## Emotet Malware Document links/IOCs for 06/10/19 as of 06/10/19 11:30 EDT ##
*Notes and Credits now at the bottom* Follow us on twitter @cryptolaemus1 for more updates.
Small Emotet Update - 06/10/2019 - 11:15 EDT:
It looks like C2 is down on Tier 1 across both botnets. We are seeing no response or 400/404/502 responses.
This has been happening since 06/07/19 around 19:00 UTC. The latest binaries for both botnets are:
- 8e5089260064a955819a92ebccc43d05520e32d234dd3c176bed5f6d0665ebdb for E1
- f8f6faa7e578785f53796c395f4ca0b757d43b62d77cdb47f74f8573e8af37a3 for E2
C2 combos are MUCH higher than normal at 122 for E1 and 92 for E2. This leads me to believe that this outage
was planned and we are seeing some sort of maintenance on the C2 infrastructure play out. The C2 combos are:
#### Epoch 1 C2s ####
#### Epoch 2 C2s ####
Obviously we are not seeing any spamming or any other activity during this time. Now is the time to block these IP/Port combos
while you can. Also if you see any requests going out to these IP/Port combos, cleanup aisle whatever that computer is in because
it is infected!
We will see how long this break lasts and what new surprises they have up their sleeve.
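Added example, not part of the Cryptolaemus post: a small Python script that parses the `#### Epoch N C2s ####` sections of a bulletin in this layout into an ip:port watchlist and checks outbound connection log lines against it, matching on the exact IP and port combo rather than the IP alone. The bulletin excerpt, log lines and host names below are constructed placeholders (TEST-NET addresses), not the real combos from the list.

```python
import re

# Constructed excerpt in the bulletin's own layout (heading line, then one
# ip:port combo per line). TEST-NET placeholders, not the real C2 combos.
SAMPLE_BULLETIN = """\
#### Epoch 1 C2s ####
192.0.2.10:8080
192.0.2.11:443
#### Epoch 2 C2s ####
198.51.100.5:80
198.51.100.5:443
"""

# Constructed firewall/proxy log lines: timestamp, source host, dst ip, dst port.
SAMPLE_LOG = [
    "2019-06-10T12:01:00Z host=WS-017 dst=192.0.2.10 dport=8080 action=allow",
    "2019-06-10T12:02:10Z host=WS-023 dst=192.0.2.11 dport=80 action=allow",
    "2019-06-10T12:03:45Z host=WS-041 dst=198.51.100.5 dport=443 action=allow",
    "2019-06-10T12:04:12Z host=WS-017 dst=203.0.113.9 dport=443 action=allow",
]

HEADING = re.compile(r"^#+\s*Epoch (\d+) C2s\s*#*$")
COMBO = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
LOG_LINE = re.compile(r"host=(\S+) dst=(\S+) dport=(\d+)")

def parse_c2_combos(text):
    """Map 'ip:port' -> epoch label ('E1', 'E2') for every combo under an Epoch heading."""
    combos, epoch = {}, None
    for line in text.splitlines():
        line = line.strip().lstrip("- ").strip()  # tolerate pasted list bullets
        if (m := HEADING.match(line)):
            epoch = f"E{m.group(1)}"
        elif epoch and (m := COMBO.match(line)):
            combos[f"{m.group(1)}:{int(m.group(2))}"] = epoch
    return combos

def find_c2_hits(log_lines, combos):
    """Return (host, 'ip:port', epoch) for each outbound hit on an exact combo.
    A connection to a listed IP on a port that is not listed is not reported."""
    hits = []
    for entry in log_lines:
        m = LOG_LINE.search(entry)
        if not m:
            continue
        key = f"{m.group(2)}:{int(m.group(3))}"
        if key in combos:
            hits.append((m.group(1), key, combos[key]))
    return hits

if __name__ == "__main__":
    for host, combo, epoch in find_c2_hits(SAMPLE_LOG, parse_c2_combos(SAMPLE_BULLETIN)):
        print(f"{host} reached {epoch} C2 {combo}: isolate and reimage")
```

In the sample, WS-023 talks to a listed IP on an unlisted port and is deliberately not flagged; widen the match to IP-only if your policy prefers more alerts over fewer.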
#### Sandbox 06/10/19 ####
(all with fakenet and MITM unless spam/secondary infection)
Epoch 1 C2 run on 2019-06-10 at 13:45 UTC - https://app.any.run/tasks/7f48ce71-945d-418e-a0f9-6c5fc3613e46
Epoch 2 C2 run on 2019-06-10 at 14:45 UTC - https://app.any.run/tasks/cd7edc98-a3bb-4c3b-bea5-a8493e020476