2018-03-26 - EMOTET INFECTION

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive of the spreadsheet tracker:  2018-03-26-Emotet-malspam-tracker-20-examples.csv.zip   1.4 kB (1,418 bytes)

• 2018-03-26-Emotet-malspam-tracker-20-examples.csv   (2,626 bytes)

• Zip archive of 20 email examples:  2018-03-26-Emotet-malspam-20-examples.txt.zip   3.1 kB (3,072 bytes)

• 2018-03-26-Emotet-malspam-20-examples.txt   (22,114 bytes)

• Zip archive of the infection traffic:  2018-03-26-Emotet-infection-traffic.pcap.zip   442 kB (441,900 bytes)

• 2018-03-26-Emotet-infection-traffic.pcap   (608,865 bytes)

• Zip archive of the associated malware:  2018-03-26-malware-from-Emotet-infection.zip   285 kB (285,353 bytes)

• 2018-03-26-Word-doc-with-macro-for-Emotet.doc   (202,752 bytes)
• 2018-03-26-Emotet-binary-example-1-of-2.exe   (139,264 bytes)
• 2018-03-26-Emotet-binary-example-2-of-2.exe   (135,168 bytes)

 

NOTES:

• Thanks to @pollo290987 who tweeted some post-infection IP addresses and ports for one of today's Emotet, which I've included in this post (link to tweet).
• And, of course, thanks to everyone else who routinely tweets info about Emotet malspam.

Shown above:  Flow chart for an infection.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs:

• hxxp[:]//cateyestours[.]com/WIRE-FORM/BOW-12161796302339/
• hxxp[:]//demandgeneration[.]nl/WIRE-FORM/UV-368408997182101/
• hxxp[:]//dwikara[.]com/WIRE-FORM/FT-6545/
• hxxp[:]//ejohri[.]com/INV/XZ-5307350047/
• hxxp[:]//homesports[.]com[.]ar/wp-content/themes/the-league/INV/IW-3257762352784/
• hxxp[:]//jusa[.]com[.]mx/INV/AO-8988/
• hxxp[:]//lidogenrikhonelove[.]com/INVOICE/OV-8592859516/
• hxxp[:]//mantraproperties[.]in/INVOICE/HD-4993303773/
• hxxp[:]//mediatore-commerciale.iltuomediatore[.]it/WIRE-FORM/RZ-428245/
• hxxp[:]//observatics.edu[.]co/ACH-FORM/GOK-3188481/
• hxxp[:]//scrapcarsforcash[.]com[.]au/WIRE-FORM/FY-01386/
• hxxp[:]//torontobitman[.]com/INV/RP-03411563656235/
• hxxp[:]//www.astrojyoti[.]com/ACH-FORM/LTW-5333560209/
• hxxp[:]//www.doxa[.]ca/WIRE-FORM/QQZ-65491/
• hxxp[:]//www.jennysjerkchicken[.]co[.]uk/ACH-FORM/BW-8244577/
• hxxp[:]//www.liangli5[.]com/ACH-FORM/RN-4243117/
• hxxp[:]//www.lighthousevisuals[.]com[.]my/INV/DC-1185234/
• hxxp[:]//www.pergaminobasquet[.]com[.]ar/WIRE-FORM/SF-298515/
• hxxp[:]//www.turismo.ufma[.]br/wp-content/WIRE-FORM/YMD-7994330817/
• hxxp[:]//www.vitteo[.]com[.]ar/ACH-FORM/ATY-8701970/
• hxxp[:]//spkpr[.]ru/3Sxf7/
• hxxp[:]//ciarafever[.]com/qbof8b/
• hxxp[:]//lastres[.]com[.]br/ZerW/
• hxxp[:]//vektrans[.]ru/LELRq/
• hxxp[:]//18.194.253[.]41/wp-content/JTtaex/

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

20 EMAIL SAMPLES:

• Date/Time: Monday 2018-03-26 as early as 11:28 through at least 18:35 UTC

• Received: from ([41.180.1[.]198])
• Received: from ([41.213.135[.]19])
• Received: from ([45.70.56[.]12])
• Received: from ([62.65.156[.]26])
• Received: from ([62.194.188[.]41])
• Received: from ([80.28.131[.]22])
• Received: from ([110.227.199[.]89])
• Received: from ([121.177.111[.]2])
• Received: from ([165.225.68[.]66])
• Received: from ([178.189.3[.]180])
• Received: from ([185.96.72[.]10])
• Received: from ([200.52.193[.]94])
• Received: from ([202.91.23[.]11])
• Received: from ([217.99.155[.]10])
• Received: from 10.0.0[.]6 ([203.170.77[.]187])
• Received: from 10.0.0[.]7 ([88.245.99[.]241])
• Received: from 10.0.0[.]26 ([109.190.38[.]23])
• Received: from 10.0.0[.]36 ([112.220.55[.]67])
• Received: from 10.0.0[.]48 ([59.102.104[.]174])
• Received: from 10.0.0[.]53 ([37.210.73[.]22])

• Subject: 364812 - [removed]
• Subject: 803626 - [removed]
• Subject: ACH Payment Advice
• Subject: ACH Payment info
• Subject: COMET SIGNS PAYMENT NOTIFICATION 03.26.2018
• Subject: INV # UKE-21244692
• Subject: Invoice #79587653 from [removed]
• Subject: INVOICE 39552 / OVERPAYMENT
• Subject: INVOICE 89811 / OVERPAYMENT
• Subject: Invoice Code Changes
• Subject: invoices 9024 & 8256
• Subject: Payment status
• Subject: Ref# 4105852690 from [removed]
• Subject: Ref# 8217971951 from [removed]
• Subject: WIRE FORM # OY-35055004

 

URLS FROM THE EMAILS TO DOWNLOAD THE INITIAL WORD DOCUMENT:

• 66.96.147[.]106 port 80 - cateyestours[.]com - GET /WIRE-FORM/BOW-12161796302339/
• 149.210.209[.]87 port 80 - demandgeneration[.]nl - GET /WIRE-FORM/UV-368408997182101/
• 101.50.1[.]12 port 80 - dwikara[.]com - GET /WIRE-FORM/FT-6545/
• 104.28.6[.]102 port 80 - ejohri[.]com - GET /INV/XZ-5307350047/
• 190.7.61[.]227 port 80 - homesports[.]com[.]ar - GET /wp-content/themes/the-league/INV/IW-3257762352784/
• 52.165.128[.]249 port 80 - jusa[.]com[.]mx - GET /INV/AO-8988/
• 31.31.196[.]218 port 80 - lidogenrikhonelove[.]com - GET/INVOICE/OV-8592859516/
• 103.205.140[.]20 port 80 - mantraproperties[.]in - GET /INVOICE/HD-4993303773/
• 188.165.241[.]65 port 80 - mediatore-commerciale.iltuomediatore[.]it - GET /WIRE-FORM/RZ-428245/
• 50.62.135[.]242 port 80 - observatics.edu[.]co - GET/ACH-FORM/GOK-3188481/
• 221.121.152[.]105 port 80 - scrapcarsforcash[.]com[.]au - GET /WIRE-FORM/FY-01386/
• 199.250.192[.]221 port 80 - torontobitman[.]com - GET /INV/RP-03411563656235/
• 202.143.96[.]63 port 80 - www.astrojyoti[.]com - GET/ACH-FORM/LTW-5333560209/
• 70.38.11[.]117 port 80 - www.doxa[.]ca - GET /WIRE-FORM/QQZ-65491/
• 46.30.215[.]117 port 80 - www.jennysjerkchicken[.]co[.]uk - GET /ACH-FORM/BW-8244577/
• 198.105.244[.]228 port 80 - www.liangli5[.]com - GET /ACH-FORM/RN-4243117/
• 65.254.248[.]151 port 80 - www.lighthousevisuals[.]com[.]my - GET/INV/DC-1185234/
• 173.249.159[.]88 port 80 - www.pergaminobasquet[.]com[.]ar - GET/WIRE-FORM/SF-298515/
• 200.137.132[.]36 port 80 - www.turismo.ufma[.]br - GET/wp-content/WIRE-FORM/YMD-7994330817/
• 159.203.35[.]237 port 80 - www.vitteo[.]com[.]ar - GET/ACH-FORM/ATY-8701970/

 

Shown above:  Word document downloaded from one of the email links.

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

URLS FROM WORD DOCUMENT MACRO TO DOWNLOAD EMOTET BINARY (THANKS TO ANY.RUN FAKENET ANALYSIS)::

• 5.101.152[.]77 port 80 - spkpr[.]ru - GET /3Sxf7/
• 185.38.249[.]146 port 80 - ciarafever[.]com - GET /qbof8b/
• 186.202.150[.]213 port 80 - lastres[.]com[.]br - GET /ZerW/
• 87.236.19[.]203 port 80 - vektrans[.]ru - GET /LELRq/
• 18.194.253[.]41 port 80 - 18.194.253[.]41 - GET /wp-content/JTtaex/

 

EMOTET POST-INFECION TRAFFIC (THANKS TO @pollo290987)::

• 37.187.4[.]178 port 443 - 37.187.4[.]178:443 - POST /
• 45.55.201[.]174 port 443 - 45.55.201[.]174:443 - POST /
• 46.4.251[.]184 port 8080 - 46.4.251[.]184:8080 - POST /
• 61.19.254[.]63 port 443 - 61.19.254[.]63:443 - POST /
• 89.186.26[.]179 port 4143 - 89.186.26[.]179:4143 - POST /
• 149.62.173[.]247 port 4143 - 149.62.173[.]247:4143 - POST /
• 149.202.153[.]252 port 4143 - 149.202.153[.]252:4143 - POST /
• 158.58.170[.]24 port 4143 - 158.58.170[.]24:4143 - POST /
• 158.69.249[.]236 port 4143 - 158.69.249[.]236:4143 - POST /
• 177.154.48[.]66 port 443 - 177.154.48[.]66:443 - POST /
• 178.254.24[.]98 port 8080 - 178.254.24[.]98:8080 - POST /
• 198.12.152[.]123 port 4143 - 198.12.152[.]123:4143 - POST /   **
• 200.146.250[.]0 port 4143 - 200.146.250[.]0:4143 - POST /
• 203.198.129[.]4 port 4143 - 203.198.129[.]4:4143 - POST /
• 220.227.247[.]35 port 4143 - 220.227.247[.]35:4143 - POST /

NOTE: ** notes the post-infection traffic I saw on my infected lab host.

 

FILE HASHES

DOWNLOADED WORD DOCUMENT:

• SHA256 hash:  9c657da632b79f66ee4d6a491597c858f510a41adc2bea2ea407b18a1060a209
  File size:  202,752 bytes
  File name:  [random file name].doc
  File description:  Word document with malicious macro to download/install Emotet

EMOTET BINARY EXAMPLE 1 OF 2:

• SHA256 hash:  be89a6bcabf71d59abfde701331238c3be2c4ce394e103359462d1a80f72e9f8
  File size:  139,264 bytes
  File location:  C:\Users\[username]\AppData\Local\Microsoft\Windows\[random file name].exe
  File description:  Emotet malware binary

EMOTET BINARY EXAMPLE 2 OF 2:

• SHA256 hash:  ab195dde06240ca9794b9877d7170d4a1db5543a20368ce25a0bebbadc64abeb
  File size:  135,168 bytes
  File location:  C:\Users\[username]\AppData\Local\Microsoft\Windows\[random file name].exe
  File description:  Emotet malware binary

 

IMAGES

Shown above:  Emotet binary persistent on an infected Windows host in my lab.

 

Click here to return to the main page.