2019-09-26 Emotet IOCs

1. ANALYST NOTES
2. Today I saw slightly lower Emotet volume.
3. I had 64 recipients and, yet, I only got 8 Word document file hashes and 2 .exe hashes.
4. As has been the case, I saw both "re-used" email threads and new stand-alone emails today.
5. Some researchers said that they saw the use of Wscript today (with a .jse file) instead of Powershell.
6. I did not - I continued to see Powershell in all cases.
7. The Emotet VBA macros that I saw continue to generate simple base64 with no other obfuscation to be executed by Powershell.
8.  
9. Like yesterday, CyberChef decodes the base64 and splits out the URLs with this recipe:
10. From_Base64('A-Za-z0-9+/=',true)
11. Decode_text('UTF16LE (1200)')
12. Split('@','\\n')
13. Extract_URLs(false)
14.  
15. (it does leave a single quote artifact at the very end)
16.  
17. SENDERS OBSERVED
18. [email protected]
19. [email protected]
20. [email protected]
21. [email protected]
22. [email protected]
23. [email protected]
24. [email protected]
25. [email protected]
26. [email protected]
27. [email protected]
28. [email protected]
29. [email protected]
30. [email protected]
31. [email protected]
32. [email protected]
33. [email protected]
34. [email protected]
35. [email protected]
36. [email protected]
37. [email protected]
38. [email protected]
39. [email protected]
40. [email protected]
41. [email protected]
42. [email protected]
43. [email protected]
44. [email protected]
45. [email protected]
46. [email protected]
47. [email protected]
48. [email protected]
49. [email protected]
50. [email protected]
51. [email protected]
52. [email protected]
53. [email protected]
54. [email protected]
55. [email protected]
56. [email protected]
57. [email protected]
58. [email protected]
59. [email protected]
60. [email protected]
61. [email protected]
62. [email protected]
63. [email protected]
64. [email protected]
65. [email protected]
66. [email protected]
67. [email protected]
68. [email protected]
69. [email protected]
70. [email protected]
71. [email protected]
72. [email protected]
73. [email protected]
74. [email protected]
75. [email protected]
76. [email protected]
77. [email protected]
78. [email protected]
79.  
80.  
81. WORD DOCUMENT FILE HASHES
82. 4a48396815ffca9806cb8d10db52ad25
83. 4f78611ee813a5abdfbe3c2e6841350a
84. 50e042d7afe697f829e0a5a78a0707b8
85. 92509b1b9f0114433c4ddd758d5dcb82
86. a44247cf3f3b4bedd6c1eb123fd973d1
87. a7833773b84ccb6fd797db9f510bf843
88. a9b55918ff86759869163a91ffc4b700
89. f0c2eca72f75cfbf13e56ddba5d99767
90.  
91. PAYLOAD FILE HASHES
92. cdf8eafed40b73a32202e63427c30489
93. dd1b03b522af0990bee0c4bc8ba81aab
94.  
95. EMOTET PAYLOAD URLs
96. http://altaikawater.com/wp-admin/4jh8s_sxm6m3eec-441/
97. http://antoinegimenez.com/css/hUgHbaEf/
98. http://aplikasi.bangunrumah-kita.com/b8kee0mj/0m3l_clo7kkcub-76/
99. http://auto-moto-ecole-vauban.fr/wp-admin/ww42_lwln3c-1236328628/
100. http://avant2017.amsi-formations.com/prog/skzHGQddV/
101. http://cheaptrainticket.cogbiz-infotech.com/cgi-bin/9vsx4g6l_p5x29co-43731795/
102. http://fabiogutierrez.com.br/loja/bEZYtLkJGj/
103. http://gruasasuservicio.com/cgi-bin/YdFmLIEsIB/
104. http://gsfcloud.com/fir/qx88b0qgfq_tdpfmobexf-881829012/
105. http://itf.palemiya.com/wp-includes/IIswblOCV/
106. http://moda.9l.pl/calendar/HugncgqxUR/
107. http://precisieving.com/wp-admin/db090yl5_bwwmv-86392/
108. http://sweetmagazine.org/wp-admin/z0jxuhjao_n6me674y8i-3862/
109. http://ucomechina.com/wp-content/aVMBsBCy/
110. http://your-event.es/mailin/OgXcBNiq/
111.  
112. EMOTET C2s
113. http://88.156.97.210
114. http://199.19.237.192
115. http://190.108.228.48:990
116. http://212.129.24.82:8080
117. http://162.144.47.94:7080
118. http://77.237.248.136:8080
119. http://185.142.236.163:443
120. http://63.142.253.122:8080
121. http://78.24.219.147:8080
122. http://200.21.90.6
123. http://85.104.59.244:20
124. http://86.98.25.30:53
125. http://222.214.218.192:8080
126. http://5.196.74.210:8080
127. http://31.12.67.62:7080
128. http://190.145.67.134:8090
129. http://178.79.161.166:443
130. http://104.131.11.150:8080
131. http://101.187.237.217:20
132. http://188.166.253.46:8080
133. http://190.106.97.230:443
134. http://185.94.252.13:443
135. http://186.75.241.230
136. http://103.255.150.84
137. http://211.63.71.72:8080
138. http://179.32.19.219:22
139. http://31.172.240.91:8080
140. http://45.123.3.54:443
141. http://159.65.25.128:8080
142. http://177.246.193.139:20
143. http://182.176.106.43:995
144. http://149.202.153.252:8080
145. http://217.145.83.44
146. http://46.105.131.87
147. http://187.144.189.58:50000
148. http://92.222.216.44:8080
149. http://190.186.203.55
150. http://88.247.163.44
151. http://41.220.119.246
152. http://37.157.194.134:443
153. http://190.18.146.70
154. http://206.189.98.125:8080
155. http://85.106.1.166:50000
156. http://80.11.163.139:443
157. http://201.251.43.69:8080
158. http://149.167.86.174:990
159. http://87.230.19.21:8080
160. http://200.71.148.138:8080
161. http://142.44.162.209:8080
162. http://169.239.182.217:8080
163. http://138.201.140.110:8080
164. http://92.222.125.16:7080
165. http://189.209.217.49
166. http://47.41.213.2:22
167. http://87.106.136.232:8080
168. http://190.211.207.11:443
169. http://27.147.163.188:8080
170. http://212.71.234.16:8080
171. http://190.228.72.244:53
172. http://62.75.187.192:8080
173. http://186.4.172.5:443
174. http://83.136.245.190:8080
175. http://173.212.203.26:8080
176. http://186.4.172.5:8080
177. http://94.205.247.10
178. http://91.205.215.66:8080
179. http://144.139.247.220
180. http://87.106.139.101:8080
181. http://119.15.153.237
182. http://182.76.6.2:8080
183. http://45.33.49.124:443
184. http://182.176.132.213:8090
185. http://136.243.177.26:8080
186. http://104.236.246.93:8080
187. http://181.143.194.138:443
188. http://178.254.6.27:7080
189. http://217.160.182.191:8080
190. http://95.128.43.213:8080