Daily Emotet IoCs and Notes for 01/09/20

Emotet Malware IOCs for 01/09/20 as of 01/09/20 19:15 EST

Notes and Credits at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.

SHA256s for Epoch 1 Loader EXEs

SHA256s for Epoch 2 Loader EXEs

44878a9a1577c626a3c7b8e62b621b036bff7b957f3005a5fbdf4553ed52a319
0850a829501e407a1b520f971db4c07b1c0840e7ff71abd1aa08c561eccb78eb
1c98d7e147a6fae77d9cb9966eedee404edf223f15aa1a52b4ed8f7b72255c2b
15eddcb65ce1d962ffa5e4a0faab7f679b0af16e922ede027debe93722ae360b
4f636eba8752b5a9c808781c38e1b82a15cf91a83748974e4a7aea8ff18aadbe
7d8ebe60227b6c2f27f64a65626d710ab2168a8ef6fec9d0d8f10ba44f4c4ad3
16a3156e255e1b374279cc16a5ca1a09429183ca6b5249dcf2b764ab807e8678
e1eb87d0a23d97dd42d0f3ced796f8936e55a4f918438aabadc218165d2fc03d
ea73cd1c2a5d2a5cfb41a6a5192e56a999e8d20ed7cb9752ce7ccb6abcc78b8b
7df246b78d7845c970bf3c1c1e70a618438f5dcbfba88f9af1f73fa35c425c01
b54d64ca12e3c36168921ec9509b0e31f048eb4c1faf58cc8978196e62bb01cd
5286092a71ee0dbb2a9c7cf2c287680f669baadc59e76e1a5a74bd3bf8531645
cd47457850c6326e64e66ed3f2eb935bee45bab0738599244903b727014e405e

SHA256s for Epoch 3 Loader EXEs

C2s Per Epoch

Epoch 1 C2s

76.31.115.125:80
181.30.61.163:80
181.30.61.163:443
103.31.232.93:80
94.177.183.28:8080
159.65.241.220:8080
45.79.95.107:443
181.231.220.232:80
189.19.81.181:443
181.36.42.205:443
5.196.35.138:7080
190.38.152.143:80
83.248.141.198:80
181.29.101.13:8080
138.68.106.4:7080
77.55.211.77:8080
212.71.237.140:8080
207.154.204.40:8080
68.187.160.28:443
190.191.82.216:80
190.151.5.130:443
188.216.24.204:80
80.11.158.65:8080
177.103.159.44:80
37.120.185.153:443
190.100.153.162:443
89.32.150.160:8080
46.101.212.195:8080
91.83.93.124:7080
178.79.163.131:8080
82.196.15.205:8080
72.29.55.174:80
190.219.149.236:80
79.7.158.208:80
97.120.32.227:80
94.200.126.42:80
50.28.51.143:8080
175.114.178.83:443
189.201.197.98:8080
187.188.166.192:8080
201.213.100.141:8080
62.15.36.103:443
200.82.170.231:80
200.123.183.137:443
185.86.148.222:8080
179.208.84.218:8080
110.142.161.90:443
2.42.173.240:80
187.54.225.76:80
203.25.159.3:8080
165.228.195.93:80
186.68.48.204:443
177.92.14.34:80
96.61.113.203:80
191.103.76.34:443
188.135.15.49:80
177.180.115.224:80
93.144.226.57:80
202.62.39.111:80
113.190.254.245:80
86.42.166.147:80
37.187.6.63:8080
186.15.52.123:80
200.58.83.179:80
177.34.142.163:80
190.210.184.138:995
91.74.175.46:80
177.242.21.126:80
190.186.164.23:80
14.201.35.38:80
81.213.78.151:443
45.8.136.201:80
191.183.21.190:80
91.117.159.233:80
118.36.70.245:80
188.218.104.226:80
69.163.33.84:8080
58.171.38.26:80
125.99.61.162:7080
91.205.215.57:7080
68.183.190.199:8080
212.253.82.142:443
2.47.112.72:80
14.160.93.230:80
189.26.118.194:80
114.109.179.60:80
109.169.86.13:8080
200.55.53.7:80
79.7.114.1:80
201.213.32.59:80
45.73.157.243:8080
186.15.83.52:8080
89.211.114.203:80
185.160.212.3:80
181.198.203.45:443
204.225.249.100:7080
144.139.56.105:80
139.162.118.88:8080
87.106.77.40:7080
58.162.218.151:80
120.150.247.164:80
63.248.198.8:80
151.237.36.220:80
119.59.124.163:8080
62.75.143.100:7080
216.251.83.79:80
59.120.5.154:80
104.131.58.132:8080
192.241.146.84:8080
185.94.252.12:80
190.195.129.227:8090
82.8.232.51:80
149.62.173.247:8080
190.210.236.139:80
68.183.170.114:8080
181.10.204.106:80
142.93.114.137:8080
203.130.0.69:80
2.45.112.134:80
46.28.111.142:7080
68.174.15.223:80
113.61.76.239:80
5.88.27.67:8080
62.75.160.178:8080
85.105.241.192:80
185.160.229.26:80
94.200.114.162:80

Epoch 1 - Spam C2s

not active

Epoch 1 - Stealer C2s

51.159.23.217:443
190.115.18.139:8080
162.144.119.110:8080

Current Epoch 1 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOmlscqbEIhLjVsj9r3eYacKi6C+Qrua
j5TlU+pn3zc0k06qCoahFXBBGnYMotHQc6OwfBKwHWm831LIVg29kEjT8UYxnN5v
fzNGgqXTe25QARf78CsQqqN/ImKdXo+GFwIDAQAB

Epoch 2 C2s

24.164.79.147:8080
190.117.126.169:80
221.165.123.72:80
37.187.72.193:8080
136.243.250.34:8080
104.131.44.150:8080
167.71.10.37:8080
50.116.86.205:8080
192.241.255.77:8080
98.174.166.205:80
60.231.217.199:8080
88.249.120.205:80
195.244.215.206:80
200.21.90.5:443
62.75.187.192:8080
189.203.177.41:443
110.36.217.66:8080
64.53.242.181:8080
108.191.2.72:80
190.55.181.54:443
206.81.10.215:8080
217.160.182.191:8080
206.189.112.148:8080
27.109.153.201:8090
91.73.197.90:80
73.217.39.73:80
189.179.108.157:80
59.103.164.174:80
46.105.131.69:443
87.230.19.21:8080
190.53.135.159:21
178.237.139.83:8080
47.153.183.211:80
190.220.19.82:443
209.141.54.221:8080
87.106.139.101:8080
110.143.84.202:80
45.33.49.124:443
47.180.91.213:80
104.236.246.93:8080
93.147.141.5:80
173.21.26.90:80
95.128.43.213:8080
62.138.26.28:8080
176.106.183.253:8080
139.130.242.43:80
181.143.126.170:80
31.31.77.83:443
24.105.202.216:443
120.151.135.224:80
104.131.11.150:8080
46.105.131.87:80
190.117.226.104:80
173.91.11.142:80
179.13.185.19:80
78.24.219.147:8080
2.237.76.249:80
120.150.246.241:80
66.34.201.20:7080
70.169.53.234:80
92.222.216.44:8080
5.154.58.24:80
188.0.135.237:80
59.8.197.241:80
201.184.105.242:443
103.86.49.11:8080
182.176.132.213:8090
70.46.247.81:80
149.202.153.252:8080
98.156.206.153:80
121.88.5.176:443
180.92.239.110:8080
47.6.15.79:80
200.116.145.225:443
47.6.15.79:443
159.65.25.128:8080
108.179.206.219:8080
5.196.74.210:8080
87.106.136.232:8080
209.146.22.34:443
186.86.247.171:443
31.172.240.91:8080
73.11.153.178:8080
37.157.194.134:443
183.102.238.69:465
190.189.224.117:443
201.173.217.124:443
85.67.10.190:80
91.205.215.66:443
183.101.175.193:80
190.12.119.180:443
76.164.99.46:80
79.159.249.152:80
5.32.55.214:80
209.97.168.52:8080
139.130.241.252:443
211.63.71.72:8080
24.94.237.248:80
37.139.21.175:8080
173.66.96.135:80
160.16.215.66:8080
110.142.38.16:80
58.171.42.66:8080
190.146.205.227:8080
169.239.182.217:8080
210.6.85.121:80
185.144.138.190:80
98.30.113.161:80
41.60.200.34:80
223.197.185.60:80
45.51.40.140:80
178.153.176.124:80
181.126.70.117:80
116.48.142.21:443
47.156.70.145:80

Epoch 2 - Spam C2s

not active

Epoch 2 - Stealer C2s

168.235.67.138:8080
139.162.183.41:443
46.101.7.140:8080

Current Epoch 2 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKl4M80uy0jcxUiFIaJJyxgHVVnFtCq6
bi6f2xXPh/XUZNyN8UXDe5HzhTc4kwon9MBZffNwFOIc61QfV3K3YzEI/ktcyNqK
LS67ONxsVep769QdiVQJXrIaFjMXKz6viwIDAQAB

Epoch 3 C2s

41.215.79.182:80
70.45.30.28:80
183.91.3.63:80
143.95.101.72:8080
91.205.173.150:8080
198.57.217.170:7080
192.163.221.191:7080
106.248.79.174:80
192.210.217.94:8080
42.51.192.231:8080
82.146.55.23:7080
158.69.167.246:8080
37.46.129.215:8080
124.150.175.133:80
66.229.161.86:443
41.77.74.214:443
91.117.131.122:80
114.179.127.48:80
82.79.244.92:80
91.117.31.181:80
95.216.212.157:8080
88.248.140.80:80
95.216.207.86:7080
75.86.6.174:80
193.33.38.208:443
182.176.116.139:995
1.221.254.82:80
201.137.247.222:443
198.199.112.197:8080
217.12.70.226:80
41.185.29.128:8080
37.59.24.25:8080
78.210.132.35:80
124.150.175.129:8080
203.124.57.50:80
110.2.118.164:80
157.7.164.178:8081
95.130.37.244:443
105.209.235.113:8080
37.210.208.141:80
187.72.47.161:443
183.82.123.60:443
176.58.93.123:80
23.253.207.142:8080
139.59.12.63:8080
160.119.153.20:80
122.116.104.238:7080
175.127.140.68:80
197.94.32.129:8080
190.17.94.108:443
185.192.75.240:443
212.129.14.27:8080
80.211.32.88:8080
110.142.161.90:80
82.165.15.188:8080
46.32.229.152:8080
210.224.65.117:80
182.187.137.199:8080
95.9.217.200:8080
78.186.102.195:80
69.30.205.162:7080
186.84.173.136:8080
211.42.204.154:80
50.116.78.109:8080
58.185.224.18:80
72.27.212.209:8080
50.63.13.135:8080
85.109.190.235:443
189.225.211.171:443
200.41.121.69:443
196.6.119.137:80
201.183.251.100:80
190.171.153.139:80
185.207.57.205:443
112.68.254.127:80
88.247.26.78:80
156.155.163.232:80
192.241.220.183:8080
94.203.236.122:80
89.215.225.15:80
180.33.6.136:443
138.197.140.163:8080
216.75.37.196:8080
181.53.29.136:8080
190.93.210.113:80
67.254.196.78:443
113.52.135.33:7080
179.5.118.12:8080
200.45.187.90:80
83.156.88.159:80
191.100.24.201:50000
210.171.146.118:80
210.111.160.220:80
188.251.213.180:443
177.144.130.105:443
46.17.6.116:8080
14.161.30.33:443
181.196.27.123:80
200.82.88.254:80
185.244.167.25:443
78.189.165.52:8080
112.186.195.176:80
125.209.114.180:443
91.83.93.103:443
190.201.144.85:7080
183.87.40.21:8080
181.167.35.84:80
91.73.169.210:80
37.70.131.107:80
190.5.162.204:80
162.144.46.90:8080
144.139.91.187:80
212.112.113.235:80
69.14.208.221:80
98.15.140.226:80
220.78.29.88:80
142.93.87.198:8080
195.201.56.70:8080
85.100.122.211:80
98.178.241.106:80
192.241.241.221:443
72.51.153.27:80
1.217.126.11:443
5.178.245.100:80
87.9.181.247:80
78.189.60.109:443
88.249.181.198:443

Epoch 3 - Spam C2s

not active

Epoch 3 - Stealer C2s

198.46.150.196:7080
178.32.255.133:443
178.63.78.150:8080

Current Epoch 3 RSA Public Key

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMqZMACZDzcRXuSnj2OI8LeIYKrbUIXL
faUgIJPwYd305HnaBS2AfA0R+oPxT32r+3BbayI3KguqAn3E+rbwtLhqhOXOlTnY
7yvG4ufmwCCkRzc6Sq8baToxmd6y523AIQIDAQAB

Credits

Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:

Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161

C2 info/RSA Keys - @CapeSandbox, @unixronin, @devnullnoop, @MalwareTechBlog, @lazyactivist192, @papa_anniekey, @Paladin3161,
@executemalware, @luc4m, @SecSome

Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @p5yb34m, @malware_traffic, @Paladin3161, @ps66uk, 
@bomccss, @reecdeep, @CholeVallabh, @papa_anniekey, @JAMESWT_MHT, @executemalware, @SecSome, Anonymous :)

Spam Templates - @devnullnoop, @lazyactivist192, Anonymous :)

Special thanks to @lazyactivist192, @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/
infrastructure and helping out with this!

Very special thanks to @Binary_Defense, @lazyactivist192, @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project
https://github.com/decalage2/ViperMonkey, @digitalocean, @mploessel, @anyrun_app, @unixronin, @hurricanelabs, @MalwareTechBlog,
@KryptosLogic, @0xtadavie, @MsftSecIntel, @abuse_ch/urlhaus.abuse.ch, @urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal
for providing services/software at no charge to this cause!

Daily Log 01/09/20

This report was gathered by @ps66uk and @jroosen.

@JRoosen here - Ivan is still on break and not actively spamming at all. However, it looks like Yuri the intern left us a gift of 
some C2 changes yesterday midday. I noticed them today and I am pushing this out for you all to get the latest data.

General News

Not too much going on out there in the news other than a lot of old recycled stories.

@pollo290987 posted a graphic concerning the flavors of Emotet out there and the attack chains for the ransomware they lead to:
https://twitter.com/pollo290987/status/1214596853771227137


@VK_Intel posted the new Sentinel Labs PowerTrick blog with H/T to @sysopfb and Joshua Platt:
https://twitter.com/VK_Intel/status/1215265399719243776
While this is not directly #Emotet related, this is important because of how closely Emotet and Trickbot have been related in
the past year or so. I would not be surprised to see gtag morxx dropping this PowerTrick fileless tool to then drop the Trickbot
Anchor Bot in an infection landscape.

Loader Report

The Payloads and C2 reports have been combined into this section, which is now known as the Loader Report.
_____________
Reminder:
EXE naming convention changed 2019/11/14. Each new name is made up of 2 words taken from the following list:
texas,func,deploy,run,leel,stuck,def,print,hal,monthly,pdf,char,netsh,memo,trns,rds,maker,more,textto,
chunker,mailbox,compon,shades,scan,non,wsat,speed,publish,manual,hant,inbox,malert,zap,fill,angle,wrap,
boost,cors,iplk,sitka,wow,prints,acquire,wiz,smo,footer,attrib,group,appid,xcl,sensor,methods,ipmi,raw,
title,nic,ias,lua,dispid,special,serial,wsa,tcg,msp
______________
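An added example (not part of the Cryptolaemus feed) that turns the word list above into a hunting regex for process- or file-creation telemetry. It assumes the two words are concatenated with no separator and the file keeps a .exe extension; the reminder does not say how the words are joined, so that is an assumption, and the sample image paths are constructed:

```python
import re

# Word list as published in the reminder above (Emotet EXE naming convention, 2019/11/14).
WORD_LIST = (
    "texas,func,deploy,run,leel,stuck,def,print,hal,monthly,pdf,char,netsh,memo,trns,rds,maker,more,textto,"
    "chunker,mailbox,compon,shades,scan,non,wsat,speed,publish,manual,hant,inbox,malert,zap,fill,angle,wrap,"
    "boost,cors,iplk,sitka,wow,prints,acquire,wiz,smo,footer,attrib,group,appid,xcl,sensor,methods,ipmi,raw,"
    "title,nic,ias,lua,dispid,special,serial,wsa,tcg,msp"
)
WORDS = WORD_LIST.split(",")

# Assumption (the page does not say how the two words are joined): they are concatenated
# with no separator and the file keeps a .exe extension, e.g. "deploymonthly.exe".
# Longest words go first in the alternation; the regex engine still backtracks, so
# "printscan.exe" resolves to print+scan instead of failing on prints+"can".
_ALT = "|".join(re.escape(w) for w in sorted(WORDS, key=len, reverse=True))
NAME_RE = re.compile(rf"^({_ALT})({_ALT})\.exe$", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def split_words(path: str):
    """Return (word1, word2) if the file name is exactly two list words plus .exe, else None."""
    m = NAME_RE.match(basename(path))
    if not m:
        return None
    return m.group(1).lower(), m.group(2).lower()


def matches_convention(path: str) -> bool:
    return split_words(path) is not None


# Constructed process-creation image paths for a dry run (not from the page).
SAMPLE_IMAGES = [
    r"C:\Users\alice\AppData\Local\Temp\deploymonthly.exe",
    r"C:\Windows\System32\netsh.exe",        # one list word only: a legitimate Windows binary
    r"C:\Users\bob\Downloads\printscan.exe",
    r"C:\Program Files\Vendor\setup.exe",
]


def find_hits(image_paths):
    """Return [(path, word1, word2)] for every path whose file name fits the convention."""
    hits = []
    for p in image_paths:
        pair = split_words(p)
        if pair:
            hits.append((p, pair[0], pair[1]))
    return hits


if __name__ == "__main__":
    for path, w1, w2 in find_hits(SAMPLE_IMAGES):
        print(f"{path}  ({w1} + {w2})")
```

Several list words are short and common (run, def, raw, non, more), so a two-word match is a hunting lead rather than a verdict; confirm a hit against the loader hashes and the C2 list in this report before acting on it.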

C2 Deltas:
E1 now 127 combos, was 119 for a net +8
E2 now 119 combos, was 108 for a net +11
E3 now 127 combos, was 124 for a net +3

About 50% new again and now going back up to the max of 127. Looks like maybe Ivan got some new C2s and had Yuri push them out to
keep the count near the max for all 3 botnets. We are also seeing updates to the loaders on C2 at a rate of 4 per day vs 1-2 when 
Ivan first went on break. Perhaps this is another clue they are getting ready to come back soon. This data was also pushed out to
Feodotracker @abuse.ch.

---
E1 

Dropped:
159.203.204.126:8080
217.199.160.224:8080
110.170.65.146:80
73.60.8.210:80
87.106.46.107:8080
190.17.44.48:80

Added:
76.31.115.125:80
181.30.61.163:80
181.30.61.163:443
103.31.232.93:80
94.177.183.28:8080
159.65.241.220:8080
181.29.101.13:8080
89.32.150.160:8080
186.15.52.123:80
81.213.78.151:443
89.211.114.203:80
204.225.249.100:7080
185.94.252.12:80
85.105.241.192:80

---
E2 

Dropped:
24.181.125.62:80
174.77.190.137:8080
190.162.159.212:80

Added:
24.164.79.147:8080
190.117.126.169:80
221.165.123.72:80
37.187.72.193:8080
98.174.166.205:80
110.36.217.66:8080
27.109.153.201:8090
46.105.131.69:443
37.139.21.175:8080
190.146.205.227:8080

---
E3 

Dropped:
86.108.77.73:443
168.235.82.183:8080
203.153.216.178:7080
186.177.174.163:80
51.77.113.97:8080
78.46.87.133:8080
51.38.134.203:8080
172.104.70.207:8080

Added:
41.215.79.182:80
70.45.30.28:80
183.91.3.63:80
143.95.101.72:8080
106.248.79.174:80
37.210.208.141:80
183.82.123.60:443
80.211.32.88:8080
50.63.13.135:8080
185.207.57.205:443
125.209.114.180:443

Closing

REMINDER:
Now is the time to block/alarm on these C2 IPs above to see if you can find Ivan's foothold in your network. Blocking them stops
any bots on your network from updating to deploy other malware like Trickbot. It also will stop spamming when they start back up.
We have been thinking they will come back later this month during the week of the 13th or 21st. So get ready. 
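One way to act on the reminder above and on the C2 Deltas in the Loader Report, as an added example that is not Cryptolaemus code: parse the feed's ip:port lines into a lookup table, diff today's list against a previous snapshot to get the same added/dropped view the report gives, and scan firewall logs for destinations on the list. The feed excerpt reuses a few C2 entries from this page; the "yesterday" snapshot and the key=value log lines are constructed, and the log format is an assumption about your own firewall, not something the page describes:

```python
import ipaddress
import re
from collections import defaultdict

# A few C2 entries copied from the Epoch lists above, in the feed's own "ip:port" layout.
# A real run would load the whole C2 section; headings and notes are skipped by parse_feed.
FEED_TODAY = """\
Epoch 1 C2s
76.31.115.125:80
181.30.61.163:80
181.30.61.163:443
Epoch 2 C2s
24.164.79.147:8080
Epoch 3 C2s
41.215.79.182:80
"""

# Constructed "yesterday" snapshot for the delta: one entry the report lists as dropped from E1.
FEED_YESTERDAY = """\
Epoch 1 C2s
159.203.204.126:8080
181.30.61.163:80
181.30.61.163:443
"""

C2_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*$")


def parse_feed(text):
    """Return {ip: {port, ...}} from the ip:port lines of a feed; everything else is ignored."""
    c2 = defaultdict(set)
    for line in text.splitlines():
        m = C2_LINE.match(line)
        if not m:
            continue
        ip, port = m.group(1), int(m.group(2))
        try:
            ipaddress.ip_address(ip)        # reject malformed octets such as 999.1.1.1
        except ValueError:
            continue
        c2[ip].add(port)
    return dict(c2)


def delta(old_text, new_text):
    """(added, dropped) sets of 'ip:port' strings, the same view the Loader Report gives."""
    def pairs(text):
        return {f"{ip}:{p}" for ip, ports in parse_feed(text).items() for p in ports}
    old, new = pairs(old_text), pairs(new_text)
    return new - old, old - new


# Constructed key=value firewall log lines (not from the page) to scan against the list.
SAMPLE_LOGS = [
    "2020-01-09T14:02:11Z src=10.1.4.22 dst=76.31.115.125 dport=80 action=allow",
    "2020-01-09T14:05:40Z src=10.1.4.22 dst=181.30.61.163 dport=443 action=allow",
    "2020-01-09T14:06:02Z src=10.1.7.9 dst=24.164.79.147 dport=443 action=allow",
    "2020-01-09T14:07:30Z src=10.1.7.9 dst=93.184.216.34 dport=443 action=allow",
]
KV = re.compile(r"(\w+)=(\S+)")


def match_logs(log_lines, c2):
    """Return [(src, dst, dport, confidence)] for lines whose destination is a listed C2.
    'high': ip and port both listed. 'low': ip listed but on another port; a listed host
    may carry other traffic too, so an ip-only hit is a lead to investigate, not a verdict.
    """
    hits = []
    for line in log_lines:
        f = dict(KV.findall(line))
        dst, dport = f.get("dst"), f.get("dport")
        if dst not in c2 or dport is None:
            continue
        conf = "high" if int(dport) in c2[dst] else "low"
        hits.append((f.get("src"), dst, int(dport), conf))
    return hits


if __name__ == "__main__":
    added, dropped = delta(FEED_YESTERDAY, FEED_TODAY)
    print(f"added {len(added)}, dropped {len(dropped)}")
    for src, dst, port, conf in match_logs(SAMPLE_LOGS, parse_feed(FEED_TODAY)):
        print(f"{conf:4} {src} -> {dst}:{port}")
```

Feed the full C2 section of each daily report to parse_feed and keep the previous day's copy: the delta tells you which entries to add to and retire from block lists, and the internal source addresses in high-confidence hits are the hosts to pull for triage.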


Sandbox 01/09/20

E1 
https://capesandbox.com/analysis/10483/

E2
https://capesandbox.com/analysis/10484/

E3
https://capesandbox.com/analysis/10485/