2018-07-09 - EMOTET MALSPAM INFECTION TRAFFIC WITH ZEUS PANDA BANKER

ASSOCIATED FILES:

  • 2018-07-09-Emotet-malspam-30-email-examples.txt   (31,493 bytes)
  • 2018-07-09-Emotet-malspam-infection-traffic-with-Zeus-Panda-Banker.pcap   (3,001,733 bytes)
  • 2018-07-09-Emotet-malware-binary-1-of-2.exe   (110,592 bytes)
  • 2018-07-09-Emotet-malware-binary-2-of-2.exe   (106,496 bytes)
  • 2018-07-09-Zeus-Panda-Banker-loaded-by-Emotet.exe   (248,832 bytes)
  • 2018-07-09-downloaded-Word-doc-with-macro-for-Emotet.doc   (236,800 bytes)

NOTES:

WEB TRAFFIC BLOCK LIST

Indicators are not a block list. If you feel the need to block web traffic, I suggest the following URLs and domain:


EMAILS


Shown above: Example of the malspam (raw text with headers and formatting).


DATA FROM 30 EMAIL EXAMPLES OF THE MALSPAM:


SPOOFED SENDERS:


SUBJECT LINES:
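The spoofed-sender and subject-line lists above are what you get by parsing the headers of each raw message. The script below is an added example, not tooling from this page: it does that extraction with Python's standard library, pulls the download links out of the bodies, and flags messages whose displayed From: domain does not match the envelope sender. The two messages in SAMPLE_EMAILS are constructed stand-ins for the 30 real examples; every address, domain, subject and URL in them is made up, and the "-----" separator between messages is an assumption about how the sample file is laid out.

```python
"""Pull the sender, subject and download URLs out of raw malspam samples.

Added example, not code from the original page.  SAMPLE_EMAILS is
constructed; every address, domain and URL in it is made up.
"""
import email
import re
from collections import Counter
from email import policy
from email.utils import parseaddr

# Matches http(s) URLs in a message body (good enough for malspam links).
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Separator assumed between messages in the concatenated sample file.
SEPARATOR = "\n-----\n"

# Constructed samples: hypothetical addresses, hosts and paths.
SAMPLE_EMAILS = """\
Return-Path: <bounce@mail.example.net>
From: "Accounts Payable" <invoice@bank.example>
To: victim@target.example
Subject: Invoice 2018-07-09
Date: Mon, 09 Jul 2018 08:12:44 +0000
Content-Type: text/plain; charset="utf-8"

Please review your invoice:
http://compromised.example/Invoice/
-----
Return-Path: <bounce@mail.example.net>
From: "Billing" <billing@shop.example>
To: victim@target.example
Subject: Your Order
Date: Mon, 09 Jul 2018 08:15:02 +0000
Content-Type: text/plain; charset="utf-8"

Download your order details here: http://other.example/en_US/Document/
"""


def parse_samples(text):
    """Parse concatenated raw messages into one record per e-mail."""
    records = []
    for raw in text.split(SEPARATOR):
        raw = raw.strip()
        if not raw:
            continue
        msg = email.message_from_string(raw, policy=policy.default)
        from_name, from_addr = parseaddr(str(msg.get("From", "")))
        _, envelope_addr = parseaddr(str(msg.get("Return-Path", "")))
        body_part = msg.get_body(preferencelist=("plain", "html"))
        body = body_part.get_content() if body_part is not None else ""
        records.append({
            "from_name": from_name,
            "from_addr": from_addr,
            "from_domain": from_addr.rpartition("@")[2].lower(),
            "envelope_domain": envelope_addr.rpartition("@")[2].lower(),
            "subject": str(msg.get("Subject", "")),
            "urls": URL_RE.findall(body),
        })
    return records


def is_spoofed(record):
    """Heuristic: the displayed From: domain differs from the envelope
    sender (Return-Path) domain, which is how bulk malspam usually looks.
    Mailing lists and forwarders trip this too, so treat it as a triage
    signal rather than proof."""
    return (bool(record["envelope_domain"])
            and record["from_domain"] != record["envelope_domain"])


def summarize(records):
    """Counts of senders, subjects and URLs, like the lists on the page."""
    return {
        "senders": Counter(r["from_addr"] for r in records),
        "subjects": Counter(r["subject"] for r in records),
        "urls": Counter(u for r in records for u in r["urls"]),
    }


if __name__ == "__main__":
    recs = parse_samples(SAMPLE_EMAILS)
    for name, counter in summarize(recs).items():
        print(name.upper())
        for value, n in counter.most_common():
            print(f"  {n:3d}  {value}")
    print("spoofed:", sum(is_spoofed(r) for r in recs), "of", len(recs))
```

The Return-Path comparison is the cheap check; when you have the full headers, the Received: chain and any Authentication-Results: header (SPF/DKIM) give a stronger answer about who really sent the message.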

 


Shown above: Word doc generated from link in the malspam.


INFECTION TRAFFIC


Shown above: Traffic from an infection filtered in Wireshark.


URLS FROM THE MALSPAM TO DOWNLOAD THE INITIAL WORD DOCUMENT:

URLS FROM MACRO IN THE DOWNLOADED WORD DOC TO GRAB AN EMOTET BINARY:

EMOTET INFECTION TRAFFIC:
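The three lists above are the HTTP requests for each stage of the chain: the link from the mail that returns the Word doc, the macro's request for the Emotet binary, and the post-infection check-ins. The script below is an added example, not tooling from this page: it reads a classic pcap with only the standard library and reproduces what the Wireshark "http.request" filter shows, then marks requests whose Host header is a bare IP address, which is how the Emotet check-ins of this period looked (a heuristic, not a rule). SAMPLE_PACKETS and build_pcap are constructed so it runs offline; the addresses are documentation ranges and the hosts and paths are made up. Point http_requests at the bytes of a real pcap to use it on the capture listed above.

```python
"""Extract HTTP requests from a classic pcap with the standard library only.

Added example, not code from the original page.  SAMPLE_PACKETS is
constructed: documentation-range addresses, made-up hosts and paths.
"""
import re
import socket
import struct

# Constructed traffic: (src ip, src port, dst ip, dst port, TCP payload).
SAMPLE_PACKETS = [
    ("10.7.9.101", 49200, "203.0.113.10", 80,
     b"GET /Invoice/ HTTP/1.1\r\nHost: compromised.example\r\n"
     b"User-Agent: Mozilla/5.0\r\n\r\n"),
    ("10.7.9.101", 49201, "203.0.113.20", 80,
     b"GET /wp-content/uploads/Kb7/ HTTP/1.1\r\nHost: other.example\r\n"
     b"User-Agent: Mozilla/4.0\r\n\r\n"),
    ("10.7.9.101", 49202, "198.51.100.5", 8080,
     b"POST / HTTP/1.1\r\nHost: 198.51.100.5:8080\r\n"
     b"Content-Length: 4\r\n\r\nabcd"),
    ("10.7.9.101", 49203, "203.0.113.30", 443,
     b"\x16\x03\x01\x00\x05hello"),  # not HTTP, must be ignored
]


def build_pcap(packets, base_ts=1531123200):
    """Write packets as Ethernet/IPv4/TCP frames in a little-endian pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, (src, sport, dst, dport, payload) in enumerate(packets):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18,
                          8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), i, 0, 64,
                         6, 0, socket.inet_aton(src), socket.inet_aton(dst))
        frame = bytes(12) + b"\x08\x00" + ip + tcp  # zero MACs, IPv4 type
        out += struct.pack("<IIII", base_ts + i, 0, len(frame), len(frame))
        out += frame
    return out


def iter_tcp_payloads(pcap):
    """Yield (ts, src, sport, dst, dport, payload) for TCP segments with data."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only the Ethernet link type is handled")
    off = 24
    while off + 16 <= len(pcap):
        ts, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ip = frame[14:]
        if ip[0] >> 4 != 4 or ip[9] != 6:
            continue  # not IPv4 carrying TCP
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total_len]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]  # skip the TCP header/options
        if payload:
            yield (ts, socket.inet_ntoa(ip[12:16]), sport,
                   socket.inet_ntoa(ip[16:20]), dport, payload)


REQUEST_LINE = re.compile(rb"(GET|POST) (\S+) HTTP/1\.[01]\r\n")


def http_requests(pcap):
    """Equivalent of Wireshark's http.request filter: one dict per request."""
    found = []
    for ts, src, sport, dst, dport, payload in iter_tcp_payloads(pcap):
        m = REQUEST_LINE.match(payload)
        if not m:
            continue
        head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        headers = {}
        for line in head.split("\r\n")[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        host = headers.get("host", f"{dst}:{dport}")
        found.append({
            "ts": ts, "src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
            "method": m.group(1).decode(), "host": host,
            "url": f"http://{host}{m.group(2).decode('latin-1')}",
            "user_agent": headers.get("user-agent", ""),
        })
    return found


def is_bare_ip_host(request):
    """True when Host: is a dotted-quad IPv4 address rather than a name."""
    host = request["host"].rsplit(":", 1)[0]
    try:
        socket.inet_aton(host)
    except OSError:
        return False
    return host.count(".") == 3  # inet_aton also accepts short forms


if __name__ == "__main__":
    for r in http_requests(build_pcap(SAMPLE_PACKETS)):
        tag = "C2?" if is_bare_ip_host(r) else "   "
        print(tag, r["src"], "->", r["dst"], r["method"], r["url"])
```

Segments are parsed one at a time, so a request whose header block spans several segments is missed; for a full reassembly use tshark with the same `http.request` filter and pull `http.host` and `http.request.uri` with `-T fields`.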

 

MALWARE

MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:


FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.