Emotet Malware Document links/IOCs for 06/10/19 as of 06/10/19 11:30 EDT
Notes and Credits now at the bottom Follow us on twitter @cryptolaemus1 for more updates.
Small Emotet Update - 06/10/2019 - 11:15 EDT:
It looks like C2 is down on Tier 1 across both botnets. We are seeing no response or 400/404/502 responses. This has been happening since 06/07/19 around 19:00UTC. The latest binaries for both botnets are: 8e5089260064a955819a92ebccc43d05520e32d234dd3c176bed5f6d0665ebdb for E1 f8f6faa7e578785f53796c395f4ca0b757d43b62d77cdb47f74f8573e8af37a3 for E2
C2 Combos are MUCH higher than normal at 122 for E1 and 92 for E2. This leads me to believe that this outage was planned and we are seeing some sort of maintenance on the C2 infrastructure play out. The C2s combos are:
Epoch 1 C2s
103.201.150.209:80
104.236.151.95:7080
105.224.171.102:80
109.104.79.48:8080
109.73.52.242:8080
111.67.12.221:8080
112.72.9.242:443
115.124.109.85:8443
117.218.133.244:80
125.99.61.162:7080
128.199.78.227:8080
134.196.209.126:443
138.219.214.164:443
138.68.106.4:7080
149.62.173.247:8080
159.203.204.126:8080
159.65.241.220:8080
162.217.250.243:7080
170.247.122.37:8080
176.250.213.131:80
176.31.200.136:8080
178.79.163.131:8080
179.40.105.76:80
181.134.105.191:80
181.15.180.140:80
181.15.243.22:80
181.16.127.226:443
181.171.118.19:80
181.198.67.178:20
181.231.72.200:80
181.28.144.64:80
181.28.248.205:80
181.39.134.122:80
181.48.174.242:80
183.82.97.25:80
185.129.93.140:80
185.86.148.222:8080
185.94.252.27:443
186.138.56.183:443
186.22.209.16:8080
186.23.146.42:80
186.23.18.211:443
186.83.133.253:8080
186.86.177.193:80
187.149.41.205:8080
187.178.9.19:20
187.188.166.192:80
187.242.204.142:80
189.180.84.115:8080
189.196.140.187:80
190.1.37.125:443
190.102.226.91:80
190.113.233.4:7080
190.117.206.153:443
190.147.12.71:443
190.186.221.50:80
190.189.112.116:80
190.189.204.100:80
190.19.42.131:80
190.193.131.141:443
190.230.60.129:80
190.246.166.217:80
190.36.88.98:8080
190.55.39.215:80
190.97.10.198:80
191.97.116.232:443
196.6.112.70:443
197.211.244.6:50000
200.107.105.16:465
200.123.101.90:80
200.28.131.215:443
200.32.61.210:8080
200.57.102.71:8443
200.58.171.51:80
200.58.83.179:80
200.80.198.34:80
201.212.24.6:443
201.219.183.243:443
201.251.229.37:80
201.252.229.169:8443
203.25.159.3:8080
205.186.154.130:80
213.120.104.180:50000
216.98.148.136:4143
217.113.27.158:443
217.92.171.167:53
219.74.237.49:443
23.254.203.51:8080
37.59.1.74:8080
43.229.62.186:8080
45.32.158.232:7080
45.55.82.2:8080
45.55.83.204:8080
45.73.124.235:8080
46.101.123.139:8080
46.21.105.59:8080
46.249.204.99:8080
46.29.183.211:8080
46.32.228.206:8080
5.153.252.228:8080
5.79.119.1:8080
61.92.159.208:8080
62.210.142.58:8080
62.75.143.100:7080
66.209.69.165:443
69.163.33.82:8080
70.32.84.74:8080
71.244.60.231:8080
77.122.183.203:8080
77.245.101.134:8080
79.143.182.254:8080
80.0.106.83:80
80.85.87.122:8080
81.140.12.131:8080
81.143.213.156:7080
81.183.213.36:80
85.132.96.242:80
86.42.166.147:80
89.134.144.41:8080
90.69.208.50:7080
91.205.215.57:7080
91.83.93.124:7080
Epoch 2 C2s
104.131.11.150:8080
104.131.208.175:8080
104.236.246.93:8080
104.236.99.225:8080
115.71.233.127:443
125.99.106.226:80
136.243.177.26:8080
138.201.140.110:8080
142.4.198.249:7080
142.93.88.16:443
144.139.247.220:80
147.135.210.39:8080
159.65.25.128:8080
162.144.119.216:8080
162.243.125.212:8080
167.114.210.191:8080
169.239.182.217:8080
173.212.203.26:8080
174.136.14.100:8080
175.100.138.82:22
177.242.214.30:80
177.246.193.139:20
178.62.37.188:443
178.79.161.166:443
179.14.2.75:80
179.32.19.219:22
181.189.213.231:465
186.144.64.31:53
186.4.167.166:80
186.4.234.27:443
187.163.180.243:22
187.163.222.244:465
187.189.195.208:8443
188.166.253.46:8080
189.209.217.49:80
190.112.228.47:443
190.145.67.134:8090
190.186.203.55:80
190.25.255.98:80
190.25.255.98:443
190.72.136.214:465
195.242.117.231:8080
198.58.114.91:4143
200.24.248.206:80
200.43.231.10:7080
200.85.46.122:80
201.199.89.223:8443
201.220.152.101:80
201.231.44.78:80
201.238.152.20:465
202.83.16.150:80
206.189.98.125:8080
211.63.71.72:8080
212.71.234.16:8080
216.98.148.156:8080
217.13.106.160:7080
222.214.218.136:4143
222.214.218.192:8080
24.139.205.186:8080
31.12.67.62:7080
31.172.240.91:8080
37.211.85.139:80
41.169.20.147:465
41.220.119.246:80
45.123.3.54:443
45.33.49.124:443
46.101.142.115:8080
46.105.131.87:80
47.41.213.2:22
50.31.0.160:8080
50.99.132.7:465
59.103.164.174:80
60.48.253.12:20
62.75.187.192:8080
64.13.225.150:8080
66.84.11.168:8080
69.45.19.145:8080
71.244.60.230:8080
75.127.14.170:8080
78.24.219.147:8080
81.109.227.123:80
85.104.59.244:20
86.98.61.221:443
87.106.136.232:8080
87.106.139.101:8080
87.230.19.21:8080
91.205.215.10:7080
91.205.215.66:8080
91.83.93.103:7080
92.154.101.154:50000
94.76.200.114:8080
95.128.43.213:8080
Obviously we are not seeing any spamming or any other activity during this time. Now is the time to block these IP/Port combos while you can. Also if you see any requests going out to these IP/Port combos, cleanup isle whatever that computer is in because it is infected!
We will see how long this break lasts and what new surprises they have up their sleeve.
#### Sandbox 06/10/19 ####
(all with fakenet and MITM unless spam/secondary infection)
Epoch 1 C2 run on 2019-06-10 at 13:45 UTC - https://app.any.run/tasks/7f48ce71-945d-418e-a0f9-6c5fc3613e46
Epoch 2 C2 run on 2019-06-10 at 14:45 UTC - https://app.any.run/tasks/cd7edc98-a3bb-4c3b-bea5-a8493e020476
```