Skip to main content

Emotet July 2019 Wk 4 C2i



Emotet C2 July2019Wk4:

103.255.150.84
103.53.44.20
119.155.153.14
119.93.243.2
124.123.42.93
133.242.156.30
136.243.117.85
138.201.140.110
144.202.9.18
147.135.210.39
149.167.86.174
149.255.56.242
159.65.22.223
162.243.125.212
167.114.210.191
173.255.196.209
174.93.130.148
175.100.138.82
176.63.173.71
177.230.108.144
177.242.214.30
178.152.78.149
178.62.37.188
178.79.161.166
179.14.2.75
180.150.87.75
181.39.51.243
182.176.132.213
182.176.94.236
182.188.47.206
183.82.110.170
186.4.234.27
187.189.195.208
189.183.234.170
190.112.228.47
190.193.18.37
190.97.219.241
2.50.4.159
2.50.52.255
200.21.90.6
201.220.152.101
201.231.44.78
208.78.100.202
211.63.71.72
212.22.215.140
213.14.166.152
216.98.148.156
217.13.106.160
217.199.175.217
24.139.205.186
41.169.20.147
41.220.119.246
45.123.3.54
45.33.49.124
5.230.147.179
50.31.0.160
50.99.132.7
59.103.164.174
62.75.187.192
64.13.225.150
67.205.149.117
69.45.19.145
69.45.19.252
73.49.109.200
75.177.169.225
77.56.253.112
78.100.187.118
78.186.5.109
82.28.208.186
84.241.10.111
85.104.59.244
87.106.139.101
91.205.215.66
92.154.101.154
94.130.35.140
94.76.200.114
95.128.43.213

Comments

Popular posts from this blog

Major update: Emotet C2i Apr 2019

Emotet has updated the C2 comms in the latest release, going for URIs instead of IPs (root). Here’s a complete list of the current campaign: Emotet C2i: http://51.255.50.164:8080/window/child/ringin/ http://109.104.79.48:8080/cookies/tlb/ http://92.48.118.27:8080/rtm/pnp/ http://197.248.67.226:8080/enabled/forced/ http://181.170.93.38:8080/teapot/balloon/ http://69.163.33.82:8080/glitch/scripts/arizona/ http://192.155.90.90:7080/prov/odbc/arizona/ http://43.229.62.186:8080/teapot/ http://72.47.248.48:8080/sess/cone/ http://209.159.244.240:443/publish/vermont/tlb/ http://197.248.67.226:8080/codec/between/tlb/ http://176.58.93.123:8080/splash/ http://72.47.248.48:8080/sess/glitch/entries/ http://181.170.93.38:8080/schema/free/ http://69.163.33.82:8080/badge/symbols/results/ http://109.73.52.242:8080/results/prov/ http://68.191.37.107/iplk/vermont/sym/merge/ http://154.120.228.126:8080/xian/enabled/sym/merge/ http://136.49.87.106/usbccid/taskbar/enabled/ http://5.9.128.163:8080/json

Grinju Downloader: Anti-analysis (on steroids) | Part 2

  This malware takes anti-analysis and stealth techniques to a new level We took a look at this malware in the Part 1 of this publication. Now let’s carry on with the analysis and dig deeper into the various anti-analysis and stealth-exec features of this malware in Part2. Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju Secondary Macro Code First of all, here’s the entire code that is dumped in the sheet once all the macro functions have been completed. Take a look at these lines and try to figure out what they are meant to do. Then we’ll take a look at the most important of these briefly before moving on to the next section. =CLOSE(FALSE) =FORMULA(LEN(APP.MAXIMIZE())+-459,Sheet1!R18690C129) =FORMULA(LEN(GET.WINDOW(7))+-131,Sheet1!R18691C129) =FORMULA(LEN(GET.WINDOW(20))+-893,Sheet1!R18692C129) =FORMULA(LEN(GET.WINDOW(23)=3)+433,Sheet1!R18693C129) =FORMULA(LEN(GET.WORKSPACE(31))+864,Sheet1!R18694C129) =FORMULA(LEN(GET.WORKSPACE(13)>770)+707,Sheet1!R18

Grinju Downloader: Anti-analysis (on steroids) | Part 1

  This malware takes anti-analysis and stealth techniques to a new level Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju I’ve come across some great anti-analysis code in malware over the years. This one takes the top spot. On that note, let’s get into it, this is a long one! Since this malware employs a very complex structure, I’ve decided to divide the analysis into different sections. I’ll try to keep it as simple as possible but having said that, it really is a very complicated project. Hence, publishing in parts. TLDR: This is a very well-thought and equally well-written malware. There’s no VBA that you can analyse. The values and formulas that are used are spread across the worksheets to thousands of rows. The functions, among other things, are used to close the file, corrupt it and also delete the dropped scripts to make analysis extremely hard. In fact, you cannot analyse this malware without altering the code it self. Along the way, you’ll also