Severity
High
Analysis Summary
Emotet has been used as a loader for other malware for some time. The infection vector remains malicious emails that distribute macro-embedded malicious attachments. In this campaign, the Emotet Epoch 3 botnet is seen downloading Trickbot and Qakbot as second-stage payloads. The initial malicious attachment is a file named ‘invoice.doc’, so this malspam follows the common invoice-themed lure.
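As an added example (not part of the advisory), the following Python refangs a subset of the indicators listed below and matches them against constructed proxy log lines, and checks an attachment hash against the listed MD5s; the log format and function names are assumptions.

```python
import re

# Indicators copied from the advisory, kept in their defanged form
DEFANGED = [
    "king61tours[.]com", "grzegorzkucharski[.]com", "karaz-sd[.]com",
    "194[.]5[.]249[.]157", "203[.]176[.]135[.]102", "185[.]81[.]158[.]15",
    "http[:]//king61tours[.]com/pdf/lwuqKsRgijhXw/",
]
# MD5s of the malicious attachments listed in the advisory
KNOWN_MD5 = {
    "80f08f9a481b39e6f6d33efdec834855", "8e514dc1be16b12953315b5b6889bc00",
    "ca8f77c07e02b6065f745d0021396bf1", "08ee2019e928a4a090edb0e98d073272",
}

def refang(ioc: str) -> str:
    """Reverse the usual defanging ([.] [:] hxxp) so the value can be matched."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

def build_matchers(defanged):
    """Compile literal, case-insensitive patterns, longest first so a full
    URL is reported in preference to its bare domain or IP."""
    iocs = sorted((refang(i) for i in defanged), key=len, reverse=True)
    return [(i, re.compile(re.escape(i), re.IGNORECASE)) for i in iocs]

def scan_log(lines, matchers):
    """Return (line_number, indicator) for every log line hitting an IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ioc, pat in matchers:
            if pat.search(line):
                hits.append((n, ioc))
                break  # one hit per line: the most specific indicator
    return hits

def attachment_is_known(md5_hex: str) -> bool:
    """True if an attachment's MD5 is one of the advisory's hashes."""
    return md5_hex.strip().lower() in KNOWN_MD5

# Constructed sample proxy log lines (hypothetical format, not from the page)
SAMPLE_LOG = [
    "GET http://king61tours.com/pdf/lwuqKsRgijhXw/ 200 user=alice",
    "GET http://example.org/index.html 200 user=bob",
    "CONNECT 185.81.158.15:8080 user=carol",
]

if __name__ == "__main__":
    for n, ioc in scan_log(SAMPLE_LOG, build_matchers(DEFANGED)):
        print(f"line {n}: matched {ioc}")
```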
Impact
Security Bypass
Code Execution
Financial Theft
Credentials Theft
Exposure of Sensitive Data
Account Compromise
Indicators of Compromise
Domain Name
king61tours[.]com
grzegorzkucharski[.]com
karaz-sd[.]com
Filename
invoice[.]doc
MD5
80f08f9a481b39e6f6d33efdec834855
8e514dc1be16b12953315b5b6889bc00
ca8f77c07e02b6065f745d0021396bf1
08ee2019e928a4a090edb0e98d073272
SHA-256
537cae9dc56e79decd19c95f3558a5f204bb70fe6fa16ac7ef840991803508ac
ab738270198457f6e7d98c31337280933b09dd563ea6b9bfb73716903a0a7f23
482f758d1a5ee81bf89cf7b582d80117520427064ce505246cca7733b4bbde67
9206615c27a64e4617f1e3ec11b5584e0510df8b5744581f9e9c5d0136b1e43f
SHA-1
ca01e30acb99809ec08e9f02737e25084215b964
921a5af03f919c2ddf9d85e46a0307d75f394d9b
4c59d3ee93aaaaa400adedde0798182dee855ee2
58963deab813763b36552447878c2fb5f9b96ce0
Source IP
194[.]5[.]249[.]157
91[.]200[.]103[.]236
195[.]123[.]240[.]252
107[.]174[.]192[.]219
185[.]176[.]40[.]216
185[.]81[.]158[.]15
82[.]239[.]200[.]118
96[.]9[.]73[.]73
180[.]211[.]170[.]214
203[.]176[.]135[.]102
195[.]123[.]241[.]187
37[.]247[.]111[.]239
URL
http[:]//grzegorzkucharski[.]com/cli/92278618/fs8rc5s-001552/
http[:]//203[.]176[.]135[.]102[:]8082
http[:]//104[.]236[.]52[.]89[:]8080
http[:]//king61tours[.]com/pdf/lwuqKsRgijhXw/
http[:]//185[.]81[.]158[.]15[:]8080
Remediation
Block the threat indicators at their respective controls.
Do not download invoice-themed attachments from untrusted emails.
Do not enable macros for untrusted files.