Emotet/Geodo Updated Analysis

Good Morning Everyone,

I have created a passivetotal project for tracking of the Downloader and payload domains. Information can be found in the link below as to 214 different domains that we have observed thus far over the last 3 days. We are estimating 128 unique domains per day but are still encountering various variants. Basic Regex detection of the file names would be [0-9]{4}[.]exe and a generic partial detection which could improved upon [a-zA-Z0-9]+[\_\ ]+[a-zA-Z0-9]+[\_\ ]+[a-zA-Z0-9]+[\_\ ]+(2017|[0-9]{10,11})[.](js|exe|zip).

Sandbox Results – Payloads:
https://www.hybrid-analysis.com/sample/91c4df8e591d8c6abc439afac8c623981111b309514988fb27f6bef646ceb8fe?environmentId=100
https://www.hybrid-analysis.com/sample/dbafbb3c21a5c217da347bbf04a3a5ae0c5a8cb42972ae7f0eb200411b58a97e?environmentId=100
https://www.hybrid-analysis.com/sample/6055957d42e6b3e82061dd8cdaa81596e615fc046617f0cd89546690c3db70aa?environmentId=100
https://www.hybrid-analysis.com/sample/592eb3250d9e2cbdcd82cd1c4f6eeabd9fce25c2cbb6803347e3060436975861?environmentId=100

Sandbox Results – Downloader:
https://www.hybrid-analysis.com/sample/a15609ed0d096c7c044c431dc728e15b840caad6dba0b3aec9ec9c02d26f0c1f?environmentId=100
https://www.hybrid-analysis.com/sample/c70b3368f15affb758256cbe1a172f891ee74b9cd4104934b154024e395bdbcd?environmentId=100

Email Subjects:
DHL On Demand Delivery
DHL On Demand Delivery for your attention
DHL On Demand Delivery so far
DHL Urgent Delivery
Get Your Bill
Get Your Bill is Ready
Get Your Vodafone Bill is Ready
Have Your Bill is Ready
My O2 Business – Your O2 Bill is ready
Obecny stan przesylki DHL
On Demand DHL Delivery
Pls, have Your Bill is Ready
Sprawdź stan przesylki DHL
Vodafone Bill is Ready
Your Bill
Your Bill for Vodafone
Your Bill has been already Ready
Your Bill is Ready
Your Bill is already Ready
Your O2 bill hasa been ready
Your O2 bill is already ready
Your O2 bill is ready
Your O2 billing
Your O2 bill is ready
get DHL On Demand Delivery for your attention
get Your O2 bill is ready
get Your O2 bill ready
receive Your O2 bill is ready
DHL Intraship – Shipment notification

File Names:
1432.exe
1599.exe
6643.exe
7500.exe
DHL_Express_UK_invoice__0003121831_Apr_2017.js
DHL_Express_UK_invoice__1400508222_Apr_2017.js
DHL_Express_UK_invoice__1669588487_Apr_2017.js
DHL_Express_UK_invoice__1870896677_Apr_2017.js
DHL_Express_UK_invoice__2018751644_Apr_2017.js
DHL_Express_UK_invoice__2167843675_Apr_2017.js
DHL_Express_UK_invoice__2607877220_Apr_2017.js
DHL_Express_UK_invoice__2858654753_Apr_2017.js
DHL_Express_UK_invoice__3262548225_Apr_2017.js
DHL_Express_UK_invoice__3457166120_Apr_2017.js
DHL_Express_UK_invoice__3474397866_Apr_2017.js
DHL_Express_UK_invoice__4579786200_Apr_2017.js
DHL_Express_UK_invoice__4723982668_Apr_2017.js
DHL_Express_UK_invoice__5259509174_Apr_2017.js
DHL_Express_UK_invoice__5383265676_Apr_2017.js
DHL_Express_UK_invoice__6273908290_Apr_2017.js
DHL_Express_UK_invoice__6985065737_Apr_2017.js
DHL_Express_UK_invoice__6993396227_Apr_2017.js
DHL_Express_UK_invoice__7527953807_Apr_2017.js
DHL_Express_UK_invoice__8000285527_Apr_2017.js
DHL_Express_UK_invoice__8478795397_Apr_2017.js
DHL_Express_UK_invoice__9324426295_Apr_2017.js
DHL_Express_UK_invoice__9749267862_Apr_2017.js
DHL__Report__Apr___12___2017___number __5940856348.js
DHL__numer__zlecenia___0682475940_____kwi___12___2017.js
DHL__numer__zlecenia___1111396974_____kwi___13___2017.js
DHL__numer__zlecenia___5194539019_____kwi___13___2017.js
DHL__numer__zlecenia___6463577907_____kwi___13___2017.js
DHL__numer__zlecenia___7600745719_____kwi___13___2017.js
DHL__numer__zlecenia___7949488628_____kwi___13___2017.js
DHL__numer__zlecenia___8448116658_____kwi___13___2017.js
DHL__numer__zlecenia___8989102211_____kwi___13___2017.js
DHL__numer__zlecenia___9148260176_____kwi___13___2017.js
DHL__numer__zlecenia___9509679180_____kwi___13___2017.js
O2_Billing___1807805485__13__04__2017.js
O2_Billing___3194960136__12__04__2017.js
O2_Billing___5746763153__13__04__2017.js
O2_UK___3525115464__13__04__2017.js
O2___1375658777__13__04__2017.js
O2_bill___5724355051__13__04__2017.js
O2_bill___7084355827__13__04__2017.js
O2_payment___7919738042__13__04__2017.js
O2_team___4569939528__13__04__2017.js
O2_uk_limited___4723045152__13__04__2017.js
Telekom_2017_04rechnung_33412966373.js
Telekom_2017_04rechnung_37661958175.js
Telekom_2017_04rechnung_38715336846.js
Telekom_2017_04rechnung_41074092260.js
Telekom_2017_04rechnung_50349493965.js
Telekom_2017_04rechnung_83328011963.js
Telekom_2017_04rechnung_97347687805.js
Vodafone__bill__online__0482017585__Apr___2017.js
Vodafone__bill__online__0576772058__Apr___2017.js
Vodafone__bill__online__0704164140__Apr___2017.js
Vodafone__bill__online__0970624048__Apr___2017.js
Vodafone__bill__online__1332345313__Apr___2017.js
Vodafone__bill__online__1642490166_____Wed___Apr___12___2017.js
Vodafone__bill__online__2053572355__Apr___2017.js
Vodafone__bill__online__2911726819__Apr___2017.js
Vodafone__bill__online__3034645949__Apr___2017.js
Vodafone__bill__online__3050088648__Apr___2017.js
Vodafone__bill__online__3361207186__Apr___2017.js
Vodafone__bill__online__3380812186__Apr___2017.js
Vodafone__bill__online__3429886379__Apr___2017.js
Vodafone__bill__online__3849108266__Apr___2017.js
Vodafone__bill__online__4115908237__Apr___2017.js
Vodafone__bill__online__4593971037__Apr___2017.js
Vodafone__bill__online__5098250486__Apr___2017.js
Vodafone__bill__online__5445123480__Apr___2017.js
Vodafone__bill__online__5455459583__Apr___2017.js
Vodafone__bill__online__5619734794__Apr___2017.js
Vodafone__bill__online__5723014394__Apr___2017.js
Vodafone__bill__online__5736872769__Apr___2017.js
Vodafone__bill__online__6591503495__Apr___2017.js
Vodafone__bill__online__7067620892__Apr___2017.js
Vodafone__bill__online__7171423237__Apr___2017.js
Vodafone__bill__online__7390262697__Apr___2017.js
Vodafone__bill__online__7615037689__Apr___2017.js
Vodafone__bill__online__7690197077__Apr___2017.js
Vodafone__bill__online__8324450458__Apr___2017.js
Vodafone__bill__online__8423713847__Apr___2017.js
Vodafone__bill__online__8929576055__Apr___2017.js
Vodafone__bill__online__9860040521__Apr___2017.js
Vodafone__bill__online__9875069400__Apr___2017.js
bill_O2___2627549936__13__04__2017.js
bill_O2___3316747324__13__04__2017.js
bill_O2___4059163857__13__04__2017.js
bill_O2___7285705702__13__04__2017.js
dhl__com__status__8608239457_____Tue___Apr___11___2017.js
myO2Business___1242260842__13__04__2017.js
myO2___0214565102__13__04__2017.js
myO2___4168972254__13__04__2017.js
myO2___4362161783__12__04__2017.js
myO2___6354589952__13__04__2017.js
myO2___8034871221__13__04__2017.js
myO2___8170830131__13__04__2017.js
o2__co__uk__09__04__2017__O2_bill_5630735220.js

File Hashes:
19729fc0b31215863770f5f2df66b9ea
2d436b83915b1cc22d29109be240788a
3b8927da0cdca9e657e3d75fc9cb862a
530e76add228dada1850a8c639fb7a6f
5f2fd6aa05d897ad3498140fc97f5be8
64a7da1b25927894fd703e169345dbcf
71f5237e155aa47d1d0853168343091e
840110418d42b2c1750b73d42ed29b8c
8514f60d4f2d866670842534250b66c7
bcecf036e318d7d844448e4359928b56
cf996db848721b92a490927efcce2f47
d9cf26531b3f1a6c1bf9c79e72ff70c4
eea3e536645c2f55237be661c97aa756

Passivetotal:
https://www.passivetotal.org/projects/88ff6148-9220-b4c3-efb4-45540597797d

Emotet/Geodo Updated Analysis

Related

By dodgethissecurity_1ooun4

Leave a comment Cancel reply

Share this:

Related

By dodgethissecurity_1ooun4

Leave a comment Cancel reply