2018-03-26 - EMOTET MALSPAM

ASSOCIATED FILES:

  • 2018-03-26-Emotet-malspam-tracker-20-examples.csv   (2,626 bytes)
  • 2018-03-26-Emotet-malspam-20-email-examples.txt   (22,114 bytes)
  • 2018-03-26-Emotet-malspam-infection-traffic.pcap   (608,865 bytes)
  • 2018-03-26-Word-doc-with-macro-for-Emotet.doc   (202,752 bytes)
  • 2018-03-26-Emotet-binary-example-1-of-2.exe   (139,264 bytes)
  • 2018-03-26-Emotet-binary-example-2-of-2.exe   (135,168 bytes)

 

NOTES:


Shown above:  Flow chart for an infection.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs:

 

EMAILS


Shown above:  Screenshot from one of the emails.

 

20 EMAIL SAMPLES:

 

URLS FROM THE EMAILS TO DOWNLOAD THE INITIAL WORD DOCUMENT:

 


Shown above:  Word document downloaded from one of the email links.

 

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

 

URLS FROM WORD DOCUMENT MACRO TO DOWNLOAD EMOTET BINARY (THANKS TO ANY.RUN FAKENET ANALYSIS)::

 

EMOTET POST-INFECION TRAFFIC (THANKS TO @pollo290987)::

NOTE: ** notes the post-infection traffic I saw on my infected lab host.

 

FILE HASHES

DOWNLOADED WORD DOCUMENT:

EMOTET BINARY EXAMPLE 1 OF 2:

EMOTET BINARY EXAMPLE 2 OF 2:

 

IMAGES


Shown above:  Emotet binary persistent on an infected Windows host in my lab.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

Click here to return to the main page.