## Emotet Malware IOCs for 01/09/20 as of 01/09/20 19:15 EST ##
*Notes and Credits at the bottom.* Follow us on Twitter @cryptolaemus1 for more updates.
#### SHA256s for Epoch 1 Loader EXEs ####
#### SHA256s for Epoch 2 Loader EXEs ####
#### SHA256s for Epoch 3 Loader EXEs ####
### C2s Per Epoch ###
#### Epoch 1 C2s ####
#### Epoch 1 - Spam C2s ####
```
not active
```
#### Epoch 1 - Stealer C2s ####
```
51.159.23.217:443
190.115.18.139:8080
162.144.119.110:8080
```
#### Current Epoch 1 RSA Public Key ####
```
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOmlscqbEIhLjVsj9r3eYacKi6C+Qrua
j5TlU+pn3zc0k06qCoahFXBBGnYMotHQc6OwfBKwHWm831LIVg29kEjT8UYxnN5v
fzNGgqXTe25QARf78CsQqqN/ImKdXo+GFwIDAQAB
```
#### Epoch 2 C2s ####
#### Epoch 2 - Spam C2s ####
```
not active
```
#### Epoch 2 - Stealer C2s ####
```
168.235.67.138:8080
139.162.183.41:443
46.101.7.140:8080
```
#### Current Epoch 2 RSA Public Key ####
```
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKl4M80uy0jcxUiFIaJJyxgHVVnFtCq6
bi6f2xXPh/XUZNyN8UXDe5HzhTc4kwon9MBZffNwFOIc61QfV3K3YzEI/ktcyNqK
LS67ONxsVep769QdiVQJXrIaFjMXKz6viwIDAQAB
```
#### Epoch 3 C2s ####
#### Epoch 3 - Spam C2s ####
```
not active
```
#### Epoch 3 - Stealer C2s ####
```
198.46.150.196:7080
178.32.255.133:443
178.63.78.150:8080
```
#### Current Epoch 3 RSA Public Key ####
```
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMqZMACZDzcRXuSnj2OI8LeIYKrbUIXL
faUgIJPwYd305HnaBS2AfA0R+oPxT32r+3BbayI3KguqAn3E+rbwtLhqhOXOlTnY
7yvG4ufmwCCkRzc6Sq8baToxmd6y523AIQIDAQAB
```
#### Credits ####
```
Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:
Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161
C2 info/RSA Keys - @CapeSandbox, @unixronin, @devnullnoop, @MalwareTechBlog, @lazyactivist192, @papa_anniekey, @Paladin3161,
@executemalware, @luc4m, @SecSome
Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @p5yb34m, @malware_traffic, @Paladin3161, @ps66uk,
@bomccss, @reecdeep, @CholeVallabh, @papa_anniekey, @JAMESWT_MHT, @executemalware, @SecSome, Anonymous :)
Spam Templates - @devnullnoop, @lazyactivist192, Anonymous :)
Special thanks to @lazyactivist192, @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/
infrastructure and helping out with this!
Very special thanks to @Binary_Defense, @lazyactivist192, @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project
https://github.com/decalage2/ViperMonkey, @digitalocean, @mploessel, @anyrun_app, @unixronin, @hurricanelabs, @MalwareTechBlog,
@KryptosLogic, @0xtadavie, @MsftSecIntel, @abuse_ch/urlhaus.abuse.ch, @urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal
for providing services/software at no charge to this cause!
```
### Daily Log 01/09/20 ###
```
This report was gathered by @ps66uk and @jroosen.
@JRoosen here - Ivan is still on break and not actively spamming at all. However, it looks like Yuri the intern left us a gift of
some C2 changes yesterday midday. I noticed them today and I am pushing this out for you all to get the latest data.
```
#### General News ####
```
Not too much going on out there in the news other than a lot of old recycled stories.
@pollo290987 posted a graphic concerning the flavors of Emotet out there and the attack chains for the ransomware they lead to:
https://twitter.com/pollo290987/status/1214596853771227137
@VK_Intel posted the new Sentinel Labs PowerTrick blog with H/T to @sysopfb and Joshua Platt:
https://twitter.com/VK_Intel/status/1215265399719243776
While this is not directly #Emotet related, this is important because of how closely Emotet and Trickbot have been related in
the past year or so. I would not be surprised to see gtag morxx dropping this PowerTrick fileless tool to then drop the Trickbot
Anchor Bot in an infection landscape.
```
#### Loader Report ####
```
The Payloads and C2 reports have been combined into this section, which is now known as the Loader Report.
_____________
Reminder:
EXE naming convention changed 2019/11/14. The new names will be 2 of any of the following list of words:
texas,func,deploy,run,leel,stuck,def,print,hal,monthly,pdf,char,netsh,memo,trns,rds,maker,more,textto,
chunker,mailbox,compon,shades,scan,non,wsat,speed,publish,manual,hant,inbox,malert,zap,fill,angle,wrap,
boost,cors,iplk,sitka,wow,prints,acquire,wiz,smo,footer,attrib,group,appid,xcl,sensor,methods,ipmi,raw,
title,nic,ias,lua,dispid,special,serial,wsa,tcg,msp
______________
C2 Deltas:
E1 now 127 combos, was 119 for a net +8
E2 now 119 combos, was 108 for a net +11
E3 now 127 combos, was 124 for a net +3
About 50% new again and now going back up to the max of 127. Looks like maybe Ivan got some new C2s and had Yuri push them out to
keep the count near the max for all 3 botnets. We are also seeing updates to the loaders on C2 at a rate of 4 per day vs 1-2 when
Ivan first went on break. Perhaps this is another clue they are getting ready to come back soon. This data was also pushed out to
Feodotracker @abuse.ch.
---
E1
Dropped:
159.203.204.126:8080
217.199.160.224:8080
110.170.65.146:80
73.60.8.210:80
87.106.46.107:8080
190.17.44.48:80
Added:
76.31.115.125:80
181.30.61.163:80
181.30.61.163:443
103.31.232.93:80
94.177.183.28:8080
159.65.241.220:8080
181.29.101.13:8080
89.32.150.160:8080
186.15.52.123:80
81.213.78.151:443
89.211.114.203:80
204.225.249.100:7080
185.94.252.12:80
85.105.241.192:80
---
E2
Dropped:
24.181.125.62:80
174.77.190.137:8080
190.162.159.212:80
Added:
24.164.79.147:8080
190.117.126.169:80
221.165.123.72:80
37.187.72.193:8080
98.174.166.205:80
110.36.217.66:8080
27.109.153.201:8090
46.105.131.69:443
37.139.21.175:8080
190.146.205.227:8080
---
E3
Dropped:
86.108.77.73:443
168.235.82.183:8080
203.153.216.178:7080
186.177.174.163:80
51.77.113.97:8080
78.46.87.133:8080
51.38.134.203:8080
172.104.70.207:8080
Added:
41.215.79.182:80
70.45.30.28:80
183.91.3.63:80
143.95.101.72:8080
106.248.79.174:80
37.210.208.141:80
183.82.123.60:443
80.211.32.88:8080
50.63.13.135:8080
185.207.57.205:443
125.209.114.180:443
```
#### Closing ####
```
REMINDER:
Now is the time to block/alarm on these C2 IPs above to see if you can find Ivan's foothold in your network. Blocking them stops
any bots on your network from updating to deploy other malware like Trickbot. It also will stop spamming when they start back up.
We have been thinking they will come back later this month during the week of the 13th or 21st. So get ready.
```
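The reminder above asks defenders to block or alarm on the listed C2 ip:port pairs. As an added example (not part of the Cryptolaemus report), the Python below parses a report excerpt written in this page's layout (section heading, then a fenced list of ip:port lines) into per-epoch sets and checks constructed firewall log lines against them; the excerpt's addresses are RFC 5737 documentation ranges and the `dst=`/`dport=` log format is an assumption.

```python
import re
FENCE = "`" * 3
# Constructed excerpt in the report's layout; RFC 5737 addresses, not the page's indicators.
REPORT = """\
#### Epoch 1 C2s ####
~~~
192.0.2.10:8080
192.0.2.11:443
~~~
#### Epoch 2 C2s ####
~~~
198.51.100.7:80
~~~
""".replace("~~~", FENCE)

HEADING = re.compile(r"^#+\s*(.*?)\s*#*$")
ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
LOG_DST = re.compile(r"dst=(\S+)\s+dport=(\d+)")  # assumed key=value firewall log format
# Constructed firewall log lines; the first and third reach listed C2 endpoints.
SAMPLE_LOGS = [
    "2020-01-09T14:02:11Z src=10.0.0.5 dst=192.0.2.10 dport=8080 action=allow",
    "2020-01-09T14:02:15Z src=10.0.0.9 dst=203.0.113.4 dport=443 action=allow",
    "2020-01-09T14:03:40Z src=10.0.0.5 dst=198.51.100.7 dport=80 action=allow",
]


def parse_report(text):
    """Map each section heading to the set of (ip, port) pairs fenced under it."""
    sections, current, in_fence = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if line == FENCE:
            in_fence = not in_fence
        elif not in_fence and (m := HEADING.match(line)):
            current = m.group(1)
            sections.setdefault(current, set())
        elif in_fence and current is not None and (m := ENDPOINT.match(line)):
            ip, port = m.groups()
            sections[current].add((ip, int(port)))  # keep the port: 80, 443 and 8080 differ
    return sections


def find_c2_hits(log_lines, sections):
    """Return (line_no, section, 'ip:port') for every log line to a listed C2."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_DST.search(line)
        if m:
            ep = (m.group(1), int(m.group(2)))
            hits += [(n, s, "%s:%d" % ep) for s, eps in sections.items() if ep in eps]
    return hits
```

Matching on the full ip:port pair rather than the address alone keeps a shared host that is listed only on one port from alerting on unrelated traffic.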
#### Sandbox 01/09/20 ####
```
E1
https://capesandbox.com/analysis/10483/
E2
https://capesandbox.com/analysis/10484/
E3
https://capesandbox.com/analysis/10485/
```