2018-07-31 - TWO EMOTET INFECTIONS: EMOTET + TRICKBOT AND EMOTET + ZEUS PANDA BANKER

ASSOCIATED FILES:

  • 2018-07-30-Emotet-malspam-0825-UTC.eml   (967 bytes)
  • 2018-07-30-Emotet-malspam-2031-UTC.eml   (7,116 bytes)
  • 2018-07-31-Emotet-malspam-0945-UTC.eml   (1,347 bytes)
  • 2018-07-31-Emotet-infection-with-Trickbot.pcap   (5,767,774 bytes)
  • 2018-07-31-Emotet-infection-with-Zeus-Panda-Banker.pcap   (2,336,550 bytes)
  • 2018-07-31-Emotet-malware-binary-1-of-3.exe   (131,584 bytes)
  • 2018-07-31-Emotet-malware-binary-2-of-3.exe   (131,584 bytes)
  • 2018-07-31-Emotet-malware-binary-3-of-3.exe   (133,120 bytes)
  • 2018-07-31-Trickbot-retrieved-suing-Emotet-infection.exe   (327,168 bytes)
  • 2018-07-31-Zeus-Panda-Banker-retrieved-suing-Emotet-infection.exe   (136,704 bytes)
  • 2018-07-31-downloaded-Word-doc-with-macro-for-Emotet-1-of-4.doc   (101,248 bytes)
  • 2018-07-31-downloaded-Word-doc-with-macro-for-Emotet-2-of-4.doc   (93,440 bytes)
  • 2018-07-31-downloaded-Word-doc-with-macro-for-Emotet-3-of-4.doc   (100,224 bytes)
  • 2018-07-31-downloaded-Word-doc-with-macro-for-Emotet-4-of-4.doc   (88,576 bytes)

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domain and URLs:

 

EMAILS


Shown above:  Example of the malspam (1 of 3).

 


Shown above:  Example of the malspam (2 of 3).

 


Shown above:  Example of the malspam (3 of 3).

 

INFECTION TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark (Emotet + Trickbot).

 


Shown above:  Traffic from an infection filtered in Wireshark (Emotet + Zeus Panda Banker).

 

LINKS IN THE EMAILS TO DOWNLOAD THE MALICIOUS WORD DOCUMENT:
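The download links in this section are what an analyst pulls out of the three .eml files listed above. The script below is an added example for this page, not tooling from malware-traffic-analysis.net: it parses an .eml with the Python standard library, collects every http(s) URL from the text parts, and defangs them (hxxp, [.]) so the indicators can be pasted into a report without being clickable. The message embedded in the block is constructed for the demo; its sender, recipient and URL are placeholders, not indicators from this infection.

```python
"""Extract and defang download links from malspam .eml files.

Added example for this page (not the site's own code). Standard library only.
SAMPLE_EML below is a constructed message; the real links live in the .eml
files in the archive listed at the top of the page.
"""
import email
import re
import sys
from email import policy

# Matches a URL up to whitespace or HTML/quote delimiters.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(raw_eml: bytes) -> list[str]:
    """Return unique URLs, in order of first appearance, from every text/* part."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    found: list[str] = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()          # decoded str for text/plain and text/html
        for url in URL_RE.findall(body):
            url = url.rstrip(".,;)")       # drop punctuation glued onto the link in prose
            if url not in found:
                found.append(url)
    return found


def defang(url: str) -> str:
    """Rewrite http(s) to hxxp(s) and dot the host with [.] so it cannot be clicked."""
    scheme, rest = url.split("://", 1)
    scheme = scheme.lower().replace("http", "hxxp")
    host, sep, path = rest.partition("/")
    return f"{scheme}://{host.replace('.', '[.]')}{sep}{path}"


# Constructed sample (placeholder addresses and link, not from this infection).
SAMPLE_EML = b"""\
From: "Accounts" <invoice@example.com>
To: victim@example.org
Subject: Invoice 2018-07-31
Date: Tue, 31 Jul 2018 09:45:00 +0000
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please review the attached invoice:
http://example.com/docs/Invoice-2018-07-31.doc
Thank you.

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Please review the attached invoice:<br>
<a href="http://example.com/docs/Invoice-2018-07-31.doc">Invoice</a></p></body></html>

--b1--
"""


if __name__ == "__main__":
    # Usage: python extract_links.py file1.eml file2.eml ...  (no args: run on the sample)
    paths = sys.argv[1:]
    inputs = [(p, open(p, "rb").read()) for p in paths] or [("SAMPLE_EML", SAMPLE_EML)]
    for name, raw in inputs:
        print(name)
        for url in extract_urls(raw):
            print("  ", defang(url))
```

The same link usually appears twice in these messages (plain text and HTML alternative), so the function deduplicates while preserving order; the HTML part is scanned as raw markup, which is enough here because the regex stops at the closing quote of an href.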

 

URLS FOR THE FOLLOW-UP EMOTET MALWARE:

 

TRAFFIC FROM AN INFECTED WINDOWS HOST (EMOTET + TRICKBOT):

 

TRAFFIC FROM AN INFECTED WINDOWS HOST (EMOTET + ZEUS PANDA BANKER):

 

MALWARE

SHA256 HASHES FOR THE INITIAL WORD DOCUMENTS:

SHA256 HASHES FOR THE FOLLOW-UP EMOTET MALWARE:

SHA256 HASH FOR TRICKBOT CAUSED BY EMOTET INFECTION (GTAG: MON1):

SHA256 HASH FOR ZEUS PANDA BANKER CAUSED BY EMOTET INFECTION:
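Before detonating anything from the archive it is worth confirming that each extracted file matches the list at the top of the page and the hashes in this section. The script below is an added example, not the site's own tooling: it carries the published file sizes as a manifest, computes SHA256 for each file, and flags size or hash mismatches. The SHA256 values are not filled in here (copy them from this section into EXPECTED_SHA256), and the demo bytes in the block are constructed, not real sample content. Note that the first two Emotet binaries have identical sizes (131,584 bytes) but are separate samples, so size alone never identifies a file; only the digest does.

```python
"""Check extracted samples against the file list and SHA256 hashes on this page.

Added example (not from malware-traffic-analysis.net). Sizes come from the
ASSOCIATED FILES list above; EXPECTED_SHA256 is left empty on purpose and is
meant to be filled from the MALWARE section. Demo input is constructed.
"""
import hashlib
import os
import sys

# Published sizes in bytes; filenames exactly as they appear in the archive.
EXPECTED_SIZES = {
    "2018-07-31-Emotet-malware-binary-1-of-3.exe": 131584,
    "2018-07-31-Emotet-malware-binary-2-of-3.exe": 131584,
    "2018-07-31-Emotet-malware-binary-3-of-3.exe": 133120,
    "2018-07-31-Trickbot-retrieved-suing-Emotet-infection.exe": 327168,
    "2018-07-31-Zeus-Panda-Banker-retrieved-suing-Emotet-infection.exe": 136704,
    "2018-07-31-downloaded-Word-doc-with-macro-for-Emotet-1-of-4.doc": 101248,
    "2018-07-31-downloaded-Word-doc-with-macro-for-Emotet-2-of-4.doc": 93440,
    "2018-07-31-downloaded-Word-doc-with-macro-for-Emotet-3-of-4.doc": 100224,
    "2018-07-31-downloaded-Word-doc-with-macro-for-Emotet-4-of-4.doc": 88576,
}
# filename -> lowercase hex SHA256; fill in from the MALWARE section of the page.
EXPECTED_SHA256: dict[str, str] = {}


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of a byte string (the same digest the page lists per file)."""
    return hashlib.sha256(data).hexdigest()


def check_sample(name: str, data: bytes,
                 expected_sizes=EXPECTED_SIZES,
                 expected_hashes=EXPECTED_SHA256) -> tuple[bool, str, str]:
    """Return (ok, message, sha256) for one file's contents."""
    digest = sha256_hex(data)
    problems = []
    if name not in expected_sizes:
        problems.append("not in manifest")
    elif len(data) != expected_sizes[name]:
        problems.append(f"size {len(data)} != expected {expected_sizes[name]}")
    if name in expected_hashes and expected_hashes[name].lower() != digest:
        problems.append("sha256 mismatch")
    return (not problems, "; ".join(problems) or "ok", digest)


def check_directory(path: str) -> dict[str, tuple[bool, str, str]]:
    """Run check_sample over every regular file in an extracted archive directory."""
    results = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                results[name] = check_sample(name, fh.read())
    return results


if __name__ == "__main__":
    # Usage: python check_samples.py <extracted-dir>   (no args: constructed demo)
    if sys.argv[1:]:
        results = check_directory(sys.argv[1])
    else:
        # Constructed demo bytes: right size for one file, wrong size for another.
        results = {
            "2018-07-31-Emotet-malware-binary-1-of-3.exe":
                check_sample("2018-07-31-Emotet-malware-binary-1-of-3.exe", b"\x00" * 131584),
            "2018-07-31-Emotet-malware-binary-3-of-3.exe":
                check_sample("2018-07-31-Emotet-malware-binary-3-of-3.exe", b"MZ"),
        }
    for name, (ok, msg, digest) in results.items():
        print(f"{'OK ' if ok else 'BAD'} {digest}  {name}  ({msg})")
```

A file that passes the size check but is missing from EXPECTED_SHA256 is reported as ok with its digest printed, so the digest can be compared by eye against this section; once the hashes are pasted in, a mismatch is reported even when the size is right.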

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
