Malware-Traffic-Analysis.net - 2018-06-15 - Quick post: Emotet infection with Trickbot (gtag: del9) and DC infection

2018-06-15 - QUICK POST: EMOTET INFECTION WITH TRICKBOT (GTAG: DEL9) AND DC INFECTION

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2018-06-15-Emotet-malspam-11-examples.zip 416 kB (415,835 bytes)

2018-06-15-Emotet-malspam-1318-UTC.eml (1,712 bytes)

2018-06-15-Emotet-malspam-1411-UTC.eml (1,822 bytes)

2018-06-15-Emotet-malspam-1412-UTC.eml (166,645 bytes)

2018-06-15-Emotet-malspam-1428-UTC.eml (152,346 bytes)

2018-06-15-Emotet-malspam-1433-UTC.eml (1,201 bytes)

2018-06-15-Emotet-malspam-1533-UTC.eml (158,179 bytes)

2018-06-15-Emotet-malspam-1616-UTC.eml (1,269 bytes)

2018-06-15-Emotet-malspam-1729-UTC.eml (170,411 bytes)

2018-06-15-Emotet-malspam-1744-UTC.eml (178,836 bytes)

2018-06-15-Emotet-malspam-1803-UTC.eml (160,940 bytes)

2018-06-15-Emotet-malspam-1908-UTC.eml (1,601 bytes)

2018-06-15-Emotet-infection-with-Trickbot-and-DC-infection.pcap.zip 36.2 MB (36,242,431 bytes)

2018-06-15-Emotet-infection-with-Trickbot-and-DC-infection.pcap (41,218,290 bytes)

2018-06-15-Emotet-and-Trickbot-malware.zip 864 kB (864,266 bytes)

2018-06-15-Emotet-malware-binary-1-of-2.exe (126,976 bytes)

2018-06-15-Emotet-malware-binary-2-of-2.exe (330,752 bytes)

2018-06-15-Trickbot-gtag-del9.exe (495,671 bytes)

2018-06-15-Trickbot-gtag-lib247.exe (495,671 bytes)

2018-06-15-additional-Trickbot-binary-found-in-SMB-traffic.exe (115,712 bytes)

2018-06-15-downloaded-Word-doc-with-macro-for-Emotet.doc (117,760 bytes)

NOTES:

More Emotet malspam where the infection traffic contains Tickbot, like yesterday.
I did today's infection in an Active Directory (AD) environment where Trickbot spread to the domain controller (DC) through SMB.
This time I found Trickbot gtag del9 on the Windows client and Trickbot gtag lib247 on the infected DC.

The following info applies to the pcap:

Network segment: 192.168.200[.]0/24 (192.168.200[.]0 through .255)

Segment gateway: 192.168.200[.]1

Segment broadcast address: 192.168.200[.]255

Segment DHCP server: 192.168.200[.]254

Domain Controller: 192.168.200[.]4 - Oyster-DC

Domain: Oystertainment[.]com

Windows client: 192.168.200[.]95 - Linwood-Win-PC

User account: beverly.linwood

Shown above: Infection traffic from the pcap filtered in Wireshark.

Click here to return to the main page.