2018-06-22 - QUICK POST: EMOTET WITH TRICKBOT AND EMOTET WITH ZEUS PANDA BANKER

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive of the emails: 2018-06-22-Emotet-malspam-60-examples.txt.zip   666 kB (666,452 bytes)

• 2018-06-21-and-2018-06-22-Emotet-malspam-60-examples.txt   (1,423,542 bytes)

• Zip archive of the pcaps: 2018-06-22-Emotet-infection-traffic-both-pcaps.zip   8.6 MB (8,567,806 bytes)

• 2018-06-22-1st-run-Emotet-pushes-Trickbot.pcap   (8,592,843 bytes)
• 2018-06-22-2nd-run-Emotet-pushes-Zeus-Panda-Banker.pcap   (1,999,915 bytes)

• Zip archive of the malware: 2018-06-22-Emotet-malware-and-artifacts.zip   904 kB (904,362 bytes)

• 2018-06-22-1st-run-downloaded-Word-doc-with-macro-for-Emotet.doc   (219,904 bytes)
• 2018-06-22-1st-run-Emotet-malware-binary.exe   (193,536 bytes)
• 2018-06-22-1st-run-Trickbot-gtag-del14.exe   (417,792 bytes)
• 2018-06-22-2nd-run-downloaded-Word-doc-with-macro-for-Emotet.doc   (193,280 bytes)
• 2018-06-22-2nd-run-Emotet-malware-binary.exe   (193,024 bytes)
• 2018-06-22-2nd-run-Zeus-Panda-Banker.exe   (222,208 bytes)

 

NOTES:

• Two different follow-up malware items from Emotet malspam infections about an hour apart from each other.

• 1st run: malspam link --> Word doc --> macro --> Emotet --> Trickbot
• 2nd run: malspam link --> Word doc --> macro --> Emotet --> Zeus Panda Banker

 

Shown above:  Traffic from the 1st Emotet infection filtered in Wireshark.

 

Shown above:  Traffic from the 2nd Emotet infection filtered in Wireshark.

 

Click here to return to the main page.