2018-11-06 - EMOTET INFECTION WITH TRICKBOT

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2018-11-06-Emotet-malspam-3-email-examples.zip   116 kB (116,259 bytes)

• 2018-11-06-Emotet-malspam-with-PDF-attachment.eml   (29,068 bytes)
• 2018-11-06-Emotet-malspam-with-Word-attachment-1-of-2.eml   (101,605 bytes)
• 2018-11-06-Emotet-malspam-with-Word-attachment-2-of-2.eml   (96,946 bytes)

• 2018-11-06-Emotet-infection-with-Trickbot.pcap.zip   7.4 MB (7,410,712 bytes)

• 2018-11-06-Emotet-infection-with-Trickbot.pcap   (7,919,501 bytes)

• 2018-11-06-Emotet-and-Trickbot-malware-and-artifacts.zip   716 kB (715,783 bytes)

• 2018-11-06-downloaded-Word-doc-with-macro-for-Emotet.doc   (78,592 bytes)
• 2018-11-06-Emotet-malware-binary.exe   (143,360 bytes)
• 2018-11-06-Trickbot-malware-binary-retrieved-by-Emotet-gtag-del90.exe   (393,728 bytes)
• 2018-11-06-radiance.png-from-192.227.186.151.exe   (331,776 bytes)

NOTES:

• Before this past Monday, the group behind sending Emotet malspam was quiet for about 4 weeks.
• Since this past Monday 2018-11-05, we've seen the normal amount of malspam pushing Emotet as before.
• My thanks to people like @BAXD00R, @executemalware, @JRoosen, @pancak3lullz, @ps66uk, @unixronin, @SeraphimDomain, and many others who tweet info about Emotet near-real-time.

 

Shown above:  Flow chart for recent Emotet malspam.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs and partial URL:

• hxxp[:]//1stniag[.]com/Download/EN_en/Invoice-Number-44664/
• hxxp[:]//209.97.182[.]51/EN_US/Details/2018-11/
• hxxp[:]//209.97.186[.]248/En_us/Payments/11_18/
• hxxp[:]//35.167.6[.]44/0455GPLCNXSV/PAY/Commercial/
• hxxp[:]//3kepito[.]hu/En_us/Details/11_18/
• hxxp[:]//777ton[.]ru/DOC/US_us/Scan/
• hxxp[:]//adsdeedee[.]com/1358285S/BIZ/Smallbusiness/
• hxxp[:]//aes[.]co[.]th/web/wp-content/upgrade/newsletter/US/Inv-867015-PO-5O966375/
• hxxp[:]//agrarszakkepzes[.]hu/5931ZTIGS/com/US/
• hxxp[:]//alliance-rnd[.]com/EN_US/Attachments/112018/
• hxxp[:]//altaredlife[.]com/logssite/INFO/US_us/Question/
• hxxp[:]//alumni[.]poltekba[.]ac[.]id/US/Transaction_details/2018-11/
• hxxp[:]//amnisopes[.]com/En_us/Information/112018/
• hxxp[:]//appafoodiz[.]com/En_us/Clients_transactions/2018-11/
• hxxp[:]//artzkaypharmacy[.]com[.]au/4690UVTTQOXO/SWIFT/Commercial/
• hxxp[:]//azatamartik[.]org/US/Information/2018-11/
• hxxp[:]//benchmarkiso[.]com/24IYXQCHNP/biz/US/
• hxxp[:]//bgtest[.]vedel-oesterby[.]dk/3810430RP/PAYROLL/Commercial/
• hxxp[:]//blacktiemining[.]com/0YVX/SWIFT/Commercial/
• hxxp[:]//clabels[.]pt/EN_US/Clients_information/2018-11/
• hxxp[:]//corporaciondelsur[.]com[.]pe/US/Transaction_details/2018-11/
• hxxp[:]//cressy27[.]com/En_us/Documents/2018-11/
• hxxp[:]//dev[.]kevinscott[.]com[.]au/85SRSH/PAY/Personal/
• hxxp[:]//dietmantra[.]org/En_us/Clients_information/11_18/
• hxxp[:]//digirising[.]com/En_us/Transactions-details/11_18/
• hxxp[:]//eventus[.]ie/359PQLQ/biz/Personal/
• hxxp[:]//fantastika[.]in[.]ua/3616974KVTNZUT/PAYMENT/Commercial/
• hxxp[:]//felipeuchoa[.]com[.]br/wp-content/uploads/DOC/US_us/Invoice-receipt/
• hxxp[:]//fert[.]es/EN_US/Clients_information/112018/
• hxxp[:]//fglab[.]com[.]br/LLC/En_us/New-order/
• hxxp[:]//fincabonanzaquindio[.]com/En_us/Transaction_details/11_18/
• hxxp[:]//forzashowband[.]com/EN_US/Clients/2018-11/
• hxxp[:]//graywhalefoundation[.]org/US/Transactions-details/112018/
• hxxp[:]//grille-tech[.]com/hj4M3FfcISLL6fdUo/BIZ/Privatkunden/
• hxxp[:]//hartmannbossen[.]dk/En_us/Attachments/11_18/
• hxxp[:]//hawaiikaigolf[.]com/US/Clients/112018/
• hxxp[:]//hsrventures[.]com/En_us/Clients_transactions/112018/
• hxxp[:]//ichangevn[.]org/EN_US/Transactions/112018/
• hxxp[:]//lemar[.]home[.]pl/manager/En_us/Transactions-details/112018/
• hxxp[:]//lmetallurg[.]ru/831063SSI/identity/Business/
• hxxp[:]//meleyrodri[.]com/xdYdvDnPM24m9e/de/IhreSparkasse/
• hxxp[:]//mohandes724[.]com/En_us/Details/2018-11/
• hxxp[:]//nga[.]no/91985U/biz/Personal/
• hxxp[:]//nikbox[.]ru/24926SQ/identity/Commercial/
• hxxp[:]//okrenviewhotel[.]com/En_us/Details/11_18/
• hxxp[:]//pibuilding[.]com/6547LNPZL/PAYROLL/Commercial/
• hxxp[:]//pirilax[.]su/6ZW/PAYROLL/Commercial/
• hxxp[:]//raeesp[.]com/hUc77ZvQQxq/de/Privatkunden/
• hxxp[:]//riverwalkmb[.]com/US/Attachments/2018-11/
• hxxp[:]//shingari[.]ru/41381RLL/SEP/Personal/
• hxxp[:]//sociallysavvyseo[.]com/US/Payments/11_18/
• hxxp[:]//testingweb[.]in/En_us/Clients_transactions/11_18/
• hxxp[:]//tomas[.]datanom[.]fi/ovning/US/Payments/112018/
• hxxp[:]//toronto[.]rogersupfront[.]com/10613MKDPJF/SEP/Personal/
• hxxp[:]//www.fromjoy[.]fr/EN_US/Clients_transactions/112018
• hxxp[:]//www.reklame[.]ru/7665310VEYLGBNW/biz/Business/
• hxxp[:]//www.transimperial[.]ru/605FW/BIZ/US/
• hxxp[:]//xn----gtbreobjp7byc[.]xn--p1ai/32NNLUEIY/com/Commercial/
• hxxp[:]//ampdist[.]com/AEZf
• hxxp[:]//blog[.]comjagat[.]com/wp-content/mWdx
• hxxp[:]//colombiaagro[.]com[.]co/EZLOpSOF
• hxxp[:]//lipetsk-pivo[.]ru/h
• hxxp[:]//mabnanirou[.]com/oG
• hxxp[:]//micheleverdi[.]com/Fbestfz
• hxxp[:]//www.gerrithamann[.]de/hP2IldM
• hxxp[:]//www.prevencionplus[.]com/BuLyc2HKL
• hxxp[:]//www.sastudio[.]co/AU4fI
• hxxp[:]//www.upex[.]ee/vqUuJ3B7
• hxxp[:]//192.227.186[.]151/radiance.png
• hxxp[:]//192.227.186[.]151/table.png
• hxxp[:]//192.227.186[.]151/worming.png
• hxxp[:]//47.32.109[.]184/del90/

 

EMAILS

Shown above:  Example of an email from Emotet malspam with a PDF attachment.

 

Shown above:  Link in the PDF attachment to download the initial Word doc.

 

Shown above:  Downloading the initial Word document and enabling macros to infect a victim's host.

 

TRAFFIC

URLS TO DOWNLOAD THE INITIAL WORD DOCUMENT (FROM PDF FILES OR LINKS IN THE EMAILS):

NOTE:  Items marked with ** means these URLs did not deliver the malware when I checked earlier (probably taken off-line).

• hxxp[:]//1stniag[.]com/Download/EN_en/Invoice-Number-44664/
• hxxp[:]//209[.]97[.]182[.]51/EN_US/Details/2018-11/
• hxxp[:]//209[.]97[.]186[.]248/En_us/Payments/11_18/
• hxxp[:]//35[.]167[.]6[.]44/0455GPLCNXSV/PAY/Commercial/
• hxxp[:]//3kepito[.]hu/En_us/Details/11_18/
• hxxp[:]//777ton[.]ru/DOC/US_us/Scan/
• hxxp[:]//adsdeedee[.]com/1358285S/BIZ/Smallbusiness/
• hxxp[:]//aes[.]co[.]th/web/wp-content/upgrade/newsletter/US/Inv-867015-PO-5O966375/
• hxxp[:]//agrarszakkepzes[.]hu/5931ZTIGS/com/US/
• hxxp[:]//alliance-rnd[.]com/EN_US/Attachments/112018/
• hxxp[:]//altaredlife[.]com/logssite/INFO/US_us/Question/
• hxxp[:]//altarfx[.]com/Nov2018/En/Invoice-for-p/e-11/05/2018/   **
• hxxp[:]//alumni[.]poltekba[.]ac[.]id/US/Transaction_details/2018-11/
• hxxp[:]//amnisopes[.]com/En_us/Information/112018/
• hxxp[:]//appafoodiz[.]com/En_us/Clients_transactions/2018-11/
• hxxp[:]//artzkaypharmacy[.]com[.]au/4690UVTTQOXO/SWIFT/Commercial/
• hxxp[:]//azatamartik[.]org/US/Information/2018-11/
• hxxp[:]//benchmarkiso[.]com/24IYXQCHNP/biz/US/
• hxxp[:]//bgtest[.]vedel-oesterby[.]dk/3810430RP/PAYROLL/Commercial/
• hxxp[:]//blacktiemining[.]com/0YVX/SWIFT/Commercial/
• hxxp[:]//clabels[.]pt/EN_US/Clients_information/2018-11/
• hxxp[:]//corporaciondelsur[.]com[.]pe/US/Transaction_details/2018-11/
• hxxp[:]//cressy27[.]com/En_us/Documents/2018-11/
• hxxp[:]//dmas[.]es/US/Details/11_18/   **
• hxxp[:]//dev[.]kevinscott[.]com[.]au/85SRSH/PAY/Personal/
• hxxp[:]//dietmantra[.]org/En_us/Clients_information/11_18/
• hxxp[:]//digirising[.]com/En_us/Transactions-details/11_18/
• hxxp[:]//eventus[.]ie/359PQLQ/biz/Personal/
• hxxp[:]//fantastika[.]in[.]ua/3616974KVTNZUT/PAYMENT/Commercial/
• hxxp[:]//felipeuchoa[.]com[.]br/wp-content/uploads/DOC/US_us/Invoice-receipt/
• hxxp[:]//fert[.]es/EN_US/Clients_information/112018/
• hxxp[:]//fglab[.]com[.]br/LLC/En_us/New-order/
• hxxp[:]//fincabonanzaquindio[.]com/En_us/Transaction_details/11_18/
• hxxp[:]//forzashowband[.]com/EN_US/Clients/2018-11/
• hxxp[:]//gilmarnazareno[.]com[.]br/BhWwli/BIZ/Service-Center/   **
• hxxp[:]//graywhalefoundation[.]org/US/Transactions-details/112018/
• hxxp[:]//grille-tech[.]com/hj4M3FfcISLL6fdUo/BIZ/Privatkunden/
• hxxp[:]//guselceva[.]ru/39808GPKVXO/identity/Personal/   **
• hxxp[:]//hartmannbossen[.]dk/En_us/Attachments/11_18/
• hxxp[:]//hawaiikaigolf[.]com/US/Clients/112018/
• hxxp[:]//homebakerz[.]com[.]au/hG5sm76mEjQMCzGLn/SWIFT/PrivateBanking/   **
• hxxp[:]//hsrventures[.]com/En_us/Clients_transactions/112018/
• hxxp[:]//i4c[.]com[.]br/US/Transactions/2018-11/   **
• hxxp[:]//ichangevn[.]org/EN_US/Transactions/112018/
• hxxp[:]//jurist29[.]ru/2J/SWIFT/Commercial/   **
• hxxp[:]//legal-world[.]su/qmB9mXRB/de_DE/200-Jahre/   **
• hxxp[:]//lemar[.]home[.]pl/manager/En_us/Transactions-details/112018/
• hxxp[:]//lmetallurg[.]ru/831063SSI/identity/Business/
• hxxp[:]//meleyrodri[.]com/xdYdvDnPM24m9e/de/IhreSparkasse/
• hxxp[:]//mohandes724[.]com/En_us/Details/2018-11/
• hxxp[:]//nga[.]no/91985U/biz/Personal/
• hxxp[:]//nikbox[.]ru/24926SQ/identity/Commercial/
• hxxp[:]//okrenviewhotel[.]com/En_us/Details/11_18/
• hxxp[:]//pibuilding[.]com/6547LNPZL/PAYROLL/Commercial/
• hxxp[:]//pirilax[.]su/6ZW/PAYROLL/Commercial/
• hxxp[:]//raeesp[.]com/hUc77ZvQQxq/de/Privatkunden/
• hxxp[:]//riverwalkmb[.]com/US/Attachments/2018-11/
• hxxp[:]//shingari[.]ru/41381RLL/SEP/Personal/
• hxxp[:]//sociallysavvyseo[.]com/US/Payments/11_18/
• hxxp[:]//testingweb[.]in/En_us/Clients_transactions/11_18/
• hxxp[:]//tomas[.]datanom[.]fi/ovning/US/Payments/112018/
• hxxp[:]//toronto[.]rogersupfront[.]com/10613MKDPJF/SEP/Personal/
• hxxp[:]//www.24complex[.]ru/2AYX/com/Commercial/   **
• hxxp[:]//www.dermainstant[.]com/dkH4TT2/BIZ/PrivateBanking/   **
• hxxp[:]//www.dtoneycpa[.]com/En_us/Clients/2018-11/   **
• hxxp[:]//www.fromjoy[.]fr/EN_US/Clients_transactions/112018
• hxxp[:]//www.planosdesaudebrasilia[.]net[.]br/EN_US/Documents/112018/   **
• hxxp[:]//www.reklame[.]ru/7665310VEYLGBNW/biz/Business/
• hxxp[:]//www.transimperial[.]ru/605FW/BIZ/US/
• hxxp[:]//xn-----8kcbcubc0cfh6a2am9f7cg[.]xn--p1ai/815734WLPDJ/biz/Personal/   **
• hxxp[:]//xn----gtbreobjp7byc[.]xn--p1ai/32NNLUEIY/com/Commercial/
• hxxp[:]//xn--80aaxk0bn[.]xn--p1ai/36OEKNKS/ACH/Business/   **
• hxxp[:]//xn--80agpqajcme4aij[.]xn--p1ai/51TFMV/ACH/Smallbusiness/   **
• hxxp[:]//yasinau[.]ru/0KMBMkQMMptet4/de/Privatkunden/   **
• hxxp[:]//zalco[.]nl/76BWXKGCT/PAY/Business/   **

URLS GENERATED BY MACROS IN THE INITIAL WORD DOC TO DOWNLOAD THE EMOTET BINARY:

• hxxp[:]//1412studiodm[.]com/xGDA0q   **
• hxxp[:]//aldo[.]jplms[.]com[.]au/eWykVvYj   **
• hxxp[:]//ampdist[.]com/AEZf
• hxxp[:]//blog[.]comjagat[.]com/wp-content/mWdx
• hxxp[:]//colombiaagro[.]com[.]co/EZLOpSOF
• hxxp[:]//lipetsk-pivo[.]ru/h
• hxxp[:]//mabnanirou[.]com/oG
• hxxp[:]//micheleverdi[.]com/Fbestfz
• hxxp[:]//staging[.]bridgecode[.]co[.]uk/wQr0hzU   **
• hxxp[:]//www.gerrithamann[.]de/hP2IldM
• hxxp[:]//www.prevencionplus[.]com/BuLyc2HKL
• hxxp[:]//www.sastudio[.]co/AU4fI
• hxxp[:]//www.seosyd[.]com/IyThn3I   **
• hxxp[:]//www.sicfms[.]com/sybnoK9   **
• hxxp[:]//www.upex[.]ee/vqUuJ3B7

 

Shown above:  Traffic from an infection filtered in Wireshark.

 

TRAFFIC FROM AN INFECTED WINDOWS HOST IN THE US:

• 213.186.33[.]17 port 80 - www.fromjoy[.]fr - GET /EN_US/Clients_transactions/112018/
• 69.163.156[.]184 port 80 - www.seosyd[.]com - GET /IyThn3I
• 212.47.220[.]51 port 80 - www.upex[.]ee - GET /vqUuJ3B7
• 212.47.220[.]51 port 80 - www.upex[.]ee - GET /vqUuJ3B7/
• 47.34.43[.]223 port 80 - 47.34.43[.]223 - GET /
• 47.225.131[.]10 port 80 - TCP connection attempts, but no response from server
• 128.193.56[.]169 port 443 - 128.193.56[.]169:443 - GET /
• port 80 - ipinfo[.]io - GET /ip   (IP address check by infected host)
• port 80 - myexternalip[.]com - GET /raw   (IP address check by infected host)
• 184.169.105[.]210 port 449 - TCP connection attempts, but no response from server
• 65.31.241[.]133 port 449 - HTTPS/SSL/TLS traffic caused by Trickbot
• 198.46.196[.]109 port 447 - HTTPS/SSL/TLS traffic caused by Trickbot
• port 80 - ipecho[.]net - GET /plain   (IP address check by infected host)
• port 443 - ipecho[.]net - HTTPS traffic   (IP address check by infected host)
• 47.32.109[.]184 port 8082 - 47.32.109[.]184 - POST /del90/[long string of characters]
• 192.227.186[.]151 port 80 - 192.227.186[.]151 - GET /radiance.png

 

MALWARE

MALWARE FROM AN INFECTED WINDOWS HOST:

• SHA256 hash:  fc048b04dc8a13fba792e2caa5b50f5fe95c5d78855c74cbc5c93fdf0d398853
  
• File size:  78,592 bytes
  
• File location:  hxxp[:]//www.fromjoy[.]fr/EN_US/Clients_transactions/112018/
  
• File name:  FORM-9459438630448044.doc   (various names)
  
• File description:  Downloaded Word document with macro for Emotet

• SHA256 hash:  87d0b764f2670d2373470d8becad7f26301e206f00b5f35391ab4a38e94ec524
  
• File size:  143,360 bytes
  
• File location:  hxxp[:]//www.upx[.]ee/vqUuJ3B7/
  
• File location:  C:\Users\[username]\AppData\Local\Windows\[random file name].exe
  
• File description:  Emotet malware binary

• SHA256 hash:  ea79f26437f3d0eb8a5185bcf1190ea0918c5263a2ca1336c0915fded8d4b7ad
  
• File size:  393,728 bytes
  
• File location:  C:\Users\[username]\AppData\Roaming\WINYS\[random file name].exe
  
• File description:  Trickbot malware binary retrieved by Emotet-infected Windows host (gtag: del90)

• SHA256 hash:  e0eb41ccb2f33576f65ece6072b8f07af7b93ab847f3858d1b75468ed41fd2da
  
• File size:  331,776 bytes
  
• File location:  hxxp[:]//192.227.186[.]151/radiance.png
  
• File description:  Follow-up Trickbot malware binary retrieved to infect other Windows hosts

 

Click here to return to the main page.