API tools faq
paste
ExecuteMalware

2020-07-17 Emotet IOCs

ExecuteMalware
Jul 17th, 2020
6,909
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.37 KB | None | 0 0
raw download clone embed print report
  1. THREAT ATTRIBUTION: EMOTET
  2.  
  3. Dynamic method Used To Get Emotet IOCs:
  4. 1. Disable Internet connectivity
  5. 2. Start CMD Watcher
  6. 3. Open Word documents and grab the base64-encoded Powershell script from CMD Watcher
  7. 4. CyberChef Recipe to decode:
  8. From_Base64('A-Za-z0-9+/=',true)
  9. Decode_text('UTF-16LE (1200)')
  10. Split('*','\\n')
  11. Extract_URLs(false)
  12. 5. Enable internet connectivity and manually download .exe from payload URLs
  13. 6. Disable internet connection again and run one of the payload executables - capture C2 traffic in Fiddler
  14.  
  15.  
  16. SENDERS OBSERVED
  17. [email protected]
  18. [email protected]
  19. [email protected]
  20. [email protected]
  21. [email protected]
  22. [email protected]
  23. [email protected]
  24. [email protected]
  25. [email protected]
  26. [email protected]
  27. [email protected]
  28. [email protected]
  29. [email protected]
  30. [email protected]
  31. [email protected]
  32. [email protected]
  33. [email protected]
  34. [email protected]
  35. [email protected]
  36. [email protected]
  37. [email protected]
  38. [email protected]
  39. [email protected]
  40. [email protected]
  41. [email protected]
  42. [email protected]
  43. [email protected]
  44. [email protected]
  45. [email protected]
  46. [email protected]
  47. [email protected]
  48.  
  49. DOCUMENT FILE HASHES
  50. 1ff452af811663fe1b2d02d818f213e8
  51. 20bd788b3f0682c4f0146ae9a554d54b
  52. 3c9cbc6f2976548609dea56d147b20f1
  53. 6e17f259490bde55e2e751dd2440d33a
  54. 73a75e40d5b73fe35ded2a82b1743cbe
  55. 74c8c361a7a78d096c2dbd629b5abc6d
  56. 780732f1e23e7e09be35e23412dfeecd
  57. 7872817339a35c2452babd1f1cc30d5d
  58. 78fe1505b6851ea884ef555874373ded
  59. 8edc8e6d88636b9e5350aa2e80f8336d
  60. 968203d0531ceb11a0e3298c390c2872
  61. a97740e8d3d27258f8e25de5c1a8e9b4
  62. b270acc8fd391d79b4d0bfac126cc5ff
  63. b97a25f68f9c501c487735d5c058757e
  64. d8641ce9ed475045cf82d82463399ad9
  65. ec9b276d4666d77203b46d89227fe2cd
  66.  
  67. PAYLOAD FILE HASHES
  68. 13067d944a3c16ce092dbe80d3f69b41
  69. 30333d086f47122e8bf43b2ff6076bff
  70. 62f979be778c0d83047350fa2d1de2a1
  71. 759e289fa582cd91f0e2f69e6baff40a
  72. 90c500199a04f70cd810e55c56e01cea
  73. d2916d363b9d9b7f16e8210da16f42bf
  74. ecfc2d4481aaa0dfc8aaaa1fad367f56
  75.  
  76. MALDOC DOWNLOAD URLs
  77. http://aarunya.in/wp-admin/swift/3jc4jqgai3rf/98382623658csjsmcfrnnlx032w6e9/
  78. http://af2play.online/cadic/DOC/q9n256866279950911462178txj81v0getc0nq8d84nl/
  79. http://agoty.org/wp-content/uploads/1569700949_aQmJGB6jChk2g_6711054_esaD78/e0n1mn2x_6ygf_41wR_vLbhodeZ/05uoy_108vytsx7/
  80. http://akzy.top/h8ioc8/Documentation/
  81. http://bushireinlondon.co.uk/fonts/available_disk/test_forum/676747_SYh9NiV2/
  82. http://careco.parts/wp-content/Uf/
  83. http://cellstore.net.br/wp-admin/protected-zone/interior-zgirj9bvpgy5ef1-0z7d5cqgj949/KL4SoBjA0s-nGbvgduN/
  84. http://cepabol.noticias.bo/alfacgiapi/ybaurum4dq/
  85. http://cleardristi.com/cleardristi.com_WP_INSTALL/g84oq8lq9ek_d0qdnl3l0gkrr_module/corporate_wkg55rof6x_cf5kxjphwqyz/who5_06y576/
  86. http://demo.xoweb.cn/static/public/yn4g1lj32bix/
  87. http://drive.medisail.fr/lib/INC/
  88. http://dsoft.software/euy/lj/
  89. http://elilaifs.cn/wp-admin/parts_service/jecxwnaz1j/
  90. http://essah.in/new/jke8sdg-a892-41684/
  91. http://exchangecamp.ir/wp-admin/Documentation/
  92. http://guoxiaorui.cn/wp-admin/private_FbVo_PSouiS1uKbbyfs/interior_forum/9005074_1StXFeoXH8jW9/
  93. http://hirebyprofession.com/assets/lm/
  94. http://linhkien36.cf/wp-admin/personal_array/open_forum/248250499770_SkHduGJkxpK/
  95. http://linhkien36.net.co/wp-admin/browse/
  96. http://longphuong.tk/wp-admin/browse/buz7el/
  97. http://minibus-hire-basingstoke.co.uk/js/erhXjTo/
  98. http://money-crdt.ru/q0by2r/invoice/
  99. http://movie.cxyw.net/fork/LLC/jj0av1ems/xrgxn858627574n193e6s4zoqd2/
  100. http://pasca.fapet.ub.ac.id/l/sites/
  101. http://psotm.pl/wp-includes/closed_zone/interior_area/963338392_kCrsPUBs/
  102. http://ranks.hoonicorns.pt/comp3/Overview/00giwvmzhy/s04054954269w9vtvn5tqlan/
  103. http://sample.tri-comma.com/wp-admin/FILE/
  104. http://stayfitphysio.ca/wp-content/plugins/balance/fzozekbnnb/
  105. http://steelworks-students.com/wp-admin/FILE/ype8vbeho2jn/
  106. http://sul.t.12cotacao.us/clicar/32551467/
  107. http://swingcommerce.com/wp-content/uploads/closed_box/YHim0z_mvqyzrJPRQe_76jy_mxy1me3/pa84uf2f2oqj_sv590sx04s45wy/
  108. http://tangramadigital.tecnologia.bo/wp-admin/87296192280_GCdHQit_473088_QQLl2FZUTJVfNgF/guarded_forum/hfwF5TB7kQ_uLMfnpJjwN63/
  109. http://tarisfotografi.com/aup/Overview/
  110. http://temp.tara.edu.lk/wp-content/uploads/2020/personal-DVdtZjL-mQSSVjj/test-profile/17169653973-18JoYS1FAiHzZCDR/
  111. http://teste.hoonicorns.pt/ddfcn41dj/payment/epwsnm/
  112. http://tophoras.hoonicorns.pt/comp3/z9-9elt-66213/
  113. http://triptovacations.com/wp-content/wadJUaE/
  114. http://ulfhorror.com/wp-admin/83279465106718/7fkhh84265327972167057acuknjrmhrfbxz9bdd/
  115. http://united-vision.net/smart-school-5.0/available_disk/open_space/4648749024_erM9SWF/
  116. http://watkins.mitchellpwright.com/wp-includes/docs/lg2wm6zn/sxhgff291213969722cb2tpmjwffm/
  117. http://web86.s146.goserver.host/hk9jj/CchogvhEi/
  118. http://wmzart.com/wp-includes/available-box/special-area/682477561403-C9hB9Em/
  119. http://www.0931tangfc.com/images/multifunctional_d1hiw_ewtuc2kwj/verifiable_space/2w3z_403y7v5934/
  120. http://www.ajanews.asia/wp/Document/5r65712504026116389jmyzp09zw2b3sfn63/
  121. http://www.aumhealings.org/wp-admin/docs/1izhzmhbo/
  122. http://www.carloni.com.br/wp-includes/closed-module/corporate-090menkn8gyh0v-flesu2z9rvhj/xzus-294v8y/
  123. http://www.dawoodsupermarket.com/wp-admin/eNUOCqw/
  124. http://www.gdstechnologies.co.in/app/eTrac/
  125. http://www.leonardoenergie.it/media/balance/
  126. http://www.mikesar.com/cgi-bin/FILE/9iy3rbp/yc697386432801482480z1o1srx37/
  127. http://www.mikesar.com/cgi-bin/rqag0gz/
  128. http://www.oakeno.com/wp-admin/801579841823_XUeIoA6k4S663_zone/test_area/rgfnwniaa_3x7u49063/
  129. http://www.quintapavicich.com.ar/3e8mgy/private-module/individual-profile/wo718fkda46wwqw-04xs44/
  130. http://www.timelyrain.top/wp-includes/ID3/parts_service/enlbnfk4xl/
  131. http://wx.yuan.fit/data/multifunctional-ni7pt4lu-igevj/interior-profile/6kj-s2ss899y0wtzy/
  132. http://yihe.fcglobal.com.cn/phpsso_server/ej9ni-qb-014/
  133. http://ypbb.or.id/wp-content/bao-5yp-968/
  134. http://yuan.fit/wp-admin/v3na-c7uu-042786/
  135. http://zeing-kor.com/b/common_array/open_12aprkbzsnv01y_4uawa/87933126050098_FOkxEXj/
  136. http://zingadata.com/wp-content/protected-680154094967-NkP2aIaG/guarded-TDUl5Ai-CW9oksOL8Jh/1705605-2vBjnW/
  137. https://1haowan.cn/wp-includes/protected-disk/open-653784029-jIpt1NW/mzWXqM-lk28z57HqL/
  138. https://affutes.netavantage.com/wp-content/closed-9858205266-15AeMiAnE9/open-warehouse/9YpjLKfyXx-lzyNfHLNn/
  139. https://ahdaaf.me/site/attachments/8uawrs20822876186p63anwn63gv9dv/
  140. https://allamanolibrary.com/zyro/public/
  141. https://anikwp.com/6d3jv/personal_box/open_Loa8_MvQFjwwmkY/8064625563_dYBaZNqg0f2/
  142. https://antalyalogodestek.com/wp-content/public/
  143. https://bawaslu.wonosobokab.go.id/wp-content/iskGT/
  144. https://construtoraaguiar.com.br/wp-includes/available-ph1S-smmNI7wAUDV42iB/special-portal/528912442-bGAY3pyBEmP/
  145. https://daniwilkinson.co.uk/dup-installer/sites/3u01718046821pkh6l38v42wa3e1eiw/
  146. https://delhisuppliers.in/wp-admin/closed_array/open_space/gwr2soq_4wy25t3026/
  147. https://dinghaomcc.com/wp-admin/protected-resource/interior-area/lnlnimb-yw16sztu69/
  148. https://doraflob.com/fef2/Document/
  149. https://fitmode.vn/wp-admin/common-09174168043-bWUexpZAf3/guarded-space/xvy4fksg-66xy89524359w/
  150. https://grafikos.com.ar/cgi-bin/open-43667-nqZwUKt5/security-3lrg-AjxU8K4c/12097743559-MsAVhVJHCjVT4bV/
  151. https://hightea.tk/wp-admin/LLC/uxblj70750248131jyb5yjz51vq9r3zg0yo/
  152. https://ideanetsolutions.com/wp-admin/multifunctional-zone/guarded-mglbz8f9qqm-77foumy8y423bo/ZqnWyCb1ePV-yhG1xbpjL/
  153. https://ineedmoney.loan/wp-content/dAXpzb/
  154. https://koncenful.com/wp-content/lm/hmhj52/ook7ri689941810111164mlk5ffuksnm6anf/
  155. https://konipapua.com/wp-content/uploads/
  156. https://konipapua.com/wp-content/uploads/zpqn7d-w8-418/
  157. https://max-hoffmann-webdesign.de/eTrac/
  158. https://momentomt.com.br/wp-includes/5lto7-by5y-45/
  159. https://qhn.vn/default/attachments/
  160. https://qrtalk.nl/wp-content/docs/f6k3vrc0/
  161. https://robotena.org/wp-admin/dhly-qh6p-87788/
  162. https://steer2vision.com/recurringo/Overview/t8oku994412361893ciornz3iuaysczvm/
  163. https://www.chinavok.com/wv7kv/multifunctional-gmgtAcb-XzR6tiFghuo/additional-gN3u1-JPwnriOV0YM/wg7hzo1jit-0sus2x/
  164. https://www.fleuve.tk/wp-admin/statement/zfkdtqgff/
  165. https://www.pharma-israel.org.il/wp-content/DOC/
  166. https://www.strain.ee/site/82kxurzh-4x7-27/
  167. https://www.supercutscissors.com/wp-content/uploads/11a-t48x-5941/
  168. https://www.ziyuan.tech/wp-admin/Documentation/
  169.  
  170. EMOTET PAYLOAD URLs
  171. http://abatiy.com/yaa/po0395/
  172. http://cpads.net/7iuhq/mri/
  173. http://crm.shaayanpharma.com/application/ffltO/
  174. http://fivestarcleanerstx.com/wp-content/mu-plugins/2CLid868/
  175. http://shubhinfoways.com/p/XEcc5x1qx73/
  176. http://sustainableandorganicgarments.com/komentarz/KHF6ry92657/
  177. http://test2.cxyw.net/hyeht3/aWybkzi/
  178. http://topgameus.com/AutoIT_UngdungOnline/zqjqel/
  179. http://www.szhealthshield.com/websiteguide/k82i/
  180. http://zazabajouk.com/cf9r4nd/Xsma350581/
  181. https://aliyousefpoor.com/wp-admin/Gkt8B41139/
  182. https://bhandaraexpress.com/wp-includes/0Iw2jW2/
  183. https://digitalcon7.net/wp-snapshots/0Wn/
  184. https://e2e-solution.com/sandbox/Sv2880/
  185. https://exam.ylsbmeirong.com/data/tjEyH973/
  186. https://fivestarcleanerstx.com/wp-content/mu-plugins/2CLid868/
  187. https://ramukakaonline.com/wp-includes/cxSzmSXN/
  188. https://skenglish.com/wp-admin/o0gf/
  189. https://ssuse.com/wp-content/uploads/IMv2xyEc3/
  190. https://thesuperservice.com/wp-admin/rL00/
  191. https://tyres2c.com/wp-admin/zu2h/
  192. https://www.elseelektrikci.com/wp-content/hedk3/
  193. https://www.packersmoversmohali.com/wp-includes/pgmt4x/
  194. https://www.rviradeals.com/wp-includes/LeDR/
  195. https://www.tri-comma.com/wp-admin/MmD/
  196.  
  197. EMOTET C2s
  198. http://101.187.97.173
  199. http://103.86.49.11:8080
  200. http://104.131.103.37:8080
  201. http://104.131.11.150:443
  202. http://104.131.41.185:8080
  203. http://104.131.44.150:8080
  204. http://104.236.161.64:8080
  205. http://104.236.246.93:8080
  206. http://104.247.221.104:443
  207. http://108.48.41.69
  208. http://109.117.53.230:443
  209. http://109.74.5.95:8080
  210. http://110.143.151.194
  211. http://110.145.77.103
  212. http://111.67.12.221:8080
  213. http://113.160.130.116:8443
  214. http://113.190.254.245
  215. http://114.109.179.60
  216. http://116.203.32.252:8080
  217. http://12.162.84.2:8080
  218. http://121.124.124.40:7080
  219. http://137.59.187.107:8080
  220. http://137.74.106.111:7080
  221. http://139.130.242.43
  222. http://139.59.60.244:8080
  223. http://143.0.87.101
  224. http://149.62.173.247:8080
  225. http://153.126.210.205:7080
  226. http://157.245.99.39:8080
  227. http://162.154.38.103
  228. http://162.241.92.219:8080
  229. http://168.235.67.138:7080
  230. http://169.239.182.217:8080
  231. http://170.81.48.2
  232. http://172.104.169.32:8080
  233. http://173.91.22.41
  234. http://176.111.60.55:8080
  235. http://177.139.131.143:443
  236. http://177.144.135.2
  237. http://177.66.190.130
  238. http://177.72.13.80
  239. http://178.79.163.131:8080
  240. http://181.120.79.227
  241. http://181.129.96.162:8080
  242. http://181.31.211.181
  243. http://185.94.252.104:443
  244. http://185.94.252.12
  245. http://185.94.252.13:443
  246. http://185.94.252.27:443
  247. http://186.208.123.210:443
  248. http://186.250.52.226:8080
  249. http://186.70.127.199:8090
  250. http://187.162.248.237
  251. http://187.51.47.26
  252. http://189.218.165.63
  253. http://190.108.228.62:443
  254. http://190.144.18.198
  255. http://190.147.137.153:443
  256. http://190.160.53.126
  257. http://190.163.1.31:8080
  258. http://190.17.195.202
  259. http://190.181.235.46
  260. http://190.194.242.254:443
  261. http://190.229.148.144
  262. http://190.55.181.54:443
  263. http://190.6.193.152:8080
  264. http://192.241.143.52:8080
  265. http://192.241.146.84:8080
  266. http://2.47.112.152
  267. http://200.41.121.90
  268. http://200.55.243.138:8080
  269. http://201.173.217.124:443
  270. http://201.213.32.59
  271. http://202.62.39.111
  272. http://203.153.216.189:7080
  273. http://203.25.159.3:8080
  274. http://204.225.249.100:7080
  275. http://207.255.37.143
  276. http://209.141.54.221:8080
  277. http://210.165.156.91
  278. http://212.51.142.238:8080
  279. http://212.71.237.140:8080
  280. http://217.13.106.14:8080
  281. http://217.199.160.224:7080
  282. http://219.92.13.25
  283. http://222.214.218.37:4143
  284. http://24.1.189.87:8080
  285. http://31.31.77.83:443
  286. http://37.139.21.175:8080
  287. http://37.187.72.193:8080
  288. http://41.60.200.34
  289. http://45.161.242.102
  290. http://46.105.131.79:8080
  291. http://46.105.131.87
  292. http://46.214.11.172
  293. http://46.28.111.142:7080
  294. http://5.196.35.138:7080
  295. http://5.196.74.210:8080
  296. http://5.39.91.110:7080
  297. http://50.116.86.205:8080
  298. http://50.28.51.143:8080
  299. http://51.255.165.160:8080
  300. http://58.153.68.176
  301. http://60.130.173.117
  302. http://61.19.246.238:443
  303. http://61.92.159.208:8080
  304. http://62.138.26.28:8080
  305. http://62.75.141.82
  306. http://68.183.170.114:8080
  307. http://68.183.190.199:8080
  308. http://70.32.115.157:8080
  309. http://70.32.84.74:8080
  310. http://72.47.248.48:7080
  311. http://73.11.153.178:8080
  312. http://74.208.45.104:8080
  313. http://75.139.38.211
  314. http://77.55.211.77:8080
  315. http://77.90.136.129:8080
  316. http://78.189.165.52:8080
  317. http://78.24.219.147:8080
  318. http://79.7.158.208
  319. http://79.98.24.39:8080
  320. http://80.249.176.206
  321. http://81.2.235.111:8080
  322. http://82.196.15.205:8080
  323. http://83.169.21.32:7080
  324. http://87.106.136.232:8080
  325. http://87.106.139.101:8080
  326. http://87.106.46.107:8080
  327. http://89.32.150.160:8080
  328. http://91.205.215.66:443
  329. http://91.211.88.52:7080
  330. http://91.236.4.234:443
  331. http://93.156.165.186
  332. http://93.51.50.171:8080
  333. http://94.176.234.118:443
  334. http://95.179.229.244:8080
  335. http://95.213.236.64:8080
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!