# Emotet Malware document links / IOCs 03/01/18 18:15 EST

General notes: There has been a change in the behavior of Emotet, as reported earlier by the community (@dvk01uk, @pollo290987, etc.). Emotet is now attaching a PDF document to each malspam message that is basically a plain-text copy of the email itself. This is odd and I am honestly not sure what the point of it is. Other than this, it is the same old Emotet as far as I can tell. There are some slight changes in the email body, shown in the examples posted below.

Downloader links new for 03/01/18 (integrated community links):

"from sandbox" = found via SHA match or common payload


New Payloads seen today 03/01/18 (also seen by @JAMESWT_MHT, @pollo290987, @NelsonSecurity):


New Payloads from Community:


C2:


Sandbox:

https://app.any.run/tasks/8c57345a-6901-46fb-9162-6555dac15047 - with fakenet

https://www.hybrid-analysis.com/sample/f295640889927e8709a3a2b8ee9df4442197eda568c7270a66607e4583c6d4ee?environmentId=100

https://app.any.run/tasks/f2700ccc-7b6c-4915-af24-7ab6e9b61a12 - with fakenet - from @JAMESWT_MHT

Additional Info from Community:

https://pastebin.com/h0tdAxNV - Hash and network from @Artillerie

https://pastebin.com/UU9L2w78 - more downloader URLs and payloads from @Mesiagh

https://twitter.com/CapeSandbox/status/969268365318610944

https://twitter.com/malware_traffic/status/969275762653192193

https://twitter.com/fumik0_/status/969298743496445952

https://pastebin.com/VrtFAGjP - from @_ddoxer

Samples of PDF body:

Morning {RCPT.NAME}

Thanks Your invoice is attached. Please remit payment at your earliest

convenience. Thank you for your business - we appreciate it very much.

> http://www.akzonobelspinaker.pl/Open-invoices/

{FRIEND.EMAIL}

{FRIEND.NAME}

This PDF was attached to an email with the following body:

Morning (Victim)

Thanks

Your invoice is attached. Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

> http://www.akzonobelspinaker.pl/Open-invoices/

(Spoofed)

VirusTotal scan of the above PDF:

https://www.virustotal.com/#/file/9616629c1109beabb4491a525e7f1ea4441bbbea7867eb8f941073a6012402de/detection

Another copy of a sample PDF from @DynamicAnalysis:

https://twitter.com/DynamicAnalysis/status/969351220841402368

Examples of body changes:

Note: seeing more HTML-formatted bodies now.

Example #1

Hi (Victim),

Inserted are the three invoices that need to be corrected. The correct rates are as follows:

Regular Pay Rate: $25.21

Regular Bill Rate: $67.53

OT Pay Rate: $23.18

OT Bill Rate: $36.61

Please do not hesitate to contact me if you have any questions. Thanks!

>>> http://www.akzonobelspinaker.pl/Open-invoices/

(Spoofed)

Confidential Information: The information contained in this e-mail and any attachment to it may contain Confidential information for the exclusive use of its addressee. If you are not the addressee of this e-mail, please notify the sender by replying to this message and proceed to destroy it immediately, including the attachments and any copy of it. This e-mail does not constitute a binding offer for the company, even if price(s), quantity(ies) or other similar terms are included in the electronic message or its attachments. Privacy Notice: Your personal data may be processed for various purposes arising from the relationship we maintain with you. If you require more information, you may access the Privacy Notice through the website www.grupoabx.com.mx

Example #2

<html>

<body>

(Victim)

<br>

<br>

I sent an email on 03/01/2018 and never got a response. We are now showing six past due invoices. Inserted is a current aging.

I would appreciate it if you could check on it and let me know when we can expect payment. Thanks!

<br>

<br>

>> <a href="http://mastercoffeee.ru/Invoice-7545322-March/">Open Past Due Orders.doc</a> (Attachment File Type: DOC)

<br>

<br>

<br>

<br>

Many Thanks<br>

<br>

(Spoofed)

</body>

</html>

Bonus Content: Additional URL Patterns *WIP*

(These may or may not work for you; use at your own risk. In my system (Vircom Modusgate) they only put messages into a quarantine, so no mail is lost based on these filters.)

? = one character or space

* = any number of characters or spaces

The old and new lists are merged here, with minor tweaks:

Exact substring matches (in a Sieve script this is done via "if body :text :contains"):

".com/UPS.com/",

"/ACH-form/",

"/Christmas-card/",

"/Christmas-eCard/",

"/Christmas-Gift-Card/",

"/Corporation/New-invoice-",

"/DOC/Invoice/",

"/DOC/New-invoice-",

"/document.jar",

"/Document-needed/",

"/Dokumente/",

"/Dokumente-vom-Notar/",

"/Download/Invoice-number-",

"/eCard/",

"/eGift-Card/",

"/Final-Account/",

"/Gift-Card-for-you",

"/Happy-Holidays-Card/",

"/Holidays-Card/",

"/Holidays-eCard/",

"/Holidays-gift-card/",

"/Important-Please-Read/",

"/INCORRECT-INVOICE/",

"/INFO/Invoice-number-",

"/Informationen/",

"/Invoice-",

"/Invoice-Corrections-for-",

"/Invoice-for-t/",

"/Invoice-for-you/",

"/Invoice-Number-",

"/Invoice-receipt/",

"/Invoices-attached/",

"/Invoices-Overdue/",

"/Invoice-t/h-February/",

"/LLC/New-invoice-/",

"/Open-invoices/",

"/Need-to-send-the-attachment/",

"/New-order/",

"/Open-Past-Due-Orders/",

"/Order-Confirmation/",

"/outstanding-invoice-",

"/Outstanding-Invoices/",

"/Overdue-payment/",

"/Paid-Invoice/",

"/Paid-Invoices/",

"/Paid-Invoice-Credit-Card-Receipt/",

"/Past-Due-Invoice",

"-Past-Due-Invoices/",

"/PayPal.com/LLC/",

"/PAYPAL/DOC/",

"/PAYPAL/INFO/",

"/PayPal/LLC/",

"/PayPal-US/DOC/",

"/Purchases-2017/",

"/Purchases-2018/",

"/Question/",

"/Rechnung/",

"/Rechnung-Nr-",

"/Rechnungs-Details/",

"/scan/Invoice/",

"/Sales-Invoice/",

"/Service-Invoice/",

"/Service-Report-",

"/Summit-Companies-Invoice-",

"/Tracking-Number-",

"/UPS/Feb-",

"/UPS-Express-Domestic/",

"/UPS-Quantum-View/",

"/UPS-Ship-Notification/",

"/UPS-View/",

"/wp-content/Invoice-Number-",

"/Your-Card/",

"/Your-Christmas-Card/",

"/Your-Christmas-Gift-Card/",

"/Your-eCard/",

"/Your-Gift-Card/",

"/Your-Holidays-Card/",

"/Your-Holidays-eCard/",

"/Your-holidays-Gift-Card/"

Wildcard pattern matches (done via "if body :text :matches" in the Sieve script):

"*http:/*.ru/ACH/*"

"*http:/*/ACH/*-???-??-2018/ *"

"*http:/*/ACH/*/???-??-2018-*"

"*http:/*.info/CARD/*"

"*http:/*/CARD/*-???-??-2018/ *"

"*http:/*/CARD/*/???-??-2018-*"

"*http:/*/Corporation/*-???-??-2018/ *"

"*http:/*/Corporation/*/???-??-2018-*"

"*http:/*.au/DOC/*"

"*http:/*/DOC/*-???-??-2018/ *"

"*http:/*/DOC/*/???-??-2018-*"

"*http:/*/Download/*-???-??-2018/ *"

"*http:/*/Download/*/???-??-2018-*"

"*http:/*.sg/FILE/*"

"*http:/*/FILE/*-???-??-2018/ *"

"*http:/*/FILE/*/???-??-2018-*"

"*http:/*.com/INFO/*"

"*http:/*/INFO/*-???-??-2018/ *"

"*http:/*/INFO/*/???-??-2018-*"

"*http:/*.ru/LLC/*"

"*http:/*/LLC/*-???-??-2018/ *"

"*http:/*/LLC/*/???-??-2018-*"

"*http:/*/PAY/*-???-??-2018/ *"

"*http:/*/PAY/*/???-??-2018-*"

"*http:/*/PAYMENT/*-???-??-2018/ *"

"*http:/*/PAYMENT/*/???-??-2018-*"

"*http:/*/Scan/ *"

"*http:/*.com/Invoice/ *"

"*http:/*.org/Invoice/ *"

"*http:/*.pl/Invoice/ *"

"*http:/*.ru/Invoice/ *"
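As an added illustration (not part of the original post or the author's filters), here is a Python re-implementation of the two rule types above, the exact-substring list and the ?/* wildcard list, run over message bodies constructed from the URL shapes quoted on this page. The rule subsets and sample bodies are assumptions made for the example; the Sieve semantics it follows are that * matches any run of characters, ? matches exactly one, and the default comparator is case-insensitive.

```python
import re

# Constructed subset of the page's rules (the full lists are above).
CONTAINS = ["/Open-invoices/", "/Invoice-", "/Past-Due-Invoice", "/Service-Report-"]
MATCHES = [
    "*http:/*.ru/ACH/*",
    "*http:/*/LLC/*-???-??-2018/ *",
    "*http:/*/LLC/*/???-??-2018-*",
    "*http:/*.com/INFO/*",
]

def sieve_glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a Sieve :matches wildcard into a regex: '*' is any run of
    characters (newlines included, since the whole body is matched) and
    '?' is exactly one character. Everything else is literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Sieve's default comparator (i;ascii-casemap) is case-insensitive.
    return re.compile("".join(parts), re.DOTALL | re.IGNORECASE)

_COMPILED = [(p, sieve_glob_to_regex(p)) for p in MATCHES]

def sieve_hits(body: str) -> list:
    """Return the (rule_type, rule) pairs that would fire on this body."""
    hits = []
    lower = body.lower()
    for s in CONTAINS:
        if s.lower() in lower:
            hits.append(("contains", s))
    for p, rx in _COMPILED:
        if rx.fullmatch(body):
            hits.append(("matches", p))
    return hits

# Constructed bodies built from the URL shapes quoted on this page.
EMOTET_OPEN_INVOICES = ("Morning Bob\n\nThanks\n\nYour invoice is attached.\n\n"
                        "> http://www.akzonobelspinaker.pl/Open-invoices/\n")
EMOTET_LLC = ("Hi Bob,\n>> http://cent-rdc.com/LLC/WAG9881560YFVWDR/"
              "Mar-01-2018-50051320/TTK-JLJ-Mar-01-2018/ (Spoofed)\n")
BENIGN = "Hi, invoice INV-1001 is attached as a PDF. Thanks!"
# A legitimate-looking link still trips the very broad "/Invoice-" rule,
# which is why quarantine (not discard) is the safer action for this list.
BROAD_FP = "See https://billing.example.com/Invoice-2291 for your receipt."

if __name__ == "__main__":
    for name, body in [("open-invoices", EMOTET_OPEN_INVOICES), ("llc", EMOTET_LLC),
                       ("benign", BENIGN), ("broad-fp", BROAD_FP)]:
        print(name, sieve_hits(body))
```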