```
70.32.84.74
176.31.200.136
5.79.119.1
104.236.151.95
45.32.158.232
190.13.211.174
181.141.87.122
103.201.150.209
190.193.131.141
91.205.215.57
159.65.241.220
191.97.116.232
43.229.62.186
86.6.188.121
186.138.56.183
110.93.196.197
216.98.148.136
70.44.163.160
159.203.204.126
181.198.67.178
46.249.204.99
190.147.12.71
187.242.204.142
189.196.140.187
23.254.203.51
217.92.171.167
86.18.105.123
190.97.10.198
85.132.96.242
187.178.9.19
181.15.177.100
45.73.124.235
200.57.102.71
181.29.101.13
179.40.105.76
46.21.105.59
218.161.88.253
190.186.221.50
5.153.252.228
71.244.60.231
72.47.248.48
87.246.58.59
31.179.135.186
185.129.93.140
190.246.166.217
196.6.112.70
81.183.213.36
89.134.144.41
109.73.52.242
203.25.159.3
190.113.233.4
81.143.213.156
217.113.27.158
217.199.175.216
62.192.227.125
81.100.95.22
86.42.166.147
181.15.243.22
186.23.146.42
178.79.163.131
185.86.148.222
37.59.1.74
200.28.131.215
181.15.180.140
219.74.237.49
200.72.149.90
105.224.171.102
111.67.12.221
69.163.33.82
200.107.105.16
185.94.252.27
181.36.42.205
109.104.79.48
200.80.198.34
205.186.154.130
200.58.171.51
187.188.166.192
81.213.215.216
190.117.206.153
200.32.61.210
186.71.75.2
190.252.229.53
79.143.182.254
66.209.69.165
62.75.143.100
23.92.22.225
91.83.93.124
154.120.228.126
201.212.24.6
80.0.106.83
181.39.134.122
201.251.229.37
181.228.60.191
181.16.127.226
186.86.177.193
86.1.139.205
190.1.37.125
200.127.15.72```

### Major update: Emotet C2i Apr 2019

Emotet has updated the C2 comms in the latest release, going for URIs instead of IPs (root). Here’s a complete list of the current campaign: Emotet C2i: http://51.255.50.164:8080/window/child/ringin/ http://109.104.79.48:8080/cookies/tlb/ http://92.48.118.27:8080/rtm/pnp/ http://197.248.67.226:8080/enabled/forced/ http://181.170.93.38:8080/teapot/balloon/ http://69.163.33.82:8080/glitch/scripts/arizona/ http://192.155.90.90:7080/prov/odbc/arizona/ http://43.229.62.186:8080/teapot/ http://72.47.248.48:8080/sess/cone/ http://209.159.244.240:443/publish/vermont/tlb/ http://197.248.67.226:8080/codec/between/tlb/ http://176.58.93.123:8080/splash/ http://72.47.248.48:8080/sess/glitch/entries/ http://181.170.93.38:8080/schema/free/ http://69.163.33.82:8080/badge/symbols/results/ http://109.73.52.242:8080/results/prov/ http://68.191.37.107/iplk/vermont/sym/merge/ http://154.120.228.126:8080/xian/enabled/sym/merge/ http://136.49.87.106/usbccid/taskbar/enabled/ http://5.9.128.163:8080/json

### Grinju Downloader: Anti-analysis (on steroids) | Part 2

This malware takes anti-analysis and stealth techniques to a new level We took a look at this malware in the Part 1 of this publication. Now let’s carry on with the analysis and dig deeper into the various anti-analysis and stealth-exec features of this malware in Part2. Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju Secondary Macro Code First of all, here’s the entire code that is dumped in the sheet once all the macro functions have been completed. Take a look at these lines and try to figure out what they are meant to do. Then we’ll take a look at the most important of these briefly before moving on to the next section. =CLOSE(FALSE) =FORMULA(LEN(APP.MAXIMIZE())+-459,Sheet1!R18690C129) =FORMULA(LEN(GET.WINDOW(7))+-131,Sheet1!R18691C129) =FORMULA(LEN(GET.WINDOW(20))+-893,Sheet1!R18692C129) =FORMULA(LEN(GET.WINDOW(23)=3)+433,Sheet1!R18693C129) =FORMULA(LEN(GET.WORKSPACE(31))+864,Sheet1!R18694C129) =FORMULA(LEN(GET.WORKSPACE(13)>770)+707,Sheet1!R18

### Grinju Downloader: Anti-analysis (on steroids) | Part 1

This malware takes anti-analysis and stealth techniques to a new level Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju I’ve come across some great anti-analysis code in malware over the years. This one takes the top spot. On that note, let’s get into it, this is a long one! Since this malware employs a very complex structure, I’ve decided to divide the analysis into different sections. I’ll try to keep it as simple as possible but having said that, it really is a very complicated project. Hence, publishing in parts. TLDR: This is a very well-thought and equally well-written malware. There’s no VBA that you can analyse. The values and formulas that are used are spread across the worksheets to thousands of rows. The functions, among other things, are used to close the file, corrupt it and also delete the dropped scripts to make analysis extremely hard. In fact, you cannot analyse this malware without altering the code it self. Along the way, you’ll also