Malware-Traffic-Analysis.net - My technical blog posts - 2018

MY TECHNICAL POSTS - [ 2013 ] - [ 2014 ] - [ 2015 ] - [ 2016 ] - [ 2017 ] - [ 2018 ] - [ 2019 ]

2018-12-27 -- Malspam pushes Shade (Troldesh) ransomware and other malware
2018-12-20 -- Quick post: Emotet infection with Gootkit
2018-12-20 -- Three days of Hancitor infections, today with Smoke Loader
2018-12-19 -- Malspam pushing the MyDoom worm is still a thing
2018-12-17 -- Files for an ISC diary (password-protected Word docs push IcedID)
2018-12-17 -- Quick post: Hancitor malspam uses links to XLS files instead of Word docs
2018-12-14 -- Emotet infection with Qakbot
2018-12-13 -- Recent bomb threat extortion (bombstortion) spam
2018-12-11 thru 2018-12-13 -- Quick post: Hancitor infections with Ursnif
2018-12-10 -- Quick post: malspam pushing Imminent Monitor RAT
2018-12-10 -- Quick post: Ursnif infection with Dridex
2018-12-10 -- Quick post: Malspam with password-protected Word docs push Nymaim
2018-12-10 -- Quick post: Emotet infection with IcedID (Bokbot)
2018-12-10 -- Quick post: Hancitor malspam and infection traffic
2018-12-07 -- New Trickbot modules bcClientDllTestTest64 and NewBCtestnDll64
2018-12-03 thru 2018-12-07 -- Quick post: Malspam pushing Emotet + IcedID (Bokbot)
2018-12-06 -- Quick post: Hancitor malspam
2018-12-05 -- Quick post: Hancitor malspam
2018-12-04 -- Files for an ISC diary (Hancitor malspam)
2018-12-03 -- Files for an ISC diary (Lokibot malspam)

2018-11-30 -- Quick post: malspam pushing Flawed Ammyy RAT
2018-11-26 thru 2018-11-30 -- Five examples of Emotet infections
2018-11-29 -- Quick post: malspam pushing Gootkit
2018-11-29 -- Quick post: Hancitor infection with Ursnif
2018-11-28 -- Pcap and malaware for an ISC diary (Shade/Troldesh malspam)
2018-11-27 -- Ursnif infection with Dridex
2018-11-26 -- Infection from malspam pushing Lokibot
2018-11-23 -- Emotet infection with Gootkit
2018-11-21 -- Ursnif infection with Dridex
2018-11-16 -- Emotet now using XML files as Word docs
2018-11-14 -- Pcap and malware for an ISC diary (Emotet infection with IcedID)
2018-11-12 -- Trickbot malspam targeting United States recipients (gtag: sat100)
2018-11-09 -- Pcap of week-long Trickbot infection
2018-11-08 -- Three recent infections from malspam pushing Ursnif
2018-11-06 -- Emotet infection with Trickbot
2018-11-02 -- GandCrab ransomware infection (version 5.0.4)

2018-10-30 -- Pcap/malware for ISC diary (malspam with password-protected Word docs)
2018-10-29 -- Pcap and malware for an ISC diary (Hancitor with Ursnif)
2018-10-26 -- Malspam with password-protected Word docs now pushing GlobeImposter
2018-10-26 -- Quick post: Trickbot malspam gtag: ser1025us
2018-10-22 -- Quick post: Trickbot malspam - gtag: ser1022
2018-10-22 -- Quick post: Hancitor malspam - No Zeus Panda Banker... just Pony
2018-10-19 -- malspam using links for zipped Windows shortcuts to push Nymaim
2018-10-18 -- Trickbot malspam using links, not attachments (gtag: any1)
2018-10-17 -- Quick post: Hancitor malspam
2018-10-15 -- Quick post: Changes in Trickbot seen today
2018-10-12 -- Hookads campaign Fallout EK (3 examples)
2018-10-10 -- Quick post: Paypal-themed Trickbot malspam targeting United States
2018-10-10 -- Quick post: Hancitor infection with Zeus Panda Banker
2018-10-10 -- Malspam link leads to fake updater malware
2018-10-09 -- Hancitor infection with Zeus Panda Banker
2018-10-08 -- Quick post: Trickbot sat75 infection with Powershell Empire traffic
2018-10-05 -- Quick post: Trickbot malspam, gtag sat74
2018-10-04 -- Quick post: Trickbot spreads from client to DC
2018-10-02 -- Russian malspam pushes Redaman malware

2018-09-28 -- more malspam with password-protected Word docs pushing Nymaim
2018-09-27 -- Quick post: 4 days of Hancitor
2018-09-25 -- Files for an ISC diary (Emotet + Trickbot + IcedID + AZORult)
2018-09-24 -- Files for an ISC diary (sextortion spam)
2018-09-21 -- Malspam with password-protected Word docs still pushing Nymaim
2018-09-21 -- Emotet infections with Trickbot (UK and US)
2018-09-20 -- Quick post: Emotet infection with Trickbot (gtag: arz1)
2018-09-19 -- Data dump (Hancitor, Nymaim, Trickbot)
2018-09-17 -- Quick post: Malspam with password-protected Word doc pushes Nymaim
2018-09-14 -- Quick post: Emotet infection with Trickbot
2018-09-11 -- Quick post: Two days of Hancitor
2018-09-06 -- Data dump (Emotet, Hancitor, and Trickbot)
2018-09-06 -- Malspam with password-protected Word doc pushes AZORult then Neutrino
2018-09-05 -- Quick post: Hancitor malspam stops using PDF attachments after 1 day
2018-09-05 -- Emotet infection with IcedID banking Trojan and AZORult
2018-09-05 -- Extortion malspam: 30 email examples
2018-09-04 -- Emotet infection with IcedID banking Trojan
2018-09-04 -- Quick post: Hancitor malspam uses PDF attachments
2018-09-03 -- Quick post: Emotet infection with Zeus Panda Banker
2018-09-03 -- Quick post: Trickbot malspam and infection traffic

2018-08-24 -- Quick post: Emotet malspam infections with Zeus Panda Banker
2018-08-23 -- Quick post: Hancitor malspam infection with Zeus Panda Banker
2018-08-22 -- Quick post: 3 days of Hancitor malspam infections
2018-08-21 -- malspam w/ password-protected Word docs, now pushes Neutrino malware
2018-08-21 -- malspam using HTML attachments --> LNK files for Windows infections
2018-08-17 -- Trickbot updates propagation from infected client to DC
2018-08-16 -- Emotet infections with Zeus Panda Banker on 2018-08-15 and 2018-08-16
2018-08-16 -- Hancitor infection traffic with Zeus Panda Banker
2018-08-15 -- Pcap and malware for an ISC diary
2018-08-15 -- Quick post: Hancitor infection traffic with Zeus Panda Banker
2018-08-14 -- Quick post: Emotet malspam infections from 2018-08-13 and 2018-08-14
2018-08-14 -- Quick post: Hancitor malspam infections from 2018-08-13 and 2018-08-14
2018-08-10 -- Quick post: Emotet infection with Zeus Panda Banker
2018-08-08 -- Quick post: Emotet infection with Trickbot (gtag: tot285)
2018-08-07 -- Quick post: Trickbot (gtag: tot284) moves from client to DC
2018-08-07 -- Hookads Rig EK pushes AZORult, AZORult pushes SmokeLoader
2018-08-06 -- Quick post: Emotet and Hancitor both pushing Zeus Panda Banker
2018-08-06 -- XMRig coinminer caused by ad traffic leading to adobeupdater.mcdir.ru
2018-08-02 -- Quick post: Hancitor malspam and infection traffic
2018-08-02 -- Pcap and malware for an ISC diary (DHL-themed malspam)
2018-08-01 -- Quick post: Emotet + spammer malware traffic

2018-07-31 -- two Emotet infections: Emotet + Trickbot and Emotet + Zeus Panda Banker
2018-07-27 -- Pcap and malware for ISC diary (malspam pushes Hermes ransomware)
2018-07-25 -- Quick post: Rig EK pushes GandCrab ransomware
2018-07-24 -- Pcap for an ISC diary (Emotet + Zeus Panda Banker)
2018-07-23 -- Malspam using password-protected Word docs still pushing ransomware
2018-07-21 -- Quick post: Trickbot infection with PowerShell Empire traffic
2018-07-20 -- Emotet infections with Zeus Panda Banker and Trickbot (gtag: del34)
2018-07-19 -- Quick post: Another Trickbot infection moves from client to DC
2018-07-19 -- Hancitor infection with AZORult and Zeus Panda Banker
2018-07-19 -- Emotet infection with Zeus Panda Banker
2018-07-18 -- Quick post: Trickbot infection with Tor traffic and new module
2018-07-18 -- Quick post: Hancitor infection traffic with AZORult and Zeus Panda Banker
2018-07-17 -- Necurs Botnet malspam uses .iqy files to push Flawed Ammyy RAT
2018-07-16 -- Quick post: Hancitor infection with Zeus Panda Banker (and AZORult)
2018-07-16 -- Quick post: Emotet infection with Trickbot (gtag: mon1)
2018-07-13 -- Malspam uses .iqy files to push Flawed Ammyy RAT
2018-07-10 -- Data dump
2018-07-09 -- Quick post: Trickbot infection traffic (gtag: ser0709us)
2018-07-09 -- Hancitor malspam infection traffic with Zeus Panda Banker
2018-07-09 -- Emotet malspam infection traffic with Zeus Panda Banker
2018-07-05 -- Trickbot malspam infection traffic
2018-07-05 -- fake updater traffic (Chthonic, Dridex, and NetSupport RAT)
2018-07-03 -- Emotet malspam infection traffic with Zeus Panda Banker
2018-07-03 -- Hancitor malspam infection traffic with Zeus Panda Banker
2018-07-02 -- Trickbot malspam infection traffic
2018-07-02 -- Emotet infection traffic with Zeus Panda Banker

2018-06-29 -- More Trickbot moving from client (gtag: ser0629) to DC (gtag: lib257)
2018-06-29 -- Data Dump: Fake Flash Update and Rig EK
2018-06-28 -- Quick post: Hancitor infection with Zeus Panda Banker
2018-06-28 -- Fake AV screen locker (a relatively easy fix)
2018-06-27 -- Quick post: Emotet infection with IcedID banking Trojan
2018-06-27 -- Quick post: Hancitor infection with Zeus Panda Banker
2018-06-26 -- Quick post: Trickbot infection traffic
2018-06-26 -- Quick post: Emotet infection with IcedID
2018-06-22 -- Quick post: Emotet with Trickbot and Emotet with Zeus Panda Banker
2018-06-20 -- Malspam pushes Emotet & Emotet pushes IcedID banking malware (again)
2018-06-19 -- Malspam pushes Emotet and Emotet pushes IcedID banking malware
2018-06-18 -- Emotet malspam infection traffic with IcedID banking malware
2018-06-15 -- Emotet malspam infection with Trickbot (gtag: del9) and DC infection
2018-06-14 -- Emotet infection with Trickbot (gtag: del8)
2018-06-13 -- Necurs Botnet malspam uses .iqy file to push Flawed Ammyy RAT
2018-06-12 -- Emotet malspam and infection traffic
2018-06-11 -- Emotet data dump
2018-06-11 -- Pcap and malware for an ISC diary (Loki-Bot malspam)
2018-06-08 -- Pcap and malware for an ISC diary (coin miner malspam)
2018-06-04 -- More malspam pushing password-protected Word docs

2018-05-31 -- Hancitor malspam - Fake HelloFax notifications
2018-05-31 -- End of month round-up: Emotet malspam and infection traffic
2018-05-29 -- DHL-themed malspam with links to .js file downloader
2018-05-27 -- SlyIP campaign uses Grandsoft EK to push Ursnif
2018-05-25 -- Quick post: Emotet malspam
2018-05-25 -- Quick post: Trickbot malspam
2018-05-25 -- Necurs Botnet malspam pushes Flawed Ammyy RAT
2018-05-24 -- Quick post: Trickbot malspam (infection from client to domain controller)
2018-05-24 -- Quick post: Hancitor infection traffic
2018-05-16 -- Quick post: Emotet malspam
2018-05-16 -- Quick post: Hancitor malspam
2018-05-16 -- Quick post: Trickbot malspam
2018-05-15 -- Quick post: Emotet malspam
2018-05-15 -- Quick post: Hancitor malspam
2018-05-15 -- Quick post: Trickbot malspam
2018-05-15 -- Pcap and malware for an ISC diary (MyEtherWallet phishing emails)
2018-05-14 -- Quick post: Hancitor malspam
2018-05-14 -- Pcap and malware for an ISC diary (Trickbot malspam)
2018-05-09 -- Malspam using password-protected Word docs still active
2018-05-09 -- Quick Post: Emotet malspam infection traffic
2018-05-08 -- Grandsoft EK sends QuantLoader which retrieves Ursnif
2018-05-08 -- Fake Bright!Tax emails distribute Xorist Ransomware
2018-05-08 -- Data dump
2018-05-07 -- Data dump
2018-05-04 -- malspam pushing Emotet moved from links to attachments this week
2018-05-03 -- Trickbot malspam - Subject: Bill payment alert
2018-05-03 -- Hancitor malspam - fake Vemno notifications
2018-05-02 -- Hancitor malspam - fake Verizon notifications
2018-05-01 -- Trickbot malspam - Subject: FW: Account Documents
2018-05-01 -- Hancitor malspam - fake U.S. Bank notifications

2018-04-30 -- Example of Trickbot moving from client to domain controller
2018-04-27 -- Data dump
2018-04-26 -- Data dump
2018-04-25 -- Data dump
2018-04-24 -- Infection traffic, email samples, and malware from 3 malspam campaigns
2018-04-23 -- DHL-themed malspam pushes Agent Telsa - a somewhat sloppy job
2018-04-23 -- Hancitor malspam - Fake Bank of America notifications
2018-04-20 -- Yesterday's fake Netflix phishing emails are today's fake Spotify messages
2018-04-19 -- Hancitor malspam - Fake HelloFax notifications
2018-04-18 -- Hancitor malspam - Fake IRS notifications
2018-04-18 -- Italian invoice (Fattura) malspam pushes Zeus Panda Banker
2018-04-17 -- "Zero-Gand" malspam active again since Monday 2018-04-16
2018-04-17 -- Quick post: Trickbot malspam and traffic
2018-04-16 -- Quick post: Trickbot malspam and traffic
2018-04-14 -- Quick post: Rig EK sends GandCrab ransomware
2018-04-13 -- Quick post: malspam and traffic dump
2018-04-12 -- Quick post: Trickbot malspam and infection traffic
2018-04-12 -- Pcap and malware for an ISC diary (Zero-Gand malspam)
2018-04-11 -- Hancitor malspam - fake ATT notifications
2018-04-10 -- Malspam pushing Gandcrab ransomware
2018-04-09 -- Grandsoft EK sends Zeus Panda Banker
2018-04-06 -- I went after Rig EK like it was a snake on Whacking Day
2018-04-05 -- Quick post: some malspam (and traffic and malware) from today
2018-04-04 -- Quick post: Necurs Botnet malspam pushes Quantloader
2018-04-04 -- Quick post: Trickbot malspam
2018-04-04 -- Hancitor malspam - fake DHL notifications
2018-04-03 -- Quick post: Malspam pushing Gandcrab ransomware
2018-04-03 -- Quick post: Necurs Botnet malspam pushes Quantloader
2018-04-03 -- Quick post: Fake Chrome, Firefox, and Flash player updates
2018-04-02 -- Quick post: Necurs Botnet malspam pushes QuantLoader & follow-up

2018-03-30 -- malspam pushing Ursnif through batch files
2018-03-28 -- Quick post: Trickbot malspam
2018-03-27 -- fake Chrome, Firefox, or Flash update pages push JS malware
2018-03-26 -- malspam pushing Sigma ransomware
2018-03-26 -- Emotet malspam
2018-03-23 -- Quick post: Those pesky Netflix-themed phishing emails
2018-03-23 -- Quick post: Emotet malspam
2018-03-22 -- GoDaddy-themed phish
2018-03-22 -- Netflix-themed phish
2018-03-22 -- Trickbot malspam - Subject: You have received a secure document
2018-03-21 -- Emotet malspam examples and infection traffic
2018-03-20 -- Brazil malspam and infection traffic
2018-03-16 -- Who starts malspam this late on a Friday pushing GandCrab?
2018-03-15 -- GrandSoft EK sends AZORult
2018-03-15 -- Quick post: Rig EK sends GandCrab ransomware
2018-03-15 -- Quick post: some recent Emotet malspam examples
2018-03-14 -- Hancitor malspam - fake Invoicely notice
2018-03-14 -- Pcap and malware for an ISC diary (Sigma ransomware malspam)
2018-03-13 -- Hancitor malspam - Fake Due notice
2018-03-09 -- Malspam pushing Loki-Bot malware
2018-03-08 -- Quick post: Hancitor malspam
2018-03-08 -- Quick post: HookAds campaign Rig EK sends Bunitu
2018-03-07 -- 100 examples of Emotet malspam
2018-03-07 -- Hancitor malspam - fake PayPal notice
2018-03-07 -- Pcap and malware for an ISC diary (GlobeImposter & GandCrab malspam)
2018-03-06 -- Hancitor malspam - fake DocuSign notice
2018-03-05 -- Coins LTD campaign uses Rig EK to push Ursnif
2018-03-05 -- Malspam from the Boleto Mestre campaign
2018-03-01 -- Emotet malspam

2018-02-28 -- Hancitor malspam - fake eFax messages
2018-02-27 -- Quick post: Hancitor malspam
2018-02-27 -- Pcap and malware for an ISC diary (Formbook malspam)
2018-02-26 -- Quick post: Formbook malspam
2018-02-26 -- Quick post: Hancitor malspam
2018-02-24 -- Quick post: ISRstealer malspam
2018-02-22 -- Quick post: Hancitor malspam
2018-02-21 -- Malspam - Subject: DHL Italy - ordine
2018-02-20 -- Hancitor malspam - Fake ADP payroll invoice
2018-02-16 -- Malspam pushing Formbook info stealer
2018-02-14 -- Quick post: Hancitor malspam
2018-02-13 -- Hancitor malspam - Fake Quill.com credit card charge
2018-02-12 -- Quick post: Emotet infection traffic
2018-02-12 -- Quick post: Hancitor malspam
2018-02-12 -- Seamless campaign Rig EK sends Ramnit
2018-02-08 -- Return of Quant Loader: Malspam Using PDF Files Tries A New Tactic
2018-02-07 -- Pcap and malware for an ISC diary (GandCrab malspam)
2018-02-06 -- Hancitor malspam - fake UPS notification
2018-02-05 -- Malspam using PDF attachments to push Dridex since 2018-01-30
2018-02-02 -- Traffic and malware data dump
2018-02-01 -- Quick test-drive of Trickbot (it now has a Monero module)

2018-01-30 -- Rig EK sends Ramnit, follow-up malware: AZORult
2018-01-29 -- Quick post: Hancitor malspam
2018-01-29 -- Three days of Seamless campaign Rig EK pushing Gandcrab ransomware
2018-01-25 -- Quick post: Dridex malspam
2018-01-24 -- Quick post: Hancitor malspam
2018-01-23 -- Pcap and malware for an ISC diary (Hancitor malspam)
2018-01-22 -- More resume malspam pushing Smoke Loader and other malware
2018-01-19 -- Three recent examples of Ngay campaign Rig EK
2018-01-17 -- Data for an ISC diary (Word doc causes Gozi-ISFB infection)
2018-01-16 -- Malspam pushes Zeus Panda Banker
2018-01-15 -- Malspam uses CVE-2017-11882 RTF file to push Formbook info stealer
2018-01-12 -- Malspam pushes NanoCore RAT
2018-01-11 -- Rig EK sends Smoke Loader and Monero coin miner
2018-01-10 -- Hancitor malspam - Fake UPS shipping notification
2018-01-09 -- Emotet malspam infection traffic with Zeus Panda Banker
2018-01-09 -- Seamless campaign continues using Rig EK to send Ramnit
2018-01-09 -- Malspam pushing Java-based RAT
2018-01-08 -- Malspam pushing Loki Bot malware
2018-01-08 -- pcap for an ISC diary (fake AV page)
2018-01-06 -- Compromised web sites leading to fake AV or other unwanted pages
2018-01-04 -- Malspam pushing Formbook info stealer
2018-01-04 -- Malspam pushing PCRat/Gh0st
2018-01-03 -- Ursnif or not? Infection traffic from a malspam Word doc
2018-01-02 -- Fake Flash updater is actually coinminer malware
2018-01-02 -- WhatsApp-themed malspam targeting Brazil (again)

Return to main menu
RSS feed
@malware_traffic on Twitter

Traffic analysis exercises
My technical blog posts
My non-technical posts
Guest blog posts

Tutorials and other entries

About this blog

Copyright © 2018 | Malware-Traffic-Analysis.net