Skip to main content

Emotet Aug 2019 Wk 3 C2i



C2 IP/URI: 208.180.217.173C2 IP/URI: 181.31.182.138C2 IP/URI: 201.249.117.123C2 IP/URI: 190.219.231.69C2 IP/URI: 104.236.135.119C2 IP/URI: 162.243.125.212C2 IP/URI: 217.13.106.160C2 IP/URI: 5.230.147.179C2 IP/URI: 64.13.225.150C2 IP/URI: 190.16.121.202C2 IP/URI: 173.255.196.209C2 IP/URI: 85.104.59.244C2 IP/URI: 187.135.43.126C2 IP/URI: 138.201.140.110C2 IP/URI: 67.205.149.117C2 IP/URI: 63.77.201.245C2 IP/URI: 203.210.237.200C2 IP/URI: 211.63.71.72C2 IP/URI: 167.114.210.191C2 IP/URI: 69.198.17.7C2 IP/URI: 103.12.132.98C2 IP/URI: 190.161.186.116C2 IP/URI: 187.214.110.33C2 IP/URI: 70.57.82.196C2 IP/URI: 187.198.57.250C2 IP/URI: 201.220.152.101C2 IP/URI: 174.93.130.148C2 IP/URI: 189.154.84.161C2 IP/URI: 173.255.250.241C2 IP/URI: 133.242.156.30C2 IP/URI: 179.14.2.75C2 IP/URI: 201.138.11.223C2 IP/URI: 186.4.234.27C2 IP/URI: 200.126.225.56C2 IP/URI: 50.31.0.160C2 IP/URI: 208.78.100.202C2 IP/URI: 87.106.210.123C2 IP/URI: 104.247.248.129C2 IP/URI: 94.76.200.114C2 IP/URI: 95.128.43.213C2 IP/URI: 87.106.139.101C2 IP/URI: 91.92.191.134C2 IP/URI: 62.75.187.192C2 IP/URI: 189.190.153.12C2 IP/URI: 147.135.210.39C2 IP/URI: 175.100.138.82C2 IP/URI: 187.189.195.208C2 IP/URI: 201.110.165.146C2 IP/URI: 24.63.218.229C2 IP/URI: 78.186.5.109C2 IP/URI: 45.33.49.124C2 IP/URI: 177.242.214.30C2 IP/URI: 83.222.124.62C2 IP/URI: 190.141.245.221C2 IP/URI: 178.62.37.188C2 IP/URI: 181.39.51.243C2 IP/URI: 45.123.3.54

Comments

Popular posts from this blog

Major update: Emotet C2i Apr 2019

Emotet has updated the C2 comms in the latest release, going for URIs instead of IPs (root). Here’s a complete list of the current campaign: Emotet C2i: http://51.255.50.164:8080/window/child/ringin/ http://109.104.79.48:8080/cookies/tlb/ http://92.48.118.27:8080/rtm/pnp/ http://197.248.67.226:8080/enabled/forced/ http://181.170.93.38:8080/teapot/balloon/ http://69.163.33.82:8080/glitch/scripts/arizona/ http://192.155.90.90:7080/prov/odbc/arizona/ http://43.229.62.186:8080/teapot/ http://72.47.248.48:8080/sess/cone/ http://209.159.244.240:443/publish/vermont/tlb/ http://197.248.67.226:8080/codec/between/tlb/ http://176.58.93.123:8080/splash/ http://72.47.248.48:8080/sess/glitch/entries/ http://181.170.93.38:8080/schema/free/ http://69.163.33.82:8080/badge/symbols/results/ http://109.73.52.242:8080/results/prov/ http://68.191.37.107/iplk/vermont/sym/merge/ http://154.120.228.126:8080/xian/enabled/sym/merge/ http://136.49.87.106/usbccid/taskbar/enabled/ http://5.9.128.163:8080/json

Grinju Downloader: Anti-analysis (on steroids) | Part 2

  This malware takes anti-analysis and stealth techniques to a new level We took a look at this malware in the Part 1 of this publication. Now let’s carry on with the analysis and dig deeper into the various anti-analysis and stealth-exec features of this malware in Part2. Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju Secondary Macro Code First of all, here’s the entire code that is dumped in the sheet once all the macro functions have been completed. Take a look at these lines and try to figure out what they are meant to do. Then we’ll take a look at the most important of these briefly before moving on to the next section. =CLOSE(FALSE) =FORMULA(LEN(APP.MAXIMIZE())+-459,Sheet1!R18690C129) =FORMULA(LEN(GET.WINDOW(7))+-131,Sheet1!R18691C129) =FORMULA(LEN(GET.WINDOW(20))+-893,Sheet1!R18692C129) =FORMULA(LEN(GET.WINDOW(23)=3)+433,Sheet1!R18693C129) =FORMULA(LEN(GET.WORKSPACE(31))+864,Sheet1!R18694C129) =FORMULA(LEN(GET.WORKSPACE(13)>770)+707,Sheet1!R18

Grinju Downloader: Anti-analysis (on steroids) | Part 1

  This malware takes anti-analysis and stealth techniques to a new level Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju I’ve come across some great anti-analysis code in malware over the years. This one takes the top spot. On that note, let’s get into it, this is a long one! Since this malware employs a very complex structure, I’ve decided to divide the analysis into different sections. I’ll try to keep it as simple as possible but having said that, it really is a very complicated project. Hence, publishing in parts. TLDR: This is a very well-thought and equally well-written malware. There’s no VBA that you can analyse. The values and formulas that are used are spread across the worksheets to thousands of rows. The functions, among other things, are used to close the file, corrupt it and also delete the dropped scripts to make analysis extremely hard. In fact, you cannot analyse this malware without altering the code it self. Along the way, you’ll also