SANS ISC: Internet Storm Center

One Emotet infection leads to three follow-up malware infections

Published: 2018-09-26
Last Updated: 2018-09-26 03:49:09 UTC
by Brad Duncan (Version: 1)
2 comment(s)


During 2018, Emotet has been a continual presence in the malicious spam (malspam) landscape.  With few exceptions, malspam from this campaign is active every weekday.  As the months progress, I've generally found follow-up malware from Emotet infections in my lab.  I wrote about one such malware team-up back in July 2018, and Symantec has published an in-depth look at Emotet's evolution from banking Trojan to a delivery service for other threat actors.

In recent weeks, I've generally seen Emotet retrieve Trickbot, the IcedID banking Trojan, or spambot malware for its follow-up infection.  I rarely see Emotet retrieve more than one type of follow-up malware.  But on Tuesday 2018-09-25, my infected lab host retrieved Trickbot and IcedID immediately after an Emotet infection.  Then IcedID caused another infection with AZORult on the same host.

Shown above:  Flow chart for the infection.

Emotet malspam

I currently find three types of Emotet malspam.  The first type has an attached Microsoft Word document with a macro.  The macro is designed to infect a vulnerable Windows host with Emotet.

The second type of Emotet malspam has a link to download the malicious Word document instead of an attachment.

The third type of Emotet malspam has a PDF attachment without any links in the message.  The PDF file contains a link to download the malicious Word document.

All three cases involve a malicious Word document with macros.  In all three cases, opening the Word document and enabling macros will kick off the infection process on a vulnerable Windows host.

Shown above:  Three different types of malspam for Emotet infections.

Shown above:  Example of Emotet malspam with a PDF attachment.

Shown above:  Downloading an Emotet Word document and enabling macros.

Infection traffic

I kicked off an infection with a URL that retrieved an Emotet Word doc.  This could've come from an email link, or it could've come from a PDF attachment.  There's no way to tell based on the URL alone.

Shortly after my lab host was infected with Emotet, I saw indicators of a Trickbot infection.  I also saw indicators of an IcedID infection.  Finally, I saw an HTTP request that returned an AZORult malware binary, and it was followed by AZORult post-infection traffic.  See the image below for details.

Shown above:  Traffic from the infection filtered in Wireshark.

The Emotet infection was kept persistent on my infected lab host through the Windows registry.  IcedID and Trickbot were kept persistent through a scheduled task.  After the AZORult executable ran on my infected lab host, it deleted itself, and I didn't find any method of persistence for AZORult.

Shown above:  Emotet persistent on my infected Windows host.

Shown above:  IcedID persistent on my infected Windows host.

Shown above:  Trickbot persistent on my infected Windows host.


The following are indicators (IP addresses, domain names, and file hashes) associated with the infection of my Windows lab host.

Traffic from the Emotet infection:

  • port 80 - - GET /tyoinvur/En_us/Clients/092018/
  • port 80 - - GET /18Ge0wDF
  • port 80 - - GET /AlvUfSm
  • port 80 - - GET /AlvUfSm/
  • port 8090 - - GET /
  • port 50000 - Attempted TCP connections, but no response from the server
  • port 443 - - GET /whoami.php
  • port 443 - - POST /

Traffic from the Trickbot infection:

  • port 80 - - GET /   (IP address check by the infected host, not inherently malicious)
  • port 449 - SSL/TLS traffic caused by Trickbot
  • port 447 - SSL/TLS traffic caused by Trickbot
  • port 8082 - - POST /arz1/[long string with host info]/90

Traffic from the IcedID infection:

  • port 443 - - HTTPS/SSL/TLS traffic caused by IcedID
  • port 80 - - GET /data2.php?B41857926E193158

Traffic associated with the AZORult infection:

  • port 80 - - GET /crypt_AU3_EXE.exe   (caused by IcedID)
  • port 80 - - POST /index.php
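
The indicator list above can be turned into detection logic for proxy or sensor logs.  The script below is an added example, not code from the diary or the SANS ISC: it parses constructed sample events in a made-up line layout and applies rules derived from the four traffic sections (Trickbot's TLS ports 447/449 and its POST /<gtag>/[host info]/90 report on 8082, IcedID's GET /data2.php?<16 hex digits>, cleartext HTTP seen on port 443 as with Emotet's GET /whoami.php and POST /, and an .exe download followed by a POST /index.php to the same host as with AZORult).  The sample addresses are RFC 5737 test addresses, and the Trickbot host-info segment is a placeholder because the diary redacts it.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of sensor/proxy events, one per line, in a made-up layout:
# "<timestamp> <dst_ip> <dst_port> <proto> [<method> <path>]".
# Destination addresses are RFC 5737 test addresses; the paths mirror the
# indicator list in the diary, with the redacted Trickbot host-info segment
# replaced by an obviously constructed placeholder.
SAMPLE_LOG = """\
2018-09-25T14:01:02Z 203.0.113.10 80 http GET /18Ge0wDF
2018-09-25T14:01:05Z 203.0.113.11 443 http POST /
2018-09-25T14:01:09Z 203.0.113.12 449 tls
2018-09-25T14:01:10Z 203.0.113.12 447 tls
2018-09-25T14:01:15Z 203.0.113.13 8082 http POST /arz1/CONSTRUCTED_HOST_INFO/90
2018-09-25T14:01:20Z 203.0.113.14 80 http GET /data2.php?B41857926E193158
2018-09-25T14:01:30Z 203.0.113.15 80 http GET /crypt_AU3_EXE.exe
2018-09-25T14:01:33Z 203.0.113.15 80 http POST /index.php
2018-09-25T14:02:00Z 198.51.100.5 443 tls
2018-09-25T14:02:01Z 198.51.100.6 80 http GET /index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\w+)(?: (\w+) (\S+))?$")

# Trickbot C2 ports named in the diary.
TRICKBOT_TLS_PORTS = {447, 449}
# Shape of the Trickbot report: /<gtag>/<host info string>/<numeric command id>.
TRICKBOT_POST_RE = re.compile(r"^/[A-Za-z0-9]+/[^/]+/\d+$")
# IcedID check-in: /data2.php?<16 upper-case hex digits>.
ICEDID_GET_RE = re.compile(r"^/data2\.php\?[0-9A-F]{16}$")

Alert = Tuple[str, str, str, int]  # (timestamp, rule, dst_ip, dst_port)


def parse_event(line: str) -> Optional[dict]:
    """Split one sample line into fields; returns None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, dst, port, proto, method, path = m.groups()
    return {"ts": ts, "dst": dst, "port": int(port), "proto": proto,
            "method": method, "path": path}


def detect(lines: List[str]) -> List[Alert]:
    """Apply the rules derived from the diary's indicator list to a list of events."""
    alerts: List[Alert] = []
    # dst_ip -> timestamp of the last GET for an .exe, for the AZORult sequence rule
    exe_download_seen: Dict[str, str] = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, dst, port, proto = ev["ts"], ev["dst"], ev["port"], ev["proto"]
        method, path = ev["method"], ev["path"]

        if proto == "tls" and port in TRICKBOT_TLS_PORTS:
            alerts.append((ts, "trickbot_c2_port", dst, port))
            continue
        if proto != "http" or method is None:
            continue

        # Emotet: the sensor decoded cleartext HTTP on 443 (GET /whoami.php, POST /).
        if port == 443:
            alerts.append((ts, "cleartext_http_on_443", dst, port))
        # Trickbot: POST /<gtag>/<host info>/90 to port 8082.
        if port == 8082 and method == "POST" and TRICKBOT_POST_RE.match(path):
            alerts.append((ts, "trickbot_post_report", dst, port))
        # IcedID: GET /data2.php?<16 hex> over plain HTTP.
        if method == "GET" and ICEDID_GET_RE.match(path):
            alerts.append((ts, "icedid_checkin", dst, port))
        # AZORult: an .exe retrieved from a host, then POST /index.php to the same host.
        if method == "GET" and path.lower().endswith(".exe"):
            exe_download_seen[dst] = ts
        elif method == "POST" and path == "/index.php" and dst in exe_download_seen:
            alerts.append((ts, "azorult_post_after_exe_download", dst, port))
    return alerts


if __name__ == "__main__":
    for ts, rule, dst, port in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts} {rule:32} {dst}:{port}")
```

The AZORult rule is deliberately a sequence check rather than a single-request match, because POST /index.php on its own is far too common to alert on; pairing it with a preceding executable download from the same host is what the diary's traffic actually shows.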

File hashes for malware retrieved from the infected Windows host follow.

SHA256 hash: 34fd8ab80ff403db687517beac2b1d3024f69119e73c054ffe6686b1a0a40489

  • File size: 211,584 bytes
  • File description: Downloaded Word doc with macro for Emotet

SHA256 hash: d9352b362629bdcd5d7c830a3ea9c5f55d1e0be4240b5df2867903fb317ee7d3

  • File size: 219,648 bytes
  • File description: Emotet malware executable
  • File location: C:\Users\[username]\AppData\Local\Microsoft\Windows\[various file names].exe

SHA256 hash: 806bc3a91b86dbc5c367ecc259136f77482266d9fedca009e4e78f7465058d16

  • File size: 519,149 bytes
  • File description: Trickbot caused by Emotet infection (gtag: arz1)
  • File location: C:\Users\[username]\AppData\AIMT\[string of characters].exe

SHA256 hash: 2cbb833b3410d0d27719614f3b4ffe8f16d7dd5242a8b85f35619405b110784e

  • File size: 392,192 bytes
  • File description: IcedID caused by Emotet infection
  • File location: C:\ProgramData\{12345678-1234-1234-1234-12345689ABC}\[string of characters].exe   --   various hex digits between the { }

SHA256 hash: 80aa7f6f6b25aaf43e52d5ca6971f5dac45b3b2e0ed5c5f3843080b03771c2cc

  • File size: 536,576 bytes
  • File description: AZORult caused by IcedID infection
  • File location: C:\Users\[username]\AppData\Local\[string of characters].exe
  • File location: hxxp://
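
The hashes and file locations above are what a responder would check a suspect host against.  The script below is an added example, not code from the diary or the SANS ISC: it keeps the diary's five SHA256 hashes as a lookup table, turns each listed file location into a pattern in which the redacted parts ([username], [string of characters], the hex digits between the { }) are wildcards, and triages constructed (path, bytes) records against both.  The record contents are placeholder bytes, so only the location rules fire on them; the hash lookup is exercised directly with one of the diary's published hashes.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# SHA256 hashes published in the diary, keyed to the diary's file descriptions.
DIARY_HASHES: Dict[str, str] = {
    "34fd8ab80ff403db687517beac2b1d3024f69119e73c054ffe6686b1a0a40489": "Downloaded Word doc with macro for Emotet",
    "d9352b362629bdcd5d7c830a3ea9c5f55d1e0be4240b5df2867903fb317ee7d3": "Emotet malware executable",
    "806bc3a91b86dbc5c367ecc259136f77482266d9fedca009e4e78f7465058d16": "Trickbot caused by Emotet infection (gtag: arz1)",
    "2cbb833b3410d0d27719614f3b4ffe8f16d7dd5242a8b85f35619405b110784e": "IcedID caused by Emotet infection",
    "80aa7f6f6b25aaf43e52d5ca6971f5dac45b3b2e0ed5c5f3843080b03771c2cc": "AZORult caused by IcedID infection",
}

# The diary's file locations as patterns: every redacted segment becomes a
# single-path-component wildcard, and the IcedID GUID folder accepts any hex/dash run.
LOCATION_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("emotet", re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Microsoft\\Windows\\[^\\]+\.exe$", re.I)),
    ("trickbot", re.compile(r"^C:\\Users\\[^\\]+\\AppData\\AIMT\\[^\\]+\.exe$", re.I)),
    ("icedid", re.compile(r"^C:\\ProgramData\\\{[0-9A-F-]+\}\\[^\\]+\.exe$", re.I)),
    ("azorult", re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\[^\\]+\.exe$", re.I)),
]


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of file contents, the form the diary publishes."""
    return hashlib.sha256(data).hexdigest()


def match_hash(sha256: str) -> Optional[str]:
    """Return the diary's description for a known hash, or None."""
    return DIARY_HASHES.get(sha256.lower())


def match_location(path: str) -> List[str]:
    """Return the malware families whose diary-listed location pattern the path fits."""
    return [family for family, rx in LOCATION_PATTERNS if rx.match(path)]


def triage(path: str, data: bytes) -> dict:
    """Combine the hash lookup and the location patterns for one collected file."""
    digest = sha256_hex(data)
    return {
        "path": path,
        "sha256": digest,
        "hash_match": match_hash(digest),
        "location_match": match_location(path),
    }


def triage_all(records: List[Tuple[str, bytes]]) -> List[dict]:
    return [triage(path, data) for path, data in records]


# Constructed records standing in for files collected from a host.  The contents are
# placeholder bytes, so their hashes will not match anything in DIARY_HASHES; the
# paths are made up to fit (or, for the last one, not fit) the diary's locations.
SAMPLE_RECORDS: List[Tuple[str, bytes]] = [
    (r"C:\Users\alice\AppData\Local\Microsoft\Windows\qzlrvm.exe", b"constructed sample 1"),
    (r"C:\Users\alice\AppData\AIMT\hgfed.exe", b"constructed sample 2"),
    (r"C:\ProgramData\{0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9}\kjhgf.exe", b"constructed sample 3"),
    (r"C:\Users\alice\AppData\Local\wqerty.exe", b"constructed sample 4"),
    (r"C:\Program Files\Vendor\app.exe", b"constructed sample 5"),
]


if __name__ == "__main__":
    for r in triage_all(SAMPLE_RECORDS):
        print(f"{r['path']}\n  sha256={r['sha256']}\n  hash={r['hash_match']}  location={r['location_match']}")
```

A location match without a hash match is only a lead, not a verdict: the AZORult location in particular (a single .exe directly under AppData\Local) is broad enough to catch legitimate per-user installers, so the path rules are best used to pick files for hashing and further review rather than to block on their own.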

Final words

Most enterprise spam filters are quite good at blocking malspam pushing Emotet.  From what I can tell, online email services like Gmail and Yahoo also seem to keep these messages from your inbox.  But it only takes one message to make it through, and it only takes one person to click their way through any warnings to successfully infect a vulnerable Windows host.

However, properly administered and up-to-date Windows hosts are not likely to get infected.  Windows warns potential victims if such Word documents are downloaded from the Internet, and recent versions of Microsoft Office have a Protected View feature that should prevent people from accidentally enabling these macros.  Furthermore, system administrators and the technically inclined can implement best practices like Software Restriction Policies (SRP) or AppLocker to prevent these types of infections.

Email examples, pcap, and malware associated with today's diary can be found here.

Brad Duncan
brad [at]
