
Emotet C2 Network IOC August 2018 Week 4 Campaign

Article by Vishal Thakur



IP addresses and ports were run together in the original table. The split below assumes the ports that appear in this campaign (443, 8080, 8090, 7080, 4143, 990, 50000); where the post lists no port, the Port column is left blank, as is any other field the post did not give.

IP              | Port  | Country                   | Region               | City           | Time zone
----------------|-------|---------------------------|----------------------|----------------|----------
50.33.142.65    |       | United States             | Texas                | Dallas         | CST
173.63.125.138  |       | United States             | New Jersey           |                | EST
67.175.118.157  |       | United States             | South Carolina       | Tamassee       | EST
47.186.71.56    |       | Canada                    | Ontario              | Ottawa         | EST
71.12.111.50    | 443   | United States             | Georgia              | Moultrie       | EST
100.16.243.115  | 443   | United States             | Virginia             | Ashburn        | EST
80.89.191.118   |       | United Arab Emirates      |                      | Dubai          | GMT+4
104.219.132.28  |       | United States             | Oklahoma             | Oklahoma City  | CST
23.25.247.205   | 443   | United States             | Massachusetts        | Cambridge      | EST
118.244.214.210 | 443   | Korea, Republic Of        |                      | Seoul          | GMT+9
212.129.56.179  | 443   | Russian Federation        |                      | Moscow         | GMT+3
47.16.187.196   | 8090  | Canada                    | Ontario              | Ottawa         | EST
97.68.6.155     | 8090  | United States             | New Jersey           | Bedminster     | EST
71.174.9.241    |       | United States             | Florida              | Brandon        | EST
14.1.39.3       | 443   | China                     |                      | Guangzhou      | GMT+8
199.119.78.38   | 443   | United States             | Missouri             | Springfield    | CST
71.8.233.246    | 7080  | United States             | Delaware             | Seaford        | EST
108.191.59.73   |       | United States             | District Of Columbia | Washington     | EST
75.134.186.41   | 50000 | United States             | Texas                | Plano          | CST
194.150.118.8   | 443   | Hungary                   |                      | Budapest       | GMT+1
146.185.170.222 | 8080  | United States             | Wisconsin            | Racine         | CST
76.184.189.139  |       | United States             | Virginia             | Herndon        | EST
174.22.174.8    | 990   | United States             | New Mexico           | Farmington     | MST
47.49.12.98     | 8090  | China                     |                      | Hangzhou       | GMT+8
46.105.131.87   |       | Spain                     | Pontevedra           | Vigo           | GMT+1
46.105.131.69   | 8080  | Spain                     | Pontevedra           | Vigo           | GMT+1
95.141.175.240  | 443   | Netherlands               |                      | Diemen         | GMT+1
216.162.104.123 | 50000 | United States             | Massachusetts        | Burlington     | EST
94.205.172.98   | 7080  | Romania                   |                      | Ploiesti       | GMT+2
222.214.218.192 | 4143  | China                     |                      | Beijing        | GMT+8
205.144.212.191 |       | United States             | Virginia             | Ashburn        | EST
211.115.111.19  | 443   | Australia                 | New South Wales      | Sydney         | GMT+10
78.47.182.42    | 8080  | France                    |                      | Saint-Denis    | GMT+1
121.221.143.34  | 8080  | China                     |                      | Baotou         | GMT+8
157.7.164.23    | 8080  | Thailand                  |                      |                | GMT+7
86.98.19.67     | 443   | France                    |                      | Rennes         | GMT+1
70.184.197.174  |       | United States             | New Jersey           | Cedar Knolls   | EST
199.119.78.9    | 443   | United States             | Missouri             | Springfield    | CST
187.250.146.185 | 990   | Brazil                    |                      |                | GMT-3
71.42.101.146   |       | United States             | California           | Seal Beach     | PST
174.113.155.237 |       | United States             | New Mexico           | Rio Rancho     | MST
189.194.251.114 | 8080  | Brazil                    |                      |                | GMT-3
108.170.54.171  | 8080  | United States             | California           | Indio          | PST
149.62.173.247  |       | United States             | Connecticut          | Bloomfield     | EST
174.106.101.58  | 8080  | United States             | Idaho                | Nampa          | MST
70.182.9.95     | 443   | United States             | South Carolina       | Greenville     | EST
173.175.154.68  |       | United States             | Nevada               | Henderson      | PST
70.124.45.152   | 443   | Canada                    | Ontario              | Brockville     | EST
216.21.168.27   |       | United States             | Florida              | Orlando        | EST
67.53.103.202   |       | United States             | Colorado             | Denver         | MST
172.114.12.186  | 8080  |                           |                      |                |
72.46.213.222   | 443   | United States             | New Jersey           | Bedminster     | EST
199.0.205.131   | 443   | United States             |                      |                |
209.182.122.217 |       | United States             | Ohio                 | Columbus       | EST
27.50.89.209    | 8080  | China                     |                      | Hebei          | GMT+8
50.244.180.57   | 990   | United States             | Arizona              | Scottsdale     | MST
194.88.246.242  | 443   | Iran, Islamic Republic Of |                      | Tehran         | GMT+3:30
70.31.145.0     | 50000 | Canada                    | British Columbia     | Vancouver      | PST
68.97.124.74    | 8090  | United States             | Texas                | Richardson     | CST
71.244.60.231   | 4143  | United States             | Virginia             | Stafford       | EST
105.226.22.180  |       | Kenya                     |                      |                | GMT+3
71.222.28.66    |       | United States             | Colorado             | Aurora         | MST
68.132.248.98   | 443   | United States             | Maryland             | Frederick      | EST
142.255.116.215 | 8090  | United States             | New York             | New York       | EST
92.99.75.41     | 443   | Jordan                    |                      |                | GMT+2
50.27.155.34    | 7080  | Canada                    | British Columbia     | Vancouver      | PST
201.229.10.109  |       | Brazil                    |                      |                | GMT-3
38.29.209.76    |       | United States             | District Of Columbia | Washington     | EST
72.64.155.122   |       | United States             | California           | San Jose       | PST
209.89.46.153   |       | United States             | New Jersey           | Parsippany     | EST
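The list above is only useful once it is run against outbound-connection logs. The script below is an added example, not code from the original post: it indexes a subset of the C2 entries, scans constructed firewall-style log lines (assumed CSV of timestamp, source IP, destination IP, destination port; the format is an assumption, not tied to any product), and distinguishes an exact IP:port hit from a destination that is on the list but on a different port. Entries the post gives without a port are treated as matching any port.

```python
"""Match outbound-connection log lines against the Emotet C2 list above.

Added example, not part of the original post. The IOC subset is taken from
the table; the log lines and the CSV layout (timestamp,src_ip,dst_ip,dst_port)
are constructed for illustration.
"""
import csv
import io
import ipaddress

# Subset of the C2 table above. None as port means the post listed no port,
# so any destination port on that host counts as a hit.
EMOTET_C2 = {
    ("71.12.111.50", 443),
    ("47.16.187.196", 8090),
    ("75.134.186.41", 50000),
    ("222.214.218.192", 4143),
    ("50.244.180.57", 990),
    ("50.33.142.65", None),
    ("173.63.125.138", None),
}

# Constructed sample log lines: timestamp,src_ip,dst_ip,dst_port.
SAMPLE_LOG = """\
2018-08-27T09:14:02Z,10.0.5.23,71.12.111.50,443
2018-08-27T09:14:05Z,10.0.5.23,151.101.1.69,443
2018-08-27T09:15:11Z,10.0.7.8,47.16.187.196,8090
2018-08-27T09:16:40Z,10.0.7.8,173.63.125.138,8080
2018-08-27T09:17:03Z,10.0.9.4,75.134.186.41,8080
2018-08-27T09:18:30Z,10.0.9.4,not-an-ip,443
"""


def load_iocs(iocs):
    """Index IOCs by address so each log line costs one dict lookup."""
    by_ip = {}
    for ip, port in iocs:
        ipaddress.ip_address(ip)  # fail early on a typo in the IOC list
        by_ip.setdefault(ip, set()).add(port)
    return by_ip


def classify(dst_ip, dst_port, by_ip):
    """Return 'exact', 'ip-only' or None for one destination."""
    ports = by_ip.get(dst_ip)
    if ports is None:
        return None
    if None in ports or dst_port in ports:
        return "exact"
    # Listed host, unlisted port: weaker indicator, but still worth triage.
    return "ip-only"


def scan(log_text, iocs=EMOTET_C2):
    """Return (timestamp, src, dst, port, verdict) for every matching line.

    Malformed rows are skipped rather than aborting the scan, so one bad
    export row cannot hide later hits.
    """
    by_ip = load_iocs(iocs)
    hits = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue
        ts, src, dst, port = row
        try:
            ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue
        verdict = classify(dst, port, by_ip)
        if verdict:
            hits.append((ts, src, dst, port, verdict))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Run against the sample, this reports three exact hits and one ip-only hit (75.134.186.41 contacted on 8080 rather than the listed 50000); the malformed last row is dropped silently. Treat ip-only hits as leads to triage rather than confirmed C2 traffic.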
