Emotet C2 IoCs Update for 06/21/19

Emotet Malware Document links/IOCs for 06/21/19 as of 06/21/19 15:00 EDT

Notes and credits are now at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.

Emotet Tier 1 C2 is still down on both botnets. I wanted to update these lists because I was missing 4 combos on E1 and 8 combos on E2. The correct totals are 126 for E1 and 100 for E2. Somehow I truncated the totals and missed these 12 IP/Port combos. @0xtadavie found this oversight and provided me with the following missing combinations. Fortunately, if you were just blocking on IPs, some of these were just additional ports on hosts that were already in the list, so an IP-only block already covered them.

Epoch 1 Missing C2s
104.236.185.25:8080
190.13.211.174:21
190.246.146.101:80
5.77.13.70:80

Epoch 2 Missing C2s
103.97.95.218:143
179.14.2.75:21
186.19.202.88:21
186.31.189.232:143
187.147.184.249:143
190.25.255.98:143
190.53.135.159:21
41.169.20.147:143

Here are the full lists for both epochs as they originally should have been:

C2 combo counts are MUCH higher than normal at 126 for E1 and 100 for E2. This leads me to believe that this outage was planned and that we are seeing some sort of maintenance on the C2 infrastructure play out. The C2 combos are:


Thanks to @0xtadavie for catching this oversight!

Now is the time to block these IP/Port combos while you can. Also, if you see any requests going out to these IP/Port combos, clean up on aisle whatever that computer is in, because it is infected!