2021-01-04 Emotet IOCs


THREAT ATTRIBUTION:  EMOTET

CYBERCHEF RECIPE TO GET URLS FROM THE BASE64-ENCODED POWERSHELL SCRIPT
----------------------------------------------------------------------
From_Base64('A-Za-z0-9+/=',true)
Decode_text('UTF-16LE (1200)')
Split('*','\\n')
Find_/_Replace({'option':'Simple string','string':'\''},'',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':'+'},'',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':'('},'',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':')'},'',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':'`'},'',true,false,true,false)
Split('@','\\n')
Find_/_Replace({'option':'Simple string','string':']anw[3'},'http',true,false,true,false)
Extract_URLs(false)


SENDERS OBSERVED
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

MALDOC DISTRIBUTION URLS
http://3daybookformatting.com/content/SkkAKQ5we3MfiCTxukxFFogd6bqIApw5SzwDV1rWDbF28/
http://adsenpai.com/cgi-bin/4CxWDkDjYqktBBgfLVAn3voiIlpc9/
http://beauty.scriptspapa.com/wp-admin/T7wb/
http://bubbawatsongolf.com/_ARCHIVE/1kkkKgOZ0fekTnDr9Y221yQmAabJ8I5yGEFlTawlU5OuJtZyYlUmm9/
http://caglayansurucukursu.com/wp-content/B2kcxf0B1cpk7aN0YDhGn7I/
http://callidora.ru/wp-admin/NM4HwYIL/
http://congdongthammy.net/wordpress/2lve24lJenlDGAur7e/
http://elboutika.tn/wp-admin/9PuT0ta9Gh19xg7I8ZI2y9ejXp8QD4GPedLKr9P5hxGmdQpnK/
http://fbsupermarket.com.wtchevalier.com/wp-content/omwvV2aR/
http://findcloud.id/wp-includes/8JTmzq3FN6z3OBJBdBCfXrdcZl5H7ZxOaOZzfl2H/
http://goodjobssolutions.com/mayo-clinic-nmk5w/WQDXUGGDH1memfhbzQba7kowTEW24A/
http://grafitishoes.com/zohoverify/zdvDi9Prkpn5qTAtW9gRh36yfpF7p4gVjlz1HJMnsVRw1Wrx9QgF45AANmD0fdLtNrRhu/
http://harmonimedia.com/wp-content/uploads/zuoNvq95YjQedNraEBjDzEMEkOZxzQeyUQ/
http://hefzi-pub.com/wp-content/zFg8uS6h4GYmANcO/
http://intrastack.com/ozaibxye/ZYViehfMD8WoCII01mE8Nv2bPkJOAPEsiW11c/
http://kaycee.rgpwheels.com/system/CKiv7wWcK5Df2oiknJGQrAAWQ69Wy7mU9bahOcgSffp679uPMlrUrfO8JJt5N/
http://klaksona2.net/_dump/BUyy0Zaa4VOb1rf8Ff0ABcgsiggRypyXBLFQAmlRXAG/
http://lorlighting.cn/uMj2P1uePs2MPjOflCwGSh4MvDIV72EUmEZkaUoYDOg0VN3FGpeHTOym0XzQfce6kSQ6/
http://martinas-kunsthandwerk.at/wp-includes/0LymJH0nWlfRZxSUf1holYj4enNHEXMerRI/
http://morsel.co.in/wp-includes/Kdq0FHpp8Btxy001szwBZZhy6Q3GSEMnno7OOv/
http://mrveggy.com/resgatecarrinho/jcWVa69vj8IDsQRCud8h6RNI9Mz17JqsPPJ0DFnlbXZGyMM2GcZ3/
http://nuockhoang.giaodien.vn/music-in-hjdnn/0cjbhwlIqxK3QGURHK/
http://ocblife-group.com/prediksi-terpercaya-4xmli/PaF2Gu5h/
http://onmovie.pl/wp-admin/5ZP1Us/
http://shaileshpatel.in/cgi-bin/1W4dZyW6qqIjF5uXRr9lp552s0RGd0T/
http://sigo.sosteniweb.com/admin/ga2gDU9CjPiyhLS0jxU7yiMTsGist7dzzGgvgdbCaQCrwhB/
http://smsys.in/cgi-bin/C9alXFt6xvnrImCyI55WEjF8Fc1odOfu2isl0/
http://spaeservices.com/zl1-427-mlle3/AQb4y66arRx3nnxzlevjljYl0HR2Xtyn3BBfLMQLbXi/
http://syntaxive.tech/revive/DLYODDTN7DLHeGSfdC6sP6bydhiMG4aDolRWIH/
http://talentztech.com/histioid/r4U3A1T/
http://thebestfikrah.com/wp-admin/uFHm8bj5DyJUbNBkPrJM9cEfEfi25LmwQo1LRGcsKav4/
http://union.jctrip.cn/wp-includes/kv5xqyfsYEYMO0Ql9A0hbRefUSjOpfRhlLXhxZ3JGSBlX/
http://wagnerbandeira.com.br/wp-admin/g2UDscMa7GMbMsCGxhHPxQFj0YE9qGWfbs9UID60mV/
http://web-de-login.de/wp-admin/hRgyS0HxxKmD1FSjsggdpbjl1NWH2uCsanHJMtRovh82it0jTi1dIIDnl5PwlJdxQ/
http://www.envirolyteck.hunterville.org/wp-admin/2lIbqOWuixWQIiTgvOVO04hiibMsIX7cUhGdpuBLj4LJWji3qxz9/
http://yy.xn--czrs0t/wp-includes/byovfmVbhLawsuhN/
https://admegmbh.com/facebook-algorithm-jxjz5/tC2c5TkggcHP3vtlMNm1FA22DdtkSxj4Oitb6f6WBQkHQx2/
https://brobeerburger.inform.md/wp-admin/ioabTsdFY/
https://hostinganddomain.us/wp-includes/SVe6Rh6NTjY5FCOAJeGsVTLYd0cFu/
https://lfsroot.com/wp-content/vDuaOltfgBKAgtIkFzIAOedx07hmI7aWk0f5JjW/
https://mrveggy.com/resgatecarrinho/jcWVa69vj8IDsQRCud8h6RNI9Mz17JqsPPJ0DFnlbXZGyMM2GcZ3/
https://ngoctugroup.com/wp-admin/y3zQQDx9FaYb4xx/
https://perfectscentsbyamy.co.uk/yaxche/ijm0FNY0EgCkVBdspiXG2t770x0gbr3Cp3FjfTJ3q5rgxtTYjGd/
https://www.thegreektaxi.com/wp-content/CQy9ThSoTY/

3daybookformatting.com
admegmbh.com
adsenpai.com
bubbawatsongolf.com
caglayansurucukursu.com
callidora.ru
congdongthammy.net
elboutika.tn
findcloud.id
giaodien.vn
goodjobssolutions.com
grafitishoes.com
harmonimedia.com
hefzi-pub.com
hostinganddomain.us
hunterville.org
inform.md
intrastack.com
jctrip.cn
klaksona2.net
lfsroot.com
lorlighting.cn
martinas-kunsthandwerk.at
morsel.co.in
mrveggy.com
ngoctugroup.com
ocblife-group.com
onmovie.pl
perfectscentsbyamy.co.uk
rgpwheels.com
scriptspapa.com
shaileshpatel.in
smsys.in
sosteniweb.com
spaeservices.com
syntaxive.tech
talentztech.com
thebestfikrah.com
thegreektaxi.com
wagnerbandeira.com.br
web-de-login.de
wtchevalier.com
yy.xn--czrs0t

DOCUMENT FILE HASHES
22e3fc629fb48006853f835c8b6c4973
32bf288e61b2a0c9585eb2f3ed54f998
b362e5db4a26fe8fa49294d030099882
db74b33012bff06e61271094c65c333f
eca7b443bdd18089d1e72b2394abfd96
faf2165619d1daa46b0d172147a52541

PAYLOAD FILE HASHES
032ed138c32c20af158e583da0aacb22
0ac3ee201f24fbb1bcc81121929c9971
0df5383e20f720415a744f99bf5d9b00
1be626b2f1d92fa9582ff937ede5398d
1ff0d58dc455a1089ea49c616e47c276
2ddb796a1cc50f5390b937daa2b708b0
3313bc5dc53a5a2a9b4010f60e45500c
509a553e0d37c412056f429f7e096013
59ea441a0aa63057a10ebb391b855151
77ee283da5525ccc5840f6dad95d74c1
8736e7b1eb4afc041c7a0ce4e80ee4b3
91eb537a28914ec23f119c8b6adba812
bbb571a04c13c74efa27ed0e84d2dda5
d608c6782f2551a3ad9d9863140e6c07
df1d2a755a6b31adfb558f8cfe641c4e
f8fe349d11b06f2724afe155020e5f43

EMOTET PAYLOAD URLs
http://anakhita.com/wordpress/Pt/
http://etbnaman.com/wp-admin/V0Sv/
http://etdog.com/wp-content/nu/
http://ezdesigns.net/ALFA_DATA/h/
http://firefightersanta.org/content/1BNtMyv/
http://freelancerwebdesignerhyderabad.com/cgi-bin/S/
http://holonchile.cl/cgi-bin/font/
http://indemnity360.com/nsw-highways-yqgdk/Sys/
http://labasedespatriotes.net/wp-content/tGjE/
http://menol.eu/wp/mT/
http://norailya.com/drupal/n0uJoiR/
http://spovahealth.com/z/Vb/
http://the-ly.com/wp-admin/8/
http://ultimatesoftwarenet.com/wp-content/6rXDH9/
http://wm.mcdevelop.net/content/6F2gd/
http://www.bifangting.com/wp-content/f/
http://www.lapcare.com/wp-content/9fotgty/
http://www.mt4-ea.vip/sys-cache/62y7sA/
http://www.sinclair-electrical.com/wp-includes/np/
http://www.stmarouns.nsw.edu.au/paypal/b8G/
http://yisankeji.site/content/2uPjX/
http://youyouwj.com/b/HW/
https://admintk.com/wp-admin/L/
https://dayimachine.com/automator-mouse-xoq9e/aY9/
https://doctorww.com/22-hp-ak4yp/LRWLZ2/
https://elaheanahita.org/a/sbzLscs/
https://etkindedektiflik.com/pcie-speed/Engines/
https://ibelieveonline.org/wp-content/FvSP7/
https://mikegeerinck.com/c/YYsa/
https://mozzo.app/fitbit-charge-nefsx/oBgnw/
https://praticideas.net/wp-content/en-US/
https://ummahstars.com/app_old_may_2018/assets/Help/
https://whytech.info/wp-includes/oa/
https://www.hintup.com.br/wp-content/dE/

admintk.com
anakhita.com
bifangting.com
dayimachine.com
doctorww.com
elaheanahita.org
etbnaman.com
etdog.com
etkindedektiflik.com
ezdesigns.net
firefightersanta.org
freelancerwebdesignerhyderabad.com
hintup.com.br
holonchile.cl
ibelieveonline.org
indemnity360.com
labasedespatriotes.net
lapcare.com
mcdevelop.net
menol.eu
mikegeerinck.com
mozzo.app
mt4-ea.vip
norailya.com
praticideas.net
sinclair-electrical.com
spovahealth.com
stmarouns.nsw.edu.au
the-ly.com
ultimatesoftwarenet.com
ummahstars.com
whytech.info
yisankeji.site
youyouwj.com

EMOTET C2s
http://90.160.138.175
http://74.222.117.42
http://157.245.123.197:8080
http://50.116.111.59:8080
http://173.249.20.233:443
http://200.116.145.225:443
http://142.112.10.95:20
http://87.106.139.101:8080
http://173.70.61.180
http://75.177.207.146
http://121.124.124.40:7080
http://98.109.133.80
http://37.187.72.193:8080
http://74.40.205.197:443
http://220.245.198.194
http://197.211.245.21
http://123.176.25.234
http://194.190.67.75
http://78.188.225.105
http://217.20.166.178:7080
http://49.205.182.134
http://79.137.83.50:443
http://50.91.114.38
http://62.171.142.179:8080
http://119.59.116.21:8080
http://75.109.111.18
http://24.179.13.119
http://120.150.60.189
http://24.69.65.8:8080
http://185.201.9.197:8080
http://154.0.8.2:443
http://118.83.154.64:443
http://161.0.153.60
http://61.19.246.238:443
http://100.37.240.62
http://66.57.108.14:443
http://144.217.7.207:7080
http://181.165.68.127
http://174.118.202.24:443
http://188.219.31.12
http://89.106.251.163
http://104.131.11.150:443
http://181.171.209.241:443
http://178.152.87.96
http://89.216.122.92
http://172.125.40.123
http://47.144.21.37
http://185.94.252.104:443
http://139.59.60.244:8080
http://24.231.88.85
http://190.240.194.77:443
http://190.29.166.0
http://194.4.58.192:7080
http://138.68.87.218:443
http://187.161.206.24
http://78.189.148.42
http://74.128.121.17
http://75.188.107.174
http://202.141.243.254:443
http://59.21.235.119
http://62.30.7.67:443
http://5.2.212.254
http://134.209.144.106:443
http://110.145.11.73
http://139.162.60.124:8080
http://95.213.236.64:8080
http://51.89.36.180:443
http://41.185.28.84:8080
http://168.235.67.138:7080
http://203.153.216.189:7080
http://93.146.48.84
http://94.23.237.171:443
http://74.208.45.104:8080
http://5.39.91.110:7080
http://172.105.13.66:443
http://109.74.5.95:8080
http://115.94.207.99:443
http://78.24.219.147:8080
http://70.92.118.112
http://37.139.21.175:8080
http://24.178.90.49
http://62.75.141.82
http://188.165.214.98:8080
http://84.232.252.202:443
http://74.58.215.226
http://109.116.245.80
http://64.207.182.168:8080
http://110.145.101.66:443
http://136.244.110.184:8080
http://202.134.4.216:8080
http://2.58.16.89:8080
http://95.9.5.93
http://172.104.97.173:8080
http://172.86.188.251:8080
http://167.114.153.111:8080
http://176.111.60.55:8080
http://202.134.4.211:8080
http://67.170.250.203:443
http://46.105.131.79:8080
http://70.183.211.3
http://139.99.158.11:443
http://24.164.79.147:8080
http://85.105.111.166
http://157.245.99.39:8080
http://201.241.127.190
http://97.120.3.198
http://50.245.107.73:443

http://125.0.215.60
http://163.53.204.180:443
http://89.163.210.141:8080
http://203.157.152.9:7080
http://157.245.145.87:443
http://82.78.179.117:443
http://85.247.144.202
http://37.46.129.215:8080
http://110.37.224.243
http://192.210.217.94:8080
http://2.82.75.215
http://69.159.11.38:443
http://188.166.220.180:7080
http://103.93.220.182
http://198.20.228.9:8080
http://91.75.75.46
http://88.247.30.64
http://189.211.214.19:443
http://203.160.167.243
http://178.33.167.120:8080
http://178.254.36.182:8080
http://70.32.89.105:8080
http://103.80.51.61:8080
http://54.38.143.245:8080
http://113.203.238.130
http://50.116.78.109:8080
http://195.201.56.70:8080
http://109.99.146.210:8080
http://75.127.14.170:8080
http://172.193.14.201
http://203.56.191.129:8080
http://157.7.164.178:8081
http://46.32.229.152:8080
http://78.90.78.210
http://116.202.10.123:8080
http://189.34.18.252:8080
http://114.158.126.84
http://201.193.160.196
http://79.133.6.236:8080
http://202.29.237.113:8080
http://203.153.216.178:7080
http://172.96.190.154:8080
http://74.208.173.91:8080
http://139.59.61.215:443
http://117.2.139.117:443
http://24.230.124.78
http://5.83.32.101
http://139.5.101.203
http://8.4.9.137:8080
http://120.51.34.254
http://188.226.165.170:8080
http://91.83.93.103:443
http://183.91.3.63
http://192.241.220.183:8080
http://190.18.184.113
http://2.58.16.86:8080
http://5.79.70.250:8080
http://113.161.176.235
http://46.105.131.68:8080
http://223.17.215.76
http://186.146.229.172
http://186.96.170.61
http://121.117.147.153:443
http://192.163.221.191:8080
http://139.59.12.63:8080
http://115.79.195.246
http://172.104.46.84:8080
http://180.52.66.193
http://185.208.226.142:8080
http://152.32.75.74:443
http://143.95.101.72:8080
http://47.150.238.196
http://201.212.201.127:8080
http://190.85.46.52:7080
http://182.73.7.59:8080
http://178.62.254.156:8080
http://195.159.28.244:8080
http://103.229.73.17:8080
http://103.124.152.221
http://180.148.4.130:8080
http://60.108.128.186
http://110.172.180.180:8080
http://162.144.145.58:8080
http://37.205.9.252:7080
http://185.142.236.163:443
http://27.78.27.110:443
http://58.27.215.3:8080
http://125.0.215.60