2018-11-06 - EMOTET INFECTION WITH TRICKBOT
ASSOCIATED FILES:
- 2018-11-06-Emotet-malspam-3-email-examples.zip 116 kB (115,787 bytes)
- 2018-11-06-Emotet-malspam-with-PDF-attachment.eml (29,068 bytes)
- 2018-11-06-Emotet-malspam-with-Word-attachment-1-of-2.eml (101,605 bytes)
- 2018-11-06-Emotet-malspam-with-Word-attachment-2-of-2.eml (96,946 bytes)
- 2018-11-06-Emotet-infection-with-Trickbot.pcap.zip 7.4 MB (7,410,712 bytes)
- 2018-11-06-Emotet-infection-with-Trickbot.pcap (7,919,501 bytes)
- 2018-11-06-Emotet-and-Trickbot-malware-and-artifacts.zip 715 kB (715,125 bytes)
- 2018-11-06-downloaded-Word-doc-with-macro-for-Emotet.doc (78,592 bytes)
- 2018-11-06-Emotet-malware-binary.exe (143,360 bytes)
- 2018-11-06-Trickbot-malware-binary-retrieved-by-Emotet-gtag-del90.exe (393,728 bytes)
- 2018-11-06-radiance.png-from-192.227.186.151.exe (331,776 bytes)
NOTES:
- Before this past Monday, the group behind sending Emotet malspam was quiet for about 4 weeks.
- Since this past Monday 2018-11-05, we've seen the normal amount of malspam pushing Emotet as before.
- My thanks to people like @BAXD00R, @executemalware, @JRoosen, @pancak3lullz, @ps66uk, @unixronin, @SeraphimDomain, and many others who tweet info about Emotet near-real-time.
Shown above: Flow chart for recent Emotet malspam.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following URLs and partial URL:
- hxxp://1stniag[.]com/Download/EN_en/Invoice-Number-44664/
- hxxp://209[.]97[.]182[.]51/EN_US/Details/2018-11/
- hxxp://209[.]97[.]186[.]248/En_us/Payments/11_18/
- hxxp://35[.]167[.]6[.]44/0455GPLCNXSV/PAY/Commercial/
- hxxp://3kepito[.]hu/En_us/Details/11_18/
- hxxp://777ton[.]ru/DOC/US_us/Scan/
- hxxp://adsdeedee[.]com/1358285S/BIZ/Smallbusiness/
- hxxp://aes[.]co[.]th/web/wp-content/upgrade/newsletter/US/Inv-867015-PO-5O966375/
- hxxp://agrarszakkepzes[.]hu/5931ZTIGS/com/US/
- hxxp://alliance-rnd[.]com/EN_US/Attachments/112018/
- hxxp://altaredlife[.]com/logssite/INFO/US_us/Question/
- hxxp://alumni[.]poltekba[.]ac[.]id/US/Transaction_details/2018-11/
- hxxp://amnisopes[.]com/En_us/Information/112018/
- hxxp://appafoodiz[.]com/En_us/Clients_transactions/2018-11/
- hxxp://artzkaypharmacy[.]com[.]au/4690UVTTQOXO/SWIFT/Commercial/
- hxxp://azatamartik[.]org/US/Information/2018-11/
- hxxp://benchmarkiso[.]com/24IYXQCHNP/biz/US/
- hxxp://bgtest[.]vedel-oesterby[.]dk/3810430RP/PAYROLL/Commercial/
- hxxp://blacktiemining[.]com/0YVX/SWIFT/Commercial/
- hxxp://clabels[.]pt/EN_US/Clients_information/2018-11/
- hxxp://corporaciondelsur[.]com[.]pe/US/Transaction_details/2018-11/
- hxxp://cressy27[.]com/En_us/Documents/2018-11/
- hxxp://dev[.]kevinscott[.]com[.]au/85SRSH/PAY/Personal/
- hxxp://dietmantra[.]org/En_us/Clients_information/11_18/
- hxxp://digirising[.]com/En_us/Transactions-details/11_18/
- hxxp://eventus[.]ie/359PQLQ/biz/Personal/
- hxxp://fantastika[.]in[.]ua/3616974KVTNZUT/PAYMENT/Commercial/
- hxxp://felipeuchoa[.]com[.]br/wp-content/uploads/DOC/US_us/Invoice-receipt/
- hxxp://fert[.]es/EN_US/Clients_information/112018/
- hxxp://fglab[.]com[.]br/LLC/En_us/New-order/
- hxxp://fincabonanzaquindio[.]com/En_us/Transaction_details/11_18/
- hxxp://forzashowband[.]com/EN_US/Clients/2018-11/
- hxxp://graywhalefoundation[.]org/US/Transactions-details/112018/
- hxxp://grille-tech[.]com/hj4M3FfcISLL6fdUo/BIZ/Privatkunden/
- hxxp://hartmannbossen[.]dk/En_us/Attachments/11_18/
- hxxp://hawaiikaigolf[.]com/US/Clients/112018/
- hxxp://hsrventures[.]com/En_us/Clients_transactions/112018/
- hxxp://ichangevn[.]org/EN_US/Transactions/112018/
- hxxp://lemar[.]home[.]pl/manager/En_us/Transactions-details/112018/
- hxxp://lmetallurg[.]ru/831063SSI/identity/Business/
- hxxp://meleyrodri[.]com/xdYdvDnPM24m9e/de/IhreSparkasse/
- hxxp://mohandes724[.]com/En_us/Details/2018-11/
- hxxp://nga[.]no/91985U/biz/Personal/
- hxxp://nikbox[.]ru/24926SQ/identity/Commercial/
- hxxp://okrenviewhotel[.]com/En_us/Details/11_18/
- hxxp://pibuilding[.]com/6547LNPZL/PAYROLL/Commercial/
- hxxp://pirilax[.]su/6ZW/PAYROLL/Commercial/
- hxxp://raeesp[.]com/hUc77ZvQQxq/de/Privatkunden/
- hxxp://riverwalkmb[.]com/US/Attachments/2018-11/
- hxxp://shingari[.]ru/41381RLL/SEP/Personal/
- hxxp://sociallysavvyseo[.]com/US/Payments/11_18/
- hxxp://testingweb[.]in/En_us/Clients_transactions/11_18/
- hxxp://tomas[.]datanom[.]fi/ovning/US/Payments/112018/
- hxxp://toronto[.]rogersupfront[.]com/10613MKDPJF/SEP/Personal/
- hxxp://www[.]fromjoy[.]fr/EN_US/Clients_transactions/112018
- hxxp://www[.]reklame[.]ru/7665310VEYLGBNW/biz/Business/
- hxxp://www[.]transimperial[.]ru/605FW/BIZ/US/
- hxxp://xn----gtbreobjp7byc[.]xn--p1ai/32NNLUEIY/com/Commercial/
- hxxp://ampdist[.]com/AEZf
- hxxp://blog[.]comjagat[.]com/wp-content/mWdx
- hxxp://colombiaagro[.]com[.]co/EZLOpSOF
- hxxp://lipetsk-pivo[.]ru/h
- hxxp://mabnanirou[.]com/oG
- hxxp://micheleverdi[.]com/Fbestfz
- hxxp://www[.]gerrithamann[.]de/hP2IldM
- hxxp://www[.]prevencionplus[.]com/BuLyc2HKL
- hxxp://www[.]sastudio[.]co/AU4fI
- hxxp://www[.]upex[.]ee/vqUuJ3B7
- hxxp://192[.]227[.]186[.]151/radiance.png
- hxxp://192[.]227[.]186[.]151/table.png
- hxxp://192[.]227[.]186[.]151/worming.png
- hxxp://47.32.109.184/del90/
EMAILS
Shown above: Example of an email from Emotet malspam with a PDF attachment.
Shown above: Link in the PDF attachment to download the initial Word doc.
Shown above: Downloading the initial Word document and enabling macros to infect a victim's host.
TRAFFIC
URLS TO DOWNLOAD THE INITIAL WORD DOCUMENT (FROM PDF FILES OR LINKS IN THE EMAILS):
NOTE: Items marked with ** means these URLs did not deliver the malware when I checked earlier (probably taken off-line).
- hxxp://1stniag[.]com/Download/EN_en/Invoice-Number-44664/
- hxxp://209[.]97[.]182[.]51/EN_US/Details/2018-11/
- hxxp://209[.]97[.]186[.]248/En_us/Payments/11_18/
- hxxp://35[.]167[.]6[.]44/0455GPLCNXSV/PAY/Commercial/
- hxxp://3kepito[.]hu/En_us/Details/11_18/
- hxxp://777ton[.]ru/DOC/US_us/Scan/
- hxxp://adsdeedee[.]com/1358285S/BIZ/Smallbusiness/
- hxxp://aes[.]co[.]th/web/wp-content/upgrade/newsletter/US/Inv-867015-PO-5O966375/
- hxxp://agrarszakkepzes[.]hu/5931ZTIGS/com/US/
- hxxp://alliance-rnd[.]com/EN_US/Attachments/112018/
- hxxp://altaredlife[.]com/logssite/INFO/US_us/Question/
- hxxp://altarfx[.]com/Nov2018/En/Invoice-for-p/e-11/05/2018/ **
- hxxp://alumni[.]poltekba[.]ac[.]id/US/Transaction_details/2018-11/
- hxxp://amnisopes[.]com/En_us/Information/112018/
- hxxp://appafoodiz[.]com/En_us/Clients_transactions/2018-11/
- hxxp://artzkaypharmacy[.]com[.]au/4690UVTTQOXO/SWIFT/Commercial/
- hxxp://azatamartik[.]org/US/Information/2018-11/
- hxxp://benchmarkiso[.]com/24IYXQCHNP/biz/US/
- hxxp://bgtest[.]vedel-oesterby[.]dk/3810430RP/PAYROLL/Commercial/
- hxxp://blacktiemining[.]com/0YVX/SWIFT/Commercial/
- hxxp://clabels[.]pt/EN_US/Clients_information/2018-11/
- hxxp://corporaciondelsur[.]com[.]pe/US/Transaction_details/2018-11/
- hxxp://cressy27[.]com/En_us/Documents/2018-11/
- hxxp://dmas[.]es/US/Details/11_18/ **
- hxxp://dev[.]kevinscott[.]com[.]au/85SRSH/PAY/Personal/
- hxxp://dietmantra[.]org/En_us/Clients_information/11_18/
- hxxp://digirising[.]com/En_us/Transactions-details/11_18/
- hxxp://eventus[.]ie/359PQLQ/biz/Personal/
- hxxp://fantastika[.]in[.]ua/3616974KVTNZUT/PAYMENT/Commercial/
- hxxp://felipeuchoa[.]com[.]br/wp-content/uploads/DOC/US_us/Invoice-receipt/
- hxxp://fert[.]es/EN_US/Clients_information/112018/
- hxxp://fglab[.]com[.]br/LLC/En_us/New-order/
- hxxp://fincabonanzaquindio[.]com/En_us/Transaction_details/11_18/
- hxxp://forzashowband[.]com/EN_US/Clients/2018-11/
- hxxp://gilmarnazareno[.]com[.]br/BhWwli/BIZ/Service-Center/ **
- hxxp://graywhalefoundation[.]org/US/Transactions-details/112018/
- hxxp://grille-tech[.]com/hj4M3FfcISLL6fdUo/BIZ/Privatkunden/
- hxxp://guselceva[.]ru/39808GPKVXO/identity/Personal/ **
- hxxp://hartmannbossen[.]dk/En_us/Attachments/11_18/
- hxxp://hawaiikaigolf[.]com/US/Clients/112018/
- hxxp://homebakerz[.]com[.]au/hG5sm76mEjQMCzGLn/SWIFT/PrivateBanking/ **
- hxxp://hsrventures[.]com/En_us/Clients_transactions/112018/
- hxxp://i4c[.]com[.]br/US/Transactions/2018-11/ **
- hxxp://ichangevn[.]org/EN_US/Transactions/112018/
- hxxp://jurist29[.]ru/2J/SWIFT/Commercial/ **
- hxxp://legal-world[.]su/qmB9mXRB/de_DE/200-Jahre/ **
- hxxp://lemar[.]home[.]pl/manager/En_us/Transactions-details/112018/
- hxxp://lmetallurg[.]ru/831063SSI/identity/Business/
- hxxp://meleyrodri[.]com/xdYdvDnPM24m9e/de/IhreSparkasse/
- hxxp://mohandes724[.]com/En_us/Details/2018-11/
- hxxp://nga[.]no/91985U/biz/Personal/
- hxxp://nikbox[.]ru/24926SQ/identity/Commercial/
- hxxp://okrenviewhotel[.]com/En_us/Details/11_18/
- hxxp://pibuilding[.]com/6547LNPZL/PAYROLL/Commercial/
- hxxp://pirilax[.]su/6ZW/PAYROLL/Commercial/
- hxxp://raeesp[.]com/hUc77ZvQQxq/de/Privatkunden/
- hxxp://riverwalkmb[.]com/US/Attachments/2018-11/
- hxxp://shingari[.]ru/41381RLL/SEP/Personal/
- hxxp://sociallysavvyseo[.]com/US/Payments/11_18/
- hxxp://testingweb[.]in/En_us/Clients_transactions/11_18/
- hxxp://tomas[.]datanom[.]fi/ovning/US/Payments/112018/
- hxxp://toronto[.]rogersupfront[.]com/10613MKDPJF/SEP/Personal/
- hxxp://www[.]24complex[.]ru/2AYX/com/Commercial/ **
- hxxp://www[.]dermainstant[.]com/dkH4TT2/BIZ/PrivateBanking/ **
- hxxp://www[.]dtoneycpa[.]com/En_us/Clients/2018-11/ **
- hxxp://www[.]fromjoy[.]fr/EN_US/Clients_transactions/112018
- hxxp://www[.]planosdesaudebrasilia[.]net[.]br/EN_US/Documents/112018/ **
- hxxp://www[.]reklame[.]ru/7665310VEYLGBNW/biz/Business/
- hxxp://www[.]transimperial[.]ru/605FW/BIZ/US/
- hxxp://xn-----8kcbcubc0cfh6a2am9f7cg[.]xn--p1ai/815734WLPDJ/biz/Personal/ **
- hxxp://xn----gtbreobjp7byc[.]xn--p1ai/32NNLUEIY/com/Commercial/
- hxxp://xn--80aaxk0bn[.]xn--p1ai/36OEKNKS/ACH/Business/ **
- hxxp://xn--80agpqajcme4aij[.]xn--p1ai/51TFMV/ACH/Smallbusiness/ **
- hxxp://yasinau[.]ru/0KMBMkQMMptet4/de/Privatkunden/ **
- hxxp://zalco[.]nl/76BWXKGCT/PAY/Business/ **
URLS GENERATED BY MACROS IN THE INITIAL WORD DOC TO DOWNLOAD THE EMOTET BINARY:
- hxxp://1412studiodm[.]com/xGDA0q **
- hxxp://aldo[.]jplms[.]com[.]au/eWykVvYj **
- hxxp://ampdist[.]com/AEZf
- hxxp://blog[.]comjagat[.]com/wp-content/mWdx
- hxxp://colombiaagro[.]com[.]co/EZLOpSOF
- hxxp://lipetsk-pivo[.]ru/h
- hxxp://mabnanirou[.]com/oG
- hxxp://micheleverdi[.]com/Fbestfz
- hxxp://staging[.]bridgecode[.]co[.]uk/wQr0hzU **
- hxxp://www[.]gerrithamann[.]de/hP2IldM
- hxxp://www[.]prevencionplus[.]com/BuLyc2HKL
- hxxp://www[.]sastudio[.]co/AU4fI
- hxxp://www[.]seosyd[.]com/IyThn3I **
- hxxp://www[.]sicfms[.]com/sybnoK9 **
- hxxp://www[.]upex[.]ee/vqUuJ3B7
Shown above: Traffic from an infection filtered in Wireshark.
TRAFFIC FROM AN INFECTED WINDOWS HOST IN THE US:
- 213.186.33.17 port 80 - www.fromjoy.fr - GET /EN_US/Clients_transactions/112018/
- 69.163.156.184 port 80 - www.seosyd.com - GET /IyThn3I
- 212.47.220.51 port 80 - www.upex.ee - GET /vqUuJ3B7
- 212.47.220.51 port 80 - www.upex.ee - GET /vqUuJ3B7/
- 47.34.43.223 port 80 - 47.34.43.223 - GET /
- 47.225.131.10 port 80 - TCP connection attempts, but no response from server
- 128.193.56.169 port 443 - 128.193.56.169:443 - GET /
- port 80 - ipinfo.io - GET /ip (IP address check by infected host)
- port 80 - myexternalip.com - GET /raw (IP address check by infected host)
- 184.169.105.210 port 449 - TCP connection attempts, but no response from server
- 65.31.241.133 port 449 - HTTPS/SSL/TLS traffic caused by Trickbot
- 198.46.196.109 port 447 - HTTPS/SSL/TLS traffic caused by Trickbot
- port 80 - ipecho.net - GET /plain (IP address check by infected host)
- port 443 - ipecho.net - HTTPS traffic (IP address check by infected host)
- 47.32.109.184 port 8082 - 47.32.109.184 - POST /del90/[long string of characters]
- 192.227.186.151 port 80 - 192.227.186.151 - GET /radiance.png
MALWARE
MALWARE FROM AN INFECTED WINDOWS HOST:
- SHA256 hash: fc048b04dc8a13fba792e2caa5b50f5fe95c5d78855c74cbc5c93fdf0d398853
- File size: 78,592 bytes
- File location: hxxp://www[.]fromjoy[.]fr/EN_US/Clients_transactions/112018/
- File name: FORM-9459438630448044.doc (various names)
- File description: Downloaded Word document with macro for Emotet
- SHA256 hash: 87d0b764f2670d2373470d8becad7f26301e206f00b5f35391ab4a38e94ec524
- File size: 143,360 bytes
- File location: hxxp://www[.]upx[.]ee/vqUuJ3B7/
- File location: C:\Users\[username]\AppData\Local\Windows\[random file name].exe
- File description: Emotet malware binary
- SHA256 hash: ea79f26437f3d0eb8a5185bcf1190ea0918c5263a2ca1336c0915fded8d4b7ad
- File size: 393,728 bytes
- File location: C:\Users\[username]\AppData\Roaming\WINYS\[random file name].exe
- File description: Trickbot malware binary retrieved by Emotet-infected Windows host (gtag: del90)
- SHA256 hash: e0eb41ccb2f33576f65ece6072b8f07af7b93ab847f3858d1b75468ed41fd2da
- File size: 331,776 bytes
- File location: hxxp://192.227.186[.]151/radiance.png
- File description: Follow-up Trickbot malware binary retrieved to infect other Windows hosts
FINAL NOTES
Once again, here are the associated files:
- 2018-11-06-Emotet-malspam-3-email-examples.zip 116 kB (115,787 bytes)
- 2018-11-06-Emotet-infection-with-Trickbot.pcap.zip 7.4 MB (7,410,712 bytes)
- 2018-11-06-Emotet-and-Trickbot-malware-and-artifacts.zip 715 kB (715,125 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.