This article is based on samples collected by Mr. Brad Duncan through his excellent lab: 2022-01-20 (THURSDAY) – EMOTET EPOCH 4 AND EPOCH 5 INFECTIONS
Emotet epoch4:
The initial infection in the pcap file (2022-01-20-Emotet-epoch4-infection-with-spambot-activity.pcap) occurs at around 2022-01-20 19:37 UTC. When the victim clicks on the link in the spam mail, they access the address mangaloresoundandlights[.]com:
If the access is successful, the victim is asked to download an Excel file similar to the one in the image below. The file has a random name on each access; in Mr. Brad Duncan’s summary, the file he downloaded is named 12772684608453.xls: