2018-11-16 - EMOTET NOW USING XML FILES AS WORD DOCS
Shown above: The new Emotet infection chain.
NOTES:
- As of Friday 2018-11-16, email attachments with (and URL downloads for) Emotet docs are now XML-based.
- These new Emotet docs don't match Microsoft's XML-based DOCX format for Word docs.
- These new Emotet docs are tagged xml in VirusTotal.
- Using the "file" command in Linux shows them as: XML 1.0 document text, UTF-8 Unicode text, with very long lines, with CRLF line terminators
- These new Emotet XML docs still use a .doc extension, they open in Microsoft Word, and they look and act the same as before.
- Thanks to people like @pollo290987, @JRoosen, @Ledtech3, and others who discussed this on Twitter. (one thread) (another thread)
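One way to catch the extension/content mismatch described in the notes above, as an added example that is not from the original post: a small Python classifier that decides what a Word attachment really is by content (legacy OLE2 .doc container, OOXML zip package, or flat XML text) and flags it when that does not match the extension. The specific WordML markers it looks for (the mso-application processing instruction and the w:wordDocument root) are an assumption, since the post says only that the docs are XML-based and not DOCX; the sample inputs are constructed, not real attachments.

```python
"""Classify a Word attachment by content rather than by its extension.

Added example (not from the original post). The post states the new Emotet
docs are XML text carrying a .doc extension; which XML dialect they use is
an ASSUMPTION here: the check below looks for Word 2003 XML (WordML)
markers, the flat-XML format that Word opens as a document.
"""
import io
import zipfile

# File signatures (magic bytes) for the two binary Word containers.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc (CFB)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx/.docm (ZIP)

# What each extension is expected to contain.
EXPECTED = {
    "doc": {"ole2"},
    "docx": {"docx"},
    "docm": {"docx"},
    "xml": {"xml", "word-xml"},
}


def classify(data: bytes) -> str:
    """Return one of: ole2, docx, word-xml, xml, unknown."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        # A real OOXML Word package carries the main document part.
        return "docx" if "word/document.xml" in names else "unknown"
    # Strip a UTF-8 BOM and leading whitespace before looking for XML.
    text = data.lstrip(b"\xef\xbb\xbf \t\r\n")
    if text.startswith(b"<?xml") or text.startswith(b"<"):
        head = text[:4096].decode("utf-8", errors="replace")
        # ASSUMED WordML markers; the post does not name the XML dialect.
        if 'progid="Word.Document"' in head or "w:wordDocument" in head:
            return "word-xml"
        return "xml"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the content type is not what the extension promises."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    return classify(data) not in EXPECTED.get(ext, set())


# --- constructed samples (not real malware) ------------------------------
SAMPLE_WORDML = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\r\n'
    b'<?mso-application progid="Word.Document"?>\r\n'
    b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">'
    b'<w:body><w:p><w:r><w:t>constructed sample</w:t></w:r></w:p></w:body>'
    b'</w:wordDocument>\r\n'
)
SAMPLE_OLE2 = OLE2_MAGIC + b"\x00" * 504  # header only; enough for the signature


def build_sample_docx() -> bytes:
    """Minimal ZIP with the part layout of an OOXML Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("INV299.doc", SAMPLE_WORDML),
                       ("report.doc", SAMPLE_OLE2),
                       ("report.docx", build_sample_docx())]:
        flag = "MISMATCH" if extension_mismatch(name, blob) else "ok"
        print(f"{name}: {classify(blob)} [{flag}]")
```

Run at a mail gateway or in a sandbox, a .doc attachment that classifies as xml or word-xml is exactly the signal the notes describe; the "file" command output quoted above (XML 1.0 document text) is the same check done from the shell.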
EXAMPLES OF NEW EMOTET XML ATTACHMENTS:
- 2018-11-16 malspam: 2018-11-16-malspam-with-new-Emotet-XML-docs-8-examples.zip 642 kB (642,464 bytes)
- 2018-11-16 attachments: 2018-11-16-new-Emotet-XML-docs-8-examples.zip 444 kB (443,873 bytes)
EMOTET INFECTION TRAFFIC AND MALWARE:
- 2018-11-15 traffic: 2018-11-15-Emotet-infection-with-IcedID-and-AZORult.pcap.zip 5.9 MB (5,910,719 bytes)
- 2018-11-15-Emotet-infection-with-IcedID-and-AZORult.pcap (9,138,140 bytes)
- 2018-11-15 malware and artifacts: 2018-11-15-Emotet-and-IcedID-and-AZORult-malware.zip 731 kB (731,232 bytes)
- 2018-11-15-AZORult-from-hermes.travel.pl.exe (407,040 bytes)
- 2018-11-15-downloaded-Word-doc-with-macro-for-Emotet.doc (85,632 bytes)
- 2018-11-15-Emotet-malware-binary.exe (475,136 bytes)
- 2018-11-15-IcedID-persistent-on-infected-Windows-host.exe (513,024 bytes)
- 2018-11-15-IcedID-retrieved-by-Emotet-infected-host.exe (513,024 bytes)
- 2018-11-16 traffic: 2018-11-16-Emotet-infection-with-IcedID-and-AZORult.pcap.zip 6.3 MB (6,348,310 bytes)
- 2018-11-16-Emotet-infection-with-IcedID-and-AZORult.pcap (9,916,890 bytes)
- 2018-11-16 malware and artifacts: 2018-11-16-Emotet-and-IcedID-malware.zip 753 kB (753,099 bytes)
- 2018-11-16-Emotet-malware-binary.exe (1,212,416 bytes)
- 2018-11-16-IcedID-persistent-on-infected-Windows-host.exe (376,832 bytes)
- 2018-11-16-IcedID-retrieved-by-Emotet-infected-host.exe (376,832 bytes)
- 2018-11-17 traffic: 2018-11-17-Emotet-infection-with-IcedID-and-AZORult.pcap.zip 6.3 MB (6,334,493 bytes)
- 2018-11-17-Emotet-infection-with-IcedID-and-AZORult.pcap (9,753,943 bytes)
- 2018-11-17 malware and artifacts: 2018-11-17-Emotet-and-IcedID-malware.zip 929 kB (929,494 bytes)
- 2018-11-17-downloaded-XML-doc-with-macro-for-Emotet.doc (136,413 bytes)
- 2018-11-17-Emotet-malware-binary-initial.exe (1,212,416 bytes)
- 2018-11-17-Emotet-malware-binary-updated.exe (847,872 bytes)
- 2018-11-17-IcedID-persistent-on-infected-Windows-host.exe (376,832 bytes)
- 2018-11-17-IcedID-retrieved-by-Emotet-infected-host.exe (376,832 bytes)
MALWARE
SHA256 HASHES FOR 8 EXAMPLES OF THE ATTACHED XML DOCUMENTS:
- 7ccfb6433cc7b3173250028d08719efd1cbe5e556cc284f73a4f88c7aae4b008 - 140,541 bytes - INV299.doc
- 0190578680e963ac41ca3e4cbb2632ec296a5c41437a0219f2cc7ce7508cb4f6 - 135,677 bytes - INV903491.doc
- 67296941ea18e73e60ea2e56e9dcd8472c993bfcd023a0598d3c8cfb3c3e046d - 144,253 bytes - Untitled-EUG-M51083.doc
- 27576e6f18fb9c9663eb357842e88aa3b74ef31fe5180adad88d3b5bd7c6dc38 - 143,485 bytes - Untitled-EXO-T0409395.doc
- 37e4a6a266f2c2605e8b5c8923512fde8518b3a36fadac8128c15dcf1aa4dd6d - 145,021 bytes - Untitled-HSN-W999901.doc
- b2da18b67f24e82ac7ba4275d1250067c0a383794765478872fc7c88181a4669 - 145,533 bytes - Untitled-HWN-H39546.doc
- e9d2eb9b6e20426564d038ef0890e4c34caf394b59ed8fef0c295778d4d5aa13 - 145,277 bytes - Untitled-LVT-63613687.doc
- 6f583e147d0b35f68113fdc69cec2b19ecf1cb07ef94752a692294758f0d3ac9 - 135,549 bytes - Untitled-LXP-S6981571.doc
SHA256 HASHES FOR THE 2018-11-15 INFECTION (PREVIOUS STYLE WORD DOC):
- 236802de534d99059e8c6718dca929724c154d97524221b4ce388647ee8ac4b5 - 85,632 bytes - downloaded Word doc
- b2ffd1d5ecff5a946e032add96d05413df84be323d6490d119a65f5f96f5dbef - 407,040 bytes - AZORult from hermes[.]travel[.]pl
- 141c5f862c723ab68ca3fa253178ea5f49bcc619f20a147260c2135c221845dc - 475,136 bytes - Emotet malware binary.exe
- b672bfae654ba565dbd2cfa0cead61c8f9e6504a647e7b883f7f3eabb2fcf059 - 513,024 bytes - IcedID retrieved by Emotet
- da8105248f3355eb2c98c9e87df6ebd9afcaef0273d529de5115a20292706061 - 513,024 bytes - IcedID made persistent
SHA256 HASHES FOR THE 2018-11-16 INFECTION (WHERE I DOWNLOADED AN EMOTET EXE DIRECTLY):
- 0da56126ffb57acb5bb1a3ffa1c4c0c2605d257988b2d2964344b8f23173f615 - 1,212,416 bytes - Emotet malware binary
- d68673c8c4393dd3a7a4d40a065d8305b52ac8948863ddd8e7cfd417ee0df6fe - 376,832 bytes - IcedID retrieved by Emotet
- 4d97e3665772d4d41f7e7c0b6a7cea0c36017f444dbfb47f91de75f050412fce - 376,832 bytes - IcedID made persistent
SHA256 HASHES FOR THE 2018-11-17 INFECTION (NEW STYLE XML DOC):
- 2c53c197eb31a21e988b37bea9b2f8d3fb3c71b9e773fa8237b48d797aa5d85 - 136,413 bytes - downloaded XML doc with macro for Emotet
- a7ce456fe20c1d68c3069c327b802b21122602a77839679e93f749eac63d1b32 - 1,212,416 bytes - Emotet malware binary (initial)
- 2645cc7bfde1325875b5fa2dab3c807da5bd75d171d88ebecbee17c311f6b31e - 847,872 bytes - Emotet malware binary (updated during infection)
- d68673c8c4393dd3a7a4d40a065d8305b52ac8948863ddd8e7cfd417ee0df6fe - 376,832 bytes - IcedID retrieved by Emotet
- fd89aaa3e60672fcb6519dfdc0150df5c9312fb521a4360cfdf4fa8717923994 - 376,832 bytes - IcedID made persistent
MALWARE NOTES:
- Infection and malware labeled 2018-11-17 are dated by UTC time; it was still the evening of 2018-11-16 in the US.
- The AZORult binary was the same file hash during each infection.
IMAGES
Shown above: The new Emotet XML docs still work the same way with a macro.
FINAL NOTES
Once again, here are the associated files:
- 2018-11-16 malspam: 2018-11-16-malspam-with-new-Emotet-XML-docs-8-examples.zip 642 kB (642,464 bytes)
- 2018-11-16 attachments: 2018-11-16-new-Emotet-XML-docs-8-examples.zip 444 kB (443,873 bytes)
- 2018-11-15 traffic: 2018-11-15-Emotet-infection-with-IcedID-and-AZORult.pcap.zip 5.9 MB (5,910,719 bytes)
- 2018-11-15 malware and artifacts: 2018-11-15-Emotet-and-IcedID-and-AZORult-malware.zip 731 kB (731,232 bytes)
- 2018-11-16 traffic: 2018-11-16-Emotet-infection-with-IcedID-and-AZORult.pcap.zip 6.3 MB (6,348,310 bytes)
- 2018-11-16 malware and artifacts: 2018-11-16-Emotet-and-IcedID-malware.zip 753 kB (753,099 bytes)
- 2018-11-17 traffic: 2018-11-17-Emotet-infection-with-IcedID-and-AZORult.pcap.zip 6.3 MB (6,334,493 bytes)
- 2018-11-17 malware and artifacts: 2018-11-17-Emotet-and-IcedID-malware.zip 929 kB (929,494 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.