## Emotet Malware IOCs for 01/06/20 as of 01/06/20 17:15 EST ##
*Notes and Credits at the bottom.* Follow us on Twitter @cryptolaemus1 for more updates.
#### SHA256s for Epoch 1 Loader EXEs ####
```
2aaf8fee56c6232db176c8676de16351b92fb8398ddcd299ba61a2eabd72d5d6
df6918aab03242b0a42ec4cf1f4258e3b57df8441c4743aae9985f89f5c4bb65
771a1f4b303dc2c4c50763091ca9cefa80b3c46cda0a2d82d4f5276c850d2ef2
d79abaa339b8b6e9ae8ac82edbaa139e32e0c82fe9f540d49372a7cfc8a1212f
9dff074ff1529d16d8c2e5acf3a4773cbd20789da573804ccfd35f5521defeb2
6a97c158536273e8b84faafc44b9c31ff463bfb2bdd02093fd585fb70f159c73
bae3bbbdd1f2e4478de579548c41a1c98eaac07cfa4e2ebb20e1f2d46e0b0b62
219da8349484f4746f08b3f79771cfdb426d9a8b29ef1cbc2eeff5c4b59f7519
458cac23702ba41e788b1a37adf1dca87df3f4c13a8676fad4084ba33890fd36
e3b79adf7e0429d33e2545894ab2351547de1e17e705ff75dffb8310466974e7
888e5f4f2a1729724ff35c899984735534fcd8e64a853524e4c7f3cb6cd6af41
a611c93296c6babd00cf06ff2a811e14c510f77cf86d7b7e59fdf7a83b1065ca
8dd7a0e0daee637f049a6e08d5c7ba935f6f7075acce2ff6f4c8a0aea3b3ca38
12a399dd6446b57fdd4bb50d38b0e7fb4290cb0ae9437486b305dbe8db206b87
```
#### SHA256s for Epoch 2 Loader EXEs ####
```
cd47457850c6326e64e66ed3f2eb935bee45bab0738599244903b727014e405e
c5128fe6d59d35cfbc6555d52ce624a3262f3ce407df3b584dc5fabe0822c539
2b37ddaf408bcec8b47d797d77653442d272c7ed10e079ff8d9bfee26527bd02
1d7a6ba97c39065178e1e37a7bfbc971cb5ddb8890e993ac519f59c77727b8e7
84d0235b0e47572cfe1533f3614c76ebd4bcdb552612625fd8a2000e124da3b9
d21e42ebeab12bf7b50e845d769dd59e16e2f2d8bbcdd2a1786b46bc76f2fae7
109e8295a026646fc73936199fc99d122f880ae7a30e0573f195dc76ba27c615
7d315266bacd384196ddd36e0209a9b58948a88b437ba28d4841624fbb344796
9d5811b4a1f6931ae46f517a92e73909f0ff7aaa6c2a152ea6c5ab72027e251f
5a2ea528794f6e5ead09d7b85f7009c97d20f6f172d789bb8f952592ab93cc8d
c0ff16afbc8840e484d2d0df166cf1069f806c10d73817b76b989ce4a77029bf
149dc8a7f0fc161dc4123ebc6200bba1c02d07081602b67151d9fdade2b08d27
d63c896de55d6e7ea7ee1602bb214a91da1bcc781ca5c4c90bc84e8d89e06e38
e4a4ebe7c54fa7cf2b615d46427a7442f317addf64586ce8bc2947b9d04782c2
```
#### SHA256s for Epoch 3 Loader EXEs ####
```
7ba00d10e9e86a523e14feb18c7c9a0e9f76e586d21c69185cae5c09070cb184
11e7cf800404c2e4a4d7bb5681d84753bcd2c8bb929ab6ba2f96a4cd6ddb80dc
306bf9287ae2975436a2faf0576b568bbc63bd511c82a019a7ba3bc8481377b5
653d683fcfa7b7f24fc52dea7d51d85e9ed0a3e8b7d521f014f264fd97df3e26
e3845bb9c6b12677868e6252d475ac7264a05dc227745a1284ae0f4a3363a759
58854666e2430081a2c13a1e07362986600a3dca244d1cbadfd93c8fd03c9f33
0df7364370cd694a6e3abd8145a3d12736cb93a38b76dca5bfc9b28ad22966a7
cb580a9291d90ce09a98857bb35b43a1013e271b44351e22286b8f0ff200905c
c386d4c9468beca0a8def97ce9af0e47802425967f6b433963449f2d43582472
b428fa0ebd44bc6d12c2d7614202aed223e1dc11491909cb5d8778554e5393b6
7a10d338086bf1a6970189dd4e77ff3c6a07854778f4c37563a91262e8d4bae6
6b94ea2b4e49a5d30527cdec685d23de7bba64f2bf1fa575098270d2e9d31382
e584dfdee795745dcf1724d64ea00ba6e9a4fdf0c57d566bec66cda8363a33ed
a76e2ce58627be8ad2f6e6f9826396c26f6c0d63a334ff101522c45b04eb5de3
```
### C2's Per Epoch ###
#### Epoch 1 C2s ####
```
45.73.157.243:8080
190.195.129.227:8090
177.92.14.34:80
45.79.95.107:443
69.163.33.84:8080
104.131.58.132:8080
68.183.190.199:8080
190.210.184.138:995
200.58.83.179:80
216.251.83.79:80
177.242.21.126:80
187.54.225.76:80
14.160.93.230:80
212.71.237.140:8080
159.203.204.126:8080
217.199.160.224:8080
46.101.212.195:8080
46.28.111.142:7080
185.86.148.222:8080
2.45.112.134:80
114.109.179.60:80
113.190.254.245:80
82.196.15.205:8080
68.174.15.223:80
94.200.114.162:80
151.237.36.220:80
5.88.27.67:8080
62.15.36.103:443
96.61.113.203:80
62.75.160.178:8080
58.162.218.151:80
186.15.83.52:8080
109.169.86.13:8080
45.8.136.201:80
175.114.178.83:443
190.186.164.23:80
165.228.195.93:80
177.34.142.163:80
203.25.159.3:8080
142.93.114.137:8080
83.248.141.198:80
177.180.115.224:80
110.170.65.146:80
181.231.220.232:80
189.19.81.181:443
68.187.160.28:443
113.61.76.239:80
185.160.229.26:80
200.55.53.7:80
212.253.82.142:443
179.208.84.218:8080
185.160.212.3:80
202.62.39.111:80
37.120.185.153:443
63.248.198.8:80
201.213.100.141:8080
118.36.70.245:80
86.42.166.147:80
14.201.35.38:80
149.62.173.247:8080
125.99.61.162:7080
190.210.236.139:80
80.11.158.65:8080
190.151.5.130:443
94.200.126.42:80
200.123.183.137:443
37.187.6.63:8080
203.130.0.69:80
72.29.55.174:80
2.42.173.240:80
59.120.5.154:80
79.7.158.208:80
120.150.247.164:80
144.139.56.105:80
190.100.153.162:443
188.218.104.226:80
181.36.42.205:443
207.154.204.40:8080
91.117.159.233:80
93.144.226.57:80
200.82.170.231:80
91.74.175.46:80
68.183.170.114:8080
138.68.106.4:7080
189.26.118.194:80
5.196.35.138:7080
77.55.211.77:8080
177.103.159.44:80
62.75.143.100:7080
91.83.93.124:7080
50.28.51.143:8080
73.60.8.210:80
191.103.76.34:443
79.7.114.1:80
119.59.124.163:8080
189.201.197.98:8080
2.47.112.72:80
91.205.215.57:7080
192.241.146.84:8080
190.191.82.216:80
139.162.118.88:8080
190.219.149.236:80
97.120.32.227:80
201.213.32.59:80
178.79.163.131:8080
181.10.204.106:80
110.142.161.90:443
87.106.46.107:8080
190.38.152.143:80
58.171.38.26:80
190.17.44.48:80
186.68.48.204:443
87.106.77.40:7080
188.135.15.49:80
187.188.166.192:8080
82.8.232.51:80
188.216.24.204:80
191.183.21.190:80
181.198.203.45:443
```
#### Epoch 1 - Spam C2s ####
```
not active
```
#### Epoch 1 - Stealer C2s ####
```
51.159.23.217:443
75.127.72.18:8080
190.115.18.139:8080
```
#### Current Epoch 1 RSA Public Key ####
```
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOmlscqbEIhLjVsj9r3eYacKi6C+Qrua
j5TlU+pn3zc0k06qCoahFXBBGnYMotHQc6OwfBKwHWm831LIVg29kEjT8UYxnN5v
fzNGgqXTe25QARf78CsQqqN/ImKdXo+GFwIDAQAB
```
#### Epoch 2 C2s ####
```
47.180.91.213:80
181.143.126.170:80
186.86.247.171:443
136.243.250.34:8080
104.131.44.150:8080
167.71.10.37:8080
192.241.255.77:8080
59.103.164.174:80
176.106.183.253:8080
50.116.86.205:8080
37.157.194.134:443
182.176.132.213:8090
2.237.76.249:80
209.97.168.52:8080
73.217.39.73:80
173.66.96.135:80
201.184.105.242:443
5.32.55.214:80
201.173.217.124:443
160.16.215.66:8080
91.73.197.90:80
200.21.90.5:443
24.181.125.62:80
87.230.19.21:8080
64.53.242.181:8080
173.91.11.142:80
47.153.183.211:80
104.131.11.150:8080
181.126.70.117:80
41.60.200.34:80
62.75.187.192:8080
178.237.139.83:8080
92.222.216.44:8080
24.94.237.248:80
5.196.74.210:8080
108.191.2.72:80
139.130.242.43:80
91.205.215.66:443
98.30.113.161:80
173.21.26.90:80
210.6.85.121:80
45.51.40.140:80
5.154.58.24:80
223.197.185.60:80
206.81.10.215:8080
104.236.246.93:8080
58.171.42.66:8080
209.141.54.221:8080
110.142.38.16:80
190.220.19.82:443
59.8.197.241:80
103.86.49.11:8080
88.249.120.205:80
87.106.136.232:8080
66.34.201.20:7080
169.239.182.217:8080
190.53.135.159:21
190.189.224.117:443
93.147.141.5:80
195.244.215.206:80
62.138.26.28:8080
188.0.135.237:80
108.179.206.219:8080
121.88.5.176:443
180.92.239.110:8080
139.130.241.252:443
174.77.190.137:8080
79.159.249.152:80
47.6.15.79:80
78.24.219.147:8080
178.153.176.124:80
189.203.177.41:443
98.156.206.153:80
120.150.246.241:80
120.151.135.224:80
76.164.99.46:80
46.105.131.87:80
190.117.226.104:80
110.143.84.202:80
87.106.139.101:8080
185.144.138.190:80
190.55.181.54:443
24.105.202.216:443
159.65.25.128:8080
70.46.247.81:80
211.63.71.72:8080
183.101.175.193:80
70.169.53.234:80
31.31.77.83:443
116.48.142.21:443
200.116.145.225:443
206.189.112.148:8080
60.231.217.199:8080
179.13.185.19:80
47.6.15.79:443
95.128.43.213:8080
85.67.10.190:80
149.202.153.252:8080
190.162.159.212:80
73.11.153.178:8080
217.160.182.191:8080
183.102.238.69:465
31.172.240.91:8080
45.33.49.124:443
209.146.22.34:443
47.156.70.145:80
189.179.108.157:80
190.12.119.180:443
```
#### Epoch 2 - Spam C2s ####
```
not active
```
#### Epoch 2 - Stealer C2s ####
```
168.235.67.138:8080
139.162.183.41:443
46.101.7.140:8080
```
#### Current Epoch 2 RSA Public Key ####
```
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKl4M80uy0jcxUiFIaJJyxgHVVnFtCq6
bi6f2xXPh/XUZNyN8UXDe5HzhTc4kwon9MBZffNwFOIc61QfV3K3YzEI/ktcyNqK
LS67ONxsVep769QdiVQJXrIaFjMXKz6viwIDAQAB
```
#### Epoch 3 C2s ####
```
196.6.119.137:80
86.108.77.73:443
91.73.169.210:80
91.205.173.150:8080
168.235.82.183:8080
198.57.217.170:7080
192.163.221.191:7080
110.142.161.90:80
1.217.126.11:443
1.221.254.82:80
112.68.254.127:80
41.185.29.128:8080
69.30.205.162:7080
197.94.32.129:8080
124.150.175.133:80
124.150.175.129:8080
50.116.78.109:8080
78.210.132.35:80
212.129.14.27:8080
189.225.211.171:443
201.137.247.222:443
157.7.164.178:8081
203.124.57.50:80
112.186.195.176:80
193.33.38.208:443
88.248.140.80:80
105.209.235.113:8080
42.51.192.231:8080
95.216.207.86:7080
211.42.204.154:80
180.33.6.136:443
181.53.29.136:8080
190.201.144.85:7080
88.247.26.78:80
82.79.244.92:80
78.189.165.52:8080
192.241.220.183:8080
75.86.6.174:80
139.59.12.63:8080
158.69.167.246:8080
185.192.75.240:443
162.144.46.90:8080
203.153.216.178:7080
110.2.118.164:80
200.41.121.69:443
212.112.113.235:80
216.75.37.196:8080
192.210.217.94:8080
95.9.217.200:8080
114.179.127.48:80
201.183.251.100:80
46.17.6.116:8080
82.165.15.188:8080
191.100.24.201:50000
177.144.130.105:443
138.197.140.163:8080
91.83.93.103:443
91.117.31.181:80
78.189.60.109:443
190.17.94.108:443
122.116.104.238:7080
58.185.224.18:80
210.224.65.117:80
144.139.91.187:80
190.171.153.139:80
37.46.129.215:8080
181.196.27.123:80
85.100.122.211:80
69.14.208.221:80
94.203.236.122:80
91.117.131.122:80
67.254.196.78:443
183.87.40.21:8080
85.109.190.235:443
217.12.70.226:80
195.201.56.70:8080
66.229.161.86:443
210.171.146.118:80
142.93.87.198:8080
83.156.88.159:80
5.178.245.100:80
179.5.118.12:8080
87.9.181.247:80
200.45.187.90:80
198.199.112.197:8080
72.51.153.27:80
175.127.140.68:80
186.177.174.163:80
46.32.229.152:8080
51.77.113.97:8080
37.59.24.25:8080
98.15.140.226:80
200.82.88.254:80
185.244.167.25:443
78.46.87.133:8080
51.38.134.203:8080
88.249.181.198:443
182.187.137.199:8080
188.251.213.180:443
89.215.225.15:80
37.70.131.107:80
182.176.116.139:995
192.241.241.221:443
172.104.70.207:8080
210.111.160.220:80
113.52.135.33:7080
190.93.210.113:80
220.78.29.88:80
160.119.153.20:80
95.216.212.157:8080
14.161.30.33:443
156.155.163.232:80
95.130.37.244:443
82.146.55.23:7080
72.27.212.209:8080
186.84.173.136:8080
187.72.47.161:443
23.253.207.142:8080
181.167.35.84:80
98.178.241.106:80
78.186.102.195:80
176.58.93.123:80
190.5.162.204:80
41.77.74.214:443
```
#### Epoch 3 - Spam C2s ####
```
not active
```
#### Epoch 3 - Stealer C2s ####
```
198.46.150.196:7080
178.32.255.133:443
178.63.78.150:8080
```
#### Current Epoch 3 RSA Public Key ####
```
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMqZMACZDzcRXuSnj2OI8LeIYKrbUIXL
faUgIJPwYd305HnaBS2AfA0R+oPxT32r+3BbayI3KguqAn3E+rbwtLhqhOXOlTnY
7yvG4ufmwCCkRzc6Sq8baToxmd6y523AIQIDAQAB
```
#### Credits ####
```
Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:
Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161
C2 info/RSA Keys - @CapeSandbox, @unixronin, @devnullnoop, @MalwareTechBlog, @lazyactivist192, @papa_anniekey, @Paladin3161,
@executemalware, @luc4m, @SecSome
Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @p5yb34m, @malware_traffic, @Paladin3161, @ps66uk,
@bomccss, @reecdeep, @CholeVallabh, @papa_anniekey, @JAMESWT_MHT, @executemalware, @SecSome, Anonymous :)
Spam Templates - @devnullnoop, @lazyactivist192, Anonymous :)
Special thanks to @lazyactivist192, @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/
infrastructure and helping out with this!
Very special thanks to @Binary_Defense, @lazyactivist192, @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project
https://github.com/decalage2/ViperMonkey, @digitalocean, @mploessel, @anyrun_app, @unixronin, @hurricanelabs, @MalwareTechBlog,
@KryptosLogic, @0xtadavie, @MsftSecIntel, @abuse_ch/urlhaus.abuse.ch, @urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal
for providing services/software at no charge to this cause!
```
### Daily Log 01/06/20 ###
```
UPDATE: 1915 UTC: Looks like Ivan/Yuri(the intern) was not pleased with me posting this and changed all 3 botnets shortly after
I published the previous report. The 2nd change today is listed in the "Second Run after 1915UTC:" section below and all totals
are updated.
This report was gathered by @ps66uk and @jroosen.
@JRoosen here - Ivan is still on break and not actively spamming at all. Talk out there is we won't see Ivan and the Emotet gang
back on distro until the week of 01/13/20 or 01/21/20. We are seeing loader C2 updates at a rate of about 1-3 per day on each botnet.
Surprisingly, we are already seeing a decrease of C2 combos on each botnet. E2 had the steepest drop and now clocks in at 106.
Nothing else major to report at this time.
```
#### General News ####
```
@JayTHL sums up some Emotet metrics on how fast payloads are being accessed and by whom:
https://twitter.com/JayTHL/status/1214075722828001280
@GossiTheDog, @James_inthe_box, @malware_traffic, @VK_Intel and @Zackwhittaker all shared an interesting Trickbot loader that
may be being used while Emotet is not doing distro. gtag wecanxx:
https://twitter.com/zackwhittaker/status/1213226099762761728
https://twitter.com/GossiTheDog/status/1213239990425178112
https://twitter.com/VK_Intel/status/1213253987492864000
https://twitter.com/James_inthe_box/status/1213108964532994048
Catalin Cimpanu (@campuscodi) fixed the Emotet Wikipedia link to no longer call it a Banking Trojan. :)
https://twitter.com/campuscodi/status/1213192441815293953
Cofense did a Phish Fryday segment on Emotet:
https://twitter.com/Cofense/status/1213142051627438081
@pollo290987 did a summary of all the emotet seen from September till December 20th:
https://twitter.com/pollo290987/status/1212936450515320832
```
#### Loader Report ####
```
Payloads and C2 report has been combined into this section and it is now known as the Loader Report.
_____________
Reminder:
EXE naming convention changed 2019/11/14. The new names will be 2 of any of the following list of words:
texas,func,deploy,run,leel,stuck,def,print,hal,monthly,pdf,char,netsh,memo,trns,rds,maker,more,textto,
chunker,mailbox,compon,shades,scan,non,wsat,speed,publish,manual,hant,inbox,malert,zap,fill,angle,wrap,
boost,cors,iplk,sitka,wow,prints,acquire,wiz,smo,footer,attrib,group,appid,xcl,sensor,methods,ipmi,raw,
title,nic,ias,lua,dispid,special,serial,wsa,tcg,msp
______________
C2 Deltas:
E1 now 119 combos, was 127 for a net -8
E2 now 108 combos, was 127 for a net -19
E3 now 124 combos, was 127 for a net -3
Most of the E1 additions are brand new and not seen before. The other 2 were about 50% new again. This is the first time in
a while that Ivan has cut the number of C2s which means that we have hit the peak of the period they wanted coverage for. This
is likely further evidence that we will be seeing them back before the month is out.
UPDATE: 1915 UTC: Looks like Ivan/Yuri(the intern) was not pleased with me posting this and changed all 3 botnets shortly after
I published the previous report. The 2nd change today is listed in the "Second Run after 1915UTC:" section below and all totals
are updated.
---
E1 -
Dropped:
144.217.117.207:8080
104.236.137.72:8080
51.255.165.160:8080
183.99.239.141:80
91.191.206.60:443
181.61.143.177:80
163.172.40.218:7080
220.255.57.31:80
190.74.246.158:8080
200.124.225.32:80
112.218.134.227:80
91.117.83.59:80
219.75.66.103:80
223.255.148.134:80
190.161.180.184:80
85.152.208.146:80
Second Run after 1915UTC:
190.231.42.130:80
83.165.78.227:80
99.252.27.6:80
200.119.11.118:443
179.159.198.70:80
212.237.50.61:8080
74.79.103.55:80
Added:
187.54.225.76:80
190.231.42.130:80
190.38.152.143:80
120.150.247.164:80
200.82.170.231:80
91.117.159.233:80
179.208.84.218:8080
189.26.118.194:80
189.201.197.98:8080
2.47.112.72:80
Second Run after 1915UTC:
45.73.157.243:8080
190.195.129.227:8090
177.92.14.34:80
201.213.100.141:8080
190.191.82.216:80
---
E2
Dropped:
159.69.89.130:8080
59.148.227.190:80
74.105.102.97:8080
64.147.15.138:80
71.83.82.123:8080
108.20.69.44:80
184.167.148.162:80
66.209.97.122:8080
174.81.132.128:80
2.235.190.23:8080
100.14.117.137:80
70.175.171.251:80
173.12.14.133:8080
37.59.24.177:8080
66.25.34.20:80
176.31.200.130:8080
1.215.28.101:8080
101.187.247.29:80
31.177.54.196:443
12.176.19.218:80
173.247.19.238:80
188.152.7.140:80
186.67.208.78:8080
178.210.51.222:8080
128.65.154.183:443
47.149.28.234:80
138.59.177.106:443
138.122.5.214:8080
219.78.255.48:80
107.170.24.125:8080
67.225.179.64:8080
186.75.241.230:80
68.118.26.116:80
86.98.156.239:443
101.187.134.207:443
104.137.176.186:80
73.214.99.25:80
144.139.247.220:80
85.152.174.56:80
200.114.167.85:80
46.216.60.138:80
82.27.181.93:80
2.38.99.79:80
189.159.115.178:8080
Second Run after 1915UTC:
165.227.156.155:443
167.99.105.223:7080
186.4.172.5:8080
Added:
189.203.177.41:443
139.130.242.43:80
178.153.176.124:80
190.55.181.54:443
173.91.11.142:80
73.217.39.73:80
201.184.105.242:443
185.144.138.190:80
173.66.96.135:80
110.143.84.202:80
98.30.113.161:80
88.249.120.205:80
41.60.200.34:80
62.75.187.192:8080
174.77.190.137:8080
73.11.153.178:8080
60.231.217.199:8080
79.159.249.152:80
181.126.70.117:80
183.102.238.69:465
62.138.26.28:8080
5.32.55.214:80
183.101.175.193:80
Second Run after 1915UTC:
47.180.91.213:80
181.143.126.170:80
186.86.247.171:443
223.197.185.60:80
189.179.108.157:80
---
E3
Dropped:
5.189.148.98:8080
192.161.190.171:8080
175.103.239.50:80
211.48.165.9:443
120.51.83.89:443
203.160.173.202:80
190.231.210.35:80
190.161.67.63:80
108.184.9.44:80
46.105.131.68:8080
165.100.148.200:8080
92.16.222.156:80
41.111.190.94:80
190.171.135.235:80
201.196.15.79:990
163.172.97.112:8080
24.28.178.71:80
221.154.59.110:80
103.108.146.195:80
81.82.247.216:80
178.134.1.238:80
189.61.200.9:443
190.47.236.83:80
59.158.164.66:443
156.155.163.232:80
85.235.219.74:80
115.179.91.58:80
217.181.139.237:443
Second Run after 1915UTC:
190.38.252.45:443
154.120.227.190:443
187.250.92.82:80
177.103.240.93:80
Added:
88.249.181.198:443
183.87.40.21:8080
75.86.6.174:80
91.205.173.150:8080
168.235.82.183:8080
198.57.217.170:7080
192.163.221.191:7080
190.201.144.85:7080
201.137.247.222:443
212.112.113.235:80
91.83.93.103:443
192.241.241.221:443
200.82.88.254:80
78.210.132.35:80
217.12.70.226:80
113.52.135.33:7080
78.186.102.195:80
82.79.244.92:80
181.196.27.123:80
198.199.112.197:8080
180.33.6.136:443
1.217.126.11:443
211.42.204.154:80
1.221.254.82:80
Second Run after 1915UTC:
196.6.119.137:80
86.108.77.73:443
91.73.169.210:80
112.68.254.127:80
156.155.163.232:80
```
#### Closing ####
```
REMINDER:
Now is the time to block/alarm on these C2 IPs above to see if you can find Ivan's foothold in your network. Blocking them stops
any bots on your network from updating to deploy other malware like Trickbot. It also will stop spamming when they start back up.
We have been thinking they will come back later this month during the week of the 13th or 21st. So get ready.
In the meantime, stay safe and Happy New Year!
```
#### Sandbox 01/06/20 ####
```
E1
https://capesandbox.com/analysis/10356/
https://capesandbox.com/analysis/10386/
E2
https://capesandbox.com/analysis/10357/
https://capesandbox.com/analysis/10388/
E3
https://capesandbox.com/analysis/10358/
https://capesandbox.com/analysis/10389/
```
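The two actionable items in this report are the Loader Report reminder (loader EXE names are two words from the listed vocabulary) and the Closing advice to block or alarm on the C2 ip:port combos. The following Python script is an added example, not part of the Cryptolaemus report or its tooling, showing one way to operationalize both: it turns a handful of the combos copied from the epoch lists above into a blocklist keyed by epoch, checks constructed firewall log lines against it, and flags file names that decompose into exactly two words from the reminder list. The log format, the `dst=`/`dport=` field names, the sample log lines and the `is_loader_style_name` heuristic are assumptions of this example.

```python
"""Added example: C2 combo blocklist and loader-name check built from the report above."""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed subset of the C2 "combos" (ip:port) listed per epoch in the report;
# only a few per epoch are copied here. "not active" mirrors the Spam C2s sections
# and shows why the parser has to reject non-combo lines.
C2_COMBOS: Dict[str, List[str]] = {
    "E1": ["45.73.157.243:8080", "190.195.129.227:8090", "177.92.14.34:80", "not active"],
    "E2": ["47.180.91.213:80", "190.53.135.159:21"],
    "E3": ["196.6.119.137:80", "191.100.24.201:50000"],
}

# Word list from the Loader Report reminder (EXE names are two of these joined together).
NAME_WORDS = set(
    "texas,func,deploy,run,leel,stuck,def,print,hal,monthly,pdf,char,netsh,memo,trns,rds,maker,more,textto,"
    "chunker,mailbox,compon,shades,scan,non,wsat,speed,publish,manual,hant,inbox,malert,zap,fill,angle,wrap,"
    "boost,cors,iplk,sitka,wow,prints,acquire,wiz,smo,footer,attrib,group,appid,xcl,sensor,methods,ipmi,raw,"
    "title,nic,ias,lua,dispid,special,serial,wsa,tcg,msp".split(",")
)


def parse_combo(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) for a well-formed 'ip:port' line; None for 'not active' or junk."""
    host, sep, port_s = line.strip().rpartition(":")
    if not sep:
        return None
    try:
        ipaddress.IPv4Address(host)  # raises ValueError on anything that is not a v4 address
        port = int(port_s)
    except ValueError:
        return None
    if not 0 < port <= 65535:
        return None
    return host, port


def build_blocklist(combos: Dict[str, List[str]]) -> Dict[Tuple[str, int], str]:
    """Map every valid (ip, port) combo to the epoch it belongs to, skipping invalid lines."""
    blocklist: Dict[Tuple[str, int], str] = {}
    for epoch, lines in combos.items():
        for line in lines:
            parsed = parse_combo(line)
            if parsed is not None:
                blocklist[parsed] = epoch
    return blocklist


# Assumed key=value firewall log format; adapt the regex to your own log source.
LOG_RE = re.compile(r"dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+dport=(?P<dport>\d+)")

# Constructed sample log lines. Line 4 reuses a listed IP on a port the report does not
# list, which the scanner reports separately as a lower-confidence hit.
SAMPLE_LOGS = [
    "2020-01-06T18:02:11Z action=permit src=10.0.0.15 dst=45.73.157.243 dport=8080 proto=tcp",
    "2020-01-06T18:03:40Z action=permit src=10.0.0.22 dst=93.184.216.34 dport=443 proto=tcp",
    "2020-01-06T18:05:02Z action=permit src=10.0.0.31 dst=47.180.91.213 dport=80 proto=tcp",
    "2020-01-06T18:06:15Z action=permit src=10.0.0.31 dst=47.180.91.213 dport=443 proto=tcp",
    "malformed line with no destination fields",
]


def scan_logs(lines: Iterable[str], blocklist: Dict[Tuple[str, int], str]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Split log lines into exact (ip, port) combo hits tagged with their epoch, and
    IP-only hits where the destination is a listed C2 address on an unlisted port."""
    listed_ips = {ip for ip, _ in blocklist}
    exact: List[Tuple[str, str]] = []
    ip_only: List[str] = []
    for line in lines:
        match = LOG_RE.search(line)
        if match is None:
            continue  # lines without dst/dport cannot be judged; skip rather than guess
        key = (match.group("dst"), int(match.group("dport")))
        if key in blocklist:
            exact.append((line, blocklist[key]))
        elif key[0] in listed_ips:
            ip_only.append(line)
    return exact, ip_only


def is_loader_style_name(filename: str) -> bool:
    """True when the EXE base name is exactly two words from NAME_WORDS concatenated.
    Every split point is tried, so names built from overlapping words (wsa/wsat, print/prints) are still caught."""
    stem = filename.lower()
    if stem.endswith(".exe"):
        stem = stem[:-4]
    return any(stem[:i] in NAME_WORDS and stem[i:] in NAME_WORDS for i in range(1, len(stem)))


if __name__ == "__main__":
    hits, maybe = scan_logs(SAMPLE_LOGS, build_blocklist(C2_COMBOS))
    for line, epoch in hits:
        print(f"[{epoch} C2 combo] {line}")
    for line in maybe:
        print(f"[listed IP, unlisted port] {line}")
    for name in ("pdfrun.exe", "notepad.exe"):
        print(name, "matches loader naming" if is_loader_style_name(name) else "does not match")
```

Matching on the full ip:port combo is what the report's "combos" counts describe, so that is the high-confidence signal; the IP-only bucket exists because the same host may be re-listed on another port after one of the daily rotations shown in the C2 Deltas. The naming check is a hunting heuristic rather than a blocking rule: short vocabulary words such as "run" or "pdf" can combine into benign-looking names, so treat a match as a prompt to pull the hash and compare it with the SHA256 lists above.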