2022-03-29-IOCs-for-Emotet-and-Cobalt-Strike.txt
2022-03-29 (TUESDAY) - EMOTET EPOCH 4 INFECTION WITH COBALT STRIKE

NOTES:
- Today, we've seen Emotet send attachments for a short time, but it has been sending mostly URLs so far.
- Emotet started using URLs again yesterday as reported at https://twitter.com/Cryptolaemus1/status/1508542226275745803

32 EXAMPLES OF SENDING ADDRESSES FROM EMOTET MALSPAM:
- From: "[spoofed sender name]" <a-fukunaga@taiyo-in.co.jp>
- From: "[spoofed sender name]" <amairany.saucedo010@vimpet.com.mx>
- From: "[spoofed sender name]" <asistenteadmi@astextilni.com>
- From: "[spoofed sender name]" <business.development@mashhor.com>
- From: "[spoofed sender name]" <ccollante@utejgn.com.ar>
- From: "[spoofed sender name]" <contador@bestwesternghch.com>
- From: "[spoofed sender name]" <dohai@elentec.vn>
- From: "[spoofed sender name]" <fathi.surkhi@gsi-glass.com>
- From: "[spoofed sender name]" <fc@bwkindaihotel.com>
- From: "[spoofed sender name]" <finanzas@capcentroamerica.com>
- From: "[spoofed sender name]" <fokhrul@globalbrand.com.bd>
- From: "[spoofed sender name]" <francesco.lima@stile.conc-bmw.com>
- From: "[spoofed sender name]" <hirata@ki-corp.co.jp>
- From: "[spoofed sender name]" <immesus@immesus.com>
- From: "[spoofed sender name]" <info.mail@sidvsa.com>
- From: "[spoofed sender name]" <info@mikreocasa.com>
- From: "[spoofed sender name]" <info@realemutuabtp.it>
- From: "[spoofed sender name]" <info@vmgroupitalia.com>
- From: "[spoofed sender name]" <ingrid.grub@grupomm.com.uy>
- From: "[spoofed sender name]" <jhernandez@piamonte.cl>
- From: "[spoofed sender name]" <kelvinli@topmost-tech.com.tw>
- From: "[spoofed sender name]" <khurram@adamjeedurabuilt.com>
- From: "[spoofed sender name]" <lucia.gutierrez@distab.com.uy>
- From: "[spoofed sender name]" <mcornejo@servconsa.pe>
- From: "[spoofed sender name]" <muhammad.zaid@aquademintl.com>
- From: "[spoofed sender name]" <mustafa@zaco.com.pk>
- From: "[spoofed sender name]" <n-nakazawa@hk-ej.co.jp>
- From: "[spoofed sender name]" <pune.support@giplpune.com>
- From: "[spoofed sender name]" <s-yonehara@sohwa.jp>
- From: "[spoofed sender name]" <takisyo-master@yabuboard.ed.jp>
- From: "[spoofed sender name]" <y-matsuzaka@sinkou-e.jp>
- From: "[spoofed sender name]" <yosino@marine.odn.ne.jp>

7 EXAMPLES OF URLS FROM EMOTET MALSPAM:
- hxxp://ferroconsultora[.]com[.]ar/cli/3gKSvURXLb/
- hxxp://fikirteknesi[.]com/wp-includes/YQmEElzYjaqiFb3ZEnl21rBM9Ka6s/
- hxxp://fjcidea[.]com[.]ar/exhibit/W/
- hxxp://fkl[.]co[.]ke/wp-content/Elw3kPvOsZxM5/
- hxxp://fontecmobile[.]com/pk/TsR23QKKRQFRUFmFgQ2fIGkkk7Vg/
- hxxp://football.g-sports[.]gr/paok/jkL8M4zza4PwF84/
- hxxps://www.fitoka[.]com[.]br/plugins/oFZRcso98qlNk3FdrKPtlA8/

URLS FOR THE EXCEL FILE DOWNLOAD:
- hxxp://ferroconsultora[.]com[.]ar/cli/3gKSvURXLb/?i=1
- hxxp://fikirteknesi[.]com/wp-includes/YQmEElzYjaqiFb3ZEnl21rBM9Ka6s/?i=1
- hxxp://fjcidea[.]com[.]ar/exhibit/W/?i=1
- hxxp://fkl[.]co[.]ke/wp-content/Elw3kPvOsZxM5/?i=1
- hxxp://fontecmobile[.]com/pk/TsR23QKKRQFRUFmFgQ2fIGkkk7Vg/?i=1
- hxxp://football.g-sports[.]gr/paok/jkL8M4zza4PwF84/?i=1
- hxxps://www.fitoka[.]com[.]br/plugins/oFZRcso98qlNk3FdrKPtlA8/?i=1

DOWNLOADED EXCEL FILE:
- SHA256 hash: ade8be9f42310d7208c19f38eedbbdd38a925237d349718844a036d2ebaa7af3
- File size: 129,536 bytes
- File name: 426534628608157239.xls
- File description: Downloaded Excel file with macros for Emotet

EMOTET DLL RETRIEVED BY MACRO FROM EXCEL FILE:
- SHA256 hash: bb01a42f1b01a2d94a33b0cc9d192a2b5b447289133e12d92b619903e87c7086
- File size: 589,824 bytes
- File location: hxxp://g-wizcomputers[.]com/party/61W0ovBu86/
- File location: C:\Users\[username]\efhj.dll
- File location: C:\Users\[username]\AppData\Local\Vpifpbqmu\lsxmrbwejitduvo.qzr
- Run method: regsvr32.exe [filename]

FOLLOW-UP MALWARE: COBALT STRIKE:
- SHA256 hash: d08430ad21c7a08c68416ad117358c281e8d66c1eed9c8a5a044af66488369c0
- File size: 2,928,128 bytes
- File location: C:\Users\[username]\AppData\Local\Vpifpbqmu\bnsprrcrgbd.dll
- Run method: regsvr32.exe [filename]

URLS GENERATED BY EXCEL MACRO FOR EMOTET DLL:
- hxxp://drvishalchestclinic[.]com/wp-includes/SqqCZQ6y2uyFF/
- hxxp://funestotal[.]com/5aclo1em/21U/
- hxxp://g-wizcomputers[.]com/party/61W0ovBu86/
- hxxp://primefind[.]com/1mall-uk/h5/
- hxxp://la-csi[.]com/mt-admin/BB7/
- hxxps://pancook[.]com/newsite/H6xxeLefX1I2vgJFM1Y/

EMOTET C2 TRAFFIC:
- 216.120.236[.]62 port 8080 - HTTPS traffic
- 189.232.46[.]161 port 443 - HTTPS traffic
- 144.217.88[.]125 port 443 - HTTPS traffic
- 45.184.36[.]10 port 8080 - HTTPS traffic
- 176.31.163[.]17 port 8080 - HTTPS traffic
- 109.160.96[.]230 port 4143 - HTTPS traffic
- 136.243.32[.]168 port 443 - HTTPS traffic

COBALT STRIKE TRAFFIC:
- 139.60.161[.]45 port 443 - verofes[.]com - HTTPS traffic