jroosen

Emotet Malware IoCs 2020/01/06

Jan 6th, 2020
## Emotet Malware IOCs for 01/06/20 as of 01/06/20 17:15 EST ##
*Notes and Credits at the bottom.* Follow us on Twitter @cryptolaemus1 for more updates.

#### SHA256s for Epoch 1 Loader EXEs ####
```
2aaf8fee56c6232db176c8676de16351b92fb8398ddcd299ba61a2eabd72d5d6
df6918aab03242b0a42ec4cf1f4258e3b57df8441c4743aae9985f89f5c4bb65
771a1f4b303dc2c4c50763091ca9cefa80b3c46cda0a2d82d4f5276c850d2ef2
d79abaa339b8b6e9ae8ac82edbaa139e32e0c82fe9f540d49372a7cfc8a1212f
9dff074ff1529d16d8c2e5acf3a4773cbd20789da573804ccfd35f5521defeb2
6a97c158536273e8b84faafc44b9c31ff463bfb2bdd02093fd585fb70f159c73
bae3bbbdd1f2e4478de579548c41a1c98eaac07cfa4e2ebb20e1f2d46e0b0b62
219da8349484f4746f08b3f79771cfdb426d9a8b29ef1cbc2eeff5c4b59f7519
458cac23702ba41e788b1a37adf1dca87df3f4c13a8676fad4084ba33890fd36
e3b79adf7e0429d33e2545894ab2351547de1e17e705ff75dffb8310466974e7
888e5f4f2a1729724ff35c899984735534fcd8e64a853524e4c7f3cb6cd6af41
a611c93296c6babd00cf06ff2a811e14c510f77cf86d7b7e59fdf7a83b1065ca
8dd7a0e0daee637f049a6e08d5c7ba935f6f7075acce2ff6f4c8a0aea3b3ca38
12a399dd6446b57fdd4bb50d38b0e7fb4290cb0ae9437486b305dbe8db206b87
```
#### SHA256s for Epoch 2 Loader EXEs ####
```
cd47457850c6326e64e66ed3f2eb935bee45bab0738599244903b727014e405e
c5128fe6d59d35cfbc6555d52ce624a3262f3ce407df3b584dc5fabe0822c539
2b37ddaf408bcec8b47d797d77653442d272c7ed10e079ff8d9bfee26527bd02
1d7a6ba97c39065178e1e37a7bfbc971cb5ddb8890e993ac519f59c77727b8e7
84d0235b0e47572cfe1533f3614c76ebd4bcdb552612625fd8a2000e124da3b9
d21e42ebeab12bf7b50e845d769dd59e16e2f2d8bbcdd2a1786b46bc76f2fae7
109e8295a026646fc73936199fc99d122f880ae7a30e0573f195dc76ba27c615
7d315266bacd384196ddd36e0209a9b58948a88b437ba28d4841624fbb344796
9d5811b4a1f6931ae46f517a92e73909f0ff7aaa6c2a152ea6c5ab72027e251f
5a2ea528794f6e5ead09d7b85f7009c97d20f6f172d789bb8f952592ab93cc8d
c0ff16afbc8840e484d2d0df166cf1069f806c10d73817b76b989ce4a77029bf
149dc8a7f0fc161dc4123ebc6200bba1c02d07081602b67151d9fdade2b08d27
d63c896de55d6e7ea7ee1602bb214a91da1bcc781ca5c4c90bc84e8d89e06e38
e4a4ebe7c54fa7cf2b615d46427a7442f317addf64586ce8bc2947b9d04782c2
```
#### SHA256s for Epoch 3 Loader EXEs ####
```
7ba00d10e9e86a523e14feb18c7c9a0e9f76e586d21c69185cae5c09070cb184
11e7cf800404c2e4a4d7bb5681d84753bcd2c8bb929ab6ba2f96a4cd6ddb80dc
306bf9287ae2975436a2faf0576b568bbc63bd511c82a019a7ba3bc8481377b5
653d683fcfa7b7f24fc52dea7d51d85e9ed0a3e8b7d521f014f264fd97df3e26
e3845bb9c6b12677868e6252d475ac7264a05dc227745a1284ae0f4a3363a759
58854666e2430081a2c13a1e07362986600a3dca244d1cbadfd93c8fd03c9f33
0df7364370cd694a6e3abd8145a3d12736cb93a38b76dca5bfc9b28ad22966a7
cb580a9291d90ce09a98857bb35b43a1013e271b44351e22286b8f0ff200905c
c386d4c9468beca0a8def97ce9af0e47802425967f6b433963449f2d43582472
b428fa0ebd44bc6d12c2d7614202aed223e1dc11491909cb5d8778554e5393b6
7a10d338086bf1a6970189dd4e77ff3c6a07854778f4c37563a91262e8d4bae6
6b94ea2b4e49a5d30527cdec685d23de7bba64f2bf1fa575098270d2e9d31382
e584dfdee795745dcf1724d64ea00ba6e9a4fdf0c57d566bec66cda8363a33ed
a76e2ce58627be8ad2f6e6f9826396c26f6c0d63a334ff101522c45b04eb5de3
```

### C2s Per Epoch ###

#### Epoch 1 C2s ####
```
45.73.157.243:8080
190.195.129.227:8090
177.92.14.34:80
45.79.95.107:443
69.163.33.84:8080
104.131.58.132:8080
68.183.190.199:8080
190.210.184.138:995
200.58.83.179:80
216.251.83.79:80
177.242.21.126:80
187.54.225.76:80
14.160.93.230:80
212.71.237.140:8080
159.203.204.126:8080
217.199.160.224:8080
46.101.212.195:8080
46.28.111.142:7080
185.86.148.222:8080
2.45.112.134:80
114.109.179.60:80
113.190.254.245:80
82.196.15.205:8080
68.174.15.223:80
94.200.114.162:80
151.237.36.220:80
5.88.27.67:8080
62.15.36.103:443
96.61.113.203:80
62.75.160.178:8080
58.162.218.151:80
186.15.83.52:8080
109.169.86.13:8080
45.8.136.201:80
175.114.178.83:443
190.186.164.23:80
165.228.195.93:80
177.34.142.163:80
203.25.159.3:8080
142.93.114.137:8080
83.248.141.198:80
177.180.115.224:80
110.170.65.146:80
181.231.220.232:80
189.19.81.181:443
68.187.160.28:443
113.61.76.239:80
185.160.229.26:80
200.55.53.7:80
212.253.82.142:443
179.208.84.218:8080
185.160.212.3:80
202.62.39.111:80
37.120.185.153:443
63.248.198.8:80
201.213.100.141:8080
118.36.70.245:80
86.42.166.147:80
14.201.35.38:80
149.62.173.247:8080
125.99.61.162:7080
190.210.236.139:80
80.11.158.65:8080
190.151.5.130:443
94.200.126.42:80
200.123.183.137:443
37.187.6.63:8080
203.130.0.69:80
72.29.55.174:80
2.42.173.240:80
59.120.5.154:80
79.7.158.208:80
120.150.247.164:80
144.139.56.105:80
190.100.153.162:443
188.218.104.226:80
181.36.42.205:443
207.154.204.40:8080
91.117.159.233:80
93.144.226.57:80
200.82.170.231:80
91.74.175.46:80
68.183.170.114:8080
138.68.106.4:7080
189.26.118.194:80
5.196.35.138:7080
77.55.211.77:8080
177.103.159.44:80
62.75.143.100:7080
91.83.93.124:7080
50.28.51.143:8080
73.60.8.210:80
191.103.76.34:443
79.7.114.1:80
119.59.124.163:8080
189.201.197.98:8080
2.47.112.72:80
91.205.215.57:7080
192.241.146.84:8080
190.191.82.216:80
139.162.118.88:8080
190.219.149.236:80
97.120.32.227:80
201.213.32.59:80
178.79.163.131:8080
181.10.204.106:80
110.142.161.90:443
87.106.46.107:8080
190.38.152.143:80
58.171.38.26:80
190.17.44.48:80
186.68.48.204:443
87.106.77.40:7080
188.135.15.49:80
187.188.166.192:8080
82.8.232.51:80
188.216.24.204:80
191.183.21.190:80
181.198.203.45:443
```
#### Epoch 1 - Spam C2s ####
```
not active
```
#### Epoch 1 - Stealer C2s ####
```
51.159.23.217:443
75.127.72.18:8080
190.115.18.139:8080
```
#### Current Epoch 1 RSA Public Key ####
```
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOmlscqbEIhLjVsj9r3eYacKi6C+Qrua
j5TlU+pn3zc0k06qCoahFXBBGnYMotHQc6OwfBKwHWm831LIVg29kEjT8UYxnN5v
fzNGgqXTe25QARf78CsQqqN/ImKdXo+GFwIDAQAB
```
#### Epoch 2 C2s ####
```
47.180.91.213:80
181.143.126.170:80
186.86.247.171:443
136.243.250.34:8080
104.131.44.150:8080
167.71.10.37:8080
192.241.255.77:8080
59.103.164.174:80
176.106.183.253:8080
50.116.86.205:8080
37.157.194.134:443
182.176.132.213:8090
2.237.76.249:80
209.97.168.52:8080
73.217.39.73:80
173.66.96.135:80
201.184.105.242:443
5.32.55.214:80
201.173.217.124:443
160.16.215.66:8080
91.73.197.90:80
200.21.90.5:443
24.181.125.62:80
87.230.19.21:8080
64.53.242.181:8080
173.91.11.142:80
47.153.183.211:80
104.131.11.150:8080
181.126.70.117:80
41.60.200.34:80
62.75.187.192:8080
178.237.139.83:8080
92.222.216.44:8080
24.94.237.248:80
5.196.74.210:8080
108.191.2.72:80
139.130.242.43:80
91.205.215.66:443
98.30.113.161:80
173.21.26.90:80
210.6.85.121:80
45.51.40.140:80
5.154.58.24:80
223.197.185.60:80
206.81.10.215:8080
104.236.246.93:8080
58.171.42.66:8080
209.141.54.221:8080
110.142.38.16:80
190.220.19.82:443
59.8.197.241:80
103.86.49.11:8080
88.249.120.205:80
87.106.136.232:8080
66.34.201.20:7080
169.239.182.217:8080
190.53.135.159:21
190.189.224.117:443
93.147.141.5:80
195.244.215.206:80
62.138.26.28:8080
188.0.135.237:80
108.179.206.219:8080
121.88.5.176:443
180.92.239.110:8080
139.130.241.252:443
174.77.190.137:8080
79.159.249.152:80
47.6.15.79:80
78.24.219.147:8080
178.153.176.124:80
189.203.177.41:443
98.156.206.153:80
120.150.246.241:80
120.151.135.224:80
76.164.99.46:80
46.105.131.87:80
190.117.226.104:80
110.143.84.202:80
87.106.139.101:8080
185.144.138.190:80
190.55.181.54:443
24.105.202.216:443
159.65.25.128:8080
70.46.247.81:80
211.63.71.72:8080
183.101.175.193:80
70.169.53.234:80
31.31.77.83:443
116.48.142.21:443
200.116.145.225:443
206.189.112.148:8080
60.231.217.199:8080
179.13.185.19:80
47.6.15.79:443
95.128.43.213:8080
85.67.10.190:80
149.202.153.252:8080
190.162.159.212:80
73.11.153.178:8080
217.160.182.191:8080
183.102.238.69:465
31.172.240.91:8080
45.33.49.124:443
209.146.22.34:443
47.156.70.145:80
189.179.108.157:80
190.12.119.180:443
```
#### Epoch 2 - Spam C2s ####
```
not active
```
#### Epoch 2 - Stealer C2s ####
```
168.235.67.138:8080
139.162.183.41:443
46.101.7.140:8080
```
#### Current Epoch 2 RSA Public Key ####
```
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKl4M80uy0jcxUiFIaJJyxgHVVnFtCq6
bi6f2xXPh/XUZNyN8UXDe5HzhTc4kwon9MBZffNwFOIc61QfV3K3YzEI/ktcyNqK
LS67ONxsVep769QdiVQJXrIaFjMXKz6viwIDAQAB
```
#### Epoch 3 C2s ####
```
196.6.119.137:80
86.108.77.73:443
91.73.169.210:80
91.205.173.150:8080
168.235.82.183:8080
198.57.217.170:7080
192.163.221.191:7080
110.142.161.90:80
1.217.126.11:443
1.221.254.82:80
112.68.254.127:80
41.185.29.128:8080
69.30.205.162:7080
197.94.32.129:8080
124.150.175.133:80
124.150.175.129:8080
50.116.78.109:8080
78.210.132.35:80
212.129.14.27:8080
189.225.211.171:443
201.137.247.222:443
157.7.164.178:8081
203.124.57.50:80
112.186.195.176:80
193.33.38.208:443
88.248.140.80:80
105.209.235.113:8080
42.51.192.231:8080
95.216.207.86:7080
211.42.204.154:80
180.33.6.136:443
181.53.29.136:8080
190.201.144.85:7080
88.247.26.78:80
82.79.244.92:80
78.189.165.52:8080
192.241.220.183:8080
75.86.6.174:80
139.59.12.63:8080
158.69.167.246:8080
185.192.75.240:443
162.144.46.90:8080
203.153.216.178:7080
110.2.118.164:80
200.41.121.69:443
212.112.113.235:80
216.75.37.196:8080
192.210.217.94:8080
95.9.217.200:8080
114.179.127.48:80
201.183.251.100:80
46.17.6.116:8080
82.165.15.188:8080
191.100.24.201:50000
177.144.130.105:443
138.197.140.163:8080
91.83.93.103:443
91.117.31.181:80
78.189.60.109:443
190.17.94.108:443
122.116.104.238:7080
58.185.224.18:80
210.224.65.117:80
144.139.91.187:80
190.171.153.139:80
37.46.129.215:8080
181.196.27.123:80
85.100.122.211:80
69.14.208.221:80
94.203.236.122:80
91.117.131.122:80
67.254.196.78:443
183.87.40.21:8080
85.109.190.235:443
217.12.70.226:80
195.201.56.70:8080
66.229.161.86:443
210.171.146.118:80
142.93.87.198:8080
83.156.88.159:80
5.178.245.100:80
179.5.118.12:8080
87.9.181.247:80
200.45.187.90:80
198.199.112.197:8080
72.51.153.27:80
175.127.140.68:80
186.177.174.163:80
46.32.229.152:8080
51.77.113.97:8080
37.59.24.25:8080
98.15.140.226:80
200.82.88.254:80
185.244.167.25:443
78.46.87.133:8080
51.38.134.203:8080
88.249.181.198:443
182.187.137.199:8080
188.251.213.180:443
89.215.225.15:80
37.70.131.107:80
182.176.116.139:995
192.241.241.221:443
172.104.70.207:8080
210.111.160.220:80
113.52.135.33:7080
190.93.210.113:80
220.78.29.88:80
160.119.153.20:80
95.216.212.157:8080
14.161.30.33:443
156.155.163.232:80
95.130.37.244:443
82.146.55.23:7080
72.27.212.209:8080
186.84.173.136:8080
187.72.47.161:443
23.253.207.142:8080
181.167.35.84:80
98.178.241.106:80
78.186.102.195:80
176.58.93.123:80
190.5.162.204:80
41.77.74.214:443
```
#### Epoch 3 - Spam C2s ####
```
not active
```
#### Epoch 3 - Stealer C2s ####
```
198.46.150.196:7080
178.32.255.133:443
178.63.78.150:8080
```
#### Current Epoch 3 RSA Public Key ####
```
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMqZMACZDzcRXuSnj2OI8LeIYKrbUIXL
faUgIJPwYd305HnaBS2AfA0R+oPxT32r+3BbayI3KguqAn3E+rbwtLhqhOXOlTnY
7yvG4ufmwCCkRzc6Sq8baToxmd6y523AIQIDAQAB
```
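The three "Current Epoch N RSA Public Key" blobs above are base64 DER SubjectPublicKeyInfo structures, and the key is what distinguishes one epoch from another when the C2 lists overlap. As an added example that is not part of the Cryptolaemus paste, the stdlib-only Python below walks the DER far enough to report modulus size and public exponent and to fingerprint the raw key, which is enough to notice when an epoch rotates its key. The E1/E2/E3 labels are this example's own; the key strings are copied verbatim from the sections above.

```python
import base64
import hashlib

# The three "Current Epoch N RSA Public Key" blobs exactly as pasted above (E1/E2/E3 labels are ours).
EPOCH_KEYS = {
    "E1": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOmlscqbEIhLjVsj9r3eYacKi6C+Qrua"
          "j5TlU+pn3zc0k06qCoahFXBBGnYMotHQc6OwfBKwHWm831LIVg29kEjT8UYxnN5v"
          "fzNGgqXTe25QARf78CsQqqN/ImKdXo+GFwIDAQAB",
    "E2": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKl4M80uy0jcxUiFIaJJyxgHVVnFtCq6"
          "bi6f2xXPh/XUZNyN8UXDe5HzhTc4kwon9MBZffNwFOIc61QfV3K3YzEI/ktcyNqK"
          "LS67ONxsVep769QdiVQJXrIaFjMXKz6viwIDAQAB",
    "E3": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMqZMACZDzcRXuSnj2OI8LeIYKrbUIXL"
          "faUgIJPwYd305HnaBS2AfA0R+oPxT32r+3BbayI3KguqAn3E+rbwtLhqhOXOlTnY"
          "7yvG4ufmwCCkRzc6Sq8baToxmd6y523AIQIDAQAB",
}

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def read_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def expect(tag, want, what):
    if tag != want:
        raise ValueError(f"{what}: expected tag 0x{want:02x}, got 0x{tag:02x}")


def parse_rsa_spki(der):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and return (n, e)."""
    tag, spki, _ = read_tlv(der, 0)
    expect(tag, 0x30, "SubjectPublicKeyInfo")
    tag, alg, pos = read_tlv(spki, 0)       # AlgorithmIdentifier { OID, NULL }
    expect(tag, 0x30, "AlgorithmIdentifier")
    tag, oid, _ = read_tlv(alg, 0)
    expect(tag, 0x06, "algorithm OID")
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = read_tlv(spki, pos)      # subjectPublicKey BIT STRING
    expect(tag, 0x03, "subjectPublicKey")
    if bits[0] != 0:
        raise ValueError("unexpected unused-bits count in BIT STRING")
    tag, rsa, _ = read_tlv(bits, 1)         # RSAPublicKey ::= SEQUENCE { modulus, publicExponent }
    expect(tag, 0x30, "RSAPublicKey")
    tag, n_bytes, pos = read_tlv(rsa, 0)
    expect(tag, 0x02, "modulus")
    tag, e_bytes, _ = read_tlv(rsa, pos)
    expect(tag, 0x02, "publicExponent")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def key_summary(b64):
    """Return (modulus_bits, exponent, sha256 of the DER) for one pasted key."""
    der = base64.b64decode(b64)
    n, e = parse_rsa_spki(der)
    return n.bit_length(), e, hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    for epoch, b64 in EPOCH_KEYS.items():
        bits, e, fp = key_summary(b64)
        print(f"{epoch}: RSA-{bits} e={e} sha256(DER)={fp}")
```

All three keys decode as 768-bit RSA with e=65537; the SHA256 of the DER is a convenient handle for tracking key changes across daily reports.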
#### Credits ####
```
Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:

Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161

C2 info/RSA Keys - @CapeSandbox, @unixronin, @devnullnoop, @MalwareTechBlog, @lazyactivist192, @papa_anniekey, @Paladin3161,
@executemalware, @luc4m, @SecSome

Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @p5yb34m, @malware_traffic, @Paladin3161, @ps66uk,
@bomccss, @reecdeep, @CholeVallabh, @papa_anniekey, @JAMESWT_MHT, @executemalware, @SecSome, Anonymous :)

Spam Templates - @devnullnoop, @lazyactivist192, Anonymous :)

Special thanks to @lazyactivist192, @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/
infrastructure and helping out with this!

Very special thanks to @Binary_Defense, @lazyactivist192, @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project
https://github.com/decalage2/ViperMonkey, @digitalocean, @mploessel, @anyrun_app, @unixronin, @hurricanelabs, @MalwareTechBlog,
@KryptosLogic, @0xtadavie, @MsftSecIntel, @abuse_ch/urlhaus.abuse.ch, @urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal
for providing services/software at no charge to this cause!

```
### Daily Log 01/06/20 ###
```
UPDATE: 1915 UTC: Looks like Ivan/Yuri (the intern) was not pleased with me posting this and changed all 3 botnets shortly after
I published the previous report. The 2nd change today is listed in the "Second Run after 1915UTC:" section below and all totals
are updated.

This report was gathered by @ps66uk and @jroosen.

@JRoosen here - Ivan is still on break and not actively spamming at all. Talk out there is we won't see Ivan and the Emotet gang
back on distro until the week of 01/13/20 or 01/21/20. We are seeing loader C2 updates at a rate of about 1-3 per day on each botnet.
Surprisingly, we are already seeing a decrease of C2 combos on each botnet. E2 had the steepest drop and now clocks in at 106.
Nothing else major to report at this time.

```
#### General News ####
```

@JayTHL sums up some Emotet metrics on how fast payloads are being accessed and by whom:
https://twitter.com/JayTHL/status/1214075722828001280

@GossiTheDog, @James_inthe_box, @malware_traffic, @VK_Intel and @Zackwhittaker all shared an interesting Trickbot loader that
may be being used while Emotet is not doing distro. gtag wecanxx:
https://twitter.com/zackwhittaker/status/1213226099762761728
https://twitter.com/GossiTheDog/status/1213239990425178112
https://twitter.com/VK_Intel/status/1213253987492864000
https://twitter.com/James_inthe_box/status/1213108964532994048

Catalin Cimpanu (@campuscodi) fixed the Emotet Wikipedia link to no longer call it a Banking Trojan. :)
https://twitter.com/campuscodi/status/1213192441815293953

Cofense did a Phish Fryday segment on Emotet:
https://twitter.com/Cofense/status/1213142051627438081

@pollo290987 did a summary of all the Emotet seen from September till December 20th:
https://twitter.com/pollo290987/status/1212936450515320832

```
#### Loader Report ####
```
Payloads and C2 report has been combined into this section and it is now known as the Loader Report.
_____________
Reminder:
EXE naming convention changed 2019/11/14. The new names will be 2 of any of the following list of words:
texas,func,deploy,run,leel,stuck,def,print,hal,monthly,pdf,char,netsh,memo,trns,rds,maker,more,textto,
chunker,mailbox,compon,shades,scan,non,wsat,speed,publish,manual,hant,inbox,malert,zap,fill,angle,wrap,
boost,cors,iplk,sitka,wow,prints,acquire,wiz,smo,footer,attrib,group,appid,xcl,sensor,methods,ipmi,raw,
title,nic,ias,lua,dispid,special,serial,wsa,tcg,msp
______________

C2 Deltas:
E1 now 119 combos, was 127 for a net -8
E2 now 108 combos, was 127 for a net -19
E3 now 124 combos, was 127 for a net -3

Most of the E1 additions are brand new and not seen before. The other 2 were about 50% new again. This is the first time in
a while that Ivan has cut the number of C2s which means that we have hit the peak of the period they wanted coverage for. This
is likely further evidence that we will be seeing them back before the month is out.

UPDATE: 1915 UTC: Looks like Ivan/Yuri (the intern) was not pleased with me posting this and changed all 3 botnets shortly after
I published the previous report. The 2nd change today is listed in the "Second Run after 1915UTC:" section below and all totals
are updated.

---
E1 -

Dropped:
144.217.117.207:8080
104.236.137.72:8080
51.255.165.160:8080
183.99.239.141:80
91.191.206.60:443
181.61.143.177:80
163.172.40.218:7080
220.255.57.31:80
190.74.246.158:8080
200.124.225.32:80
112.218.134.227:80
91.117.83.59:80
219.75.66.103:80
223.255.148.134:80
190.161.180.184:80
85.152.208.146:80

Second Run after 1915UTC:
190.231.42.130:80
83.165.78.227:80
99.252.27.6:80
200.119.11.118:443
179.159.198.70:80
212.237.50.61:8080
74.79.103.55:80

Added:
187.54.225.76:80
190.231.42.130:80
190.38.152.143:80
120.150.247.164:80
200.82.170.231:80
91.117.159.233:80
179.208.84.218:8080
189.26.118.194:80
189.201.197.98:8080
2.47.112.72:80

Second Run after 1915UTC:
45.73.157.243:8080
190.195.129.227:8090
177.92.14.34:80
201.213.100.141:8080
190.191.82.216:80

---
E2

Dropped:
159.69.89.130:8080
59.148.227.190:80
74.105.102.97:8080
64.147.15.138:80
71.83.82.123:8080
108.20.69.44:80
184.167.148.162:80
66.209.97.122:8080
174.81.132.128:80
2.235.190.23:8080
100.14.117.137:80
70.175.171.251:80
173.12.14.133:8080
37.59.24.177:8080
66.25.34.20:80
176.31.200.130:8080
1.215.28.101:8080
101.187.247.29:80
31.177.54.196:443
12.176.19.218:80
173.247.19.238:80
188.152.7.140:80
186.67.208.78:8080
178.210.51.222:8080
128.65.154.183:443
47.149.28.234:80
138.59.177.106:443
138.122.5.214:8080
219.78.255.48:80
107.170.24.125:8080
67.225.179.64:8080
186.75.241.230:80
68.118.26.116:80
86.98.156.239:443
101.187.134.207:443
104.137.176.186:80
73.214.99.25:80
144.139.247.220:80
85.152.174.56:80
200.114.167.85:80
46.216.60.138:80
82.27.181.93:80
2.38.99.79:80
189.159.115.178:8080

Second Run after 1915UTC:
165.227.156.155:443
167.99.105.223:7080
186.4.172.5:8080

Added:
189.203.177.41:443
139.130.242.43:80
178.153.176.124:80
190.55.181.54:443
173.91.11.142:80
73.217.39.73:80
201.184.105.242:443
185.144.138.190:80
173.66.96.135:80
110.143.84.202:80
98.30.113.161:80
88.249.120.205:80
41.60.200.34:80
62.75.187.192:8080
174.77.190.137:8080
73.11.153.178:8080
60.231.217.199:8080
79.159.249.152:80
181.126.70.117:80
183.102.238.69:465
62.138.26.28:8080
5.32.55.214:80
183.101.175.193:80

Second Run after 1915UTC:
47.180.91.213:80
181.143.126.170:80
186.86.247.171:443
223.197.185.60:80
189.179.108.157:80

---
E3

Dropped:
5.189.148.98:8080
192.161.190.171:8080
175.103.239.50:80
211.48.165.9:443
120.51.83.89:443
203.160.173.202:80
190.231.210.35:80
190.161.67.63:80
108.184.9.44:80
46.105.131.68:8080
165.100.148.200:8080
92.16.222.156:80
41.111.190.94:80
190.171.135.235:80
201.196.15.79:990
163.172.97.112:8080
24.28.178.71:80
221.154.59.110:80
103.108.146.195:80
81.82.247.216:80
178.134.1.238:80
189.61.200.9:443
190.47.236.83:80
59.158.164.66:443
156.155.163.232:80
85.235.219.74:80
115.179.91.58:80
217.181.139.237:443

Second Run after 1915UTC:
190.38.252.45:443
154.120.227.190:443
187.250.92.82:80
177.103.240.93:80

Added:
88.249.181.198:443
183.87.40.21:8080
75.86.6.174:80
91.205.173.150:8080
168.235.82.183:8080
198.57.217.170:7080
192.163.221.191:7080
190.201.144.85:7080
201.137.247.222:443
212.112.113.235:80
91.83.93.103:443
192.241.241.221:443
200.82.88.254:80
78.210.132.35:80
217.12.70.226:80
113.52.135.33:7080
78.186.102.195:80
82.79.244.92:80
181.196.27.123:80
198.199.112.197:8080
180.33.6.136:443
1.217.126.11:443
211.42.204.154:80
1.221.254.82:80

Second Run after 1915UTC:
196.6.119.137:80
86.108.77.73:443
91.73.169.210:80
112.68.254.127:80
156.155.163.232:80

```
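Two pieces of the Loader Report above lend themselves to code: the two-word EXE naming convention, and the Dropped/Added deltas between one day's C2 list and the next. The Python below is an added example, not part of the Cryptolaemus paste. The word list is copied from the reminder above; it assumes (the paste does not say) that the two words are concatenated with nothing between them and that the file keeps an .exe extension. The sample image paths and the two tiny C2 snapshots are constructed, though the C2 entries themselves are taken from the E1 lists above.

```python
import re

# Word list copied from the Loader Report reminder above.
NAME_WORDS = (
    "texas,func,deploy,run,leel,stuck,def,print,hal,monthly,pdf,char,netsh,memo,trns,rds,maker,more,textto,"
    "chunker,mailbox,compon,shades,scan,non,wsat,speed,publish,manual,hant,inbox,malert,zap,fill,angle,wrap,"
    "boost,cors,iplk,sitka,wow,prints,acquire,wiz,smo,footer,attrib,group,appid,xcl,sensor,methods,ipmi,raw,"
    "title,nic,ias,lua,dispid,special,serial,wsa,tcg,msp"
).split(",")

# Assumption (the paste only says "2 of any of the following words"): the two words are
# concatenated with nothing between them and the file keeps an .exe extension.
_WORD = "|".join(re.escape(w) for w in NAME_WORDS)
EMOTET_NAME_RE = re.compile(rf"^({_WORD})({_WORD})\.exe$", re.IGNORECASE)


def match_emotet_name(filename):
    """Return the (word1, word2) split if filename follows the convention, else None.
    re backtracks across the alternation, so 'printsensor.exe' resolves to ('print', 'sensor')."""
    m = EMOTET_NAME_RE.match(filename)
    return (m.group(1).lower(), m.group(2).lower()) if m else None


def suspicious_images(paths):
    """Return (path, (word1, word2)) for every image whose basename follows the convention."""
    out = []
    for p in paths:
        hit = match_emotet_name(p.replace("\\", "/").rsplit("/", 1)[-1])
        if hit:
            out.append((p, hit))
    return out


def c2_delta(previous, current):
    """Compute the Dropped/Added lists the Loader Report tracks between two C2 snapshots."""
    prev, cur = set(previous), set(current)
    return sorted(prev - cur), sorted(cur - prev)


# Constructed sample: process-creation image paths as an EDR or Sysmon feed might report them.
SAMPLE_IMAGES = [
    r"C:\Users\victim\AppData\Local\wrapmonthly\wrapmonthly.exe",
    r"C:\Windows\System32\netsh.exe",
    r"C:\Users\victim\Downloads\printsensor.exe",
    r"C:\Program Files\Vendor\setup.exe",
]

# Constructed two-entry snapshots using entries from the E1 Dropped/Added lists above.
YESTERDAY_E1 = ["144.217.117.207:8080", "45.79.95.107:443"]
TODAY_E1 = ["45.79.95.107:443", "187.54.225.76:80"]

if __name__ == "__main__":
    for p, words in suspicious_images(SAMPLE_IMAGES):
        print(f"{p} -> {'+'.join(words)}")
    dropped, added = c2_delta(YESTERDAY_E1, TODAY_E1)
    print("dropped:", dropped, "added:", added, "net:", len(added) - len(dropped))
```

A real word like netsh.exe is in the list but is a single word, so it does not match; the convention requires two list words back to back, which is why a name such as wrapmonthly.exe stands out in process telemetry while netsh.exe does not.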
#### Closing ####
```
REMINDER:
Now is the time to block/alarm on these C2 IPs above to see if you can find Ivan's foothold in your network. Blocking them stops
any bots on your network from updating to deploy other malware like Trickbot. It also will stop spamming when they start back up.
We have been thinking they will come back later this month during the week of the 13th or 21st. So get ready.
In the meantime, stay safe and Happy New Year!

```
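The closing reminder says to block or alarm on the C2 list; one way to operationalize that, as an added example that is not part of the Cryptolaemus paste, is to parse the paste's own layout (a per-epoch heading followed by a fenced block of ip:port lines) and scan firewall log lines against it. The excerpt below is a constructed few-entry cut of the lists above, the log lines and their internal 10.x sources are constructed, and the log format is an assumed key=value style. The scan reports exact ip:port hits separately from ip-only hits, because Emotet lists the same host on more than one port (47.6.15.79 appears on both 80 and 443 in the Epoch 2 list above), so a hit on a listed host with an unlisted port is still worth a look.

```python
import re
from collections import defaultdict

FENCE = "`" * 3

# Constructed excerpt in the layout of the paste above (a few entries per block so it runs offline).
PASTE_EXCERPT = f"""\
#### Epoch 1 C2s ####
{FENCE}
45.73.157.243:8080
190.195.129.227:8090
177.92.14.34:80
{FENCE}
#### Epoch 1 - Spam C2s ####
{FENCE}
not active
{FENCE}
#### Epoch 1 - Stealer C2s ####
{FENCE}
51.159.23.217:443
{FENCE}
#### Epoch 2 C2s ####
{FENCE}
47.180.91.213:80
47.6.15.79:443
{FENCE}
"""

HEADING_RE = re.compile(r"^#{2,4}\s*(.+?)\s*#*\s*$")
C2_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$")
DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")  # assumed key=value log style


def parse_c2_sections(text):
    """Map each '... C2s' heading to the set of ip:port lines in the fenced block under it."""
    sections, title, in_fence = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(FENCE):
            in_fence = not in_fence
            continue
        m = HEADING_RE.match(line)
        if m and not in_fence:
            title = m.group(1)
            continue
        # "not active" and blank lines fail C2_RE, so Spam C2s blocks yield no entries.
        if in_fence and title and title.endswith("C2s") and C2_RE.match(line):
            sections.setdefault(title, set()).add(line)
    return sections


def build_index(sections):
    """exact ip:port -> sections, plus ip -> sections for the weaker same-host match."""
    exact, by_ip = defaultdict(set), defaultdict(set)
    for title, entries in sections.items():
        for entry in entries:
            exact[entry].add(title)
            by_ip[entry.split(":")[0]].add(title)
    return exact, by_ip


def scan_logs(lines, sections):
    """Return (dst, kind, [sections]) for each log line whose destination is a listed C2.
    'exact' = ip and port both listed; 'ip-only' = host listed, but on a different port."""
    exact, by_ip = build_index(sections)
    hits = []
    for line in lines:
        m = DST_RE.search(line)
        if not m:
            continue
        ip, port = m.groups()
        dst = f"{ip}:{port}"
        if dst in exact:
            hits.append((dst, "exact", sorted(exact[dst])))
        elif ip in by_ip:
            hits.append((dst, "ip-only", sorted(by_ip[ip])))
    return hits


# Constructed firewall log lines (timestamps and 10.x sources are made up).
LOG_LINES = [
    "2020-01-06T18:02:11Z fw allow src=10.1.4.22:51022 dst=45.73.157.243:8080 proto=tcp",
    "2020-01-06T18:02:15Z fw allow src=10.1.4.22:51023 dst=47.6.15.79:80 proto=tcp",
    "2020-01-06T18:03:01Z fw allow src=10.1.7.9:44111 dst=51.159.23.217:443 proto=tcp",
    "2020-01-06T18:03:40Z fw allow src=10.1.7.9:44112 dst=93.184.216.34:443 proto=tcp",
]

if __name__ == "__main__":
    sections = parse_c2_sections(PASTE_EXCERPT)
    for dst, kind, where in scan_logs(LOG_LINES, sections):
        print(f"{dst:22} {kind:8} {', '.join(where)}")
```

Feeding the full paste text to parse_c2_sections gives every epoch's loader and stealer C2 set at once; a hit against a Stealer C2s block is worth flagging on its own, since it means a module beyond the loader has already been delivered.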
#### Sandbox 01/06/20 ####
```
E1
https://capesandbox.com/analysis/10356/
https://capesandbox.com/analysis/10386/

E2
https://capesandbox.com/analysis/10357/
https://capesandbox.com/analysis/10388/

E3
https://capesandbox.com/analysis/10358/
https://capesandbox.com/analysis/10389/
```