2018-06-15 - QUICK POST: EMOTET MALSPAM INFECTION WITH TRICKBOT (GTAG: DEL9) AND DC INFECTION

ASSOCIATED FILES:

  • 2018-06-15-Emotet-malspam-1318-UTC.eml   (1,712 bytes)
  • 2018-06-15-Emotet-malspam-1411-UTC.eml   (1,822 bytes)
  • 2018-06-15-Emotet-malspam-1412-UTC.eml   (166,645 bytes)
  • 2018-06-15-Emotet-malspam-1428-UTC.eml   (152,346 bytes)
  • 2018-06-15-Emotet-malspam-1433-UTC.eml   (1,201 bytes)
  • 2018-06-15-Emotet-malspam-1533-UTC.eml   (158,179 bytes)
  • 2018-06-15-Emotet-malspam-1616-UTC.eml   (1,269 bytes)
  • 2018-06-15-Emotet-malspam-1729-UTC.eml   (170,411 bytes)
  • 2018-06-15-Emotet-malspam-1744-UTC.eml   (178,836 bytes)
  • 2018-06-15-Emotet-malspam-1803-UTC.eml   (160,940 bytes)
  • 2018-06-15-Emotet-malspam-1908-UTC.eml   (1,601 bytes)
  • 2018-06-15-Emotet-malspam-infection-traffic-with-Trickbot-and-DC-infection.pcap   (41,218,290 bytes)
  • 2018-06-15-Emotet-malware-binary-1-of-2.exe   (126,976 bytes)
  • 2018-06-15-Emotet-malware-binary-2-of-2.exe   (330,752 bytes)
  • 2018-06-15-Trickbot-gtag-del9.exe   (495,671 bytes)
  • 2018-06-15-Trickbot-gtag-lib247.exe   (495,671 bytes)
  • 2018-06-15-additional-Trickbot-binary-found-in-SMB-traffic.exe   (115,712 bytes)
  • 2018-06-15-downloaded-Word-doc-with-macro-for-Emotet.doc   (117,760 bytes)


NOTES:

  • Network segment:  192.168.200.0/24 (192.168.200.0 through .255)
  • Segment gateway:  192.168.200.1
  • Segment broadcast address:  192.168.200.255
  • Segment DHCP server:  192.168.200.254
  • Domain Controller:  192.168.200.4 - Oyster-DC
  • Domain:  Oystertainment.com
  • Windows client:  192.168.200.95 - Linwood-Win-PC
  • User account:  beverly.linwood



Shown above:  Infection traffic from the pcap filtered in Wireshark.
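The notes above list the segment's infrastructure addresses (gateway, broadcast, DHCP) and the two hosts that matter, the client and the DC, and the capture was filtered in Wireshark to bring out the infection traffic. As an added example that is not part of the original post, the script below does the same first-pass triage offline with the Python standard library: it parses a libpcap file, keeps only host-to-host frames where both addresses sit inside 192.168.200.0/24, drops anything to or from the infrastructure addresses, and flags client-to-DC flows on TCP/445 as the SMB sessions to carve for the transferred binary. The embedded capture is constructed for the demo and is not the pcap listed above; the assumption that the DC infection rode over SMB is taken from the "additional Trickbot binary found in SMB traffic" file name and is not something the post states outright.

```python
"""Triage a libpcap capture for host-to-host traffic inside the lab segment.

Standard-library only: pcap record headers and Ethernet/IPv4 headers are
parsed with struct, so this runs offline. SAMPLE_PCAP is constructed inline
for the demo and is not the capture listed under ASSOCIATED FILES.
"""
import ipaddress
import struct
from collections import Counter

SEGMENT = ipaddress.ip_network("192.168.200.0/24")
# Infrastructure addresses from the NOTES (gateway, broadcast, DHCP server);
# traffic to or from them is not host-to-host and is dropped from the triage.
INFRA = {"192.168.200.1", "192.168.200.255", "192.168.200.254"}
DC = "192.168.200.4"        # Oyster-DC
CLIENT = "192.168.200.95"   # Linwood-Win-PC
TCP, UDP, SMB_PORT = 6, 17, 445


def parse_pcap(data):
    """Yield (src, dst, proto, sport, dport) for every IPv4 TCP/UDP frame."""
    magic, = struct.unpack_from("<I", data, 0)
    linktype, = struct.unpack_from("<I", data, 20)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("demo parser expects little-endian pcap with Ethernet frames")
    off = 24  # end of the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4, or truncated before the IP header ends
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = str(ipaddress.ip_address(frame[26:30]))
        dst = str(ipaddress.ip_address(frame[30:34]))
        l4 = 14 + ihl
        if proto not in (TCP, UDP) or len(frame) < l4 + 4:
            continue
        sport, dport = struct.unpack_from("!HH", frame, l4)
        yield src, dst, proto, sport, dport


def intra_segment_flows(data):
    """Count frames per (src, dst, proto, dport) between two real hosts in the segment."""
    counts = Counter()
    for src, dst, proto, _sport, dport in parse_pcap(data):
        in_segment = (ipaddress.ip_address(src) in SEGMENT
                      and ipaddress.ip_address(dst) in SEGMENT)
        if not in_segment or src in INFRA or dst in INFRA:
            continue
        counts[(src, dst, proto, dport)] += 1
    return counts


def lateral_movement_candidates(data):
    """Client-to-DC flows on TCP/445: the SMB sessions to carve for transferred files."""
    return [flow for flow in intra_segment_flows(data)
            if flow[:2] == (CLIENT, DC) and flow[2] == TCP and flow[3] == SMB_PORT]


# --- constructed sample capture (not the real pcap) --------------------------
def _frame(src, dst, proto, sport, dport, payload=b""):
    """Build one Ethernet/IPv4/{TCP,UDP} frame; checksums are left at zero."""
    if proto == TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + l4  # zeroed MACs, EtherType IPv4


def _pcap(frames, first_ts=1_529_068_680):  # 2018-06-15 13:18:00 UTC, constructed
    """Wrap frames in a libpcap file: magic 0xA1B2C3D4, version 2.4, linktype 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", first_ts + i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = _pcap([
    _frame(CLIENT, "192.168.200.254", UDP, 68, 67),        # DHCP: infrastructure, dropped
    _frame(CLIENT, "203.0.113.10", TCP, 49700, 443),       # egress: outside segment, dropped
    _frame(CLIENT, DC, TCP, 49701, SMB_PORT, b"\xfeSMB"),  # client -> DC, SMB2 session 1
    _frame(DC, CLIENT, TCP, SMB_PORT, 49701, b"\xfeSMB"),  # DC reply
    _frame(CLIENT, DC, TCP, 49702, SMB_PORT),              # client -> DC, SMB2 session 2
    _frame(CLIENT, DC, TCP, 49703, 135),                   # client -> DC, RPC endpoint mapper
])

if __name__ == "__main__":
    for flow, n in sorted(intra_segment_flows(SAMPLE_PCAP).items()):
        print(f"{flow[0]:>15} -> {flow[1]:<15} proto={flow[2]:<2} dport={flow[3]:<5} frames={n}")
    print("lateral movement candidates:", lateral_movement_candidates(SAMPLE_PCAP))
```

On the real capture, the flows this reports are the ones to open in Wireshark; the transferred binary itself is then recovered with File > Export Objects > SMB, or by following the TCP stream and carving the MZ header. Excluding the infrastructure addresses first matters because DHCP, ARP-adjacent and broadcast chatter from the whole segment otherwise buries the handful of client-to-DC sessions.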


FINAL NOTES

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
