differences we've discovered so far between this new Emotet sample and the older version are mostly around the communication protocol. New Emotet uses elliptic-curve cryptography (ECC) where the older Emotet favored RSA.

We said back in January that “time will tell if the takedown will have a long-term impact on Emotet operations. The groups who run these botnets are sophisticated and resilient, and will most likely have some sort of inherent recovery in place.” While that recovery took months, the resiliency displayed here shows that the cat-and-mouse game with Emotet’s developers will continue into 2022.

We can’t definitively say if Emotet is back for real or if this is some sort of test, but this shows that the actors that control Emotet’s source code are not done with it yet.

Intel 471 is performing an in-depth analysis of the collected sample and will provide an update when additional information is obtained.

Related Blogs

Targeted Phishing Linked to 'The Com' Surges
Targeted Phishing Linked to 'The Com' Surges
Countering Cyber Extortion and Hacktivism
Countering Cyber Extortion and Hacktivism
Cybercrime Exposed Podcast: Crypto Heist
Cybercrime Exposed Podcast: Crypto Heist
What Lies Ahead After LockBit’s Disruption?
What Lies Ahead After LockBit’s Disruption?
Featured Resource
Rsz adobestock 463542729

AresLoader is a new loader malware-as-a-service (MaaS) offered by threat actors with links to Russian hacktivism that was spotted recently in the wild.

© 2024 Intel471  |  Privacy Policy  |  Terms of Service  |  End User Agreement  |  Modern Slavery and Human Trafficking Statement