2018-09-05 - EMOTET INFECTION WITH ICEDID BANKING TROJAN AND AZORULT

ASSOCIATED FILES:

NOTES:

  • Malspam with no attachments and a link to the Word doc in the message text.
  • Malspam with no links in the message text, but a PDF attachment with a link to the Word doc in that PDF file.
  • Malspam with no links in the message text, but a Word doc attached directly to the email.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

 

EMAILS


Shown above:  Screenshot from a malspam example on Wednesday 2018-09-05.

 

3 EXAMPLES OF EMOTET MALSPAM WITH PDF ATTACHMENTS:

 


Shown above:  Clicking on the link in the PDF document downloads the Word document used to infect a vulnerable Windows host.

 

TRAFFIC


Shown above:  Infection traffic filtered in Wireshark.

 

INITIAL INFECTION TRAFFIC (EMOTET WORD DOC AND EXECUTABLE):

EMOTET POST-INFECTION TRAFFIC:

ICEDID BANKING TROJAN POST-INFECTION TRAFFIC:

POST-INFECTION TRAFFIC ASSOCIATED WITH AZORULT:

 

FILE HASHES

PDF ATTACHMENTS FROM THOSE 3 EXAMPLES:

 

MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:

 

MORE IMAGES


Shown above:  Websocket traffic caused by IcedID on the infected Windows host.

 


Shown above:  SSL/TLS certificate data consistent with previous samples of IcedID banking Trojan (1 of 2).

 


Shown above:  SSL/TLS certificate data consistent with previous samples of IcedID banking Trojan (2 of 2).

 


Shown above:  Scheduled task to keep IcedID persistent on the infected Windows host.

 


Shown above:  Locations of IcedID malware and artifacts on the infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.