ExecuteMalware

2020-12-21 Emotet IOCs

Dec 21st, 2020 (edited)
THREAT ATTRIBUTION: EMOTET

CYBERCHEF RECIPE TO GET URLS FROM THE BASE64-ENCODED POWERSHELL SCRIPT
----------------------------------------------------------------------
From_Base64('A-Za-z0-9+/=',true)
Decode_text('UTF-16LE (1200)')
Split('*','\\n')
Find_/_Replace({'option':'Simple string','string':'\''},'',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':'+'},'',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':'('},'',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':')'},'',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':'`'},'',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':'=Y3nkOs'},' ',true,false,true,false)
Split('@','\\n')
Find_/_Replace({'option':'Simple string','string':'J3s2'},'/',true,false,true,false)
Extract_URLs(false)

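As an added example (not part of the paste), the same recipe expressed in Python so it can be run over a dumped -EncodedCommand blob without pasting it into CyberChef. The sample script, the example.invalid hosts and the extract_urls function are my own constructions; only the tokens J3s2 and =Y3nkOs come from the recipe above.

```python
import base64
import re

# Constructed sample (not from the paste): an Emotet-style obfuscated PowerShell
# one-liner where URL slashes are swapped for the token 'J3s2', the download URLs
# are joined with '@', string chunks are glued with '+', method names are broken
# up with backticks, and the junk token '=Y3nkOs' sits right after the URL list.
# The hosts are reserved example names; only the obfuscation shape is realistic.
SAMPLE_PS = (
    "$dl=('http:J3s2J3s2example-a.invalidJ3s2wp-contentJ3s2abc1J3s2"
    "@https:J3s2J3s2example-b.invalidJ3s2wp-adminJ3s2xyz2J3s2'+'"
    "@http:J3s2J3s2example-c.invalidJ3s2imgJ3s2qrs3J3s2')=Y3nkOs"
    ".`s`p`l`i`t('@')*foreach($u in $dl){...}"
)

# powershell -EncodedCommand takes base64 of the UTF-16LE script, so the blob is
# built the same way here; a real one would come from the maldoc macro or a sandbox.
ENCODED_PS = base64.b64encode(SAMPLE_PS.encode("utf-16-le")).decode("ascii")

URL_RE = re.compile(r"https?://[^\s<>]+")


def extract_urls(encoded: str) -> list:
    """Run the CyberChef recipe above step by step and return the recovered URLs."""
    text = base64.b64decode(encoded).decode("utf-16-le")  # From_Base64 + Decode_text
    text = text.replace("*", "\n")                         # Split('*','\n')
    for junk in ("'", "+", "(", ")", "`"):                 # strip concatenation chars
        text = text.replace(junk, "")
    text = text.replace("=Y3nkOs", " ")                    # junk token -> space, so the
                                                           # last URL does not absorb it
    text = text.replace("@", "\n")                         # Split('@','\n'): one URL per line
    text = text.replace("J3s2", "/")                       # restore the slashes
    return URL_RE.findall(text)                            # Extract_URLs


if __name__ == "__main__":
    for url in extract_urls(ENCODED_PS):
        print(url)
```

Dropping the =Y3nkOs step shows why it is in the recipe: the last URL would come out with the junk token and the following method name glued to its path.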
SENDERS OBSERVED
MALDOC DISTRIBUTION URLS
DOCUMENT FILE HASHES
PAYLOAD FILE HASHES
EMOTET PAYLOAD URLs
EMOTET C2s