2019-03-13 - QUICK POST: EMOTET INFECTION WITH TRICKBOT

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive of 4 email examples:  2019-03-13-Emotet-malspam-4-examples.zip   340 kB (339,865 bytes)

• 2019-03-12-Emotet-malspam-with-link-1943-UTC.eml   (7,458 bytes)
• 2019-03-12-Emotet-malspam-with-link-2119-UTC.eml   (6,309 bytes)
• 2019-03-13-Emotet-malspam-with-PDF-attachment-2100-UTC.eml   (437,916 bytes)
• 2019-03-13-Emotet-malspam-with-link-1725-UTC.eml   (2,579 bytes)

Zip archive of the infection traffic:  2019-03-13-Emotet-infection-with-Trickbot.pcap.zip   7.2 MB (7,159,566 bytes)

• 2020-03-13-Emotet-infection-with-Trickbot.pcap   (8,425,714 bytes)

Zip archive of the malware/artifacts:  2019-03-13-Emotet-with-Trickbot-malware-and-artifacts.zip   15.2 MB (15,227,979 bytes)

• 2019-03-13-Emotet-retrieved-by-macro.exe   (309,000 bytes)
• 2019-03-13-Emotet-updated-after-initial-infection.exe   (184,072 bytes)
• 2019-03-13-Trickbot-retrieved-by-Emotet-infected-host.exe   (428,544 bytes)
• 2019-03-13-downloaded-Word-doc-with-macro-for-Emotet.doc   (206,976 bytes)
• 2019-03-13-registry-update-to-keep-Emotet-persistent.txt   (632 bytes)
• 2019-03-13-sched-task-to-keep-Trickbot-persistent.xml.txt   (3,798 bytes)
• wnetwork/Data/importDll64   (8,952,080 bytes)
• wnetwork/Data/injectDll64   (716,224 bytes)
• wnetwork/Data/injectDll64_configs/dinj   (121,440 bytes)
• wnetwork/Data/injectDll64_configs/dpost   (976 bytes)
• wnetwork/Data/injectDll64_configs/sinj   (85,040 bytes)
• wnetwork/Data/mailsearcher64   (27,824 bytes)
• wnetwork/Data/mailsearcher64_configs/mailconf   (240 bytes)
• wnetwork/Data/networkDll64   (22,704 bytes)
• wnetwork/Data/networkDll64_configs/dpost   (976 bytes)
• wnetwork/Data/psfin64   (22,192 bytes)
• wnetwork/Data/psfin64_configs/dpost   (976 bytes)
• wnetwork/Data/pwgrab64   (1,304,928 bytes)
• wnetwork/Data/pwgrab64_configs/dpost   (976 bytes)
• wnetwork/Data/shareDll64   (12,512 bytes)
• wnetwork/Data/systeminfo64   (24,240 bytes)
• wnetwork/Data/tabDll64   (2,640,224 bytes)
• wnetwork/Data/tabDll64_configs/dpost   (976 bytes)
• wnetwork/Data/wormDll64   (55,584 bytes)
• wnetwork/ESsW.exe   (428,544 bytes)
• wnetwork/settings.ini   (30,831 bytes)
• wnetwork/tetuq.exe   (405,504 bytes)

 

IMAGES

Shown above:  Screenshot from Emotet malspam with a PDF attachment.

 

Shown above:  PDF attachment merely links to a document with a macro for Emotet.

 

Shown above:  Traffic from the infection filtered in Wireshark.

 

Click here to return to the main page.