G0dR4p3

Emotet_Feodo_IOC's_05-07-2018

Jul 5th, 2018
#Emotet #Feodo #Banking #Malware
---------------------------------
05-07-2018 IOCs
---------------------------------
#C2
Main object- "logontrns.exe"
sha256 d5e20efb9d7f9d334f147a3892f8184e85c633cc69ce7a428f0d4623752b0efa
sha1 d856244ab9e28a20177c2d3041964ea0eeb27665
md5 cc12277cce8e730d10b336020801305c
HTTP/HTTPS requests
url http://92.27.116.104/
url http://24.173.127.246:443/
url http://186.71.61.90/
url http://24.121.176.48:443/
url http://149.62.173.247:8080/
url http://46.105.131.69:8080/
url http://24.234.175.215:8090/
url http://121.50.43.110:8080/
url http://24.119.116.230:990/
url http://80.153.201.243:443/
url http://24.229.49.37:8080/
url http://24.74.74.183/
url http://46.105.131.87/
url http://71.244.60.231:4143/
url http://199.119.78.9:443/
url http://187.178.17.209/
url http://216.21.168.27:8443/
url http://68.2.97.91:50000/
url http://157.7.164.23:8080/
url http://216.21.168.27:53/
url http://203.45.184.52/
url http://108.170.54.171:8080/
url http://222.214.218.192:4143/
url http://69.17.170.58/
url http://78.47.182.42:8080/
url http://76.72.225.30:465/
url http://203.201.60.206:443/
url http://177.99.167.185:443/
url http://12.182.146.226/
url http://72.0.255.155/
url http://178.21.113.145:4143/
url http://70.182.77.184:8090/
url http://206.210.104.194/
url http://193.251.43.125:7080/
url http://118.244.214.210:443/
url http://146.185.170.222:8080/
url http://27.50.89.209:8080/
url http://194.88.246.242:443/
url http://99.224.5.162:8080/
---------------------------------------
Main object- "Fakturierung"
url http://www.aventyrskrocket.se/Fakturierung/
sha256 2cdd2da9534a046741e4dd2ac64b3e993222e5d8a7a583ce720ef8571c1e1b38
sha1 a9592fa1db9676d34d7d2092540c1070d6a1b9e7
md5 c0c25fcd749aa35978ea527ff3d38dcd
DNS requests
domain www.tcbecybersecurity.com
domain shop.69slam.sk
domain 51wh.top
domain www.thingyapp.com
domain www.lecreo.se
Connections
ip 47.94.145.10
ip 109.74.156.2
ip 213.171.196.39
ip 89.221.250.37
ip 96.125.160.15
HTTP/HTTPS requests
url http://51wh.top/II1S3LEJ/
url http://www.thingyapp.com/6nCqu9R8/
url http://www.lecreo.se/ZTAxFEDZxd/
url http://www.tcbecybersecurity.com/H56uKcU/
url http://shop.69slam.sk/60nDON/
----------------------------------------
Main object- "Rechs"
url http://www.bfcorp.ru/Rechs/
sha256 2cdd2da9534a046741e4dd2ac64b3e993222e5d8a7a583ce720ef8571c1e1b38
sha1 a9592fa1db9676d34d7d2092540c1070d6a1b9e7
md5 c0c25fcd749aa35978ea527ff3d38dcd
DNS requests
domain shop.69slam.sk
domain www.tcbecybersecurity.com
domain 51wh.top
domain www.lecreo.se
domain www.thingyapp.com
Connections
ip 47.94.145.10
ip 213.171.196.39
ip 109.74.156.2
ip 89.221.250.37
ip 96.125.160.15
HTTP/HTTPS requests
url http://51wh.top/II1S3LEJ/
url http://www.thingyapp.com/6nCqu9R8/
url http://www.lecreo.se/ZTAxFEDZxd/
url http://shop.69slam.sk/60nDON/
url http://www.tcbecybersecurity.com/H56uKcU/
-------------------------------------------
Main object- "Rechnungs-fur-Zahlung"
url http://www.bib.dolcelab.org/Rechnungs-fur-Zahlung/
sha256 2cdd2da9534a046741e4dd2ac64b3e993222e5d8a7a583ce720ef8571c1e1b38
sha1 a9592fa1db9676d34d7d2092540c1070d6a1b9e7
md5 c0c25fcd749aa35978ea527ff3d38dcd
DNS requests
domain shop.69slam.sk
domain www.tcbecybersecurity.com
domain www.lecreo.se
domain www.thingyapp.com
domain 51wh.top
Connections
ip 47.94.145.10
ip 89.221.250.37
ip 213.171.196.39
ip 109.74.156.2
ip 96.125.160.15
HTTP/HTTPS requests
url http://51wh.top/II1S3LEJ/
url http://www.lecreo.se/ZTAxFEDZxd/
url http://shop.69slam.sk/60nDON/
url http://www.thingyapp.com/6nCqu9R8/
url http://www.tcbecybersecurity.com/H56uKcU/
-------------------------------------------
Main object- "Rechnungs"
url http://www.veremac.cl/Rechnungs/
sha256 2cdd2da9534a046741e4dd2ac64b3e993222e5d8a7a583ce720ef8571c1e1b38
sha1 a9592fa1db9676d34d7d2092540c1070d6a1b9e7
md5 c0c25fcd749aa35978ea527ff3d38dcd
DNS requests
domain shop.69slam.sk
domain www.tcbecybersecurity.com
domain www.lecreo.se
domain www.thingyapp.com
domain 51wh.top
Connections
ip 47.94.145.10
ip 213.171.196.39
ip 109.74.156.2
ip 89.221.250.37
ip 96.125.160.15
HTTP/HTTPS requests
url http://51wh.top/II1S3LEJ/
url http://www.thingyapp.com/6nCqu9R8/
url http://www.lecreo.se/ZTAxFEDZxd/
url http://shop.69slam.sk/60nDON/
url http://www.tcbecybersecurity.com/H56uKcU/
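To turn a paste in this layout into something a SOC can act on, here is an added Python example (written for this page, not code from the paste's author) that parses the "Main object-" sections above, separates the IP:port C2 endpoints from the hostname-based document and payload delivery URLs, groups sections by sha256 (the four invoice lures above carry the same hash, so they are one document served from four compromised sites, not four samples), and runs the result over a few proxy log lines. The excerpt embedded in SAMPLE is copied from the list above but is not the full list; the proxy log layout, the 10.1.2.x client addresses and the "rotated-path" URL are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt in the paste's own layout: a few entries copied from the
# list above (not the full list), embedded so the example runs offline.
SAMPLE = """\
Main object- "logontrns.exe"
sha256 d5e20efb9d7f9d334f147a3892f8184e85c633cc69ce7a428f0d4623752b0efa
url http://24.173.127.246:443/
url http://216.21.168.27:53/
---------------------------------------
Main object- "Fakturierung"
url http://www.aventyrskrocket.se/Fakturierung/
sha256 2cdd2da9534a046741e4dd2ac64b3e993222e5d8a7a583ce720ef8571c1e1b38
DNS requests
domain 51wh.top
HTTP/HTTPS requests
url http://51wh.top/II1S3LEJ/
---------------------------------------
Main object- "Rechs"
url http://www.bfcorp.ru/Rechs/
sha256 2cdd2da9534a046741e4dd2ac64b3e993222e5d8a7a583ce720ef8571c1e1b38
"""

# Constructed proxy log lines (hypothetical layout: ts src method target status).
PROXY_LOG = """\
2018-07-05T09:12:31Z 10.1.2.3 GET http://51wh.top/II1S3LEJ/ 200
2018-07-05T09:12:40Z 10.1.2.3 CONNECT 24.173.127.246:443 200
2018-07-05T09:13:02Z 10.1.2.9 GET http://example.org/index.html 200
2018-07-05T09:14:15Z 10.1.2.3 GET http://51wh.top/rotated-path/ 200
2018-07-05T09:14:20Z 10.1.2.3 GET http://216.21.168.27:53/ 200
"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SECTION_RE = re.compile(r'^Main object-\s*"([^"]*)"')
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def parse_iocs(text):
    """Split the paste into its 'Main object-' sections; headings and rules are skipped."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            cur = {"name": m.group(1), "hashes": {}, "urls": [], "domains": [], "ips": []}
            sections.append(cur)
            continue
        if cur is None or not line or line[0] in "#-":
            continue
        key, _, value = line.partition(" ")
        if key in HASH_LEN:  # reject truncated or non-hex hashes before they reach a blocklist
            if len(value) != HASH_LEN[key] or not re.fullmatch(r"[0-9a-fA-F]+", value):
                raise ValueError(f"malformed {key} under {cur['name']!r}: {value}")
            cur["hashes"][key] = value.lower()
        elif key in ("url", "domain", "ip"):
            cur[key + "s"].append(value.lower() if key == "domain" else value)
    return sections


def split_network_iocs(sections):
    """Return (c2_endpoints, delivery_urls, delivery_domains). In this paste the C2
    list is pure IP:port while lures/payloads are fetched by hostname, so the
    host form of each URL is enough to tell the two classes apart."""
    c2, urls, domains = set(), set(), set()
    for s in sections:
        for url in s["urls"]:
            p = urlsplit(url)
            host = (p.hostname or "").lower()
            if IPV4_RE.match(host):
                c2.add((host, p.port or (443 if p.scheme == "https" else 80)))
            else:
                urls.add(url)
                domains.add(host)
        domains.update(s["domains"])
    return c2, urls, domains


def samples_by_sha256(sections):
    """Group section names by sha256: the invoice lures above share one hash,
    i.e. one document served from several hosts, not several samples."""
    out = {}
    for s in sections:
        if "sha256" in s["hashes"]:
            out.setdefault(s["hashes"]["sha256"], []).append(s["name"])
    return out


def match_proxy_log(log_text, c2, urls, domains):
    """Flag lines reaching a C2 endpoint ('c2'), a listed URL ('url'), or a listed
    delivery host on another path ('domain'); per-sample paths rotate quickly."""
    hits = []
    for line in log_text.splitlines():
        _ts, src, method, target, _status = line.split()
        if method == "CONNECT":  # TLS tunnel: the proxy only logs host:port
            host, _, port = target.rpartition(":")
            if (host, int(port)) in c2:
                hits.append((src, "c2", target))
            continue
        p = urlsplit(target)
        host = (p.hostname or "").lower()
        if IPV4_RE.match(host):
            if (host, p.port or 80) in c2:
                hits.append((src, "c2", target))
        elif target in urls:
            hits.append((src, "url", target))
        elif host in domains:
            hits.append((src, "domain", target))
    return hits
```

Matching on the delivery domain as well as the exact URL matters here: the same five payload hosts recur under every lure section, so the hostnames outlive any single path. The C2 entries are matched as (ip, port) pairs rather than bare IPs because several hosts in the list (216.21.168.27 on 8443 and 53, for instance) serve on more than one port, and a port 443 C2 shows up in a proxy log as a CONNECT rather than a GET.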