API tools faq
paste
Advertisement
ExecuteMalware

2019-09-26 Emotet IOCs

ExecuteMalware
Sep 26th, 2019
8,466
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 5.60 KB | None | 0 0
raw download clone embed print report
  1. ANALYST NOTES
  2. Today I saw slightly lower Emotet volume.
  3. I had 64 recipients and, yet, I only got 8 Word document file hashes and 2 .exe hashes.
  4. As has been the case, I saw both "re-used" email threads and new stand-alone emails today.
  5. Some researchers said that they saw the use of Wscript today (with a .jse file) instead of Powershell.
  6. I did not - I continued to see Powershell in all cases.
  7. The Emotet VBA macros that I saw continue to generate simple base64 with no other obfuscation to be executed by Powershell.
  8.  
  9. Like yesterday, CyberChef decodes the base64 and splits out the URLs with this recipe:
  10. From_Base64('A-Za-z0-9+/=',true)
  11. Decode_text('UTF16LE (1200)')
  12. Split('@','\\n')
  13. Extract_URLs(false)
  14.  
  15. (it does leave a single quote artifact at the very end)
  16.  
  17. SENDERS OBSERVED
  18. administracio@santmoritz.com
  19. administracion.agv@grupozoom.com
  20. aiza.vercide@airyougotravels.com
  21. andrew@corcoranengineers.ie
  22. arecvble@pacificfoam.com.pg
  23. bakery@alafiyagroup.com
  24. bea@trofeosmartinez.com
  25. bintulu_service2@dailieng.com.my
  26. bnp@supremegroup.com.my
  27. bochieng@trackntrace.co.ke
  28. celest.tan@kde.my
  29. csylvester@townofcarmel.org
  30. danvinmotors@telkomsa.net
  31. dcemdesk@powerlinksworld.com
  32. dee.alin@transfame.com.my
  33. docx@gtc.com.pk
  34. ejecutivo.senior@productoslavictoria.com.co
  35. erin@wisefoundation.com
  36. facturacion@ingerack.com
  37. faidzyal.hassan@transfame.com.my
  38. faltas.avarias@grupochibatao.com.br
  39. fandvops@freshtrade.co.zw
  40. fomondi@trackntrace.co.ke
  41. fortiz@expertosenaddendas.com
  42. george@skybluerestorations.com
  43. info@carrara-marble.com.au
  44. info@flextonrealties.com
  45. info@thecromwellcourtyardhotel.com
  46. info@trofeosmartinez.com
  47. jamal@carrara-marble.com.au
  48. josep@cutspain.com
  49. lasanadas@lasanadas.es
  50. layla.haji@hahco.net
  51. leadreturn@reutersproemail.com
  52. m.mroz@elzat.pl
  53. maria@kitchenpro.com.ph
  54. maria@rameshtrading.com.ph
  55. mrmolina@labomega.com.ar
  56. mskcgo@hermandad.com.tw
  57. mtaylor@highresolution.tv
  58. nathan@dispatchtcm.com
  59. noorulain@consult-tech.org
  60. nurul.syafiqah@permintex.com.my
  61. p.nowak@nordstrandperle.de
  62. pandiraj@sailssp.in
  63. praveen@thinksmartinfo.com
  64. quinform@quinform.com.my
  65. sales@niss.in
  66. sara.ahmad@connecme.com
  67. shoaib@sigmatech.pk
  68. supervisorarchivoccs@grupozoom.com
  69. Support.payroll@sinewave.co.in
  70. support015@datacontrol-ltd.com
  71. technical@sqrisksa.co.za
  72. traveldocs@myayg.com
  73. ventas@trofeosmartinez.com
  74. wally@carrara-marble.com.au
  75. woredo@trackntrace.co.ke
  76. yen@evantek.com
  77. yousef@istlight.com
  78. zainul@hzncars.com.my
  79.  
  80.  
  81. WORD DOCUMENT FILE HASHES
  82. 4a48396815ffca9806cb8d10db52ad25
  83. 4f78611ee813a5abdfbe3c2e6841350a
  84. 50e042d7afe697f829e0a5a78a0707b8
  85. 92509b1b9f0114433c4ddd758d5dcb82
  86. a44247cf3f3b4bedd6c1eb123fd973d1
  87. a7833773b84ccb6fd797db9f510bf843
  88. a9b55918ff86759869163a91ffc4b700
  89. f0c2eca72f75cfbf13e56ddba5d99767
  90.  
  91. PAYLOAD FILE HASHES
  92. cdf8eafed40b73a32202e63427c30489
  93. dd1b03b522af0990bee0c4bc8ba81aab
  94.  
  95. EMOTET PAYLOAD URLs
  96. http://altaikawater.com/wp-admin/4jh8s_sxm6m3eec-441/
  97. http://antoinegimenez.com/css/hUgHbaEf/
  98. http://aplikasi.bangunrumah-kita.com/b8kee0mj/0m3l_clo7kkcub-76/
  99. http://auto-moto-ecole-vauban.fr/wp-admin/ww42_lwln3c-1236328628/
  100. http://avant2017.amsi-formations.com/prog/skzHGQddV/
  101. http://cheaptrainticket.cogbiz-infotech.com/cgi-bin/9vsx4g6l_p5x29co-43731795/
  102. http://fabiogutierrez.com.br/loja/bEZYtLkJGj/
  103. http://gruasasuservicio.com/cgi-bin/YdFmLIEsIB/
  104. http://gsfcloud.com/fir/qx88b0qgfq_tdpfmobexf-881829012/
  105. http://itf.palemiya.com/wp-includes/IIswblOCV/
  106. http://moda.9l.pl/calendar/HugncgqxUR/
  107. http://precisieving.com/wp-admin/db090yl5_bwwmv-86392/
  108. http://sweetmagazine.org/wp-admin/z0jxuhjao_n6me674y8i-3862/
  109. http://ucomechina.com/wp-content/aVMBsBCy/
  110. http://your-event.es/mailin/OgXcBNiq/
  111.  
  112. EMOTET C2s
  113. http://88.156.97.210
  114. http://199.19.237.192
  115. http://190.108.228.48:990
  116. http://212.129.24.82:8080
  117. http://162.144.47.94:7080
  118. http://77.237.248.136:8080
  119. http://185.142.236.163:443
  120. http://63.142.253.122:8080
  121. http://78.24.219.147:8080
  122. http://200.21.90.6
  123. http://85.104.59.244:20
  124. http://86.98.25.30:53
  125. http://222.214.218.192:8080
  126. http://5.196.74.210:8080
  127. http://31.12.67.62:7080
  128. http://190.145.67.134:8090
  129. http://178.79.161.166:443
  130. http://104.131.11.150:8080
  131. http://101.187.237.217:20
  132. http://188.166.253.46:8080
  133. http://190.106.97.230:443
  134. http://185.94.252.13:443
  135. http://186.75.241.230
  136. http://103.255.150.84
  137. http://211.63.71.72:8080
  138. http://179.32.19.219:22
  139. http://31.172.240.91:8080
  140. http://45.123.3.54:443
  141. http://159.65.25.128:8080
  142. http://177.246.193.139:20
  143. http://182.176.106.43:995
  144. http://149.202.153.252:8080
  145. http://217.145.83.44
  146. http://46.105.131.87
  147. http://187.144.189.58:50000
  148. http://92.222.216.44:8080
  149. http://190.186.203.55
  150. http://88.247.163.44
  151. http://41.220.119.246
  152. http://37.157.194.134:443
  153. http://190.18.146.70
  154. http://206.189.98.125:8080
  155. http://85.106.1.166:50000
  156. http://80.11.163.139:443
  157. http://201.251.43.69:8080
  158. http://149.167.86.174:990
  159. http://87.230.19.21:8080
  160. http://200.71.148.138:8080
  161. http://142.44.162.209:8080
  162. http://169.239.182.217:8080
  163. http://138.201.140.110:8080
  164. http://92.222.125.16:7080
  165. http://189.209.217.49
  166. http://47.41.213.2:22
  167. http://87.106.136.232:8080
  168. http://190.211.207.11:443
  169. http://27.147.163.188:8080
  170. http://212.71.234.16:8080
  171. http://190.228.72.244:53
  172. http://62.75.187.192:8080
  173. http://186.4.172.5:443
  174. http://83.136.245.190:8080
  175. http://173.212.203.26:8080
  176. http://186.4.172.5:8080
  177. http://94.205.247.10
  178. http://91.205.215.66:8080
  179. http://144.139.247.220
  180. http://87.106.139.101:8080
  181. http://119.15.153.237
  182. http://182.76.6.2:8080
  183. http://45.33.49.124:443
  184. http://182.176.132.213:8090
  185. http://136.243.177.26:8080
  186. http://104.236.246.93:8080
  187. http://181.143.194.138:443
  188. http://178.254.6.27:7080
  189. http://217.160.182.191:8080
  190. http://95.128.43.213:8080
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!