2019-01-21 - EMOTET INFECTION WITH GOOTKIT

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Pcap of the infection traffic:  2019-01-21-Emotet-infection-with-Gootkit.pcap.zip   6.3 MB (6,283,535 bytes)

• 2019-01-21-Emotet-infection-with-Gootkit.pcap   (7,595,455 bytes)

• Associated malware:  2019-01-21-Emotet-and-Gootkit-malware-and-artifacts.zip   462 kB (461,917 bytes)

• 2019-01-21-Emotet-EXE-retreived-by-Word-macro.exe   (159,744 bytes)
• 2019-01-21-Gootkit-retrieved-by-Emotet-infected-host.exe   (299,520 bytes)
• 2019-01-21-INF-file-for-Gootkit.txt   (305 bytes)
• 2019-01-21-downloaded-Word-doc-with-macro-for-Emotet.doc   (265,289 bytes)

NOTES:

• @cryptolaemus1 posted info on more than 200 URLs seen on 2019-01-21.
• Based on URL patterns, the majority of these URLs for the Emotet Word document are from Germany-targeted malspam.
• Today also revealed a new Word document template I haven't noticed before.

 

Shown above:  Flow chart for today's Emotet malspam infection.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs and domains:

• hxxp[:]//www.forma-31[.]ru/De/KVHFNE8175184/Bestellungen/Fakturierung/
• hxxp[:]//www.animoderne[.]com/kcrod7Kciuarbik_lZO
• hxxp[:]//www.animoderne[.]com/kcrod7Kciuarbik_lZO/
• hxxp[:]//ftp.spbv[.]org/yV6CuadvZ3v7G_60Tk
• hxxp[:]//ftp.spbv[.]org/yV6CuadvZ3v7G_60Tk/
• hxxp[:]//wijdoenbeter[.]be/kZ1ywr7u_rQL
• hxxp[:]//animoderne[.]com/6H7bU7fDVegZsDf_jmA
• hxxp[:]//animoderne[.]com/6H7bU7fDVegZsDf_jmA/
• hxxp[:]//realgen-marketing[.]nl/06yF2OmyV8
• hxxp[:]//realgen-marketing[.]nl/06yF2OmyV8/
• rent.golfcarexport[.]com
• sale.mandinipearls[.]com
• fri33-ay[.]com
• getlo801c[.]com

 

DOWNLOADED WORD DOC

Shown above:  Downloaded Word doc with macro for Emotet

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

DOWNLOAD OF INITIAL WORD DOCUMENT:

• 77.222.63[.]27 port 80 - www.forma-31[.]ru - GET /De/KVHFNE8175184/Bestellungen/Fakturierung/

TRAFFIC TO RETREIVE EMOTET EXE CAUSED BY WORD MACRO:

• 213.186.33[.]18 port 80 - www.animoderne[.]com - GET /kcrod7Kciuarbik_lZO   (301 Moved Permanently)
• 213.186.33[.]18 port 80 - www.animoderne[.]com - GET /kcrod7Kciuarbik_lZO/   (200 OK, shows index of dir)
• 134.0.14[.]83 port 80 - ftp.spbv[.]org - GET /yV6CuadvZ3v7G_60Tk   (301 Moved Permanently)
• 134.0.14[.]83 port 80 - ftp.spbv[.]org - GET /yV6CuadvZ3v7G_60Tk/   (403 Forbidden)
• 83.217.75[.]51 port 80 - wijdoenbeter[.]be - GET /kZ1ywr7u_rQL   (200 OK, but no content returned)
• 213.186.33[.]18 port 80 - animoderne[.]com - GET /6H7bU7fDVegZsDf_jmA   (301 Moved Permanently)
• 213.186.33[.]18 port 80 - animoderne[.]com - GET /6H7bU7fDVegZsDf_jmA/   (200 OK, shows index of dir)
• 5.61.248[.]185 port 80 - realgen-marketing[.]nl - GET /06yF2OmyV8   (301 Moved Permanently)
• 5.61.248[.]185 port 80 - realgen-marketing[.]nl - GET /06yF2OmyV8/   (200 OK, returned Emotet EXE)

EMOTET POST-INFECTION TRAFFIC:

• 182.176.106[.]43 port 995 - attempted TCP connections, but no response from server
• 100.42.20[.]148 port 53 - 100.42.20[.]148:53 - GET /   (multiple requests, encoded traffic, included Gootkit EXE)

GOOTKIT POST-INFECTION TRAFFIC:

• 178.162[.]132.90 port 443 - rent.golfcarexport[.]com - HTTPS traffic caused by Gootkit
• 178.162[.]132.90 port 443 - sale.mandinipearls[.]com - HTTPS traffic caused by Gootkit
• 51.15.37[.]44 port 443 - fri33-ay[.]com - HTTPS traffic caused by Gootkit
• 51.15.37[.]44 port 443 - getlo801c[.]com - HTTPS traffic caused by Gootkit

 

MALWARE

INITIAL WORD DOC:

• SHA256 hash:  1a73585dc90551822b772e3bab61a856a3ed8377b2e71326ce1b946a43cfa1f2
  
• File size:  265,289 bytes
  
• File location:  hxxp[:]//www.forma-31[.]ru/De/KVHFNE8175184/Bestellungen/Fakturierung/
  
• Downloadedile name:  2019_Januar_21_50_04_Uhr.doc   (different file names)
  
• File description: Downloaded Word doc with macro for Emotet

EMOTET BINARIES:

• SHA256 hash:  98e832e8d670daed18a0449113b7ae909cfce32c49f6a2a048893c95cad2bbe8
  
• File size:  159,744 bytes
  
• File location:  hxxp[:]//realgen-marketing[.]nl/06yF2OmyV8/
  
• File location:  C:\Users\[username]\AppData\Local\[random name]\[same as directory name].exe
  
• File description:  Emotet binary retrieved by Word macro

• SHA256 hash:  52c84e9f8be452405bdc6dac12518a04509e8d34d16633e11f707f493ed4f9a7
  
• File size:  299,520 bytes
  
• File location:  C:\ProgramData\[random characters].exe
  
• File description:  Gootkit executable retrieved by Emotet-infected host

 

Click here to return to the main page.