Skip to main content

Emotet Payload C2 Network IOC August 2018 Week 3 Campaign

Article by Vishal Thakur

Here is a list of all the current C2 IPs that are being used in the latest Emotet Campaign.



Ip AddressPortCountryCityStatus
199.0.205.131443United StatesConcordiaValid
50.244.180.5780United StatesHialeahValid
68.117.154.23580United StatesBirminghamValid
172.114.12.18680United StatesBellflowerValid
71.222.28.6680United StatesLas VegasValid
70.31.145.080CanadaTorontoValid
72.46.213.22280United StatesSugar LandValid
212.129.56.17980FranceValid
199.119.78.1980United StatesDallasValid
149.62.173.24780SpainValid
67.53.103.20280United StatesTehachapiValid
70.182.9.9580United StatesLafayetteValid
38.29.209.7680United StatesSan CarlosValid
46.105.131.6980FranceRoubaixValid
95.141.175.24080United KingdomRichmondValid
70.124.45.15280United StatesEdinburgValid
142.255.116.21580United StatesNew YorkValid
71.244.60.23180United StatesPlanoValid
194.150.118.880BulgariaSofiaValid
68.132.248.9880United StatesSpringfield GardensValid
201.229.10.10980ArubaNoordValid
194.88.246.242443FranceValid
216.21.168.2780United StatesKansas CityValid
27.50.89.20980AustraliaDromanaValid
174.113.155.23780CanadaOttawaValid
46.105.131.8780FranceRoubaixValid
68.97.124.7480United StatesOklahoma CityValid
199.119.78.38443United StatesDallasValid
73.52.173.11750000United StatesKaysvilleValid
173.175.154.68443United StatesEl PasoValid
192.119.217.13480United StatesOttawaValid
174.106.101.5880United StatesFayettevilleValid
189.190.199.220MexicoPuebla CityValid
72.23.181.977080United StatesMeadvilleValid
189.194.251.11480MexicoTolucaValid
146.185.170.22280NetherlandsValid
157.7.164.2380JapanTokyoValid
118.244.214.210443ChinaValid
108.170.54.17180United StatesTempeValid
199.119.78.980United StatesDallasValid
222.214.218.1924143ChinaWanyuanValid
78.47.182.4280GermanyGunzenhausenValid
2.90.246.63443Saudi ArabiaRiyadhValid

SHA256: e1c94ec2b51a9998f3c804cd4c6d6a8e3408f6442f1060ca5d5f5db0c1a53dc3

Comments

Popular posts from this blog

Major update: Emotet C2i Apr 2019

Emotet has updated the C2 comms in the latest release, going for URIs instead of IPs (root). Here’s a complete list of the current campaign: Emotet C2i: http://51.255.50.164:8080/window/child/ringin/ http://109.104.79.48:8080/cookies/tlb/ http://92.48.118.27:8080/rtm/pnp/ http://197.248.67.226:8080/enabled/forced/ http://181.170.93.38:8080/teapot/balloon/ http://69.163.33.82:8080/glitch/scripts/arizona/ http://192.155.90.90:7080/prov/odbc/arizona/ http://43.229.62.186:8080/teapot/ http://72.47.248.48:8080/sess/cone/ http://209.159.244.240:443/publish/vermont/tlb/ http://197.248.67.226:8080/codec/between/tlb/ http://176.58.93.123:8080/splash/ http://72.47.248.48:8080/sess/glitch/entries/ http://181.170.93.38:8080/schema/free/ http://69.163.33.82:8080/badge/symbols/results/ http://109.73.52.242:8080/results/prov/ http://68.191.37.107/iplk/vermont/sym/merge/ http://154.120.228.126:8080/xian/enabled/sym/merge/ http://136.49.87.106/usbccid/taskbar/enabled/ http://5.9.128.163:8080/json

Grinju Downloader: Anti-analysis (on steroids) | Part 2

  This malware takes anti-analysis and stealth techniques to a new level We took a look at this malware in the Part 1 of this publication. Now let’s carry on with the analysis and dig deeper into the various anti-analysis and stealth-exec features of this malware in Part2. Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju Secondary Macro Code First of all, here’s the entire code that is dumped in the sheet once all the macro functions have been completed. Take a look at these lines and try to figure out what they are meant to do. Then we’ll take a look at the most important of these briefly before moving on to the next section. =CLOSE(FALSE) =FORMULA(LEN(APP.MAXIMIZE())+-459,Sheet1!R18690C129) =FORMULA(LEN(GET.WINDOW(7))+-131,Sheet1!R18691C129) =FORMULA(LEN(GET.WINDOW(20))+-893,Sheet1!R18692C129) =FORMULA(LEN(GET.WINDOW(23)=3)+433,Sheet1!R18693C129) =FORMULA(LEN(GET.WORKSPACE(31))+864,Sheet1!R18694C129) =FORMULA(LEN(GET.WORKSPACE(13)>770)+707,Sheet1!R18

Grinju Downloader: Anti-analysis (on steroids) | Part 1

  This malware takes anti-analysis and stealth techniques to a new level Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju I’ve come across some great anti-analysis code in malware over the years. This one takes the top spot. On that note, let’s get into it, this is a long one! Since this malware employs a very complex structure, I’ve decided to divide the analysis into different sections. I’ll try to keep it as simple as possible but having said that, it really is a very complicated project. Hence, publishing in parts. TLDR: This is a very well-thought and equally well-written malware. There’s no VBA that you can analyse. The values and formulas that are used are spread across the worksheets to thousands of rows. The functions, among other things, are used to close the file, corrupt it and also delete the dropped scripts to make analysis extremely hard. In fact, you cannot analyse this malware without altering the code it self. Along the way, you’ll also