
Emotet-Feodo_C2_IOCs_EPOCH1_15-04-2019

Apr 15th, 2019
  1. #Emotet #Feodo #Banking #Trojan #Epoch1
  2. --------------------------------------------
  3. 15-04-2019 IOCs (as observed during sandbox execution on that date; download hosts and C2 infrastructure of this kind rotate quickly, so re-validate before blocking or alerting)
  4. --------------------------------------------
  5. Main object- "a9928f8d9664c94af92a33072fe747bb261d4637ca6ec1a8ca9e758a0efc7a7d.bin.gz"
  6. sha256 12deae3bc3cdbb1a12ad02bb8722936233d627c51058edc2d7af746fe9ea1afc
  7. sha1 334a8ed0fb44d15dd3ad010feb3e7c3d3453f33a
  8. md5 22baf2700754930ddcc9c91fb55e37cf
  9. DNS requests
  10. domain garammatka.com
  11. domain rinconadarolandovera.com
  12. domain hadrianjonathan.com
  13. domain gamvrellis.com
  14. domain warwickvalleyliving.com
  15. Connections
  16. ip 103.228.112.39
  17. ip 72.29.90.59
  18. ip 107.180.43.3
  19. ip 104.198.58.45
  20. ip 198.105.216.238
  21. HTTP requests (payload download URLs, all plain HTTP; the executable fetched from each URL is the "Main object" of the matching section below)
  22. url http://garammatka.com/cgi-bin/o569U/
  23. url http://rinconadarolandovera.com/calendar/5n5WY/
  24. url http://gamvrellis.com/MEDIA/heuMx/
  25. url http://hadrianjonathan.com/floorplans/vOec/
  26. url http://warwickvalleyliving.com/images/wmGN/
  27. ----------------------------------------------
  28. Main object- "o569U"
  29. url http://garammatka.com/cgi-bin/o569U/
  30. sha256 e58a81f5bf5b603fd3bcb122830d3d731336fe06662940c2192157bd2064d25f
  31. sha1 267d72153bf611c03545a0b6d7036fb01c3c0df5
  32. md5 1d1b58e935b8a597283472714c1ab5f5
  33. Dropped executable file (path is from the sandbox account "admin"; hunt on %LOCALAPPDATA%\soundser\soundser.exe — its SHA-256 matches the downloaded object above, i.e. the payload is written to disk unmodified)
  34. sha256 C:\Users\admin\AppData\Local\soundser\soundser.exe e58a81f5bf5b603fd3bcb122830d3d731336fe06662940c2192157bd2064d25f
  35. Connections
  36. ip 88.215.2.29
  37. ip 187.188.166.192
  38. ip 43.229.62.186
  39. ip 65.49.60.163
  40. ip 165.227.213.173
  41. ip 210.2.86.72
  42. ip 45.33.35.103
  43. ip 187.137.162.145
  44. ip 192.155.90.90
  45. ip 88.97.26.73
  46. ip 200.114.142.40
  47. ip 107.159.94.183
  48. ip 190.117.206.153
  49. ip 67.241.81.253
  50. ip 187.189.210.143
  51. ip 185.86.148.222
  52. ip 138.68.139.199
  53. ip 219.94.254.93
  54. ip 77.44.16.54
  55. ip 71.11.157.249
  56. ip 5.9.128.163
  57. ip 144.76.117.247
  58. ip 109.73.52.242
  59. ip 69.163.33.82
  60. ip 200.90.201.77
  61. ip 192.163.199.254
  62. ip 109.104.79.48
  63. ip 200.28.131.215
  64. ip 89.211.193.18
  65. ip 62.75.143.100
  66. ip 82.226.163.9
  67. ip 181.29.101.13
  68. ip 196.6.112.70
  69. ip 189.225.119.52
  70. ip 189.205.185.71
  71. ip 176.58.93.123
  72. ip 200.107.105.16
  73. ip 72.47.248.48
  74. ip 66.209.69.165
  75. ip 92.48.118.27
  76. ip 91.205.215.57
  77. ip 139.59.19.157
  78. ip 213.172.88.13
  79. ip 51.255.50.164
  80. ip 23.254.203.51
  81. ip 99.243.127.236
  82. ip 197.248.67.226
  83. ip 154.120.228.126
  84. ip 136.49.87.106
  85. ip 186.139.160.193
  86. ip 181.29.186.65
  87.  
  88. C2 SERVERS (ip:port as recorded; the same 51 pairs recur under each payload below, so one blocklist covers all five)
  89. 88.215.2.29:80
  90. 65.49.60.163:443
  91. 187.137.162.145:443
  92. 187.188.166.192:80
  93. 45.33.35.103:8080
  94. 43.229.62.186:8080
  95. 165.227.213.173:8080
  96. 192.155.90.90:7080
  97. 190.117.206.153:443
  98. 185.86.148.222:8080
  99. 187.189.210.143:80
  100. 67.241.81.253:8443
  101. 200.114.142.40:8080
  102. 138.68.139.199:443
  103. 107.159.94.183:8080
  104. 219.94.254.93:8080
  105. 88.97.26.73:50000
  106. 210.2.86.72:8080
  107. 200.90.201.77:80
  108. 71.11.157.249:80
  109. 192.163.199.254:8080
  110. 144.76.117.247:8080
  111. 77.44.16.54:465
  112. 69.163.33.82:8080
  113. 5.9.128.163:8080
  114. 189.225.119.52:990
  115. 109.73.52.242:8080
  116. 181.29.186.65:80
  117. 189.205.185.71:465
  118. 200.28.131.215:443
  119. 181.29.101.13:80
  120. 62.75.143.100:7080
  121. 176.58.93.123:8080
  122. 196.6.112.70:443
  123. 72.47.248.48:8080
  124. 200.107.105.16:465
  125. 23.254.203.51:8080
  126. 89.211.193.18:80
  127. 109.104.79.48:8080
  128. 82.226.163.9:80
  129. 66.209.69.165:443
  130. 197.248.67.226:8080
  131. 213.172.88.13:80
  132. 51.255.50.164:8080
  133. 186.139.160.193:8080
  134. 99.243.127.236:80
  135. 136.49.87.106:80
  136. 139.59.19.157:80
  137. 154.120.228.126:8080
  138. 92.48.118.27:8080
  139. 91.205.215.57:7080
  140. ------------------------------------
  141. Main object- "5n5WY"
  142. url http://rinconadarolandovera.com/calendar/5n5WY/
  143. sha256 e58a81f5bf5b603fd3bcb122830d3d731336fe06662940c2192157bd2064d25f
  144. sha1 267d72153bf611c03545a0b6d7036fb01c3c0df5
  145. md5 1d1b58e935b8a597283472714c1ab5f5
  146. Dropped executable file
  147. sha256 C:\Users\admin\AppData\Local\soundser\soundser.exe e58a81f5bf5b603fd3bcb122830d3d731336fe06662940c2192157bd2064d25f
  148. Connections
  149. ip 187.188.166.192
  150. ip 88.215.2.29
  151. ip 187.137.162.145
  152. ip 65.49.60.163
  153. ip 43.229.62.186
  154. ip 45.33.35.103
  155. ip 165.227.213.173
  156. ip 88.97.26.73
  157. ip 192.155.90.90
  158. ip 190.117.206.153
  159. ip 210.2.86.72
  160. ip 185.86.148.222
  161. ip 77.44.16.54
  162. ip 219.94.254.93
  163. ip 67.241.81.253
  164. ip 187.189.210.143
  165. ip 200.114.142.40
  166. ip 107.159.94.183
  167. ip 200.90.201.77
  168. ip 71.11.157.249
  169. ip 5.9.128.163
  170. ip 109.73.52.242
  171. ip 69.163.33.82
  172. ip 192.163.199.254
  173. ip 144.76.117.247
  174. ip 138.68.139.199
  175. ip 89.211.193.18
  176. ip 189.205.185.71
  177. ip 62.75.143.100
  178. ip 181.29.186.65
  179. ip 176.58.93.123
  180. ip 200.28.131.215
  181. ip 181.29.101.13
  182. ip 189.225.119.52
  183. ip 109.104.79.48
  184. ip 72.47.248.48
  185. ip 92.48.118.27
  186. ip 154.120.228.126
  187. ip 213.172.88.13
  188. ip 200.107.105.16
  189. ip 51.255.50.164
  190. ip 196.6.112.70
  191. ip 82.226.163.9
  192. ip 197.248.67.226
  193. ip 23.254.203.51
  194. ip 136.49.87.106
  195. ip 139.59.19.157
  196. ip 99.243.127.236
  197. ip 186.139.160.193
  198. ip 91.205.215.57
  199. ip 66.209.69.165
  200.  
  201. C2 SERVERS
  202. 187.188.166.192:80
  203. 88.215.2.29:80
  204. 187.137.162.145:443
  205. 65.49.60.163:443
  206. 45.33.35.103:8080
  207. 165.227.213.173:8080
  208. 210.2.86.72:8080
  209. 88.97.26.73:50000
  210. 190.117.206.153:443
  211. 185.86.148.222:8080
  212. 43.229.62.186:8080
  213. 192.155.90.90:7080
  214. 200.114.142.40:8080
  215. 187.189.210.143:80
  216. 138.68.139.199:443
  217. 67.241.81.253:8443
  218. 107.159.94.183:8080
  219. 219.94.254.93:8080
  220. 200.90.201.77:80
  221. 69.163.33.82:8080
  222. 77.44.16.54:465
  223. 192.163.199.254:8080
  224. 144.76.117.247:8080
  225. 71.11.157.249:80
  226. 189.225.119.52:990
  227. 5.9.128.163:8080
  228. 109.73.52.242:8080
  229. 82.226.163.9:80
  230. 89.211.193.18:80
  231. 181.29.101.13:80
  232. 176.58.93.123:8080
  233. 189.205.185.71:465
  234. 62.75.143.100:7080
  235. 109.104.79.48:8080
  236. 181.29.186.65:80
  237. 200.28.131.215:443
  238. 92.48.118.27:8080
  239. 72.47.248.48:8080
  240. 200.107.105.16:465
  241. 154.120.228.126:8080
  242. 196.6.112.70:443
  243. 66.209.69.165:443
  244. 91.205.215.57:7080
  245. 99.243.127.236:80
  246. 197.248.67.226:8080
  247. 139.59.19.157:80
  248. 51.255.50.164:8080
  249. 213.172.88.13:80
  250. 23.254.203.51:8080
  251. 136.49.87.106:80
  252. 186.139.160.193:8080
  253. ---------------------------------
  254. Main object- "heuMx"
  255. url http://gamvrellis.com/MEDIA/heuMx/
  256. sha256 e4efd5db09c1719670e57a54aa8de9ebb6789d5f7a3b60c28c30fe40de429565
  257. sha1 e797e2fc0155e6ed3b860fd30f0eb1367455a6a0
  258. md5 69a5838744d6aa7b8f1d08b6e36d6844
  259. Dropped executable file
  260. sha256 C:\Users\admin\AppData\Local\soundser\soundser.exe e4efd5db09c1719670e57a54aa8de9ebb6789d5f7a3b60c28c30fe40de429565
  261. Connections
  262. ip 187.188.166.192
  263. ip 88.215.2.29
  264. ip 187.137.162.145
  265. ip 65.49.60.163
  266. ip 45.33.35.103
  267. ip 165.227.213.173
  268. ip 43.229.62.186
  269. ip 210.2.86.72
  270. ip 192.155.90.90
  271. ip 185.86.148.222
  272. ip 88.97.26.73
  273. ip 190.117.206.153
  274. ip 187.189.210.143
  275. ip 67.241.81.253
  276. ip 200.114.142.40
  277. ip 138.68.139.199
  278. ip 107.159.94.183
  279. ip 144.76.117.247
  280. ip 219.94.254.93
  281. ip 77.44.16.54
  282. ip 200.90.201.77
  283. ip 71.11.157.249
  284. ip 192.163.199.254
  285. ip 189.225.119.52
  286. ip 69.163.33.82
  287. ip 5.9.128.163
  288. ip 181.29.186.65
  289. ip 109.104.79.48
  290. ip 200.28.131.215
  291. ip 89.211.193.18
  292. ip 109.73.52.242
  293. ip 62.75.143.100
  294. ip 72.47.248.48
  295. ip 200.107.105.16
  296. ip 23.254.203.51
  297. ip 176.58.93.123
  298. ip 154.120.228.126
  299. ip 181.29.101.13
  300. ip 92.48.118.27
  301. ip 82.226.163.9
  302. ip 196.6.112.70
  303. ip 189.205.185.71
  304. ip 66.209.69.165
  305. ip 51.255.50.164
  306. ip 91.205.215.57
  307. ip 99.243.127.236
  308. ip 197.248.67.226
  309. ip 186.139.160.193
  310. ip 213.172.88.13
  311. ip 136.49.87.106
  312. ip 139.59.19.157
  313.  
  314. C2 SERVERS
  315. 45.33.35.103:8080
  316. 187.188.166.192:80
  317. 88.215.2.29:80
  318. 187.137.162.145:443
  319. 65.49.60.163:443
  320. 43.229.62.186:8080
  321. 192.155.90.90:7080
  322. 165.227.213.173:8080
  323. 210.2.86.72:8080
  324. 187.189.210.143:80
  325. 67.241.81.253:8443
  326. 200.114.142.40:8080
  327. 185.86.148.222:8080
  328. 190.117.206.153:443
  329. 88.97.26.73:50000
  330. 77.44.16.54:465
  331. 138.68.139.199:443
  332. 219.94.254.93:8080
  333. 107.159.94.183:8080
  334. 200.90.201.77:80
  335. 71.11.157.249:80
  336. 69.163.33.82:8080
  337. 192.163.199.254:8080
  338. 144.76.117.247:8080
  339. 109.73.52.242:8080
  340. 5.9.128.163:8080
  341. 189.225.119.52:990
  342. 62.75.143.100:7080
  343. 89.211.193.18:80
  344. 200.28.131.215:443
  345. 181.29.186.65:80
  346. 109.104.79.48:8080
  347. 189.205.185.71:465
  348. 82.226.163.9:80
  349. 181.29.101.13:80
  350. 72.47.248.48:8080
  351. 92.48.118.27:8080
  352. 196.6.112.70:443
  353. 176.58.93.123:8080
  354. 200.107.105.16:465
  355. 213.172.88.13:80
  356. 23.254.203.51:8080
  357. 139.59.19.157:80
  358. 197.248.67.226:8080
  359. 51.255.50.164:8080
  360. 154.120.228.126:8080
  361. 66.209.69.165:443
  362. 91.205.215.57:7080
  363. 186.139.160.193:8080
  364. 99.243.127.236:80
  365. 136.49.87.106:80
  366. --------------------------------
  367. Main object- "vOec"
  368. url http://hadrianjonathan.com/floorplans/vOec/
  369. sha256 e4efd5db09c1719670e57a54aa8de9ebb6789d5f7a3b60c28c30fe40de429565
  370. sha1 e797e2fc0155e6ed3b860fd30f0eb1367455a6a0
  371. md5 69a5838744d6aa7b8f1d08b6e36d6844
  372. Dropped executable file
  373. sha256 C:\Users\admin\AppData\Local\soundser\soundser.exe e4efd5db09c1719670e57a54aa8de9ebb6789d5f7a3b60c28c30fe40de429565
  374. Connections
  375. ip 187.188.166.192
  376. ip 88.215.2.29
  377. ip 65.49.60.163
  378. ip 187.137.162.145
  379. ip 45.33.35.103
  380. ip 43.229.62.186
  381. ip 210.2.86.72
  382. ip 165.227.213.173
  383. ip 192.155.90.90
  384. ip 88.97.26.73
  385. ip 185.86.148.222
  386. ip 107.159.94.183
  387. ip 187.189.210.143
  388. ip 200.114.142.40
  389. ip 219.94.254.93
  390. ip 190.117.206.153
  391. ip 138.68.139.199
  392. ip 67.241.81.253
  393. ip 5.9.128.163
  394. ip 69.163.33.82
  395. ip 77.44.16.54
  396. ip 200.90.201.77
  397. ip 109.73.52.242
  398. ip 192.163.199.254
  399. ip 71.11.157.249
  400. ip 144.76.117.247
  401. ip 176.58.93.123
  402. ip 181.29.101.13
  403. ip 89.211.193.18
  404. ip 62.75.143.100
  405. ip 189.225.119.52
  406. ip 200.28.131.215
  407. ip 109.104.79.48
  408. ip 189.205.185.71
  409. ip 181.29.186.65
  410. ip 23.254.203.51
  411. ip 213.172.88.13
  412. ip 51.255.50.164
  413. ip 82.226.163.9
  414. ip 200.107.105.16
  415. ip 92.48.118.27
  416. ip 154.120.228.126
  417. ip 72.47.248.48
  418. ip 196.6.112.70
  419. ip 197.248.67.226
  420. ip 136.49.87.106
  421. ip 139.59.19.157
  422. ip 99.243.127.236
  423. ip 91.205.215.57
  424. ip 186.139.160.193
  425. ip 66.209.69.165
  426.  
  427. C2 SERVERS
  428. 88.215.2.29:80
  429. 187.188.166.192:80
  430. 187.137.162.145:443
  431. 65.49.60.163:443
  432. 45.33.35.103:8080
  433. 43.229.62.186:8080
  434. 165.227.213.173:8080
  435. 210.2.86.72:8080
  436. 192.155.90.90:7080
  437. 190.117.206.153:443
  438. 88.97.26.73:50000
  439. 185.86.148.222:8080
  440. 187.189.210.143:80
  441. 67.241.81.253:8443
  442. 200.114.142.40:8080
  443. 107.159.94.183:8080
  444. 138.68.139.199:443
  445. 219.94.254.93:8080
  446. 200.90.201.77:80
  447. 71.11.157.249:80
  448. 77.44.16.54:465
  449. 189.225.119.52:990
  450. 109.73.52.242:8080
  451. 5.9.128.163:8080
  452. 62.75.143.100:7080
  453. 192.163.199.254:8080
  454. 144.76.117.247:8080
  455. 69.163.33.82:8080
  456. 89.211.193.18:80
  457. 109.104.79.48:8080
  458. 200.28.131.215:443
  459. 181.29.186.65:80
  460. 176.58.93.123:8080
  461. 181.29.101.13:80
  462. 189.205.185.71:465
  463. 196.6.112.70:443
  464. 72.47.248.48:8080
  465. 23.254.203.51:8080
  466. 82.226.163.9:80
  467. 200.107.105.16:465
  468. 92.48.118.27:8080
  469. 154.120.228.126:8080
  470. 197.248.67.226:8080
  471. 139.59.19.157:80
  472. 91.205.215.57:7080
  473. 51.255.50.164:8080
  474. 66.209.69.165:443
  475. 99.243.127.236:80
  476. 213.172.88.13:80
  477. 136.49.87.106:80
  478. 186.139.160.193:8080
  479. -------------------------------------
  480. Main object- "wmGN"
  481. url http://warwickvalleyliving.com/images/wmGN/
  482. sha256 80a087ec36a0a71dc941e8d10c2bffde8aa4892268f3d75af9ebcb2d1b1b7d85
  483. sha1 40a61771b70d55b72723fa08bd461162ca5c1a5a
  484. md5 4bfababf12701adf400d1f89c411a7af
  485. Dropped executable file
  486. sha256 C:\Users\admin\AppData\Local\soundser\soundser.exe 80a087ec36a0a71dc941e8d10c2bffde8aa4892268f3d75af9ebcb2d1b1b7d85
  487. Connections
  488. ip 88.215.2.29
  489. ip 187.188.166.192
  490. ip 65.49.60.163
  491. ip 187.137.162.145
  492. ip 45.33.35.103
  493. ip 43.229.62.186
  494. ip 192.155.90.90
  495. ip 210.2.86.72
  496. ip 165.227.213.173
  497. ip 88.97.26.73
  498. ip 67.241.81.253
  499. ip 187.189.210.143
  500. ip 185.86.148.222
  501. ip 107.159.94.183
  502. ip 77.44.16.54
  503. ip 200.114.142.40
  504. ip 219.94.254.93
  505. ip 138.68.139.199
  506. ip 190.117.206.153
  507. ip 71.11.157.249
  508. ip 192.163.199.254
  509. ip 5.9.128.163
  510. ip 144.76.117.247
  511. ip 69.163.33.82
  512. ip 200.90.201.77
  513. ip 109.73.52.242
  514. ip 89.211.193.18
  515. ip 189.205.185.71
  516. ip 200.28.131.215
  517. ip 181.29.101.13
  518. ip 181.29.186.65
  519. ip 109.104.79.48
  520. ip 62.75.143.100
  521. ip 82.226.163.9
  522. ip 154.120.228.126
  523. ip 196.6.112.70
  524. ip 200.107.105.16
  525. ip 92.48.118.27
  526. ip 23.254.203.51
  527. ip 72.47.248.48
  528. ip 176.58.93.123
  529. ip 189.225.119.52
  530. ip 197.248.67.226
  531. ip 186.139.160.193
  532. ip 213.172.88.13
  533. ip 66.209.69.165
  534. ip 91.205.215.57
  535. ip 99.243.127.236
  536. ip 139.59.19.157
  537. ip 136.49.87.106
  538. ip 51.255.50.164
  539.  
  540. C2 SERVERS
  541. 187.137.162.145:443
  542. 187.188.166.192:80
  543. 88.215.2.29:80
  544. 65.49.60.163:443
  545. 45.33.35.103:8080
  546. 43.229.62.186:8080
  547. 165.227.213.173:8080
  548. 210.2.86.72:8080
  549. 192.155.90.90:7080
  550. 88.97.26.73:50000
  551. 187.189.210.143:80
  552. 185.86.148.222:8080
  553. 190.117.206.153:443
  554. 200.114.142.40:8080
  555. 107.159.94.183:8080
  556. 67.241.81.253:8443
  557. 200.90.201.77:80
  558. 138.68.139.199:443
  559. 219.94.254.93:8080
  560. 77.44.16.54:465
  561. 189.225.119.52:990
  562. 109.73.52.242:8080
  563. 69.163.33.82:8080
  564. 5.9.128.163:8080
  565. 192.163.199.254:8080
  566. 71.11.157.249:80
  567. 144.76.117.247:8080
  568. 181.29.186.65:80
  569. 89.211.193.18:80
  570. 189.205.185.71:465
  571. 109.104.79.48:8080
  572. 62.75.143.100:7080
  573. 200.28.131.215:443
  574. 181.29.101.13:80
  575. 176.58.93.123:8080
  576. 92.48.118.27:8080
  577. 196.6.112.70:443
  578. 82.226.163.9:80
  579. 200.107.105.16:465
  580. 213.172.88.13:80
  581. 51.255.50.164:8080
  582. 197.248.67.226:8080
  583. 154.120.228.126:8080
  584. 23.254.203.51:8080
  585. 72.47.248.48:8080
  586. 139.59.19.157:80
  587. 186.139.160.193:8080
  588. 91.205.215.57:7080
  589. 136.49.87.106:80
  590. 66.209.69.165:443
  591. 99.243.127.236:80