2018-11-06 - EMOTET INFECTION WITH TRICKBOT

ASSOCIATED FILES:

• 2018-11-06-Emotet-malspam-3-email-examples.zip   116 kB (115,787 bytes)

• 2018-11-06-Emotet-malspam-with-PDF-attachment.eml   (29,068 bytes)
• 2018-11-06-Emotet-malspam-with-Word-attachment-1-of-2.eml   (101,605 bytes)
• 2018-11-06-Emotet-malspam-with-Word-attachment-2-of-2.eml   (96,946 bytes)

• 2018-11-06-Emotet-infection-with-Trickbot.pcap.zip   7.4 MB (7,410,712 bytes)

• 2018-11-06-Emotet-infection-with-Trickbot.pcap   (7,919,501 bytes)

• 2018-11-06-Emotet-and-Trickbot-malware-and-artifacts.zip   715 kB (715,125 bytes)

• 2018-11-06-downloaded-Word-doc-with-macro-for-Emotet.doc   (78,592 bytes)
• 2018-11-06-Emotet-malware-binary.exe   (143,360 bytes)
• 2018-11-06-Trickbot-malware-binary-retrieved-by-Emotet-gtag-del90.exe   (393,728 bytes)
• 2018-11-06-radiance.png-from-192.227.186.151.exe   (331,776 bytes)

NOTES:

• Before this past Monday, the group behind sending Emotet malspam was quiet for about 4 weeks.
• Since this past Monday 2018-11-05, we've seen the normal amount of malspam pushing Emotet as before.
• My thanks to people like @BAXD00R, @executemalware, @JRoosen, @pancak3lullz, @ps66uk, @unixronin, @SeraphimDomain, and many others who tweet info about Emotet near-real-time.

 

Shown above:  Flow chart for recent Emotet malspam.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs and partial URL:

• hxxp://1stniag[.]com/Download/EN_en/Invoice-Number-44664/
• hxxp://209[.]97[.]182[.]51/EN_US/Details/2018-11/
• hxxp://209[.]97[.]186[.]248/En_us/Payments/11_18/
• hxxp://35[.]167[.]6[.]44/0455GPLCNXSV/PAY/Commercial/
• hxxp://3kepito[.]hu/En_us/Details/11_18/
• hxxp://777ton[.]ru/DOC/US_us/Scan/
• hxxp://adsdeedee[.]com/1358285S/BIZ/Smallbusiness/
• hxxp://aes[.]co[.]th/web/wp-content/upgrade/newsletter/US/Inv-867015-PO-5O966375/
• hxxp://agrarszakkepzes[.]hu/5931ZTIGS/com/US/
• hxxp://alliance-rnd[.]com/EN_US/Attachments/112018/
• hxxp://altaredlife[.]com/logssite/INFO/US_us/Question/
• hxxp://alumni[.]poltekba[.]ac[.]id/US/Transaction_details/2018-11/
• hxxp://amnisopes[.]com/En_us/Information/112018/
• hxxp://appafoodiz[.]com/En_us/Clients_transactions/2018-11/
• hxxp://artzkaypharmacy[.]com[.]au/4690UVTTQOXO/SWIFT/Commercial/
• hxxp://azatamartik[.]org/US/Information/2018-11/
• hxxp://benchmarkiso[.]com/24IYXQCHNP/biz/US/
• hxxp://bgtest[.]vedel-oesterby[.]dk/3810430RP/PAYROLL/Commercial/
• hxxp://blacktiemining[.]com/0YVX/SWIFT/Commercial/
• hxxp://clabels[.]pt/EN_US/Clients_information/2018-11/
• hxxp://corporaciondelsur[.]com[.]pe/US/Transaction_details/2018-11/
• hxxp://cressy27[.]com/En_us/Documents/2018-11/
• hxxp://dev[.]kevinscott[.]com[.]au/85SRSH/PAY/Personal/
• hxxp://dietmantra[.]org/En_us/Clients_information/11_18/
• hxxp://digirising[.]com/En_us/Transactions-details/11_18/
• hxxp://eventus[.]ie/359PQLQ/biz/Personal/
• hxxp://fantastika[.]in[.]ua/3616974KVTNZUT/PAYMENT/Commercial/
• hxxp://felipeuchoa[.]com[.]br/wp-content/uploads/DOC/US_us/Invoice-receipt/
• hxxp://fert[.]es/EN_US/Clients_information/112018/
• hxxp://fglab[.]com[.]br/LLC/En_us/New-order/
• hxxp://fincabonanzaquindio[.]com/En_us/Transaction_details/11_18/
• hxxp://forzashowband[.]com/EN_US/Clients/2018-11/
• hxxp://graywhalefoundation[.]org/US/Transactions-details/112018/
• hxxp://grille-tech[.]com/hj4M3FfcISLL6fdUo/BIZ/Privatkunden/
• hxxp://hartmannbossen[.]dk/En_us/Attachments/11_18/
• hxxp://hawaiikaigolf[.]com/US/Clients/112018/
• hxxp://hsrventures[.]com/En_us/Clients_transactions/112018/
• hxxp://ichangevn[.]org/EN_US/Transactions/112018/
• hxxp://lemar[.]home[.]pl/manager/En_us/Transactions-details/112018/
• hxxp://lmetallurg[.]ru/831063SSI/identity/Business/
• hxxp://meleyrodri[.]com/xdYdvDnPM24m9e/de/IhreSparkasse/
• hxxp://mohandes724[.]com/En_us/Details/2018-11/
• hxxp://nga[.]no/91985U/biz/Personal/
• hxxp://nikbox[.]ru/24926SQ/identity/Commercial/
• hxxp://okrenviewhotel[.]com/En_us/Details/11_18/
• hxxp://pibuilding[.]com/6547LNPZL/PAYROLL/Commercial/
• hxxp://pirilax[.]su/6ZW/PAYROLL/Commercial/
• hxxp://raeesp[.]com/hUc77ZvQQxq/de/Privatkunden/
• hxxp://riverwalkmb[.]com/US/Attachments/2018-11/
• hxxp://shingari[.]ru/41381RLL/SEP/Personal/
• hxxp://sociallysavvyseo[.]com/US/Payments/11_18/
• hxxp://testingweb[.]in/En_us/Clients_transactions/11_18/
• hxxp://tomas[.]datanom[.]fi/ovning/US/Payments/112018/
• hxxp://toronto[.]rogersupfront[.]com/10613MKDPJF/SEP/Personal/
• hxxp://www[.]fromjoy[.]fr/EN_US/Clients_transactions/112018
• hxxp://www[.]reklame[.]ru/7665310VEYLGBNW/biz/Business/
• hxxp://www[.]transimperial[.]ru/605FW/BIZ/US/
• hxxp://xn----gtbreobjp7byc[.]xn--p1ai/32NNLUEIY/com/Commercial/
• hxxp://ampdist[.]com/AEZf
• hxxp://blog[.]comjagat[.]com/wp-content/mWdx
• hxxp://colombiaagro[.]com[.]co/EZLOpSOF
• hxxp://lipetsk-pivo[.]ru/h
• hxxp://mabnanirou[.]com/oG
• hxxp://micheleverdi[.]com/Fbestfz
• hxxp://www[.]gerrithamann[.]de/hP2IldM
• hxxp://www[.]prevencionplus[.]com/BuLyc2HKL
• hxxp://www[.]sastudio[.]co/AU4fI
• hxxp://www[.]upex[.]ee/vqUuJ3B7
• hxxp://192[.]227[.]186[.]151/radiance.png
• hxxp://192[.]227[.]186[.]151/table.png
• hxxp://192[.]227[.]186[.]151/worming.png
• hxxp://47.32.109.184/del90/

 

EMAILS

Shown above:  Example of an email from Emotet malspam with a PDF attachment.

 

Shown above:  Link in the PDF attachment to download the initial Word doc.

 

Shown above:  Downloading the initial Word document and enabling macros to infect a victim's host.

 

TRAFFIC

URLS TO DOWNLOAD THE INITIAL WORD DOCUMENT (FROM PDF FILES OR LINKS IN THE EMAILS):

NOTE:  Items marked with ** means these URLs did not deliver the malware when I checked earlier (probably taken off-line).

• hxxp://1stniag[.]com/Download/EN_en/Invoice-Number-44664/
• hxxp://209[.]97[.]182[.]51/EN_US/Details/2018-11/
• hxxp://209[.]97[.]186[.]248/En_us/Payments/11_18/
• hxxp://35[.]167[.]6[.]44/0455GPLCNXSV/PAY/Commercial/
• hxxp://3kepito[.]hu/En_us/Details/11_18/
• hxxp://777ton[.]ru/DOC/US_us/Scan/
• hxxp://adsdeedee[.]com/1358285S/BIZ/Smallbusiness/
• hxxp://aes[.]co[.]th/web/wp-content/upgrade/newsletter/US/Inv-867015-PO-5O966375/
• hxxp://agrarszakkepzes[.]hu/5931ZTIGS/com/US/
• hxxp://alliance-rnd[.]com/EN_US/Attachments/112018/
• hxxp://altaredlife[.]com/logssite/INFO/US_us/Question/
• hxxp://altarfx[.]com/Nov2018/En/Invoice-for-p/e-11/05/2018/   **
• hxxp://alumni[.]poltekba[.]ac[.]id/US/Transaction_details/2018-11/
• hxxp://amnisopes[.]com/En_us/Information/112018/
• hxxp://appafoodiz[.]com/En_us/Clients_transactions/2018-11/
• hxxp://artzkaypharmacy[.]com[.]au/4690UVTTQOXO/SWIFT/Commercial/
• hxxp://azatamartik[.]org/US/Information/2018-11/
• hxxp://benchmarkiso[.]com/24IYXQCHNP/biz/US/
• hxxp://bgtest[.]vedel-oesterby[.]dk/3810430RP/PAYROLL/Commercial/
• hxxp://blacktiemining[.]com/0YVX/SWIFT/Commercial/
• hxxp://clabels[.]pt/EN_US/Clients_information/2018-11/
• hxxp://corporaciondelsur[.]com[.]pe/US/Transaction_details/2018-11/
• hxxp://cressy27[.]com/En_us/Documents/2018-11/
• hxxp://dmas[.]es/US/Details/11_18/   **
• hxxp://dev[.]kevinscott[.]com[.]au/85SRSH/PAY/Personal/
• hxxp://dietmantra[.]org/En_us/Clients_information/11_18/
• hxxp://digirising[.]com/En_us/Transactions-details/11_18/
• hxxp://eventus[.]ie/359PQLQ/biz/Personal/
• hxxp://fantastika[.]in[.]ua/3616974KVTNZUT/PAYMENT/Commercial/
• hxxp://felipeuchoa[.]com[.]br/wp-content/uploads/DOC/US_us/Invoice-receipt/
• hxxp://fert[.]es/EN_US/Clients_information/112018/
• hxxp://fglab[.]com[.]br/LLC/En_us/New-order/
• hxxp://fincabonanzaquindio[.]com/En_us/Transaction_details/11_18/
• hxxp://forzashowband[.]com/EN_US/Clients/2018-11/
• hxxp://gilmarnazareno[.]com[.]br/BhWwli/BIZ/Service-Center/   **
• hxxp://graywhalefoundation[.]org/US/Transactions-details/112018/
• hxxp://grille-tech[.]com/hj4M3FfcISLL6fdUo/BIZ/Privatkunden/
• hxxp://guselceva[.]ru/39808GPKVXO/identity/Personal/   **
• hxxp://hartmannbossen[.]dk/En_us/Attachments/11_18/
• hxxp://hawaiikaigolf[.]com/US/Clients/112018/
• hxxp://homebakerz[.]com[.]au/hG5sm76mEjQMCzGLn/SWIFT/PrivateBanking/   **
• hxxp://hsrventures[.]com/En_us/Clients_transactions/112018/
• hxxp://i4c[.]com[.]br/US/Transactions/2018-11/   **
• hxxp://ichangevn[.]org/EN_US/Transactions/112018/
• hxxp://jurist29[.]ru/2J/SWIFT/Commercial/   **
• hxxp://legal-world[.]su/qmB9mXRB/de_DE/200-Jahre/   **
• hxxp://lemar[.]home[.]pl/manager/En_us/Transactions-details/112018/
• hxxp://lmetallurg[.]ru/831063SSI/identity/Business/
• hxxp://meleyrodri[.]com/xdYdvDnPM24m9e/de/IhreSparkasse/
• hxxp://mohandes724[.]com/En_us/Details/2018-11/
• hxxp://nga[.]no/91985U/biz/Personal/
• hxxp://nikbox[.]ru/24926SQ/identity/Commercial/
• hxxp://okrenviewhotel[.]com/En_us/Details/11_18/
• hxxp://pibuilding[.]com/6547LNPZL/PAYROLL/Commercial/
• hxxp://pirilax[.]su/6ZW/PAYROLL/Commercial/
• hxxp://raeesp[.]com/hUc77ZvQQxq/de/Privatkunden/
• hxxp://riverwalkmb[.]com/US/Attachments/2018-11/
• hxxp://shingari[.]ru/41381RLL/SEP/Personal/
• hxxp://sociallysavvyseo[.]com/US/Payments/11_18/
• hxxp://testingweb[.]in/En_us/Clients_transactions/11_18/
• hxxp://tomas[.]datanom[.]fi/ovning/US/Payments/112018/
• hxxp://toronto[.]rogersupfront[.]com/10613MKDPJF/SEP/Personal/
• hxxp://www[.]24complex[.]ru/2AYX/com/Commercial/   **
• hxxp://www[.]dermainstant[.]com/dkH4TT2/BIZ/PrivateBanking/   **
• hxxp://www[.]dtoneycpa[.]com/En_us/Clients/2018-11/   **
• hxxp://www[.]fromjoy[.]fr/EN_US/Clients_transactions/112018
• hxxp://www[.]planosdesaudebrasilia[.]net[.]br/EN_US/Documents/112018/   **
• hxxp://www[.]reklame[.]ru/7665310VEYLGBNW/biz/Business/
• hxxp://www[.]transimperial[.]ru/605FW/BIZ/US/
• hxxp://xn-----8kcbcubc0cfh6a2am9f7cg[.]xn--p1ai/815734WLPDJ/biz/Personal/   **
• hxxp://xn----gtbreobjp7byc[.]xn--p1ai/32NNLUEIY/com/Commercial/
• hxxp://xn--80aaxk0bn[.]xn--p1ai/36OEKNKS/ACH/Business/   **
• hxxp://xn--80agpqajcme4aij[.]xn--p1ai/51TFMV/ACH/Smallbusiness/   **
• hxxp://yasinau[.]ru/0KMBMkQMMptet4/de/Privatkunden/   **
• hxxp://zalco[.]nl/76BWXKGCT/PAY/Business/   **

URLS GENERATED BY MACROS IN THE INITIAL WORD DOC TO DOWNLOAD THE EMOTET BINARY:

• hxxp://1412studiodm[.]com/xGDA0q   **
• hxxp://aldo[.]jplms[.]com[.]au/eWykVvYj   **
• hxxp://ampdist[.]com/AEZf
• hxxp://blog[.]comjagat[.]com/wp-content/mWdx
• hxxp://colombiaagro[.]com[.]co/EZLOpSOF
• hxxp://lipetsk-pivo[.]ru/h
• hxxp://mabnanirou[.]com/oG
• hxxp://micheleverdi[.]com/Fbestfz
• hxxp://staging[.]bridgecode[.]co[.]uk/wQr0hzU   **
• hxxp://www[.]gerrithamann[.]de/hP2IldM
• hxxp://www[.]prevencionplus[.]com/BuLyc2HKL
• hxxp://www[.]sastudio[.]co/AU4fI
• hxxp://www[.]seosyd[.]com/IyThn3I   **
• hxxp://www[.]sicfms[.]com/sybnoK9   **
• hxxp://www[.]upex[.]ee/vqUuJ3B7

 

Shown above:  Traffic from an infection filtered in Wireshark.

 

TRAFFIC FROM AN INFECTED WINDOWS HOST IN THE US:

• 213.186.33.17 port 80 - www.fromjoy.fr - GET /EN_US/Clients_transactions/112018/
• 69.163.156.184 port 80 - www.seosyd.com - GET /IyThn3I
• 212.47.220.51 port 80 - www.upex.ee - GET /vqUuJ3B7
• 212.47.220.51 port 80 - www.upex.ee - GET /vqUuJ3B7/
• 47.34.43.223 port 80 - 47.34.43.223 - GET /
• 47.225.131.10 port 80 - TCP connection attempts, but no response from server
• 128.193.56.169 port 443 - 128.193.56.169:443 - GET /
• port 80 - ipinfo.io - GET /ip   (IP address check by infected host)
• port 80 - myexternalip.com - GET /raw   (IP address check by infected host)
• 184.169.105.210 port 449 - TCP connection attempts, but no response from server
• 65.31.241.133 port 449 - HTTPS/SSL/TLS traffic caused by Trickbot
• 198.46.196.109 port 447 - HTTPS/SSL/TLS traffic caused by Trickbot
• port 80 - ipecho.net - GET /plain   (IP address check by infected host)
• port 443 - ipecho.net - HTTPS traffic   (IP address check by infected host)
• 47.32.109.184 port 8082 - 47.32.109.184 - POST /del90/[long string of characters]
• 192.227.186.151 port 80 - 192.227.186.151 - GET /radiance.png

 

MALWARE

MALWARE FROM AN INFECTED WINDOWS HOST:

• SHA256 hash:  fc048b04dc8a13fba792e2caa5b50f5fe95c5d78855c74cbc5c93fdf0d398853
  
• File size:  78,592 bytes
  
• File location:  hxxp://www[.]fromjoy[.]fr/EN_US/Clients_transactions/112018/
  
• File name:  FORM-9459438630448044.doc   (various names)
  
• File description:  Downloaded Word document with macro for Emotet

• SHA256 hash:  87d0b764f2670d2373470d8becad7f26301e206f00b5f35391ab4a38e94ec524
  
• File size:  143,360 bytes
  
• File location:  hxxp://www[.]upx[.]ee/vqUuJ3B7/
  
• File location:  C:\Users\[username]\AppData\Local\Windows\[random file name].exe
  
• File description:  Emotet malware binary

• SHA256 hash:  ea79f26437f3d0eb8a5185bcf1190ea0918c5263a2ca1336c0915fded8d4b7ad
  
• File size:  393,728 bytes
  
• File location:  C:\Users\[username]\AppData\Roaming\WINYS\[random file name].exe
  
• File description:  Trickbot malware binary retrieved by Emotet-infected Windows host (gtag: del90)

• SHA256 hash:  e0eb41ccb2f33576f65ece6072b8f07af7b93ab847f3858d1b75468ed41fd2da
  
• File size:  331,776 bytes
  
• File location:  hxxp://192.227.186[.]151/radiance.png
  
• File description:  Follow-up Trickbot malware binary retrieved to infect other Windows hosts

 

FINAL NOTES

Once again, here are the associated files:

• 2018-11-06-Emotet-malspam-3-email-examples.zip   116 kB (115,787 bytes)
• 2018-11-06-Emotet-infection-with-Trickbot.pcap.zip   7.4 MB (7,410,712 bytes)
• 2018-11-06-Emotet-and-Trickbot-malware-and-artifacts.zip   715 kB (715,125 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.