2018-11-21 - QUICK POST: EMOTET INFECTION WITH GOOTKIT

ASSOCIATED FILES:

  • 2018-11-23-Emotet-infection-with-Gootkit.pcap   (6,681,966 bytes)
  • 2018-11-23-downloaded-Word-doc-with-macro-for-Emotet.doc   (97,024 bytes)
  • 2018-11-23-Emotet-malware-binary.exe   (135,168 bytes)
  • 2018-11-23-Gootkit-retrieved-by-Emotet-infected-host.exe   (2,283,008 bytes)
  • 2018-11-23-Gootkit.inf.txt   (224 bytes)

NOTES:

Shown above:  Flow chart for recent Ursnif malspam infections I've seen.

IMAGES

Shown above:  Traffic from today's infection filtered in Wireshark.

Shown above:  Certificate data from the Gootkit post-infection traffic.

Shown above:  More certificate data from the Gootkit post-infection traffic.

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.