Emotet Banking Trojan 2018-02-14 MalSpam

I have added a zipped pcap file for your analysis. The password for the zipped pcap is infected, all lowercase.

PCAP file of the infection traffic:
2018-02-15-Emotet-Banking-Trojan-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 192.169.197.235 – visa2work.co.in GET /Invoice-Corrections-for-35/87/ – Macro Word Doc
  • 208.91.198.231 – astoriatraining.com GET /o2x7Bx/ – Emotet Download
  • 84.200.208.98 – Emotet C2
  • 71.244.60.231 port 4143 – Emotet C2
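The chain above (macro Word doc from one host, EXE from a second host, then beacons to the C2 addresses) is what a defender would want to pick out of proxy or Zeek logs. The script below is an added example, not part of the original post: it correlates a constructed, simplified tab-separated log per internal host and reports only hosts that show the doc -> exe -> C2 sequence in order. The internal IPs, timestamps, MIME types and the port used for 84.200.208.98 (the page gives none) are constructed; the hosts, URIs, C2 IPs and port 4143 are the ones listed on the page.

```python
from collections import defaultdict

# Constructed sample log (not from the pcap): ts, src, dst, dst_port, kind, detail.
# kind "http" -> detail is "host uri mime"; kind "conn" -> detail is empty.
SAMPLE_LOG = """\
1518652801.1\t10.0.0.12\t192.169.197.235\t80\thttp\tvisa2work.co.in /Invoice-Corrections-for-35/87/ application/msword
1518652845.3\t10.0.0.12\t208.91.198.231\t80\thttp\tastoriatraining.com /o2x7Bx/ application/x-dosexec
1518652850.0\t10.0.0.12\t84.200.208.98\t8080\tconn\t
1518652851.0\t10.0.0.12\t71.244.60.231\t4143\tconn\t
1518652860.0\t10.0.0.44\t93.184.216.34\t443\tconn\t
"""

C2_IPS = {"84.200.208.98", "71.244.60.231"}   # C2 addresses from the page
C2_PORTS = {4143}                             # the one C2 port the page lists
DOC_MIMES = {"application/msword", "application/vnd.ms-word.document.macroenabled.12"}
EXE_MIMES = {"application/x-dosexec", "application/x-msdownload"}


def parse(log):
    """Yield one dict per log line."""
    for line in log.splitlines():
        ts, src, dst, port, kind, detail = line.split("\t")
        yield {"ts": float(ts), "src": src, "dst": dst,
               "port": int(port), "kind": kind, "detail": detail}


def correlate(log, window=600):
    """Return {src: [(stage, ts, where), ...]} for hosts that completed
    doc -> exe -> c2, in that order, within `window` seconds."""
    stages = defaultdict(list)
    for ev in parse(log):
        s = stages[ev["src"]]
        seen = {t for t, *_ in s}
        if ev["kind"] == "http":
            host, uri, mime = ev["detail"].split(" ")
            if mime in DOC_MIMES:
                s.append(("doc", ev["ts"], host + uri))
            elif mime in EXE_MIMES and "doc" in seen:      # EXE only counts after a doc
                s.append(("exe", ev["ts"], host + uri))
        elif ev["kind"] == "conn" and (ev["dst"] in C2_IPS or ev["port"] in C2_PORTS):
            if "exe" in seen:                               # C2 only counts after the EXE
                s.append(("c2", ev["ts"], f"{ev['dst']}:{ev['port']}"))
    result = {}
    for src, s in stages.items():
        if {"doc", "exe", "c2"} <= {t for t, *_ in s} and s[-1][1] - s[0][1] <= window:
            result[src] = s
    return result


if __name__ == "__main__":
    for src, chain in correlate(SAMPLE_LOG).items():
        print(src, [(t, where) for t, _, where in chain])
```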


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Emotet Banking Trojan infection.


Shown above: Email with link to Macro Word Document to begin infection chain


Shown above: Macro Word Document leading to the download and installation of the Emotet Banking Trojan


MALICIOUS PAYLOAD ASSOCIATED WITH MALSPAM:

  • Invoices attached.doc – Macro Word Doc
    VirusTotal Link
    SHA-256: be0bce3f1de3dfa656050433ff3e97f2f31a88955bb888feb3431819accaf76c
  • cachewlan.exe – Emotet Banking Trojan
    VirusTotal Link
    SHA-256: 4f293a7a7549f32c4761141640edcddd8cf21b462108ce62eff519cfc16a181b