- Mike Nolan Certified
- Some MD5 hashes
- Emotet version 2:
- Emotet version 3:
- Traces/IOCs
- You may see entries in FRST logs that are similar to these:
- HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\1A345B7
- HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\12C4567D
- (Gornyk) C:\Windows\SysWOW64\servicedcom.exe
- C:\WINDOWS\12345678.EXE
- C:\WINDOWS\SYSWOW64\SERVERNV.EXE
- C:\WINDOWS\SYSWOW64\NUMB3R2ANDL3373RS.EXE
- C:\WINDOWS\TEMP\1A2B.TMP
- Italicized parts will have randomized names.
- General IOCs
- Persistence
- C:\Windows\System32\randomnumber\
- C:\Windows\System32\tasks\randomname
- C:\Windows\[randomname]
- C:\users\[myusers]\appdata\roaming\[random]
- %appdata%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[Randomname].LNK file in the startup folder
- Registry keys
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\{Random Hexadecimal Numbers}
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{Random Names} with value c:\users\admin\appdata\roaming\{Random}{Legitimate Filename}.exe
- Filename examples
- PlayingonaHash.exe
- certapp.exe
- CleanToast.exe
- CciAllow.exe
- RulerRuler.exe
- connectmrm.exe
- Strings (the following paths are not present in every sample)
- C:\email.doc
- C:\123\email.doc
- C:\123\email.docx
- C:\a\foobar.bmp
- X:\Symbols\a
- C:\loaddll.exe
- C:\email.htm
- C:\take_screenshot.ps1
- C:\a\foobar.gif
- C:\a\foobar.doc
- Subject Filters:
- “UPS Ship Notification, Tracking Number”
- “UPS Express Domestic”
- “Tracking Number *”
- IP:
- Mail subject lines
- Payment Remittance Advice
- Numero Fattura 2019…
- Malicious Word documents
- eee144531839763b15051badbbda9daae38f60c02abaa7794a046f96a68cd10b
- fb25f35c54831b3641c50c760eb94ec57481d8c8b1da98dd05ba97080d54ee6a
- bee23d63404d97d2b03fbc38e4c554a55a7734d83dbd87f2bf1baf7ed2e39e3e
- 5d9775369ab5486b5f2d0faac423e213cee20daf5aaaaa9c8b4c3b4e66ea8224
- Hacked websites hosting the Emotet binary
- Emotet binaries
- Post-infection traffic (C2s)