2018-06-11 - EMOTET DATA DUMP
ASSOCIATED FILES:
- 2018-06-05-Emotet-malspam-8-email-examples.txt.zip 2.7 kB (2,708 bytes)
- 2018-06-05-Emotet-malspam-infection-traffic.pcap.zip 41 MB (41,006,134 bytes)
- 2018-06-05-malware-from-Emotet-infection.zip 336 kB (335,885 bytes)
- 2018-06-06-Emotet-malspam-5-email-examples.txt.zip 2.4 kB (2,385 bytes)
- 2018-06-06-Emotet-malspam-infection-traffic.pcap.zip 136 kB (135,785 bytes)
- 2018-06-06-malware-from-Emotet-infection.zip 293 kB (292,829 bytes)
- 2018-06-08-Emotet-malspam-8-email-examples.txt.zip 122 kB (121,912 bytes)
- 2018-06-08-Emotet-malspam-infection-traffic.pcap.zip 3.2 MB (3,230,372 bytes)
- 2018-06-08-malware-from-Emotet-infection.zip 113 kB (112,535 bytes)
- 2018-06-11-Emotet-malspam-infection-traffic.pcap.zip 1.4 MB (1,443,390 bytes)
- 2018-06-11-malware-from-Emotet-infection.zip 118 kB (118,189 bytes)
NOTES:
- I collected some Emotet malspam examples, infection traffic, and malware samples while I was in Japan last week.
- Didn't have time to post anything until today.
- I also generated some Emotet traffic today, but I didn't find any emails from today's wave of malspam.
- Traffic from 2018-06-05 and 2018-06-08 contains spambot traffic from my infected lab host sending out more Emotet malspam.
- Included below is a list of 54 URLs I found today (2018-06-11) to download an Emotet Word document. These presumably came from Emotet malspam.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following URLs:
FINAL NOTES
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.