2018-06-14 - EMOTET INFECTION WITH TRICKBOT (GTAG: DEL8)

ASSOCIATED FILES:

  • 2018-06-14-Emotet-malspam-1137-UTC.eml   (161,938 bytes)
  • 2018-06-14-Emotet-malspam-1349-UTC.eml   (1,351 bytes)
  • 2018-06-14-Emotet-malspam-1356-UTC.eml   (912 bytes)
  • 2018-06-14-Emotet-malspam-1423-UTC.eml   (869 bytes)
  • 2018-06-14-Emotet-malspam-1429-UTC.eml   (928 bytes)
  • 2018-06-14-Emotet-malspam-1519-UTC.eml   (166,466 bytes)
  • 2018-06-14-Emotet-malspam-1642-UTC.eml   (1,769 bytes)
  • 2018-06-14-Emotet-malspam-1647-UTC.eml   (1,626 bytes)
  • 2018-06-14-Emotet-malspam-1649-UTC.eml   (1,299 bytes)
  • 2018-06-14-Emotet-malspam-1657-UTC.eml   (1,646 bytes)
  • 2018-06-14-Emotet-malspam-1702-UTC.eml   (1,689 bytes)
  • 2018-06-14-Emotet-malspam-1713-UTC.eml   (1,176 bytes)
  • 2018-06-14-Emotet-malspam-1722-UTC.eml   (1,117 bytes)
  • 2018-06-14-Emotet-malspam-1731-UTC.eml   (1,757 bytes)
  • 2018-06-14-Emotet-malspam-1845-UTC.eml   (1,344 bytes)
  • 2018-06-14-Emotet-malspam-1943-UTC.eml   (1,795 bytes)
  • 2018-06-14-Emotet-malspam-1946-UTC.eml   (1,681 bytes)
  • 2018-06-14-Emotet-malspam-2004-UTC.eml   (1,307 bytes)
  • 2018-06-14-Emotet-malspam-2057-UTC.eml   (168,514 bytes)
  • 2018-06-14-Emotet-malspam-2103-UTC.eml   (1,803 bytes)
  • 2018-06-14-Emotet-malspam-2121-UTC.eml   (176,153 bytes)
  • 2018-06-14-Emotet-malspam-2151-UTC.eml   (1,735 bytes)
  • 2018-06-14-Emotet-infection-traffic-with-Trickbot.pcap   (16,313,354 bytes)
  • 2018-06-14-Emotet-malware-binary.exe   (330,752 bytes)
  • 2018-06-14-Trickbot-gtag-del8.exe   (457,216 bytes)
  • 2018-06-14-attached-PDF-document-1-of-4.pdf   (2,692 bytes)
  • 2018-06-14-attached-PDF-document-2-of-4.pdf   (2,617 bytes)
  • 2018-06-14-attached-PDF-document-3-of-4.pdf   (7,734 bytes)
  • 2018-06-14-attached-PDF-document-4-of-4.pdf   (7,702 bytes)
  • 2018-06-14-attached-Word-doc-with-macro-for-Emotet-1-of-4.doc   (121,856 bytes)
  • 2018-06-14-attached-Word-doc-with-macro-for-Emotet-2-of-4.doc   (116,224 bytes)
  • 2018-06-14-attached-Word-doc-with-macro-for-Emotet-3-of-4.doc   (119,808 bytes)
  • 2018-06-14-attached-Word-doc-with-macro-for-Emotet-4-of-4.doc   (116,480 bytes)
  • 2018-06-14-downloaded-Word-doc-with-macro-for-Emotet.doc   (105,728 bytes)


NOTES:



Shown above:  Sometimes there's also a PDF document with an attached Word document.  In this case, the PDF documents were harmless.


WEB TRAFFIC BLOCK LIST

The following are URLs on legitimate (but compromised) websites serving Emotet Word docs or malware:


EMAILS


Shown above:  Example of the IRS-themed Emotet malspam from today.


DATA FROM 22 EMAIL EXAMPLES OF THE MALSPAM:


SPOOFED SENDERS:


SUBJECT LINES:


ATTACHMENT NAMES (IN EMAILS THAT ONLY HAD ATTACHMENTS):



Shown above:  One of the downloaded (or attached) Word docs.


INFECTION TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.


EMOTET INFECTION TRAFFIC:

FOLLOW-UP TRICKBOT INFECTION TRAFFIC:


MALWARE

MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:


SHA256 HASHES FOR ATTACHED WORD DOCS IN 4 EMAILS FROM MY 22 MALSPAM SAMPLES:


SHA256 HASHES FOR ATTACHED PDF DOCS IN 4 EMAILS FROM MY 22 MALSPAM SAMPLES:

NOTE: These PDFs are all harmless.  From what I can tell, they don't contain any malware or exploits.


IMAGES


Shown above:  Emotet made persistent through the registry and Trickbot through a scheduled task.



Shown above:  Screenshot of directories with Trickbot malware/artifacts.


FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
