2019-01-25 - EXAMPLES FROM THREE DAYS OF EMOTET + FOLLOW-UP MALWARE

NOTICE:

ASSOCIATED FILES:

  • 2019-01-23-Emotet-malspam-with-link-2052-UTC.eml   (24,625 bytes)
  • 2019-01-24-Emotet-malspam-with-attachment-1710-UTC.eml   (328,412 bytes)
  • 2019-01-25-Emotet-malspam-with-attachment-1533-UTC.eml   (2,678 bytes)
  • 2019-01-25-Emotet-malspam-with-link-1842-UTC.eml   (2,455 bytes)
  • 2019-01-23-Emotet-infection-with-Gootkit.pcap   (8,938,200 bytes)
  • 2019-01-23-downloaded-Word-doc-with-macro-for-Emotet.doc   (248,663 bytes)
  • 2019-01-23-Emotet-EXE-retrieved-by-Word-macro.exe   (159,744 bytes)
  • 2019-01-23-Emotet-EXE-updated-after-initial-infection.exe   (159,744 bytes)
  • 2019-01-23-Gootkit-INF-file.txt   (233 bytes)
  • 2019-01-23-Gootkit-retrieved-by-Emotet-infected-host.exe   (2,539,208 bytes)
  • 2019-01-24-Emotet-infection-with-spamming.pcap   (5,755,574 bytes)
  • 2019-01-24-downloaded-Word-doc-with-macro-for-Emotet.doc   (241,454 bytes)
  • 2019-01-24-Emotet-EXE-retrieved-by-Word-macro.exe   (222,208 bytes)
  • 2019-01-24-Emotet-EXE-updated-after-initial-infection.exe   (271,872 bytes)
  • 2019-01-25-1st-run-Emotet-infection-with-Trickbot.pcap   (7,339,411 bytes)
  • 2019-01-25-1st-run-downloaded-Word-doc-with-macro-for-Emotet.doc   (247,024 bytes)
  • 2019-01-25-1st-run-Emotet-EXE-retrieved-by-Word-macro.exe   (180,224 bytes)
  • 2019-01-25-1st-run-Emotet-EXE-updated-after-initial-infection.exe   (176,128 bytes)
  • 2019-01-25-1st-run-Trickbot-downloaded-by-Emotet-infected-host.exe   (802,816 bytes)
  • 2019-01-25-1st-run-Trickbot-related-binary.exe   (241,664 bytes)
  • 2019-01-25-1st-run-scheduled-task-for-Trickbot-NetvalTask.xml.txt   (3,544 bytes)
  • WNetval/settings.ini   (39,786 bytes)
  • WNetval/sz_zxnc9r9i3ulwyv0n_1k4a7ev1y_8yrf_p1xutbe1ydwxrth0t7tfg31tnz4z1.exe   (241,664 bytes)
  • WNetval/xRuRpFWkNGftgr1U.exe   (802,816 bytes)
  • WNetval/Data/injectDll64   (1,034,704 bytes)
  • WNetval/Data/injectDll64_configs/dinj   (96,544 bytes)
  • WNetval/Data/injectDll64_configs/dpost   (928 bytes)
  • WNetval/Data/injectDll64_configs/sinj   (71,552 bytes)
  • WNetval/Data/networkDll64   (22,704 bytes)
  • WNetval/Data/networkDll64_configs/dpost   (928 bytes)
  • WNetval/Data/pwgrab64   (1,305,040 bytes)
  • WNetval/Data/pwgrab64_configs/dinj   (96,544 bytes)
  • WNetval/Data/pwgrab64_configs/dpost   (928 bytes)
  • WNetval/Data/pwgrab64_configs/sinj   (71,552 bytes)
  • WNetval/Data/shareDll64   (13,024 bytes)
  • WNetval/Data/systeminfo64   (24,240 bytes)
  • WNetval/Data/tabDll64   (2,432,864 bytes)
  • WNetval/Data/tabDll64_configs/dpost   (928 bytes)
  • WNetval/Data/wormDll64   (59,680 bytes)
  • 2019-01-25-2nd-run-Emotet-infection-with-IcedID.pcap   (2,509,600 bytes)
  • 2019-01-25-2nd-run-downloaded-Word-doc-with-macro-for-Emotet.doc   (254,420 bytes)
  • 2019-01-25-2nd-run-Emotet-EXE-retrieved-by-Word-macro.exe   (176,128 bytes)
  • 2019-01-25-2nd-run-Emotet-EXE-updated-after-initial-infection.exe   (230,400 bytes)
  • 2019-01-25-2nd-run-IcedID-retrieved-by-Emotet-infected-host.exe   (221,184 bytes)
  • 2019-01-25-2nd-run-scheduled-task-to-keep-IcedID-persistent.txt   (3,166 bytes)

Shown above:  Flow chart for this week's Emotet infections.

Shown above:  Traffic from the Emotet + Gootkit infection on 2019-01-23 filtered in Wireshark.

Shown above:  Traffic from the Emotet + spamming infection on 2019-01-24 filtered in Wireshark.

Shown above:  Spambot traffic from the Emotet + spamming infection on 2019-01-24.

Shown above:  Filtering for unencrypted spambot traffic from the Emotet + spamming infection on 2019-01-24.

Shown above:  An example of the emails sent from the Emotet + spamming infection on 2019-01-25.

Shown above:  Traffic from the Emotet + Trickbot infection on 2019-01-25 filtered in Wireshark.

Shown above:  Traffic from the Emotet + IcedID infection on 2019-01-25 filtered in Wireshark.
