ExecuteMalware

2019-09-25 Emotet IOCs

Sep 25th, 2019

ANALYST NOTES
Today was another day of relatively heavy Emotet volume.
Despite heavier volume, I only saw 18 unique Word document file hashes and 4 unique payload exe files.
Upon executing the Emotet executable, the task that shows up in Task Manager is still "lumberhash.exe*32".
Immediately after running the Emotet executable, a file named 210.exe was noted in the %USERPROFILE% folder.
It was deleted before I could grab it - it seems to move, rename and execute itself as lumberhash.exe.
I can't confirm that until I can grab a file hash from 210.exe.
Again, I was unable to trigger any follow-up malware after infecting my lab VM.
The Emotet VBA macros that I saw continue to use simple base64 with no other significant obfuscation.
I saw both "re-used" email threads and new stand-alone emails today.

CyberChef decodes the base64 and splits out the URLs with this recipe:
From_Base64('A-Za-z0-9+/=',true)
Decode_text('UTF16LE (1200)')
Split('@','\\n')
Extract_URLs(false)

(it does leave a single quote artifact at the very end)
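The same recipe replayed in Python, as an added example that is not part of the original paste: it decodes the base64, decodes UTF-16LE, splits on '@', extracts the URLs and strips the trailing quote artifact the recipe leaves behind, then derives a hostname list for blocking. The encoded input and its URLs are constructed placeholders, not indicators from this paste.

```python
import base64
import re
from typing import List

# Constructed sample input (not an indicator from the paste): as the recipe
# implies, the macro holds its download URLs as one UTF-16LE string joined
# with '@', base64-encoded, and the decoded text ends in a stray single quote.
# Hostnames are RFC 2606 reserved placeholders.
SAMPLE_PLAINTEXT = (
    "http://example.com/wp-admin/AbCdEf/@"
    "https://example.net/wp-content/xyz-123/@"
    "http://example.org/sites/QwErTy/'"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_PLAINTEXT.encode("utf-16-le")).decode("ascii")

# Extract_URLs equivalent: stop at whitespace, quotes, angle brackets and '@'
URL_RE = re.compile(r"https?://[^\s'\"<>@]+")


def from_base64_lenient(blob: str) -> bytes:
    """CyberChef's From_Base64 with 'remove non-alphabet chars' set: drop
    anything outside the base64 alphabet and repair missing '=' padding."""
    clean = re.sub(r"[^A-Za-z0-9+/]", "", blob)
    return base64.b64decode(clean + "=" * (-len(clean) % 4))


def decode_emotet_url_blob(blob: str) -> List[str]:
    """Replay the recipe: From_Base64 -> Decode_text UTF16LE -> Split('@')
    -> Extract_URLs, then strip the quote artifact the recipe leaves behind."""
    text = from_base64_lenient(blob).decode("utf-16-le", errors="ignore")
    urls = []
    for part in text.split("@"):
        part = part.strip().rstrip("'\"")   # the trailing quote artifact
        m = URL_RE.search(part)
        if m:
            urls.append(m.group(0))
    return urls


def hosts_for_blocklist(urls: List[str]) -> List[str]:
    """Deduplicated, sorted hostnames for a proxy or DNS blocklist."""
    return sorted({u.split("://", 1)[1].split("/", 1)[0] for u in urls})


if __name__ == "__main__":
    for u in decode_emotet_url_blob(SAMPLE_B64):
        print(u)
```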


SENDERS OBSERVED

WORD DOCUMENT FILE HASHES

PAYLOAD FILE HASHES
fa95ae3d79fd7b00906201a1087ef29e
f66c59a54de4227b09c1f90e48ab0eb9
8bcb0ce8bb4616184e3f1eee51be6612
284fe79685a92ad19d607e5466c5d810

EMOTET PAYLOAD URLs

EMOTET C2s