2018-07-02 - EMOTET INFECTION TRAFFIC WITH ZEUS PANDA BANKER

ASSOCIATED FILES:

  • 2018-07-02-Emotet-malspam-16-email-examples.txt   (15,796 bytes)
  • 2018-07-02-Emotet-malspam-infection-traffic-in-AD-environment.pcap   (5,303,730 bytes)
  • 2018-07-02-downloaded-Word-doc-with-macro-for-Emotet.doc   (232,192 bytes)
  • 2018-07-02-Emotet-malware-binary-1-of-2.exe   (208,896 bytes)
  • 2018-07-02-Emotet-malware-binary-2-of-2.exe   (203,776 bytes)
  • 2018-07-02-Zeus-Panda-Banker-caused-by-Emotet.exe   (223,744 bytes)


NOTES:


Shown above:  Chain of events for today's infection.


WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs and domain:


EMAILS


Shown above:  Example of the malspam (raw text with headers and formatting).


DATA FROM 16 EMAIL EXAMPLES OF THE MALSPAM:


SPOOFED SENDERS:


SUBJECT LINES:



Shown above:  Word doc generated from link in the malspam.


INFECTION TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.


URLS FROM THE MALSPAM TO DOWNLOAD THE INITIAL WORD DOCUMENT:

URLS FROM MACRO IN THE DOWNLOADED WORD DOC TO GRAB AN EMOTET BINARY:

EMOTET INFECTION TRAFFIC:


MALWARE

MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:


FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
