jroosen

Emotet Malware IoCs 2019/12/30

Dec 30th, 2019
## Emotet Malware IOCs for 12/30/19 as of 12/30/19 13:30 EST ##
*Notes and Credits at the bottom.* Follow us on Twitter @cryptolaemus1 for more updates.

#### SHA256s for Epoch 1 Loader EXEs ####
```
12a399dd6446b57fdd4bb50d38b0e7fb4290cb0ae9437486b305dbe8db206b87
90ac7045de5a60eeb18f26b9aaa8fc871af0ef45460e967a966d2a2c7764be54
ad9bb56dad4eaa586bb6478f64718f73edb3ca02bd147216f3fdc8158391db96
a01b92f7580e0077456a02f561cc660f7fa0b08ce9a80a25ef84a2a841f27f17
6775818ba56a8908741ed22869403ae8acbc94201707b0d52cf1a0fd7cc578c0
e59083eb47c917a133b76be10ee5c69eee412adc13ffac135128480c2d5908a0
3a8a5f2c6b6b6eb136f1805de8f6d2d147cdc88627e8a1a9841053293ba19ff0
0b96303dfd12e9a7a4cd0f1946ea8adf8219454510e5f541d71be5ce7d79fed7
93f9d15e50938bb936f08165d7e3531e016e7c69568c265017cd78d6aa9a15c5
35e35a70aee02c963660b1b49f110c4547ce1afe99529388ebaa03aceecaab24
b8471764e02be8ce2ab10ee944015584e1540ab863901e2c1347faef7ef27f4e
```
#### SHA256s for Epoch 2 Loader EXEs ####
```
e4a4ebe7c54fa7cf2b615d46427a7442f317addf64586ce8bc2947b9d04782c2
6936aa4b2afe14b38fe2e94735126f00cdd090a63984fcef5d4ca0fe54e46427
d2c6e0fdb98844f5b111007a0ed904f4d4000897f42b4438b4bdd46fce2b6fe9
06231c67997abcc429db7ff28e625b5fcba8aabbeb94b3ba8a3131d5ec65b8d0
f2dd300d24ff3eeb0931748f909443fb2ca2c288a2582d4860b4f9bdf485185d
ae097a7e9880dc379b2ede35a2742169f0cc490450f0da324b2eceff77dedf50
404fc27f94946ee424f85984d699dc2082725a5784a025af9d034149bcc95c14
c1df111e7060b5affb1b3851cc289105a34776e9bad4a3f96eb1f05d0997d8b4
935047fb6827983b800921ee4385da677e478dfae591355200369e2f6770fd67
91621c6d0f36e4f1be9560a6b16bcdb79c238812cdc97129d0e1a6607a20c363
785e465e1ac2b2b54e24c0fc80299294fbc9ff2562322c29c2ffb4fa52be0a37
```
#### SHA256s for Epoch 3 Loader EXEs ####
```
a76e2ce58627be8ad2f6e6f9826396c26f6c0d63a334ff101522c45b04eb5de3
b21038dbfe316ae74df7c06be5583a8ba73aa91a960949d241187e7b180b26dd
68f7b50d8366226743706772690c3dfda0e1afca3d0bfa6188977521e846e1fa
0aad4cd137edd3916c7e3a66458bd8548352fa18f999b0e0101ad0d65b4608c1
78d7a5619849f438688409c6c116dc5f52834e7b28ccd814bd986b2ee9032a7d
662cecbcd0a553efbb3dbe6b397fe19b0af9bfb82cf47fdfa179d02582246d8d
f282f19d8389da8b7966a5f5965c139fbe39c0bdd05ea9514f06f49b1fe3cd68
add26d83c734bdb2d35c08ee99c11a84297e1fa1170853a7c029ee0b6c681b45
9bf03035fc1bcaeb1065f7fe7c7d338f3040c94f9bc408cf769bbd72c573541c
003b5c4ef0b2124ab3656acbb07e6a567b7465fa7e90d5280555aec6593a8fa4
d63e41981abfee28272d20a0b26c555e9385d503f561d8d21db909255846ef4e
```

### C2's Per Epoch ###

#### Epoch 1 C2s ####
```
190.219.149.236:80
94.200.126.42:80
62.15.36.103:443
45.79.95.107:443
144.217.117.207:8080
104.236.137.72:8080
51.255.165.160:8080
2.42.173.240:80
183.99.239.141:80
68.183.190.199:8080
110.170.65.146:80
190.210.236.139:80
68.183.170.114:8080
87.106.77.40:7080
79.7.158.208:80
91.205.215.57:7080
109.169.86.13:8080
86.42.166.147:80
50.28.51.143:8080
190.210.184.138:995
203.25.159.3:8080
144.139.56.105:80
181.231.220.232:80
91.191.206.60:443
91.74.175.46:80
93.144.226.57:80
68.174.15.223:80
181.61.143.177:80
189.19.81.181:443
200.119.11.118:443
217.199.160.224:8080
163.172.40.218:7080
185.160.212.3:80
99.252.27.6:80
59.120.5.154:80
5.88.27.67:8080
94.200.114.162:80
119.59.124.163:8080
58.171.38.26:80
177.34.142.163:80
110.142.161.90:443
188.218.104.226:80
200.58.83.179:80
220.255.57.31:80
46.28.111.142:7080
46.101.212.195:8080
14.201.35.38:80
190.186.164.23:80
191.103.76.34:443
200.55.53.7:80
185.160.229.26:80
190.74.246.158:8080
82.8.232.51:80
68.187.160.28:443
200.123.183.137:443
186.15.83.52:8080
63.248.198.8:80
190.100.153.162:443
207.154.204.40:8080
37.187.6.63:8080
191.183.21.190:80
142.93.114.137:8080
82.196.15.205:8080
178.79.163.131:8080
212.237.50.61:8080
104.131.58.132:8080
74.79.103.55:80
96.61.113.203:80
177.103.159.44:80
181.198.203.45:443
179.159.198.70:80
186.68.48.204:443
87.106.46.107:8080
187.188.166.192:8080
190.17.44.48:80
114.109.179.60:80
200.124.225.32:80
113.190.254.245:80
118.36.70.245:80
201.213.32.59:80
91.83.93.124:7080
181.10.204.106:80
202.62.39.111:80
192.241.146.84:8080
62.75.143.100:7080
188.216.24.204:80
212.71.237.140:8080
112.218.134.227:80
190.151.5.130:443
5.196.35.138:7080
62.75.160.178:8080
216.251.83.79:80
212.253.82.142:443
37.120.185.153:443
77.55.211.77:8080
181.36.42.205:443
97.120.32.227:80
91.117.83.59:80
79.7.114.1:80
58.162.218.151:80
69.163.33.84:8080
83.165.78.227:80
83.248.141.198:80
14.160.93.230:80
113.61.76.239:80
165.228.195.93:80
138.68.106.4:7080
177.242.21.126:80
175.114.178.83:443
219.75.66.103:80
45.8.136.201:80
139.162.118.88:8080
223.255.148.134:80
149.62.173.247:8080
190.161.180.184:80
72.29.55.174:80
151.237.36.220:80
188.135.15.49:80
85.152.208.146:80
177.180.115.224:80
125.99.61.162:7080
185.86.148.222:8080
73.60.8.210:80
80.11.158.65:8080
2.45.112.134:80
159.203.204.126:8080
203.130.0.69:80
```
#### Epoch 1 - Spam C2s ####
```
not active
```
#### Epoch 1 - Stealer C2s ####
```
51.159.23.217:443
75.127.72.18:8080
190.115.18.139:8080
```
#### Current Epoch 1 RSA Public Key ####
```
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOmlscqbEIhLjVsj9r3eYacKi6C+Qrua
j5TlU+pn3zc0k06qCoahFXBBGnYMotHQc6OwfBKwHWm831LIVg29kEjT8UYxnN5v
fzNGgqXTe25QARf78CsQqqN/ImKdXo+GFwIDAQAB
```
#### Epoch 2 C2s ####
```
59.8.197.241:80
200.116.145.225:443
200.21.90.5:443
136.243.250.34:8080
165.227.156.155:443
159.69.89.130:8080
167.99.105.223:7080
59.148.227.190:80
50.116.86.205:8080
2.237.76.249:80
74.105.102.97:8080
76.164.99.46:80
209.97.168.52:8080
64.147.15.138:80
108.191.2.72:80
71.83.82.123:8080
190.220.19.82:443
159.65.25.128:8080
108.20.69.44:80
184.167.148.162:80
121.88.5.176:443
58.171.42.66:8080
104.131.11.150:8080
179.13.185.19:80
120.150.246.241:80
66.209.97.122:8080
174.81.132.128:80
91.205.215.66:443
70.169.53.234:80
2.235.190.23:8080
190.117.226.104:80
201.173.217.124:443
100.14.117.137:80
70.175.171.251:80
173.12.14.133:8080
104.236.246.93:8080
176.106.183.253:8080
182.176.132.213:8090
192.241.255.77:8080
209.146.22.34:443
206.81.10.215:8080
85.67.10.190:80
24.181.125.62:80
37.59.24.177:8080
209.141.54.221:8080
188.0.135.237:80
31.31.77.83:443
93.147.141.5:80
5.196.74.210:8080
169.239.182.217:8080
195.244.215.206:80
103.86.49.11:8080
211.63.71.72:8080
66.25.34.20:80
190.12.119.180:443
176.31.200.130:8080
1.215.28.101:8080
101.187.247.29:80
47.6.15.79:80
91.73.197.90:80
31.177.54.196:443
12.176.19.218:80
173.247.19.238:80
87.106.136.232:8080
188.152.7.140:80
31.172.240.91:8080
87.230.19.21:8080
173.21.26.90:80
87.106.139.101:8080
186.67.208.78:8080
186.4.172.5:8080
178.210.51.222:8080
128.65.154.183:443
24.105.202.216:443
92.222.216.44:8080
47.149.28.234:80
160.16.215.66:8080
120.151.135.224:80
139.130.241.252:443
190.189.224.117:443
110.142.38.16:80
149.202.153.252:8080
70.46.247.81:80
190.53.135.159:21
167.71.10.37:8080
217.160.182.191:8080
24.94.237.248:80
138.59.177.106:443
138.122.5.214:8080
210.6.85.121:80
180.92.239.110:8080
108.179.206.219:8080
98.156.206.153:80
116.48.142.21:443
66.34.201.20:7080
219.78.255.48:80
107.170.24.125:8080
67.225.179.64:8080
47.156.70.145:80
190.162.159.212:80
59.103.164.174:80
47.6.15.79:443
104.131.44.150:8080
186.75.241.230:80
45.51.40.140:80
68.118.26.116:80
86.98.156.239:443
5.154.58.24:80
95.128.43.213:8080
78.24.219.147:8080
101.187.134.207:443
206.189.112.148:8080
104.137.176.186:80
73.214.99.25:80
144.139.247.220:80
178.237.139.83:8080
85.152.174.56:80
47.153.183.211:80
64.53.242.181:8080
45.33.49.124:443
46.105.131.87:80
37.157.194.134:443
200.114.167.85:80
46.216.60.138:80
82.27.181.93:80
2.38.99.79:80
189.159.115.178:8080
```
#### Epoch 2 - Spam C2s ####
```
not active
```
#### Epoch 2 - Stealer C2s ####
```
168.235.67.138:8080
139.162.183.41:443
46.101.7.140:8080
```
#### Current Epoch 2 RSA Public Key ####
```
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKl4M80uy0jcxUiFIaJJyxgHVVnFtCq6
bi6f2xXPh/XUZNyN8UXDe5HzhTc4kwon9MBZffNwFOIc61QfV3K3YzEI/ktcyNqK
LS67ONxsVep769QdiVQJXrIaFjMXKz6viwIDAQAB
```
#### Epoch 3 C2s ####
```
114.179.127.48:80
200.45.187.90:80
144.139.91.187:80
124.150.175.133:80
5.189.148.98:8080
69.30.205.162:7080
192.161.190.171:8080
160.119.153.20:80
192.210.217.94:8080
190.93.210.113:80
175.103.239.50:80
105.209.235.113:8080
190.5.162.204:80
211.48.165.9:443
82.146.55.23:7080
142.93.87.198:8080
112.186.195.176:80
191.100.24.201:50000
212.129.14.27:8080
182.187.137.199:8080
181.53.29.136:8080
120.51.83.89:443
88.247.26.78:80
58.185.224.18:80
203.160.173.202:80
190.231.210.35:80
37.70.131.107:80
190.161.67.63:80
110.142.161.90:80
216.75.37.196:8080
186.177.174.163:80
110.2.118.164:80
108.184.9.44:80
187.72.47.161:443
176.58.93.123:80
46.105.131.68:8080
72.51.153.27:80
195.201.56.70:8080
165.100.148.200:8080
185.244.167.25:443
220.78.29.88:80
92.16.222.156:80
182.176.116.139:995
41.111.190.94:80
91.117.31.181:80
85.109.190.235:443
98.178.241.106:80
210.111.160.220:80
94.203.236.122:80
190.38.252.45:443
172.104.70.207:8080
46.32.229.152:8080
83.156.88.159:80
158.69.167.246:8080
189.225.211.171:443
78.189.60.109:443
203.124.57.50:80
201.183.251.100:80
190.171.135.235:80
5.178.245.100:80
201.196.15.79:990
210.171.146.118:80
157.7.164.178:8081
95.9.217.200:8080
163.172.97.112:8080
187.250.92.82:80
91.117.131.122:80
24.28.178.71:80
190.171.153.139:80
221.154.59.110:80
14.161.30.33:443
72.27.212.209:8080
192.241.220.183:8080
95.216.207.86:7080
179.5.118.12:8080
42.51.192.231:8080
124.150.175.129:8080
177.144.130.105:443
67.254.196.78:443
103.108.146.195:80
203.153.216.178:7080
185.192.75.240:443
200.41.121.69:443
81.82.247.216:80
190.17.94.108:443
162.144.46.90:8080
197.94.32.129:8080
175.127.140.68:80
37.59.24.25:8080
154.120.227.190:443
178.134.1.238:80
189.61.200.9:443
190.47.236.83:80
69.14.208.221:80
59.158.164.66:443
51.38.134.203:8080
41.77.74.214:443
177.103.240.93:80
66.229.161.86:443
88.248.140.80:80
85.100.122.211:80
122.116.104.238:7080
41.185.29.128:8080
139.59.12.63:8080
23.253.207.142:8080
87.9.181.247:80
82.165.15.188:8080
156.155.163.232:80
78.46.87.133:8080
85.235.219.74:80
186.84.173.136:8080
138.197.140.163:8080
51.77.113.97:8080
50.116.78.109:8080
37.46.129.215:8080
89.215.225.15:80
115.179.91.58:80
95.130.37.244:443
98.15.140.226:80
210.224.65.117:80
181.167.35.84:80
46.17.6.116:8080
78.189.165.52:8080
95.216.212.157:8080
193.33.38.208:443
188.251.213.180:443
217.181.139.237:443
```
#### Epoch 3 - Spam C2s ####
```
not active
```
#### Epoch 3 - Stealer C2s ####
```
198.46.150.196:7080
178.32.255.133:443
178.63.78.150:8080
```
#### Current Epoch 3 RSA Public Key ####
```
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMqZMACZDzcRXuSnj2OI8LeIYKrbUIXL
faUgIJPwYd305HnaBS2AfA0R+oPxT32r+3BbayI3KguqAn3E+rbwtLhqhOXOlTnY
7yvG4ufmwCCkRzc6Sq8baToxmd6y523AIQIDAQAB
```
#### Credits ####
```
Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:

Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161

C2 info/RSA Keys - @CapeSandbox, @unixronin, @devnullnoop, @MalwareTechBlog, @lazyactivist192, @papa_anniekey, @Paladin3161,
@executemalware, @luc4m, @SecSome

Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @p5yb34m, @malware_traffic, @Paladin3161, @ps66uk,
@bomccss, @reecdeep, @CholeVallabh, @papa_anniekey, @JAMESWT_MHT, @executemalware, @SecSome, Anonymous :)

Spam Templates - @devnullnoop, @lazyactivist192, Anonymous :)

Special thanks to @lazyactivist192, @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/
infrastructure and helping out with this!

Very special thanks to @Binary_Defense, @lazyactivist192, @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project
https://github.com/decalage2/ViperMonkey, @digitalocean, @mploessel, @anyrun_app, @unixronin, @hurricanelabs, @MalwareTechBlog,
@KryptosLogic, @0xtadavie, @MsftSecIntel, @abuse_ch/urlhaus.abuse.ch, @urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal
for providing services/software at no charge to this cause!

```
### Daily Log 12/30/19 ###
```
This report was gathered by @ps66uk and @jroosen.

@JRoosen here - Ivan is still on break and not actively spamming at all. Talk out there is that we won't see Ivan and the Emotet gang
back on distro until the week of 01/13/20. We are seeing loader C2 updates at a rate of about 2-4 per day on each botnet. Ivan
has clearly handed over the keys to Vasily, and they are using all the installs of Trickbot gtag morXX to drop tools to prep and
execute Ryuk ransomware deployments. We are of course seeing these happening out there. This is noted in the news below:

```
#### General News ####
```

Kevin Beaumont had some observations of interesting PowerShell activity (PsReflect/PowerView) on his EmoPot:
https://twitter.com/GossiTheDog/status/1211600216715137024
https://twitter.com/GossiTheDog/status/1211655228107431936

VK reminds us that the cybercrime calendar begins sometime after Jan 14th:
https://twitter.com/VK_Intel/status/1211661749579071489

@SethKingHi did some analysis on the loader yesterday and found an interesting resource name:
https://twitter.com/SethKingHi/status/1211510574464425985
(this has since changed)

@abuse_ch confirms that Emotet is using IPv4 for C2s only:
https://twitter.com/abuse_ch/status/1211200391372820480

@bry_campbell was one of many that tweeted about a potential Emotet link to the US Coast Guard MTSA ransomware incident:
https://twitter.com/bry_campbell/status/1211052638747406341

```
#### Loader Report ####
```
The Payloads and C2 reports have been combined into this section, which is now known as the Loader Report.
_____________
Reminder:
The EXE naming convention changed 2019/11/14. The new names are any 2 words from the following list:
texas,func,deploy,run,leel,stuck,def,print,hal,monthly,pdf,char,netsh,memo,trns,rds,maker,more,textto,
chunker,mailbox,compon,shades,scan,non,wsat,speed,publish,manual,hant,inbox,malert,zap,fill,angle,wrap,
boost,cors,iplk,sitka,wow,prints,acquire,wiz,smo,footer,attrib,group,appid,xcl,sensor,methods,ipmi,raw,
title,nic,ias,lua,dispid,special,serial,wsa,tcg,msp
______________

C2 Deltas:
E1 now 127 combos, was 127 for a net nil
E2 now 127 combos, was 127 for a net nil
E3 now 127 combos, was 127 for a net nil

Looks like Ivan hit the limit in the C2 count for the loader. 127 per botnet seems to be the standard now, but note
the amount (24+) of combo changes/churn. About 50% of these IPs are NEW. We have seen Ivan change C2 combos during
break periods at a rate of about once per week.

---
E1 -

Dropped:
96.126.121.64:443
85.234.143.94:8080
97.81.12.153:80
116.48.138.115:80
2.139.158.136:443
2.44.167.52:80
74.59.187.94:80
93.67.154.252:443
142.127.57.63:8080
96.38.234.10:80
190.146.131.105:8080
5.32.41.106:80
77.27.221.24:443
93.148.252.90:80
37.183.121.32:80
190.195.129.227:8090
91.204.163.19:8090
81.157.234.90:8080
45.50.177.164:80
111.125.71.22:8080
190.97.30.167:990
190.6.193.152:8080
130.204.247.253:80
152.170.108.99:443

Added:
190.219.149.236:80
94.200.126.42:80
62.15.36.103:443
45.79.95.107:443
79.7.158.208:80
99.252.27.6:80
59.120.5.154:80
94.200.114.162:80
119.59.124.163:8080
177.34.142.163:80
110.142.161.90:443
188.218.104.226:80
14.201.35.38:80
200.55.53.7:80
185.160.229.26:80
82.8.232.51:80
191.183.21.190:80
82.196.15.205:8080
177.103.159.44:80
190.17.44.48:80
200.124.225.32:80
188.216.24.204:80
216.251.83.79:80
58.162.218.151:80

---
E2

Dropped:
108.61.99.179:8080
200.7.243.108:443
183.102.238.69:465
62.75.187.192:8080
174.77.190.137:8080
91.242.138.5:443
190.147.215.53:22
81.0.63.86:8080
110.143.57.109:80
173.91.11.142:80
73.11.153.178:8080
201.184.105.242:443
85.72.180.68:80
201.251.133.92:443
82.155.161.203:80
62.138.26.28:8080
5.88.182.250:80
61.197.110.214:80
75.80.148.244:80
165.228.24.197:80
212.129.24.79:8080
24.93.212.32:80
218.44.21.114:80
178.209.71.63:8080
73.176.241.255:80
80.21.182.46:80
1.33.230.137:80

Added:
59.8.197.241:80
200.116.145.225:443
200.21.90.5:443
136.243.250.34:8080
74.105.102.97:8080
108.191.2.72:80
71.83.82.123:8080
121.88.5.176:443
58.171.42.66:8080
70.169.53.234:80
2.235.190.23:8080
190.117.226.104:80
70.175.171.251:80
173.12.14.133:8080
209.146.22.34:443
188.0.135.237:80
1.215.28.101:8080
186.4.172.5:8080
160.16.215.66:8080
70.46.247.81:80
190.53.135.159:21
180.92.239.110:8080
66.34.201.20:7080
101.187.134.207:443
47.153.183.211:80
64.53.242.181:8080
189.159.115.178:8080

---
E3

Dropped:
45.79.75.232:8080
164.68.115.146:8080
96.234.38.186:8080
78.186.102.195:80
119.57.36.54:8080
86.70.224.211:80
100.38.11.243:80
128.92.54.20:80
181.46.176.38:80
41.190.148.90:80
46.105.128.215:8080
86.98.157.3:80
195.250.143.182:80
190.247.9.40:443
24.27.122.202:80
86.6.123.109:80
58.93.151.148:80
113.52.135.33:7080
95.255.140.89:443
212.112.113.235:80
188.230.134.205:80
217.12.70.226:80
190.101.87.170:80
200.71.112.158:53
211.42.204.154:80
174.57.150.13:8080
82.79.244.92:80
211.218.105.101:80

Added:
114.179.127.48:80
200.45.187.90:80
144.139.91.187:80
69.30.205.162:7080
160.119.153.20:80
182.187.137.199:8080
120.51.83.89:443
190.231.210.35:80
187.72.47.161:443
195.201.56.70:8080
46.32.229.152:8080
78.189.60.109:443
203.124.57.50:80
5.178.245.100:80
210.171.146.118:80
157.7.164.178:8081
163.172.97.112:8080
14.161.30.33:443
103.108.146.195:80
59.158.164.66:443
122.116.104.238:7080
41.185.29.128:8080
23.253.207.142:8080
82.165.15.188:8080
78.46.87.133:8080
51.77.113.97:8080
50.116.78.109:8080
188.251.213.180:443

```
#### Closing ####
```
Now is the time to block/alarm on the C2 IPs above to see if you can find Ivan's foothold in your network. Blocking them stops
any bots on your network from updating to deploy other malware like Trickbot. It will also stop spamming when they start back up.
We have been thinking they will come back on 2020/01/13, so get ready. In the meantime, stay safe and Happy New Year!

```
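The Loader Report above lists C2 "combos" as ip:port pairs with daily Dropped/Added deltas and describes the two-word EXE naming convention, and the Closing asks readers to block or alarm on those IPs. The script below is an added example (not Cryptolaemus code) that does the defender-side work those passages imply: it parses ip:port blocks in the report's format, computes a delta between two lists, checks a file name against the word list, and flags log lines whose destination is a listed C2. The six Epoch 1 entries and the word list are copied from this report; the "yesterday" list, the firewall log lines and their key=value layout are constructed for the demonstration, and the assumption that the two name words are concatenated with no separator is noted in the code.

```python
"""IoC helpers for the Cryptolaemus daily report format (added example).
Parses ip:port C2 blocks, computes Dropped/Added deltas, checks the two-word
EXE naming convention, and flags constructed firewall lines that reach a C2."""
import re
from collections import namedtuple

C2 = namedtuple("C2", "ip port")
C2_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")

# First six entries of today's Epoch 1 C2 block, copied from the report.
EPOCH1_TODAY = """\
190.219.149.236:80
94.200.126.42:80
62.15.36.103:443
45.79.95.107:443
144.217.117.207:8080
104.236.137.72:8080
"""

# Constructed previous-day block: two entries the report lists under
# "E1 Dropped" plus two that carried over, so the delta is visible.
EPOCH1_YESTERDAY = """\
96.126.121.64:443
85.234.143.94:8080
144.217.117.207:8080
104.236.137.72:8080
"""

# Word list copied from the Loader Report reminder (a name is two of these).
NAME_WORDS = frozenset(
    "texas,func,deploy,run,leel,stuck,def,print,hal,monthly,pdf,char,netsh,memo,trns,rds,maker,more,textto,"
    "chunker,mailbox,compon,shades,scan,non,wsat,speed,publish,manual,hant,inbox,malert,zap,fill,angle,wrap,"
    "boost,cors,iplk,sitka,wow,prints,acquire,wiz,smo,footer,attrib,group,appid,xcl,sensor,methods,ipmi,raw,"
    "title,nic,ias,lua,dispid,special,serial,wsa,tcg,msp".split(","))

# Constructed firewall lines in a generic key=value layout; 203.0.113.10 is a
# documentation address standing in for benign traffic.
SAMPLE_LOG = [
    "2019-12-30T14:02:11Z action=allow src=10.0.0.5 dst=62.15.36.103 dport=443",
    "2019-12-30T14:02:15Z action=allow src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2019-12-30T14:03:40Z action=allow src=10.0.0.9 dst=45.79.95.107 dport=8080",
]
LOG_DST = re.compile(r"\bdst=(\S+)\s+dport=(\d+)")


def parse_c2_block(text):
    """Return the set of C2 entries in a block of ip:port lines. Headings,
    fences and placeholder lines such as 'not active' are skipped."""
    found = set()
    for line in text.splitlines():
        m = C2_LINE.match(line.strip())
        if m:
            found.add(C2(m.group(1), int(m.group(2))))
    return found


def c2_delta(previous, current):
    """(dropped, added): entries gone since the previous list, and new ones.
    Matching is on the ip:port pair, as the report's delta lists are."""
    return previous - current, current - previous


def is_two_word_name(filename):
    """True if the stem is exactly two NAME_WORDS entries back to back.
    Assumption: the words are joined with no separator; the report only says
    the name is '2 of any of the following list of words'."""
    stem = filename.lower().rsplit(".", 1)[0]
    return any(stem[:i] in NAME_WORDS and stem[i:] in NAME_WORDS
               for i in range(1, len(stem)))


def find_c2_contacts(log_lines, c2s):
    """Return (line, kind) for lines whose destination is on the list:
    'exact' when ip:port matches, 'ip-only' when only the IP does, which is
    worth alarming on since the same IP appears with different ports across
    the epoch lists."""
    listed_ips = {c.ip for c in c2s}
    hits = []
    for line in log_lines:
        m = LOG_DST.search(line)
        if not m:
            continue
        dst = C2(m.group(1), int(m.group(2)))
        if dst in c2s:
            hits.append((line, "exact"))
        elif dst.ip in listed_ips:
            hits.append((line, "ip-only"))
    return hits


if __name__ == "__main__":
    today = parse_c2_block(EPOCH1_TODAY)
    dropped, added = c2_delta(parse_c2_block(EPOCH1_YESTERDAY), today)
    print("dropped:", sorted(f"{c.ip}:{c.port}" for c in dropped))
    print("added:", sorted(f"{c.ip}:{c.port}" for c in added))
    for name in ("trnsmemo.exe", "report.exe"):
        print(name, "matches naming convention:", is_two_word_name(name))
    for line, kind in find_c2_contacts(SAMPLE_LOG, today):
        print(kind, "->", line)
```

To use it against the full report, feed each epoch's fenced C2 block to `parse_c2_block` and keep yesterday's parsed set on disk; `c2_delta` then reproduces the Dropped/Added lists, and the `ip-only` hits from `find_c2_contacts` are the ones to review by hand rather than block outright, since the port churn the report describes means an IP can reappear on a new port before the next daily list is published.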
#### Sandbox 12/30/19 ####

```

E1
https://capesandbox.com/analysis/10183/

E2
https://capesandbox.com/analysis/10184/

E3
https://capesandbox.com/analysis/10185/
```