2018-06-20 - MALSPAM PUSHES EMOTET & EMOTET PUSHES ICEDID BANKING MALWARE (AGAIN)

ASSOCIATED FILES:

• 2018-06-20-Emotet-malspam-101-email-examples.txt.zip   17.4 kB (17,384 bytes)
• 2018-06-20-Emotet-malspam-IOCs-and-notes.txt.zip   6.8 kB (6,798 bytes)
• 2018-06-20-Emotet-malspam-infection-malware-and-artifacts.zip   647 kB (646,730 bytes)
• 2018-06-20-Emotet-malspam-infection-traffic-both-pcaps.zip   3.3 MB (3,253,415 bytes)

 

NOTES:

• This one is a quick post.  IOCs are in one of the above archives.
• I generated 2 pcaps of infection traffic.
• One pcap is as a normal home user on an isolated Windows host.
• The other pcap is on a Windows client logged into a domain controller in an Active Directory (AD) environment.
• Today, I only saw IcedID in the pcap with the AD environment.

• Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

Shown above:  Traffic from an infection filtered in Wireshark.

 

Shown above:  Malware from this infection persistent on the infected Windows host.

 

Click here to return to the main page.