2018-08-16 - EMOTET INFECTIONS WITH ZEUS PANDA BANKER ON 2018-08-15 & 2018-08-16
ASSOCIATED FILES:
- 2018-08-14-thru-16-Emotet-malspam-9-email-examples.zip 420 kB (420,083 bytes)
- 2018-08-15-Emotet-infection-traffic-with-Zeus-Panda-Banker.pcap.zip 1.4 MB (1,352,380 bytes)
- 2018-08-16-Emotet-infection-traffic-with-Zeus-Panda-Banker.pcap.zip 4.2 MB (4,225,183 bytes)
- 2018-08-14-thru-16-malware-associated-with-Emotet-infections.zip 1.2 MB (1,152,372 bytes)
NOTES:
- Still seeing Zeus Panda Banker caused by Emotet, very similar to what I posted earlier this week on 2018-08-14.
- This ties into a recent Unit 42 blog I wrote last month, Malware Team Up: Malspam Pushing Emotet + Trickbot.
Shown above: Flow chart typical Emotet malspam infections.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
- hxxp://whybowl.thebotogs.com/Wellsfargo/Commercial/Aug-15-2018
- hxxp://sharpconstructiontx.com/Wellsfargo/Business/Aug-14-2018
- hxxp://akademia.gnatyshyn.pl/WellsFargo/Smallbusiness/Aug-15-2018
- hxxp://akademia.gnatyshyn.pl/WellsFargo/Smallbusiness/Aug-15-2018
- hxxp://soportek.cl/FAm4eZY
- hxxp://duncanfalk.com/Wellsfargo/biz/Commercial/Aug-16-2018
- hxxp://psychedelicsociety.org.au/3mw
- theeunload.website
- mykeeptake.xyz
- hxxp://206.188.160.216:443/whoami.php
DATA FROM 9 MALSPAM EXAMPLES
Shown above: An example of Emotet malspam from Tuesday 2018-08-14.
Shown above: An example of Emotet malspam from Thursday 2018-08-16.
DATA FROM THE EMAILS:
- Date: Tue, 2018-08-14 09:42 UTC
- Date: Tue, 2018-08-14 10:28 UTC
- Date: Tue, 2018-08-14 14:30 UTC
- Date: Wed, 2018-08-15 05:23 UTC
- Date: Wed, 2018-08-15 07:30 UTC
- Date: Wed, 2018-08-15 10:55 UTC
- Date: Wed, 2018-08-15 12:36 UTC
- Date: Wed, 2018-08-15 14:57 UTC
- Date: Thu, 2018-08-16 09:05 UTC
- From: "[info removed]" <psanford@mhsi.us>
- From: "[info removed]" <psanford@mhsi.us>
- From: "Wellsfargo" <chefs@sevenseashotel.com>
- From: "Danielle Houliston" <ashish@greatlogicsinc.com>
- From: "Danielle Houliston" <farhan@revesoft.com>
- From: "[info removed]" <jesse@affolders.com>
- From: "Wells Fargo Personal" <factelectronica@impacsa.com>
- From: "Wells Fargo" <e.wendlandt@cablesurf.de>
- From: Robert <sciwindom@windomnet.com>
- Subject: Invoice Confirmation IF80406
- Subject: Rechnung 06521887908 [recipient's name]
- Subject: Account Alert - Due balance paid
- Subject: Rechnungs-Details TOAS - 011-AT0212
- Subject: Billing Invoice - Job # 8034344
- Subject: Your Reception - HPH invoice is ready
- Subject: Activity Alert: Due balance paid
- Subject: Activity Alert: Wire transfer info
- Subject: Rech 44177315677
- Attachment name: IF80406_2018_08_14.doc
- Attachment name: Rechnung 06521887908.doc
- URL for Word doc: hxxp://sharpconstructiontx.com/Wellsfargo/Business/Aug-14-2018
- Attachment name: Rechnungs-Details TOAS - 011-AT0212.doc
- Attachment name: MCO891938097_2018_08_15.doc
- Attachment name: 9P3018_2018_08_15.doc
- URL for Word doc: hxxp://whybowl.thebotogs.com/Wellsfargo/Commercial/Aug-15-2018
- URL for Word doc: hxxp://akademia.gnatyshyn.pl/WellsFargo/Smallbusiness/Aug-15-2018
- Attachment name: Rech 44177315677.doc
Shown above: Malicious Word doc downloaded from link in the malspam on Wednesday 2018-08-15.
Shown above: Malicious Word doc downloaded from link in the malspam on Thursday 2018-08-16.
TRAFFIC
Shown above: Traffic from an infection on Wednesday 2018-08-15 filtered in Wireshark.
Shown above: Traffic from an infection on Thursday 2018-08-16 filtered in Wireshark.
INFECTION TRAFFIC FROM WEDNESDAY 2018-08-15:
- 195.162.24.96 port 80 - akademia.gnatyshyn.pl - GET /WellsFargo/Smallbusiness/Aug-15-2018
- 195.162.24.96 port 80 - akademia.gnatyshyn.pl - GET /WellsFargo/Smallbusiness/Aug-15-2018/
- 201.148.107.187 port 80 - soportek.cl - GET /FAm4eZY
- 201.148.107.187 port 80 - soportek.cl - GET /FAm4eZY/
- 203.94.66.109 port 8080 - attempted TCP connections, but no response from the server
- 93.88.93.99 port 443 - 93.88.93.99:443 - GET /
- 130.0.236.141 port 443 - theeunload.website - HTTPS/SSL/TLS traffic [Zeus Panda Banker]
- port 443 - www.google.com - connectivity check by infected Windows host [Zeus Panda Banker]
- DNS query for mykeeptake.xyz - response: No such name A mykeeptake.xyz SOA ns0.centralnic.net
INFECTION TRAFFIC FROM THURSDAY 2018-08-16:
- 132.148.58.1 port 80 - duncanfalk.com - GET /Wellsfargo/biz/Commercial/Aug-16-2018/
- 45.76.123.144 port 80 - psychedelicsociety.org.au - GET /3mw
- 45.76.123.144 port 80 - psychedelicsociety.org.au - GET /3mw/
- 203.94.66.109 port 8080 - attempted TCP connections, but no response from the server
- 93.88.93.99 port 443 - attempted TCP connections, but no response from the server
- 98.220.219.68 port 8080 - 98.220.219.68:8080 - GET /
- 65.101.77.240 port 8443 - 65.101.77.240:8443 - GET /
- 178.132.7.106 port 443 - theeunload.website - HTTPS/SSL/TLS traffic [Zeus Panda Banker]
- port 443 - www.google.com - connectivity check by infected Windows host [Zeus Panda Banker]
- DNS query for mykeeptake.xyz - response: No such name A mykeeptake.xyz SOA ns0.centralnic.net
FILE HASHES
MALWARE FROM THE INFECTED WINDOWS HOSTS:
- SHA256 hash: fa24a0c05815300726dd268426b28397471f067cdedcdb2f3258df75af169c28
File size: 166,016 bytes
File description: Downloaded Word doc with macro for Emotet seen on 2018-08-15
- SHA256 hash: e6ffa5ea51404503dff2ed0a29efea67d086f4fdf8a62b63ebb0ec6935f97f60
File size: 93,056 bytes
File description: Downloaded Word doc with macro for Emotet seen on 2018-08-16
- SHA256 hash: 280e188cb3e5e0e8b541bab6a27ddd4d22b89060dcfe03efa21ba7d2d9a1702f
File size: 176,128 bytes
File description: Emotet malware binary seen on 2018-08-15
- SHA256 hash: 0e6ca1d86245ca02cd271555d1d776705e7f66fa52e953655eb34653b4f55997
File size: 172,032 bytes
File description: Emotet malware binary seen on 2018-08-16 (1 of 2)
- SHA256 hash: 713a749206310f2c848ecf477b3903475eaf8f30454ec3e2312efbba8ba674a6
File size: 176,128 bytes
File description: Emotet malware binary seen on 2018-08-16 (2 of 2)
- SHA256 hash: dd4ff33e8853e34480e820a3d2d11e6fc87bc75efbeebfe324664d4013dee0b0
File size: 249,344 bytes
File description: Zeus Panda Banker caused by Emotet infection on 2018-08-15
- SHA256 hash: 45c7c91ebb315a77dd28e0092913184cb6a4a8d0387d29384b273ebf9bce9a74
File size: 225,280 bytes
File description: Zeus Panda Banker caused by Emotet infection on 2018-08-16
MALICIOUS WORD DOCS ATTACHED TO THE EMAILS:
- SHA256 hash: e93367edd903d593c0ed475e31e8b433a5c5eaf3ec2472a0a31c758b4a85082f
File size: 135,936 bytes
File name: 9P3018_2018_08_15.doc
- SHA256 hash: 6c08db14bf40b0244a069834b523d8aac53caab33095b7d3f744615e15661cfd
File size: 119,296 bytes
File name: IF80406_2018_08_14.doc
- SHA256 hash: 55bdd3ff511c7751663cb3d95384fb0e583d47ab534d641f0953fda32f16dfca
File size: 119,680 bytes
File name: MCO891938097_2018_08_15.doc
- SHA256 hash: 63bd976a37fe2e7cdc3e3a53bd81b21c296a23626aa8aebe34624790552f62a6
File size: 90,496 bytes
File name: Rech 44177315677.doc
- SHA256 hash: c0101bfdea779570b17dbff46177664736788f46de6c4bcce5774a3546fdeced
File size: 115,712 bytes
File name: Rechnung 06521887908.doc
- SHA256 hash: 1a4ca08fb00aedb3b45ec4418539472eea22761aabe719e0e8021947305c4e6e
File size: 122,240 bytes
File name: Rechnungs-Details TOAS - 011-AT0212.doc
FINAL NOTES
Once again, here are the associated files:
- 2018-08-14-thru-16-Emotet-malspam-9-email-examples.zip 420 kB (420,083 bytes)
- 2018-08-15-Emotet-infection-traffic-with-Zeus-Panda-Banker.pcap.zip 1.4 MB (1,352,380 bytes)
- 2018-08-16-Emotet-infection-traffic-with-Zeus-Panda-Banker.pcap.zip 4.2 MB (4,225,183 bytes)
- 2018-08-14-thru-16-malware-associated-with-Emotet-infections.zip 1.2 MB (1,152,372 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.