2018-06-12 - EMOTET MALSPAM AND INFECTION TRAFFIC

ASSOCIATED FILES:

• 2018-06-12-Emotet-malspam-10-email-examples.zip   69.7 kB (69,659 bytes)

• 2018-06-12-Emotet-malspam-1258-UTC.eml   (1,446 bytes)
• 2018-06-12-Emotet-malspam-1614-UTC.eml   (1,784 bytes)
• 2018-06-12-Emotet-malspam-1626-UTC.eml   (1,209 bytes)
• 2018-06-12-Emotet-malspam-1749-UTC.eml   (1,182 bytes)
• 2018-06-12-Emotet-malspam-1818-UTC.eml   (1,355 bytes)
• 2018-06-12-Emotet-malspam-1821-UTC.eml   (1,743 bytes)
• 2018-06-12-Emotet-malspam-1936-UTC.eml   (134,520 bytes)
• 2018-06-12-Emotet-malspam-1940-UTC.eml   (1,286 bytes)
• 2018-06-12-Emotet-malspam-2038-UTC.eml   (1,000 bytes)
• 2018-06-12-Emotet-malspam-2046-UTC.eml   (845 bytes)

• 2018-06-12-Emotet-malspam-infection-traffic-with-Zeus-Panda-Banker.pcap.zip   3.8 MB (3,838,852 bytes)

• 2018-06-12-Emotet-malspam-infection-traffic-with-Zeus-Panda-Banker.pcap   (4,823,683 bytes)/li>

• 2018-06-12-malware-from-Emotet-infection.zip   1.2 MB (1137619 bytes)

• 2018-06-12-Emotet-executable-1-of-5.exe   (274,432 bytes)
• 2018-06-12-Emotet-executable-2-of-5.exe   (143,360 bytes)
• 2018-06-12-Emotet-executable-3-of-5.exe   (143,360 bytes)
• 2018-06-12-Emotet-executable-4-of-5.exe   (143,360 bytes)
• 2018-06-12-Emotet-executable-5-of-5.exe   (287,744 bytes)
• 2018-06-12-Word-document-with-macro-for-emotet-1-of-12.doc   (104,448 bytes)
• 2018-06-12-Word-document-with-macro-for-emotet-10-of-12.doc   (123,648 bytes)
• 2018-06-12-Word-document-with-macro-for-emotet-11-of-12.doc   (96,000 bytes)
• 2018-06-12-Word-document-with-macro-for-emotet-12-of-12.doc   (99,840 bytes)
• 2018-06-12-Word-document-with-macro-for-emotet-2-of-12.doc   (92,416 bytes)
• 2018-06-12-Word-document-with-macro-for-emotet-3-of-12.doc   (119,296 bytes)
• 2018-06-12-Word-document-with-macro-for-emotet-4-of-12.doc   (110,336 bytes)
• 2018-06-12-Word-document-with-macro-for-emotet-5-of-12.doc   (98,048 bytes)
• 2018-06-12-Word-document-with-macro-for-emotet-6-of-12.doc   (104,192 bytes)
• 2018-06-12-Word-document-with-macro-for-emotet-7-of-12.doc   (94,976 bytes)
• 2018-06-12-Word-document-with-macro-for-emotet-8-of-12.doc   (123,392 bytes)
• 2018-06-12-Word-document-with-macro-for-emotet-9-of-12.doc   (91,136 bytes)
• 2018-06-12-Zeus-Panda-Banker-caused-by-Emotet-infection.exe   (275,456 bytes)

 

Shown above:  Sometimes there's also a PDF document when we see an attached Word document.  In this case, the PDF document was harmless.
It merely had text stating "Payroll reports are attached to this e-mail."

 

WEB TRAFFIC BLOCK LIST

URLS FROM THE MALSPAM TO RETRIEVE THE WORD DOCS:

• hxxp://aussiescanners.com/IRS-Tax-Transcipts-June-2018-1745/
• hxxp://dapinha.com.br/IRS-Tax-Transcipts-041L/82/
• hxxp://dekarlos.com/IRS-Tax-Transcipts-048B/96/
• hxxp://ekolab.by/Client/Invoice-70872717-Invoice-date-061218-Order-no-5545897287/
• hxxp://frayd.com/IRS-Transcripts-068/1/
• hxxp://josephdutton.com/Client/Emailing-H667564FV-45577/
• hxxp://parisel.pl/ACCOUNT/Past-Due-invoice/
• hxxp://planitsolutions.co.nz/IRS-Tax-Transcipts-062018-004S/13/
• hxxp://reidsprite.com/UPS-US-INV-00F/7/
• hxxp://the-grizz.com/gallery/g2data/IRS-Tax-Transcipts-062018-01/8/
• hxxp://vodaless.net/IRS-Letters-06G/90/
• hxxp://wevik.hu/IRS-Accounts-Transcipts-062018-0991/
• hxxp://www.1-stomatolog.ru/FILE/Invoice-18520036589-06-12-2018/
• hxxp://www.1.adborod.z8.ru/IRS-Letters-062018-002/54/
• hxxp://www.2.u0135364.z8.ru/ACCOUNT/Customer-Invoice-SB-36047325/
• hxxp://www.180daystohappy.com/IRS-Letters-074X/1/
• hxxp://www.acbor.org/IRS-Letters-050/5/
• hxxp://www.accuratedna.net/IRS-Transcripts-017P/48/
• hxxp://www.actionpackedcomics.ca/IRS-Tax-Transcipts-715/
• hxxp://www.actvideo.fr/IRS-TRANSCRIPTS-646/
• hxxp://www.adcanudosnh.com.br/IRS-Accounts-Transcipts-430/
• hxxp://www.adebeo.co.in/IRS-Accounts-Transcipts-3429/
• hxxp://www.airseaexpressshipping.com/STATUS/Invoices/
• hxxp://www.alanyaetkinegitim.com/UPS-Invoices-06122018-049/5/
• hxxp://www.almokhtarco.com/IRS-Tax-Transcipts-June-2018-09/9/
• hxxp://www.andreykalmykov.com/IRS-Transcripts-062018-028/79/
• hxxp://www.aninaslodge.com/ACCOUNT/Account-03721/
• hxxp://www.arj.zov-duha.ru/IRS-TRANSCRIPTS-085/67/
• hxxp://www.askalmostanything.com/STATUS/Invoices/
• hxxp://www.ateliestudia.ru/IRS-Accounts-Transcipts-957/
• hxxp://www.autokosmetykicartec.pl/IRS-Transcripts-013/2/
• hxxp://www.bathoff.ru/STATUS/Account-99386/
• hxxp://www.bergzitat.de/IRS-Tax-Transcipts-June-2018-040/15/
• hxxp://www.beta.salon.mn/Client/Invoice-981475/
• hxxp://www.beyhannakliyat.com/FILE/invoice/
• hxxp://www.bilberrymarketing.ca/IRS-Accounts-Transcipts-June-2018-02O/6/
• hxxp://www.blci.info/INV/
• hxxp://www.boxbomba.nichost.ru/IRS-Letters-04E/0/
• hxxp://www.campusbowling.com.tr/Invoice-Corrections-12/June/2018/
• hxxp://www.caritaszambia.org/ACCOUNT/Services-06-12-18-New-Customer-DC/
• hxxp://www.carpexhaliyikama.net/IRS-Letters-062018-2806/
• hxxp://www.catering.quoteprovider.com/IRS-Tax-Transcipts-04/32/
• hxxp://www.cecconi.com.br/DOC/Invoice-602577/
• hxxp://www.ciptasemula.com/ACCOUNT/Invoice-528134/
• hxxp://www.con-sentidos.com/IRS-Transcripts-June-2018-577/
• hxxp://www.corpus-delicti.com/Client/Emailing-B28901NZ-20555/
• hxxp://www.correo.kable.cl/STATUS/Invoice-860186/
• hxxp://www.crm.pandoravietnam.com/IRS-TRANSCRIPTS-02/8/
• hxxp://www.cuaabshanquoc.vn/ACCOUNT/Invoice-422182162-Invoice-date-061218-Order-no-97935570232/
• hxxp://www.demo2.arkan.ru/IRS-Tax-Transcipts-062018-030/6/
• hxxp://www.dev.klastcarpet.com/IRS-TRANSCRIPTS-June-2018-088/8/
• hxxp://www.dulichmyviet.com.vn/STATUS/New-Invoice-LR52783-FP-52816/
• hxxp://www.ealammadarisna.com/IRS-Tax-Transcipts-04T/48/
• hxxp://www.efs-euro-finanz-service.de/IRS-Letters-3869/
• hxxp://www.elearn.efesmoldova.md/IRS-Tax-Transcipts-June-2018-04Y/3/
• hxxp://www.en.chubakhangal.mn/FILE/Invoice-082673/
• hxxp://www.euro-finanz-service-ag.de/IRS-Accounts-Transcipts-June-2018-04/48/
• hxxp://www.followmetalk.com/Open-invoices/
• hxxp://www.followmetalkbeta.okoyemedia.com/DOC/invoice/
• hxxp://www.ingles.natal.br/FILE/New-Invoice-ZW5031-ST-0547/
• hxxp://www.invoice.mobileaps.in/IRS-Letters-091Y/0/
• hxxp://www.itswitch.nl/FILE/Auditor-of-State-Notification-of-EFT-Deposit/
• hxxp://www.mbsou37.ru/FILE/ACCOUNT468852/
• hxxp://www.precisionpaintingandrepairsinc.com/IRS-Accounts-Transcipts-062018-021U/4/
• hxxp://www.redridgeumc.org/DOC/Services-06-13-18-New-Customer-OC/
• hxxp://www.triboteen.com.br/IRS-Tax-Transcipts-June-2018-8815/
• hxxp://www.vacationhotels.xyz/IRS-Accounts-Transcipts-070A/43/
• hxxp://www.yeditepeofset.com/Past-Due-Invoices/

 

URLS GENERATED BY THE WORD MACROS TO RETRIEVE EMOTET:

• hxxp://airmaxx.rs/wIdY/
• hxxp://alpinewebgroup.com/A1gkl/
• hxxp://djivi.nl/iZoD/
• hxxp://eclatpro.com/tleyLN/
• hxxp://matthewbarley.com/o8LZnI/
• hxxp://nepapiano.com/VBrs/
• hxxp://rosehill.hu/ooOCqD/
• hxxp://scd.com.gt/J7cczqWI5n/
• hxxp://simp-consulting.pl/biuro/1GGaf/
• hxxp://soo.sg/dbs/media/sJUjDl/
• hxxp://spearllc.com/_dsn/h54alb/
• hxxp://teplokratiya.ru/giG1isC/
• hxxp://webuzmani.net/xNVuSEwKz3/
• hxxp://www.2015at-thru-hike.com/MvvjrZZ/
• hxxp://www.360detail.com/Rxx00P5AtM/
• hxxp://www.4outdoor.net/SnDJHLp/
• hxxp://www.adanawebseo.net/0ijCv/
• hxxp://www.avant-yug.ru/Av8E0EygP/
• hxxp://www.baskentfirinmakina.com/rQc2XGvbQ/
• hxxp://www.bostik.com.ro/6koI2ip/
• hxxp://www.depilation38.ru/DA4z/
• hxxp://www.englishcenter.ru/Ev5NVc/
• hxxp://www.erginmobilya.com/l9bBskaj5L/
• hxxp://www.etravel.su/x1LyKWdm/
• hxxp://www.fcpe81370.fr/FlpKcz/
• hxxp://www.india9am.com/wp-content/zPEGxIfwd/
• hxxp://www.planetariy.com/rlbOcvuh/
• hxxp://www.thecyberconxion.com/PUqUUe/
• hxxp://xn--k1acdflk8dk.xn--p1ai/DAA4WB/

 

DOMAIN FOR HTTPS/SSL/TLS TRAFFIC CAUSED BY ZEUS PANDA BANKER:

• adshiepkhach.top

 

EMAILS

Shown above:  Example of the IRS-themed Emotet malspam.

 

Shown above:  Example of Emotet malspam with an attached Word doc instead of a link.

 

DATA FROM 10 EMAIL EXAMPLES OF THE MALSPAM:

• Date/Time: Tuesday, 2018-06-12 12:58 UTC
• Received: from 10.0.0.61 ([103.55.184.7])
• From: IRS <Press@treasury.gov> <[removed]@[removed]>
• Subject:  IRS Record of Account Transcript from 06/12/2018
• Link for malware: hxxp://vodaless.net/IRS-Letters-06G/90/

• Date/Time: Tuesday, 2018-06-12 16:14 UTC
• Received: from 10.0.0.61 ([187.217.187.162])
• From: IRS Online <[removed]@[removed]>
• Subject:  IRS Record of Account Transcript from June 12, 2018
• Link for malware: hxxp://www.elearn.efesmoldova.md/IRS-Tax-Transcipts-June-2018-04Y/3/

• Date/Time: Tuesday, 2018-06-12 16:26 UTC
• Received: from ([189.134.228.12])
• From: IRS Online Center <[removed]@[removed]>
• Subject:  IRS Tax Account Transcript
• Link for malware: hxxp://www.bergzitat.de/IRS-Tax-Transcipts-June-2018-040/15/

• Date/Time: Tuesday, 2018-06-12 17:49 UTC
• Received: from 10.0.0.48 ([221.163.32.101])
• From: IRS <Press@treasury.gov> <[removed]@[removed]>
• Subject:  IRS Wage and Income Transcript from 06/12/2018
• Link for malware: hxxp://www.actionpackedcomics.ca/IRS-Tax-Transcipts-715/

• Date/Time: Tuesday, 2018-06-12 18:18 UTC
• Received: from 10.0.0.12 ([197.89.246.228])
• From: Internal Revenue Service Online <[removed]@[removed]>
• Subject:  IRS Tax Return Transcript from 06/12/2018
• Link for malware: hxxp://www.dev.klastcarpet.com/IRS-TRANSCRIPTS-June-2018-088/8/

• Date/Time: Tuesday, 2018-06-12 18:21 UTC
• Received: from 10.0.0.17 ([201.174.80.210])
• From: IRS <irsonline@treasury.gov> <[removed]@[removed]>
• Subject:  IRS Record of Account Transcript
• Link for malware: hxxp://wevik.hu/IRS-Accounts-Transcipts-062018-0991/

• Date/Time: Tuesday, 2018-06-12 19:36 UTC
• Received: from 10.0.0.33 ([221.163.32.101])
• From: Intuit Payroll Services <[removed]@[removed]>
• Subject: Daily Payroll for Jun 12 [mm45957]
• Attachment name: Daily Payroll for Jun 12 [mm45957].pdf
• Attachment name: Daily Payroll for Jun 12 [mm45957].doc

• Date/Time: Tuesday, 2018-06-12 19:40 UTC
• Received: from 10.0.0.57 ([221.163.32.101])
• From: IRS.gov <[removed]@[removed]>
• Subject:  IRS Tax Account Transcript
• Link for malware: hxxp://the-grizz.com/gallery/g2data/IRS-Tax-Transcipts-062018-01/8/

• Date/Time: Tuesday, 2018-06-12 20:38 UTC
• Received: from ([170.238.239.38])
• From: Casee Snook <[removed]@[removed]>
• Subject: Auditor of State - Notification of EFT Deposit
• Link for malware: hxxp://www.2.u0135364.z8.ru/ACCOUNT/Customer-Invoice-SB-36047325/

• Date/Time: Tuesday, 2018-06-12 20:46 UTC
• Received: from ([221.163.32.101])
• From: Tom  Burt <[removed]@[removed]>
• Subject: Payment
• Link for malware: hxxp://www.redridgeumc.org/DOC/Services-06-13-18-New-Customer-OC/

 

Shown above:  One of the downloaded (or attached) Word docs.

 

Shown above:  The attached PDF file from that one malspam message.

 

INFECTION TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

TRAFFIC FROM AN INFECTED WINDOWS HOST:

• 157.7.188.248 port 80 - vodaless.net - GET /IRS-Letters-06G/90/
• 50.63.90.1 port 80 - eclatpro.com - GET /tleyLN/
• 96.94.189.130 port 443 - 96.94.189.130:443 - POST /
• 24.101.223.95 port 443 - 24.101.223.95:443 - GET /whoami.php
• 24.101.223.95 port 443 - 24.101.223.95:443 - POST /
• 91.243.81.13 port 443 - adshiepkhach.top - HTTPS/SSL/TLS traffi caused by Zeus Panda Banker
• port 443 - www.google.com HTTP traffic, probable connectivity check by Zeus Panda Banker

 

SHA256 HASHES

DOWNLOADED WORD DOCUMENTS FROM LINKS IN THE MALSPAM:

• ebf030cd38a70fa41a826b7088087b52efdd4407c4be970dc45ab8faef76abfa - 104,448 bytes
• f7856f18306d10f6092e7d92b9356281924772e1172edf178629315dbb9301f8 - 92,416 bytes
• dbe16dee3023204ea81db1f4e08616a196768747ab83ab4d3a7aac3798299d72 - 119,296 bytes
• 8ec72da4cf9af5fbea85fdb17b2ccf8907f175708646515357408d81162b47b6 - 110,336 bytes
• b7f938aa350836740c0e76952d93cee15abfe803c9bf907664778019c37552e2 - 98,048 bytes
• c59c3380e301afe2d89848495d4f6172c9c4676757cb90bec5c85884b5a48d15 - 104,192 bytes
• 076b70645074ab55b7c0bcd8402b735b2326e37e21b089e2f1f453bddd43cbc9 - 94,976 bytes
• f2e119823ecb7aa1bfc1286c5115061268c68c7e00a1ae824af2f0fa3afe7b4e - 123,392 bytes
• 425e9188fd47060854e19992b264523cd19015da0970d3ae813750d7ab25187b - 91,136 bytes
• 829c31836b32433ad3879ec43f24c3f947496fba59d0f2dcaa7bf43478d6b927 - 123,648 bytes
• 85295d10ca74ba0b7074c5d50f114f3fa0f719a78a464be55474d52832bb04d8 - 96,000 bytes
• 3e0ee7c4e6bf9b8f14a5448b1d2156a8a489ae80b0b9bb6c205b79b2bc93a2e0 - 99,840 bytes

 

EMOTET EXECUTABLE FILES RETRIEVED BY THE WORD MARCOS:

• 42ea2e697bca96965ee39dd666229438fa433e97451f4c9cd5b6a6fdf105bcf3 - 274,432 bytes
• 8e6abdbee16746ed9871ae0a6717d207d1554b4ff9f86e5e53131438670fa702 - 143,360 bytes
• 91d0f65b0e9f62ccb7817030967cde51c8f4806a8acec6deabec39c7d8adb416 - 143,360 bytes
• ebe4ed8c191c7c09e706d9409b49f559fb8ab85ecf4966963c7f1a434e54e99d - 143,360 bytes
• ece2a89aa4bdb318370bc75458d7d790791d7b46287888d40b555e3b7726b228 - 287,744 bytes

 

ZEUS PANDA BANKER SEEN DURING EMOTET INFECTION:

• 333aff311b07c5cbedfb618ff902b0dd663c0ba50b2dc8a2a590e9409cb9bc3c - 275,456 bytes

 

FINAL NOTES

Once again, here are the associated files:

• 2018-06-12-Emotet-malspam-10-email-examples.zip   69.7 kB (69,659 bytes)
• 2018-06-12-Emotet-malspam-infection-traffic-with-Zeus-Panda-Banker.pcap.zip   3.8 MB (3,838,852 bytes)
• 2018-06-12-malware-from-Emotet-infection.zip   1.2 MB (1137619 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.