## Emotet Malware IOCs for 12/30/19 as of 12/30/19 13:30 EST ##
*Notes and Credits at the bottom.* Follow us on Twitter @cryptolaemus1 for more updates.
#### SHA256s for Epoch 1 Loader EXEs ####
#### SHA256s for Epoch 2 Loader EXEs ####
#### SHA256s for Epoch 3 Loader EXEs ####
### C2's Per Epoch ###
#### Epoch 1 C2s ####
#### Epoch 1 - Spam C2s ####
```
not active
```
#### Epoch 1 - Stealer C2s ####
```
51.159.23.217:443
75.127.72.18:8080
190.115.18.139:8080
```
#### Current Epoch 1 RSA Public Key ####
```
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOmlscqbEIhLjVsj9r3eYacKi6C+Qrua
j5TlU+pn3zc0k06qCoahFXBBGnYMotHQc6OwfBKwHWm831LIVg29kEjT8UYxnN5v
fzNGgqXTe25QARf78CsQqqN/ImKdXo+GFwIDAQAB
```
#### Epoch 2 C2s ####
#### Epoch 2 - Spam C2s ####
```
not active
```
#### Epoch 2 - Stealer C2s ####
```
168.235.67.138:8080
139.162.183.41:443
46.101.7.140:8080
```
#### Current Epoch 2 RSA Public Key ####
```
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKl4M80uy0jcxUiFIaJJyxgHVVnFtCq6
bi6f2xXPh/XUZNyN8UXDe5HzhTc4kwon9MBZffNwFOIc61QfV3K3YzEI/ktcyNqK
LS67ONxsVep769QdiVQJXrIaFjMXKz6viwIDAQAB
```
#### Epoch 3 C2s ####
#### Epoch 3 - Spam C2s ####
```
not active
```
#### Epoch 3 - Stealer C2s ####
```
198.46.150.196:7080
178.32.255.133:443
178.63.78.150:8080
```
#### Current Epoch 3 RSA Public Key ####
```
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMqZMACZDzcRXuSnj2OI8LeIYKrbUIXL
faUgIJPwYd305HnaBS2AfA0R+oPxT32r+3BbayI3KguqAn3E+rbwtLhqhOXOlTnY
7yvG4ufmwCCkRzc6Sq8baToxmd6y523AIQIDAQAB
```
#### Credits ####
```
Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:
Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161
C2 info/RSA Keys - @CapeSandbox, @unixronin, @devnullnoop, @MalwareTechBlog, @lazyactivist192, @papa_anniekey, @Paladin3161,
@executemalware, @luc4m, @SecSome
Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @p5yb34m, @malware_traffic, @Paladin3161, @ps66uk,
@bomccss, @reecdeep, @CholeVallabh, @papa_anniekey, @JAMESWT_MHT, @executemalware, @SecSome, Anonymous :)
Spam Templates - @devnullnoop, @lazyactivist192, Anonymous :)
Special thanks to @lazyactivist192, @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/
infrastructure and helping out with this!
Very special thanks to @Binary_Defense, @lazyactivist192, @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project
https://github.com/decalage2/ViperMonkey, @digitalocean, @mploessel, @anyrun_app, @unixronin, @hurricanelabs, @MalwareTechBlog,
@KryptosLogic, @0xtadavie, @MsftSecIntel, @abuse_ch/urlhaus.abuse.ch, @urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal
for providing services/software at no charge to this cause!
```
### Daily Log 12/30/19 ###
```
This report was gathered by @ps66uk and @jroosen.
@JRoosen here - Ivan is still on break and not actively spamming at all. Talk out there is we won't see Ivan and the Emotet gang
back on distro until the week of 01/13/20. We are seeing loader C2 updates at a rate of about 2-4 per day on each botnet. Ivan
has handed over the keys to Vasily clearly and they are using all the installs of Trickbot gtag morXX to drop tools to prep and
execute Ryuk ransomware deployments. We are of course seeing these happening out there. This is noted in the news below:
```
#### General News ####
```
Kevin Beaumont had some observations of interesting PowerShell activity (PsReflect/PowerView) on his EmoPot:
https://twitter.com/GossiTheDog/status/1211600216715137024
https://twitter.com/GossiTheDog/status/1211655228107431936
VK reminds us that the cybercrime calendar begins sometime after Jan 14th:
https://twitter.com/VK_Intel/status/1211661749579071489
@SethKingHi did some analysis on the loader yesterday and found an interesting resource name:
https://twitter.com/SethKingHi/status/1211510574464425985
(this has since changed)
@abuse_ch confirms that Emotet is using IPv4 for C2s only:
https://twitter.com/abuse_ch/status/1211200391372820480
@bry_campbell was one of many that tweeted about a potential Emotet link to the US Coast Guard MTSA Ransomware incident:
https://twitter.com/bry_campbell/status/1211052638747406341
```
#### Loader Report ####
```
The Payloads and C2 reports have been combined into this section, which is now known as the Loader Report.
_____________
Reminder:
EXE naming convention changed 2019/11/14. The new names will be 2 of any of the following list of words:
texas,func,deploy,run,leel,stuck,def,print,hal,monthly,pdf,char,netsh,memo,trns,rds,maker,more,textto,
chunker,mailbox,compon,shades,scan,non,wsat,speed,publish,manual,hant,inbox,malert,zap,fill,angle,wrap,
boost,cors,iplk,sitka,wow,prints,acquire,wiz,smo,footer,attrib,group,appid,xcl,sensor,methods,ipmi,raw,
title,nic,ias,lua,dispid,special,serial,wsa,tcg,msp
______________
C2 Deltas:
E1 now 127 combos, was 127 for a net nil
E2 now 127 combos, was 127 for a net nil
E3 now 127 combos, was 127 for a net nil
Looks like Ivan hit the limit in the C2 count for the loader. 127 per botnet seems to be the standard now, but note
the amount (24+) of combo changes/churn. About 50% of these IPs are NEW. We have seen Ivan change C2 combos during
break periods at a rate of 1 time per week or so.
```
#### Closing ####
```
Now is the time to block/alarm on these C2 IPs above to see if you can find Ivan's foothold in your network. Blocking them stops
any bots on your network from updating to deploy other malware like Trickbot. It will also stop spamming when they start back up.
We have been thinking they will come back on 2020/01/13, so get ready. In the meantime, stay safe and Happy New Year!
```
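One way to act on the closing advice, as an added example that is not Cryptolaemus tooling: parse the Epoch C2 ip:port lists out of the report's own heading-plus-fence layout and match outbound connection logs against them, attributing each hit to its epoch. The firewall log format and the internal 10.0.5.x hosts are assumptions; the six C2 entries are the Epoch 1 and 2 Stealer C2s listed above.

```python
"""Match connection logs against Emotet C2 ip:port lists; added example, not Cryptolaemus code."""
import re

FENCE = "`" * 3  # the report wraps every list in a markdown code fence
# Constructed excerpt in the report's own layout; the six entries are the
# Epoch 1 and Epoch 2 Stealer C2s from the 12/30/19 report.
REPORT_LINES = [
    "#### Epoch 1 - Stealer C2s ####", FENCE,
    "51.159.23.217:443", "75.127.72.18:8080", "190.115.18.139:8080", FENCE,
    "#### Epoch 2 - Stealer C2s ####", FENCE,
    "168.235.67.138:8080", "139.162.183.41:443", "46.101.7.140:8080", FENCE,
]
# Constructed firewall export (assumed format); 10.0.5.x are internal hosts.
LOG_LINES = [
    "2019-12-30T14:02:11Z ALLOW TCP 10.0.5.23:51122 -> 51.159.23.217:443",
    "2019-12-30T14:02:15Z ALLOW TCP 10.0.5.23:51123 -> 192.0.2.10:443",
    "2019-12-30T14:03:40Z DENY TCP 10.0.5.41:49870 -> 139.162.183.41:443",
    "2019-12-30T14:05:02Z ALLOW TCP 10.0.5.77:50001 -> 168.235.67.138:80",
]

HEADING_RE = re.compile(r"^#+\s*(Epoch\s+\d+.*?)\s*#*\s*$")
C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
LOG_RE = re.compile(r"^(\S+)\s+(\w+)\s+TCP\s+(\S+)\s+->\s+"
                    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")

def parse_c2_lists(lines):
    """Map (ip, port) -> Epoch heading; non-Epoch headings reset the section."""
    section, table = None, {}
    for raw in lines:
        line = raw.strip().lstrip("- ").strip()  # tolerate pasted list bullets
        if line.startswith("#"):
            m = HEADING_RE.match(line)
            section = m.group(1) if m else None
            continue
        m = C2_RE.match(line)
        if m and section is not None:
            table[(m.group(1), int(m.group(2)))] = section
    return table

def match_connections(log_lines, c2_table, strict_port=True):
    """Flag log lines whose destination is a listed C2. With strict_port the
    port must match too; otherwise any port to a listed IP is flagged."""
    by_ip = {ip: sec for (ip, _port), sec in c2_table.items()}
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m: continue  # skip unparseable lines rather than mis-match
        ts, action, src, dst_ip, dst_port = m.groups()
        sec = (c2_table.get((dst_ip, int(dst_port))) if strict_port
               else by_ip.get(dst_ip))
        if sec:
            alerts.append({"ts": ts, "action": action, "src": src,
                           "dst": f"{dst_ip}:{dst_port}", "epoch": sec})
    return alerts

if __name__ == "__main__":
    for a in match_connections(LOG_LINES, parse_c2_lists(REPORT_LINES)):
        print(f"{a['ts']} {a['src']} -> {a['dst']} ({a['epoch']}, {a['action']})")
```

A DENY hit is still worth an alert: it shows a host trying to reach the C2, which is the foothold the closing asks you to look for.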
#### Sandbox 12/30/19 ####
```
E1
https://capesandbox.com/analysis/10183/
E2
https://capesandbox.com/analysis/10184/
E3
https://capesandbox.com/analysis/10185/
```