-
Notifications
You must be signed in to change notification settings - Fork 16
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Created 2020-08-25-IOCs-for-Emotet-with-Trickbot.txt
- Loading branch information
1 parent
d26d622
commit ec35245
Showing
1 changed file
with
86 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,86 @@ | ||
| 2020-08-25 (TUESDAY) - EMOTET EPOCH 3 INFECTION WITH TRICKBOT GTAG MOR114 | ||
|
|
||
| REFERENCE: | ||
|
|
||
| - https://twitter.com/Unit42_Intel/status/1298711111538077696 | ||
|
|
||
| CHAIN OF EVENTS: | ||
|
|
||
| - link from malspam --> Word doc --> enable macros --> Emotet infection --> Trickbot as follow-up malware | ||
|
|
||
| ASSOCIATED MALWARE: | ||
|
|
||
| - SHA256 hash: 9206615c27a64e4617f1e3ec11b5584e0510df8b5744581f9e9c5d0136b1e43f | ||
| - File size: 227,204 bytes | ||
| - File location: hxxp://grzegorzkucharski[.]com/cli/92278618/fs8rc5s-001552/ | ||
| - File name: invoice.doc | ||
| - File description: Word doc from malspam with macro for Emotet (epoch 3 botnet) | ||
| - File note: Random, invoice-themed names are used for this malicious Word document | ||
|
|
||
| - SHA256 hash: ab738270198457f6e7d98c31337280933b09dd563ea6b9bfb73716903a0a7f23 | ||
| - File size: 151,552 bytes | ||
| - File location: hxxp://king61tours[.]com/pdf/lwuqKsRgijhXw/ | ||
| - File location: C:\Users\[username]\AppData\Local\Temp\wORd\2019\U4cjf5lx.exe | ||
| - File description: Initial Emotet EXE retreived by Word macro (epoch 3 botnet) | ||
|
|
||
| - SHA256 hash: 482f758d1a5ee81bf89cf7b582d80117520427064ce505246cca7733b4bbde67 | ||
| - File size: 151,552 bytes | ||
| - File location: C:\Users\[username]\AppData\Local\KBDSMSNO\spwizeng.exe | ||
| - File description: Emotet persistent on the infected Windows host | ||
|
|
||
| - SHA256 hash: 537cae9dc56e79decd19c95f3558a5f204bb70fe6fa16ac7ef840991803508ac | ||
| - File size: 458,752 bytes | ||
| - File location: C:\Users\[username]\AppData\Local\KBDSMSNO\mtxoci73a.exe | ||
| - File location: C:\Users\[username]\AppData\Roaming\FWinTools\mtxoci73a.exe | ||
| - File description: Trickbot gtag mor114 retrieved by the Emotet-infected host | ||
|
|
||
| INFECTION TRAFFIC: | ||
|
|
||
| LINK FROM MALSPAM THAT RETURNED WORD DOC: | ||
|
|
||
| - 185.135.91[.]124 port 80 - grzegorzkucharski[.]com - GET /cli/92278618/fs8rc5s-001552/ | ||
|
|
||
| TRAFFIC GENERATED BY WORD MACRO RETRIEVING INITIAL EMOTET EXE: | ||
|
|
||
| - 185.176.40[.]216 port 80 - karaz-sd[.]com - GET /admin/nlYFI/ | ||
| - 37.247.111[.]239 port 80 - king61tours[.]com - GET /pdf/lwuqKsRgijhXw/ | ||
|
|
||
| EMOTET POST-INFECTION TRAFFIC: | ||
|
|
||
| - 82.239.200[.]118 port 80 - attempted TCP connections, not successful | ||
| - 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /pMS75h0C/ | ||
| - 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /7A2lA/mchXWOBie1c/8XFZ4o/zWzTehlJg59VBhU/3rUMBgVhK82M10/W4OFSeMgYMsywiE5r/ | ||
| - 104.236.52[.]89 port 8080 - 104.236.52[.]89:8080 - POST /FnwFuuKXKem7CogyE6n/eXyml/ | ||
| - 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /Kv2o7ntVsCJRhS1/JiDQry/WRlhyNH3W2O/C6Gt90uHcoFjbGhC2Z/cAsFx/uhOp/ | ||
| - 104.236.52[.]89 port 8080 - 104.236.52[.]89:8080 - POST /6RYV84nS24/YCHB04L5im7/tLZ94FjlOh/E5HdzIL6sH6JoYLj/KXvLaxOHV5bFZ/ | ||
| - 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /xK3w9hHMSGopJyXiM/HUGHXP/ | ||
| - 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /mytKA7K5DCGgp/rlRnEd/lmJEJH6yPSECbSzD/vznzCzN/hkEk1Ze/wHDMyg/ | ||
| - 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /jLGr6oTxrYt3Z1/wkYi/WDwIWpYpA/h97UWiwJt1m3/xe01/ | ||
| - 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /ZR9XnctOAd/ | ||
| - 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /N648uYKJfnR2w6e5/tBgMrXrIzpWA/tFa2e686d5/cSyDlELS4PXeJ8Rar0/lF8QfwNKjo/ | ||
| - 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /oFgg7Z/ | ||
| - 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /NuuvpDaMKPQKaIOC96H/SqtVFoiBfcbIiv/ | ||
| - 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /WcputpK5lf8/pYZbopCWW03/KUgI/UlKKC5PicC68wT36RXe/ | ||
| - 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /z6lem/69pXFbBl1xv63g/nWQcbk2vXeYge/8n5ksU6m4NczUKhGI/ | ||
| - 104.236.52[.]89 port 8080 - 104.236.52[.]89:8080 - POST /WgRtw (application/x-www-form-urlencoded) | ||
| - 104.236.52[.]89 port 8080 - 104.236.52[.]89:8080 - POST /Xck2hm (application/x-www-form-urlencoded) | ||
| - 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /Igtnj4XYzrPq1trM/X9ShC95/wpoLB9ncq52W/ | ||
| - 185.81.158[.]15 port 8080 - 185.81.158[.]15:8080 - POST /GM9AQHsH7jnmj8Dq/wKiKa2UrPopAiiL3/nSLbRvr5sEfA/ | ||
|
|
||
| TRAFFIC CAUSED BY TRICKBOT: | ||
|
|
||
| - 195.123.241[.]187 port 443 - attempted TCP connections, not successful | ||
| - 195.123.240[.]252 port 443 - attempted TCP connections, not successful | ||
| - 194.5.249[.]157 port 443 - attempted TCP connections, not successful | ||
|
|
||
| - port 80 - ipecho[.]net - GET /plain | ||
| - 180.211.170[.]214 port 449 - HTTPS/SSL/TLS traffic caused by Trickbot | ||
| - 91.200.103[.]236 port 447 - HTTPS/SSL/TLS traffic caused by Trickbot | ||
| - 203.176.135[.]102 port 8082 - 203.176.135[.]102:8082 - POST /mor114/[text string with identifers of infected host]/90 | ||
| - 96.9.73[.]73 port 80 - 96.9.73[.]73 - POST /mor114/[text string with identifers of infected host]/81/ | ||
| - 96.9.73[.]73 port 80 - 96.9.73[.]73 - POST /mor114/[text string with identifers of infected host]/83/ | ||
|
|
||
| URLS FOR ADDITIONAL TRICKBOT EXE FILES (BOTH RETURNED 404 NOT FOUND): | ||
|
|
||
| - 107.174.192[.]219 port 80 - 107.174.192[.]219 - GET /images/cursor.png | ||
| - 107.174.192[.]219 port 80 - 107.174.192[.]219 - GET /images/imgpaper.png |