2019-03-13 - QUICK POST: EMOTET INFECTION WITH TRICKBOT

ASSOCIATED FILES:

  • 2019-03-12-Emotet-malspam-with-link-1943-UTC.eml   (7,458 bytes)
  • 2019-03-12-Emotet-malspam-with-link-2119-UTC.eml   (6,309 bytes)
  • 2019-03-13-Emotet-malspam-with-PDF-attachment-2100-UTC.eml   (437,916 bytes)
  • 2019-03-13-Emotet-malspam-with-link-1725-UTC.eml   (2,579 bytes)
  • Zip archive of the infection traffic:  2019-03-13-Emotet-infection-with-Trickbot.pcap.zip   7.2 MB (7,159,563 bytes)
    • 2019-03-13-Emotet-infection-with-Trickbot.pcap   (8,425,714 bytes)
  • Zip archive of the malware/artifacts:  2019-03-13-Emotet-with-Trickbot-malware-and-artifacts.zip   15.2 MB (15,223,963 bytes)
    • 2019-03-13-Emotet-retrieved-by-macro.exe   (309,000 bytes)
    • 2019-03-13-Emotet-updated-after-initial-infection.exe   (184,072 bytes)
    • 2019-03-13-Trickbot-retrieved-by-Emotet-infected-host.exe   (428,544 bytes)
    • 2019-03-13-downloaded-Word-doc-with-macro-for-Emotet.doc   (206,976 bytes)
    • 2019-03-13-registry-update-to-keep-Emotet-persistent.txt   (632 bytes)
    • 2019-03-13-sched-task-to-keep-Trickbot-persistent.xml.txt   (3,798 bytes)
    • wnetwork/Data/importDll64   (8,952,080 bytes)
    • wnetwork/Data/injectDll64   (716,224 bytes)
    • wnetwork/Data/injectDll64_configs/dinj   (121,440 bytes)
    • wnetwork/Data/injectDll64_configs/dpost   (976 bytes)
    • wnetwork/Data/injectDll64_configs/sinj   (85,040 bytes)
    • wnetwork/Data/mailsearcher64   (27,824 bytes)
    • wnetwork/Data/mailsearcher64_configs/mailconf   (240 bytes)
    • wnetwork/Data/networkDll64   (22,704 bytes)
    • wnetwork/Data/networkDll64_configs/dpost   (976 bytes)
    • wnetwork/Data/psfin64   (22,192 bytes)
    • wnetwork/Data/psfin64_configs/dpost   (976 bytes)
    • wnetwork/Data/pwgrab64   (1,304,928 bytes)
    • wnetwork/Data/pwgrab64_configs/dpost   (976 bytes)
    • wnetwork/Data/shareDll64   (12,512 bytes)
    • wnetwork/Data/systeminfo64   (24,240 bytes)
    • wnetwork/Data/tabDll64   (2,640,224 bytes)
    • wnetwork/Data/tabDll64_configs/dpost   (976 bytes)
    • wnetwork/Data/wormDll64   (55,584 bytes)
    • wnetwork/ESsW.exe   (428,544 bytes)
    • wnetwork/settings.ini   (30,831 bytes)
    • wnetwork/tetuq.exe   (405,504 bytes)
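
    The following script is an added example and is not part of the original post or the malware archive. It parses the artifact listing above (copied verbatim into LISTING), pairs each Trickbot module under wnetwork/Data/ with the files in its matching _configs directory, and flags artifacts that share an identical byte count, which in this listing are the five 976-byte dpost configs and the 428,544-byte pair wnetwork/ESsW.exe and 2019-03-13-Trickbot-retrieved-by-Emotet-infected-host.exe. Equal size is only a hint that two files are the same binary; confirm with a hash once the archive is extracted. All function names are the example's own.

```python
"""Cross-reference the artifact listing of this post (added example, not
original post content). LISTING is copied from the post; the parsing and
grouping logic is the example's own."""
import re
from collections import defaultdict

# Artifact entries copied from the post's file listing (paths and sizes).
LISTING = """\
2019-03-13-Emotet-retrieved-by-macro.exe   (309,000 bytes)
2019-03-13-Emotet-updated-after-initial-infection.exe   (184,072 bytes)
2019-03-13-Trickbot-retrieved-by-Emotet-infected-host.exe   (428,544 bytes)
2019-03-13-downloaded-Word-doc-with-macro-for-Emotet.doc   (206,976 bytes)
2019-03-13-registry-update-to-keep-Emotet-persistent.txt   (632 bytes)
2019-03-13-sched-task-to-keep-Trickbot-persistent.xml.txt   (3,798 bytes)
wnetwork/Data/importDll64   (8,952,080 bytes)
wnetwork/Data/injectDll64   (716,224 bytes)
wnetwork/Data/injectDll64_configs/dinj   (121,440 bytes)
wnetwork/Data/injectDll64_configs/dpost   (976 bytes)
wnetwork/Data/injectDll64_configs/sinj   (85,040 bytes)
wnetwork/Data/mailsearcher64   (27,824 bytes)
wnetwork/Data/mailsearcher64_configs/mailconf   (240 bytes)
wnetwork/Data/networkDll64   (22,704 bytes)
wnetwork/Data/networkDll64_configs/dpost   (976 bytes)
wnetwork/Data/psfin64   (22,192 bytes)
wnetwork/Data/psfin64_configs/dpost   (976 bytes)
wnetwork/Data/pwgrab64   (1,304,928 bytes)
wnetwork/Data/pwgrab64_configs/dpost   (976 bytes)
wnetwork/Data/shareDll64   (12,512 bytes)
wnetwork/Data/systeminfo64   (24,240 bytes)
wnetwork/Data/tabDll64   (2,640,224 bytes)
wnetwork/Data/tabDll64_configs/dpost   (976 bytes)
wnetwork/Data/wormDll64   (55,584 bytes)
wnetwork/ESsW.exe   (428,544 bytes)
wnetwork/settings.ini   (30,831 bytes)
wnetwork/tetuq.exe   (405,504 bytes)
"""

# One entry per line: "<path>   (<size with thousands separators> bytes)"
ENTRY_RE = re.compile(r"^\s*(?P<name>\S+)\s+\((?P<size>[\d,]+) bytes\)\s*$")

MODULE_DIR = "wnetwork/Data/"


def parse_listing(text):
    """Return {path: size_in_bytes} for every well-formed listing line."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group("name")] = int(m.group("size").replace(",", ""))
    return entries


def trickbot_modules(entries):
    """Map each module file under wnetwork/Data/ to the sorted list of
    config files found under wnetwork/Data/<module>_configs/."""
    modules = {}
    configs = defaultdict(list)
    for name in entries:
        if not name.startswith(MODULE_DIR):
            continue
        parts = name[len(MODULE_DIR):].split("/")
        if len(parts) == 1:
            modules[parts[0]] = []
        elif len(parts) == 2 and parts[0].endswith("_configs"):
            configs[parts[0][: -len("_configs")]].append(parts[1])
    for mod in modules:
        modules[mod] = sorted(configs.get(mod, []))
    return modules


def same_size_pairs(entries):
    """Group artifacts that share an identical byte count. A size match is
    only a hint that they are the same binary; confirm with a hash."""
    by_size = defaultdict(list)
    for name, size in entries.items():
        by_size[size].append(name)
    return {s: sorted(n) for s, n in by_size.items() if len(n) > 1}


if __name__ == "__main__":
    entries = parse_listing(LISTING)
    for mod, cfgs in sorted(trickbot_modules(entries).items()):
        print(f"{mod:<16} configs: {', '.join(cfgs) or '-'}")
    for size, names in sorted(same_size_pairs(entries).items()):
        print(f"{size} bytes: {names}")
```

    Running it prints the module-to-config map and the size collisions; extend parse_listing to os.walk over the extracted archive and compare stat sizes against the listing to verify the download before analysis.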

    NOTES:

     

    IMAGES


    Shown above:  Screenshot from Emotet malspam with a PDF attachment.

     


    Shown above:  PDF attachment merely links to a document with a macro for Emotet.

     


    Shown above:  Traffic from the infection filtered in Wireshark.

     
