jroosen

Emotet Malware IoCs 11/05/18

Nov 5th, 2018
## Emotet Malware Document links/IOCs for 11/05/18 as of 11/05/18 23:59 EST ##
*Notes and Credits now at the bottom* Follow me on Twitter @jroosen for more updates.

#### Epoch 1 Document/Downloader links seen for 11/05/18 ####
```
So far attachment only.
```
#### Epoch 2 Document/Downloader links seen for 11/05/18 ####
```
http://1stniag.com/Download/EN_en/Invoice-Number-44664/
http://777ton.ru/DOC/US_us/Scan/
http://agrarszakkepzes.hu/5931ZTIGS/com/US/
http://altaredlife.com/logssite/INFO/US_us/Question/
http://altarfx.com/Nov2018/En/Invoice-for-p/e-11/05/2018/
http://armator.info/tjweather/04224FCYKUT/biz/Commercial/
http://artzkaypharmacy.com.au/4690UVTTQOXO/SWIFT/Commercial/
http://b2streeteats.com/LLC/En/Service-Report-73478/
http://balispadallas.com/sites/US_us/Outstanding-Invoices/
http://bemnyc.com/Nov2018/US/Past-Due-Invoices/
http://blogforprofits.com/files/En_us/Paid-Invoices/
http://borggini.com/11XW/SEP/Smallbusiness/
http://brasileirinhabeauty.com.br/Document/En_us/Invoice-for-s/o-11/05/2018/
http://brazilianbuttaugmentation.net/11997OLJVY/BIZ/Business/
http://carbonbyte.com/xerox/EN_en/Invoice-Corrections-for-37/59/
http://carminewarren.com/newsletter/US_us/Invoice-Corrections-for-15/54/
http://casino338a.city/newsletter/En/Invoice-5505302-November/
http://cdn5.rvshare.com/1541440212.491c5b0b32d56a2330520a9a91463722.doc/
http://chefshots.com/57953PMYDYHBV/SWIFT/Commercial/
http://chstarkeco.com/Document/EN_en/1-Past-Due-Invoices/
http://chungelliott.com/wp-admin/Nov2018/US/Question/
http://cidadeempreendedora.org.br/wp-content/upgrade/65208YCNN/PAY/Smallbusiness/
http://craniofacialhealth.com/newsletter/US/Past-Due-Invoices/
http://crowdgusher.com/Document/US_us/Overdue-payment/
http://djlilmic.com/84025BMQKXYDV/BIZ/Personal/
http://duwon.net/wpp-app/4815587SLERFGAN/identity/US/
http://emilyxu.com/847XLUFEIHG/BIZ/Personal/
http://fenlabenergy.com/FILE/En_us/Outstanding-Invoices/
http://foccusmedical.com.br/INFO/US/Invoices-Overdue/
http://gaardhaverne.dk/371880QWYFSQ/PAYMENT/Business/
http://griff.art.br/default/US_us/Invoice/
http://gueben.es/INFO/EN_en/Document-needed/
http://ingridkaslik.com/0597864MMOLPXNP/identity/Business/
http://investicon.in/wp-content/plugins/workfence/649494OUWHGA/oamo/Personal/
http://jacquesrougeau.ca/old/LLC/US_us/Invoices-attached/
http://johnscevolaseo.com/doc/EN_en/Open-Past-Due-Orders/
http://juegosaleo.com/newsletter/US/Invoice-Corrections-for-81/79/
http://marcocciaviaggi.it/sites/EN_en/Sales-Invoice/
http://mesaqore.com/doc/US_us/Service-Invoice/
http://mironovka-school.ru/977878WBVWYKBV/BIZ/Smallbusiness/
http://never3putt.com/Nov2018/US/Past-Due-Invoices/
http://notehashtom.ir/wp-admin/598GLELB/SWIFT/Smallbusiness/
http://nuomed.com/Nov2018/En_us/Service-Report-3672/
http://nutrilatina.com.br/files/En_us/Sales-Invoice/
http://peconashville.com/INFO/En_us/Service-Report-20333/
http://pereira.photo/newsletter/EN_en/Invoice-receipt/
http://pornbeam.com/eVsCvwP/4AY/8QVYJ/PAYROLL/Business/
http://touchandlearn.pt/wp-content/uploads/81944UBMHWQIH/PAY/Business/
http://tvaradze.com/doc/US_us/Invoices-Overdue/
http://womendrivers.be/scan/US_us/Open-Past-Due-Orders/
http://www.aes.co.th/web/wp-content/upgrade/newsletter/US/Inv-867015-PO-5O966375/
http://www.cabdjw.gov.cn/wp-includes/2021ACJTULJK/SWIFT/US/
http://www.conceptsacademy.co.in/wp-content/uploads/2018/files/US/024-13-180753-957-024-13-180753-943/
http://www.greenamazontoursperu.com/LLC/EN_en/Open-Past-Due-Orders/
http://www.imankeyvani.ir/INFO/US_us/Open-invoices/
http://www.martabadias.com/8481483FGDDG/PAYROLL/Commercial/
http://www.milaszewski.pl/sites/US_us/Invoices-attached/
http://www.retailtechexpo.cn/en/wp-content/wp-rocket-config/scan/US_us/Scan/
http://www.swiftsgroup.com/default/En/Outstanding-Invoices/
http://www.test.vic-pro.com/newsletter/EN_en/Outstanding-Invoices/
http://www.torneighistorics.cat/INFO/EN_en/Invoice-Number-85412/
http://www.ultigamer.com/wp-admin/includes/INFO/US/Important-Please-Read/
http://www.willbcn.com/sites/US_us/Invoice/
http://www.zcnet.com/0872684IQBTLZW/ACH/Personal/
https://celgene.zendesk.com/attachments/token/jsBvNcgFVs4ELgPF4okoU1R3T/
```
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2018-11-05 22:29:00
SHA256:
ad3781adce18959a883e43e6d3d03a264388f9c8bf99df96cda11131a63371f9

http://keywestartistmarket.com/OaM1uBg
http://cadenas.com.br/30A6rlp
http://krmar.ru/9qiWCR4b
http://shababazm.com/v675zUP
http://andrzejsmiech.com/UZpCXUkk
```
#### SHA256s for Epoch 1 Payload EXEs seen on 11/05/18 ####
```
3f9d6c29995dbc28b91e0d30b63cfb7f7cf42d050949355b0b62293b76327568
185094ab98a1c77837a6c3b0bf48c4a1d25698e5844b308d4704b5d3f40db681
865c74a009e713098d335e4138a09a545ec2ef26001ddacf64c9cb9ec597fe3f
d3611b52f3662288d438bca5d9fe7ad394f954a33d155915645d7526caf91e68
56463dac265e82a6178a8924d5be794495b295a25efd1976daae35eff61829ac
fd91f0d55d932a2d14451967e225765c21037a91b5e64fe4915c87fd87561bf9
```
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2018-11-05 17:18:00
SHA256:
f3e187ebd0be4413d9495345935aeb63a025bb299c63b24787188a71003e5a5b
0acd52e7f92f125d8fec5d78db296ee3c88079456dfb66b84fa92be944dc1293
4dfb9830a14e1e92ca88b40189fb05be60a42be886c9ca1cd2f6a3f5f09e0208
680d56d915ec028d4d0e33cd63e90f58c1f67c4e8b92d11eabf2576702d5b3bd
d997af80a0b2cea354d82735f28b04fb6f40ec6a687b4616cbc03230c7319ad3
6c9f60643913ae688fc163d8e09a71268c0bd527ca5e9330c163108aafac5944
26fba2bd9792cbe6aa14f3baa9a2ffb57344d7348805648a53dcf92644a8b973
f43ced0de6dce1c3fcf386cb7bd4e0d787d64983f0d2bb236311605402ba74a9
e78f28580ea5e79a33be5ba93c71e2c66528812db3580a3e39f3f652ecaaa858
18c74f2852985acd6a5b35d21d12e8e852d54003b4e5d3714243e045969c434f
af3fea36a05c59c3670d5fe58a4d679c3e089ceb8be39c92663c3401ce8784eb
87b5210624989f6ff74bb9a07083aeab116ba3e179db099f768982ac1dbbb5b8
5d3e5a9b7730bd40f0cd4392367744bb7a3ddefd3b316d603e56369a7813ee68
3cebbd85235c819ec92210572035f2973b54740f306b8b0607e03c84eb7b0914
9827a577b252a3417174e8177592785515f22b9bca4d435a2206e512a2ced3fd
3ebc758a0186db99545ab2614b2a96544ab4509bf7d24c8d11dca06b2d17adbd
943aa71f481cb0a3af7e24e2be09298ed6c98235b4d1cfb89979339c8bad8085
42df2ceda548dbd95ed4cf8176dfb8817e7350ea9b296adb33a3e6c3f2fb272e
11d52b1ee5c330911ed98ba86a4560c67cba2bd70427c8d33a0b793ddeb5c11e
9bd34506cacf57f6329a6b5530684822d50d03a26e6105d217220e46297bf84c
687d3887779bf147f8ab6637c28f76559f3a1cbe0899cfa07d0ac33733fc74efc
1a4dc5022a6b5296fe5d03597782a985bd721e3651b010c06b9be205b5c9f97d
fc4fa944b430fb0c175ab12d9bb776819f04d29c4a371baa243af0d7e7ab267b
7ae43402b33483d995f4c64940500a3cd508a22e4e2ae9c70ead3f9fd6396bc7
8560ed53158f7c2f7931ee6e95abcbf0325d117b039d96f9ebc2e7971c22a151
8393f02d75dd065203874f01ad54ccaa767603b63d5a2faf77d3a55c17a6b4bc
1f5e9f1c173cc8611a5d34e801c0a26ce7365cb1c7b660bcd88816153b76d467
c2470c1b4e9e97fa1820f29ca1dece3f99e154c6cd695d1e6f89e12425eb3a4f
7575b3de182b5ad8b92eabad4f5307e27280729f81ab692d20633dac2f786d8c
e7dcbaaec834d3b3accd527299f71fd1056b9b88e5156d83ec6e928d13872177
51cd6bdb18da6dc94549e067b04e727b9e947f2f189f5c27da67eb56f77c5f54
2210bb4262bd6f02c2c1b836ea7372c28b35f7e31d81dcf4749fbd4fe71676fb
9aee83d453ff3ce67e771d3b417ec0e29c1104a3e6b035088b8e799557049c3c
853d3351d23e0de67958a4669d628444c1a15d4de4de4f114f8db90689a2d715

http://tlextreme.com/orsOyz
http://vanherreweghen.be/I
http://www.camenisch-software.ch/ynlTz
http://sh2017.chancemkt.com/Vg07
http://www.tzen2.com/wp-content/8xR

Creation Time 2018-11-05 10:02:00
SHA256:
7516af39a37c18fa7c21a8dc9b0659463886b7453d92d0082e04907e8c7cfb32
e410c621736aa8e6b5174ad62cc2c49fc6a804dd6dac8f87fcfd35910b5734ca
b61113e598e002f1d9273b07d7607d858efba0cb4dcda4a8c72864885ed63376
1908cf7f7f3be0ea4d3221f70402947b76211dad38058a5a0bfb762f8ecdd392
3ce80ee8433dc8ddd1459244196e687508bd564493621a45fa2df58b3e521314
5ab7313c5141a184d22a5c6ac325dbd3bdaf81aa448600d204914a3740e5612d
e4ecb82fb8a2bf785c2f976c1feea57bca2ff115f5a26c00a9282f9d7f43eb43
6840a6c22f7f7070147e3d119e95b2c794de450af9bdbcfbca7ede94c6678440
000cac78f50ff38ccb4465cac82be45df87e8d0b9e28338fdd62d367240f26a0
6ca9d13ba701a131d357c033e15204e7daacd1805142856c568c1289ca010656
0b3e6fb8bf5701aa1e13c089b2cf51bcb8c169e3d6a2e3e86a8ed9398f8f493b
d1e2d97314ab7f756f8ce799a9b578d80388f8e1365f648743183ec08a9f315d
3546c31ab9a6dbcf55084397ce3b5b24afe23861e2a9cc2b84f7d79b07e33ee5

http://artsntek.com/YtQno
http://bahiacreativa.com/9SYOE9k
http://cipherme.pl/data/cw
http://charliefox.com.br/41Cj
http://casellamoving.com/t1g
```
#### SHA256s for Epoch 2 Payload EXEs seen on 11/05/18 ####
```
10a02d3fea79599ab6fa9a8518045cc41b5fb50c57c01f69242b8bdb4b79d8c8
Trickbot 59b603b211b6a4a76f7b025f6bfd414819a9639df45f9d3e70dd4ece1ba7c6b6
049f732f2da2289408b937bb46c365028fed6f9ee74a373cc92e4dca2f18dcf2
e9aab3899d0279062b117e543ca3397394541e68bf124730fc43c2e3409a0047
c1790994f32aa1c104bbca7ff17b6b8710acb03030ee1e4351547603e9fd88e7
06af2e77bacf94f4328ce864aa162346e685730aa10919b7a93b76abbc0e7119
f05ca029a47e30740c5ea4fa8d8e28bbe18c15fa3a82551f952493e78a72d59b
0448a0701036b154e48b34cc49d9cbe28985a02730cebd7d1a04f0b142bbe144
906e954a652300362198d3b7be578487eac04f14be1c562bf75b1b1c01436c32
b85fb8892c9a1778f470d70689c8f1e60082504df0d2dd06a11d85efba738729
09f69cb18f86d6bcb718a6cb9b7fa0e2ac4bbe4f38f8dc6a01476e9681825a9a
```
#### Epoch 1 C2s ####
```
(Port is 80 unless noted)

128.193.56.169:443
133.242.208.183:8080
139.59.242.76:8080
148.103.7.242:7080
159.65.76.245:443
165.227.213.173:8080
186.10.17.186:443
186.20.217.236
190.124.166.113:8080
190.17.44.48
190.90.100.228:8080
192.155.90.90:7080
198.199.185.25:443
200.21.90.6:8080
201.111.74.224:7080
210.2.86.72:8080
210.2.86.94:8080
213.48.239.192
217.35.82.190:7080
23.254.203.51:8080
24.117.165.162:50000
24.37.218.86
37.120.175.15
45.73.110.62:8080
47.225.131.10
47.34.43.223
49.212.135.76:443
5.9.128.163:8080
69.198.17.20:8080
76.65.166.252:7080
81.20.87.205:443
81.214.108.10:443
90.75.137.228:50000
```
#### Spam/Stealer C2s ####
```
24.161.14.157:443
174.71.204.179:8080
24.28.182.224:443
186.68.80.34:443
212.48.68.58:8080
87.106.243.118:8080
70.82.209.53:8080
186.85.127.59
211.228.237.11:443
```
#### Epoch 2 C2s ####
```
(Port is 80 unless noted)

104.205.121.6:8090
115.71.233.127:443
136.56.103.201
139.162.151.141:8080
149.167.86.174:990
153.122.38.158:443
160.2.24.88:990
174.55.139.78
189.190.61.232
190.92.37.171:7080
200.194.26.234:443
211.115.111.19:443
217.13.106.160:7080
217.174.206.181:443
222.214.218.192:4143
24.59.228.182
27.96.91.225:8443
37.211.34.12:8080
45.123.3.54:443
46.163.76.187:8080
47.32.248.75:8080
5.230.147.179:8080
67.205.149.117:443
69.198.17.7:8080
69.55.255.159
70.50.196.234:8080
71.167.178.19
72.255.128.229:7080
73.31.237.56:443
78.47.182.42:8080
79.69.254.176:7080
81.7.10.106:7080
83.222.124.62:8080
84.200.106.120:8080
95.141.175.240:443
96.67.83.134
98.102.182.2:8443
98.142.208.27:443
```
#### Epoch 2 - Spam/Stealer C2s ####
```
50.100.215.149:50000
70.62.224.226
202.175.188.154:8443
```
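The lists above follow a fixed layout: `#### ... ####` section headings, C2 entries as `IP` or `IP:port` with port 80 implied when omitted, SHA256 lines that may carry a leading label (the `Trickbot <hash>` entry), and one download URL per line. The parser below is an added example, not the paste author's tooling, and turns that layout into lookup sets, then matches them against log lines. The IoC excerpt embedded in it is copied from this page (including one 65-character line that is not a valid SHA-256 and is therefore reported rather than silently truncated); the proxy/netflow/EDR log lines are constructed for the demonstration, and the `dst=... dport=...` and `sha256=...` field names are assumed, not taken from any particular product.

```python
"""Parse an Emotet IoC paste in the layout used above and match it against logs."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

HEADING_RE = re.compile(r"^#+\s*(.*?)\s*#*$")
IP_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?$")
HEX64_RE = re.compile(r"[0-9a-fA-F]{64}")
URL_RE = re.compile(r"^https?://\S+$")
# Log-line shapes (assumed): 'IP:PORT' or 'dst=IP dport=PORT'.
CONN_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::|\s+dport=)(\d{1,5})")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
LOG_HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Paste metadata lines that carry no indicator of their own.
SKIP_PREFIXES = ("(", "Creation Time", "SHA256:", "```")

# Excerpt copied from the page; the 687d38... line has 65 hex chars as printed.
IOC_TEXT = """\
#### Epoch 2 Document/Downloader links seen for 11/05/18 ####
http://1stniag.com/Download/EN_en/Invoice-Number-44664/
http://777ton.ru/DOC/US_us/Scan/
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
Creation Time 2018-11-05 17:18:00
SHA256:
687d3887779bf147f8ab6637c28f76559f3a1cbe0899cfa07d0ac33733fc74efc
1a4dc5022a6b5296fe5d03597782a985bd721e3651b010c06b9be205b5c9f97d
#### SHA256s for Epoch 2 Payload EXEs seen on 11/05/18 ####
10a02d3fea79599ab6fa9a8518045cc41b5fb50c57c01f69242b8bdb4b79d8c8
Trickbot 59b603b211b6a4a76f7b025f6bfd414819a9639df45f9d3e70dd4ece1ba7c6b6
#### Epoch 1 C2s ####
(Port is 80 unless noted)
128.193.56.169:443
186.20.217.236
#### Epoch 2 C2s ####
(Port is 80 unless noted)
104.205.121.6:8090
136.56.103.201
"""

# Constructed log lines: internal 10.0.0.x hosts talking to listed indicators.
SAMPLE_LOGS = [
    "2018-11-05T23:10:01Z conn src=10.0.0.5 dst=186.20.217.236 dport=80 proto=tcp",
    "2018-11-05T23:11:44Z conn src=10.0.0.5 dst=128.193.56.169 dport=443 proto=tcp",
    "2018-11-05T23:12:09Z conn src=10.0.0.7 dst=128.193.56.169 dport=8080 proto=tcp",
    "2018-11-05T22:30:12Z proxy src=10.0.0.9 url=http://777ton.ru/DOC/US_us/Scan/ status=200",
    "2018-11-05T22:35:40Z edr host=WS12 file=invoice.exe "
    "sha256=59b603b211b6a4a76f7b025f6bfd414819a9639df45f9d3e70dd4ece1ba7c6b6",
]


@dataclass
class IocSet:
    c2: Dict[Tuple[str, int], str] = field(default_factory=dict)  # (ip, port) -> section
    sha256: Dict[str, str] = field(default_factory=dict)          # hash -> label or section
    urls: Set[str] = field(default_factory=set)
    unparsed: List[str] = field(default_factory=list)             # lines matching no pattern


def parse_iocs(text: str) -> IocSet:
    iocs = IocSet()
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = HEADING_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = IP_PORT_RE.match(line)
        if m:
            iocs.c2[(m.group(1), int(m.group(2) or 80))] = section  # "Port is 80 unless noted"
            continue
        tokens = line.split()
        hashes = [t for t in tokens if HEX64_RE.fullmatch(t)]
        if hashes:
            label = " ".join(t for t in tokens if t not in hashes) or section
            for h in hashes:
                iocs.sha256[h.lower()] = label
            continue
        if URL_RE.match(line):
            iocs.urls.add(line)
            continue
        iocs.unparsed.append(line)  # e.g. a malformed hash: surface it, never truncate it
    return iocs


def match_log_line(line: str, iocs: IocSet, ip_only: bool = False) -> List[Tuple[str, str, str]]:
    """Return (kind, indicator, label) hits. C2 hits require the listed port;
    ip_only=True also flags a listed IP on any other port (noisier)."""
    hits: List[Tuple[str, str, str]] = []
    for ip, port in CONN_RE.findall(line):
        section = iocs.c2.get((ip, int(port)))
        if section:
            hits.append(("c2", f"{ip}:{port}", section))
    if ip_only:
        by_ip = {ip: section for (ip, _), section in iocs.c2.items()}
        for ip in IPV4_RE.findall(line):
            if ip in by_ip and not any(h[1].startswith(ip + ":") for h in hits):
                hits.append(("c2-ip", ip, by_ip[ip]))
    for h in LOG_HASH_RE.findall(line):
        label = iocs.sha256.get(h.lower())
        if label:
            hits.append(("sha256", h.lower(), label))
    for url in iocs.urls:
        if url in line:
            hits.append(("url", url, "document download"))
    return hits


def scan_logs(lines, iocs: IocSet, ip_only: bool = False):
    return [(i, *hit) for i, line in enumerate(lines) for hit in match_log_line(line, iocs, ip_only)]


if __name__ == "__main__":
    parsed = parse_iocs(IOC_TEXT)
    for finding in scan_logs(SAMPLE_LOGS, parsed, ip_only=True):
        print(finding)
    print("unparsed:", parsed.unparsed)
```

The third sample line (a listed IP on an unlisted port) is deliberately a miss by default: the paste records port-specific C2s and a port change between runs is common, so `ip_only=True` is the choice between a tighter and a noisier signal. Anything the parser cannot classify lands in `unparsed` so a malformed entry is reviewed rather than dropped.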
#### Credits and Notes Section ####
```
Updated 7/13/18
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture: https://pastebin.com/u/jroosen

NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list. I am providing them for your benefit in case you want to parse them to be sure.

UPDATED (08/31/18): Epoch 1 is back! For several days in a row it has been on the scene!

What is Epoch 1 and Epoch 2?
Epoch 1 and 2 are two distinct chains of payloads that I have been tracking for a couple of weeks now. Epoch 2 is currently the larger group of hosts and I think it is the main push of Emotet. Epoch 2 WAS a smaller, more rapidly changing version of Emotet that tended to change the hash of the document every 45-60 minutes and sometimes had new payloads that fast also. Epoch 1 seems to change payloads every 3-6 hours now and hashes change sometimes as fast as 1 hour. Epoch 1 may now be the development chain but I am not 100% sure what they are up to. Checking either epoch host at a point in time will deliver a document that has payloads that are different from the other epoch. That means epoch 1 may have payloads of a,b,c,d,e and epoch 2 will then have z,y,x,w,v. Sites sometimes move from one epoch to the other but I have never seen the same exact directory go from one epoch to the other. It is always a new directory for the change in epoch as far as I have seen.
```
#### Community Lists ####
```
https://pastebin.com/GXaSAMJ6 - @James_inthe_box
https://pastebin.com/h61QUzSv - @ps66uk
https://pastebin.com/Zbrny8VL - @pollo290987
```
#### Credits ####
```
(OC and combination work)
Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch
C2 info - @unixronin, @MalwareTechBlog
Payloads - @James_inthe_box, @MalwareTechBlog

Special thanks to @2sec4u, @unixronin, @pollo290987/@ps66uk for creating scripts/servers/infrastructure and helping out with all of this!

Very special thanks to @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch and @Virustotal!
```
#### Daily Log ####
```
After a long hiatus it is back. E1 shut down and E2 is going pretty strong. I will put up some templates later of the emails.

16:00 - seems like E1 may be waking up? Been able to find over ~60 URLs of E2 stuff so far.

18:30 - Confirmed, E1 is now sending attachment malspam and @ps66uk found the first sample.

23:00 - Ran the latest C2s for both botnets and listed them above replacing the old ones.

23:59 - added C2 runs at the end from @anyrun_app. Added @pollo290987's list.
```
#### Sandbox 11/05/18 ####
(all with fakenet and MITM unless spam/secondary infection)
```
Epoch 1 C2 Run as of 23:12 https://app.any.run/tasks/04ec5fd9-61cb-4457-a8ec-4d6043f89ff3

Epoch 2 C2 Run as of 23:05 https://app.any.run/tasks/3f21db2f-8461-49a1-a60f-71f9d46c8d84
```