{
	"id": "3b131939-8971-4dc9-acb2-f9b8fd07383a",
	"created_at": "2026-04-06T01:30:38.111565Z",
	"updated_at": "2026-04-10T13:12:30.106514Z",
	"deleted_at": null,
	"sha1_hash": "3c4576c21af33f3063dee2e460a11dd4bd83669c",
	"title": "Malware-Traffic-Analysis.net - 2018-07-19 - Emotet infection traffic with Zeus Panda Banker",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1041180,
	"plain_text": "Malware-Traffic-Analysis.net - 2018-07-19 - Emotet infection\r\ntraffic with Zeus Panda Banker\r\nArchived: 2026-04-06 00:13:07 UTC\r\nNOTICE:\r\nThe zip archives on this page have been updated, and they now use the new password scheme.  For the new\r\npassword, see the \"about\" page of this website.\r\nASSOCIATED FILES:\r\nZip archive of 4 email examples:  2018-07-19-Emotet-malspam-4-examples.zip   385 kB (384,921 bytes)\r\n2018-07-17-Emotet-malspam-1153-UTC.eml   (1,153 bytes)\r\n2018-07-18-Emotet-malspam-0716-UTC.eml   (247,503 bytes)\r\n2018-07-19-Emotet-malspam-1058-UTC.eml   (493,762 bytes)\r\n2018-07-19-Emotet-malspam-1703-UTC.eml   (1,022 bytes)\r\nZip archive of the infection traffic:  2018-07-19-Emotet-infection-with-Zeus-Panda-Banker.pcap.zip   4.1\r\nMB (4,064,731 bytes)\r\n2018-07-19-Emotet-infection-with-Zeus-Panda-Banker.pcap   (4,568,407 bytes)\r\nZip archive of the malware:  2018-07-19-malware-from-Emotet-infection.zip   690 kB (689,821 bytes)\r\n2018-07-19-downloaded-Word-doc-with-macro-for-Emotet.doc   (343,296 bytes)\r\n2018-07-19-Emotet-malware-binary-1-of-2.exe   (283,648 bytes)\r\n2018-07-19-Emotet-malware-binary-2-of-2.exe   (280,576 bytes)\r\n2018-07-19-Zeus-Panda-Banker-caused-by-Emotet-infection.exe   (265,728 bytes)\r\nNOTES:\r\nI recently did a blog for Palo Alto Networks titled Malware Team Up: Malspam Pushing Emotet +\r\nTrickbot.\r\nIt focuses on Emotet + Trickbot, but today it was Emotet + Zeus Panda Banker.\r\nhttps://www.malware-traffic-analysis.net/2018/07/19/index.html\r\nPage 1 of 4\n\nShown above:  Flowchart for recent Emotet infection traffic.\r\nWEB TRAFFIC BLOCK LIST\r\nIndicators are not a block list.  If you feel the need to block web traffic, I suggest the following domain and URLs:\r\nhxxp[:]//aulacloud[.]com[.]br/pdf/EN_en/New-Order-Upcoming/Please-pull-invoice-984495/\r\nhxxp[:]//zazz[.]com[.]br/Documentos/\r\nhxxp[:]//astraclinic[.]com/Facturas-pendientes/\r\nhxxp[:]//trustsoft[.]ro/NFjd6T/\r\nhxxp[:]//181.129.60[.]162/whoami.php\r\ntailbackuisback[.]xyz\r\nEMAILS\r\nDATA FROM 4 EMAIL EXAMPLES:\r\nDate: Tuesday, 2018-07-17 11:53 UTC\r\nReceived: from 10.3.23[.]36 (UnknownHost [1.6.26[.]234])\r\nFrom: benji@overyondr[.]com \u003c[removed]@[removed]\u003e\r\nSubject: CUST. JFD-55-17335\r\nLink: hxxp[:]//aulacloud[.]com[.]br/pdf/EN_en/New-Order-Upcoming/Please-pull-invoice-984495/\r\nDate: Wednesday, 2018-07-18 07:16 UTC\r\nReceived: from [196.250.41[.]122] (port=49278 helo=10.0.0[.]52)\r\nFrom: SAV AITICA \u003c\u003e \u003calmacen@francachela[.]com[.]mx\u003e\u003e\r\nhttps://www.malware-traffic-analysis.net/2018/07/19/index.html\r\nPage 2 of 4\n\nSubject: Outstanding invoice\r\nAttachment name: INV-EB51776.doc\r\nDate: Thursday, 2018-07-19 10:58 UTC\r\nReceived: from 10.0.0[.]51 (fixed-187-190-248-34.totalplay[.]net [187.190.248[.]34])\r\nFrom: Raj Jhamb \u003c\u003e \u003cmarcs@svtv[.]com\u003e\r\nSubject:  Inv. no. 1ZVO1641\r\nAttachment name: INV-1ZVO1641.doc\r\nDate: Thursday, 2018-07-19 10:58 UTC\r\nReceived: from [189.232.17[.]251] (port=58245 helo=10.0.0[.]28)\r\nFrom: Kasaiah Amirisetty \u003c\u003e \u003cedgar@dgforensiks[.]mx\u003e\r\nSubject: Kasaiah Amirisetty Factura de servicio y soporte F4179871 de 19 julio\r\nLink: hxxp[:]//zazz[.]com[.]br/Documentos/\r\nTRAFFIC\r\nShown above:  Traffic from an infection filtered in Wireshark.\r\nTRAFFIC FROM AN INFECTED WINDOWS HOST:\r\n37.187.38[.]98 port 80 - astraclinic[.]com - GET /Facturas-pendientes/\r\n86.35.15[.]70 port 80 - trustsoft[.]ro - GET /NFjd6T/\r\n67.68.235[.]25 port 50000 - attempted TCP connections, but no response from the server\r\n187.192.180[.]144 port 995 - 187.192.180[.]144:995 - GET /\r\n154.16.37[.]53 port 443 - tailbackuisback[.]xyz - post-infection traffic caused by Zeus Panda Banker\r\nport 443 - www.google[.]com - connectivity check caused by Zeus Panda Banker\r\n5.188.231[.]137 port 443 - attempted TCP connections, but no response from the server\r\n91.243.80[.]2 port 443 - attempted TCP connections, but no response from the server\r\nhttps://www.malware-traffic-analysis.net/2018/07/19/index.html\r\nPage 3 of 4\n\n201.232.42[.]151 port 8443 - attempted TCP connections, but no response from the server\r\n181.129.60[.]162 port 80 - 181.129.60[.]162 - GET /whoami.php\r\n181.129.60[.]162 port 80 - 181.129.60[.]162 - POST /\r\nFILE HASHES\r\nMALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:\r\nSHA256 hash:  7bad900ea5cb2044726bd474d9b7f642c279425144e73b99463279fc83a95981\r\nFile size:  343,296 bytes\r\nFile name:  FACTURA-QMO-39839388.doc   (random file names)\r\nFile description:  Word doc downloaded from a link in Emotet malspam.  Doc has macro to retreive\r\nEmotet.\r\nSHA256 hash:  3dd27b20b2ab85c95f8e9e1b5f4944e277ab018b3c663a8bf6262aa36183b0cf\r\nFile size:  283,648 bytes\r\nFile location:  C:\\Users\\[username]\\AppData\\Local\\Microsoft\\Windows\\[random file name].exe\r\nFile description:  Emotet malware binary downloaded by macro in downloaded Word doc\r\nSHA256 hash:  5482557ca490c50f5f383c6d6d3b51efd4b215b22ee3dde51a811a4f490735cc\r\nFile size:  280,576 bytes\r\nFile location:  C:\\Users\\[username]\\AppData\\Local\\Microsoft\\Windows\\[random file name].exe\r\nFile description:  Updated Emotet malware binary after the host was infected for a while\r\nSHA256 hash:  200dd176eccfe11a3456193bf1fe7d46d23408834e172991b883d59aa59ce259\r\nFile size:  265,728 bytes\r\nFile location:  C:\\Users\\[username]\\AppData\\Roaming\\[existing directory path]\\[random file name].exe\r\nFile description:  Zeus Panda Banker downloaded by my Emotet-infected host\r\nClick here to return to the main page.\r\nSource: https://www.malware-traffic-analysis.net/2018/07/19/index.html\r\nhttps://www.malware-traffic-analysis.net/2018/07/19/index.html\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.malware-traffic-analysis.net/2018/07/19/index.html"
	],
	"report_names": [
		"index.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439038,
	"ts_updated_at": 1775826750,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c4576c21af33f3063dee2e460a11dd4bd83669c.pdf",
		"text": "https://archive.orkl.eu/3c4576c21af33f3063dee2e460a11dd4bd83669c.txt",
		"img": "https://archive.orkl.eu/3c4576c21af33f3063dee2e460a11dd4bd83669c.jpg"
	}
}