2019-01-18 - QUICK POST: EMOTET INFECTION WITH ICEDID (BOKBOT)

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Email examples:  2019-01-18-Emotet-malspam-9-examples.zip   499 kB (499,231 bytes)

• 2019-01-16-Emotet-malspam-with-attachment-2105-UTC.eml   (123,009 bytes)
• 2019-01-16-Emotet-malspam-with-link-1353a-UTC.eml   (25,681 bytes)
• 2019-01-16-Emotet-malspam-with-link-1353b-UTC.eml   (27,948 bytes)
• 2019-01-17-Emotet-malspam-with-attachment-1708-UTC.eml   (332,352 bytes)
• 2019-01-18-Emotet-malspam-with-attachment-0930-UTC.eml   (191,451 bytes)
• 2019-01-18-Emotet-malspam-with-attachment-0933-UTC.eml   (182,569 bytes)
• 2019-01-18-Emotet-malspam-with-link-1411-UTC.eml   (4,657 bytes)
• 2019-01-18-Emotet-malspam-with-link-1421-UTC.eml   (4,557 bytes)
• 2019-01-18-Emotet-malspam-with-link-1959-UTC.eml   (1,653 bytes)

• Traffic:  2019-01-18-Emotet-infection-traffic-with-IcedID.pcap.zip   4.0 MB (3,965,420 bytes)

• 2019-01-18-Emotet-infection-traffic-with-IcedID.pcap   (4,335,921 bytes)

• Malware:  2019-01-18-Emotet-and-IcedID-malware.zip   371 kB (371,004 bytes)

• 2019-01-18-downloaded-Word-doc-with-macro-for-Emotet.doc   (105,276 bytes)
• 2019-01-18-Emotet-executable-downloaded-by-Word-macro.exe   (151,552 bytes)
• 2019-01-18-Emotet-executable-updated-after-initial-infection.exe   (151,552 bytes)
• 2019-01-18-IcedID-retreived-by-Emotet-infected-host.exe   (132,608 bytes)

NOTES:

• Seems like everyone knows Emotet is back.  I saw IcedID (Bokbot) as the follow-up malware today.

 

Shown above:  Pcap from today's infection filtered in Wireshark.

 

Click here to return to the main page.