2018-03-21 - EMOTET MALSPAM EXAMPLES AND INFECTION TRAFFIC

ASSOCIATED FILES:

  • 2018-03-21-Emotet-malspam-tracker-10-examples.csv   (2,138 bytes)
  • 2018-03-21-Emotet-malspam-0736-UTC.eml   (2,487 bytes)
  • 2018-03-21-Emotet-malspam-0819-UTC.eml   (2,053 bytes)
  • 2018-03-21-Emotet-malspam-1015-UTC.eml   (1,818 bytes)
  • 2018-03-21-Emotet-malspam-1018-UTC.eml   (2,190 bytes)
  • 2018-03-21-Emotet-malspam-1040-UTC.eml   (1,085 bytes)
  • 2018-03-21-Emotet-malspam-1233-UTC.eml   (1,813 bytes)
  • 2018-03-21-Emotet-malspam-1313-UTC.eml   (2,238 bytes)
  • 2018-03-21-Emotet-malspam-1359-UTC.eml   (1,986 bytes)
  • 2018-03-21-Emotet-malspam-1435-UTC.eml   (2,053 bytes)
  • 2018-03-21-Emotet-malspam-1522-UTC.eml   (1,972 bytes)
  • 2018-03-21-Emotet-malspam-infection-traffic.pcap   (969,538 bytes)
  • PivotMonet.exe   (139,264 bytes)
  • Tracking 5230576-PG-ASNX.doc   (214,016 bytes)

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs:

 

EMAILS


Shown above:  Screenshot from one of the emails.

 

10 EMAIL SAMPLES:

 

URLS FROM THE EMAILS TO DOWNLOAD THE INITIAL WORD DOCUMENT:

 


Shown above:  Word document downloaded from one of the email links.

 

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

 

URLS FROM THE WORD MACRO TO DOWNLOAD EMOTET (FROM ANY.RUN ANALYSIS):

 

EMOTET BINARY ATTEMPTED TCP CONNECTIONS (FROM REVERSE.IT ANALYSIS):

 

NETWORK TRAFFIC FROM AN INFECTED LAB HOST:

 

FILE HASHES

DOWNLOADED WORD DOCUMENT:

EMOTET BINARY:

 

IMAGES


Shown above:  Emotet made persistent on my infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

Click here to return to the main page.