2018-06-11 - EMOTET DATA DUMP

ASSOCIATED FILES:

• 2018-06-05-Emotet-malspam-8-email-examples.txt.zip   2.7 kB (2,708 bytes)
• 2018-06-05-Emotet-malspam-infection-traffic.pcap.zip   41 MB (41,006,134 bytes)
• 2018-06-05-malware-from-Emotet-infection.zip   336 kB (335,885 bytes)

• 2018-06-06-Emotet-malspam-5-email-examples.txt.zip 2.4 kB (2,385 bytes)
• 2018-06-06-Emotet-malspam-infection-traffic.pcap.zip   136 kB (135,785 bytes)
• 2018-06-06-malware-from-Emotet-infection.zip   293 kB (292,829 bytes)

• 2018-06-08-Emotet-malspam-8-email-examples.txt.zip   122 kB (121,912 bytes)
• 2018-06-08-Emotet-malspam-infection-traffic.pcap.zip   3.2 MB (3,230,372 bytes)
• 2018-06-08-malware-from-Emotet-infection.zip   113 kB (112,535 bytes)

• 2018-06-11-Emotet-malspam-infection-traffic.pcap.zip   1.4 MB (1,443,390 bytes)
• 2018-06-11-malware-from-Emotet-infection.zip   118 kB (118,189 bytes)

 

NOTES:

• I collected some Emotet malspam examples, infection traffic, and malware samples while I was in Japan last week.
• Didn't have time to post anything until today.
• I also generated some Emotet traffic today, but I didn't find any emails from today's wave of malspam.
• Traffic from 2018-06-05 and 2018-06-08 contains spambot traffic from my infected lab host sending out more Emotet malspam.
• Included below is a list of 54 URLs I found today (2018-06-11) to download an Emotet Word document.  These presumably came from Emotet malspam.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs:

• hxxp://aspaud.com/IRS-Accounts-Transcipts-473/
• hxxp://bechner.com/IRS-Transcripts-June-2018-039T/8/
• hxxp://bestwigs.eu/IRS-Accounts-Transcipts-09Q/5/
• hxxp://carricusa.com/ssfm/ups.com/WebTracking/YUI-32489460846/
• hxxp://cninin.com/IRS-Accounts-Transcipts-062018-1266/
• hxxp://decorazon.com.br/IRS-Letters-591/
• hxxp://detss.com/IRS-Accounts-Transcipts-463/
• hxxp://doc-japan.com/cms/IRS-Transcripts-065/4/
• hxxp://feelgud8.com/IRS-Letters-730/
• hxxp://flewer.pl/unicode_maps/IRS-Tax-Transcipts-4842/
• hxxp://fourshells.com/FILE/Invoice-518087/
• hxxp://generalgauffin.se/IRS-Tax-Transcipts-049M/99/
• hxxp://hansetravel.de/IRS-Transcripts-062018-0101/
• hxxp://healthyrevelations.com/IRS-Transcripts-June-2018-038K/5/
• hxxp://hygienic.co.th/components/com_photo/IRS-Tax-Transcipts-062018-06X/5/
• hxxp://innerlinkdesign.com/IRS-Letters-099/87/
• hxxp://invizza.com/IRS-Transcripts-05/93/
• hxxp://japanism.org/senkyo/lib/PEAR/Mail/FILE/Invoice-2688878/
• hxxp://live-etutor.com/IRS-Transcripts-062018-3588/
• hxxp://llupa.com/IRS-Transcripts-01D/79/
• hxxp://montecarloclub.com/IRS-Accounts-Transcipts-361/
• hxxp://nustyle.de/IRS-Tax-Transcipts-June-2018-014F/54/
• hxxp://pentox.hu/IRS-Letters-062018-09/04/
• hxxp://planitsolutions.co.nz/IRS-Tax-Transcipts-062018-004S/13/
• hxxp://r-klecker.de/IRS-Accounts-Transcipts-062018-05B/8/
• hxxp://s-kotobuki.co.jp/IRS-TRANSCRIPTS-062018-047L/4/
• hxxp://satutitik.com/sms/manager/generated/IRS-Letters-062018-642/
• hxxp://sia-gmbh.de/ups.com/WebTracking/RA-901282484434720/
• hxxp://signsdesigns.com.au/IRS-Tax-Transcipts-062018-1197/
• hxxp://speedscenewiring.com/IRS-TRANSCRIPTS-8894/
• hxxp://spoonfedgroup.com/IRS-Transcripts-09N/98/
• hxxp://stafffinancial.com/For-Check/
• hxxp://stevebrown.nl/IRS-TRANSCRIPTS-08W/5/
• hxxp://synchronus.de/IRS-Transcripts-June-2018-5347/
• hxxp://tagtea.com/Fakturierung/IRS-Letters-June-2018-022/44/
• hxxp://tenislam.com/IRS-Letters-June-2018-04E/5/
• hxxp://trevorchristensen.com/ACCOUNT/ACCOUNT19213228/
• hxxp://turski.eu/IRS-Letters-03/3/
• hxxp://tutorial9.net/IRS-Transcripts-07/4/
• hxxp://vermeer-oomens.nl/IRS-Accounts-Transcipts-June-2018-344/
• hxxp://viciousenterprises.com/IRS-Transcripts-04W/6/
• hxxp://visuelle-sprache.de/GAS/IRS-Accounts-Transcipts-062018-013G/3/
• hxxp://waisir.com/IRS-Accounts-Transcipts-062018-00/2/
• hxxp://webimr.com/IRS-TRANSCRIPTS-241/
• hxxp://wernerkirchner.de/IRS-TRANSCRIPTS-062018-00/8/
• hxxp://www.fluorescent.cc/IRS-Accounts-Transcipts-June-2018-433/
• hxxp://www.izmir-teknik-kombi.com/IRS-Transcripts-June-2018-09/18/
• hxxp://www.neodream-design.com/IRS-Accounts-Transcipts-062018-09/1/
• hxxp://www.nobleartproject.pl/IRS-Transcripts-062018-300/
• hxxp://www.palavrasaovento.com.br/IRS-Accounts-Transcipts-June-2018-7673/
• hxxp://www.prkanchang.com/IRS-Tax-Transcipts-062018-010/5/
• hxxp://www.scorpioncontrollers.com/IRS-Accounts-Transcipts-118/
• hxxp://www.signal49.dev.dusit.ac.th/IRS-Tax-Transcipts-897/
• hxxp://www.tangentsolutions.co.in/IRS-Letters-062018-04U/73/

 

FINAL NOTES

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.