2018-08-08 - QUICK POST: EMOTET INFECTION WITH TRICKBOT (GTAG: TOT285)
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2018-08-08-Emotet-malspam-9-email-examples.zip 201 kB (200,971 bytes)
- 2018-08-08-Emotet-infection-traffic-with-Trickbot.pcap.zip 4.4 MB (4,426,111 bytes)
- 2018-08-08-Emotet-and-Trickbot-malware.zip 480 kB (480,019 bytes)
[Image] Shown above: Traffic from an infection filtered in Wireshark.
INFO FROM 9 EMAIL EXAMPLES
SUBJECT LINES:
- Subject: Accounts - Invoice
- Subject: Customer Invoice -- Martin N.
- Subject: Invoice from Steve Smith
- Subject: New Address and payment details
- Subject: New payment notice
- Subject: New Wells Fargo payment notice
- Subject: Recent money transfer details
- Subject: Your new payment notification
- Subject: Your new JPMorgan Chase payment notice
SIX OF THEM HAVE LINKS TO A WORD DOC:
- hxxp[:]//alberguetaull[.]com/tmp/80XPAYMENT/QH267128XQTOYI/Aug-08-2018-553373571/OBRU-XUN
- hxxp[:]//jswebtechnologies[.]com/3KTPAYMENT/BBLL822448665BB/23062884/XS-EDO-Aug-08-2018
- hxxp[:]//relaxmens[.]ir/INFO/DA31632349268CVB/0441507/IUCY-CMT-Aug-08-2018
- hxxp[:]//sprachkurse-drjung[.]at/PAYMENT/EZNZ54945686LZU/Aug-07-2018-465301/XGHT-AKTN
- hxxp[:]//thecontemporaries[.]org/FILE/TTL4855971867FEC/42835411768/AWD-KFHR
- hxxp[:]//thefindersclub[.]org/5CCorporation/YBS31666762MD/Aug-08-2018-6064890/SQA-DOF-Aug-08-2018
THREE OF THEM HAVE A WORD DOC DIRECTLY ATTACHED TO THE EMAIL:
- SHA256 hash: da94aadcc205de0ffc3be2832be93bcf01bc1d6186c155133c85f9a0a755b0a5
  Attachment name: GW47441.doc
- SHA256 hash: f6e4c93b53aa09a6220087d89fbf0d9d960f6ede206e678e638f688c2c49bdb9
  Attachment name: MYB887988461316.doc
- SHA256 hash: 84396e633158c3c36ad11cf087c90e8522c4b4143d86a7778dad201815edd36f
  Attachment name: WPV165689810229115.doc