2018-07-31 - TWO EMOTET INFECTIONS: EMOTET + TRICKBOT AND EMOTET + ZEUS PANDA BANKER

ASSOCIATED FILES:

• 2018-07-30-and-31-three-Emotet-malspam-examples.zip   3.9 kB (3,961 bytes)

• 2018-07-30-Emotet-malspam-0825-UTC.eml   (967 bytes)
• 2018-07-30-Emotet-malspam-2031-UTC.eml   (7,116 bytes)
• 2018-07-31-Emotet-malspam-0945-UTC.eml   (1,347 bytes)

• 2018-07-31-Emotet-infection-traffic-both-pcaps.zip   7.5 MB (7,527,214 bytes)

• 2018-07-31-Emotet-infection-with-Trickbot.pcap   (5,767,774 bytes)
• 2018-07-31-Emotet-infection-with-Zeus-Panda-Banker.pcap   (2,336,550 bytes)

• 2018-07-31-malware-associated-with-Emotet-infection.zip   880 kB (879,859 bytes)

• 2018-07-31-Emotet-malware-binary-1-of-3.exe   (131,584 bytes)
• 2018-07-31-Emotet-malware-binary-2-of-3.exe   (131,584 bytes)
• 2018-07-31-Emotet-malware-binary-3-of-3.exe   (133,120 bytes)
• 2018-07-31-Trickbot-retrieved-suing-Emotet-infection.exe   (327,168 bytes)
• 2018-07-31-Zeus-Panda-Banker-retrieved-suing-Emotet-infection.exe   (136,704 bytes)
• 2018-07-31-downloaded-Word-doc-with-macro-for-Emotet-1-of-4.doc   (101,248 bytes)
• 2018-07-31-downloaded-Word-doc-with-macro-for-Emotet-2-of-4.doc   (93,440 bytes)
• 2018-07-31-downloaded-Word-doc-with-macro-for-Emotet-3-of-4.doc   (100,224 bytes)
• 2018-07-31-downloaded-Word-doc-with-macro-for-Emotet-4-of-4.doc   (88,576 bytes)

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domain and URLs:

• humoronoff.top
• hxxp://aktuelldata-ev.de/files/US/Address-Update/
• hxxp://bodycorporatecollective.com.au/newsletter/EN_en/Address-Update/
• hxxp://canadary.com/JyblntYRbo/
• hxxp://connievoigt.cl/sites/Rechnung/FORM/Rechnung-UX-31-60671/
• hxxp://consultorialyceum.com.br/loDjMtPpTaavXhB3pME9/
• hxxp://eco3academia.com.br/default/de/Zahlung/RechnungsDetails-DW-03-40777/
• hxxp://elkasen.szczecin.pl/newsletter/En_us/OVERDUE-ACCOUNT/invoice/
• hxxp://hostile-gaming.fr/DHL-Express/US/
• hxxp://it-club.kg/doc/En/Payment-details/
• hxxp://kermain-valley.com/default/Rechnungs-Details/FORM/RechnungScan-BBK-64-93981/
• hxxp://khanandmuezzin.com/doc/En/Invoice-for-sent/Account-35484/
• hxxp://klvanrental.com.my/djwVH7ITcXQs63j0Nu/
• hxxp://milesaway.pl/Jul2018/US/Payment-with-a-new-address/
• hxxp://myworkathomesite.com/files/US_us/Payment-details/
• hxxp://new.allfn.com/sites/En/New-Address/
• hxxp://nz.dilmah.com/doc/US/Change-of-Address/
• hxxp://ordos.su/DHL-Express/En_us/
• hxxp://prosourcedpartners.com/Jul2018/US/New-payment-details-and-address-update/
• hxxp://relib.fr/Jul2018/Rech/Fakturierung/RechnungsDetails-YQ-22-72307/
• hxxp://restauracja.wislaa.pl/newsletter/EN_en/New-payment-details-and-address-update/
• hxxp://satyam.cl/plugins/doc/Rechnungs-Details/Rechnungszahlung/Erinnerung-an-die-Rechnungszahlung-LMW-42-41967/
• hxxp://sesisitmer.com/wp-content/Q90wNLaF01HWQa6oHAp/
• hxxp://sevgidugunsalonu.net/files/En_us/Address-Changed/
• hxxp://shopinterbuild.com/sqlbak/9rSN69yzI4Vdv894/
• hxxp://silver-n-stone.com/default/En/Payment-details/
• hxxp://solvensplus.co.rs/DHL-Express/En/
• hxxp://theboomworks.com/default/En_us/Address-and-payment-info/
• hxxp://thonglorpetblog.com/petcare/DHL-Tracking/EN_en/
• hxxp://tiendaepica.com/newsletter/US/Address-Update/
• hxxp://www.ultigamer.com/wp-admin/includes/Jul2018/Dokumente/Hilfestellung/Rechnungszahlung-TY-65-37307/
• hxxp://weliketomoveit.ca/default/EN_en/Address-Update/
• hxxp://www.shopinterbuild.com/sqlbak/9rSN69yzI4Vdv894/
• hxxp://agrocoeli.com/chfEBi
• hxxp://canevazzi.com.br/R7v
• hxxp://challengerballtournament.com/E
• hxxp://consultoresyempresas.com/QQRLe5a
• hxxp://cranmorelodge.co.uk/aU0o0
• hxxp://fundacionafanic.com/TsZLHoZU
• hxxp://fufu.com.mx/UQANpB
• hxxp://nonglek.net/7CR
• hxxp://tonysmarineservice.co.uk/gbsi00
• hxxp://www.leathershop77.com/bweFbo9
• hxxp://188.124.167.132:8082/mon1/
• hxxp://71.202.205.235/whoami.php

 

EMAILS

Shown above:  Example of the malspam (1 of 3).

 

Shown above:  Example of the malspam (2 of 3).

 

Shown above:  Example of the malspam (3 of 3).

 

INFECTION TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark (Emotet + Trickbot).

 

Shown above:  Traffic from an infection filtered in Wireshark (Emotet + Zeus Panda Banker).

 

LINKS IN THE EMAILS TO DOWNLOAD THE MALICIOUS WORD DOCUMENT:

• hxxp://aktuelldata-ev.de/files/US/Address-Update/
• hxxp://bodycorporatecollective.com.au/newsletter/EN_en/Address-Update/
• hxxp://canadary.com/JyblntYRbo/
• hxxp://connievoigt.cl/sites/Rechnung/FORM/Rechnung-UX-31-60671/
• hxxp://consultorialyceum.com.br/loDjMtPpTaavXhB3pME9/
• hxxp://eco3academia.com.br/default/de/Zahlung/RechnungsDetails-DW-03-40777/
• hxxp://elkasen.szczecin.pl/newsletter/En_us/OVERDUE-ACCOUNT/invoice/
• hxxp://hostile-gaming.fr/DHL-Express/US/
• hxxp://it-club.kg/doc/En/Payment-details/
• hxxp://kermain-valley.com/default/Rechnungs-Details/FORM/RechnungScan-BBK-64-93981/
• hxxp://khanandmuezzin.com/doc/En/Invoice-for-sent/Account-35484/
• hxxp://klvanrental.com.my/djwVH7ITcXQs63j0Nu/
• hxxp://milesaway.pl/Jul2018/US/Payment-with-a-new-address/
• hxxp://myworkathomesite.com/files/US_us/Payment-details/
• hxxp://new.allfn.com/sites/En/New-Address/
• hxxp://nz.dilmah.com/doc/US/Change-of-Address/
• hxxp://ordos.su/DHL-Express/En_us/
• hxxp://prosourcedpartners.com/Jul2018/US/New-payment-details-and-address-update/
• hxxp://relib.fr/Jul2018/Rech/Fakturierung/RechnungsDetails-YQ-22-72307/
• hxxp://restauracja.wislaa.pl/newsletter/EN_en/New-payment-details-and-address-update/
• hxxp://satyam.cl/plugins/doc/Rechnungs-Details/Rechnungszahlung/Erinnerung-an-die-Rechnungszahlung-LMW-42-41967/
• hxxp://sesisitmer.com/wp-content/Q90wNLaF01HWQa6oHAp/
• hxxp://sevgidugunsalonu.net/files/En_us/Address-Changed/
• hxxp://shopinterbuild.com/sqlbak/9rSN69yzI4Vdv894/
• hxxp://silver-n-stone.com/default/En/Payment-details/
• hxxp://solvensplus.co.rs/DHL-Express/En/
• hxxp://theboomworks.com/default/En_us/Address-and-payment-info/
• hxxp://thonglorpetblog.com/petcare/DHL-Tracking/EN_en/
• hxxp://tiendaepica.com/newsletter/US/Address-Update/
• hxxp://www.ultigamer.com/wp-admin/includes/Jul2018/Dokumente/Hilfestellung/Rechnungszahlung-TY-65-37307/
• hxxp://weliketomoveit.ca/default/EN_en/Address-Update/
• hxxp://www.shopinterbuild.com/sqlbak/9rSN69yzI4Vdv894/

 

URLS FOR THE FOLLOW-UP EMOTET MALWARE:

• hxxp://agrocoeli.com/chfEBi
• hxxp://canevazzi.com.br/R7v
• hxxp://challengerballtournament.com/E
• hxxp://consultoresyempresas.com/QQRLe5a
• hxxp://cranmorelodge.co.uk/aU0o0
• hxxp://fundacionafanic.com/TsZLHoZU
• hxxp://fufu.com.mx/UQANpB
• hxxp://nonglek.net/7CR
• hxxp://tonysmarineservice.co.uk/gbsi00
• hxxp://www.leathershop77.com/bweFbo9

 

TRAFFIC FROM AN INFECTED WINDOWS HOST (EMOTET + TRICKBOT):

• 81.88.48.95 port 80 - kermain-valley.com - GET /default/Rechnungs-Details/FORM/RechnungScan-BBK-64-93981/
• 82.145.53.206 port 80 - tonysmarineservice.co.uk - GET /gbsi00
• 191.252.137.134 port 80 - canevazzi.com.br - GET /R7v
• 50.87.105.242 port 80 - fufu.com.mx - GET /UQANpB
• 50.87.105.242 port 80 - fufu.com.mx - GET /cgi-sys/suspendedpage.cgi
• 176.32.230.49 port 80 - cranmorelodge.co.uk - GET /aU0o0
• 176.32.230.49 port 80 - cranmorelodge.co.uk - GET /aU0o0/
• 173.175.250.244 port 443 - 173.175.250.244:443 - GET /
• 181.142.74.233 port 80 - 181.142.74.233 - GET /
• 186.71.61.91 port 80 - 186.71.61.91 - GET /
• 50.19.229.252 port 80 - api.ipify.org - GET /   (IP address check caused by Trickbot)
• 85.9.212.117 port 443 - SSL/TLS traffic caused by Trickbot
• 109.234.35.101 port 447 - SSL/TLS traffic caused by Trickbot
• 158.58.131.54 port 443 - SSL/TLS traffic caused by Trickbot
• 37.230.114.206 port 447 - SSL/TLS traffic caused by Trickbot
• 188.124.167.132 port 8082 - 188.124.167.132:8082 - POST /mon1/[string with Trickbot-infected host info]
• 74.141.205.116 port 443 - attempted TCP connections, but no response from the server
• 71.202.205.235 port 80 - 71.202.205.235 - GET /whoami.php
• 71.202.205.235 port 80 - 71.202.205.235 - POST /

 

TRAFFIC FROM AN INFECTED WINDOWS HOST (EMOTET + ZEUS PANDA BANKER):

• 72.55.167.110 port 80 - weliketomoveit.ca - GET /default/EN_en/Address-Update/
• 144.208.71.103 port 80 - fundacionafanic.com - GET /TsZLHoZU
• 144.208.71.103 port 80 - fundacionafanic.com - GET /TsZLHoZU/
• 173.175.250.244 port 443 - 173.175.250.244:443 - GET /
• 181.142.74.233 port 80 - 181.142.74.233 - GET /
• 186.71.61.91 port 80 - 186.71.61.91 - GET /
• 74.141.205.116 port 443 - attempted TCP connections, but no response from the server
• 71.202.205.235 port 80 - 71.202.205.235 - GET /whoami.php
• 71.202.205.235 port 80 - 71.202.205.235 - POST /
• 186.71.61.91 port 80 - 186.71.61.91 - GET /
• 185.216.35.22 port 443 - humoronoff.top - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker

 

MALWARE

SHA256 HASHES FOR THE INITIAL WORD DOCUMENTS:

• 84e0cff85d83a1b143026811ff2963411f7d91f54520a6a5ac9e2dce47d0c97f
• db8419615c36095c6d01676af677a983827a52ed6d2d42335308b3cfc5c7b7ea
• dec66f17d2a766f0eba273d27f53155a81818a28425318a07055ae79f94337f9
• e82e999ee89cb83818e29fece183fe8649671e8bfad1e042d347fed827177765

SHA256 HASHES FOR THE FOLLOW-UP EMOTET MALWARE:

• 10810ac39fa23e7e64330b95724cd649040729705b9fbeba03064fb81ab6346a
• e0295b10fb3dd50e67a54d05ebd20e6b5367d47c5e4baf3cacddb24845fd570b
• e28f181c92cb68931972ec0b7c61b3fe54ba76d12c5cd251777bde6f9f01ce09

SHA256 HASH FOR TRICKBOT CAUSED BY EMOTET INFECTION (GTAG: MON1):

• 3dc3fa64dd957bfe083203a98e6a7af8494bf5de444428ad6fa2da55b9891436

SHA256 HASH FOR ZEUS PANDA BANKER CAUSED BY EMOTET INFECTION:

• 20f4445b40dc0cd1830dee6031a7342284e51dc4c399d331507b28f74ba0727b

 

FINAL NOTES

Once again, here are the associated files:

• 2018-07-30-and-31-three-Emotet-malspam-examples.zip   3.9 kB (3,961 bytes)
• 2018-07-31-Emotet-infection-traffic-both-pcaps.zip   7.5 MB (7,527,214 bytes)
• 2018-07-31-malware-associated-with-Emotet-infection.zip   880 kB (879,859 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.