2018-06-11 - EMOTET DATA DUMP

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2018-06-11-Emotet-malspam.zip   127.2 kB (127,261 bytes)

• 2018-06-05-Emotet-malspam-8-examples.txt   (9,218 bytes)
• 2018-06-06-Emotet-malspam-5-examples.txt   (7,484 bytes)
• 2018-06-08-Emotet-malspam-8-examples.txt   (318,242 bytes)

• 2018-06-11-pcaps-from-Emotet-infections.zip   45.8 MB (45,816,079 bytes)

• 2018-06-05-Emotet-infection-traffic.pcap   (58,247,565 bytes)
• 2018-06-06-Emotet-infection-traffic.pcap   (430,506 bytes)
• 2018-06-08-Emotet-infection-traffic.pcap   (5,959,347 bytes)
• 2018-06-11-Emotet-infection-traffic.pcap   (1,872,220 bytes)

• 2018-06-11-malware-from-Emotet-infections.zip   860.4 kB (860,424 bytes)

• 2018-06-05-downloaded-Word-doc-with-macro-for-Emotet.doc   (104,448 bytes)
• 2018-06-05-Emotet-malware-binary.exe   (180,224 bytes)
• 2018-06-05-Zeus-Panda-Banker-caused-by-Emotet-infection.exe   (304,640 bytes)
• 2018-06-06-downloaded-Word-doc-with-macro-for-Emotet.doc   (109,056 bytes)
• 2018-06-06-Emotet-malware-binary.exe   (254,976 bytes)
• 2018-06-06-Zeus-Panda-Banker-caused-by-Emotet-infection.exe   (266,240 bytes)
• 2018-06-08-downloaded-Word-doc-with-macro-for-Emotet.doc   (109,056 bytes)
• 2018-06-08-Emotet-malware-binary.exe   (254,976 bytes)
• 2018-06-11-downloaded-Word-doc-with-macro-for-Emotet.doc   (106,240 bytes)
• 2018-06-11-Emotet-malware-binary.exe   (331,776 bytes)

 

NOTES:

• I collected some Emotet malspam examples, infection traffic, and malware samples while I was in Japan last week.
• Didn't have time to post anything until today.
• I also generated some Emotet traffic today, but I didn't find any emails from today's wave of malspam.
• Traffic from 2018-06-05 and 2018-06-08 contains spambot traffic from my infected lab host sending out more Emotet malspam.
• Included below is a list of 54 URLs I found today (2018-06-11) to download an Emotet Word document.  These presumably came from Emotet malspam.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs:

• hxxp[:]//aspaud[.]com/IRS-Accounts-Transcipts-473/
• hxxp[:]//bechner[.]com/IRS-Transcripts-June-2018-039T/8/
• hxxp[:]//bestwigs[.]eu/IRS-Accounts-Transcipts-09Q/5/
• hxxp[:]//carricusa[.]com/ssfm/ups.com/WebTracking/YUI-32489460846/
• hxxp[:]//cninin[.]com/IRS-Accounts-Transcipts-062018-1266/
• hxxp[:]//decorazon[.]com[.]br/IRS-Letters-591/
• hxxp[:]//detss[.]com/IRS-Accounts-Transcipts-463/
• hxxp[:]//doc-japan[.]com/cms/IRS-Transcripts-065/4/
• hxxp[:]//feelgud8[.]com/IRS-Letters-730/
• hxxp[:]//flewer[.]pl/unicode_maps/IRS-Tax-Transcipts-4842/
• hxxp[:]//fourshells[.]com/FILE/Invoice-518087/
• hxxp[:]//generalgauffin[.]se/IRS-Tax-Transcipts-049M/99/
• hxxp[:]//hansetravel[.]de/IRS-Transcripts-062018-0101/
• hxxp[:]//healthyrevelations[.]com/IRS-Transcripts-June-2018-038K/5/
• hxxp[:]//hygienic[.]co[.]th/components/com_photo/IRS-Tax-Transcipts-062018-06X/5/
• hxxp[:]//innerlinkdesign[.]com/IRS-Letters-099/87/
• hxxp[:]//invizza[.]com/IRS-Transcripts-05/93/
• hxxp[:]//japanism[.]org/senkyo/lib/PEAR/Mail/FILE/Invoice-2688878/
• hxxp[:]//live-etutor[.]com/IRS-Transcripts-062018-3588/
• hxxp[:]//llupa[.]com/IRS-Transcripts-01D/79/
• hxxp[:]//montecarloclub[.]com/IRS-Accounts-Transcipts-361/
• hxxp[:]//nustyle[.]de/IRS-Tax-Transcipts-June-2018-014F/54/
• hxxp[:]//pentox[.]hu/IRS-Letters-062018-09/04/
• hxxp[:]//planitsolutions[.]co[.]nz/IRS-Tax-Transcipts-062018-004S/13/
• hxxp[:]//r-klecker[.]de/IRS-Accounts-Transcipts-062018-05B/8/
• hxxp[:]//s-kotobuki[.]co[.]jp/IRS-TRANSCRIPTS-062018-047L/4/
• hxxp[:]//satutitik[.]com/sms/manager/generated/IRS-Letters-062018-642/
• hxxp[:]//sia-gmbh[.]de/ups[.]com/WebTracking/RA-901282484434720/
• hxxp[:]//signsdesigns[.]com[.]au/IRS-Tax-Transcipts-062018-1197/
• hxxp[:]//speedscenewiring[.]com/IRS-TRANSCRIPTS-8894/
• hxxp[:]//spoonfedgroup[.]com/IRS-Transcripts-09N/98/
• hxxp[:]//stafffinancial[.]com/For-Check/
• hxxp[:]//stevebrown[.]nl/IRS-TRANSCRIPTS-08W/5/
• hxxp[:]//synchronus[.]de/IRS-Transcripts-June-2018-5347/
• hxxp[:]//tagtea[.]com/Fakturierung/IRS-Letters-June-2018-022/44/
• hxxp[:]//tenislam[.]com/IRS-Letters-June-2018-04E/5/
• hxxp[:]//trevorchristensen[.]com/ACCOUNT/ACCOUNT19213228/
• hxxp[:]//turski[.]eu/IRS-Letters-03/3/
• hxxp[:]//tutorial9[.]net/IRS-Transcripts-07/4/
• hxxp[:]//vermeer-oomens[.]nl/IRS-Accounts-Transcipts-June-2018-344/
• hxxp[:]//viciousenterprises[.]com/IRS-Transcripts-04W/6/
• hxxp[:]//visuelle-sprache[.]de/GAS/IRS-Accounts-Transcipts-062018-013G/3/
• hxxp[:]//waisir[.]com/IRS-Accounts-Transcipts-062018-00/2/
• hxxp[:]//webimr[.]com/IRS-TRANSCRIPTS-241/
• hxxp[:]//wernerkirchner[.]de/IRS-TRANSCRIPTS-062018-00/8/
• hxxp[:]//www.fluorescent[.]cc/IRS-Accounts-Transcipts-June-2018-433/
• hxxp[:]//www.izmir-teknik-kombi[.]com/IRS-Transcripts-June-2018-09/18/
• hxxp[:]//www.neodream-design[.]com/IRS-Accounts-Transcipts-062018-09/1/
• hxxp[:]//www.nobleartproject[.]pl/IRS-Transcripts-062018-300/
• hxxp[:]//www.palavrasaovento[.]com[.]br/IRS-Accounts-Transcipts-June-2018-7673/
• hxxp[:]//www.prkanchang[.]com/IRS-Tax-Transcipts-062018-010/5/
• hxxp[:]//www.scorpioncontrollers[.]com/IRS-Accounts-Transcipts-118/
• hxxp[:]//www.signal49.dev.dusit.ac[.]th/IRS-Tax-Transcipts-897/
• hxxp[:]//www.tangentsolutions[.]co[.]in/IRS-Letters-062018-04U/73/

 

Click here to return to the main page.