
Rewterz Threat Alert – Emotet Epoch 3 botnet Deploys Trickbot and Qakbot

Severity

High

Analysis Summary

Emotet has served as a loader for other malware for some time. The infection vector remains malicious email carrying attachments with embedded macros. In this campaign, the Emotet Epoch 3 botnet is observed downloading Trickbot and Qakbot as second-stage payloads. The initial malicious attachment is a file named ‘invoice.doc’, so this malspam follows the common invoice-themed lure.


Impact

  • Security bypass
  • Code execution
  • Financial theft
  • Credential theft
  • Exposure of sensitive data
  • Account compromise

Indicators of Compromise

Domain Name

  • king61tours[.]com
  • grzegorzkucharski[.]com
  • karaz-sd[.]com

Filename

  • invoice[.]doc

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download invoice-themed attachments from untrusted emails.
  • Do not enable macros for untrusted files.
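As an added example (not part of the Rewterz alert), a small Python triage helper that applies the summary and remediation above: it flags invoice-themed Word attachments that carry a VBA project, and matches the advisory's defanged domains against proxy log lines so they can be blocked or hunted. The OLE check is a byte-level heuristic rather than a full parser, and the sample attachment bytes and log lines are constructed for the demonstration.

```python
import re

# Domains listed in this advisory, kept in the page's defanged notation.
ADVISORY_DOMAINS = [
    "king61tours[.]com",
    "grzegorzkucharski[.]com",
    "karaz-sd[.]com",
]

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file signature (.doc)
# Directory-entry names in an OLE file are UTF-16LE; a Word document with a VBA
# project carries a "_VBA_PROJECT" stream. Searching for it is a quick heuristic.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def refang(ioc):
    """Turn defanged notation ('[.]', 'http[:]//') back into a matchable string."""
    return ioc.replace("[.]", ".").replace("[:]", ":")


def attachment_risk(filename, data):
    """Reasons an attachment matches this campaign's delivery pattern (empty if none)."""
    reasons = []
    if re.search(r"invoice", filename, re.IGNORECASE) and filename.lower().endswith((".doc", ".docm", ".dot")):
        reasons.append("invoice-themed Word attachment")
    if data.startswith(OLE_MAGIC) and VBA_MARKER in data:
        reasons.append("OLE document contains a VBA project")
    return reasons


def domains_seen(log_lines, blocklist=ADVISORY_DOMAINS):
    """(line_no, domain) pairs where a proxy log line contacts a listed domain."""
    # Word-style boundaries so "notking61tours.com" does not match "king61tours.com".
    patterns = [(refang(d), re.compile(r"(?<![\w.-])" + re.escape(refang(d)) + r"(?![\w-])"))
                for d in blocklist]
    hits = []
    for number, line in enumerate(log_lines, 1):
        for domain, pattern in patterns:
            if pattern.search(line):
                hits.append((number, domain))
    return hits


# Constructed sample inputs for the demonstration (not real files or logs).
SAMPLE_MACRO_DOC = OLE_MAGIC + b"\x00" * 16 + VBA_MARKER
SAMPLE_PLAIN_DOC = OLE_MAGIC + b"\x00" * 16
SAMPLE_LOG = [
    "2020-08-28T10:12:01 src=10.0.0.5 GET http://king61tours.com/a/ 200",
    "2020-08-28T10:12:09 src=10.0.0.5 GET https://www.example.com/ 200",
    "2020-08-28T10:13:44 src=10.0.0.7 GET http://grzegorzkucharski.com/b/ 200",
]
```

Real-world use would hook `attachment_risk` into mail-gateway inspection and feed `domains_seen` from proxy or DNS logs; a positive from either is a trigger to isolate the host and check for the second-stage Trickbot or Qakbot payloads.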