2018-09-21 - EMOTET INFECTIONS WITH TRICKBOT (UK AND US)

ASSOCIATED FILES:

• 2018-09-21-Emotet-infection-with-Trickbot-from-UK-location.pcap.zip   13.8 MB (13,776,822 bytes)

• 2018-09-21-Emotet-infection-with-Trickbot-from-UK-location.pcap   (17,525,561 bytes)

• 2018-09-21-Emotet-infection-with-Trickbot-from-US-location.pcap.zip   3.2 MB (3,202,102 bytes)

• 2018-09-21-Emotet-infection-with-Trickbot-from-US-location.pcap   (3,419,428 bytes)

• 2018-09-21-Emotet-and-Trickbot-malware-and-artifacts.zip   1.5 MB (1,514,298 bytes)

• 2018-09-21-downloaded-Word-doc-with-macro-for-Emotet-from-UK-infection.doc   (91,008 bytes)
• 2018-09-21-downloaded-Word-doc-with-macro-for-Emotet-from-US-infection.doc   (84,864 bytes)
• 2018-09-21-Emotet-malware-binary-from-UK-infection.exe   (139,264 bytes)
• 2018-09-21-Emotet-malware-binary-from-US-infection.exe   (139,264 bytes)
• 2018-09-21-Trickbot-gtag-arz1-caused-by-Emotet-infection-from-US-location.exe   (483,438 bytes)
• 2018-09-21-Trickbot-gtag-del77-caused-by-Emotet-infection-from-UK-location.exe   (494,641 bytes)
• 2018-09-21-Trickbot-gtag-jim316-found-on-client-during-UK-infection.exe   (536,576 bytes)
• 2018-09-21-Trickbot-gtag-lib316-found-on-DC-during-UK-infection.exe   (536,576 bytes)
• 2018-09-21-other-Trickbot-related-binary-found-on-DC-during-UK-infection.exe   (115,712 bytes)
• 2018-09-21-scheduled-task-for-Trickbot-on-DC-Msntcs.xml.txt   (3,602 bytes)
• 2018-09-21-scheduled-task-for-Trickbot-on-client-Msntcs.xml.txt   (3,734 bytes)

NOTES:

• For some background, see this Palo Alto Networks blog post I wrote that was published in July 2018.
• Today's pcap for the UK-based infection also has Trickbot propagating from the Windows client to the domain controller over SMB.

 

Shown above:  Updated flow chart for what I've been seeing from Emotet malspam.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs and partial URLs:

• hxxp://artiliriklagudaerah.com/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/092018
• hxxp://astroxh.ru/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/092018
• hxxp://bahoma.com/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/09_18
• hxxp://bamarketing.ru/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/09_18
• hxxp://bernee.net/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/092018/
• hxxp://bfxplode.de/newfolde_r/389CJSP/PAYMENT/Commercial
• hxxp://blondesalons.in/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/09_18
• hxxp://cahayaprint.com/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/092018
• hxxp://canetafixa.com.br/142WBMS/PAYROLL/Smallbusiness
• hxxp://ccdwdelaware.com/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/09_18
• hxxp://classbrain.net/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/09_18
• hxxp://coocihem.ru/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/092018
• hxxp://cosmictone.com.au/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/09_18
• hxxp://cukkuc.net/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/092018
• hxxp://danforshaw.com/63SMSMM/biz/Business
• hxxp://dat24h.vip/4797SDVCPDS/WIRE/US
• hxxp://deckenhoff.de/743208ZSA/BIZ/Personal
• hxxp://eletelephant.com/2KGZSVMIW/SWIFT/Commercial
• hxxp://emicontrol.com/7FBPPXLW/PAY/Personal
• hxxp://enhancepotential.com/39FEH/com/US
• hxxp://esteticabrasil.com.br/logssite/9391814NAVSB/WIRE/US
• hxxp://flashhospedagem.com.br/31OVJJL/SWIFT/US
• hxxp://fpc-partner.ru/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/092018/
• hxxp://gaun.de/typo3conf/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/092018
• hxxp://georgew.com.br/00390WTU/SEP/Smallbusiness
• hxxp://gsverwelius.nl/26581BRMJO/ACH/Smallbusiness
• hxxp://hannael.com/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/092018
• hxxp://hciot.net/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/092018
• hxxp://imcfilmproduction.com/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/092018
• hxxp://infoges.es/41906JK/PAYROLL/Business
• hxxp://jimmyphan.net/63003FSTWJNUN/oamo/US
• hxxp://johnscevolaseo.com/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/09_18
• hxxp://kh-ghohestan.ir/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/092018
• hxxp://kinebydesign.com/9T/biz/Personal
• hxxp://klezmerpodcast.com/35BIKT/oamo/Business
• hxxp://lukomore-alupka.ru/wp-content/uploads/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/09_18/
• hxxp://madisonda.com/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/092018
• hxxp://mitsuobrasil.com.br/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/092018
• hxxp://na-alii.com/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/092018
• hxxp://neurocoachingkm.com.br/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/092018
• hxxp://nigelkarikari.com/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/09_18/
• hxxp://nurulquraan.net/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/092018
• hxxp://old.gkinfotechs.com/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/092018
• hxxp://pancare-sd.org/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/09_18/
• hxxp://pembi.net/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/09_18
• hxxp://pnsolco.com/3683DPDQ/biz/US
• hxxp://rethinkpylons.org/16YZTG/BIZ/Business/
• hxxp://soldeyanahuara.com/9035QQNXD/BIZ/Commercial
• hxxp://webartikelbaru.web.id/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/092018
• hxxp://www.omelhordeportoalegre.com.br/82TMPB/PAYROLL/Personal
• hxxp://www.ultigamer.com/wp-admin/includes/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/092018
• hxxp://yblfood.com.au/workmode/FUNC/40KVCX/BIZ/Business
• hxxp://www.gymbolaget.se/4IQcsWOes
• hxxps://www.gymbolaget.se/4IQcsWOes
• hxxp://fenja.com/wwvvv/xIGjcbS5Pc
• hxxp://thepinkonionusa.com/G54zZtja
• hxxp://192.161.54.60/radiance.png
• hxxp://192.161.54.60/table.png
• hxxp://192.161.54.60/worming.png
• hxxp://173.32.244.79:8082/arz1/
• hxxp://173.32.244.79:8082/del77/
• hxxp://173.32.244.79:8082/lib316/
• hxxp://31.167.248.50:443/whoami.php

 

TRAFFIC

TRAFFIC FROM AN INFECTED WINDOWS HOST IN THE UK - EMOTET:

• 185.94.99.3 port 80 - kh-ghohestan.ir - GET /urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/092018/
• 132.148.61.184 port 80 - thepinkonionusa.com - GET /G54zZtja
• 132.148.61.184 port 80 - thepinkonionusa.com - GET /G54zZtja/
• 95.6.64.119 port 8080 - attempted TCP connections
• 187.193.161.58 port 8080 - attempted TCP connections
• 201.242.55.19 port 8080 - attempted TCP connections
• 77.86.23.44 port 8443 - attempted TCP connections
• 100.17.27.26 port 80 - 100.17.27.26 - GET /
• 201.111.8.75 port 50000 - attempted TCP connections
• 31.167.248.50 port 443 - 31.167.248.50:443 - GET /whoami.php
• 31.167.248.50 port 443 - 31.167.248.50:443 - POST /

TRAFFIC FROM AN INFECTED WINDOWS HOST IN THE UK - TRICKBOT:

• port 80 - myexternalip.com - GET /raw   [IP address check by infected client]
• port 80 - icanhazip.com - GET /   [IP address check by infected DC]
• 47.49.168.50 port 443 - SSL/TLS traffic generated by Trickbot
• 95.154.80.154 port 449 - SSL/TLS traffic generated by Trickbot
• 107.175.46.219 port 447 - SSL/TLS traffic generated by Trickbot
• 109.199.231.116 port 443 - SSL/TLS traffic generated by Trickbot
• 192.161.54.60 port 80 - 192.161.54.60 - GET /radiance.png
• 192.161.54.60 port 80 - 192.161.54.60 - GET /worming.png
• 192.161.54.60 port 80 - 192.161.54.60 - GET /table.png
• 173.32.244.79 port 8082 - 173.32.244.79:8082 - POST /del77/[long string with infected host's info]
• 173.32.244.79 port 8082 - 173.32.244.79:8082 - POST /lib316/[long string with infected DC's info]

TRAFFIC FROM AN INFECTED WINDOWS HOST IN THE US - EMOTET:

• 192.254.237.11 port 80 - bahoma.com - GET /urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/09_18
• 192.254.237.11 port 80 - bahoma.com - GET /urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/09_18/
• 213.115.245.123 port 80 - gymbolaget.se - GET /4IQcsWOes
• 213.115.245.123 port 443 - www.gymbolaget.se - HTTPS/SSL/TLS traffic caused by previous HTTP request
• 87.118.13.222 port 80 - fenja.com - GET /wwvvv/xIGjcbS5Pc
• 87.118.13.222 port 80 - fenja.com - GET /wwvvv/xIGjcbS5Pc/
• 95.6.64.119 port 8080 - attempted TCP connections
• 187.193.161.58 port 8080 - attempted TCP connections
• 201.242.55.19 port 8080 - attempted TCP connections
• 77.86.23.44 port 8443 - 77.86.23.44:8443 - GET /
• 100.17.27.26 port 80 - 100.17.27.26 - GET /

TRAFFIC FROM AN INFECTED WINDOWS HOST IN THE US - TRICKBOT:

• port 80 - icanhazip.com - GET /   [IP address check by infected client]
• 51.254.241.249 port 447 - attempted TCP connections
• 96.43.142.42 port 447 - attempted TCP connections
• 107.181.174.177 port 447 - attempted TCP connections
• 155.94.239.167 port 447 - attempted TCP connections
• 89.46.223.139 port 447 - SSL/TLS traffic generated by Trickbot
• 92.223.105.95 port 447 - SSL/TLS traffic generated by Trickbot
• 178.116.83.49 port 443 - SSL/TLS traffic generated by Trickbot
• 190.145.74.84 port 449 - SSL/TLS traffic generated by Trickbot
• 173.32.244.79 port 8082 - 173.32.244.79:8082 - POST /arz1/[long string with infected DC's info]

 

MALWARE

MALWARE FROM THE INFECTED WINDOWS HOSTS:

• SHA256 hash: d40f5ae2f85b62351f2e8b0f068a8c3695d228b0f06b8015a513eb919b70f5bb
• File description: Downloaded Word doc with macro for Emotet

• SHA256 hash: fa4f251ef1152b59d5a66b1148202ead8cffd57140ac8cc8b5ce9ec9ffb32c9c
• File description: Downloaded Word doc with macro for Emotet

• SHA256 hash: 48fedd8eb8fd95b1c3f3a43fe0ed4ff6e769902b1b7db1f07953455b5ff2c662
• File description: Emotet malware binary

• SHA256 hash: f5abca2b0bad74970347f9f4ed09eff1df1dd9f6ee1866e76b2a3003e06ebaae
• File description: Trickbot gtag: arz1 caused by Emotet infection from US location

• SHA256 hash: 1407a8aec04f8f1ce801602d132d420220191e2194e3d7e7895c8fe3d726d717
• File description: Trickbot gtag: del77 caused by Emotet infection from UK location

• SHA256 hash: 8e14cd3e9f8070f1d7966043bf988b5f6708eaa40f584077a0a6eec754ca6f5a
• File description: Trickbot gtag: jim316 found on client during UK infection

• SHA256 hash: 57fe92b7c8c19a22c158bc941895fa5ab33f87d4b16b01d0dab6751c75ae6990
• File description: Trickbot gtag: lib316 found on DC during UK infection

• SHA256 hash: cf99990bee6c378cbf56239b3cc88276eec348d82740f84e9d5c343751f82560
• File description: Other Trickbot-related binary found on DC during UK infection

 

IMAGES

Shown above:  Traffic from the US-based infection filtered in Wireshark.

 

Shown above:  Traffic from the UK-based infection filtered in Wireshark.

 

Shown above:  Using Wireshark to export Trickbot malware binaries from SMB traffic in the UK-based pcap.

 

FINAL NOTES

Once again, here are the associated files:

• 2018-09-21-Emotet-infection-with-Trickbot-from-UK-location.pcap.zip   13.8 MB (13,776,822 bytes)
• 2018-09-21-Emotet-infection-with-Trickbot-from-US-location.pcap.zip   3.2 MB (3,202,102 bytes)
• 2018-09-21-Emotet-and-Trickbot-malware-and-artifacts.zip   1.5 MB (1,514,298 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.