2018-12-03 THRU 2018-12-07 - QUICK POST: MALSPAM PUSHING EMOTET + ICEDID (BOKBOT)

ASSOCIATED FILES:

  • 2018-12-04-Emotet-malspam-with-attached-doc-1516-UTC.eml   (191,422 bytes)
  • 2018-12-05-Emotet-malspam-with-attached-doc-1520-UTC.eml   (194,754 bytes)
  • 2018-12-05-Emotet-malspam-with-link-to-Word-doc-1446-UTC.eml   (21,754 bytes)
  • 2018-12-05-Emotet-malspam-with-link-to-Word-doc-2005-UTC.eml   (2,248 bytes)
  • 2018-12-06-Emotet-malspam-with-attached-Word-doc-1639-UTC.eml   (201,230 bytes)
  • 2018-12-06-Emotet-malspam-with-attached-Word-doc-2149-UTC.eml   (210,581 bytes)
  • 2018-12-07-Emotet-malspam-with-link-to-Word-doc-1550-UTC.eml   (2,565 bytes)
  • 2018-12-03-Emotet-infection-with-IcedID.pcap   (1,937,339 bytes)
  • 2018-12-05-Emotet-infection-with-IcedID.pcap   (2,966,350 bytes)
  • 2018-12-07-Emotet-infection-with-IcedID.pcap   (2,100,997 bytes)
  • 2018-12-03-downloaded-Word-doc-with-macro-for-Emotet.doc   (136,064 bytes)
  • 2018-12-03-Emotet-binary-retrieved-by-Word-macro.exe   (532,480 bytes)
  • 2018-12-03-IcedID-persistent-on-the-infected-host.exe   (585,728 bytes)
  • 2018-12-03-IcedID-retrieved-by-Emotet-infected-host.exe   (585,728 bytes)
  • 2018-12-05-downloaded-Word-doc-with-macro-for-Emotet.doc   (155,776 bytes)
  • 2018-12-05-Emotet-malware-binary.exe   (528,384 bytes)
  • 2018-12-05-IcedID-made-persistent-on-the-infected-host.exe   (286,208 bytes)
  • 2018-12-05-IcedID-retrieved-by-Emotet-infected-Windows-host.exe   (286,208 bytes)
  • 2018-12-07-downloaded-Word-doc-with-macro-for-Emotet.doc   (138,496 bytes)
  • 2018-12-07-Emotet-malware-binary.exe   (139,264 bytes)
  • 2018-12-07-IcedID-made-persistent-on-infected-host.exe   (184,320 bytes)
  • 2018-12-07-IcedID-retrieved-by-Emotet-infected-host.exe   (184,320 bytes)
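A quick consistency check on this listing, added here as an example and not part of the original post: for each day, the IcedID sample "retrieved by the Emotet-infected host" and the IcedID sample "made persistent on the infected host" are listed with the same byte count, which is consistent with the same binary having been copied to a persistence location (a hash comparison on the actual files confirms it). The script below parses the six IcedID lines copied from the list above, pairs the retrieved/persistent entries per date, and flags any pair whose sizes differ or whose size field is not a well-formed byte count (the 2018-12-07 retrieved entry was typed as "18,4320 bytes" in the original listing, so it is kept here as a deliberate test case and gets flagged). The `sha256_file` helper is for running the same pairing against files on disk; no files are included with this example.

```python
import hashlib
import re
from collections import defaultdict

# Six IcedID lines copied from the ASSOCIATED FILES list above; the last
# size is left as originally typed ("18,4320") so the check flags it.
LISTING = """\
  • 2018-12-03-IcedID-persistent-on-the-infected-host.exe   (585,728 bytes)
  • 2018-12-03-IcedID-retrieved-by-Emotet-infected-host.exe   (585,728 bytes)
  • 2018-12-05-IcedID-made-persistent-on-the-infected-host.exe   (286,208 bytes)
  • 2018-12-05-IcedID-retrieved-by-Emotet-infected-Windows-host.exe   (286,208 bytes)
  • 2018-12-07-IcedID-made-persistent-on-infected-host.exe   (184,320 bytes)
  • 2018-12-07-IcedID-retrieved-by-Emotet-infected-host.exe   (18,4320 bytes)
"""

# "<YYYY-MM-DD>-<name>   (<size> bytes)" as used on the page.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})-(?P<name>.+?)\s+\((?P<size>[\d,]+) bytes\)\s*$"
)
# A well-formed size: 1-3 leading digits, then groups of exactly three.
SIZE_RE = re.compile(r"\d{1,3}(?:,\d{3})*")


def parse_listing(text):
    """Turn the bullet listing into dicts: date, name, size, well_formed."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headings, blank lines, anything that is not an entry
        size_str = m.group("size")
        entries.append({
            "date": m.group("date"),
            "name": m.group("name"),
            "size": int(size_str.replace(",", "")),
            "well_formed": SIZE_RE.fullmatch(size_str) is not None,
        })
    return entries


def role_of(name):
    """Classify an IcedID entry by the wording the page uses in its names."""
    lowered = name.lower()
    if "icedid" not in lowered:
        return None
    if "retrieved" in lowered:
        return "retrieved"
    if "persistent" in lowered:
        return "persistent"
    return None


def check_icedid_pairs(entries):
    """Pair retrieved/persistent IcedID samples per date and compare sizes.

    Status per date: "incomplete" (one side missing), "malformed-size"
    (a size field that is not a valid byte count), "match" or "mismatch".
    """
    by_date = defaultdict(dict)
    for e in entries:
        role = role_of(e["name"])
        if role:
            by_date[e["date"]][role] = e

    report = {}
    for date, pair in sorted(by_date.items()):
        if "retrieved" not in pair or "persistent" not in pair:
            status = "incomplete"
        elif not (pair["retrieved"]["well_formed"] and pair["persistent"]["well_formed"]):
            status = "malformed-size"
        elif pair["retrieved"]["size"] == pair["persistent"]["size"]:
            status = "match"
        else:
            status = "mismatch"
        report[date] = {
            "status": status,
            "retrieved": pair.get("retrieved", {}).get("size"),
            "persistent": pair.get("persistent", {}).get("size"),
        }
    return report


def sha256_file(path, chunk=1 << 20):
    """Hash a file on disk; use it to confirm a size 'match' is a real match."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


if __name__ == "__main__":
    for date, r in check_icedid_pairs(parse_listing(LISTING)).items():
        print(f"{date}: {r['status']:15} retrieved={r['retrieved']} persistent={r['persistent']}")
```

Equal sizes are only a hint; when the samples are on disk, run `sha256_file` on both members of each "match" pair and treat differing digests as a sign that the persistent copy was modified or is a different build.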

 

NOTES:

 

IMAGES:


Shown above:  Screenshot of the malspam with a link to the Word doc.

 


Shown above:  The downloaded Word doc with malicious macro to install Emotet.

 


Shown above:  Infection traffic filtered in Wireshark.

 


Shown above:  Emotet and IcedID persistent on the infected Windows host.

 
