2018-07-03 - EMOTET INFECTION TRAFFIC WITH ZEUS PANDA BANKER

ASSOCIATED FILES:

  • 2018-07-03-Emotet-malspam-12-email-examples.txt   (11,850 bytes)
  • 2018-07-03-Emotet-malspam-infection-traffic.pcap   (7,684,057 bytes)
  • 2018-07-03-Emotet-malware-binary.exe   (106,496 bytes)
  • 2018-07-03-Zeus-Panda-Banker-caused-by-Emotet.exe   (328,704 bytes)
  • 2018-07-03-downloaded-Word-doc-with-macro-for-Emotet.doc   (260,352 bytes)


NOTES:


Shown above:  Chain of events for today's infection.


WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs and domain:


EMAILS


Shown above:  Example of the malspam (raw text with headers and formatting).


DATA FROM 12 EMAIL EXAMPLES OF THE MALSPAM:


SPOOFED SENDERS:


SUBJECT LINES:



Shown above:  Word doc generated from link in the malspam.


INFECTION TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.


URLS FROM THE MALSPAM TO DOWNLOAD THE INITIAL WORD DOCUMENT:

URLS FROM MACRO IN THE DOWNLOADED WORD DOC TO GRAB AN EMOTET BINARY:

EMOTET INFECTION TRAFFIC:


MALWARE

MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:


FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.