G0dR4p3

Emotet_Feodo_IOC's_19-06-2018

Jun 19th, 2018
#Emotet #Feodo #Banking #Trojan #Malware
-------------------------------------------------
19-06-2018 IOC's
-------------------------------------------------
Main object- "3e2d7638b70a4469b85a05cf168b314c2dcb0760d67301e4de1fbaadfe9d856a.bin"
sha256 3e2d7638b70a4469b85a05cf168b314c2dcb0760d67301e4de1fbaadfe9d856a
sha1 b5d8f35714d3db837432988c50c5ba6e7d5443ca
md5 6dc05ffb9686494ccc58b976a3c35518
DNS requests
domain santehnika-kohler.ru
domain www.7.adborod.z8.ru
domain www.intermekatronik.com
domain positivebusinessimages.com
domain www.holod24.by
HTTP/HTTPS requests
url http://positivebusinessimages.com/JJBZ2k/
url http://www.intermekatronik.com/cPIbc/
url http://www.holod24.by/Ushy/
url http://www.7.adborod.z8.ru/qpzJM8T/
url http://santehnika-kohler.ru/system/helper/4pKGw/
---------------------------------------------------
Main object- "tracking-number-and-invoice-of-your-order"
url http://www.euro-specialists.com/STATUS/tracking-number-and-invoice-of-your-order/
sha256 ceb070480f3fd618c25a3f6f418081e7d5a9f136b7fdc7dec42c36ed57756e97
sha1 396165596641f484c0aaed98e85eb852df1bff5f
md5 27e352533fac86b81835d22b7cf7d8e5
DNS requests
domain www.asdohasda.org
domain www.hoaphamxaydung.com
domain www.iconetworkllc.com
domain www.17184.p17.justsv.com
domain www.umjmnyqx.com
HTTP/HTTPS requests
url http://www.hoaphamxaydung.com/3y49s/
url http://www.iconetworkllc.com/IN3mtJj/
url http://www.umjmnyqx.com/t6pONVQ/
url http://www.asdohasda.org/vv28IS9/
url http://www.17184.p17.justsv.com/pUZdddm/
----------------------------------------------------
Main object- "UPS-Invoice-for-downloads-726.doc"
sha256 86ed28e677575a7f498aaeb8ef98613c896a9dd025e540f4f6d8e9afc6a8c51a
sha1 cb359655f6f78690e6fd5c7ac0920b55d45de919
md5 41df718f344c92e8a7ccb4a8b47b2452
[Duplicate payload drops]
----------------------------------------------------
Main object- "DEAXUW.exe"
sha256 e5bb3b427629cf817ca7372a44fba31365037ee50155027f49bf43aef7b47197
sha1 d1e5ad977fca95ce511923a431cb3fd126a8de3b
md5 66cd421eff9dfe084d0185b25f0b9132
HTTP/HTTPS requests
url http://47.188.131.94:443/
url http://217.91.43.150:7080/
url http://128.100.126.113/
url http://98.100.177.74:8080/
url http://46.4.100.178:8080/
url http://70.184.125.132:8080/
url http://76.72.225.30:465/
url http://203.45.184.52/
url http://70.168.7.6:443/
url http://23.239.2.11:8080/
url http://177.99.167.185:443/
url http://164.160.161.118:8080/
url http://75.152.52.109:8080/
url http://121.50.43.110:8080/
url http://115.78.95.230:443/
url http://24.119.116.230:990/
url http://46.38.238.8:8080/
url http://66.76.26.33:8080/
url http://87.248.77.159/
url http://110.143.116.201/
url http://206.255.140.203/
url http://71.244.60.231:4143/
url http://69.17.170.58/
url http://222.214.218.192:4143/
url http://191.242.178.46:443/
url http://149.62.173.247:8080/
url http://197.249.165.27:443/
url http://80.153.201.243:22/
url http://194.88.246.242:443/
url http://50.31.146.101:8080/
url http://24.217.117.217/
url http://78.47.182.42:8080/
url http://96.94.189.130:443/
url http://108.170.54.171:8080/
url http://184.186.78.177/
url http://189.236.94.20:995/
url http://216.105.170.139:4143/
url http://50.73.183.69/
----------------------------------------------
Main object- "rechnungszahlung-Nr0180_87.doc"
sha256 a9e46fe6f26eee23427740e1cb3aefee7cf9621684edaedb966d394725332b2f
sha1 0b82f9f55c7eb2b6f916134900ec4def45ef2ee5
md5 915e693de6a9bfd5997484c5c5e77654
DNS requests
domain www.healthy.gmsto.com
domain 024dna.cn
domain www.jxprint.ru
domain tecserv.us
domain techidra.com.br
HTTP/HTTPS requests
url http://techidra.com.br/eYE0Bjsz/
url http://www.healthy.gmsto.com/qrcC2Q/
url http://tecserv.us/TedsCars/gUSyoA7/
url http://www.jxprint.ru/Gj6zBk/
url http://024dna.cn/0rGSKVzu/
---------------------------------------------
Main object- "INV1928326040384393"
url http://www.amiralpalacehotel.com/Purchase/INV1928326040384393/
sha256 b3e0c3db94c18eed05404d8f29c8353b9601e170a4ed6456df5b7a77d2924e74
sha1 55649969127e11f54ce22166c3883259619359c9
md5 fa15a1e8911825f42fec1f9bce646ac2
DNS requests
domain www.17184.p17.justsv.com
domain www.iconetworkllc.com
domain www.asdohasda.org
domain www.umjmnyqx.com
domain www.hoaphamxaydung.com

[Duplication Payload Domains]
----------------------------------------------
Main object- "Rechnungs-fur-Zahlung"
url http://www.arrifa.com/Rechnungs-fur-Zahlung/
sha256 a5e5e88268b6edb1fa13cee068f6ecf8b5fb31ada12e9afebb5c2549812c1ef7
sha1 50afff58110dd9839697aa8b420ecd8a7243a6d5
md5 b9ab3017e2a694e3f7308059f32a1de7
DNS requests
domain www.createyourfuture.org.uk
domain the-grizz.com
domain pekny.eu
domain milldesign.com
domain thegilbertlawoffice.com
HTTP/HTTPS requests
url http://thegilbertlawoffice.com/Facturation/Kfa1i4MiD/
url http://the-grizz.com/gallery/g2data/hRjNssfWG/ <---- [OpenDir]
url http://milldesign.com/84TqhmkDOW/
url http://pekny.eu/nC5GuNE/
url http://www.createyourfuture.org.uk/z5h2FEnyt/
------------------------------------------------
Main object- "Rechnung_2018_06_395914984.doc"
sha256 afe37a79b49e80d09ab51400c291cb9d50b73cc561bb409c1d7b9c7bc3b002d0
sha1 7ca9a6a8bb7afaf3b96f2b2c7c97850c28bdfe97
md5 99b8d31f05e56d97ed335245110bf4ed
DNS requests
domain casamatamatera.it
domain www.qwqcpfhp.com
domain online-band.nl
domain cloudcapgames.com
domain windwardwake.com
HTTP/HTTPS requests
url http://windwardwake.com/YgRI/
url http://cloudcapgames.com/pSWMA/
url http://www.qwqcpfhp.com/7YMtk/
url http://casamatamatera.it/vvYa/
url http://online-band.nl/images/newspost_images/KXi68g/
--------------------------------------------------
Main object- "2018"
url http://www.beautifulgreat.com/RECH/Rechnung-vom-19/06/2018/
sha256 32bbbe9e913054ba09dcee52cbcd8b755ea77d8655567387baf28e343d0513ae
sha1 3fae4062f18ad138a609da44111697a093b0641b
md5 4222eb0aaf76b788d07d411673911695
DNS requests
domain www.17184.p17.justsv.com
domain www.asdohasda.org
domain www.umjmnyqx.com
domain www.iconetworkllc.com
domain www.hoaphamxaydung.com

[Duplication Payload Domains]
--------------------------------------------------
Main object- "Invoice-45490"
url http://houselight.com.br/Jun2018/Invoice-45490/
sha256 de0ecad318280b0dc89a7ee8251981b92b618cb14112369cf0f626b495c06804
sha1 0c12a081c04ff43ba62baab6deb4656f5ba5c4a7
md5 75be313380b9c6cc0cc2c4bd18687c31
DNS requests
domain www.hoaphamxaydung.com
domain www.iconetworkllc.com
domain www.asdohasda.org
domain www.17184.p17.justsv.com
domain www.umjmnyqx.com
HTTP/HTTPS requests
[Duplication Payload Domains]
---------------------------------------------------
url http://www.masozilan.info/YAL1Ah/
url http://skyleaders.com/OH7y4n2/
url http://amexx.sk/Z6JYZ/
url http://healthphysics.com.au/p0ACEU/
url http://zafado.com/aspnet_client/zWDjgqBG/