2018-11-16 - EMOTET NOW USING XML FILES AS WORD DOCS

Shown above:  The new Emotet infection chain.

 

NOTES:

• As of Friday 2018-11-16, email attachments with (and URL downloads for) Emotet docs are now XML-based.
• These new Emotet docs don't match Microsoft's XML-based DOCX format for Word docs.
• These new Emotet docs are tagged xml in VirusTotal.
• Using the "file" command in Linux shows them as:  XML 1.0 document text, UTF-8 Unicode text, with very long lines, with CRLF line terminators
• These new Emotet XML docs still use a .doc extension, they open in Microsoft Word, and they look and act the same as before.
• Thanks to people like @pollo290987, @JRoosen, @Ledtech3, and others who discussed this on Twitter.   (one thread)   (another thread)

 

EXAMPLES OF NEW EMOTET XML ATTACHMENTS:

• 2018-11-16 malspam:  2018-11-16-malspam-with-new-Emotet-XML-docs-8-examples.zip   642 kB (642,464 bytes)
• 2018-11-16 attachments:  2018-11-16-new-Emotet-XML-docs-8-examples.zip   444 kB (443,873 bytes)

 

EMOTET INFECTION TRAFFIC AND MALWARE:

• 2018-11-15 traffic:  2018-11-15-Emotet-infection-with-IcedID-and-AZORult.pcap.zip   5.9 MB (5,910,719 bytes)

• 2018-11-15-Emotet-infection-with-IcedID-and-AZORult.pcap   (9,138,140 bytes)

• 2018-11-15 malware and artifacts:  2018-11-15-Emotet-and-IcedID-and-AZORult-malware.zip   731 kB (731,232 bytes)

• 2018-11-15-AZORult-from-hermes.travel.pl.exe   (407,040 bytes)
• 2018-11-15-downloaded-Word-doc-with-macro-for-Emotet.doc   (85,632 bytes)
• 2018-11-15-Emotet-malware-binary.exe   (475,136 bytes)
• 2018-11-15-IcedID-persistent-on-infected-Windows-host.exe   (513,024 bytes)
• 2018-11-15-IcedID-retrieved-by-Emotet-infected-host.exe   (513,024 bytes)

• 2018-11-16 traffic:  2018-11-16-Emotet-infection-with-IcedID-and-AZORult.pcap.zip   6.3 MB (6,348,310 bytes)

• 2018-11-16-Emotet-infection-with-IcedID-and-AZORult.pcap   (9,916,890 bytes)

• 2018-11-16 malware and artifacts:  2018-11-16-Emotet-and-IcedID-malware.zip   753 kB (753,099 bytes)

• 2018-11-16-Emotet-malware-binary.exe   (1,212,416 bytes)
• 2018-11-16-IcedID-persistent-on-infected-Windows-host.exe   (376,832 bytes)
• 2018-11-16-IcedID-retrieved-by-Emotet-infected-host.exe   (376,832 bytes)

• 2018-11-17 traffic:  2018-11-17-Emotet-infection-with-IcedID-and-AZORult.pcap.zip   6.3 MB (6,334,493 bytes)

• 2018-11-17-Emotet-infection-with-IcedID-and-AZORult.pcap   (9,753,943 bytes)

• 2018-11-17 malware and artifacts:  2018-11-17-Emotet-and-IcedID-malware.zip   929 kB (929,494 bytes)

• 2018-11-17-downloaded-XML-doc-with-macro-for-Emotet.doc   (136,413 bytes)
• 2018-11-17-Emotet-malware-binary-initial.exe   (1,212,416 bytes)
• 2018-11-17-Emotet-malware-binary-updated.exe   (847,872 bytes)
• 2018-11-17-IcedID-persistent-on-infected-Windows-host.exe   (376,832 bytes)
• 2018-11-17-IcedID-retrieved-by-Emotet-infected-host.exe   (376,832 bytes)

 

MALWARE

SHA256 HASHES FOR 8 EXAMPLES OF THE ATTACHED XML DOCUMENTS:

• 7ccfb6433cc7b3173250028d08719efd1cbe5e556cc284f73a4f88c7aae4b008 - 140,541 bytes - INV299.doc
• 0190578680e963ac41ca3e4cbb2632ec296a5c41437a0219f2cc7ce7508cb4f6 - 135,677 bytes - INV903491.doc
• 67296941ea18e73e60ea2e56e9dcd8472c993bfcd023a0598d3c8cfb3c3e046d - 144,253 bytes - Untitled-EUG-M51083.doc
• 27576e6f18fb9c9663eb357842e88aa3b74ef31fe5180adad88d3b5bd7c6dc38 - 143,485 bytes - Untitled-EXO-T0409395.doc
• 37e4a6a266f2c2605e8b5c8923512fde8518b3a36fadac8128c15dcf1aa4dd6d - 145,021 bytes - Untitled-HSN-W999901.doc
• b2da18b67f24e82ac7ba4275d1250067c0a383794765478872fc7c88181a4669 - 145,533 bytes - Untitled-HWN-H39546.doc
• e9d2eb9b6e20426564d038ef0890e4c34caf394b59ed8fef0c295778d4d5aa13 - 145,277 bytes - Untitled-LVT-63613687.doc
• 6f583e147d0b35f68113fdc69cec2b19ecf1cb07ef94752a692294758f0d3ac9 - 135,549 bytes - Untitled-LXP-S6981571.doc

 

SHA256 HASHES FOR THE 2018-11-15 INFECTION (PREVIOUS STYLE WORD DOC):

• 236802de534d99059e8c6718dca929724c154d97524221b4ce388647ee8ac4b5 - 85,632 bytes - downloaded Word doc
• b2ffd1d5ecff5a946e032add96d05413df84be323d6490d119a65f5f96f5dbef - 407,040 bytes - AZORult from hermes[.]travel[.]pl
• 141c5f862c723ab68ca3fa253178ea5f49bcc619f20a147260c2135c221845dc - 475,136 bytes - Emotet malware binary.exe
• b672bfae654ba565dbd2cfa0cead61c8f9e6504a647e7b883f7f3eabb2fcf059 - 513,024 bytes - IcedID retrieved by Emotet
• da8105248f3355eb2c98c9e87df6ebd9afcaef0273d529de5115a20292706061 - 513,024 bytes - IcedID made persistent

 

SHA256 HASHES FOR THE 2018-11-16 INFECTION (WHERE I DOWNLOADED AN EMOTET EXE DIRECTLY):

• 0da56126ffb57acb5bb1a3ffa1c4c0c2605d257988b2d2964344b8f23173f615 - 1,212,416 bytes - Emotet malware binary
• d68673c8c4393dd3a7a4d40a065d8305b52ac8948863ddd8e7cfd417ee0df6fe - 376,832 bytes - IcedID retrieved by Emotet
• 4d97e3665772d4d41f7e7c0b6a7cea0c36017f444dbfb47f91de75f050412fce - 376,832 bytes - IcedID made persistent

 

SHA256 HASHES FOR THE 2018-11-17 INFECTION (NEW STYLE XML DOC):

• 2c53c197eb31a21e988b37bea9b2f8d3fb3c71b9e773fa8237b48d797aa5d85 - 136,413 bytes - downloaded XML doc with macro for Emotet
• a7ce456fe20c1d68c3069c327b802b21122602a77839679e93f749eac63d1b32 - 1,212,416 bytes - Emotet malware binary (initial)
• 2645cc7bfde1325875b5fa2dab3c807da5bd75d171d88ebecbee17c311f6b31e - 847,872 bytes - Emotet malware binary (updated during infection)
• d68673c8c4393dd3a7a4d40a065d8305b52ac8948863ddd8e7cfd417ee0df6fe - 376,832 bytes - IcedID retrieved by Emotet
• fd89aaa3e60672fcb6519dfdc0150df5c9312fb521a4360cfdf4fa8717923994 - 376,832 bytes - IcedID made persistent

 

MALWARE NOTES:

• Infection and malware labled 2018-11-17 are based on UTC time.  It was evening time on 2018-11-16 in the US.
• The AZORult binary was the same file hash during each infection.

 

IMAGES

Shown above:  The new Emotet XML docs still work the same way with a macro.

 

FINAL NOTES

Once again, here are the associated files:

• 2018-11-16 malspam:  2018-11-16-malspam-with-new-Emotet-XML-docs-8-examples.zip   642 kB (642,464 bytes)
• 2018-11-16 attachments:  2018-11-16-new-Emotet-XML-docs-8-examples.zip   444 kB (443,873 bytes)

• 2018-11-15 traffic:  2018-11-15-Emotet-infection-with-IcedID-and-AZORult.pcap.zip   5.9 MB (5,910,719 bytes)
• 2018-11-15 malware and artifacts:  2018-11-15-Emotet-and-IcedID-and-AZORult-malware.zip   731 kB (731,232 bytes)
• 2018-11-16 traffic:  2018-11-16-Emotet-infection-with-IcedID-and-AZORult.pcap.zip   6.3 MB (6,348,310 bytes)
• 2018-11-16 malware and artifacts:  2018-11-16-Emotet-and-IcedID-malware.zip   753 kB (753,099 bytes)
• 2018-11-17 traffic:  2018-11-17-Emotet-infection-with-IcedID-and-AZORult.pcap.zip   6.3 MB (6,334,493 bytes)
• 2018-11-17 malware and artifacts:  2018-11-17-Emotet-and-IcedID-malware.zip   929 kB (929,494 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.