2018-11-06 - EMOTET INFECTION WITH TRICKBOT

ASSOCIATED FILES:

  • 2018-11-06-Emotet-malspam-with-PDF-attachment.eml   (29,068 bytes)
  • 2018-11-06-Emotet-malspam-with-Word-attachment-1-of-2.eml   (101,605 bytes)
  • 2018-11-06-Emotet-malspam-with-Word-attachment-2-of-2.eml   (96,946 bytes)
  • 2018-11-06-Emotet-infection-with-Trickbot.pcap   (7,919,501 bytes)
  • 2018-11-06-downloaded-Word-doc-with-macro-for-Emotet.doc   (78,592 bytes)
  • 2018-11-06-Emotet-malware-binary.exe   (143,360 bytes)
  • 2018-11-06-Trickbot-malware-binary-retrieved-by-Emotet-gtag-del90.exe   (393,728 bytes)
  • 2018-11-06-radiance.png-from-192.227.186.151.exe   (331,776 bytes)

NOTES:

Shown above:  Flow chart for recent Emotet malspam.

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs and partial URL:

EMAILS

Shown above:  Example of an email from Emotet malspam with a PDF attachment.

Shown above:  Link in the PDF attachment to download the initial Word doc.

Shown above:  Downloading the initial Word document and enabling macros to infect a victim's host.

TRAFFIC

URLS TO DOWNLOAD THE INITIAL WORD DOCUMENT (FROM PDF FILES OR LINKS IN THE EMAILS):

NOTE:  Items marked with ** are URLs that did not deliver the malware when I checked earlier (probably taken off-line).

URLS GENERATED BY MACROS IN THE INITIAL WORD DOC TO DOWNLOAD THE EMOTET BINARY:

Shown above:  Traffic from an infection filtered in Wireshark.

TRAFFIC FROM AN INFECTED WINDOWS HOST IN THE US:

MALWARE

MALWARE FROM AN INFECTED WINDOWS HOST:

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.