Malware-Traffic-Analysis.net - 2017-10-10 - Emotet infection with spambot traffic

2017-10-10 - EMOTET INFECTION WITH SPAMBOT TRAFFIC

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2017-10-10-Emotet-infection-with-spambot-traffic.pcap.zip 2.3 MB (2,327,021 bytes)

2017-10-10-Emotet-infection-with-spambot-traffic.pcap (3,378,330 bytes)

Z2017-10-10-Emotet-malspam-14-examples.zip 19.9 kB (19,936 bytes)

2017-10-10-Emotet-malspam-0630-UTC.eml (1,080 bytes)

2017-10-10-Emotet-malspam-0635-UTC.eml (1,910 bytes)

2017-10-10-Emotet-malspam-0644-UTC.eml (2,458 bytes)

2017-10-10-Emotet-malspam-0820-UTC.eml (1,790 bytes)

2017-10-10-Emotet-malspam-0824-UTC.eml (1,853 bytes)

2017-10-10-Emotet-malspam-0839-UTC.eml (2,973 bytes)

2017-10-10-Emotet-malspam-0903-UTC.eml (1,739 bytes)

2017-10-10-Emotet-malspam-0921-UTC.eml (1,392 bytes)

2017-10-10-Emotet-malspam-0952-UTC.eml (1,748 bytes)

2017-10-10-Emotet-malspam-1152-UTC.eml (2,337 bytes)

2017-10-10-Emotet-malspam-1231-UTC.eml (1,978 bytes)

2017-10-10-Emotet-malspam-1233-UTC.eml (2,056 bytes)

2017-10-10-Emotet-malspam-1301-UTC.eml (1,334 bytes)

2017-10-10-Emotet-malspam-1421-UTC.eml (2,659 bytes)

2017-10-10-malware-from-Emotet-infection.zip 232.9 kB (232,865 bytes)

5572.exe (105,472 bytes)

Purchase Order _ 5894568.doc (81,920 bytes)

shedulecart.exe (221,696 bytes)

TWEETS NOTED ABOUT TODAY'S WAVE OF #EMOTET MALSPAM:

@JAMESWT_MHT: #malicious #doc [VirusTotal link] should drop #emotet (link)
@cybercdh: Seeing #emotet actors experimenting with their macros. Their .doc downloaders are today firing on AutoClose (link)
@James_inthe_box: Handful of #emotet #malspam doc links..looks like a new obfuscation method as well this round. (link)
@NelsonSecurity: #emotet payload URLs 10/10 [Pastebin and Hybrid-Analysis.com links]. (link)

EMAIL

Shown above: Screenshot from an email seen on 2017-10-10.

COLLECTED MALSPAM:

2017-10-10 06:30 UTC -- From (spoofed): "Gurpreet Bhogal" <msabal@panpacificusa[.]com> -- Subject: 2017 #4493#
2017-10-10 06:35 UTC -- From (spoofed): "Luke Squire" <kellyp-mac@comcast[.]net> -- Subject: Scan
2017-10-10 06:44 UTC -- From (spoofed): "sian@talawafostering[.]com" <aguiars@sbcglobal[.]net> -- Subject: 2017 #57875#
2017-10-10 08:20 UTC -- From (spoofed): "Rachel Boxall" <facturas@viprotemp[.]com> -- Subject: Rechnung 2017-10-04902
2017-10-10 08:24 UTC -- From (spoofed): "Isabella Smith" <kimburja@comcast[.]net> -- Subject: Ihre Bestellung wurde versendet (26256873)
2017-10-10 08:39 UTC -- From (spoofed): "[removed]@[recipient's email domain]" <mady_c@sbcglobal[.]net> -- Subject: Scan
2017-10-10 09:03 UTC -- From (spoofed): "Bryan White" <mlitch4242@comcast[.]net> -- Subject: Frage zur Rechnung
2017-10-10 09:21 UTC -- From (spoofed): "Sian Baptiste" <ashutosh.sharma@e-solutioninc[.]com> -- Subject: Rechnungs-Details
2017-10-10 09:52 UTC -- From (spoofed): "Stephen.Moyna@taylorwimpey[.]com" <dr.lange@ipg-neu-isenburg[.]de> -- Subject: Angebot GVSDY-3031915
2017-10-10 11:52 UTC -- From (spoofed): "justin.miller@itecpad[.]com" <salesmanager@labourdonnais[.]com> -- Subject: Purchase Order : 74454722
2017-10-10 12:31 UTC -- From (spoofed): "Alexandra.AUSTIN@lhoist[.]com" <rick@recruitment.softnice[.]com> -- Subject: invoice
2017-10-10 12:33 UTC -- From (spoofed): "billblack@glsllc[.]com" <ivana@admeng.ca> -- Subject: Statement from billblack@glsllc[.]com
2017-10-10 13:01 UTC -- From (spoofed): "rececption@hydeparkhayes.uk[.]com" <Gboodt@majoritybuilders[.]com> -- Subject: OVERDUE ACCOUNT
2017-10-10 14:21 UTC -- From (spoofed): "isp_enrollmentprocess@thawte[.]com" <helpdesk@browsecontacts[.]com> -- Subject: Client- 717, Oct 2017 Invoice

Shown above: Clicking on a link from one of the emails returned a randomly-named document.

Shown above: Malicious Word document downloaded from a link in one of the emails.

TRAFFIC

Shown above: Traffic from an infection filtered in Wireshark.

Shown above: SMTP traffic from an infected Windows host sending more malspam.

URLS FROM THE EMAILS:

hxxp[:]//aussiescanners[.]com/Purchase-Order-50717202/
hxxp[:]//contapack[.]com[.]au/OVERDUE-ACCOUNT/
hxxp[:]//demonzmedia[.]com/OVERDUE-ACCOUNT/
hxxp[:]//denks[.]net/gescanntes-Dokument/
http[:]//diow[.]com[.]br/INVOICE-STATUS/
hxxp[:]//marinalimo[.]com/Payment-and-address./
hxxp[:]//mariovalente[.]it/Rechnung-Bestellung-97866/
hxxp[:]//mbhomes[.]com/2017-11190/
hxxp[:]//nbimarketing[.]net/Dokumente/
hxxp[:]//rackinfotech[.]com/2017-12852/
hxxp[:]//radionik[.]info/Statement/
hxxp[:]//rostravernatherm[.]com/Rechnung-2017-10-76709/
hxxp[:]//sagtalent[.]com/Rechnung-im-Anhang/
hxxp[:]//sandstonesoftware[.]com[.]au/2017-5756/
hxxp[:]//vodaless[.]net/Rechnung/Rechnung/

TRAFFIC FROM AN INFECTED HOST:

46.19.92[.]225 port 80 - radionik[.]info - GET /Statement/ [URL to get Word doc]
177.185.194[.]174 port 80 - webproj[.]com[.]br - GET /lxP/ [URL to get follow-up EXE]
5.39.84[.]48 port 8081 - 5.39.84[.]48:8081 - POST /
81.2.245[.]28 port 7080 - 81.2.245[.]28:7080 - POST /
178.254.24[.]98 port 8080 - 178.254.24[.]98:8080 - POST /
Various IPs over various port - various domains - SMTP traffic (clear and encrypted)

MALWARE

WORD DOCUMENT DOWNLOADED FROM EMAIL LINK:

SHA256 hash: 5a8b91fac4cdd9220dae03dc4160d8d77fb509482d14370da38227b5de7ee639
File size: 81,920 bytes
File name: Purchase Order _ 5894568.doc (random file names seen from the email URL)

MALWARE DOWNLOADED BY WORD MACRO:

SHA256 hash: ae388ef426ffac2888e3c0d616619091048e07f7dadb04051a895b71c9123626
File size: 105,472 bytes
File location: C:\Users\[username]\AppData\Local\Temp\5572.exe

MALWARE PERSISTENT ON THE INFECTED HOST:

SHA256 hash: 32eb4a34d123927ca5fd2e5f36634c1e50017e156e4ec7e5cdce3feb23c6c543
File size: 221,696 bytes
File location: C:\Users\[username]\AppData\Local\Microsoft\Windows\shedulecart.exe

Shown above: Malware persistent on the infected Windows host.

Click here to return to the main page.