2017-11-15 Another Malspam Message Leads to New Emotet
This is just a quick writeup for an Emotet malspam that I found in Triton. Nothing too detailed or anything of the sort. I was not able to obtain the initial malicious binary (73077.exe) from the Word document, so after getting all the details, I went back on a clean VM to get that file. The file 73077.exe should be the same as the one listed below – 12961.exe. The artifacts from this can be found over at my Github here.

IOCs:
=====
172.81.117.237 / xanaxsleepingpills.website (GET /Invoice-number-588962/)
162.221.188.251 / www.medicinedistributor.com (GET /UVRJ/)
41.72.140.141:8080 (POST /)
69.43.168.196:443 (POST /)

Artifacts:…
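As an added example (not code from the original post), the IoC lines above parsed into structured records and matched against a few constructed web-proxy log lines, so the two download stages and the two C2 POSTs can be picked out of traffic. The proxy log format and the hypothetical client addresses are assumptions.

```python
import re
from typing import NamedTuple, Optional

# IoC lines copied verbatim from the writeup above.
IOC_LINES = [
    "172.81.117.237 / xanaxsleepingpills.website (GET /Invoice-number-588962/)",
    "162.221.188.251 / www.medicinedistributor.com (GET /UVRJ/)",
    "41.72.140.141:8080 (POST /)",
    "69.43.168.196:443 (POST /)",
]

class Ioc(NamedTuple):
    ip: str
    port: Optional[int]   # only given for the C2 entries
    host: Optional[str]   # only given for the download entries
    method: str
    path: str

# Grammar of the writeup's IoC format: "<ip>[:port] [/ <host>] (<METHOD> <path>)"
IOC_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))?"
    r"(?:\s*/\s*(?P<host>\S+))?\s*\((?P<method>[A-Z]+)\s+(?P<path>\S+)\)$"
)

def parse_ioc(line: str) -> Ioc:
    m = IOC_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised IoC line: {line!r}")
    return Ioc(m["ip"], int(m["port"]) if m["port"] else None,
               m["host"], m["method"], m["path"])

# Constructed proxy log (assumed format): "<client> <METHOD> <url> <status>"
SAMPLE_LOG = """\
10.0.0.5 GET http://xanaxsleepingpills.website/Invoice-number-588962/ 200
10.0.0.5 GET http://www.example.org/index.html 200
10.0.0.5 POST http://41.72.140.141:8080/ 200
10.0.0.7 POST https://69.43.168.196:443/ 200
10.0.0.7 GET http://www.medicinedistributor.com/UVRJ/ 404
"""
LOG_RE = re.compile(r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<scheme>https?)://"
                    r"(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?P<path>/\S*)\s+\d{3}$")

def match_log(log_text: str, iocs: list) -> list:
    """Return (client, ioc_ip, method, path) for every request hitting an IoC."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        port = int(m["port"]) if m["port"] else (443 if m["scheme"] == "https" else 80)
        for ioc in iocs:
            # Host may be logged as the name or the resolved IP; C2 entries pin the port.
            if (ioc.method == m["method"] and m["host"] in (ioc.ip, ioc.host)
                    and (ioc.port is None or ioc.port == port)
                    and m["path"].startswith(ioc.path)):
                hits.append((m["client"], ioc.ip, m["method"], m["path"]))
    return hits
```

A failed download (the 404 on /UVRJ/) is still reported, since the attempt alone shows the document's macro ran on that host.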