2018-05-28 THRU 2018-05-31 - END OF MONTH ROUND-UP: EMOTET MALSPAM AND INFECTION TRAFFIC

ASSOCIATED FILES:

  • 2018-05-28-thru-2018-05-31-Emotet-malspam-tracker.csv   (2,411 bytes)
  • 2018-05-28-Emotet-malspam-0655-UTC.eml   (144,069 bytes)
  • 2018-05-28-Emotet-malspam-0725-UTC.eml   (176,276 bytes)
  • 2018-05-28-Emotet-malspam-1311-UTC.eml   (882 bytes)
  • 2018-05-28-Emotet-malspam-1436-UTC.eml   (135,700 bytes)
  • 2018-05-28-Emotet-malspam-1453-UTC.eml   (137,755 bytes)
  • 2018-05-29-Emotet-malspam-1934-UTC.eml   (1,264 bytes)
  • 2018-05-30-Emotet-malspam-0518-UTC.eml   (144,525 bytes)
  • 2018-05-31-Emotet-malspam-0500-UTC.eml   (141,913 bytes)
  • 2018-05-31-Emotet-malspam-1733-UTC.eml   (1,124 bytes)
  • 2018-05-31-Emotet-malspam-1812-UTC.eml   (723 bytes)
  • 2018-05-31-Emotet-malspam-1849-UTC.eml   (1,141 bytes)
  • 2018-05-31-Emotet-malspam-1853-UTC.eml   (1,262 bytes)
  • 2018-05-28-Emotet-malspam-infection-traffic.pcap   (2,042,912 bytes)
  • 2018-05-29-Emotet-malspam-infection-traffic.pcap   (16,325,445 bytes)
  • 2018-05-31-Emotet-malspam-infection-traffic.pcap   (5,484,485 bytes)
  • 2018-05-28-Emotet-malware-binary.exe   (172,032 bytes)
  • 2018-05-28-Zeus-Panda-Banker-caused-by-Emotet-infection.exe   (226,816 bytes)
  • 2018-05-28-downloaded-Word-doc-with-macro-for-Emotet.doc   (121,344 bytes)
  • 2018-05-29-Emotet-malware-binary-1-of-2.exe   (200,704 bytes)
  • 2018-05-29-Emotet-malware-binary-2-of-2.exe   (196,608 bytes)
  • 2018-05-29-downloaded-Word-doc-with-macro-for-Emotet.doc   (126,464 bytes)
  • 2018-05-31-Emotet-malware-binary.exe   (274,432 bytes)
  • 2018-05-31-downloaded-Word-doc-with-macro-for-Emotet.doc   (96,256 bytes)
  • COMET SIGNS PAYMENT NOTIFICATION 05.28.2018.doc   (99,840 bytes)
  • Facture-impayee0359594-0516-6306826.doc   (104,704 bytes)
  • INV #97046 FOR PO #143948250965.doc   (98,048 bytes)
  • MODIF-FACTURE0185982-06039-877324.doc   (102,400 bytes)
  • Rechnung_2018_05_033339468066239.doc   (104,448 bytes)
  • Rechnung_2018_05_5126136674.doc   (128,000 bytes)


NOTES:


Shown above:  Two infection paths.


WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:


EMAILS

12 EMAIL EXAMPLES:

(Read: date/time - sending address -- subject)


TRAFFIC

URLS FROM THE EMAILS:


URLS GENERATED BY THE WORD MACROS:


TRAFFIC FROM AN INFECTED WINDOWS HOST ON 2018-05-28:


TRAFFIC FROM AN INFECTED WINDOWS HOST ON 2018-05-29 (PCAP RAN FOR SEVERAL HOURS):


TRAFFIC FROM AN INFECTED WINDOWS HOST ON 2018-05-31:


FILE HASHES

SHA256 HASHES FOR WORD DOCS WITH MACRO FOR EMOTET:

EMOTET MALWARE BINARIES:

ZEUS PANDA BANKER CAUSED BY EMOTET INFECTION:


IMAGES


Shown above:  Traffic from the 2018-05-28 infection filtered in Wireshark--Emotet, which also caused Zeus Panda Banker.



Shown above:  Traffic from the 2018-05-29 infection filtered in Wireshark--Emotet, which turned the infected host into an Emotet malspambot.



Shown above:  Traffic from the 2018-05-29 infection filtered in Wireshark to show sending addresses of the SMTP traffic from my infected Windows host.



Shown above:  An example of the emails from my infected Windows host on 2018-05-29.



Shown above:  Traffic from the 2018-05-31 infection filtered in Wireshark--Emotet, which turned the infected host into an Emotet malspambot.



Shown above:  An example of the emails from my infected Windows host on 2018-05-31.


FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.