2018-07-20 - EMOTET INFECTIONS WITH ZEUS PANDA BANKER AND TRICKBOT (GTAG: DEL34)

ASSOCIATED FILES:

  • 2018-07-20-Emotet-malspam-0751-UTC.eml   (1,730 bytes)
  • 2018-07-20-Emotet-malspam-1638-UTC.eml   (263,143 bytes)
  • 2018-07-20-Emotet-infection-traffic-with-Trickbot.pcap   (14,601,676 bytes)
  • 2018-07-20-Emotet-infection-traffic-with-Zeus-Panda-Banker.pcap   (1,586,907 bytes)
  • 2018-07-20-Emotet-binary-1-of-4.exe   (161,792 bytes)
  • 2018-07-20-Emotet-binary-2-of-4.exe   (163,328 bytes)
  • 2018-07-20-Emotet-binary-3-of-4.exe   (285,696 bytes)
  • 2018-07-20-Emotet-binary-4-of-4.exe   (184,320 bytes)
  • 2018-07-20-Trickbot-caused-by-Emotet-infection.exe   (439,296 bytes)
  • 2018-07-20-Zeus-Panda-Banker-caused-by-Emotet-infection.exe   (276,992 bytes)
  • 2018-07-20-downloaded-Word-doc-with-macro-for-Emotet-1-of-5.doc   (239,360 bytes)
  • 2018-07-20-downloaded-Word-doc-with-macro-for-Emotet-2-of-5.doc   (170,112 bytes)
  • 2018-07-20-downloaded-Word-doc-with-macro-for-Emotet-3-of-5.doc   (170,240 bytes)
  • 2018-07-20-downloaded-Word-doc-with-macro-for-Emotet-4-of-5.doc   (177,024 bytes)
  • 2018-07-20-downloaded-Word-doc-with-macro-for-Emotet-5-of-5.doc   (172,544 bytes)


NOTES:

Shown above:  Flowchart for recent Emotet infection traffic.

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs:

TRAFFIC


Shown above:  Traffic from my first infection filtered in Wireshark (Emotet + Zeus Panda Banker).

Shown above:  Traffic from a later infection filtered in Wireshark (Emotet + Trickbot).

URLS FROM MALSPAM FOR THE WORD DOCUMENTS:

URLS GENERATED BY WORD MACROS TO RETRIEVE EMOTET BINARIES:

TRAFFIC FROM AN INFECTED WINDOWS HOST (EMOTET + ZEUS PANDA BANKER):

TRAFFIC FROM AN INFECTED WINDOWS HOST (EMOTET + TRICKBOT):

FILE HASHES

SHA256 HASHES FOR THE WORD DOCUMENTS:

SHA256 HASHES FOR THE FOLLOW-UP EMOTET BINARIES:

SHA256 HASH FOR ZEUS PANDA BANKER:

SHA256 HASH FOR TRICKBOT (GTAG: DEL34):

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.