2018-11-16 - EMOTET NOW USING XML FILES AS WORD DOCS


Shown above:  The new Emotet infection chain.

 

NOTES:

 

EXAMPLES OF NEW EMOTET XML ATTACHMENTS:

 

EMOTET INFECTION TRAFFIC AND MALWARE:

  • 2018-11-15-Emotet-infection-with-IcedID-and-AZORult.pcap   (9,138,140 bytes)
  • 2018-11-15-AZORult-from-hermes.travel.pl.exe   (407,040 bytes)
  • 2018-11-15-downloaded-Word-doc-with-macro-for-Emotet.doc   (85,632 bytes)
  • 2018-11-15-Emotet-malware-binary.exe   (475,136 bytes)
  • 2018-11-15-IcedID-persistent-on-infected-Windows-host.exe   (513,024 bytes)
  • 2018-11-15-IcedID-retrieved-by-Emotet-infected-host.exe   (513,024 bytes)
  • 2018-11-16-Emotet-infection-with-IcedID-and-AZORult.pcap   (9,916,890 bytes)
  • 2018-11-16-Emotet-malware-binary.exe   (1,212,416 bytes)
  • 2018-11-16-IcedID-persistent-on-infected-Windows-host.exe   (376,832 bytes)
  • 2018-11-16-IcedID-retrieved-by-Emotet-infected-host.exe   (376,832 bytes)
  • 2018-11-17-Emotet-infection-with-IcedID-and-AZORult.pcap   (9,753,943 bytes)
  • 2018-11-17-downloaded-XML-doc-with-macro-for-Emotet.doc   (136,413 bytes)
  • 2018-11-17-Emotet-malware-binary-initial.exe   (1,212,416 bytes)
  • 2018-11-17-Emotet-malware-binary-updated.exe   (847,872 bytes)
  • 2018-11-17-IcedID-persistent-on-infected-Windows-host.exe   (376,832 bytes)
  • 2018-11-17-IcedID-retrieved-by-Emotet-infected-host.exe   (376,832 bytes)

 

MALWARE

SHA256 HASHES FOR 8 EXAMPLES OF THE ATTACHED XML DOCUMENTS:

 

SHA256 HASHES FOR THE 2018-11-15 INFECTION (PREVIOUS STYLE WORD DOC):

 

SHA256 HASHES FOR THE 2018-11-16 INFECTION (WHERE I DOWNLOADED AN EMOTET EXE DIRECTLY):

 

SHA256 HASHES FOR THE 2018-11-17 INFECTION (NEW STYLE XML DOC):

 

MALWARE NOTES:

 

IMAGES


Shown above:  The new Emotet XML docs still work the same way with a macro.
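A triage check for this trick, added here as an example and not code from this site: the attachments arrive with a .doc extension, but the bytes are not an OLE compound file or an OOXML zip. They are Word 2003 XML (WordprocessingML), which starts with an XML declaration followed by the `<?mso-application progid="Word.Document"?>` processing instruction that makes Windows hand the file to Word, and a `w:wordDocument` root element. In that format an embedded VBA project is stored as a base64 `w:binData` element (normally named editdata.mso) and Word sets `w:macrosPresent="yes"` on the root. The script below classifies an attachment by container type and flags .doc files that are really macro-carrying XML. The sample document is constructed for the example (only the markers, not a real payload); the function and variable names are my own.

```python
import re
from typing import Dict, List

# Container magic values for the formats a ".doc" attachment is expected to be.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc (OLE2 / CFB)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx / .docm
UTF8_BOM = b"\xef\xbb\xbf"

# Word 2003 XML markers: the PI that routes the file to Word, the root attribute
# Word sets when a VBA project is present, and the element carrying the project.
WORD_XML_PI = re.compile(rb'<\?mso-application\s+progid="Word\.Document"\?>')
MACROS_ATTR = re.compile(rb'w:macrosPresent="yes"')
BINDATA = re.compile(rb'<w:binData\b[^>]*\bw:name="([^"]+)"')


def classify_attachment(data: bytes) -> Dict[str, object]:
    """Return the container type plus any macro indicators found in Word XML."""
    result: Dict[str, object] = {"container": "unknown", "word_xml": False,
                                 "macro_indicators": []}
    indicators: List[str] = result["macro_indicators"]  # type: ignore[assignment]

    if data.startswith(OLE_MAGIC):
        result["container"] = "ole"
        return result
    if data.startswith(ZIP_MAGIC):
        result["container"] = "ooxml"
        return result

    # Word's XML output may carry a UTF-8 BOM and leading whitespace before "<?xml".
    body = data[len(UTF8_BOM):] if data.startswith(UTF8_BOM) else data
    if not body.lstrip().startswith(b"<"):
        return result

    result["container"] = "xml"
    if WORD_XML_PI.search(body):
        result["word_xml"] = True
        if MACROS_ATTR.search(body):
            indicators.append("macrosPresent=yes")
        for m in BINDATA.finditer(body):
            indicators.append("binData:" + m.group(1).decode("ascii", "replace"))
    return result


def is_suspicious_doc(filename: str, data: bytes) -> bool:
    """True for a .doc-named attachment that is actually Word 2003 XML with a VBA project."""
    r = classify_attachment(data)
    return (filename.lower().endswith(".doc")
            and r["container"] == "xml"
            and bool(r["word_xml"])
            and bool(r["macro_indicators"]))


# Constructed sample: the skeleton of a Word 2003 XML document with the macro
# markers present. The binData content is placeholder base64, not a real project.
SAMPLE_XML_DOC = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    b'<?mso-application progid="Word.Document"?>\n'
    b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml"'
    b' w:macrosPresent="yes">\n'
    b'<w:binData w:name="editdata.mso">0M8R4KGxGuEAAAAA</w:binData>\n'
    b'<w:body><w:p><w:r><w:t>Enable content to view this document</w:t></w:r></w:p></w:body>\n'
    b'</w:wordDocument>\n'
)

# Constructed sample: header of an ordinary binary .doc, for comparison.
SAMPLE_OLE_DOC = OLE_MAGIC + b"\x00" * 24


if __name__ == "__main__":
    for name, blob in (("invoice.doc", SAMPLE_XML_DOC), ("report.doc", SAMPLE_OLE_DOC)):
        print(name, classify_attachment(blob), "suspicious=%s" % is_suspicious_doc(name, blob))
```

The check is deliberately string-based rather than an XML parse so that it also works on truncated or mangled attachments pulled out of mail logs; a full analysis would base64-decode the `editdata.mso` element (it is itself an OLE container holding the VBA project) and hand it to an olevba-style macro extractor.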

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
