2019-01-14 - EMOTET INFECTION WITH GOOTKIT

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Malspam example:  2019-01-14-Emotet-malspam-with-attachment.eml.zip   113 kB (112,780 bytes)

• 2019-01-14-Emotet-malspam-with-attachment.eml   (205,760 bytes)

• Pcap of the infection traffic:  2019-01-14-Emotet-infection-with-Gootkit.pcap.zip   12.1 MB (9,219,785 bytes)

• 2019-01-14-Emotet-infection-with-Gootkit.pcap   (13,289,241 bytes)

• Associated malware:  2019-01-14-Emotet-and-Gootkit-malware-and-artifacts.zip   536 kB (535,519 bytes)

• 2019-01-14-downloaded-Word-doc-with-macro-for-Emotet.doc   (107,520 bytes)
• 2019-01-14-Emotet-binary-retreived-by-Word-macro.exe   (135,168 bytes)
• 2019-01-14-Emotet-binary-updated-after-initial-infection.exe   (139,264 bytes)
• 2019-01-14-Gootkit-INF-file.txt   (246 bytes)
• 2019-01-14-Gootkit-retrieved-by-Emotet-infected-host.exe   (528,384 bytes)

 

Shown above:  A flow chart for Emotet malspam infections.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs and domains:

• hxxp[:]//www[.]gessb[.]com/Attachments/012019
• hxxp[:]//www[.]gessb[.]com/Attachments/012019/
• hxxp[:]//ray-beta[.]com/1bVzEjoTlj
• hxxp[:]//ray-beta[.]com/1bVzEjoTlj/
• up[.]centralfloridafi[.]com
• floridimaiamiflow[.]com
• getfastlowprior[.]com
• getunderflowsf[.]com

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

TRAFFIC FROM AN INFECTED WINDOWS HOST:

INITIAL EMOTET INFECTION TRAFFIC:

• 192.254.184[.]180 port 80 - www[.]gessb[.]com - GET /Attachments/012019/
• 93.90.146[.]107 port 80 - ray-beta[.]com - GET /1bVzEjoTlj
• 93.90.146[.]107 port 80 - ray-beta[.]com - GET /1bVzEjoTlj/
• 187.163.213[.]124 port 443 - 187.163.213[.]124:443 - GET /   Emotet post-infection traffic
• 173.234.30[.]218 port 443 - up[.]centralfloridafi[.]com - HTTPS/SSL/TLS traffic   Gootkit post-infection traffic
• DNS query for floridimaiamiflow[.]com - response: No such name (DNS query caused by Gootkit)
• DNS query for getfastlowprior[.]com - response: No such name (DNS query caused by Gootkit)
• DNS query for getunderflowsf[.]com - response: No such name (DNS query caused by Gootkit)

 

MALWARE

INITIAL WORD DOC:

• SHA256 hash:  7e212ed3198f8e0e43d96afb80609a33ff08dabd18cc7864cc10307b1658a597
  
• File size:  107,520 bytes
  
• File location:  hxxp[:]//www[.]gessb[.]com/Attachments/012019/
  
• Downloadedile name:  INVOICE-N7709724.doc
  
• File description: Downloaded Word doc with macro for Emotet

EMOTET BINARIES:

• SHA256 hash:  11c6c26f9d485fa833fc457cc51a99e9b772c36816fc6c3bd55d3cd10b3722be
  
• File size:  135,168 bytes
  
• File location:  hxxp[:]//ray-beta[.]com/1bVzEjoTlj/
  
• File location:  C:\Users\[username]\AppData\Local\[random directory name]\[random file name].exe
  
• File description:  Emotet binary retrieved by Word macro

• SHA256 hash:  ce4d2265087a3dc3e8623eb0de100733d2da4cf443ef80dd37c9172a472f1a08
  
• File size:  139,264 bytes
  
• File location:  C:\Users\[username]\AppData\Local\[random directory name]\[random file name].exe   (same as above)
  
• File description:  Emotet binary updated after initial infection

GOOTKIT:

• SHA256 hash:  b1d902bea4b9756882022b2f6d1d7c2a4fbc0179207a04faee822e02b7123257
  
• File size:  528,384 bytes
  
• File location:  C:\ProgramData\nvJ4MbtV7Xb.exe   (random file name under ProgramData folder)
  
• File description:  Gootkit executable retrieved by Emotet-infected host

 

Click here to return to the main page.