2018-05-04 - MALSPAM PUSHING EMOTET MOVED FROM LINKS TO ATTACHMENTS THIS WEEK

ASSOCIATED FILES:

  • 2018-05-04-Emotet-malspam-infection-traffic.pcap   (1,148,850 bytes)
  • 2018-05-03-Emotet-malspam-1537-UTC.eml   (178,234 bytes)
  • 2018-05-03-Emotet-malspam-1627-UTC.eml   (178,116 bytes)
  • 2018-05-03-attached-Word-doc-with-macro-for-Emotet.doc   (129,536 bytes)
  • 2018-05-04-downloaded-Emotet-binary.exe   (142,848 bytes)

NOTES:


Shown above:  Flow chart for recent Emotet malspam infections.


WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs:


EMAILS


Shown above:  Screenshot from one of the emails.


EMAIL HEADERS, EXAMPLE 1 OF 2:

Received: from 10.0.0.22 (60.247.97.180) by [removed] for [removed];
        Thu, 3 May 2018 11:37:53 -0400
Date: Thu, 3 May 2018 23:37:53 +0800
From: "[removed]" <[removed]@[removed]>
To: [removed]
Message-ID: <134428643353.201853153753@[recipient's email domain]>
Subject: ACH Payment info
Attachment name: Outstanding Invoices.doc


EMAIL HEADERS, EXAMPLE 2 OF 2:

Received: from 10.0.0.52 ([200.94.97.237]) by [removed] for [removed];
        Thu, 03 May 2018 08:27:31 -0700
Date: Thu, 03 May 2018 10:27:30 -0600
From: "[removed]" <[removed]@[removed]>
To: [removed]
Message-ID: <16037604816.201853152730@[recipient's email domain]>
Subject: ACH Payment Advice
Attachment name: Scan.doc
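The two header blocks above carry the details a defender pulls out first when triaging a malspam sample: the address the sender claimed in the Received line versus the IP that actually connected, the gap between the sender's Date header and the time the message arrived, and whether the attachment is a macro-capable Office format. The following Python script is an added example, not part of the original post; it reproduces the two header blocks from this page verbatim (redactions left as "[removed]") and turns each into a small triage record. The field names in the returned dictionary are my own choices, not a standard.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime
from ipaddress import ip_address

# Header blocks reproduced from the page; "[removed]" is the author's redaction.
EXAMPLE_1 = """Received: from 10.0.0.22 (60.247.97.180) by [removed] for [removed];
        Thu, 3 May 2018 11:37:53 -0400
Date: Thu, 3 May 2018 23:37:53 +0800
From: "[removed]" <[removed]@[removed]>
To: [removed]
Message-ID: <134428643353.201853153753@[recipient's email domain]>
Subject: ACH Payment info
Attachment name: Outstanding Invoices.doc
"""

EXAMPLE_2 = """Received: from 10.0.0.52 ([200.94.97.237]) by [removed] for [removed];
        Thu, 03 May 2018 08:27:31 -0700
Date: Thu, 03 May 2018 10:27:30 -0600
From: "[removed]" <[removed]@[removed]>
To: [removed]
Message-ID: <16037604816.201853152730@[recipient's email domain]>
Subject: ACH Payment Advice
Attachment name: Scan.doc
"""

# Legacy and macro-enabled Office extensions that can carry VBA macros.
MACRO_CAPABLE = {".doc", ".dot", ".docm", ".dotm", ".xls", ".xlsm", ".xlsb", ".ppt", ".pptm"}

# "from <claimed> (<connecting ip>)" with or without square brackets around the IP.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[?([\d.]+)\]?\)")


def parse_headers(raw: str) -> dict:
    """Unfold RFC 5322 style headers (continuation lines start with whitespace)."""
    headers, last = {}, None
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and last is not None:
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers


def triage(raw: str) -> dict:
    """Build a triage record from one header block (field names are my own)."""
    h = parse_headers(raw)

    m = RECEIVED_RE.search(h["received"])
    claimed, connecting = (m.group(1), m.group(2)) if m else (None, None)

    # The timestamp after the final ';' is the receiving server's own clock.
    received_at = parsedate_to_datetime(h["received"].rpartition(";")[2].strip())
    date_at = parsedate_to_datetime(h["date"])

    attachment = h.get("attachment name", "")
    ext = attachment[attachment.rfind("."):].lower() if "." in attachment else ""

    msg_id = h.get("message-id", "").strip("<>")
    local_part, _, msg_domain = msg_id.rpartition("@")

    return {
        "claimed_host": claimed,
        "claimed_is_private": bool(claimed) and ip_address(claimed).is_private,
        "connecting_ip": connecting,
        "connecting_is_global": bool(connecting) and ip_address(connecting).is_global,
        "received_utc": received_at.astimezone(timezone.utc).isoformat(),
        "date_utc": date_at.astimezone(timezone.utc).isoformat(),
        # Positive means the sender's Date header is ahead of the arrival time.
        "clock_skew_seconds": int((date_at - received_at).total_seconds()),
        "subject": h.get("subject"),
        "attachment": attachment,
        "macro_capable_attachment": ext in MACRO_CAPABLE,
        "message_id_domain": msg_domain,
        # Both samples use a purely numeric "digits.digits" local part.
        "message_id_numeric_local_part": bool(re.fullmatch(r"\d+\.\d+", local_part)),
    }


if __name__ == "__main__":
    for sample in (EXAMPLE_1, EXAMPLE_2):
        for key, value in triage(sample).items():
            print(f"{key:32} {value}")
        print()
```

Run as-is, the script shows what the two samples have in common: a private-range address claimed in the Received line with a public connecting IP in parentheses, a .doc attachment, an "ACH Payment" subject, and a numeric Message-ID local part under the recipient's own domain. Clock skew is reported rather than judged; the first sample's Date header matches arrival time exactly, the second is about an hour ahead.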



Shown above:  Malicious Word document attached to one of the emails.


TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.


NETWORK TRAFFIC FROM AN INFECTED WINDOWS HOST:


FILE HASHES

MALWARE FROM AN INFECTED WINDOWS HOST:


Shown above:  Emotet malware persistent on my infected Windows host.


FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
