G0dR4p3

Emotet_Feodo_iOCs_18-01-2019

Jan 18th, 2019
#Emotet #Feodo #Banking #Trojan
-------------------------------------
18-01-2019 C2 + IOCs
-------------------------------------
**DOCUMENT**
-------------------------------------
Main object- "d0f796359a8146d55f6bfd2aa62e36b89902e7ebf605df036fcab67f16ee665d.bin.gz"
sha256 4db3093157a9bc13987fced400c5a6bf18ef8f8545b341ca23dc90232b8e82b4
sha1 c70a0df0e4987f8a6d4b1e58097ccaf9313525b6
md5 e3d2a98cf70fa4412457cf57c35f3a95
DNS requests
domain bouresmau-gsf.com
domain demos.technoexam.com
domain livingdivineprinciple.org
domain antidisciplinary.org
domain uttechsystem.com
Connections
ip 108.167.146.36
ip 192.254.185.2
ip 27.254.86.9
ip 87.98.154.146
ip 85.17.254.22
HTTP/HTTPS requests
url http://bouresmau-gsf.com/ZhPZMfOo
url http://demos.technoexam.com/C1CpwolKHv
url http://livingdivineprinciple.org/xTV5cGLcz2
url http://uttechsystem.com/ZzO90Kh
url http://antidisciplinary.org/QvzhhXf
---------------------------------------------
**PAYLOADS**
---------------------------------------------
Note: the three payload URLs below all served the same binary (identical sha256/sha1/md5); the C2 lists differ only in ordering and in a few addresses.
Main object- "ZhPZMfOo"
url http://bouresmau-gsf.com/ZhPZMfOo
sha256 91e0624b7c57b11767745a27b9a950158497a95af7abb8a77c5a040e784aaf15
sha1 cb5d6e3faab8f7dfe8cec502f9b551a706846dd7
md5 8129fcdde29f8381077b6a80e2957a84
Connections
ip 116.240.3.27
ip 109.104.79.48
ip 133.242.208.183
ip 138.68.139.199
ip 144.76.117.247
ip 159.65.76.245
ip 165.227.213.173
ip 181.167.49.76
ip 185.38.216.84
ip 181.211.11.171
ip 185.86.148.222
ip 181.45.45.132
ip 181.54.202.80
ip 186.129.174.150
ip 189.250.100.248
ip 187.192.133.210
ip 189.159.119.242
ip 189.190.40.163
ip 189.173.4.161
ip 190.55.123.250
ip 190.25.255.98
ip 192.155.90.90
ip 190.195.169.170
ip 200.43.114.10
ip 190.190.101.38
ip 200.86.246.50
ip 216.252.83.23
ip 210.19.41.87
ip 200.83.21.5
ip 201.103.81.129
ip 210.2.86.72
ip 201.231.70.72
ip 31.53.229.122
ip 5.9.128.163
ip 69.158.10.125
ip 24.222.22.58
ip 45.73.27.218
ip 23.254.203.51
ip 49.212.135.76
ip 31.193.130.187
ip 219.94.254.93
ip 80.12.84.86
ip 79.98.31.206
ip 72.47.248.48
ip 95.9.248.89
ip 92.48.118.27
ip 69.163.33.82
HTTP/HTTPS requests
url http://190.55.123.250/
url http://200.43.114.10:8080/
url http://189.159.119.242:22/
url http://201.103.81.129/
url http://189.250.100.248:465/
url http://186.129.174.150:8080/
url http://189.173.4.161:995/
url http://72.47.248.48:8080/
url http://69.163.33.82:8080/
url http://95.9.248.89/
url http://24.222.22.58:990/
url http://185.38.216.84/
url http://69.158.10.125:50000/
url http://109.104.79.48:8080/
url http://159.65.76.245:443/
url http://45.73.27.218/
url http://31.193.130.187:443/
url http://187.192.133.210:53/
url http://210.2.86.72:8080/
url http://201.231.70.72/
url http://189.190.40.163:990/
url http://144.76.117.247:8080/
url http://190.190.101.38:443/
url http://116.240.3.27:443/
url http://200.83.21.5/
url http://23.254.203.51:8080/
url http://192.155.90.90:7080/
url http://181.54.202.80:443/
url http://219.94.254.93:8080/
url http://190.25.255.98:465/
url http://185.86.148.222:8080/
url http://216.252.83.23:20/
url http://190.195.169.170:20/
url http://210.19.41.87:50000/
url http://31.53.229.122:8090/
url http://80.12.84.86:8080/
url http://181.45.45.132:8443/
url http://49.212.135.76:443/
url http://92.48.118.27:8080/
url http://165.227.213.173:8080/
url http://138.68.139.199:443/
url http://181.211.11.171:443/
url http://181.167.49.76/
url http://200.86.246.50:20/
url http://5.9.128.163:8080/
url http://133.242.208.183:8080/
url http://79.98.31.206:443/
----------------------------------------
Main object- "C1CpwolKHv"
url http://demos.technoexam.com/C1CpwolKHv
sha256 91e0624b7c57b11767745a27b9a950158497a95af7abb8a77c5a040e784aaf15
sha1 cb5d6e3faab8f7dfe8cec502f9b551a706846dd7
md5 8129fcdde29f8381077b6a80e2957a84
Connections
ip 116.240.3.27
ip 109.104.79.48
ip 144.76.117.247
ip 165.227.213.173
ip 159.65.76.245
ip 185.38.216.84
ip 181.45.45.132
ip 181.54.202.80
ip 185.86.148.222
ip 189.173.4.161
ip 186.129.174.150
ip 189.159.119.242
ip 189.190.40.163
ip 187.192.133.210
ip 190.55.123.250
ip 190.25.255.98
ip 190.195.169.170
ip 189.250.100.248
ip 190.190.101.38
ip 192.155.90.90
ip 201.103.81.129
ip 210.2.86.72
ip 200.83.21.5
ip 200.43.114.10
ip 216.252.83.23
ip 201.231.70.72
ip 210.19.41.87
ip 23.254.203.51
ip 69.158.10.125
ip 219.94.254.93
ip 31.193.130.187
ip 49.212.135.76
ip 45.73.27.218
ip 31.53.229.122
ip 24.222.22.58
ip 72.47.248.48
ip 69.163.33.82
ip 92.48.118.27
ip 95.9.248.89
HTTP/HTTPS requests
url http://190.55.123.250/
url http://200.43.114.10:8080/
url http://189.159.119.242:22/
url http://201.103.81.129/
url http://189.250.100.248:465/
url http://186.129.174.150:8080/
url http://189.173.4.161:995/
url http://72.47.248.48:8080/
url http://69.163.33.82:8080/
url http://185.38.216.84/
url http://95.9.248.89/
url http://69.158.10.125:50000/
url http://109.104.79.48:8080/
url http://45.73.27.218/
url http://159.65.76.245:443/
url http://24.222.22.58:990/
url http://31.193.130.187:443/
url http://187.192.133.210:53/
url http://210.2.86.72:8080/
url http://144.76.117.247:8080/
url http://201.231.70.72/
url http://181.54.202.80:443/
url http://190.190.101.38:443/
url http://200.83.21.5/
url http://189.190.40.163:990/
url http://23.254.203.51:8080/
url http://192.155.90.90:7080/
url http://216.252.83.23:20/
url http://190.25.255.98:465/
url http://116.240.3.27:443/
url http://185.86.148.222:8080/
url http://219.94.254.93:8080/
url http://190.195.169.170:20/
url http://31.53.229.122:8090/
url http://49.212.135.76:443/
url http://165.227.213.173:8080/
url http://92.48.118.27:8080/
url http://210.19.41.87:50000/
url http://181.45.45.132:8443/
-------------------------------------------
Main object- "QvzhhXf"
url http://antidisciplinary.org/QvzhhXf
sha256 91e0624b7c57b11767745a27b9a950158497a95af7abb8a77c5a040e784aaf15
sha1 cb5d6e3faab8f7dfe8cec502f9b551a706846dd7
md5 8129fcdde29f8381077b6a80e2957a84
Connections
ip 116.240.3.27
ip 109.104.79.48
ip 159.65.76.245
ip 144.76.117.247
ip 165.227.213.173
ip 181.45.45.132
ip 185.86.148.222
ip 185.38.216.84
ip 181.54.202.80
ip 189.190.40.163
ip 186.129.174.150
ip 189.173.4.161
ip 189.159.119.242
ip 187.192.133.210
ip 190.25.255.98
ip 189.250.100.248
ip 190.55.123.250
ip 190.190.101.38
ip 190.195.169.170
ip 192.155.90.90
ip 210.2.86.72
ip 201.103.81.129
ip 200.83.21.5
ip 200.43.114.10
ip 216.252.83.23
ip 201.231.70.72
ip 210.19.41.87
ip 49.212.135.76
ip 69.158.10.125
ip 45.73.27.218
ip 219.94.254.93
ip 31.53.229.122
ip 31.193.130.187
ip 23.254.203.51
ip 24.222.22.58
ip 92.48.118.27
ip 95.9.248.89
ip 72.47.248.48
ip 69.163.33.82
HTTP/HTTPS requests
url http://190.55.123.250/
url http://200.43.114.10:8080/
url http://189.159.119.242:22/
url http://201.103.81.129/
url http://189.250.100.248:465/
url http://186.129.174.150:8080/
url http://189.173.4.161:995/
url http://72.47.248.48:8080/
url http://69.163.33.82:8080/
url http://185.38.216.84/
url http://95.9.248.89/
url http://69.158.10.125:50000/
url http://109.104.79.48:8080/
url http://31.193.130.187:443/
url http://159.65.76.245:443/
url http://45.73.27.218/
url http://24.222.22.58:990/
url http://210.2.86.72:8080/
url http://144.76.117.247:8080/
url http://181.54.202.80:443/
url http://187.192.133.210:53/
url http://201.231.70.72/
url http://192.155.90.90:7080/
url http://189.190.40.163:990/
url http://190.190.101.38:443/
url http://200.83.21.5/
url http://23.254.203.51:8080/
url http://185.86.148.222:8080/
url http://116.240.3.27:443/
url http://216.252.83.23:20/
url http://190.25.255.98:465/
url http://219.94.254.93:8080/
url http://210.19.41.87:50000/
url http://190.195.169.170:20/
url http://49.212.135.76:443/
url http://31.53.229.122:8090/
url http://165.227.213.173:8080/
url http://181.45.45.132:8443/
url http://92.48.118.27:8080/
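The list above is in a flat "<type> <value>" format grouped under 'Main object- "<name>"' headers, and two details matter when ingesting it: the three payload drops are one binary (same hashes under three URLs), and the Emotet tier-1 C2 is addressed by IP and port, recorded here as http:// URLs even on ports such as 22, 53, 465 or 995. The script below is an added example, not part of the paste or its author's tooling: it parses the paste format (rejecting truncated hashes and malformed addresses rather than ingesting them into a blocklist), reports hashes shared across sections, derives (ip, port) C2 endpoints from the URL indicators, and checks constructed proxy log lines against them. The IOC excerpt is abbreviated from the paste above; the log lines, their field layout and the client addresses are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Paste conventions: 'Main object- "<name>"' opens a section; indicators are '<type> <value>'.
SECTION = re.compile(r'^Main object-\s*"([^"]+)"$')
IOC_LINE = re.compile(r"^(domain|ip|url|sha256|sha1|md5)\s+(\S+)$")
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4 = re.compile(rf"{OCTET}(?:\.{OCTET}){{3}}")  # the paste's C2 list is IPv4 only
HOSTPORT = re.compile(rf"^({IPV4.pattern})(?::(\d+))?$")

# Abbreviated excerpt of the paste above, in its own format (the values are the paste's).
SAMPLE_IOC_TEXT = """\
Main object- "d0f796359a8146d55f6bfd2aa62e36b89902e7ebf605df036fcab67f16ee665d.bin.gz"
sha256 4db3093157a9bc13987fced400c5a6bf18ef8f8545b341ca23dc90232b8e82b4
domain bouresmau-gsf.com
domain demos.technoexam.com
url http://bouresmau-gsf.com/ZhPZMfOo
url http://demos.technoexam.com/C1CpwolKHv
**PAYLOADS**
Main object- "ZhPZMfOo"
sha256 91e0624b7c57b11767745a27b9a950158497a95af7abb8a77c5a040e784aaf15
ip 190.55.123.250
ip 200.43.114.10
ip 189.159.119.242
url http://190.55.123.250/
url http://200.43.114.10:8080/
url http://189.159.119.242:22/
Main object- "C1CpwolKHv"
sha256 91e0624b7c57b11767745a27b9a950158497a95af7abb8a77c5a040e784aaf15
ip 190.55.123.250
"""

# Constructed proxy log lines (not from the paste): time, client, method, destination, status.
SAMPLE_LOGS = [
    "2019-01-18T09:41:02Z 10.1.2.33 GET http://bouresmau-gsf.com/ZhPZMfOo 200",
    "2019-01-18T09:43:51Z 10.1.2.33 CONNECT 189.159.119.242:22 200",
    "2019-01-18T09:44:07Z 10.1.2.35 CONNECT 190.55.123.250:443 200",
    "2019-01-18T09:45:30Z 10.1.2.36 GET http://demos.technoexam.com/other.html 200",
]


def parse_sections(text):
    """{section_name: {type: set(values)}}; malformed hashes and IPs are dropped, not ingested."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            current = sections.setdefault(m.group(1), defaultdict(set))
            continue
        m = IOC_LINE.match(line)
        if not m or current is None:
            continue
        kind, value = m.groups()
        if kind != "url":
            value = value.lower()  # hashes and hostnames are case-insensitive; URL paths are not
        if kind in HASH_LEN and not re.fullmatch(rf"[0-9a-f]{{{HASH_LEN[kind]}}}", value):
            continue  # truncated or mis-pasted hash
        if kind == "ip" and not IPV4.fullmatch(value):
            continue
        current[kind].add(value)
    return sections


def merge(sections):
    """Flatten all sections into one {type: set(values)} for matching."""
    merged = defaultdict(set)
    for sec in sections.values():
        for kind, values in sec.items():
            merged[kind] |= values
    return merged


def same_binary(sections):
    """sha256 values seen in more than one section: several download URLs, one payload."""
    by_hash = defaultdict(set)
    for name, sec in sections.items():
        for digest in sec.get("sha256", ()):
            by_hash[digest].add(name)
    return {h: names for h, names in by_hash.items() if len(names) > 1}


def c2_endpoints(iocs):
    """(ip, port) pairs from url indicators whose host is a raw IP; the port comes from the URL."""
    endpoints = set()
    for url in iocs["url"]:
        parts = urlsplit(url)
        if IPV4.fullmatch(parts.hostname or ""):  # hostname URLs are document drop sites, not C2
            endpoints.add((parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)))
    return endpoints


def match_log_line(line, iocs, endpoints):
    """Why a log line is suspicious, or None. A listed address on a new port is still reported."""
    for token in line.split():
        if token in iocs["url"]:
            return f"known URL {token}"
        if "://" in token:
            host = urlsplit(token).hostname or ""
            if host in iocs["domain"]:
                return f"distribution domain {host}"
            continue
        if m := HOSTPORT.match(token):
            ip, port = m.group(1), int(m.group(2) or 80)
            if (ip, port) in endpoints:
                return f"C2 endpoint {ip}:{port}"
            if ip in iocs["ip"]:
                return f"C2 address {ip} on unlisted port {port}"
    return None
```

Feed the full paste to `parse_sections` instead of the excerpt and `same_binary` will report the one payload hash under all three drop names. Matching is done on `(ip, port)` from CONNECT or firewall records rather than on the `http://IP:port/` strings, because the scheme in the paste is the sandbox's labelling, not a statement about the protocol on port 22 or 53; an IOC address seen on a port the paste does not list is still flagged, since Emotet rotates ports without changing hosts.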