
Emotet IOCs as of Jan-16-2019 3:00PM US/Eastern Time

a guest
Jan 16th, 2019
sender addresses
---
adc056@quefacil.com.gt
adc56@quefacil.com.gt
admin1@recruitmentonline.in
ahmed@anjcarriers.com
bmgmemo@yourhostingaccount.com
claudia.macias@casco.com.mx
contabilidad1@inversionesincarven.com.ve
direccion@tirsa.com.mx
jamal@bmgint.net <jamal@yourhostingaccount.com>
jgatica@rossi.cl
maria@exelfuel.co.zw
omar.barajas@climaproyectos.com.mx
shirshova.ev@fnkc-fmba.ru

Observed some spoofed "Amazon.com <auto-confirm@amazon.com>" and "confirm@amazon.com" senders in the From header; the Return-Path addresses behind them are the ones listed above.
---
subject lines
---
Amazon Order #101-6822294-0962098
Amazon Order #187-9321422-0266725
Amazon order details
Amazon.com order
Amazon.com order payment
Your Amazon Order 127-0478391-0792781
---
[STATUS as of Jan 16 @ 3:00PM ET] link in email
---
[403 ERROR] hxxp://science-house.ir/cgi-bin/Amazon/Attachments/2019-01
[404 ERROR] hxxp://old.copyrightessentials.com/Amazon/Information/2019-01
[ACTIVE] hxxp://dekbedbedrukken.koffie-bekers.nl/Amazon/Clients/01_19
[ACTIVE] hxxp://liveloan.eu/Amazon/EN/Clients_Messages/01_19
[ACTIVE] hxxp://smtp.stepoutforsuccess.ca/Amazon/Attachments/012019
[ACTIVE] hxxp://sofathugian.vn/Amazon/EN/Payments/012019
[ACTIVE] hxxp://themanorcentralparknguyenxien.net/Amazon/Orders_details/012019
[ACTIVE] hxxp://www.themoonplease.com/Amazon/Clients/2019-01/
[ERROR] hxxp://bluepalm.tech/Amazon/En/Payments_details/012019
[NOT FOUND] hxxp://wellnessworkshop.ie/Amazon/EN/Clients_transactions/012019
---
SHA256 of files downloaded from emailed links
---
157ed6528400612ce534b91a4e164b80e0dfa1cd868f98590d0b8b52a55e2136
24b035e1db6b53be081385b1c68d75c1d540f15df2cbc24a8dec21a7bac0df91
44a5249e375a50281edafaeec52542cf65b2659b6435df021723f71ff97f1359
5fa4e47a7c6ee9631ac151bafb0feeef27408946f72ba34283504c1a3af6cd92
6cc677d1ac4b9cfe4a5c39da0555abf73b47f5831781da5184962e3ffe988f5f
7dcb7f8c653d3f2787a11a1d88c0960e441f5e86b986e8d0b848d28ef7402509
a76d5512199fbad3d171c7dc60c014ccb9f37bd8257be19a10208c6f88222565
a7e9e05453f45702a490cb39b8e41f43f364efb1deb687fbca0669d81db05344
b7fca84768b87804f9ec01ca78693c5ebf134c321f901bcae1936af997ac5d5b
c5ab3988752d04b3c483bad60a407e386987790716aed72cf50d04a01d10bc47
e5fdfb17d2b72ae4e8853face57b4cf43c3c1060ec49db55e137fbee13ca7d4b
ed460a6be43aafdd964fc75159f4b43ac7dfeaf9b33eb9ebc2efd5f7f00f2096
f5a3c7c73bcf3833808d643a9c9644c360aff6f64b9e68d2ed01f6273d2a681e
fce499a679daab4202a09972465acaf3b4a2df82a6efbe9d3972c0d043b70c01
ffe1eab5fba3de0241b6ed61201773458f38adfc7703b5b79a717336fecaf129

The majority of these files are on VirusTotal now; you can follow the chain there to the dropped executables and their C2.
---
additional sources on urlscan.io from today for those hashes
---
hxxp://7seotools.com/Amazon/En/Payments_details/01_19/
hxxp://azimut-volga.com/Amazon/Payments_details/2019-01
hxxp://bakerykervan.godohosting.com/wp-content/uploads/Amazon/En/Information/2019-01
hxxp://casetime.org/Rechnungs/01_19/
hxxp://emiratesprefab.ae/Amazon/En/Orders-details/012019/
hxxp://en.tag.ir/Amazon/Clients_transactions/012019
hxxp://expoluxo.com/Amazon/En/Clients_information/2019-01
hxxp://jameshunt.org/Rechnung/012019/
hxxp://leodruker.com/Amazon/EN/Transactions/012019/
hxxp://leonardokubrick.com/Amazon/Orders-details/012019/
hxxp://mahsew.com/AMAZON/Transaction_details/012019/
hxxp://mataukitaip.ekovalstybe.lt/Documents/01_19
hxxp://maverick-advisory.fr/AMAZON/Details/012019/
hxxp://mingroups.vn/Transactions/012019
hxxp://newwayit.vn/admin/Clients_information/012019
hxxp://old.polskamasens.pl/Amazon/Transactions/2019-01/
hxxp://orderout.nl/Amazon/Clients_transactions/012019
hxxp://qualitybeverages.co.za/Amazon/Clients_transactions/012019/
hxxp://ragainesvaldos.ekovalstybe.lt/Payments/01_19
hxxp://rampp.ir/wp-content/Amazon/Information/01_19/
hxxp://sabugoventures.co.ke/Documents/012019/
hxxp://seitenstreifen.ch/Attachments/01_19
hxxp://voldprotekt.com/Amazon/EN/Information/01_19/
hxxp://weddingstudio.com.my/Messages/2019-01
hxxp://www.ayokerja.org/AMAZON/Clients/012019/
hxxp://www.comparto.com.br/Amazon/Clients/01_19/
hxxp://www.iain-padangsidimpuan.ac.id/Payment_details/2019-01
hxxp://www.lagis.com.tw/ktPF-Fc8Pm_heXXiUK-HWE/Clients_Messages/012019
hxxp://www.rokiatraore.net/Transaction_details/2019-01
hxxp://www.wholehealthcrew.com/Amazon/Documents/01_19/
hxxp://zidanmeubel.com/Amazon/EN/Payments_details/012019/
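Both URL lists above share one structure: a lure-themed directory path (Amazon, Clients, Payments, Rechnung, Documents and so on) ending in a January-2019 token, written as 2019-01, 01_19 or 012019. The following Python is an added example, not part of the original paste: it parses the defanged, status-tagged list into a host blocklist, derives a path heuristic from that shared structure, and runs both over proxy log lines. The indicator strings inside IOC_TEXT are copied from the paste; the proxy log lines, the log format and every function name are constructed for this demonstration.

```python
"""Host blocklist + URL-path heuristic built from the defanged Emotet link list,
run over constructed proxy log lines. Added example; not the paste author's code."""
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Subset of the defanged links from the paste; the status tag is optional
# because the second list in the paste carries none.
IOC_TEXT = """\
[403 ERROR] hxxp://science-house.ir/cgi-bin/Amazon/Attachments/2019-01
[ACTIVE] hxxp://dekbedbedrukken.koffie-bekers.nl/Amazon/Clients/01_19
[ACTIVE] hxxp://liveloan.eu/Amazon/EN/Clients_Messages/01_19
[NOT FOUND] hxxp://wellnessworkshop.ie/Amazon/EN/Clients_transactions/012019
hxxp://casetime.org/Rechnungs/01_19/
hxxp://mataukitaip.ekovalstybe.lt/Documents/01_19
hxxp://www.lagis.com.tw/ktPF-Fc8Pm_heXXiUK-HWE/Clients_Messages/012019
"""

# "[STATUS] hxxp://..." or a bare "hxxp://..." line.
STATUS_LINE = re.compile(r"^(?:\[(?P<status>[^\]]+)\]\s+)?(?P<url>hxxps?://\S+)$")

# Path shape seen across the whole paste: one or more directory components,
# then a January-2019 token, optional trailing slash, nothing after it.
LURE_PATH = re.compile(r"^/(?:[A-Za-z0-9_-]+/)+(?:2019-01|01_19|012019)/?$")

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
PROXY_LOG = """\
2019-01-16T15:02:11Z 10.0.0.12 GET http://liveloan.eu/Amazon/EN/Clients_Messages/01_19 200
2019-01-16T15:02:15Z 10.0.0.12 GET http://www.amazon.com/gp/css/order-history 200
2019-01-16T15:03:40Z 10.0.0.31 GET http://example-blog.test/Amazon/Orders_details/012019/ 200
2019-01-16T15:04:02Z 10.0.0.31 GET http://cdn.example.test/static/2019-01/style.css 200
2019-01-16T15:05:19Z 10.0.0.44 GET http://CaseTime.org/Rechnungs/01_19/ 404
"""


def refang(url: str) -> str:
    """Undo hxxp:// defanging so the URL parses normally."""
    return re.sub(r"^hxxp", "http", url, count=1)


def parse_iocs(text: str) -> List[Tuple[str, str]]:
    """Return (status, refanged_url) pairs; status is 'UNKNOWN' when absent."""
    out: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = STATUS_LINE.match(line.strip())
        if m:
            out.append((m.group("status") or "UNKNOWN", refang(m.group("url"))))
    return out


def hosts_from_iocs(iocs: List[Tuple[str, str]]) -> Set[str]:
    """Lower-cased hostnames for exact matching; the status tag is ignored
    because a 404 today may be back up tomorrow."""
    return {(urlsplit(url).hostname or "").lower() for _, url in iocs}


def path_looks_like_lure(url: str) -> bool:
    """True when the URL path has the shared lure shape, regardless of host."""
    return bool(LURE_PATH.match(urlsplit(url).path))


def scan_proxy_log(log: str, iocs: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Flag log lines by known host, by path heuristic, or both."""
    known_hosts = hosts_from_iocs(iocs)
    hits: List[Dict[str, object]] = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, _method, url, _status = parts[:5]
        reasons = []
        if (urlsplit(url).hostname or "").lower() in known_hosts:
            reasons.append("known-host")
        if path_looks_like_lure(url):
            reasons.append("lure-path")
        if reasons:
            hits.append({"time": ts, "client": client, "url": url, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG, parse_iocs(IOC_TEXT)):
        print(hit["time"], hit["client"], ",".join(hit["reasons"]), hit["url"])
```

The exact-host match catches the listed infrastructure; the path heuristic is what catches the third log line, a host not in the paste that serves the same lure path shape, which is the case a blocklist alone misses. The fourth line shows why the pattern is anchored to the end of the path: a static asset under a 2019-01 directory does not match.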