Daily Emotet IoCs and Notes for 12/30/19

Emotet Malware IOCs for 12/30/19 as of 12/30/19 13:30 EST

Notes and Credits at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.

SHA256s for Epoch 1 Loader EXEs

SHA256s for Epoch 2 Loader EXEs

SHA256s for Epoch 3 Loader EXEs

C2s Per Epoch

Epoch 1 C2s

Epoch 1 - Spam C2s

not active

Epoch 1 - Stealer C2s

51.159.23.217:443
75.127.72.18:8080
190.115.18.139:8080

Current Epoch 1 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOmlscqbEIhLjVsj9r3eYacKi6C+Qrua
j5TlU+pn3zc0k06qCoahFXBBGnYMotHQc6OwfBKwHWm831LIVg29kEjT8UYxnN5v
fzNGgqXTe25QARf78CsQqqN/ImKdXo+GFwIDAQAB

Epoch 2 C2s

Epoch 2 - Spam C2s

not active

Epoch 2 - Stealer C2s

168.235.67.138:8080
139.162.183.41:443
46.101.7.140:8080

Current Epoch 2 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKl4M80uy0jcxUiFIaJJyxgHVVnFtCq6
bi6f2xXPh/XUZNyN8UXDe5HzhTc4kwon9MBZffNwFOIc61QfV3K3YzEI/ktcyNqK
LS67ONxsVep769QdiVQJXrIaFjMXKz6viwIDAQAB

Epoch 3 C2s

Epoch 3 - Spam C2s

not active

Epoch 3 - Stealer C2s

198.46.150.196:7080
178.32.255.133:443
178.63.78.150:8080

Current Epoch 3 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMqZMACZDzcRXuSnj2OI8LeIYKrbUIXL
faUgIJPwYd305HnaBS2AfA0R+oPxT32r+3BbayI3KguqAn3E+rbwtLhqhOXOlTnY
7yvG4ufmwCCkRzc6Sq8baToxmd6y523AIQIDAQAB

Credits

Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:

Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161

C2 info/RSA Keys - @CapeSandbox, @unixronin, @devnullnoop, @MalwareTechBlog, @lazyactivist192, @papa_anniekey, @Paladin3161,
@executemalware, @luc4m, @SecSome

Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @p5yb34m, @malware_traffic, @Paladin3161, @ps66uk, 
@bomccss, @reecdeep, @CholeVallabh, @papa_anniekey, @JAMESWT_MHT, @executemalware, @SecSome, Anonymous :)

Spam Templates - @devnullnoop, @lazyactivist192, Anonymous :)

Special thanks to @lazyactivist192, @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/
infrastructure and helping out with this!

Very special thanks to @Binary_Defense, @lazyactivist192, @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project
https://github.com/decalage2/ViperMonkey, @digitalocean, @mploessel, @anyrun_app, @unixronin, @hurricanelabs, @MalwareTechBlog,
@KryptosLogic, @0xtadavie, @MsftSecIntel, @abuse_ch/urlhaus.abuse.ch, @urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal
for providing services/software at no charge to this cause!

Daily Log 12/30/19

This report was gathered by @ps66uk and @jroosen.

@JRoosen here - Ivan is still on break and not actively spamming at all. Talk out there is we won't see Ivan and the Emotet gang
back on distro until the week of 01/13/20. We are seeing loader C2 updates at a rate of about 2-4 per day on each botnet. Ivan
has clearly handed over the keys to Vasily, and they are using all the installs of Trickbot gtag morXX to drop tools to prep and
execute Ryuk ransomware deployments. We are of course seeing these happening out there. This is noted in the news below:

General News


Kevin Beaumont had some observations of interesting PowerShell activity (PsReflect/PowerView) on his EmoPot:
https://twitter.com/GossiTheDog/status/1211600216715137024
https://twitter.com/GossiTheDog/status/1211655228107431936

VK reminds us that the cybercrime calendar begins sometime after Jan 14th:
https://twitter.com/VK_Intel/status/1211661749579071489

@SethKingHi did some analysis on the loader yesterday and found an interesting resource name:
https://twitter.com/SethKingHi/status/1211510574464425985
(this has since changed)

@abuse_ch confirms that Emotet is using IPv4 for C2s only:
https://twitter.com/abuse_ch/status/1211200391372820480

@bry_campbell was one of many that tweeted about a potential Emotet link to the US Coast Guard MTSA Ransomware incident:
https://twitter.com/bry_campbell/status/1211052638747406341

Loader Report

The Payloads and C2 reports have been combined into this section, which is now known as the Loader Report.
_____________
Reminder:
EXE naming convention changed 2019/11/14. The new names are two words from the following list, concatenated:
texas,func,deploy,run,leel,stuck,def,print,hal,monthly,pdf,char,netsh,memo,trns,rds,maker,more,textto,
chunker,mailbox,compon,shades,scan,non,wsat,speed,publish,manual,hant,inbox,malert,zap,fill,angle,wrap,
boost,cors,iplk,sitka,wow,prints,acquire,wiz,smo,footer,attrib,group,appid,xcl,sensor,methods,ipmi,raw,
title,nic,ias,lua,dispid,special,serial,wsa,tcg,msp
______________
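As an added example (not part of the Cryptolaemus notes), a defender-side Python check that flags `.exe` names built from exactly two of the words listed above; the word list is copied from the reminder, and the sample file paths are constructed, not real telemetry. Because the list contains common short words, a hit is a triage lead, not proof on its own.

```python
import re

# Word list copied from the 2019/11/14 naming-convention reminder above.
NAME_WORDS = frozenset("""
texas,func,deploy,run,leel,stuck,def,print,hal,monthly,pdf,char,netsh,memo,trns,rds,maker,more,textto,
chunker,mailbox,compon,shades,scan,non,wsat,speed,publish,manual,hant,inbox,malert,zap,fill,angle,wrap,
boost,cors,iplk,sitka,wow,prints,acquire,wiz,smo,footer,attrib,group,appid,xcl,sensor,methods,ipmi,raw,
title,nic,ias,lua,dispid,special,serial,wsa,tcg,msp
""".replace("\n", "").split(","))


def split_convention_name(filename: str):
    """Return (word1, word2) if the .exe stem is exactly two list words
    concatenated, otherwise None. Accepts bare names or Windows/POSIX paths."""
    base = re.split(r"[\\/]", filename)[-1].lower()
    if not base.endswith(".exe"):
        return None
    stem = base[:-4]
    # Try every split point; both halves must be words from the list, so a
    # single word ("texas.exe") or three words ("texasfuncdef.exe") do not match.
    for i in range(1, len(stem)):
        if stem[:i] in NAME_WORDS and stem[i:] in NAME_WORDS:
            return stem[:i], stem[i:]
    return None


def flag_convention_hits(filenames):
    """Filter observed file names down to those matching the convention."""
    return [f for f in filenames if split_convention_name(f) is not None]


# Constructed sample of file-creation events (hypothetical paths, not real data).
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Local\texasfunc.exe",
    r"C:\Windows\System32\notepad.exe",
    r"C:\Users\bob\AppData\Local\printsmo.exe",
    r"C:\Users\bob\AppData\Local\texas.exe",         # one word only
    r"C:\Users\bob\AppData\Local\texasfuncdef.exe",  # three words
    "/tmp/deployrun.exe",
]

if __name__ == "__main__":
    for f in flag_convention_hits(SAMPLE_FILES):
        print(f, "->", split_convention_name(f))
```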

C2 Deltas:
E1 now 127 combos, was 127 for a net nil
E2 now 127 combos, was 127 for a net nil
E3 now 127 combos, was 127 for a net nil

Looks like Ivan hit the limit in the C2 count for the loader. 127 per botnet seems to be the standard now, but note
the amount (24+) of combo changes/churn per epoch. About 50% of these IPs are NEW. We have seen Ivan change C2 combos during
break periods at a rate of about once per week.

---
E1

Dropped:

Added:

---
E2

Dropped:

Added:

---
E3

Dropped:

Added:

Closing

Now is the time to block/alarm on the C2 IPs above to see if you can find Ivan's foothold in your network. Blocking them stops
any bots on your network from updating to deploy other malware like Trickbot. It will also stop spamming when they start back up.
We have been thinking they will come back on 2020/01/13, so get ready. In the meantime, stay safe and Happy New Year!

Sandbox 12/30/19


E1 
https://capesandbox.com/analysis/10183/

E2
https://capesandbox.com/analysis/10184/

E3
https://capesandbox.com/analysis/10185/