2020-09-08 Emotet IOCs

CYBERCHEF RECIPE TO DECODE POWERSHELL SCRIPT
From_Base64('A-Za-z0-9+/=',true)
Decode_text('UTF-16LE (1200)')
Split('*','\\n')
Find_/_Replace({'option':'Simple string','string':'\''},'',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':'+'},'',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':'('},'',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':')'},'',true,false,true,false)
Extract_URLs(false)


THREAT ATTRIBUTION:  EMOTET
I can't say with certainty if the 2 documents that I downloaded were from today or yesterday.
I suspect yesterday, however.

SUBJECTS OBSERVED
None

SENDERS OBSERVED
None

MALDOC DISTRIBUTION URLS
http://tarravalleyfoods.com.au/awstats/http:/OCT/Dm2yEAoApkxvx/
http://www.alfapress.com/form/http:/browse/mt5wzrldAEQ8GjkYxO/

WORD DOCUMENT FILE HASHES
4b2a3819f609433d4aee7caa93f2035f
a6d7ed8fc2065320b5da489be82655e7

PAYLOAD FILE HASHES
693b2498489aa81a6121cb991f47bd59
9fd5e8dc6586baaeb8e8f30f9244e7fe
f40a7ec4d252eb261c283d07de9181dd

EMOTET PAYLOAD URLs
http://aldama.com/www/jkm/
http://ebu.no/billett/VMs/
http://fotoboule.de/bba/file/TyfJoGH/
http://frankroller.de/cgi-bin/attach/edFGzwpekjnwk/
http://franzosenbach.de/Meerbusch/igHfjN/
http://gerotax.de/assets/attach/rEzDDIkWAlZ/
http://gms2006.de/cgi-bin/file/fEyZ/
http://maximumwebimpact.com/test/rL9/
http://must-in.com/wp-admin/Q/
http://sriharshampromoters.com/sriharshaptr/8/
http://staniszczak.net/cpf/F/
http://www.bismarjeparamebel.com/wp-includes/SX/
https://gestoriasanchez.es/paginas/Vqywzqmas498299/
https://twisterprint.com/stats/KsU/

EMOTET C2s
http://185.215.227.107:443
http://51.38.124.206
http://38.88.126.202:8080
http://54.37.42.48:8080
http://172.104.169.32:8080
http://68.183.190.199:8080
http://187.162.248.237
http://82.76.111.249:443
http://184.66.18.83
http://190.6.193.152:8080
http://77.238.212.227
http://199.203.62.165
http://188.2.217.94
http://185.94.252.12
http://178.250.54.208:8080
http://206.15.68.237:443
http://65.36.62.20
http://216.47.196.104
http://219.92.8.17:8080
http://213.60.96.117
http://77.55.211.77:8080
http://72.167.223.217:8080
http://177.74.228.34
http://186.103.141.250:443
http://190.163.31.26
http://85.109.159.61:443
http://68.183.170.114:8080
http://213.197.182.158:8080
http://45.161.242.102
http://71.197.211.156
http://104.131.103.37:8080
http://94.176.234.118:443
http://190.2.31.172
http://5.196.35.138:7080
http://190.195.129.227:8090
http://67.247.242.247
http://64.201.88.132
http://152.169.22.67
http://24.135.1.177
http://191.182.6.118
http://51.159.23.217:443
http://110.142.219.51
http://68.69.155.181
http://82.196.15.205:8080
http://77.90.136.129:8080
http://181.129.96.162:8080
http://45.33.77.42:8080
http://95.9.180.128
http://192.241.146.84:8080
http://91.219.169.180
http://188.135.15.49
http://212.71.237.140:8080
http://98.13.75.196
http://72.47.248.48:7080
http://209.236.123.42:8080
http://217.13.106.14:8080
http://219.92.13.25
http://177.72.13.80
http://12.162.84.2:8080
http://177.73.0.98:443
http://50.121.220.50
http://185.178.10.77
http://216.10.40.16
http://61.92.159.208:8080
http://170.81.48.2
http://45.16.226.117:443
http://185.94.252.27:443
http://217.199.160.224:7080
http://178.79.163.131:8080
http://186.70.127.199:8090
http://91.121.54.71:8080
http://190.190.148.27:8080
http://190.24.243.186
http://138.97.60.141:7080
http://104.131.41.185:8080
http://73.213.208.163
http://181.30.61.163:443
http://103.106.236.83:8080
http://192.241.143.52:8080
http://87.106.46.107:8080
http://2.47.112.152
http://45.173.88.33
http://204.225.249.100:7080
http://111.67.77.202:8080
http://70.32.115.157:8080
http://111.67.12.221:8080
http://70.32.84.74:8080
http://58.171.153.81
http://190.147.137.153:443
http://190.115.18.139:8080
http://83.169.21.32:7080
http://5.189.178.202:8080
http://50.28.51.143:8080
http://137.74.106.111:7080
http://189.2.177.210:443
http://72.135.200.124
http://51.255.165.160:8080