2018-07-09 - EMOTET MALSPAM INFECTION TRAFFIC WITH ZEUS PANDA BANKER
ASSOCIATED FILES:
- 2018-07-09-Emotet-malspam-30-email-examples.txt.zip 7.6 kB (7,560 bytes)
- 2018-07-09-Emotet-malspam-30-email-examples.txt (31,493 bytes)
- 2018-07-09-Emotet-malspam-infection-traffic-with-Zeus-Panda-Banker.pcap.zip 2.7 MB (2,719,587 bytes)
- 2018-07-09-Emotet-malspam-infection-traffic-with-Zeus-Panda-Banker.pcap (3,001,733 bytes)/li>
- 2018-07-09-malware-associated-with-Emotet-infection.zip 497 kB (497,129 bytes)
- 2018-07-09-Emotet-malware-binary-1-of-2.exe (110,592 bytes)
- 2018-07-09-Emotet-malware-binary-2-of-2.exe (106,496 bytes)
- 2018-07-09-Zeus-Panda-Banker-loaded-by-Emotet.exe (248,832 bytes)
- 2018-07-09-downloaded-Word-doc-with-macro-for-Emotet.doc (236,800 bytes)
NOTES:
- My Emotet infection followed-up with Zeus Panda Banker today.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following URLs and domain:
- hxxp://avocap.eu/Rechnung/Fakturierung/Rechnung-0846-5845/
- hxxp://calendar.bubnov.ru/newsletter/EN_en/DOC/Invoice-93422/
- hxxp://irisoil.com/Dokumente/Fakturierung/Rechnung-scan-Nr028435/
- hxxp://stylethemonkey.com/newsletter/US/STATUS/Invoice-5225260/
- hxxp://www.adventuredsocks.com/sites/En/ACCOUNT/Pay-Invoice/
- hxxp://www.altinbronz.com.tr/default/En/FILE/Customer-Invoice-CM-3772286/
- hxxp://www.arlab21.com/Rechnung/FORM/Rechnung/
- hxxp://www.autoplasrecyclingltd.co.uk/files/En/New-Order-Upcoming/HRI-Monthly-Invoice/
- hxxp://www.ayvalikfotografcisi.com/newsletter/US_us/Client/Invoice-83453/
- hxxp://www.bazaltbezpeka.com.ua/Rechnungs-Details/RECHNUNG/Unsere-Rechnung-vom-09-Juli-033-880/
- hxxp://www.bursabesevlernakliyat.com/Rechnung/Rechnungszahlung/Rechnung-fur-Zahlung-Nr080000/
- hxxp://www.certiagro.com/Jul2018/EN_en/Client/Invoice-431495/
- hxxp://www.clean.vanzherke.ru/Jul2018/US/Order/Auditor-of-State-Notification-of-EFT-Deposit/
- hxxp://www.crackbros.com/files/En/FILE/Invoice-157212/
- hxxp://www.dessertcake.com.ua/files/US/Purchase/Pay-Invoice/
- hxxp://www.dilema.si/files/EN_en/OVERDUE-ACCOUNT/Direct-Deposit-Notice/
- hxxp://www.dokassessoria.com.br/Rechnungs-Details/DETAILS/Erinnerung-an-die-Rechnungszahlung-002817/
- hxxp://www.dom-stroy52.ru/default/EN_en/STATUS/20352/
- hxxp://www.eshop9ja.com/default/US_us/STATUS/Invoice-574161/
- hxxp://www.hilalkentasm.com/sites/En_us/STATUS/Invoices/
- hxxp://www.ingpk.ru/sites/EN_en/STATUS/Services-07-09-18-New-Customer-RS/
- hxxp://www.interfrazao.com.br/pdf/En/DOC/Past-Due-invoice/
- hxxp://www.lutz-nachhilfe.de/sites/En_us/Payment-and-address/Invoice-79627/
- hxxp://www.malwaeduskills.com/pdf/US/Client/Auditor-of-State-Notification-of-EFT-Deposit/
- hxxp://www.missaost.com.br/files/En_us/FILE/Payment/
- hxxp://www.segmaster.pagina-oficial.ws/sites/En/Purchase/Invoice-94754212-070918/
- hxxp://www.sunnybeach05.ru/Jul2018/EN_en/ACCOUNT/Invoice-989633/
- hxxp://www.wadhwawisecitypanvel.info/default/US/STATUS/New-Invoice-KY95015-UI-9687/
- hxxp://www.xn--dieglcksspirale-3vb.net/pdf/En_us/Client/Invoice-533946/
- hxxp://www.yildirimcatering.org/newsletter/En/OVERDUE-ACCOUNT/Invoices/
- hxxp://primerplano.org/Yb/
- hxxp://ave-ant.com/u/
- hxxp://muaithai.pl/bdwsab/
- hxxp://jmamusical.jp/wordpress/wp-content/Ec0SS/
- hxxp://nagoyamicky.com/cacheqblog/bDWJMUD/
- airconhero.xyz
EMAILS
Shown above: Example of the malspam (raw text with headers and formatting).
DATA FROM 30 EMAIL EXAMPLES OF THE MALSPAM:
- Date/Time: Monday 2018-07-09 as early as: 06:48 UTC through 16:08 UTC
- Received: from ([83.61.6.192])
- Received: from ([176.203.64.58])
- Received: from ([189.165.238.227])
- Received: from ([197.234.39.146])
- Received: from ([202.189.252.90])
- Received: from ([221.163.32.101])
- Received: from 10.0.0.0 ([185.129.0.187])
- Received: from 10.0.0.0 ([221.163.32.101])
- Received: from 10.0.0.3 ([115.42.222.210])
- Received: from 10.0.0.7 ([118.97.173.18])
- Received: from 10.0.0.12 ([77.16.77.89])
- Received: from 10.0.0.16 ([114.143.224.98])
- Received: from 10.0.0.18 ([178.16.162.59])
- Received: from 10.0.0.19 ([89.207.118.10])
- Received: from 10.0.0.20 ([221.163.32.101])
- Received: from 10.0.0.21 ([221.163.32.101])
- Received: from 10.0.0.23 ([103.83.245.139])
- Received: from 10.0.0.23 ([221.163.32.101])
- Received: from 10.0.0.25 ([103.105.64.146])
- Received: from 10.0.0.30 ([113.172.215.181])
- Received: from 10.0.0.40 ([122.161.196.95])
- Received: from 10.0.0.44 ([221.163.32.101])
- Received: from 10.0.0.46 ([221.163.32.101])
- Received: from 10.0.0.49 ([115.135.234.201])
- Received: from 10.0.0.50 ([203.110.85.178])
- Received: from 10.0.0.53 ([46.185.230.184])
- Received: from 10.0.0.54 ([117.240.223.250])
- Received: from 10.0.0.55 ([83.61.6.192])
- Received: from 10.0.0.57 ([221.163.32.101])
- Received: from 10.0.0.59 ([178.22.144.86])
SPOOFED SENDERS:
- From: CRAIG@[recipient's email domain] <[spoofed email address]>
- From: Neusser@[recipient's email domain] <[spoofed email address]>
- From: ralf.litschel@[recipient's email domain] <[spoofed email address]>
- From: rketter@caleres.com <[spoofed email address]>
- From: rscavello@precisionautomationinc.com <[spoofed email address]>
- From: stolz@[recipient's email domain] <[spoofed email address]>
- From: Arroyo, Inaki (CRONIMET Hispania) <[spoofed email address]>
- From: Barbara Knill <[spoofed email address]>
- From: Batterson, Richard <[spoofed email address]>
- From: Bob Murphy <[spoofed email address]>
- From: Bolton Plant <[spoofed email address]>
- From: Catherine Bolton <[spoofed email address]>
- From: Chris Hardy <[spoofed email address]>
- From: Craig Albers <[spoofed email address]>
- From: David Broadhurst <[spoofed email address]>
- From: Dianne Decker <[spoofed email address]>
- From: Helen Palmer <[spoofed email address]>
- From: Jenson Harry <[spoofed email address]>
- From: Joyce Lynch <[spoofed email address]>
- From: Lucas Ezell <[spoofed email address]>
- From: M&CP - Port Health <[spoofed email address]>
- From: Mike Toozer <[spoofed email address]>
- From: Mingkwan Charoenporn <[spoofed email address]>
- From: Nathan Neally <[spoofed email address]>
- From: PEDROSA Mariana Sofia <[spoofed email address]>
- From: PoolCar Sales <[spoofed email address]>
- From: Richard Cartwright <[spoofed email address]>
- From: Sian Moffat <[spoofed email address]>
- From: Tilly Watkins <[spoofed email address]>
- From: Timo Hofstetter <[spoofed email address]>
SUBJECT LINES:
- Subject: Joyce Lynch: 901597
- Subject: CRAIG@[recipient's email domain] / Inv. 3653869422
- Subject: =?UTF-8?B?SWhyZSBSZWNobnVuZyB2b20gMDkuMDcuMjAxOCDihJYwMTM1MzI=?=
- Subject: =?UTF-8?B?UmVjaG51bmcgZsO8ciBaYWhsdW5nIE5yLiAwOTk2NzE=?=
- Subject: =?UTF-8?B?UmVjaG51bmcgZsO8ciBEaWVuc3RsZWlzdHVuZ2VuIA==?=
- Subject: 0999639 Survey questions
- Subject: Awaiting for your confirmation
- Subject: Bezahlen Sie die Rechnung 528924152756594
- Subject: Final Account
- Subject: Invoice
- Subject: Invoice 07.09.18
- Subject: Invoice 73861846 Invoice date 070918 Order no. 43953870628
- Subject: Invoices
- Subject: Invoices Overdue
- Subject: MKN3-97971776420
- Subject: Order Confirmation
- Subject: Outstanding INVOICE TQET/355619/7536
- Subject: Outstanding INVOICE WJLLK/877387/1763
- Subject: Overdue payment
- Subject: Pay Invoice
- Subject: Payment status
- Subject: PoolCar Sales invoice
- Subject: Purchases 2018
- Subject: RE: Outstanding INVOICE LFX/348779/395
- Subject: Rechnung scan 251580728
- Subject: Sales Invoice
- Subject: Seperate Remittance Advice Layout - paper document A4
- Subject: Zahlungserinnerung vom Juli
Shown above: Word doc generated from link in the malspam.
INFECTION TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
URLS FROM THE MALSPAM TO DOWNLOAD THE INITIAL WORD DOCUMENT:
- hxxp://avocap.eu/Rechnung/Fakturierung/Rechnung-0846-5845/
- hxxp://calendar.bubnov.ru/newsletter/EN_en/DOC/Invoice-93422/
- hxxp://irisoil.com/Dokumente/Fakturierung/Rechnung-scan-Nr028435/
- hxxp://stylethemonkey.com/newsletter/US/STATUS/Invoice-5225260/
- hxxp://www.adventuredsocks.com/sites/En/ACCOUNT/Pay-Invoice/
- hxxp://www.altinbronz.com.tr/default/En/FILE/Customer-Invoice-CM-3772286/
- hxxp://www.arlab21.com/Rechnung/FORM/Rechnung/
- hxxp://www.autoplasrecyclingltd.co.uk/files/En/New-Order-Upcoming/HRI-Monthly-Invoice/
- hxxp://www.ayvalikfotografcisi.com/newsletter/US_us/Client/Invoice-83453/
- hxxp://www.bazaltbezpeka.com.ua/Rechnungs-Details/RECHNUNG/Unsere-Rechnung-vom-09-Juli-033-880/
- hxxp://www.bursabesevlernakliyat.com/Rechnung/Rechnungszahlung/Rechnung-fur-Zahlung-Nr080000/
- hxxp://www.certiagro.com/Jul2018/EN_en/Client/Invoice-431495/
- hxxp://www.clean.vanzherke.ru/Jul2018/US/Order/Auditor-of-State-Notification-of-EFT-Deposit/
- hxxp://www.crackbros.com/files/En/FILE/Invoice-157212/
- hxxp://www.dessertcake.com.ua/files/US/Purchase/Pay-Invoice/
- hxxp://www.dilema.si/files/EN_en/OVERDUE-ACCOUNT/Direct-Deposit-Notice/
- hxxp://www.dokassessoria.com.br/Rechnungs-Details/DETAILS/Erinnerung-an-die-Rechnungszahlung-002817/
- hxxp://www.dom-stroy52.ru/default/EN_en/STATUS/20352/
- hxxp://www.eshop9ja.com/default/US_us/STATUS/Invoice-574161/
- hxxp://www.hilalkentasm.com/sites/En_us/STATUS/Invoices/
- hxxp://www.ingpk.ru/sites/EN_en/STATUS/Services-07-09-18-New-Customer-RS/
- hxxp://www.interfrazao.com.br/pdf/En/DOC/Past-Due-invoice/
- hxxp://www.lutz-nachhilfe.de/sites/En_us/Payment-and-address/Invoice-79627/
- hxxp://www.malwaeduskills.com/pdf/US/Client/Auditor-of-State-Notification-of-EFT-Deposit/
- hxxp://www.missaost.com.br/files/En_us/FILE/Payment/
- hxxp://www.segmaster.pagina-oficial.ws/sites/En/Purchase/Invoice=-94754212-070918/
- hxxp://www.sunnybeach05.ru/Jul2018/EN_en/ACCOUNT/Invoice-989633/
- hxxp://www.wadhwawisecitypanvel.info/default/US/STATUS/New-Invoice-KY95015-UI-9687/
- hxxp://www.xn--dieglcksspirale-3vb.net/pdf/En_us/Client/Invoice-533946/
- hxxp://www.yildirimcatering.org/newsletter/En/OVERDUE-ACCOUNT/Invoices/
URLS FROM MACRO IN THE DOWNLOADED WORD DOC TO GRAB AN EMOTET BINARY:
- hxxp://primerplano.org/Yb/
- hxxp://ave-ant.com/u/
- hxxp://muaithai.pl/bdwsab/
- hxxp://jmamusical.jp/wordpress/wp-content/Ec0SS/
- hxxp://nagoyamicky.com/cacheqblog/bDWJMUD/
EMOTET INFECTION TRAFFIC:
- 94.138.202.230 port 80 - www.hilalkentasm.com - GET /sites/En_us/STATUS/Invoices/ (returned Word doc)
- 65.99.252.112 port 80 - primerplano.org - GET /Yb/ (returned Emotet malware binary)
- 24.121.176.48 port 443 - 24.121.176.48:443 - POST / (Emotet post-infection traffic)
- 24.173.127.246 port 443 - 24.173.127.246:443 - POST / (Emotet post-infection traffic)
- 74.79.26.193 port 990 - attempted TCP connections, but no response from the server (Emotet post-infection traffic)
- 110.10.176.124 port 443 - airconhero.xyz - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker
MALWARE
MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:
- SHA256 hash: 369382490deaf9246e39d07c57db6b56fa3fd9454671ec728bf81a4c4a1a549e
File size: 236,800 bytes
File name: MG-921280152.doc (random file names)
File description: Word doc downloaded from link in one of the emails. Has macro to retrieve Emotet.
- SHA256 hash: 2f93c8c97f99c77880027b149d257268f45bce1255aeaefdc4f21f5bd744573f
File size: 110,592 bytes
File location: C:\Users\[username]\AppData\Local\Microsoft\Windows\[random file name].exe
File description: Emotet malware binary (1 of 2)downloaded by macro in downloaded Word doc
- SHA256 hash: e90cbb0729e523bc8647e2437cd7f91ed4dafe131b945599aca1e64058fe76e7
File size: 106,496 bytes
File location: C:\Users\[username]\AppData\Local\Microsoft\Windows\[random file name].exe
File description: Updated Emotet malware binary (2 of 2)
- SHA256 hash: f0138f78c1fd8b47be240bb779b32dda0be2e681145b50765f5bb5715be9d5eb
File size: 248,832 bytes
File location: C:\Users\[username]\AppData\Roaming\[existing directory path]\[random file name].exe
File description: Zeus Panda Banker downloaded by my Emotet-infected host
FINAL NOTES
Once again, here are the associated files:
- 2018-07-09-Emotet-malspam-30-email-examples.txt.zip 7.6 kB (7,560 bytes)
- 2018-07-09-Emotet-malspam-infection-traffic-with-Zeus-Panda-Banker.pcap.zip 2.7 MB (2,719,587 bytes)
- 2018-07-09-malware-associated-with-Emotet-infection.zip 497 kB (497,129 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.