2018-07-19 - EMOTET INFECTION TRAFFIC WITH ZEUS PANDA BANKER

ASSOCIATED FILES:

• Zip archive of 4 email examples:  2018-07-17-thru-19-Emotet-malspam-4-email-examples.zip   384 kB (384,423 bytes)

• 2018-07-17-Emotet-malspam-1153-UTC.eml   (1,153 bytes)
• 2018-07-18-Emotet-malspam-0716-UTC.eml   (247,503 bytes)
• 2018-07-19-Emotet-malspam-1058-UTC.eml   (493,762 bytes)
• 2018-07-19-Emotet-malspam-1703-UTC.eml   (1,022 bytes)

• Zip archive of the infection traffic:  2018-07-19-Emotet-infection-with-Zeus-Panda-Banker.pcap.zip   4.1 MB (4,064,731 bytes)

• 2018-07-19-Emotet-infection-with-Zeus-Panda-Banker.pcap   (4,568,407 bytes)

• Zip archive of the malware:  2018-07-19-malware-from-Emotet-infection.zip   689 kB (689,283 bytes)

• 2018-07-19-downloaded-Word-doc-with-macro-for-Emotet.doc   (343,296 bytes)
• 2018-07-19-Emotet-malware-binary-1-of-2.exe   (283,648 bytes)
• 2018-07-19-Emotet-malware-binary-2-of-2.exe   (280,576 bytes)
• 2018-07-19-Zeus-Panda-Banker-caused-by-Emotet-infection.exe   (265,728 bytes)

 

NOTES:

• I recently did a blog for Palo Alto Networks titled Malware Team Up: Malspam Pushing Emotet + Trickbot.
• It focuses on Emotet + Trickbot, but today it was Emotet + Zeus Panda Banker.

 

Shown above:  Flowchart for recent Emotet infection traffic.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domain and URLs:

• hxxp://aulacloud.com.br/pdf/EN_en/New-Order-Upcoming/Please-pull-invoice-984495/
• hxxp://zazz.com.br/Documentos/
• hxxp://astraclinic.com/Facturas-pendientes/
• hxxp://trustsoft.ro/NFjd6T/
• hxxp://181.129.60.162/whoami.php
• tailbackuisback.xyz

 

EMAILS

DATA FROM 4 EMAIL EXAMPLES:

• Date: Tuesday, 2018-07-17 11:53 UTC
• Received: from 10.3.23.36 (UnknownHost [1.6.26.234])
• From: benji@overyondr.com <[removed]@[removed]>
• Subject: CUST. JFD-55-17335
• Link: hxxp://aulacloud.com.br/pdf/EN_en/New-Order-Upcoming/Please-pull-invoice-984495/

• Date: Wednesday, 2018-07-18 07:16 UTC
• Received: from [196.250.41.122] (port=49278 helo=10.0.0.52)
• From: SAV AITICA <> <almacen@francachela.com.mx>>
• Subject: Outstanding invoice
• Attachment name: INV-EB51776.doc

• Date: Thursday, 2018-07-19 10:58 UTC
• Received: from 10.0.0.51 (fixed-187-190-248-34.totalplay.net [187.190.248.34])
• From: Raj Jhamb <> <marcs@svtv.com>
• Subject:  Inv. no. 1ZVO1641
• Attachment name: INV-1ZVO1641.doc

• Date: Thursday, 2018-07-19 10:58 UTC
• Received: from [189.232.17.251] (port=58245 helo=10.0.0.28)
• From: Kasaiah Amirisetty <> <edgar@dgforensiks.mx>
• Subject: Kasaiah Amirisetty Factura de servicio y soporte F4179871 de 19 julio
• Link: hxxp://zazz.com.br/Documentos/

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

TRAFFIC FROM AN INFECTED WINDOWS HOST:

• 37.187.38.98 port 80 - astraclinic.com - GET /Facturas-pendientes/
• 86.35.15.70 port 80 - trustsoft.ro - GET /NFjd6T/
• 67.68.235.25 port 50000 - attempted TCP connections, but no response from the server
• 187.192.180.144 port 995 - 187.192.180.144:995 - GET /
• 154.16.37.53 port 443 - tailbackuisback.xyz - post-infection traffic caused by Zeus Panda Banker
• port 443 - www.google.com - connectivity check caused by Zeus Panda Banker
• 5.188.231.137 port 443 - attempted TCP connections, but no response from the server
• 91.243.80.2 port 443 - attempted TCP connections, but no response from the server
• 201.232.42.151 port 8443 - attempted TCP connections, but no response from the server
• 181.129.60.162 port 80 - 181.129.60.162 - GET /whoami.php
• 181.129.60.162 port 80 - 181.129.60.162 - POST /

 

FILE HASHES

MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:

• SHA256 hash:  7bad900ea5cb2044726bd474d9b7f642c279425144e73b99463279fc83a95981
  File size:  343,296 bytes
  File name:  FACTURA-QMO-39839388.doc   (random file names)
  File description:  Word doc downloaded from a link in Emotet malspam.  Doc has macro to retreive Emotet.

• SHA256 hash:  3dd27b20b2ab85c95f8e9e1b5f4944e277ab018b3c663a8bf6262aa36183b0cf
  File size:  283,648 bytes
  File location:  C:\Users\[username]\AppData\Local\Microsoft\Windows\[random file name].exe
  File description:  Emotet malware binary downloaded by macro in downloaded Word doc

• SHA256 hash:  5482557ca490c50f5f383c6d6d3b51efd4b215b22ee3dde51a811a4f490735cc
  File size:  280,576 bytes
  File location:  C:\Users\[username]\AppData\Local\Microsoft\Windows\[random file name].exe
  File description:  Updated Emotet malware binary after the host was infected for a while

• SHA256 hash:  200dd176eccfe11a3456193bf1fe7d46d23408834e172991b883d59aa59ce259
  File size:  265,728 bytes
  File location:  C:\Users\[username]\AppData\Roaming\[existing directory path]\[random file name].exe
  File description:  Zeus Panda Banker downloaded by my Emotet-infected host

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of 4 email examples:  2018-07-17-thru-19-Emotet-malspam-4-email-examples.zip   384 kB (384,423 bytes)
• Zip archive of the infection traffic:  2018-07-19-Emotet-infection-with-Zeus-Panda-Banker.pcap.zip   4.1 MB (4,064,731 bytes)
• Zip archive of the malware:  2018-07-19-malware-from-Emotet-infection.zip   689 kB (689,283 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.