Skip to main content

Emotet Payload C2 Network IOC August 2018 Week 3 Campaign

Article by Vishal Thakur

Here is a list of all the current C2 IPs that are being used in the latest Emotet Campaign.



Ip AddressPortCountryCityStatus
199.0.205.131443United StatesConcordiaValid
50.244.180.5780United StatesHialeahValid
68.117.154.23580United StatesBirminghamValid
172.114.12.18680United StatesBellflowerValid
71.222.28.6680United StatesLas VegasValid
70.31.145.080CanadaTorontoValid
72.46.213.22280United StatesSugar LandValid
212.129.56.17980FranceValid
199.119.78.1980United StatesDallasValid
149.62.173.24780SpainValid
67.53.103.20280United StatesTehachapiValid
70.182.9.9580United StatesLafayetteValid
38.29.209.7680United StatesSan CarlosValid
46.105.131.6980FranceRoubaixValid
95.141.175.24080United KingdomRichmondValid
70.124.45.15280United StatesEdinburgValid
142.255.116.21580United StatesNew YorkValid
71.244.60.23180United StatesPlanoValid
194.150.118.880BulgariaSofiaValid
68.132.248.9880United StatesSpringfield GardensValid
201.229.10.10980ArubaNoordValid
194.88.246.242443FranceValid
216.21.168.2780United StatesKansas CityValid
27.50.89.20980AustraliaDromanaValid
174.113.155.23780CanadaOttawaValid
46.105.131.8780FranceRoubaixValid
68.97.124.7480United StatesOklahoma CityValid
199.119.78.38443United StatesDallasValid
73.52.173.11750000United StatesKaysvilleValid
173.175.154.68443United StatesEl PasoValid
192.119.217.13480United StatesOttawaValid
174.106.101.5880United StatesFayettevilleValid
189.190.199.220MexicoPuebla CityValid
72.23.181.977080United StatesMeadvilleValid
189.194.251.11480MexicoTolucaValid
146.185.170.22280NetherlandsValid
157.7.164.2380JapanTokyoValid
118.244.214.210443ChinaValid
108.170.54.17180United StatesTempeValid
199.119.78.980United StatesDallasValid
222.214.218.1924143ChinaWanyuanValid
78.47.182.4280GermanyGunzenhausenValid
2.90.246.63443Saudi ArabiaRiyadhValid

SHA256: e1c94ec2b51a9998f3c804cd4c6d6a8e3408f6442f1060ca5d5f5db0c1a53dc3

Comments

Popular posts from this blog

Grinju Downloader: Anti-analysis (on steroids) | Part 2

  This malware takes anti-analysis and stealth techniques to a new level We took a look at this malware in the Part 1 of this publication. Now let’s carry on with the analysis and dig deeper into the various anti-analysis and stealth-exec features of this malware in Part2. Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju Secondary Macro Code First of all, here’s the entire code that is dumped in the sheet once all the macro functions have been completed. Take a look at these lines and try to figure out what they are meant to do. Then we’ll take a look at the most important of these briefly before moving on to the next section. =CLOSE(FALSE) =FORMULA(LEN(APP.MAXIMIZE())+-459,Sheet1!R18690C129) =FORMULA(LEN(GET.WINDOW(7))+-131,Sheet1!R18691C129) =FORMULA(LEN(GET.WINDOW(20))+-893,Sheet1!R18692C129) =FORMULA(LEN(GET.WINDOW(23)=3)+433,Sheet1!R18693C129) =FORMULA(LEN(GET.WORKSPACE(31))+864,Sheet1!R18694C129) =FORMULA(LEN(GET.WORKSPACE(13)>770)+...

Grinju Downloader: Anti-analysis (on steroids) | Part 1

  This malware takes anti-analysis and stealth techniques to a new level Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju I’ve come across some great anti-analysis code in malware over the years. This one takes the top spot. On that note, let’s get into it, this is a long one! Since this malware employs a very complex structure, I’ve decided to divide the analysis into different sections. I’ll try to keep it as simple as possible but having said that, it really is a very complicated project. Hence, publishing in parts. TLDR: This is a very well-thought and equally well-written malware. There’s no VBA that you can analyse. The values and formulas that are used are spread across the worksheets to thousands of rows. The functions, among other things, are used to close the file, corrupt it and also delete the dropped scripts to make analysis extremely hard. In fact, you cannot analyse this malware without altering the code it self. Along the way, you’ll a...

Trickbot — a concise treatise

Post-execution scope of impact and threatscape details of a sophisticated malware First Edition, April 2019 Vishal Thakur Introduction S ince its initial release, Trickbot has been an advanced, modular malware, built on complex, well-written code and backed by continuous improvement and on-going development. The modular structure of the code is the most important part of this malware. Other than giving it a clearly defined and segmented flow, it allows the authors to have the ability to add new modules with new purposes to the existing malware, which they have been doing regularly throughout the history of the malware. Trickbot is a beautiful piece of code, used for malicious purposes. Technical analysis of this malware has been published throughout its existence in the wild and there are some good, detailed publishings that are available on the internet that go into great technical details regarding the inner workings of the code and flow of Trickbot. Here’s one of my earl...