2020-12-28 Emotet IOCs

1. THREAT ATTRIBUTION: EMOTET
2.  
3. CYBERCHEF RECIPE TO GET URLS FROM THE BASE64-ENCODED POWERSHELL SCRIPT
4. ----------------------------------------------------------------------
5. From_Base64('A-Za-z0-9+/=',true)
6. Decode_text('UTF-16LE (1200)')
7. Split('*','\\n')
8. Find_/_Replace({'option':'Simple string','string':'\''},'',true,false,true,false)
9. Find_/_Replace({'option':'Simple string','string':'+'},'',true,false,true,false)
10. Find_/_Replace({'option':'Simple string','string':'('},'',true,false,true,false)
11. Find_/_Replace({'option':'Simple string','string':')'},'',true,false,true,false)
12. Find_/_Replace({'option':'Simple string','string':'`'},'',true,false,true,false)
13. Find_/_Replace({'option':'Simple string','string':'=Y3nkOs'},' ',true,false,true,false)
14. Split('@','\\n')
15. Find_/_Replace({'option':'Simple string','string':']b2[s'},'http',true,false,true,false)
16. Extract_URLs(false)
17.  
18. SENDERS OBSERVED
19. absolutethaicic@seacuisine.com.my
20. admin@talleresinco.arnetbiz.com.ar
21. alibaba.credit@hwaidakhotels.com
22. asistente.contabilidad2@mineracruz.cl
23. barbara@mfsgroup.co.zw
24. compras@agroconsulta.com
25. hcj92@ms59.hinet.net
26. info@dmengineers.co.in
27. invoices@carhubjapan.com
28. jetro_vicente@dt-factory.com
29. jpolmedo@olmedoguerra.com.ar
30. kamranaslam@fm91.com.pk
31. mehmetpolat@onpo.com.tr
32. muhasebe@zumrutparfumeri.com.tr
33. naveed.waheed@dadabhoy.edu.pk
34. pchomba@staffingafrica.com
35. presidente@faa.net
36. reception@amazonfoods.ae
37. recursos_humanos@bluefinrental.net
38. sabeen@rijafashions.com
39. sales@mediamerit.com.ph
40. umit@zagros-group.com
41. vmartha@zopone.com.br
42.  
43. MALDOC DISTRIBUTION URLS
44. http://30sheji.com/ALFA_DATA/ViNCY1lJ3Wnwjp7iGerObGnPkBH7axELaW6e49gAQBIlTsTiOoaj7v4uwvBU/
45. http://acepublicidad.com.mx/forms/Z6NCjUY9hyMtZ/
46. http://agentsambal.com/wp-admin/re2uGmuFzSMStzTiivGffiPkwulC22u0Xs36dl9Ahap9w7nVZC9EC3z/
47. http://anurontv.com/wp-admin/T9zcOGl3UoIksQvCU2kFbBeeutS8lYnG1odLOk7VaSnft1Hwu2J37yLhshRtesY4lj5u/
48. http://axocollege.com/jobs/qfeLlmh8N/
49. http://bethapro.com/cgi-bin/DEfcw7LCaU6TXyvBmBb0YLWSCPfBazlgdinj/
50. http://bsangels.com/tommy-boy-wteclu/mIokEGHGmfhO6oH5rM4PSgsLLqUGkHXY8XstOvGiLxBdFNkDgW969cL/
51. http://calgaryautorepairservice.com/wp-content/OV7CVUSdoDpQ95HG0/
52. http://cashcart.loan/mikes-bikes-laupj/kmst5YJfkMSBb/
53. http://dreamsmattress.in/wordpress/pWZV2PoAbLoa886MvQFjwwmkYLU8e2jd6SE2g4pcY35uiYuy5TSyXnvH/
54. http://drpamelageorge.com/wp-includes/1zILg/
55. http://eixoarquitetura.com.br/content/6ITRO/
56. http://harperwoods-001-site3.btempurl.com/content/bwuy14tezn92b/
57. http://hoofdynamics.com/beretta-m9-eumks/zKIU2WU4uZGXJRnLr6Ya2pHkpeWs5yHsPRt4Raz/
58. http://jdkems.com/admin/LEWwG4e970Smxq2cR6VIE49uwIkoHTBoNTkO5O4n40GqGE9xKgjgZMOUycZ05aB/
59. http://junzhizaixian.com/admin/I9OlacXPqGUPd1RaJC7phteelqqu8hMA3NTQNgZUD1TTRreA2x30sOitTBrRk3EsUtgiA/
60. http://lab.lesh.vn/wp-content/QrOs7dmvQPcqPnViFlSsrQHScPc3fTCT3O5/
61. http://larayochoaclinicadental.com/wp-content/y41qCdCSc5KtcpsqYcKixnwlP8wbqCaD64uJswo4Da5QKttWpbPMFpTfUNqAs/
62. http://localvocal.com/images/xJBgYvtEu6I6s4NPxMziXTExJTWcbu8EYKl08yLMcZRf9GDrgtk1X3YMGt2/
63. http://lukelive.in/dolphin-android-heoth/h7c6d22eiVg7E2SNsrhGDnFgJMbRWXqBd/
64. http://mahaluxmioil.com/content/WfvHvzOsbX5A4np/
65. http://manayradio.com/wp-admin/UyOxy8RA4wpudn/
66. http://matadorfashions.com/dimply/RPRNqXyPA3HuAtv/
67. http://pageshare.net/sales/9LPvv3NJjJdxeSwMiFWUUen6VJyq8rBu5DEgmhUKI19ePRSVBrtahSkU1ZO7/
68. http://priyabeatus.com/iltfjz/lBRkydp3EF3GhZjOStty1gZU7kMVHZIxPmv/
69. http://rubisasphalt.com/wp-includes/MxpRRPiCi6UvDMccFpj/
70. http://sambalmeletup.com/wp-includes/f8PFVlR7WyLU5MEJbp7kNMc0eUz6o7NR098XOQhSeuPjNWeHm60MYcLl8eeDLKw1seuX/
71. http://sancydubai.com/setupconfigo/Xx6cxNI29GeYoT/
72. http://shop.symplyfabrics.com/wp-includes/2DhvKotF1GjDJWWKRi9SiBZJKgxGufqwykSyqplh22lD2Qf0kM5tjOFK5saAiiW8KcREH/
73. http://uduakcharlesdiaries.com.ng/x99-xeon-ubgpi/pyOXS6Wp0pHC0NKhZg0NJwUOnhURnbwF89MDFjXWrkNOsyVC/
74. http://vidyabhartiekalvidyalya.com/ekalvidyalya/XlGhnk9RoNQ98nYU8jhQWasvDWO/
75. http://www.68yuanzhijia.xyz/wp-admin/y2kBcwLEzlkonTYMosCer2GGetZbJqXb0OYBIcPckGbOAgXR7T/
76. http://www.acepublicidad.com.mx/forms/Z6NCjUY9hyMtZ/
77. http://www.alphasierra.wp.appswind.com/v/N3qQqHqvUyPh2DuuVRsDWWAAfT0WiKN29tRd/
78. http://www.christopherenovation.fr/unagility/irrlR5vbltSovMvrifV/
79. https://ancorals.com/aminophenol/1Levh8/
80. https://eytsoft.com/css/ix8JmyjwQW/
81. https://game.vlexor.com/links14/MGoIEcpcszYz24ISTMsHzvtbZhTvhIR1WaFqJZ4zoMP8GGn9Mapk3CSfMmxLf3Ds68g/
82. https://goldilockstraining.com/wp-includes/ZZ7JwKoL9HwxVJRmE6jZRb7jovAws3GL8V2yV4eX025ND6/
83. https://imoblarimoveis.com.br/free-true-e1m7u/RQXBKlswicrhFCbBBvzPnZRfL6dJbL/
84. https://infraheroes.ir/wp-includes/aENaHtyk5BzklYrfdbeiDwHlzlLj2fJEzrFVppNxgH67Ee13u0GHKVkBWMRIPf/
85. https://jada.co.in/z/UkST/
86. https://musickidsprogram.com/wp-includes/KB6YYfwoIjLsh8LVuKXcjPSn/
87. https://thehopstopsd.com/pament/iqtFEGuzD4p6YdXTJ6eFOEzReUAECB8D0l0myVM/
88. https://tonyzhuangxiu.com/suzanne-morphew-lkgid/wiVWiyPprSGCsTH64zBkaBUtJJd6DQHYHwGm2HPcXs0tn9mc/
89. https://www.doodahlabs.com/wp-includes/iCsY1il8/
90.  
91. 30sheji.com
92. 68yuanzhijia.xyz
93. acepublicidad.com.mx
94. agentsambal.com
95. ancorals.com
96. anurontv.com
97. appswind.com
98. axocollege.com
99. bethapro.com
100. bsangels.com
101. btempurl.com
102. calgaryautorepairservice.com
103. cashcart.loan
104. christopherenovation.fr
105. doodahlabs.com
106. dreamsmattress.in
107. drpamelageorge.com
108. eixoarquitetura.com.br
109. eytsoft.com
110. goldilockstraining.com
111. hoofdynamics.com
112. imoblarimoveis.com.br
113. infraheroes.ir
114. jada.co.in
115. jdkems.com
116. junzhizaixian.com
117. larayochoaclinicadental.com
118. lesh.vn
119. localvocal.com
120. lukelive.in
121. mahaluxmioil.com
122. manayradio.com
123. matadorfashions.com
124. musickidsprogram.com
125. pageshare.net
126. priyabeatus.com
127. rubisasphalt.com
128. sambalmeletup.com
129. sancydubai.com
130. symplyfabrics.com
131. thehopstopsd.com
132. tonyzhuangxiu.com
133. uduakcharlesdiaries.com.ng
134. vidyabhartiekalvidyalya.com
135. vlexor.com
136.  
137. DOCUMENT FILE HASHES
138. 11f0e6d911676be87bb5b43d33c94717
139. 1b9d0443c552a24de0491c0affe0ad22
140. 3e55d0d2e89383defa49e63601783a5c
141. 594990cb777d1137e638122e9236b834
142. 7158ec27841dba17b545e32014ca27a6
143. 73be14213d2f6435d2895cd97fd98e4b
144. 9bd2b768124a1d27248c333901d70491
145. b43b3fa97f354aba4843216837dae788
146. cb26af77968809fd82ee154f856d8265
147. edc82c608885dd3270635572cb306923
148. f09ce175d19406185b1c8fc39f219dee
149. f49557e295c2fd54a94cbbcd96c5e6f7
150. fca5166cd1205a42369532d545fb9e26
151.  
152. PAYLOAD FILE HASHES
153. 149c4e3a234892e587b1f7c84fdfd05e
154. 215e89d759deb72118af11350b436e32
155. 4628a82818e759641babda304c0939d2
156. 806a8f90d43d2300a9f16a2d1c296f95
157. df44443e58657effc0b7f0453db582d2
158. e2d23db6cb34e903d89dc85afc32d7ee
159.  
160. EMOTET PAYLOAD URLs
161. http://andeanreach.com/MSInfo/
162. http://dupuisacademy.com/projects/media/Me6bB/
163. http://gadgetbay.com/letsdeal/7o/
164. http://hightimesmarketingandconsulting.com/prediksi-jitu-15vfp/Vr8B/
165. http://indemnity360.com/nsw-highways-yqgdk/j63BIy/
166. http://karsonhomecare.com/wp-includes/Yo/
167. http://new.icfcfilm.com/wp-content/2jMJEJD/
168. http://penambahberatbadan.info/x/inf/
169. http://siitav.net/cuim/data/2/
170. http://tools.apecsoft.asia/application/O/
171. http://www.savedahorses.org/wp-content/xH/
172. https://alabamaballdrop.com/wp-includes/kef1U/
173. https://cashyinvestment.org/wp-content/IH/
174. https://coastlinepoolspa.com/wp-content/S88uK/
175. https://countrynavigator.com/J/
176. https://dr-yasser.com/wordpress/JNS/
177. https://praticideas.net/wp-content/inf/
178. https://qualcommmedia.com/wp-includes-old/rW1/
179. https://secretmassageclub.co.uk/wp-includes/inf/
180. https://travianbot.net/wp-admin/R7/
181.  
182. alabamaballdrop.com
183. andeanreach.com
184. apecsoft.asia
185. cashyinvestment.org
186. coastlinepoolspa.com
187. countrynavigator.com
188. dr-yasser.com
189. dupuisacademy.com
190. gadgetbay.com
191. hightimesmarketingandconsulting.com
192. icfcfilm.com
193. indemnity360.com
194. karsonhomecare.com
195. penambahberatbadan.info
196. praticideas.net
197. qualcommmedia.com
198. savedahorses.org
199. secretmassageclub.co.uk
200. siitav.net
201. travianbot.net
202.  
203. EMOTET C2s
204. http://98.109.133.80
205. http://75.177.207.146
206. http://50.116.111.59:8080
207. http://173.249.20.233:443
208. http://188.165.214.98:8080
209. http://181.165.68.127
210. http://110.145.101.66:443
211. http://74.208.45.104:8080
212. http://118.83.154.64:443
213. http://104.131.11.150:443
214. http://72.188.173.74
215. http://110.145.11.73
216. http://78.189.148.42
217. http://201.241.127.190
218. http://85.105.111.166
219. http://174.118.202.24:443
220. http://72.186.136.247:443
221. http://202.141.243.254:443
222. http://185.201.9.197:8080
223. http://139.99.158.11:443
224. http://79.137.83.50:443
225. http://109.116.245.80
226. http://87.106.139.101:8080
227. http://97.120.3.198
228. http://41.185.28.84:8080
229. http://190.240.194.77:443
230. http://5.39.91.110:7080
231. http://138.68.87.218:443
232. http://78.188.225.105
233. http://119.59.116.21:8080
234. http://61.19.246.238:443
235. http://167.114.153.111:8080
236. http://194.4.58.192:7080
237. http://115.94.207.99:443
238. http://37.139.21.175:8080
239. http://142.112.10.95:20
240. http://173.70.61.180
241. http://89.216.122.92
242. http://100.37.240.62
243. http://24.178.90.49
244. http://172.105.13.66:443
245. http://95.213.236.64:8080
246. http://62.30.7.67:443
247. http://50.91.114.38
248. http://95.9.5.93
249. http://152.170.205.73
250. http://136.244.110.184:8080
251. http://74.128.121.17
252. http://120.150.218.241:443
253. http://72.229.97.235
254. http://190.162.215.233
255. http://161.0.153.60
256. http://94.23.237.171:443
257. http://78.24.219.147:8080
258. http://220.245.198.194
259. http://46.105.131.79:8080
260. http://197.211.245.21
261. http://50.245.107.73:443
262. http://217.20.166.178:7080
263. http://70.183.211.3
264. http://202.134.4.211:8080
265. http://172.125.40.123
266. http://144.217.7.207:7080
267. http://190.29.166.0
268. http://134.209.144.106:443
269. http://194.190.67.75
270. http://201.252.34.3
271. http://178.152.87.96
272. http://47.144.21.37
273. http://2.58.16.89:8080
274. http://168.235.67.138:7080
275. http://203.153.216.189:7080
276. http://185.94.252.104:443
277. http://58.1.242.115
278. http://187.161.206.24
279. http://5.2.212.254
280. http://172.86.188.251:8080
281. http://24.69.65.8:8080
282. http://202.134.4.216:8080
283. http://64.207.182.168:8080
284. http://59.21.235.119
285. http://24.179.13.119
286. http://51.89.36.180:443
287. http://110.145.77.103
288. http://109.74.5.95:8080
289. http://121.124.124.40:7080
290. http://37.187.72.193:8080
291. http://172.104.97.173:8080
292. http://70.180.33.202
293. http://188.219.31.12
294. http://62.171.142.179:8080
295. http://62.75.141.82
296. http://74.40.205.197:443
297. http://200.116.145.225:443
298. http://139.162.60.124:8080
299. http://139.59.60.244:8080
300. http://181.171.209.241:443
301. http://209.141.54.221:7080
302. http://67.170.250.203:443
303. http://157.245.99.39:8080
304. http://70.92.118.112
305. http://120.150.60.189
306. http://176.111.60.55:8080
307. http://123.176.25.234
308. http://49.205.182.134