Daily Emotet IoCs and Notes for 01/06/20

Emotet Malware IOCs for 01/06/20 as of 01/06/20 17:15 EST

Notes and Credits at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.

SHA256s for Epoch 1 Loader EXEs

SHA256s for Epoch 2 Loader EXEs

SHA256s for Epoch 3 Loader EXEs

C2s Per Epoch

Epoch 1 C2s


Epoch 1 - Spam C2s

not active

Epoch 1 - Stealer C2s

51.159.23.217:443
75.127.72.18:8080
190.115.18.139:8080

Current Epoch 1 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOmlscqbEIhLjVsj9r3eYacKi6C+Qrua
j5TlU+pn3zc0k06qCoahFXBBGnYMotHQc6OwfBKwHWm831LIVg29kEjT8UYxnN5v
fzNGgqXTe25QARf78CsQqqN/ImKdXo+GFwIDAQAB

Epoch 2 C2s


Epoch 2 - Spam C2s

not active

Epoch 2 - Stealer C2s

168.235.67.138:8080
139.162.183.41:443
46.101.7.140:8080

Current Epoch 2 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKl4M80uy0jcxUiFIaJJyxgHVVnFtCq6
bi6f2xXPh/XUZNyN8UXDe5HzhTc4kwon9MBZffNwFOIc61QfV3K3YzEI/ktcyNqK
LS67ONxsVep769QdiVQJXrIaFjMXKz6viwIDAQAB

Epoch 3 C2s


Epoch 3 - Spam C2s

not active

Epoch 3 - Stealer C2s

198.46.150.196:7080
178.32.255.133:443
178.63.78.150:8080

Current Epoch 3 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMqZMACZDzcRXuSnj2OI8LeIYKrbUIXL
faUgIJPwYd305HnaBS2AfA0R+oPxT32r+3BbayI3KguqAn3E+rbwtLhqhOXOlTnY
7yvG4ufmwCCkRzc6Sq8baToxmd6y523AIQIDAQAB

Credits

Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:

Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161

C2 info/RSA Keys - @CapeSandbox, @unixronin, @devnullnoop, @MalwareTechBlog, @lazyactivist192, @papa_anniekey, @Paladin3161,
@executemalware, @luc4m, @SecSome

Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @p5yb34m, @malware_traffic, @Paladin3161, @ps66uk, 
@bomccss, @reecdeep, @CholeVallabh, @papa_anniekey, @JAMESWT_MHT, @executemalware, @SecSome, Anonymous :)

Spam Templates - @devnullnoop, @lazyactivist192, Anonymous :)

Special thanks to @lazyactivist192, @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/
infrastructure and helping out with this!

Very special thanks to @Binary_Defense, @lazyactivist192, @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project
https://github.com/decalage2/ViperMonkey, @digitalocean, @mploessel, @anyrun_app, @unixronin, @hurricanelabs, @MalwareTechBlog,
@KryptosLogic, @0xtadavie, @MsftSecIntel, @abuse_ch/urlhaus.abuse.ch, @urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal
for providing services/software at no charge to this cause!

Daily Log 01/06/20

UPDATE: 1915 UTC: Looks like Ivan/Yuri (the intern) was not pleased with me posting this and changed all 3 botnets shortly after
I published the previous report. The 2nd change today is listed in the "Second Run after 1915UTC:" section below and all totals
are updated.

This report was gathered by @ps66uk and @jroosen.

@JRoosen here - Ivan is still on break and not actively spamming at all. Talk out there is we won't see Ivan and the Emotet gang
back on distro until the week of 01/13/20 or 01/21/20. We are seeing loader C2 updates at a rate of about 1-3 per day on each botnet.
Surprisingly, we are already seeing a decrease of C2 combos on each botnet. E2 had the steepest drop and now clocks in at 106.
Nothing else major to report at this time.

General News

@JayTHL sums up some Emotet metrics on how fast payloads are being accessed and by whom:
https://twitter.com/JayTHL/status/1214075722828001280

@GossiTheDog, @James_inthe_box, @malware_traffic, @VK_Intel and @Zackwhittaker all shared an interesting Trickbot loader that
may be being used while Emotet is not doing distro. gtag wecanxx:
https://twitter.com/zackwhittaker/status/1213226099762761728
https://twitter.com/GossiTheDog/status/1213239990425178112
https://twitter.com/VK_Intel/status/1213253987492864000
https://twitter.com/James_inthe_box/status/1213108964532994048

Catalin Cimpanu (@campuscodi) fixed the Emotet Wikipedia link to no longer call it a Banking Trojan. :)
https://twitter.com/campuscodi/status/1213192441815293953

Cofense did a Phish Fryday segment on Emotet:
https://twitter.com/Cofense/status/1213142051627438081

@pollo290987 did a summary of all the Emotet seen from September till December 20th:
https://twitter.com/pollo290987/status/1212936450515320832

Loader Report

The Payloads and C2 reports have been combined into this section, which is now known as the Loader Report.
_____________
Reminder:
EXE naming convention changed on 2019/11/14. The new names are two words drawn from the following list:
texas,func,deploy,run,leel,stuck,def,print,hal,monthly,pdf,char,netsh,memo,trns,rds,maker,more,textto,
chunker,mailbox,compon,shades,scan,non,wsat,speed,publish,manual,hant,inbox,malert,zap,fill,angle,wrap,
boost,cors,iplk,sitka,wow,prints,acquire,wiz,smo,footer,attrib,group,appid,xcl,sensor,methods,ipmi,raw,
title,nic,ias,lua,dispid,special,serial,wsa,tcg,msp
______________
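As an added example (not part of the Cryptolaemus report), a small Python checker for the naming convention above: it flags an .exe whose name is exactly two words from the list. Because several words are prefixes of others (print/prints, wsa/wsat), every split point must be tried; since the words are ordinary English, treat a hit as a low-confidence hunting lead to combine with C2 traffic, not a verdict.

```python
import re
from typing import Optional, Tuple

# Word list exactly as posted in the Loader Report reminder (convention from 2019/11/14).
EMOTET_NAME_WORDS = frozenset("""
texas func deploy run leel stuck def print hal monthly pdf char netsh memo trns rds maker more textto
chunker mailbox compon shades scan non wsat speed publish manual hant inbox malert zap fill angle wrap
boost cors iplk sitka wow prints acquire wiz smo footer attrib group appid xcl sensor methods ipmi raw
title nic ias lua dispid special serial wsa tcg msp
""".split())


def split_two_words(stem: str) -> Optional[Tuple[str, str]]:
    """Return (first, second) if `stem` is two list words concatenated, else None.

    Every split point is tried because a word may be a prefix of another one
    (e.g. "printsmo" splits as print+smo even though "prints" is also a word).
    The first valid split found (shortest first word) is returned.
    """
    s = stem.lower()
    for i in range(1, len(s)):
        head, tail = s[:i], s[i:]
        if head in EMOTET_NAME_WORDS and tail in EMOTET_NAME_WORDS:
            return head, tail
    return None


def is_emotet_style_name(filename: str) -> bool:
    """True for an .exe (any case) whose stem is two list words, e.g. 'texasfunc.exe'."""
    m = re.fullmatch(r"([A-Za-z]+)\.exe", filename, flags=re.IGNORECASE)
    if not m:
        return False
    return split_two_words(m.group(1)) is not None


def flag_names(filenames) -> list:
    """Filter a batch of file names (e.g. from process-creation telemetry) down to the hits."""
    return [name for name in filenames if is_emotet_style_name(name)]


if __name__ == "__main__":
    # Constructed sample names, not taken from any real sandbox run.
    sample = ["TexasFunc.exe", "printsmo.exe", "notepad.exe", "run.exe", "texasfunc.dll"]
    print(flag_names(sample))  # ['TexasFunc.exe', 'printsmo.exe']
```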

C2 Deltas:
E1 now 119 combos, was 127 for a net -8
E2 now 108 combos, was 127 for a net -19
E3 now 124 combos, was 127 for a net -3

Most of the E1 additions are brand new and not seen before. The other 2 botnets were about 50% new again. This is the first time in
a while that Ivan has cut the number of C2s, which suggests we have hit the peak of the period they wanted coverage for. This
is likely further evidence that we will be seeing them back before the month is out.

---
E1

Dropped:

Second Run after 1915UTC:

Added:

Second Run after 1915UTC:
45.73.157.243:8080
190.195.129.227:8090
177.92.14.34:80
201.213.100.141:8080
190.191.82.216:80

---
E2

Dropped:

Second Run after 1915UTC:
165.227.156.155:443
167.99.105.223:7080
186.4.172.5:8080

Added:

Second Run after 1915UTC:
47.180.91.213:80
181.143.126.170:80
186.86.247.171:443
223.197.185.60:80
189.179.108.157:80

---
E3

Dropped:

Second Run after 1915UTC:
190.38.252.45:443
154.120.227.190:443
187.250.92.82:80
177.103.240.93:80

Added:

Second Run after 1915UTC:
196.6.119.137:80
86.108.77.73:443
91.73.169.210:80
112.68.254.127:80
156.155.163.232:80

Closing

REMINDER:
Now is the time to block or alert on the C2 IPs above to see if you can find Ivan's foothold in your network. Blocking them stops
any bots on your network from updating to deploy other malware like Trickbot, and it will also stop the spamming when they start back up.
We have been thinking they will come back later this month, during the week of the 13th or 21st, so get ready.
In the meantime, stay safe and Happy New Year!

Sandbox 01/06/20

E1 
https://capesandbox.com/analysis/10356/
https://capesandbox.com/analysis/10386/

E2
https://capesandbox.com/analysis/10357/
https://capesandbox.com/analysis/10388/

E3
https://capesandbox.com/analysis/10358/
https://capesandbox.com/analysis/10389/