2018-08-08 - QUICK POST: EMOTET INFECTION WITH TRICKBOT (GTAG: TOT285)

NOTICE:

ASSOCIATED FILES:

 

[Image: Wireshark screenshot]

Shown above: Traffic from an infection filtered in Wireshark.

 

INFO FROM 9 EMAIL EXAMPLES

SUBJECT LINES:

- Subject: Accounts - Invoice
- Subject: Customer Invoice -- Martin N.
- Subject: Invoice from Steve Smith
- Subject: New Address and payment details
- Subject: New payment   notice
- Subject: New Wells Fargo payment notice
- Subject: Recent money transfer details
- Subject: Your   new payment notification
- Subject: Your new JPMorgan Chase payment notice

SIX OF THEM HAVE LINKS TO A WORD DOC:


THREE OF THEM HAVE A WORD DOC DIRECTLY ATTACHED TO THE EMAIL:

- SHA256 hash: da94aadcc205de0ffc3be2832be93bcf01bc1d6186c155133c85f9a0a755b0a5
- Attachment name: GW47441.doc

- SHA256 hash: f6e4c93b53aa09a6220087d89fbf0d9d960f6ede206e678e638f688c2c49bdb9
- Attachment name: MYB887988461316.doc

- SHA256 hash: 84396e633158c3c36ad11cf087c90e8522c4b4143d86a7778dad201815edd36f
- Attachment name: WPV165689810229115.doc
