2018-06-19 - MALSPAM PUSHES EMOTET AND EMOTET PUSHES ICEDID BANKING MALWARE
ASSOCIATED FILES:
- 2018-06-19-Emotet-malspam-36-examples.zip 472 kB (471,767 bytes)
- 2018-06-19-Emotet-infection-traffic-with-IcedID-banking-malware.pcap.zip 1.97 MB (1,965,627 bytes)
- 2018-06-19-Emotet-with-IcedID-malware-and-artifacts.zip 927 kB (927,474 bytes)
NOTES:
- Emotet is still loading IcedID banking malware, like we saw yesterday.
EMAILS
DATE/TIME:
- Tuesday, 2018-06-19 as early as 10:58 through at least 22:10 UTC
DATA FROM 36 EMAIL EXAMPLES:
- Received: from 10.0.0.3 ([81.110.229.147])
- Received: from 10.0.0.5 ([197.188.221.68])
- Received: from 10.0.0.6 ([114.79.134.51])
- Received: from 10.0.0.6 ([221.163.32.101])
- Received: from 10.0.0.8 ([89.207.118.10])
- Received: from 10.0.0.9 ([190.164.138.172])
- Received: from 10.0.0.11 ([190.56.75.114])
- Received: from 10.0.0.12 ([190.85.64.22])
- Received: from 10.0.0.17 ([89.145.208.77])
- Received: from 10.0.0.17 ([221.163.32.101])
- Received: from 10.0.0.18 ([84.96.103.131])
- Received: from 10.0.0.18 ([111.119.192.38])
- Received: from 10.0.0.19 ([221.163.32.101])
- Received: from 10.0.0.21 ([89.24.242.103])
- Received: from 10.0.0.24 ([183.82.115.48])
- Received: from 10.0.0.24 ([189.165.179.105])
- Received: from 10.0.0.27 ([14.51.231.1])
- Received: from 10.0.0.28 ([37.47.12.205])
- Received: from 10.0.0.28 ([201.195.122.95])
- Received: from 10.0.0.30 ([213.196.137.6])
- Received: from 10.0.0.31 ([85.114.204.220])
- Received: from 10.0.0.36 ([212.156.91.142])
- Received: from 10.0.0.36 ([221.163.32.101])
- Received: from 10.0.0.37 ([194.168.211.218])
- Received: from 10.0.0.41 ([170.80.16.51])
- Received: from 10.0.0.42 ([176.22.253.218])
- Received: from 10.0.0.42 ([186.177.75.205])
- Received: from 10.0.0.45 ([36.34.121.154])
- Received: from 10.0.0.48 ([51.52.82.24])
- Received: from 10.0.0.49 ([14.51.231.1])
- Received: from 10.0.0.52 ([196.41.199.186])
- Received: from 10.0.0.54 ([14.51.231.1])
- Received: from 10.0.0.59 ([80.93.47.83])
- Received: from 10.0.0.59 ([101.99.59.114])
- Received: from 10.0.0.60 ([41.13.88.44])
- Received: from 10.0.0.60 ([119.153.172.143])
SPOOFED SENDING ADDRESSES:
- From: Amy Brink <[removed]@[removed]>
- From: Baljinder Singh <[removed]@[removed]>
- From: Bill Vanderford <[removed]@[removed]>
- From: Brad Smale <[removed]@[removed]>
- From: Brouillard, Jon <[removed]@[removed]>
- From: Cecilia Solomon <[removed]@[removed]>
- From: Dianna York <[removed]@[removed]>
- From: Eddie Carter <[removed]@[removed]>
- From: Full Name <[removed]@[removed]>
- From: Graham Young <[removed]@[removed]>
- From: InCorp (Compliance) <[removed]@[removed]>
- From: Intervia Transportes <[removed]@[removed]>
- From: Intuit <[removed]@[removed]>
- From: Intuit <[removed]@[removed]>
- From: Intuit Online Payroll Support Team <[removed]@[removed]>
- From: Intuit Online Payroll Support Team <[removed]@[removed]>
- From: Intuit Payroll <[removed]@[removed]>
- From: Intuit Payroll Services <[removed]@[removed]>
- From: IRS <Transcript@treasury.gov> <[removed]@[removed]>
- From: IRS Online <[removed]@[removed]>
- From: IRS.gov <[removed]@[removed]>
- From: Jeff McGuire <[removed]@[removed]>
- From: Joanna Muniz <[removed]@[removed]>
- From: Joe Duplan <[removed]@[removed]>
- From: Jordan Leichty <[removed]@[removed]>
- From: Joseph Zita <[removed]@[removed]>
- From: Laura McCraven <[removed]@[removed]>
- From: Lesa Pujol <[removed]@[removed]>
- From: Letty Turner <[removed]@[removed]>
- From: Luis Zapata <[removed]@[removed]>
- From: Micheal Martin <[removed]@[removed]>
- From: Minuteman Press Bohemia <[removed]@[removed]>
- From: Nick Bozzacco <[removed]@[removed]>
- From: Owens, Ashley <[removed]@[removed]>
- From: Robert James <[removed]@[removed]>
- From: Valentin Lucero <[removed]@[removed]>
SUBJECT LINES:
- Subject: 52100758447015
- Subject: ACCOUNT#61631831-Intervia Transportes
- Subject: ACCOUNT#949501-Nick Bozzacco
- Subject: ACCOUNT#9739040-Owens, Ashley
- Subject: Auditor of State - Notification of EFT Deposit
- Subject: B4 2018 Payroll
- Subject: Bill Vanderford: 07708
- Subject: Direct Deposit Notice
- Subject: Eddie Carter Past Due invoice
- Subject: eftps payroll 751309
- Subject: HRI Monthly Invoice
- Subject: Invoice 06.19.18
- Subject: Invoice 2301321
- Subject: Invoice 577360 from Dianna York
- Subject: Invoice 9333482
- Subject: Invoice from Cecilia Solomon
- Subject: Invoices
- Subject: IRS Record of Account Transcript from June 20, 2018
- Subject: IRS Tax Account Transcript
- Subject: IRS Verification of Non-filing Letter
- Subject: J8 2018 Payroll
- Subject: Lesa Pujol Invoice # 34301969526 06/19/2018
- Subject: Luis Zapata Invoice # 0571582518 06/20/2018
- Subject: New Invoice / KZ47787 / OP# 64519
- Subject: New Invoice / SS10118 / ZM# 14318
- Subject: New Payroll Co.
- Subject: Payroll Tax Payment
- Subject: Please pull invoice 07961
- Subject: Please pull invoice 94405
- Subject: Services / 06.19.18 / New Customer / KU
- Subject: Services / 06.19.18 / New Customer / YD
- Subject: tracking number and invoice of your order
- Subject: Valentin Lucero invoice
ATTACHMENT NAMES FROM EMAILS WITHOUT LINKS:
- Attachment name: 52100758447015.doc
- Attachment name: 52100758447015.pdf
- Attachment name: B4 2018 Payroll.doc
- Attachment name: B4 2018 Payroll.pdf
- Attachment name: eftps payroll 751309.doc
- Attachment name: eftps payroll 751309.pdf
- Attachment name: IRS_2815754_06202018.doc
- Attachment name: Tax Account Transcript.pdf
- Attachment name: J8 2018 Payroll.doc
- Attachment name: J8 2018 Payroll.pdf
- Attachment name: New Payroll Co..doc
- Attachment name: New Payroll Co..pdf
- Attachment name: Payroll Tax Payment.doc
- Attachment name: Payroll Tax Payment.pdf
TRAFFIC
Shown above: Traffic from an Emotet infection filtered in Wireshark also shows IcedID traffic.
LINKS FROM EMAILS WITHOUT ATTACHMENTS FOR THE INITIAL WORD DOCUMENT:
- hxxp://frcs.com.br/New-Order-Upcoming/HRI-Monthly-Invoice/
- hxxp://www.740745.ru/DOC/Pay-Invoice/
- hxxp://www.agencjainternauta.pl/Client/Invoice-7464068889-06-19-2018/
- hxxp://www.akademiawandy.pl/ACCOUNT/Invoice-007258077-061918/
- hxxp://www.alexdejesus.us/Statement/Invoice/
- hxxp://www.alkdev.thechronostime.com/Client/Past-Due-invoice/
- hxxp://www.armanitour.com/Client/84677/
- hxxp://www.arthysexpress.com.br/ACCOUNT/Invoice-06739/
- hxxp://www.bynoet.com/Client/Direct-Deposit-Notice/
- hxxp://www.colinhardy.com/multimedia/Statement/Invoice-174348/
- hxxp://www.conscious-investor.com/multimedia/Statement/Invoice/
- hxxp://www.da-pietro.com/ACCOUNT/Payment/
- hxxp://www.dajabon24horas.com/IRS-Transcripts-046/3/
- hxxp://www.danzaclassicamilano.com/Payment-and-address/HRI-Monthly-Invoice/
- hxxp://www.digitalsewapoint.com/Jun2018/Pay-Invoice/
- hxxp://www.dradarlinydiaz.com/OVERDUE-ACCOUNT/Services-06-19-18-New-Customer-ST/
- hxxp://www.drive.lemeunier.fr/Client/Invoice-3986739/
- hxxp://www.e-market.com.ua/IRS-TRANSCRIPTS-07M/65/
- hxxp://www.exploretour.in/FILE/Auditor-of-State-Notification-of-EFT-Deposit/
- hxxp://www.ezfastcashpersonalloans.com/OVERDUE-ACCOUNT/New-Invoice-OI5452-BG-6486/
- hxxp://www.gcardriving.com/New-Order-Upcoming/New-Invoice-IS34079-DO-04649/
- hxxp://www.gojukai.co/INVOICE-STATUS/HRI-Monthly-Invoice/
- hxxp://www.grampotchayatportal.club/Jun2018/Invoice-6750042/
- hxxp://www.gregsmoneyreview.com/Payment-and-address/Please-pull-invoice-21639/
- hxxp://www.hjocreations.com/ACCOUNT/tracking-number-and-invoice-of-your-order/
- hxxp://www.homeandtell.com/OVERDUE-ACCOUNT/Invoice-00663986061-06-19-2018/
- hxxp://www.khaolakstationtour.com/DOC/Invoice-343147/
- hxxp://www.krasr.skrollx.com.np/Purchase/Invoice-7247579851-06-19-2018/
- hxxp://www.papabubbleksa.com/Client/Pay-Invoice/
URLS GENERATED BY WORD MACROS FOR EMOTET MALWARE BINARY:
- hxxp://denaros.pl/Data/ZA4l/
- hxxp://ontracksolutions.com/767Egih/
- hxxp://www.2ip.ru.net/Rf53U/
- hxxp://www.alifhost.com/6Msp/
- hxxp://www.bandicapital.com/c8CouZB/
- hxxp://www.chamberstimber.com/zXtCc/
- hxxp://www.corapersianas.com/h3ZJ/
- hxxp://www.dekhoresellers.tk/PZlh/
- hxxp://www.disrepairclaims.com/haLhb0U/
- hxxp://www.donloadlagu.co/EcR7wcI/
- hxxp://www.duanbatdongsanvincity.com/xwe85du/
- hxxp://www.geo-sign.com/cvXDJ/
- hxxp://www.gorkemgursoy.com/atElK90/
- hxxp://www.ismetotokaporta.com/wROkQ/
- hxxp://www.kirpich-servis16.ru/dz5QD/
EMOTET INFECTION TRAFFIC FROM MY INFECTED LAB HOST:
- 111.118.212.86 port 80 - www.grampotchayatportal.club - GET /Jun2018/Invoice-6750042/
- 108.167.184.253 port 80 - www.chamberstimber.com - GET /zXtCc/
- 128.100.126.113 port 80 - 128.100.126.113 - POST /
- 173.70.47.89 port 443 - 173.70.47.89:443 - GET /whoami.php
- 173.70.47.89 port 443 - 173.70.47.89:443 - POST /
- 47.188.131.94 port 443 - 47.188.131.94:443 - POST /
- 76.72.225.30 port 465 - 76.72.225.30:465 - POST /
- 164.160.161.118 port 8080 - 164.160.161.118:8080 - POST /
- 46.4.100.178 port 8080 - 46.4.100.178:8080 - POST /
- 23.239.2.11 port 8080 - 23.239.2.11:8080 - POST /
- 66.76.26.33 port 8080 - 66.76.26.33:8080 - POST /
- 24.217.117.217 port 80 - 24.217.117.217 - POST /
- 75.152.52.109 port 8080 - 75.152.52.109:8080 - POST /
- 217.91.43.150 port 7080 - 217.91.43.150:7080 - POST /
- 189.236.94.20 port 995 - 189.236.94.20:995 - POST /
- 24.119.116.230 port 990 - 24.119.116.230:990 - POST /
- 96.94.189.130 port 443 - 96.94.189.130:443 - POST /
- 72.45.212.62 port 8080 - 72.45.212.62:8080 - POST /
- 70.184.125.132 port 8080 - 70.184.125.132:8080 - POST /
- 206.255.140.203 port 80 - 206.255.140.203 - POST /
- 121.50.43.110 port 8080 - TCP SYN packets, but no response from the server
- 216.105.170.139 port 4143 - TCP SYN packets, but no response from the server
- 46.38.238.8 port 8080 - TCP SYN packets, but no response from the server
- 178.62.103.94 port 8080 - TCP SYN packets, but no response from the server
- 78.47.182.42 port 8080 - TCP SYN packets, but no response from the server
- 184.186.78.177 port 80 - TCP SYN packets, but no response from the server
- 209.64.82.90 port 465 - TCP SYN packets, but no response from the server
- 194.88.246.242 port 443 - TCP SYN packets, but no response from the server
ICEDID TRAFFIC FROM MY INFECTED LAB HOST:
- 5.187.0.158 port 443 - urnachay.com - HTTPS/SSL/TLS traffic
- 5.187.0.158 port 443 - percalabia.com - HTTPS/SSL/TLS traffic
- 5.187.0.158 port 443 - localhost - HTTPS/SSL/TLS traffic
MALWARE
MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:
- SHA256 hash: f315565e9c9b5b80b563a607e590043cc635b06cc0fbffc790bbd8d5d196445f
File size: 110,080 bytes
File name: BVS-INV-9563373426884.doc (random file name)
File description: downloaded Word doc with macro for Emotet
- SHA256 hash: f6593f554c18488432c63b6a75f94cce4716b108bc98a6a5ed8e5f4d3d7cfc09
File size: 126,976 bytes
File location: C:\Users\[username]\AppData\Local\Microsoft\Windows\[random characters].exe
File description: Emotet malware binary
- SHA256 hash: 3a39f8e54b67df24588649974e5535f1f061facfc46a85cc374004277ada1bce
File size: 618,496 bytes
File location: C:\Users\[username]\AppData\Local\Microsoft\[random characters].exe
File description: IcedID banking malware downloaded by Emotet
SHA256 HASHES FOR ATTACHED WORD DOCS WITH MACROS FOR EMOTET:
- fb54ddaebb4f790021fda660e02d49c66cab5a46a017b502b271901363e9996d - 52100758447015.doc
- 1cf030bcdb50f7b4922a46ffc6ce21c7c2df04abfef9efd3c2472cbaffc522c3 - B4 2018 Payroll.doc
- 7b696aac4ddf28871435c9266fd58b1c46a9f8ae4ee9355409523d8a66e1aaf7 - IRS_2815754_06202018.doc
- 91c7ceb775de65af8655cfcfe14b3c4a2d1467c85b7d2d359801cc0d82af2604 - J8 2018 Payroll.doc
- d0613e9f2d8b5fce56e12790cf3c85df58275983ca8a9cf0805c938e981927cb - New Payroll Co..doc
- 024fa6958f0c60ce90ec87c349c3a010e4301927c66333c2fc167c165dcb5142 - Payroll Tax Payment.doc
- 024fa6958f0c60ce90ec87c349c3a010e4301927c66333c2fc167c165dcb5142 - eftps payroll 751309.doc
SHA256 HASHES FOR ATTACHED PDF FILES (NOT MALICIOUS):
- 6f943dba193993272bd74b98daf3897e99452b97008e66d9e25819edb8893418 - 52100758447015.pdf
- 3f5df1d296ec9820bda8f0ce78e6e215dee85b86f5b73c0ceff828dca68795a6 - B4 2018 Payroll.pdf
- e9e083859e99cf25df4af24a9e68afc241b9437ee644e8c06954858ea1ba6923 - J8 2018 Payroll.pdf
- be5378b850ae2353b7b8f92e9f487de94a580ebe89823923ebfe61b1aa42cfa5 - New Payroll Co..pdf
- dbe5b8483034772fd9a55492f498bbcf5bb9bba0fcd785df771371bae8b580db - Payroll Tax Payment.pdf
- 90444004309e799c55abdcb76e62747182972ec701d5acaae507411911877679 - eftps payroll 751309.pdf
- 2fcaae6cac9508c7b0c2180fcb6054aaefe37aa3cdc03a592fde1ef35298efc6 - Tax Account Transcript.pdf
Shown above: Malware from this infection persistent on the infected Windows host.
FINAL NOTES
Once again, here are the associated files:
- 2018-06-19-Emotet-malspam-36-examples.zip 472 kB (471,767 bytes)
- 2018-06-19-Emotet-infection-traffic-with-IcedID-banking-malware.pcap.zip 1.97 MB (1,965,627 bytes)
- 2018-06-19-Emotet-with-IcedID-malware-and-artifacts.zip 927 kB (927,474 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.