Showing posts from June, 2018

EMOTET C2 IPs 21 June 2018

Here's the list of the latest C2 connections for the Emotet payload (Geodo):

47.188.131.94
119.18.8.51
199.167.209.11
69.41.8.88
62.159.33.122
67.20.224.109
86.209.63.166
222.112.169.133
70.183.98.85
105.228.39.7
69.129.91.38
179.52.46.11
178.42.196.228
50.84.214.74
169.0.250.138
125.129.212.89
217.160.93.187
174.140.167.85
216.105.170.139
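To make the list actionable, here is an added example (not from the original post) that matches destination addresses in constructed firewall log lines against the IOC set by exact field comparison, and contrasts that with naive substring matching, which over-matches on longer addresses. The key=value log format, the sample lines (using TEST-NET and class E addresses so they collide with nobody) and the function names are assumptions for the example. A caveat: Emotet C2 addresses rotate quickly, so a list dated 21 June 2018 is useful mainly for retrospective hunting, not for ongoing blocking.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Emotet (Geodo) C2 addresses as listed in the post above (21 June 2018).
EMOTET_C2_IPS = frozenset({
    "47.188.131.94", "119.18.8.51", "199.167.209.11", "69.41.8.88",
    "62.159.33.122", "67.20.224.109", "86.209.63.166", "222.112.169.133",
    "70.183.98.85", "105.228.39.7", "69.129.91.38", "179.52.46.11",
    "178.42.196.228", "50.84.214.74", "169.0.250.138", "125.129.212.89",
    "217.160.93.187", "174.140.167.85", "216.105.170.139",
})

# Constructed sample log lines in an assumed key=value firewall format; not real traffic.
# The last line deliberately contains an IOC as a substring of a longer, unrelated address.
SAMPLE_LOG = """\
2018-06-21T10:02:11Z src=10.0.5.23 dst=47.188.131.94 dport=8080 proto=tcp action=allow
2018-06-21T10:02:15Z src=10.0.5.23 dst=203.0.113.10 dport=443 proto=tcp action=allow
2018-06-21T10:03:40Z src=10.0.7.9 dst=216.105.170.139 dport=443 proto=tcp action=allow
2018-06-21T10:04:02Z src=10.0.5.23 dst=247.188.131.94 dport=80 proto=tcp action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)

Record = Tuple[str, str, str, int]  # (timestamp, src, dst, dport)


def parse_line(line: str) -> Optional[Record]:
    """Parse one log line into a record; return None for malformed lines or junk addresses."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        # ipaddress normalises the textual form and rejects anything that is not an address.
        dst = str(ipaddress.ip_address(m.group("dst")))
    except ValueError:
        return None
    return m.group("ts"), m.group("src"), dst, int(m.group("dport"))


def find_c2_hits(lines: Iterable[str], iocs=EMOTET_C2_IPS) -> List[Record]:
    """Return records whose destination address exactly equals one of the IOCs."""
    hits: List[Record] = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec[2] in iocs:
            hits.append(rec)
    return hits


def naive_substring_hits(lines: Iterable[str], iocs=EMOTET_C2_IPS) -> int:
    """The tempting grep-style check: counts lines containing any IOC as a substring.

    Shown only to demonstrate the false positive on 247.188.131.94 in the sample log.
    """
    return sum(1 for line in lines if any(ioc in line for ioc in iocs))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ts, src, dst, dport in find_c2_hits(lines):
        print(f"{ts} {src} -> {dst}:{dport}  matches Emotet C2 list")
    print("naive substring matches:", naive_substring_hits(lines))
```

Run it against a real export by replacing `SAMPLE_LOG` with the file contents and adjusting `LINE_RE` to the exporter's field names; the exact-match path is what should feed any blocklist or SIEM rule.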

QuantLoader - Malware Analysis

QuantLoader is a Trojan downloader that has been for sale on underground forums for quite some time. It has been used in campaigns delivering a range of malware, including ransomware, banking Trojans and RATs. The campaign analyzed here delivers a backdoor. This post takes both a high-level look at the campaign flow and a deep dive into how the malware executes, with a focus on its networking functions: how the binary runs, how it connects back to the C2, and some of the more interesting calls it makes, such as executing the netsh command to change local firewall rules. The latest version of QuantLoader is being served through a phishing campaign that uses some interesting techniques. The campaign starts with a phishing email containing a link that serves the victim the initial JS downloader. What's interesting is that they've opted for a file:// (SMB) protocol rather t
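The netsh firewall change mentioned above is a useful detection pivot in its own right. The following is an added example, not code from the post, that scans constructed Sysmon-style process-creation records for netsh commands that add a firewall rule (both the `advfirewall firewall add rule` syntax and the legacy `firewall add allowedprogram` syntax) and raises the severity when the whitelisted program or the parent process lives in a user-writable directory. The excerpt does not give the exact command line QuantLoader issues, so the sample records, field names and severity rules are assumptions for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed Sysmon-style process-creation records; not real QuantLoader telemetry.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 1204, "parent": r"C:\Users\victim\AppData\Roaming\svchost.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Core Networking" dir=in action=allow program="C:\Users\victim\AppData\Roaming\svchost.exe" enable=yes'},
    {"pid": 1310, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"netsh interface show interface"},
    {"pid": 1402, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\victim\AppData\Local\Temp\upd.exe" upd ENABLE'},
    {"pid": 1500, "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Vendor Agent" dir=in action=allow program="C:\Program Files\Vendor\agent.exe"'},
]

# Modern and legacy netsh syntaxes for punching a hole in the host firewall.
MODERN_ADD_RE = re.compile(r"\badvfirewall\s+firewall\s+add\s+rule\b", re.I)
LEGACY_ADD_RE = re.compile(r"\bfirewall\s+add\s+allowedprogram\b", re.I)
MODERN_PROGRAM_RE = re.compile(r'\bprogram=(?:"([^"]+)"|(\S+))', re.I)
LEGACY_PROGRAM_RE = re.compile(r'\ballowedprogram\s+(?:"([^"]+)"|(\S+))', re.I)

# Locations a legitimate installer rarely whitelists but droppers usually run from (assumed list).
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")


def firewall_program(cmdline: str) -> Optional[str]:
    """Return the program path a netsh 'add rule' command whitelists.

    Returns None when the command does not add a rule at all, and "" when it adds a rule
    with no program filter (for example a port-only rule), which is still worth flagging.
    """
    if MODERN_ADD_RE.search(cmdline):
        m = MODERN_PROGRAM_RE.search(cmdline)
    elif LEGACY_ADD_RE.search(cmdline):
        m = LEGACY_PROGRAM_RE.search(cmdline)
    else:
        return None
    if not m:
        return ""
    return m.group(1) or m.group(2)


def in_user_writable_dir(path: str) -> bool:
    """Case-insensitive check for the directories an unprivileged user can write to."""
    p = path.lower()
    return any(d in p for d in USER_WRITABLE_DIRS)


def classify(event: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Produce an alert for a firewall-rule-adding netsh invocation, or None."""
    program = firewall_program(str(event["cmdline"]))
    if program is None:
        return None
    parent = str(event["parent"])
    suspicious = (bool(program) and in_user_writable_dir(program)) or in_user_writable_dir(parent)
    return {
        "pid": event["pid"],
        "severity": "high" if suspicious else "medium",
        "program": program,
        "parent": parent,
    }


def scan(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run classify() over a batch of process-creation records and keep the alerts."""
    return [a for a in (classify(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] pid={alert['pid']} parent={alert['parent']} "
              f"whitelists={alert['program'] or '<no program filter>'}")
```

Plain `netsh` execution is too noisy to alert on by itself, which is why the example keys on the rule-adding subcommands and uses the program path and parent image to separate an installer's rule from a dropper whitelisting itself out of %APPDATA%.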