2018-03-22 - TRICKBOT MALSPAM - SUBJECT: YOU HAVE RECEIVED A SECURE DOCUMENT

ASSOCIATED FILES:

  • 2018-03-22-Trickbot-malspam-120834-UTC.eml   (144,137 bytes)
  • 2018-03-22-Trickbot-malspam-120844a-UTC.eml   (146,448 bytes)
  • 2018-03-22-Trickbot-malspam-120844b-UTC.eml   (146,454 bytes)
  • 2018-03-22-Trickbot-malspam-120845a-UTC.eml   (146,450 bytes)
  • 2018-03-22-Trickbot-malspam-120845b-UTC.eml   (146,460 bytes)
  • 2018-03-22-Trickbot-malspam-infection-traffic.pcap   (2,622,359 bytes)
  • 2018-03-22-sanitized-traffic-from-Reverse.it-analysis-of-Word-document.pcap   (4,597,230 bytes)
  • 2018-03-22-Trickbot-artifact-group_tag.txt   (16 bytes)
  • 2018-03-22-Trickbot-artifact-rhknve.bat.txt   (328 bytes)
  • 2018-03-22-Trickbot-binary-Yknxohk.exe   (348,160 bytes)
  • 2018-03-22-Trickbot-scheduled-task-MsNetMonitor.xml.txt   (3,736 bytes)
  • 2018-03-22-maldoc-with-macro-to-install-Trickbot-9S659EHDCSI72649DS.doc   (80,896 bytes)

NOTES:

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs:

 

DATA FROM 5 EMAIL SAMPLES:

 
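The per-message fields this section tabulates (date, sender, subject, any URL in the body, attachment name and hash) can be pulled from the .eml samples listed above with a short script. The following is an added example and not code from the original page: the message it parses is constructed inline, the sender and URL sit on the reserved .invalid TLD, and only the attachment filename is taken from the file list above. It also flags OLE2 (legacy .doc) attachments by their magic bytes, which is the file type the maldoc above uses.

```python
"""Added example, not from the original page: summarize malspam .eml samples.

For each message it extracts the fields an analyst tabulates (date, sender,
subject, URLs in the body) and hashes every attachment, flagging OLE2 files
(legacy .doc/.xls) by their header.  The sample message below is constructed;
only the attachment filename matches the maldoc listed on this page.
"""
import email
import hashlib
import re
import sys
from datetime import timezone
from email import policy
from email.message import EmailMessage
from email.utils import parsedate_to_datetime

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file header of legacy .doc
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def summarize_eml(raw: bytes) -> dict:
    """Parse one RFC 5322 message and return the indicators worth tabulating."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    date_str = "unknown"
    if msg["Date"] is not None:
        try:
            dt = parsedate_to_datetime(str(msg["Date"]))
            if dt.tzinfo is None:  # "-0000" dates come back naive; treat as UTC
                dt = dt.replace(tzinfo=timezone.utc)
            date_str = dt.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M UTC")
        except (TypeError, ValueError):
            pass
    summary = {
        "date": date_str,
        "from": str(msg["From"]),
        "subject": str(msg["Subject"]),
        "urls": [],
        "attachments": [],
    }
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        summary["urls"] = URL_RE.findall(body.get_content())
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if not data:
            continue
        summary["attachments"].append({
            "filename": part.get_filename(),
            "size": len(data),
            "sha256": sha256_hex(data),
            "is_ole2": data.startswith(OLE2_MAGIC),
        })
    return summary


# Constructed stand-in for the maldoc: a valid OLE2 header plus padding (32 bytes).
SAMPLE_DOC_BYTES = OLE2_MAGIC + b"\x00" * 24


def build_sample_eml() -> bytes:
    """Construct a message shaped like the samples above (contents are made up)."""
    m = EmailMessage()
    m["From"] = "Secure Document <noreply@sender.invalid>"   # placeholder sender
    m["To"] = "recipient@target.invalid"
    m["Date"] = "Thu, 22 Mar 2018 12:08:34 +0000"
    m["Subject"] = "You have received a secure document"
    m.set_content("View it at http://docs.sender.invalid/secure or open the attachment.")
    m.add_attachment(SAMPLE_DOC_BYTES, maintype="application", subtype="msword",
                     filename="9S659EHDCSI72649DS.doc")
    return m.as_bytes()


if __name__ == "__main__":
    # Usage: python summarize_eml.py 2018-03-22-Trickbot-malspam-*.eml
    # With no arguments it summarizes the constructed sample message.
    paths = sys.argv[1:]
    if not paths:
        print(summarize_eml(build_sample_eml()))
    for path in paths:
        with open(path, "rb") as fh:
            print(path, summarize_eml(fh.read()))
```

Run it over the five .eml files to rebuild the table for this section; a message with no attachment but a URL in the body is the link-based variant, and an attachment whose magic bytes are not OLE2 despite a .doc name is worth a second look.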

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

 

TRAFFIC FROM AN INFECTED WINDOWS HOST:

 

ADDITIONAL TRAFFIC FROM REVERSE.IT ANALYSIS OF THE WORD DOCUMENT:

 

FILE HASHES

DOWNLOADED WORD DOCUMENT:

TRICKBOT BINARY:

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 
