Skip to main content

Ransomware Tracker

The C2i published in these lists are extracted from the malicious binaries. These executables are the final payloads served by the Emotet malware.
You can use this information to create block-lists. All C2i published here is active at the time of publishing but some of these C2s can go offline at any time after that. All information provided here is free to use.
C2i published on this site could cause some FPs as these IPs/URIs get recycled frequently, you agree to that before using any C2i from this site.

Lists are NOT deduped.  

May 2021

REvil 

hxxp://blossombeyond50.com
hxxp://aco-media.nl
hxxp://oemands.dk
hxxp://clos-galant.com
hxxp://gantungankunciakrilikbandung.com
hxxp://thaysa.com
hxxp://promesapuertorico.com
hxxp://mariposapropaneaz.com
hxxp://acomprarseguidores.com
hxxp://pubweb.carnet.hr
hxxp://team-montage.dk
hxxp://funjose.org.gt
hxxp://sahalstore.com
hxxp://fatfreezingmachines.com
hxxp://dubnew.com
hxxp://jolly-events.com
hxxp://wmiadmin.com
hxxp://fayrecreations.com
hxxp://promalaga.es
hxxp://schraven.de
hxxp://castillobalduz.es
hxxp://ftlc.es
hxxp://classycurtainsltd.co.uk
hxxp://simpkinsedwards.co.uk
hxxp://sporthamper.com
hxxp://transportesycementoshidalgo.es
hxxp://hokagestore.com
hxxp://devlaur.com
hxxp://sagadc.com
hxxp://greenko.pl
hxxp://skiltogprint.no
hxxp://geisterradler.de
hxxp://easytrans.com.au
hxxp://ra-staudte.de
hxxp://spargel-kochen.de
hxxp://herbstfeststaefa.ch
hxxp://rocketccw.com
hxxp://musictreehouse.net
hxxp://2ekeus.nl
hxxp://craigmccabe.fun
hxxp://tecnojobsnet.com
hxxp://qualitus.com
hxxp://schlafsack-test.net
hxxp://fitovitaforum.com
hxxp://kevinjodea.com
hxxp://buroludo.nl
hxxp://bouquet-de-roses.com
hxxp://humancondition.com
hxxp://rebeccarisher.com
hxxp://gonzalezfornes.es
hxxp://babcockchurch.org
hxxp://danholzmann.com
hxxp://dezatec.es
hxxp://modestmanagement.com
hxxp://bogdanpeptine.ro
hxxp://durganews.com
hxxp://chrissieperry.com
hxxp://appsformacpc.com
hxxp://abogados-en-alicante.es
hxxp://allure-cosmetics.at
hxxp://dpo-as-a-service.com
hxxp://lykkeliv.net
hxxp://dsl-ip.de
hxxp://sla-paris.com
hxxp://live-con-arte.de
hxxp://assurancesalextrespaille.fr
hxxp://mylolis.com
hxxp://paymybill.guru
hxxp://ecopro-kanto.com
hxxp://forskolorna.org
hxxp://marchand-sloboda.com
hxxp://syndikat-asphaltfieber.de
hxxp://jusibe.com
hxxp://psa-sec.de
hxxp://xoabigail.com
hxxp://bodyfulls.com
hxxp://handi-jack-llc.com
hxxp://solinegraphic.com
hxxp://ymca-cw.org.uk
hxxp://waynela.com
hxxp://kaminscy.com
hxxp://globedivers.wordpress.com
hxxp://danskretursystem.dk
hxxp://boulderwelt-muenchen-west.de
hxxp://ilive.lt
hxxp://kuntokeskusrok.fi
hxxp://foryourhealth.live
hxxp://noesis.tech
hxxp://lescomtesdemean.be
hxxp://rerekatu.com
hxxp://ivivo.es
hxxp://modamilyon.com
hxxp://c-a.co.in
hxxp://thedad.com
hxxp://work2live.de
hxxp://bafuncs.org
hxxp://aglend.com.au
hxxp://iqbalscientific.com
hxxp://tuuliautio.fi
hxxp://narcert.com

Comments

Popular posts from this blog

Grinju Downloader: Anti-analysis (on steroids) | Part 2

  This malware takes anti-analysis and stealth techniques to a new level We took a look at this malware in the Part 1 of this publication. Now let’s carry on with the analysis and dig deeper into the various anti-analysis and stealth-exec features of this malware in Part2. Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju Secondary Macro Code First of all, here’s the entire code that is dumped in the sheet once all the macro functions have been completed. Take a look at these lines and try to figure out what they are meant to do. Then we’ll take a look at the most important of these briefly before moving on to the next section. =CLOSE(FALSE) =FORMULA(LEN(APP.MAXIMIZE())+-459,Sheet1!R18690C129) =FORMULA(LEN(GET.WINDOW(7))+-131,Sheet1!R18691C129) =FORMULA(LEN(GET.WINDOW(20))+-893,Sheet1!R18692C129) =FORMULA(LEN(GET.WINDOW(23)=3)+433,Sheet1!R18693C129) =FORMULA(LEN(GET.WORKSPACE(31))+864,Sheet1!R18694C129) =FORMULA(LEN(GET.WORKSPACE(13)>770)+707,Sheet1!R18

Grinju Downloader: Anti-analysis (on steroids) | Part 1

  This malware takes anti-analysis and stealth techniques to a new level Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju I’ve come across some great anti-analysis code in malware over the years. This one takes the top spot. On that note, let’s get into it, this is a long one! Since this malware employs a very complex structure, I’ve decided to divide the analysis into different sections. I’ll try to keep it as simple as possible but having said that, it really is a very complicated project. Hence, publishing in parts. TLDR: This is a very well-thought and equally well-written malware. There’s no VBA that you can analyse. The values and formulas that are used are spread across the worksheets to thousands of rows. The functions, among other things, are used to close the file, corrupt it and also delete the dropped scripts to make analysis extremely hard. In fact, you cannot analyse this malware without altering the code it self. Along the way, you’ll also

Emotet February 2019 Wk 4 C2i

OTX Pulse:https://otx.alienvault.com/pulse/5c74e87bf481ce4d9544c4ef Indicator type Indicator IPv4 107.10.49.252 IPv4 12.235.180.10 IPv4 133.242.164.31 IPv4 138.201.140.110 IPv4 147.135.210.39 IPv4 153.121.36.202 IPv4 167.114.210.191 IPv4 172.98.243.40 IPv4 173.21.116.239 IPv4 173.255.196.209 IPv4 173.8.8.73 IPv4 178.62.37.188 IPv4 187.138.90.97 IPv4 187.153.90.98 IPv4 191.92.83.137 IPv4 197.245.16.149 IPv4 208.78.100.202 IPv4 208.82.45.8 IPv4 211.115.111.19 IPv4 217.13.106.160 IPv4 24.151.31.150 IPv4 24.153.169.62 IPv4 24.185.185.187 IPv4 45.123.3.54 IPv4 45.63.17.206 IPv4 5.230.147.179 IPv4 50.31.0.160 IPv4 62.75.187.192 IPv4 62.75.191.231 IPv4 64.19.74.49 IPv4 64.228.72.40