2018-07-20 - EMOTET INFECTIONS WITH ZEUS PANDA BANKER OR TRICKBOT (GTAG: DEL34)

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive of 2 email examples:  2018-07-20-Emotet-malspam-2-examples.zip   122 kB (122,226 bytes)

• 2018-07-20-Emotet-malspam-0751-UTC.eml   (1,730 bytes)
• 2018-07-20-Emotet-malspam-1638-UTC.eml   (263,143 bytes)

• Zip archive of the infection traffic:  2018-07-20-Emotet-infection-traffic-2-examples.zip   15.1 MB (15,109,023 bytes)

• 2018-07-20-Emotet-infection-traffic-with-Trickbot.pcap   (14,601,676 bytes)
• 2018-07-20-Emotet-infection-traffic-with-Zeus-Panda-Banker.pcap   (1,586,907 bytes)

• Zip archive of the malware:  2018-07-20-malware-from-Emotet-infections.zip   1.4 MB (1,412,594 bytes)

• 2018-07-20-Emotet-binary-1-of-4.exe   (161,792 bytes)
• 2018-07-20-Emotet-binary-2-of-4.exe   (163,328 bytes)
• 2018-07-20-Emotet-binary-3-of-4.exe   (285,696 bytes)
• 2018-07-20-Emotet-binary-4-of-4.exe   (184,320 bytes)
• 2018-07-20-Trickbot-caused-by-Emotet-infection.exe   (439,296 bytes)
• 2018-07-20-Zeus-Panda-Banker-caused-by-Emotet-infection.exe   (276,992 bytes)
• 2018-07-20-downloaded-Word-doc-with-macro-for-Emotet-1-of-5.doc   (239,360 bytes)
• 2018-07-20-downloaded-Word-doc-with-macro-for-Emotet-2-of-5.doc   (170,112 bytes)
• 2018-07-20-downloaded-Word-doc-with-macro-for-Emotet-3-of-5.doc   (170,240 bytes)
• 2018-07-20-downloaded-Word-doc-with-macro-for-Emotet-4-of-5.doc   (177,024 bytes)
• 2018-07-20-downloaded-Word-doc-with-macro-for-Emotet-5-of-5.doc   (172,544 bytes)

 

NOTES:

• I recently did a blog for Palo Alto Networks titled Malware Team Up: Malspam Pushing Emotet + Trickbot.
• It focuses on Emotet with Trickbot, but today saw both Emotet with Trickbot and Emotet with Zeus Panda Banker.

 

Shown above:  Flowchart for recent Emotet infection traffic.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs:

• hxxp[:]//artechne[.]com[.]au/pdf/En/ACCOUNT/Invoice-07-19-18/
• hxxp[:]//fenja[.]com/logsite/files/En_us/STATUS/Direct-Deposit-Notice/
• hxxp[:]//mobilaok[.]ro/newsletter/US_us/STATUS/Services-07-20-18-New-Customer-UB/
• hxxp[:]//murrayspianotuning[.]com/Jul2018/US/Jul2018/Invoice-07-20-18/
• hxxp[:]//pavlovsk22.ru/files/En/Purchase/New-Invoice-IL22429-MK-49231/
• hxxp[:]//rbailoni[.]com[.]br/pdf/US_us/Statement/Invoice-07-20-18/
• hxxp[:]//saladesom[.]com[.]br/files/En/ACCOUNT/Order-7588626054/
• hxxp[:]//selekture[.]com/pdf/US_us/Statement/Please-pull-invoice-47846/
• hxxp[:]//sergioaraujo[.]com/pdf/En/INVOICE-STATUS/ACCOUNT3928319/
• hxxp[:]//slajd[.]eu/pdf/En/New-Order-Upcoming/021068/
• hxxp[:]//techsistsolution[.]com/files/EN_en/Client/Invoice-722487715-072018/
• hxxp[:]//timlinger[.]com/doc/US_us/STATUS/Services-07-20-18-New-Customer-NZ/
• hxxp[:]//www.gminalezajsk[.]pl/Jul2018/En_us/INVOICE-STATUS/Direct-Deposit-Notice/
• hxxp[:]//www.rapidopizza[.]cl/newsletter/US/FILE/Invoice-968031/
• hxxp[:]//crinet[.]com[.]br/Pw6
• hxxp[:]//ebadvocacia[.]com[.]br/IRSmO
• hxxp[:]//easternh[.]com[.]hk/logon/pPLrktpc
• hxxp[:]//ikuzim[.]com/logssite/Hhzm1
• hxxp[:]//kdrecord[.]com/SA0FH9a
• hxxp[:]//procoach[.]jp/newfolde_r/Q8G8Tdg
• hxxp[:]//regenerationcongo[.]com/imiK6
• hxxp[:]//sportpony[.]ch/R1c
• hxxp[:]//spprospekt[.]com[.]br/WCH
• hxxp[:]//suidi[.]com/IdWaI
• hxxp[:]//24.40.239[.]62/whoami.php

 

TRAFFIC

Shown above:  Traffic from my first infection filtered in Wireshark (Emotet + Zeus Panda Banker).

 

Shown above:  Traffic from a later infection filtered in Wireshark (Emotet + Trickbot).

 

URLS FROM MALSPAM FOR THE WORD DOCUMENTS:

• hxxp[:]//artechne[.]com[.]au/pdf/En/ACCOUNT/Invoice-07-19-18/
• hxxp[:]//fenja[.]com/logsite/files/En_us/STATUS/Direct-Deposit-Notice/
• hxxp[:]//mobilaok[.]ro/newsletter/US_us/STATUS/Services-07-20-18-New-Customer-UB/
• hxxp[:]//murrayspianotuning[.]com/Jul2018/US/Jul2018/Invoice-07-20-18/
• hxxp[:]//pavlovsk22.ru/files/En/Purchase/New-Invoice-IL22429-MK-49231/
• hxxp[:]//rbailoni[.]com[.]br/pdf/US_us/Statement/Invoice-07-20-18/
• hxxp[:]//saladesom[.]com[.]br/files/En/ACCOUNT/Order-7588626054/
• hxxp[:]//selekture[.]com/pdf/US_us/Statement/Please-pull-invoice-47846/
• hxxp[:]//sergioaraujo[.]com/pdf/En/INVOICE-STATUS/ACCOUNT3928319/
• hxxp[:]//slajd[.]eu/pdf/En/New-Order-Upcoming/021068/
• hxxp[:]//techsistsolution[.]com/files/EN_en/Client/Invoice-722487715-072018/
• hxxp[:]//timlinger[.]com/doc/US_us/STATUS/Services-07-20-18-New-Customer-NZ/
• hxxp[:]//www.gminalezajsk[.]pl/Jul2018/En_us/INVOICE-STATUS/Direct-Deposit-Notice/
• hxxp[:]//www.rapidopizza[.]cl/newsletter/US/FILE/Invoice-968031/

 

URLS GENERATED BY WORD MACROS TO RETRIEVE EMOTET BINARIES:

• hxxp[:]//crinet[.]com[.]br/Pw6
• hxxp[:]//ebadvocacia[.]com[.]br/IRSmO
• hxxp[:]//easternh[.]com[.]hk/logon/pPLrktpc
• hxxp[:]//ikuzim[.]com/logssite/Hhzm1
• hxxp[:]//kdrecord[.]com/SA0FH9a
• hxxp[:]//procoach[.]jp/newfolde_r/Q8G8Tdg
• hxxp[:]//regenerationcongo[.]com/imiK6
• hxxp[:]//sportpony[.]ch/R1c
• hxxp[:]//spprospekt[.]com[.]br/WCH
• hxxp[:]//suidi[.]com/IdWaI

 

TRAFFIC FROM AN INFECTED WINDOWS HOST (EMOTET + ZEUS PANDA BANKER):

• 63.249.102[.]6 port 80 - murrayspianotuning[.]com - GET /Jul2018/US/Jul2018/Invoice-07-20-18/
• 202.146.241[.]44 port 80 - kdrecord[.]com - GET /SA0FH9a
• 202.146.241[.]44 port 80 - kdrecord[.]com - GET /SA0FH9a/
• 129.89.95[.]110 port 80 - 129.89.95[.]110 - GET /
• 24.40.239[.]62 port 80 - 24.40.239[.]62 - GET /whoami.php
• 24.40.239[.]62 port 80 - 24.40.239[.]62 - POST /
• 97.89.253[.]146 port 80 - 97.89.253[.]146 - GET /
• 108.246.196[.]73 port 80 - attempted TCP connections, but no response from the server
• 129.89.95[.]199 port 80 - attempted TCP connections, but no response from the server
• DNS query for tailbackuisback[.]xyz - query response: No such name (caused by Zeus Panda Banker)

 

TRAFFIC FROM AN INFECTED WINDOWS HOST (EMOTET + TRICKBOT):

• 69.16.244[.]78 port 80 - www.rapidopizza[.]cl - GET /newsletter/US/FILE/Invoice-968031/
• 103.104.196[.]74 port 80 - suidi[.]com - GET /IdWaI
• 103.104.196[.]74 port 80 - suidi[.]com - GET /IdWaI/
• 129.89.95[.]110 port 80 - 129.89.95[.]110 - GET /
• 24.40.239[.]62 port 80 - 24.40.239[.]62 - GET /whoami.php
• 24.40.239[.]62 port 80 - 24.40.239[.]62 - POST /
• 129.89.95[.]199 port 80 - 129.89.95[.]199 - GET /
• 108.246.196[.]73 port 80 - attempted TCP connections, but no response from the server

• port 443 - ident[.]me - IP check by Trickbot-infected host
• 70.79.178[.]120 port 449 - SSL/TLS traffic caused by Trickbot
• 82.146.46[.]184 port 447 - SSL/TLS traffic caused by Trickbot
• 109.234.36[.]14 port 447 - SSL/TLS traffic caused by Trickbot
• 109.234.34[.]220 port 443 - SSL/TLS traffic caused by Trickbot
• 158.58.131[.]54 port 443 - SSL/TLS traffic caused by Trickbot
• 188.124.167[.]132 port 8082 - 188.124.167[.]132:8082 - POST /del34/[long string of characers] (caused by Trickbot)
• 31.29.62[.]112 port 443 - attempted TCP connections, but no response from the server (caused by Trickbot)
• 185.159.129[.]97 port 443 - attempted TCP connections, but no response from the server (caused by Trickbot)
• 185.174.172[.]236 port 443 - attempted TCP connections, but no response from the server (caused by Trickbot)

 

FILE HASHES

SHA256 HASHES FOR THE WORD DOCUMENTS:

• 01318725589e72c960c01ddb6f1647c226664be8f8daa1d396a02ad3ad78f44c - 239,360 bytes
• 67165d9b0b0017a2ce12791473747dfbd8c7c1d1c44b8433435aba27191c54ff - 170,112 bytes
• 7411a3de5ed22351f99283b783d220317c83f854e4053e7bdeff393042238186 - 170,240 bytes
• 81b20ec967d3d800c7ac296d0fade5d21fd832c4ad97191e4ebf179b7ccc938b - 177,024 bytes
• 8449b8b0faadcfab22485004ccc56e221ddf48083c8569741996115ef56452f2 - 172,544 bytes

 

SHA256 HASHES FOR THE FOLLOW-UP EMOTET BINARIES:

• 19b6ee41a73766d860b29839a02ceef59b292e99544183f5e9f73bf6c01ab22d - 161,792 bytes
• 460d96ddb9ee3d46a84600eca37923ae6d49ec1d817e7f49c18bd95fa9cdca57 - 163,328 bytes
• dd3b36acc1417bcf519244f7b9f39d78ef013989ee83c76ea74bdfc7b1a2a7de - 285,696 bytes
• e4e5d7fa81ec704c4faa98e8ff6410c1d8eb34daad638043f4a918b31544a170 - 184,320 bytes

 

SHA256 HASH FOR ZEUS PANDA BANKER:

• 57cfd2da86195b4d5636579aba6c61fa7fc9d0646ea6fe7cb4752ddbc789428a - 276,992 bytes

 

SHA256 HASH FOR TRICKBOT (GTAG: DEL34):

• c7a46a08aed438e3a1895140a3fd4de98c4fe6919e6a3ab353681a298d2acf5f - 439,296 bytes

 

Click here to return to the main page.