CyberDyn999

Emotet Botnet IOC

Sep 16th, 2019
Mike Nolan Certified

Some MD5 hashes
Emotet version 2:

Emotet version 3:


Traces/IOCs
You may see entries in FRST logs that are similar to these:

HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\1A345B7
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\12C4567D
(Gornyk) C:\Windows\SysWOW64\servicedcom.exe
C:\WINDOWS\12345678.EXE
C:\WINDOWS\SYSWOW64\SERVERNV.EXE
C:\WINDOWS\SYSWOW64\NUMB3R2ANDL3373RS.EXE
C:\WINDOWS\TEMP\1A2B.TMP
Italicized parts (the service key names and file names shown above) will have randomized names.
General IOCs

Persistence

C:\Windows\System32\randomnumber\
C:\Windows\System32\tasks\randomname
C:\Windows\[randomname]
C:\users\[myusers]\appdata\roaming\[random]
%appdata%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[Randomname].LNK file in the startup folder

Registry keys

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\{Random Hexadecimal Numbers}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{Random Names} with value c:\users\admin\appdata\roaming\{Random}{Legitimate Filename}.exe

Filename examples

PlayingonaHash.exe
certapp.exe
CleanToast.exe
CciAllow.exe
RulerRuler.exe
connectmrm.exe

Strings (the following paths may be missing from some samples; they are not always present)

C:\email.doc
C:\123\email.doc
C:\123\email.docx
C:\a\foobar.bmp
X:\Symbols\a
C:\loaddll.exe
C:\email.htm
C:\take_screenshot.ps1
C:\a\foobar.gif
C:\a\foobar.doc

Subject Filters:

“UPS Ship Notification, Tracking Number”
“UPS Express Domestic”
“Tracking Number *”

https://virustotal.com/gui/file/12a3fea4904bababa37b1b1b4fb22d4c7bf2591e2f3ee262aa35507c6d70cda6/detection

https://app.any.run/tasks/40ba24cc-1b23-4745-917a-bf879dafc188

https://cape.contextis.com/analysis/90807/

c0a9ddececc465e6a3e9cef00a6332ef

mail subject lines

Payment Remittance Advice
Numero Fattura 2019…

Malicious Word documents


Hacked websites hosting the Emotet binary


Emotet binaries


Post-infection traffic (C2s)
