Daily Emotet IoCs and Notes for 11/05/18

Emotet Malware Document links/IOCs for 11/05/18 as of 11/05/18 23:59 EST

Notes and Credits are now at the bottom. Follow me on Twitter @jroosen for more updates.


So far, attachment only.


http://1stniag.com/Download/EN_en/Invoice-Number-44664/
http://777ton.ru/DOC/US_us/Scan/
http://agrarszakkepzes.hu/5931ZTIGS/com/US/
http://altaredlife.com/logssite/INFO/US_us/Question/
http://altarfx.com/Nov2018/En/Invoice-for-p/e-11/05/2018/
http://armator.info/tjweather/04224FCYKUT/biz/Commercial/
http://artzkaypharmacy.com.au/4690UVTTQOXO/SWIFT/Commercial/
http://b2streeteats.com/LLC/En/Service-Report-73478/
http://balispadallas.com/sites/US_us/Outstanding-Invoices/
http://bemnyc.com/Nov2018/US/Past-Due-Invoices/
http://blogforprofits.com/files/En_us/Paid-Invoices/
http://borggini.com/11XW/SEP/Smallbusiness/
http://brasileirinhabeauty.com.br/Document/En_us/Invoice-for-s/o-11/05/2018/
http://brazilianbuttaugmentation.net/11997OLJVY/BIZ/Business/
http://carbonbyte.com/xerox/EN_en/Invoice-Corrections-for-37/59/
http://carminewarren.com/newsletter/US_us/Invoice-Corrections-for-15/54/
http://casino338a.city/newsletter/En/Invoice-5505302-November/
http://cdn5.rvshare.com/1541440212.491c5b0b32d56a2330520a9a91463722.doc/
http://chefshots.com/57953PMYDYHBV/SWIFT/Commercial/
http://chstarkeco.com/Document/EN_en/1-Past-Due-Invoices/
http://chungelliott.com/wp-admin/Nov2018/US/Question/
http://cidadeempreendedora.org.br/wp-content/upgrade/65208YCNN/PAY/Smallbusiness/
http://craniofacialhealth.com/newsletter/US/Past-Due-Invoices/
http://crowdgusher.com/Document/US_us/Overdue-payment/
http://djlilmic.com/84025BMQKXYDV/BIZ/Personal/
http://duwon.net/wpp-app/4815587SLERFGAN/identity/US/
http://emilyxu.com/847XLUFEIHG/BIZ/Personal/
http://fenlabenergy.com/FILE/En_us/Outstanding-Invoices/
http://foccusmedical.com.br/INFO/US/Invoices-Overdue/
http://gaardhaverne.dk/371880QWYFSQ/PAYMENT/Business/
http://griff.art.br/default/US_us/Invoice/
http://gueben.es/INFO/EN_en/Document-needed/
http://ingridkaslik.com/0597864MMOLPXNP/identity/Business/
http://investicon.in/wp-content/plugins/workfence/649494OUWHGA/oamo/Personal/
http://jacquesrougeau.ca/old/LLC/US_us/Invoices-attached/
http://johnscevolaseo.com/doc/EN_en/Open-Past-Due-Orders/
http://juegosaleo.com/newsletter/US/Invoice-Corrections-for-81/79/
http://marcocciaviaggi.it/sites/EN_en/Sales-Invoice/
http://mesaqore.com/doc/US_us/Service-Invoice/
http://mironovka-school.ru/977878WBVWYKBV/BIZ/Smallbusiness/
http://never3putt.com/Nov2018/US/Past-Due-Invoices/
http://notehashtom.ir/wp-admin/598GLELB/SWIFT/Smallbusiness/
http://nuomed.com/Nov2018/En_us/Service-Report-3672/
http://nutrilatina.com.br/files/En_us/Sales-Invoice/
http://peconashville.com/INFO/En_us/Service-Report-20333/
http://pereira.photo/newsletter/EN_en/Invoice-receipt/
http://pornbeam.com/eVsCvwP/4AY/8QVYJ/PAYROLL/Business/
http://touchandlearn.pt/wp-content/uploads/81944UBMHWQIH/PAY/Business/
http://tvaradze.com/doc/US_us/Invoices-Overdue/
http://womendrivers.be/scan/US_us/Open-Past-Due-Orders/
http://www.aes.co.th/web/wp-content/upgrade/newsletter/US/Inv-867015-PO-5O966375/
http://www.cabdjw.gov.cn/wp-includes/2021ACJTULJK/SWIFT/US/
http://www.conceptsacademy.co.in/wp-content/uploads/2018/files/US/024-13-180753-957-024-13-180753-943/
http://www.greenamazontoursperu.com/LLC/EN_en/Open-Past-Due-Orders/
http://www.imankeyvani.ir/INFO/US_us/Open-invoices/
http://www.martabadias.com/8481483FGDDG/PAYROLL/Commercial/
http://www.milaszewski.pl/sites/US_us/Invoices-attached/
http://www.retailtechexpo.cn/en/wp-content/wp-rocket-config/scan/US_us/Scan/
http://www.swiftsgroup.com/default/En/Outstanding-Invoices/
http://www.test.vic-pro.com/newsletter/EN_en/Outstanding-Invoices/
http://www.torneighistorics.cat/INFO/EN_en/Invoice-Number-85412/
http://www.ultigamer.com/wp-admin/includes/INFO/US/Important-Please-Read/
http://www.willbcn.com/sites/US_us/Invoice/
http://www.zcnet.com/0872684IQBTLZW/ACH/Personal/
https://celgene.zendesk.com/attachments/token/jsBvNcgFVs4ELgPF4okoU1R3T/


Epoch 1 Payloads by Document SHA256 - All Times UTC


Creation Time	2018-11-05 22:29:00
SHA256:
ad3781adce18959a883e43e6d3d03a264388f9c8bf99df96cda11131a63371f9

http://keywestartistmarket.com/OaM1uBg
http://cadenas.com.br/30A6rlp
http://krmar.ru/9qiWCR4b
http://shababazm.com/v675zUP
http://andrzejsmiech.com/UZpCXUkk

SHA256s for Epoch 1 Payload EXEs seen on 11/05/18

3f9d6c29995dbc28b91e0d30b63cfb7f7cf42d050949355b0b62293b76327568
185094ab98a1c77837a6c3b0bf48c4a1d25698e5844b308d4704b5d3f40db681
865c74a009e713098d335e4138a09a545ec2ef26001ddacf64c9cb9ec597fe3f
d3611b52f3662288d438bca5d9fe7ad394f954a33d155915645d7526caf91e68
56463dac265e82a6178a8924d5be794495b295a25efd1976daae35eff61829ac
fd91f0d55d932a2d14451967e225765c21037a91b5e64fe4915c87fd87561bf9

Epoch 2 Payloads by Document SHA256 - All Times UTC


Creation Time	2018-11-05 17:18:00 
SHA256:
http://tlextreme.com/orsOyz
http://vanherreweghen.be/I
http://www.camenisch-software.ch/ynlTz
http://sh2017.chancemkt.com/Vg07
http://www.tzen2.com/wp-content/8xR

Creation Time	2018-11-05 10:02:00
SHA256:
http://artsntek.com/YtQno
http://bahiacreativa.com/9SYOE9k
http://cipherme.pl/data/cw
http://charliefox.com.br/41Cj
http://casellamoving.com/t1g


SHA256s for Epoch 2 Payload EXEs seen on 11/05/18

10a02d3fea79599ab6fa9a8518045cc41b5fb50c57c01f69242b8bdb4b79d8c8
Trickbot 59b603b211b6a4a76f7b025f6bfd414819a9639df45f9d3e70dd4ece1ba7c6b6
049f732f2da2289408b937bb46c365028fed6f9ee74a373cc92e4dca2f18dcf2
e9aab3899d0279062b117e543ca3397394541e68bf124730fc43c2e3409a0047
c1790994f32aa1c104bbca7ff17b6b8710acb03030ee1e4351547603e9fd88e7
06af2e77bacf94f4328ce864aa162346e685730aa10919b7a93b76abbc0e7119
f05ca029a47e30740c5ea4fa8d8e28bbe18c15fa3a82551f952493e78a72d59b
0448a0701036b154e48b34cc49d9cbe28985a02730cebd7d1a04f0b142bbe144
906e954a652300362198d3b7be578487eac04f14be1c562bf75b1b1c01436c32
b85fb8892c9a1778f470d70689c8f1e60082504df0d2dd06a11d85efba738729
09f69cb18f86d6bcb718a6cb9b7fa0e2ac4bbe4f38f8dc6a01476e9681825a9a

Epoch 1 C2s

(Port is 80 unless noted)

128.193.56.169:443
133.242.208.183:8080
139.59.242.76:8080
148.103.7.242:7080
159.65.76.245:443
165.227.213.173:8080
186.10.17.186:443
186.20.217.236
190.124.166.113:8080
190.17.44.48
190.90.100.228:8080
192.155.90.90:7080
198.199.185.25:443
200.21.90.6:8080
201.111.74.224:7080
210.2.86.72:8080
210.2.86.94:8080
213.48.239.192
217.35.82.190:7080
23.254.203.51:8080
24.117.165.162:50000
24.37.218.86
37.120.175.15
45.73.110.62:8080
47.225.131.10
47.34.43.223
49.212.135.76:443
5.9.128.163:8080
69.198.17.20:8080
76.65.166.252:7080
81.20.87.205:443
81.214.108.10:443
90.75.137.228:50000


Spam/Stealer C2s

24.161.14.157:443
174.71.204.179:8080
24.28.182.224:443
186.68.80.34:443
212.48.68.58:8080
87.106.243.118:8080
70.82.209.53:8080
186.85.127.59
211.228.237.11:443

Epoch 2 C2s


(Port is 80 unless noted)
 
104.205.121.6:8090
115.71.233.127:443
136.56.103.201
139.162.151.141:8080
149.167.86.174:990
153.122.38.158:443
160.2.24.88:990
174.55.139.78
189.190.61.232
190.92.37.171:7080
200.194.26.234:443
211.115.111.19:443
217.13.106.160:7080
217.174.206.181:443
222.214.218.192:4143
24.59.228.182
27.96.91.225:8443
37.211.34.12:8080
45.123.3.54:443
46.163.76.187:8080
47.32.248.75:8080
5.230.147.179:8080
67.205.149.117:443
69.198.17.7:8080
69.55.255.159
70.50.196.234:8080
71.167.178.19
72.255.128.229:7080
73.31.237.56:443
78.47.182.42:8080
79.69.254.176:7080
81.7.10.106:7080
83.222.124.62:8080
84.200.106.120:8080
95.141.175.240:443
96.67.83.134
98.102.182.2:8443
98.142.208.27:443
 

Epoch 2 - Spam/Stealer C2s

50.100.215.149:50000
70.62.224.226
202.175.188.154:8443

Credits and Notes Section

Updated 7/13/18
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture: https://pastebin.com/u/jroosen
 
NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list. I am providing them for your benefit in case you want to parse them to be sure.
 
UPDATED (08/31/18): Epoch 1 is back! For several days in a row it has been on the scene!

What is Epoch 1 and Epoch 2?
Epoch 1 and 2 are two distinct chains of payloads that I have been tracking for a couple of weeks now. Epoch 2 is currently the larger group of hosts, and I think it is the main push of Emotet. Epoch 2 WAS a smaller, more rapidly changing version of Emotet that tended to change the hash of the document every 45-60 minutes and sometimes had new payloads that fast as well. Epoch 1 now seems to change payloads every 3-6 hours, and hashes sometimes change as fast as every hour. Epoch 1 may now be the development chain, but I am not 100% sure what they are up to. Checking either epoch's hosts at a point in time will deliver a document whose payloads differ from the other epoch's. That means Epoch 1 may have payloads a, b, c, d, e while Epoch 2 has z, y, x, w, v. Sites sometimes move from one epoch to the other, but I have never seen the exact same directory go from one epoch to the other. As far as I have seen, it is always a new directory for the change in epoch.

Community Lists


https://pastebin.com/GXaSAMJ6 - @James_inthe_box
https://pastebin.com/h61QUzSv - @ps66uk
https://pastebin.com/Zbrny8VL - @pollo290987

Credits

(OC and combination work)
Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch
C2 info - @unixronin, @MalwareTechBlog
Payloads - @James_inthe_box, @MalwareTechBlog

Special thanks to @2sec4u, @unixronin, @pollo290987/@ps66uk for creating scripts/servers/infrastructure and helping out with all of this!

Very special thanks to @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch and @Virustotal!

Daily Log


After a long hiatus it is back. E1 has shut down and E2 is going pretty strong. I will put up some templates of the emails later.

16:00 - seems like E1 may be waking up? Been able to find over ~60 URLs of E2 stuff so far.

18:30 - Confirmed, E1 is now sending attachment malspam and @ps66uk found the first sample.

23:00 - Ran the latest C2s for both botnets and listed them above replacing the old ones.

23:59 - added C2 runs at the end from @anyrun_app. Added @pollo290987's list.

Sandbox 11/05/18

(all with fakenet and MITM unless spam/secondary infection)


Epoch 1 C2 Run as of 23:12 https://app.any.run/tasks/04ec5fd9-61cb-4457-a8ec-4d6043f89ff3

Epoch 2 C2 Run as of 23:05 https://app.any.run/tasks/3f21db2f-8461-49a1-a60f-71f9d46c8d84
