IOC Emotet: 01/06/2018

1. [*] Dropper pattern:
2. (FACT |Facture-(impayee-)?)(Nr\. |#)?[-0-9T]{4,15}\.doc
3.  
4.  
5. [*] Host contacted to download paypload:
6. hxxp://alicicek.com.tr/9DK4OC/
7. hxxp://jpol.com/li8CyWi/
8. hxxp://foodstyle.de/kNKqO/
9. hxxps://silke-steinle.de/2hAuu3/
10. hxxp://charcalla.com/BjmQyaB/
11. hxxp://intrigueweb.com/iQV6A/
12. hxxp://provanet.co.jp/u6CdB/
13. hxxp://marugin.net/KexaQ/
14. hxxp://intrigueweb.com/iQV6A/
15. hxxp://provanet.co.jp/u6CdB/
16. hxxp://marugin.net/KexaQ/
17. hxxp://tulpconsult.nl/EMwiS/
18. hxxp://tudointernet.com.br/6YXeSb/
19.  
20. [*] Payload downloaded:
21. https://www.virustotal.com/en/file/1b6b800646f9c3412bb10bf7703d4713874bc634c21e8ec2460a667c5a71c8d1/analysis/
22. https://www.virustotal.com/en/file/85511c4588ce3b2fed557b17364471cf132cfaaa441f75b28604165af29913ee/analysis/
23.  
24. [*] C&C contacted by the payload:
25. 24.217.117.217
26. 37.59.51.53:8080
27. 72.52.216.110:8080
28. 149.62.173.247:8080
29. 50.84.95.206
30. 106.187.91.235:8080
31. 203.198.129.4:8080
32. 89.186.26.179:8080
33.  
34. [*] User-agent used by the payload to contact the C&C:
35. mozilla/4.0 (compatible; msie 7.0; windows nt 6.1; wow64; trident/7.0; slcc2; .net clr 2.0.50727; .net clr 3.5.30729; .net clr 3.0.30729; infopath.3; .net4.0c; .net4.0e)