2018-05-28 THRU 2018-05-31 - END OF MONTH ROUND-UP: EMOTET MALSPAM AND INFECTION TRAFFIC
ASSOCIATED FILES:
- Zip archive of the spreadsheet tracker: 2018-05-28-thru-2018-05-31-Emotet-malspam-tracker.csv.zip 1.4 kB (1,394 bytes)
- 2018-05-28-thru-2018-05-31-Emotet-malspam-tracker.csv (2,411 bytes)
- Zip archive of 10 email examples: 2018-05-28-thru-2018-05-31-Emotet-malspam-12-email-examples.zip 381 kB (381,474 bytes)
- 2018-05-28-Emotet-malspam-0655-UTC.eml (144,069 bytes)
- 2018-05-28-Emotet-malspam-0725-UTC.eml (176,276 bytes)
- 2018-05-28-Emotet-malspam-1311-UTC.eml (882 bytes)
- 2018-05-28-Emotet-malspam-1436-UTC.eml (135,700 bytes)
- 2018-05-28-Emotet-malspam-1453-UTC.eml (137,755 bytes)
- 2018-05-29-Emotet-malspam-1934-UTC.eml (1,264 bytes)
- 2018-05-30-Emotet-malspam-0518-UTC.eml (144,525 bytes)
- 2018-05-31-Emotet-malspam-0500-UTC.eml (141,913 bytes)
- 2018-05-31-Emotet-malspam-1733-UTC.eml (1,124 bytes)
- 2018-05-31-Emotet-malspam-1812-UTC.eml (723 bytes)
- 2018-05-31-Emotet-malspam-1849-UTC.eml (1,141 bytes)
- 2018-05-31-Emotet-malspam-1853-UTC.eml (1,262 bytes)
- Zip archive with 3 examples of infection traffic: 2018-05-28-thru-2018-05-31-Emotet-malspam-infection-traffic-3-examples.zip 14.1 MB (14,055,672 bytes)
- 2018-05-28-Emotet-malspam-infection-traffic.pcap (2,042,912 bytes)
- 2018-05-29-Emotet-malspam-infection-traffic.pcap (16,325,445 bytes)
- 2018-05-31-Emotet-malspam-infection-traffic.pcap (5,484,485 bytes)
- Zip archive with the associated Word docs and malware binaries: 2018-05-28-thru-2018-05-31-word-docs-and-malware-binaries.zip 928 kB (928,401 bytes)
- 2018-05-28-Emotet-malware-binary.exe (172,032 bytes)
- 2018-05-28-Zeus-Panda-Banker-caused-by-Emotet-infection.exe (226,816 bytes)
- 2018-05-28-downloaded-Word-doc-with-macro-for-Emotet.doc (121,344 bytes)
- 2018-05-29-Emotet-malware-binary-1-of-2.exe (200,704 bytes)
- 2018-05-29-Emotet-malware-binary-2-of-2.exe (196,608 bytes)
- 2018-05-29-downloaded-Word-doc-with-macro-for-Emotet.doc (126,464 bytes)
- 2018-05-31-Emotet-malware-binary.exe (274,432 bytes)
- 2018-05-31-downloaded-Word-doc-with-macro-for-Emotet.doc (96,256 bytes)
- COMET SIGNS PAYMENT NOTIFICATION 05.28.2018.doc (99,840 bytes)
- Facture-impayee0359594-0516-6306826.doc (104,704 bytes)
- INV #97046 FOR PO #143948250965.doc (98,048 bytes)
- MODIF-FACTURE0185982-06039-877324.doc (102,400 bytes)
- Rechnung_2018_05_033339468066239.doc (104,448 bytes)
- Rechnung_2018_05_5126136674.doc (128,000 bytes)
NOTES:
- Half of the email examples I gathered have links to the malicious Word docs.
- The other half have malicious Word doc attachments and no link.
Shown above: Two infection paths.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
EMAILS
12 EMAIL EXAMPLES:
(Read: date/time - sending address -- subject)
- 2018-05-28 06:55 UTC -- Telekom Leiter Kundenservice <[removed]@[removed]> -- Ihre Telekom Mobilfunk RechnungOnline Monat Mai 2018 (Nr. 033339468066239)
- 2018-05-28 07:25 UTC -- Kundenservice Rechnungonline Telekom <[removed]@[removed]> -- Rechnung 5126136674
- 2018-05-28 13:11 UTC -- UPS View <[removed]@[removed]> -- UPS Express Domestic
- 2018-05-28 14:36 UTC -- Kenneth Strohmeyer <[removed]@[removed]> -- Kenneth Strohmeyer invoice is available
- 2018-05-28 14:53 UTC -- matt guler <[removed]@[removed]> -- Your Monthly Statement Is Now Available for Review
- 2018-05-29 19:34 UTC -- UPS View <[removed]@[removed]> -- UPS Ship Notification, Tracking Number 9VCC40073620813573
- 2018-05-30 05:18 UTC -- [removed] -- Vos facture impayee du 30 mai 0359594
- 2018-05-31 05:00 UTC -- sandro.mannarino@sheratonparco.com <[removed]@[removed]> -- Facturation du 31 mai 0185982
- 2018-05-31 17:33 UTC -- UPS <[removed]@[removed]> -- UPS Delivery Notification, Tracking Number 7LR31170567701951
- 2018-05-31 18:12 UTC -- Microvellum <[removed]@[removed]> -- New Invoice / BD9259 / VX# 5642
- 2018-05-31 18:49 UTC -- UPS Quantum View <[removed]@[removed]> -- UPS Invoice Notification
- 2018-05-31 18:53 UTC -- UPS Quantum View <[removed]@[removed]> -- Your UPS Invoice is Ready
TRAFFIC
URLS FROM THE EMAILS:
URLS GENERATED BY THE WORD MACROS:
TRAFFIC FROM AN INFECTED WINDOWS HOST ON 2018-05-28:
- 209.59.186.42 port 80 - novaplaza.com - GET /ups.com/WebTracking/OWN-4968735410370/
- 197.242.78.3 port 80 - pjbuys.co.za - GET /n9yk1/
- 216.105.170.139 port 4143 - 216.105.170.139:4143 - GET /
- 136.243.206.64 port 8080 - 136.243.206.64:8080 - GET /whoami.php
- 136.243.206.64 port 8080 - 136.243.206.64:8080 - GET /
- 91.243.81.13 port 443 - adshiepkhach.top - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker
- port 443 - www.google.com - probable connectivity check caused by Zeus Panda Banker
TRAFFIC FROM AN INFECTED WINDOWS HOST ON 2018-05-29 (PCAP RAN FOR SEVERAL HOURS):
- various IP addresses on TCP ports 25, 465 or 587 - various domains - SMTP or encrypted SMTP traffic
TRAFFIC FROM AN INFECTED WINDOWS HOST ON 2018-05-31:
- 200.43.192.5 port 80 - grupoaire.com.ar - GET /ups.com/WebTracking/EAP-74807878/
- 46.245.165.4 port 80 - alicicek.com.tr - GET /9DK4OC/
- 24.217.117.217 port 80 - 24.217.117.217 - GET /
- 216.105.170.139 port 4143 - 216.105.170.139:4143 - GET /
- 138.68.13.161 port 8080 - 138.68.13.161:8080 - GET /whoami.php
- 166.63.0.27 port 8080 - 166.63.0.27:8080 - GET /
- various IP addresses on TCP ports 25, 465 or 587 - various domains - SMTP or encrypted SMTP traffic
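The traffic notes above follow one layout ("IP port N - host - GET /path") and show the same chain each day: a UPS-themed lure path on a hacked site, then direct-to-IP GET requests on ports such as 8080 and 4143. Below is an added example (my own code, not part of this write-up) that parses lines in that layout and tags each one; the tag names and the sample lines are constructed here, using values taken from the notes plus one benign line for contrast.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample, in the same "IP port N - host - GET /path" layout as the
# traffic notes in this write-up; the last line is a made-up benign request.
SAMPLE_LINES = """\
209.59.186.42 port 80 - novaplaza.com - GET /ups.com/WebTracking/OWN-4968735410370/
197.242.78.3 port 80 - pjbuys.co.za - GET /n9yk1/
216.105.170.139 port 4143 - 216.105.170.139:4143 - GET /
136.243.206.64 port 8080 - 136.243.206.64:8080 - GET /whoami.php
136.243.206.64 port 8080 - 136.243.206.64:8080 - GET /
93.184.216.34 port 80 - example.com - GET /index.html
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) port (?P<port>\d+) - (?P<host>\S+) - (?P<method>[A-Z]+) (?P<path>\S+)$"
)


def is_bare_ip(host: str) -> bool:
    """True when the Host value is an IP literal (optionally with :port), not a name."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def classify(line: str) -> str:
    """Tag one request line with the stage of the chain it resembles, or 'benign'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return "unparsed"
    host, path = m["host"], m["path"]
    # UPS-themed tracking path served from a domain that is not ups.com: the lure URL
    if "/ups.com/WebTracking/" in path and not host.lower().endswith("ups.com"):
        return "lure-url"
    # Requests straight to an IP literal are the post-infection pattern in these notes
    if is_bare_ip(host):
        return "ip-whoami" if path == "/whoami.php" else "ip-get-root"
    return "benign"


def triage(text: str) -> dict:
    """Count lines per tag so the chain is visible at a glance."""
    return dict(Counter(classify(l) for l in text.splitlines() if l.strip()))
```

Lines that only fetch a short random path from a named domain (the Word doc and macro downloads) are left as "benign" here on purpose; that stage needs the doc or binary itself to confirm, not the URL shape alone.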
FILE HASHES
SHA256 HASHES FOR WORD DOCS WITH MACRO FOR EMOTET:
EMOTET MALWARE BINARIES:
- Location I saw for the above files on my infected Windows hosts: C:\Users\[username]\AppData\Local\Microsoft\Windows\vsdgbatt.exe
ZEUS PANDA BANKER CAUSED BY EMOTET INFECTION:
- SHA256 hash: 1e2753d3e917e1bb3fd0ace5320df965f18c8e49660e3814ddc5d1c4048affca
- File size: 226,816 bytes
- File location: C:\Users\[username]\AppData\Roaming\[existing directory path]\[random name].exe
- File description: Zeus Panda Banker binary caused by Emotet infection on 2018-05-28
IMAGES
Shown above: Traffic from the 2018-05-28 infection filtered in Wireshark--Emotet, which also caused Zeus Panda Banker.
Shown above: Traffic from the 2018-05-29 infection filtered in Wireshark--Emotet, which turned the infected host into an Emotet malspambot.
Shown above: Traffic from the 2018-05-29 infection filtered in Wireshark to show sending addresses of the SMTP traffic from my infected Windows host.
Shown above: An example of the emails from my infected Windows host on 2018-05-29.
Shown above: Traffic from the 2018-05-31 infection filtered in Wireshark--Emotet, which turned the infected host into an Emotet malspambot.
Shown above: An example of the emails from my infected Windows host on 2018-05-31.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the spreadsheet tracker: 2018-05-28-thru-2018-05-31-Emotet-malspam-tracker.csv.zip 1.4 kB (1,394 bytes)
- Zip archive of 10 email examples: 2018-05-28-thru-2018-05-31-Emotet-malspam-12-email-examples.zip 381 kB (381,474 bytes)
- Zip archive with 3 examples of infection traffic: 2018-05-28-thru-2018-05-31-Emotet-malspam-infection-traffic-3-examples.zip 14.1 MB (14,055,672 bytes)
- Zip archive with the associated Word docs and malware binaries: 2018-05-28-thru-2018-05-31-word-docs-and-malware-binaries.zip 928 kB (928,401 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.