forked from PaloAltoNetworks/Unit42-timely-threat-intel
-
Notifications
You must be signed in to change notification settings - Fork 0
/
2020-08-25-IOCs-for-Emotet-with-Trickbot.txt
86 lines (65 loc) · 4.75 KB
/
2020-08-25-IOCs-for-Emotet-with-Trickbot.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
2020-08-25 (TUESDAY) - EMOTET EPOCH 3 INFECTION WITH TRICKBOT GTAG MOR114
REFERENCE:
- https://twitter.com/Unit42_Intel/status/1298711111538077696
CHAIN OF EVENTS:
- link from malspam --> Word doc --> enable macros --> Emotet infection --> Trickbot as follow-up malware
ASSOCIATED MALWARE:
- SHA256 hash: 9206615c27a64e4617f1e3ec11b5584e0510df8b5744581f9e9c5d0136b1e43f
- File size: 227,204 bytes
- File location: hxxp://grzegorzkucharski[.]com/cli/92278618/fs8rc5s-001552/
- File name: invoice.doc
- File description: Word doc from malspam with macro for Emotet (epoch 3 botnet)
- File note: Random, invoice-themed names are used for this malicious Word document
- SHA256 hash: ab738270198457f6e7d98c31337280933b09dd563ea6b9bfb73716903a0a7f23
- File size: 151,552 bytes
- File location: hxxp://king61tours[.]com/pdf/lwuqKsRgijhXw/
- File location: C:\Users\[username]\AppData\Local\Temp\wORd\2019\U4cjf5lx.exe
- File description: Initial Emotet EXE retreived by Word macro (epoch 3 botnet)
- SHA256 hash: 482f758d1a5ee81bf89cf7b582d80117520427064ce505246cca7733b4bbde67
- File size: 151,552 bytes
- File location: C:\Users\[username]\AppData\Local\KBDSMSNO\spwizeng.exe
- File description: Emotet persistent on the infected Windows host
- SHA256 hash: 537cae9dc56e79decd19c95f3558a5f204bb70fe6fa16ac7ef840991803508ac
- File size: 458,752 bytes
- File location: C:\Users\[username]\AppData\Local\KBDSMSNO\mtxoci73a.exe
- File location: C:\Users\[username]\AppData\Roaming\FWinTools\mtxoci73a.exe
- File description: Trickbot gtag mor114 retrieved by the Emotet-infected host
INFECTION TRAFFIC:
LINK FROM MALSPAM THAT RETURNED WORD DOC:
- 185.135.91[.]124 port 80 - grzegorzkucharski[.]com - GET /cli/92278618/fs8rc5s-001552/
TRAFFIC GENERATED BY WORD MACRO RETRIEVING INITIAL EMOTET EXE:
- 185.176.40[.]216 port 80 - karaz-sd[.]com - GET /admin/nlYFI/
- 37.247.111[.]239 port 80 - king61tours[.]com - GET /pdf/lwuqKsRgijhXw/
EMOTET POST-INFECTION TRAFFIC:
- 82.239.200[.]118 port 80 - attempted TCP connections, not successful
- 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /pMS75h0C/
- 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /7A2lA/mchXWOBie1c/8XFZ4o/zWzTehlJg59VBhU/3rUMBgVhK82M10/W4OFSeMgYMsywiE5r/
- 104.236.52[.]89 port 8080 - 104.236.52[.]89:8080 - POST /FnwFuuKXKem7CogyE6n/eXyml/
- 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /Kv2o7ntVsCJRhS1/JiDQry/WRlhyNH3W2O/C6Gt90uHcoFjbGhC2Z/cAsFx/uhOp/
- 104.236.52[.]89 port 8080 - 104.236.52[.]89:8080 - POST /6RYV84nS24/YCHB04L5im7/tLZ94FjlOh/E5HdzIL6sH6JoYLj/KXvLaxOHV5bFZ/
- 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /xK3w9hHMSGopJyXiM/HUGHXP/
- 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /mytKA7K5DCGgp/rlRnEd/lmJEJH6yPSECbSzD/vznzCzN/hkEk1Ze/wHDMyg/
- 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /jLGr6oTxrYt3Z1/wkYi/WDwIWpYpA/h97UWiwJt1m3/xe01/
- 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /ZR9XnctOAd/
- 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /N648uYKJfnR2w6e5/tBgMrXrIzpWA/tFa2e686d5/cSyDlELS4PXeJ8Rar0/lF8QfwNKjo/
- 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /oFgg7Z/
- 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /NuuvpDaMKPQKaIOC96H/SqtVFoiBfcbIiv/
- 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /WcputpK5lf8/pYZbopCWW03/KUgI/UlKKC5PicC68wT36RXe/
- 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /z6lem/69pXFbBl1xv63g/nWQcbk2vXeYge/8n5ksU6m4NczUKhGI/
- 104.236.52[.]89 port 8080 - 104.236.52[.]89:8080 - POST /WgRtw (application/x-www-form-urlencoded)
- 104.236.52[.]89 port 8080 - 104.236.52[.]89:8080 - POST /Xck2hm (application/x-www-form-urlencoded)
- 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /Igtnj4XYzrPq1trM/X9ShC95/wpoLB9ncq52W/
- 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /GM9AQHsH7jnmj8Dq/wKiKa2UrPopAiiL3/nSLbRvr5sEfA/
TRAFFIC CAUSED BY TRICKBOT:
- 195.123.241[.]187 port 443 - attempted TCP connections, not successful
- 195.123.240[.]252 port 443 - attempted TCP connections, not successful
- 194.5.249[.]157 port 443 - attempted TCP connections, not successful
- port 80 - ipecho[.]net - GET /plain
- 180.211.170[.]214 port 449 - HTTPS/SSL/TLS traffic caused by Trickbot
- 91.200.103[.]236 port 447 - HTTPS/SSL/TLS traffic caused by Trickbot
- 203.176.135[.]102 port 8082 - 203.176.135[.]102:8082 - POST /mor114/[text string with identifers of infected host]/90
- 96.9.73[.]73 port 80 - 96.9.73[.]73 - POST /mor114/[text string with identifers of infected host]/81/
- 96.9.73[.]73 port 80 - 96.9.73[.]73 - POST /mor114/[text string with identifers of infected host]/83/
URLS FOR ADDITIONAL TRICKBOT EXE FILES (BOTH RETURNED 404 NOT FOUND):
- 107.174.192[.]219 port 80 - 107.174.192[.]219 - GET /images/cursor.png
- 107.174.192[.]219 port 80 - 107.174.192[.]219 - GET /images/imgpaper.png