2018-09-04 - EMOTET INFECTION WITH ICEDID BANKING TROJAN

ASSOCIATED FILES:

BONUS PCAPS:

NOTES:

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

 

EMAILS


Shown above:  Screenshot from a malspam example on Monday 2018-09-03.

 


Shown above:  Screenshot from a malspam example on Tuesday 2018-09-04.

 

5 EXAMPLES OF EMOTET MALSPAM WITH PDF ATTACHMENTS:

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 

INITIAL INFECTION TRAFFIC (EMOTET WORD DOC AND EXECUTABLE):

EMOTET POST-INFECTION TRAFFIC:

ICEDID BANKING TROJAN POST-INFECTION TRAFFIC:

 

FILE HASHES

PDF ATTACHMENTS FROM THOSE 5 EXAMPLES:

 

MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:

 

MORE IMAGES


Shown above:  Websocket traffic caused by IcedID on the infected Windows host.

 


Shown above:  SSL/TLS certificate data consistent with previous samples of IcedID banking Trojan (1 of 2).

 


Shown above:  SSL/TLS certificate data consistent with previous samples of IcedID banking Trojan (2 of 2).

 


Shown above:  Scheduled task to keep IcedID persistent on the infected Windows host.

 


Shown above:  Locations of IcedID malware and artifacts on the infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.