2018-03-21 - EMOTET MALSPAM EXAMPLES AND INFECTION TRAFFIC

ASSOCIATED FILES:

• Zip archive of the spreadsheet tracker:  2018-03-21-Emotet-malspam-tracker-10-examples.csv.zip   1.4 kB (1,408 bytes)

• 2018-03-21-Emotet-malspam-tracker-10-examples.csv   (2,138 bytes)

• Zip archive of 10 email examples:  2018-03-21-Emotet-malspam-10-email-examples.zip   13.6 kB (13,587 bytes)

• 2018-03-21-Emotet-malspam-0736-UTC.eml   (2,487 bytes)
• 2018-03-21-Emotet-malspam-0819-UTC.eml   (2,053 bytes)
• 2018-03-21-Emotet-malspam-1015-UTC.eml   (1,818 bytes)
• 2018-03-21-Emotet-malspam-1018-UTC.eml   (2,190 bytes)
• 2018-03-21-Emotet-malspam-1040-UTC.eml   (1,085 bytes)
• 2018-03-21-Emotet-malspam-1233-UTC.eml   (1,813 bytes)
• 2018-03-21-Emotet-malspam-1313-UTC.eml   (2,238 bytes)
• 2018-03-21-Emotet-malspam-1359-UTC.eml   (1,986 bytes)
• 2018-03-21-Emotet-malspam-1435-UTC.eml   (2,053 bytes)
• 2018-03-21-Emotet-malspam-1522-UTC.eml   (1,972 bytes)

• Zip archive of the infection traffic:  2018-03-21-Emotet-malspam-infection-traffic.pcap.zip   795 kB (794,752 bytes)

• 2018-03-21-Emotet-malspam-infection-traffic.pcap   (969,538 bytes)

• Zip archive of the associated malware:  2018-03-21-Emotet-maldoc-and-binary.zip   207 kB (207,155 bytes)

• PivotMonet.exe   (139,264 bytes)
• Tracking 5230576-PG-ASNX.doc   (214,016 bytes)

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs:

• hxxp://icetest.gectcr.ac.in/Mar-21-10-35-45/View/
• hxxp://nisargseafood.com/Mar-21-10-00-51/Express-Domestic/
• hxxp://piripiriveiculos.com/galerias/Past-Due-Invoice/
• hxxp://www.angelhunter.club/Past-Due-Invoices/
• hxxp://www.grandemacelleriaegidio.com/Information/
• hxxp://www.i99point.com/wp-content/Past-Due-Invoices/
• hxxp://www.parquenaturaldelmontgo.com/Rechnung/
• hxxp://www.studiodilauro.com/RECHNUNG-24925/
• hxxp://www.tgpitalia.com/Mar-21-08-39-37/Quantum-View/
• hxxp://www.visit-cape-verde.com/Mar-21-05-59-20/Ship-Notification/
• hxxp://aeksingolot.com/Z86ja4Q/
• hxxp://mplus-sr.jp/029I80m/
• hxxp://www.bharanihomoeoclinic.com/k8Ig/
• hxxp://www.breakfasttravel.com/F3enp7s/
• hxxp://www.cchc.org.pe/YTma/

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

10 EMAIL SAMPLES:

• (Read: Date/Time - Sending address - Subject line)

• 2018-03-21 07:36 UTC - "Kundenservice Rechnungonline Telekom" <panya_amphone@student.friends.edu> - RechnungOnline Marz 2018 (Buchungs-Kto.: 4891167142)
• 2018-03-21 08:19 UTC - "Telekom Deutschland GmbH {NoReply}" <thomasj@elitetherapycenters.com> - RechnungOnline Marz 2018 - Buchungsaccount: 1003895617
• 2018-03-21 10:15 UTC - <terrence_mckinnon@student.friends.edu> - Scan MB - 443-TFP3456
• 2018-03-21 10:18 UTC - "UPS US" <blanton@insiteprops.com> - Tracking Number 4FT88977984781873
• 2018-03-21 10:40 UTC - <kssglobal@europe.com> - Past Due Invoices
• 2018-03-21 12:33 UTC - <vuqar.qurbanov@ascca.gov.az> - Outstanding Invoices
• 2018-03-21 13:13 UTC - "DHL" <ahmed_hefny@travelcodeegypt.com> - DHL Shipment 703124474618: Delivery scheduled for tomorrow
• 2018-03-21 13:59 UTC - "[fname lname]" <collins@nfcafrica.com> - Invoice for y/a 03/21/2018
• 2018-03-21 14:35 UTC - "UPS" <kellir@eccobella.com> - UPS Express Domestic
• 2018-03-21 15:22 UTC - "DHL Express" <rt@tinchband.com> - DHL Ship Notification, Tracking Number 619697968601

 

URLS FROM THE EMAILS TO DOWNLOAD THE INITIAL WORD DOCUMENT:

• hxxp://icetest.gectcr.ac.in/Mar-21-10-35-45/View/
• hxxp://nisargseafood.com/Mar-21-10-00-51/Express-Domestic/
• hxxp://piripiriveiculos.com/galerias/Past-Due-Invoice/
• hxxp://www.angelhunter.club/Past-Due-Invoices/
• hxxp://www.grandemacelleriaegidio.com/Information/
• hxxp://www.i99point.com/wp-content/Past-Due-Invoices/
• hxxp://www.parquenaturaldelmontgo.com/Rechnung/
• hxxp://www.studiodilauro.com/RECHNUNG-24925/
• hxxp://www.tgpitalia.com/Mar-21-08-39-37/Quantum-View/
• hxxp://www.visit-cape-verde.com/Mar-21-05-59-20/Ship-Notification/

 

Shown above:  Word document downloaded from one of the email links.

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

URLS FROM THE WORD MACRO TO DOWNLOAD EMOTET (FROM ANY.RUN ANALYSIS):

• hxxp://aeksingolot.com/Z86ja4Q/
• hxxp://mplus-sr.jp/029I80m/
• hxxp://www.bharanihomoeoclinic.com/k8Ig/
• hxxp://www.breakfasttravel.com/F3enp7s/
• hxxp://www.cchc.org.pe/YTma/

 

EMOTET BINARY ATTEMPTED TCP CONNECTIONS (FROM REVERSE.IT ANALYSIS):

• 2.20.193.233 port 80
• 88.221.182.110 port 80
• 94.23.45.119 port 4143
• 92.122.122.136 port 80
• 92.122.122.155 port 80

 

NETWORK TRAFFIC FROM AN INFECTED LAB HOST:

• 62.149.140.138 port 80 - www.tgpitalia.com - GET /Mar-21-08-39-37/Quantum-View/
• 210.190.148.152 port 80 - mplus-sr.jp - GET /029I80m/
• 94.23.45.119 port 4143 - 94.23.45.119:4143 - POST /

 

FILE HASHES

DOWNLOADED WORD DOCUMENT:

• SHA256 hash:  fa33ed5509519fabc4126386f289e58a8b863358e8173991ad857d3745bc8aa6
  File size:  214,016 bytes
  File name:  Tracking 5230576-PG-ASNX.doc
  File description:  Word document with malicious macro to download/install Emotet

EMOTET BINARY:

• SHA256 hash:  a0fb30c1542dee5eb3889233cb8fed4a9e30d6900012b27379c7495ce7529148
  File size:  139,264 bytes
  File location:  C:\Users\[username]\AppData\Local\Microsoft\Windows\PivotMonet.exe
  File description:  Emotet malware binary

 

IMAGES

Shown above:  Emotet made persistent on my infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the spreadsheet tracker:  2018-03-21-Emotet-malspam-tracker-10-examples.csv.zip   1.4 kB (1,408 bytes)
• Zip archive of 10 email examples:  2018-03-21-Emotet-malspam-10-email-examples.zip   13.6 kB (13,587 bytes)
• Zip archive of the infection traffic:  2018-03-21-Emotet-malspam-infection-traffic.pcap.zip   795 kB (794,752 bytes)
• Zip archive of the associated malware:  2018-03-21-Emotet-maldoc-and-binary.zip   207 kB (207,155 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

Click here to return to the main page.