

Showing posts from December, 2018

Malienist C2i Feed now on OTX

The Malienist Emotet weekly feed is now available on the OTX platform by AlienVault. You can integrate it with your SIEM solution. Here's the link to the first pulse - Subscribe to the feed at OTX by joining the group EMOTET C2I

SMA: Sharpshooter Payload

Article by Vishal Thakur
This is a SMA of the payload used in the SharpShooter campaign. The sample shows code reuse from the Lazarus malware family, but full attribution is hard to determine at this time. The focus of this article is on the networking C2i. Following is the complete URI for the first connection:

    000007FEFA6ABA48 | 4C 8B DC | mov r11,rsp
    000007FEFA6ABA4B | 53       | push rbx
    000007FEFA6ABA4C | 55       | push rbp
    000007FEFA6ABA4D | 56       | push rsi
    000007FEFA6ABA4E | 57       | push rdi
    000007FEFA6ABA4F | 41 54    | push r12
    000007FEFA6ABA51 | 41 55    | push r13
    000007FEFA6ABA5

Emotet C2 Network IOC December 2018 Week 2 Campaign

Article by Vishal Thakur
OTX Feed:

    Ip Address | Country            | Region             | City          | Status
               | United Kingdom     |                    |               | Valid
               | Belgium            | Wallonia           | Ohey          | Valid
               | United Kingdom     | Glasgow City       | Glasgow       | Valid
               | United Kingdom     | Glasgow City       | Glasgow       | Valid
               | United Kingdom     | Glasgow City       | Glasgow       | Valid
               | Japan              |                    |               | Valid
               | United Kingdom     | London, City of    | London        | Valid
               | Germany            | Bayern             | Gunzenhausen  | Valid
               | Argentina          | Santa Fe           | Rosario       | Valid
               | United States      | California         | Santa Clara   | Valid
               | United States      | New Jersey         | Clifton       | Valid
               | Germany            |                    |               | Valid
               | Russia             | Kirov              | Lomovskaya    | Valid
               | Dominican Republic | Distrito Nacional  | Santa Domingo | Valid
               | Colombia           | Bogota D.C.        | Bogotá        | Valid
               | Colombia           | Antioquia          | Medellín      | Valid
               | Colombia           |                    |               | Valid
               | Swe