2022-03-29-IOCs-for-Emotet-and-Cobalt-Strike.txt

2022-03-29 (TUESDAY) - EMOTET EPOCH 4 INFECTION WITH COBALT STRIKE

NOTES:

- Today, we've seen Emotet send attachments for a short time, but it has been sending mostly URLs so far.

- Emotet started using URLs again yesterday as reported at https://twitter.com/Cryptolaemus1/status/1508542226275745803

32 EXAMPLES OF SENDING ADDRESSES FROM EMOTET MALSPAM:

- From: ""[spoofed sender name]"" <a-fukunaga@taiyo-in.co.jp>
- From: ""[spoofed sender name]"" <amairany.saucedo010@vimpet.com.mx>
- From: ""[spoofed sender name]"" <asistenteadmi@astextilni.com>
- From: ""[spoofed sender name]"" <business.development@mashhor.com>
- From: ""[spoofed sender name]"" <ccollante@utejgn.com.ar>
- From: ""[spoofed sender name]"" <contador@bestwesternghch.com>
- From: ""[spoofed sender name]"" <dohai@elentec.vn>
- From: ""[spoofed sender name]"" <fathi.surkhi@gsi-glass.com>
- From: ""[spoofed sender name]"" <fc@bwkindaihotel.com>
- From: ""[spoofed sender name]"" <finanzas@capcentroamerica.com>
- From: ""[spoofed sender name]"" <fokhrul@globalbrand.com.bd>
- From: ""[spoofed sender name]"" <francesco.lima@stile.conc-bmw.com>
- From: ""[spoofed sender name]"" <hirata@ki-corp.co.jp>
- From: ""[spoofed sender name]"" <immesus@immesus.com>
- From: ""[spoofed sender name]"" <info.mail@sidvsa.com>
- From: ""[spoofed sender name]"" <info@mikreocasa.com>
- From: ""[spoofed sender name]"" <info@realemutuabtp.it>
- From: ""[spoofed sender name]"" <info@vmgroupitalia.com>
- From: ""[spoofed sender name]"" <ingrid.grub@grupomm.com.uy>
- From: ""[spoofed sender name]"" <jhernandez@piamonte.cl>
- From: ""[spoofed sender name]"" <kelvinli@topmost-tech.com.tw>
- From: ""[spoofed sender name]"" <khurram@adamjeedurabuilt.com>
- From: ""[spoofed sender name]"" <lucia.gutierrez@distab.com.uy>
- From: ""[spoofed sender name]"" <mcornejo@servconsa.pe>
- From: ""[spoofed sender name]"" <muhammad.zaid@aquademintl.com>
- From: ""[spoofed sender name]"" <mustafa@zaco.com.pk>
- From: ""[spoofed sender name]"" <n-nakazawa@hk-ej.co.jp>
- From: ""[spoofed sender name]"" <pune.support@giplpune.com>
- From: ""[spoofed sender name]"" <s-yonehara@sohwa.jp>
- From: ""[spoofed sender name]"" <takisyo-master@yabuboard.ed.jp>
- From: ""[spoofed sender name]"" <y-matsuzaka@sinkou-e.jp>
- From: ""[spoofed sender name]"" <yosino@marine.odn.ne.jp>

7 EXAMPLES OF URLS FROM EMOTET MALSPAM:

- hxxp://ferroconsultora[.]com[.]ar/cli/3gKSvURXLb/
- hxxp://fikirteknesi[.]com/wp-includes/YQmEElzYjaqiFb3ZEnl21rBM9Ka6s/
- hxxp://fjcidea[.]com[.]ar/exhibit/W/
- hxxp://fkl[.]co[.]ke/wp-content/Elw3kPvOsZxM5/
- hxxp://fontecmobile[.]com/pk/TsR23QKKRQFRUFmFgQ2fIGkkk7Vg/
- hxxp://football.g-sports[.]gr/paok/jkL8M4zza4PwF84/
- hxxps://www.fitoka[.]com[.]br/plugins/oFZRcso98qlNk3FdrKPtlA8/

URLS FOR THE EXCEL FILE DOWNLOAD:

- hxxp://ferroconsultora[.]com[.]ar/cli/3gKSvURXLb/?i=1
- hxxp://fikirteknesi[.]com/wp-includes/YQmEElzYjaqiFb3ZEnl21rBM9Ka6s/?i=1
- hxxp://fjcidea[.]com[.]ar/exhibit/W/?i=1
- hxxp://fkl[.]co[.]ke/wp-content/Elw3kPvOsZxM5/?i=1
- hxxp://fontecmobile[.]com/pk/TsR23QKKRQFRUFmFgQ2fIGkkk7Vg/?i=1
- hxxp://football.g-sports[.]gr/paok/jkL8M4zza4PwF84/?i=1
- hxxps://www.fitoka[.]com[.]br/plugins/oFZRcso98qlNk3FdrKPtlA8/?i=1

DOWNLOADED EXCEL FILE:

- SHA256 hash: ade8be9f42310d7208c19f38eedbbdd38a925237d349718844a036d2ebaa7af3
- File size: 129,536 bytes
- File name: 426534628608157239.xls
- File description: Downloaded Excel file with macros for Emotet

EMOTET DLL RETRIEVED BY MACRO FROM EXCEL FILE:

- SHA256 hash: bb01a42f1b01a2d94a33b0cc9d192a2b5b447289133e12d92b619903e87c7086
- File size: 589,824 bytes
- File location: hxxp://g-wizcomputers[.]com/party/61W0ovBu86/
- File location: C:\Users\[username]\efhj.dll
- File location: C:\Users\[username]\AppData\Local\Vpifpbqmu\lsxmrbwejitduvo.qzr
- Run method: regsvr32.exe [filename]

FOLLOW-UP MALWARE: COBALT STRIKE:

- SHA256 hash: d08430ad21c7a08c68416ad117358c281e8d66c1eed9c8a5a044af66488369c0
- File size: 2,928,128 bytes
- File location: C:\Users\[username]\AppData\Local\Vpifpbqmu\bnsprrcrgbd.dll
- Run method: regsvr32.exe [filename]

URLS GENERATED BY EXCEL MACRO FOR EMOTET DLL:

- hxxp://drvishalchestclinic[.]com/wp-includes/SqqCZQ6y2uyFF/
- hxxp://funestotal[.]com/5aclo1em/21U/
- hxxp://g-wizcomputers[.]com/party/61W0ovBu86/
- hxxp://primefind[.]com/1mall-uk/h5/
- hxxp://la-csi[.]com/mt-admin/BB7/
- hxxps://pancook[.]com/newsite/H6xxeLefX1I2vgJFM1Y/

EMOTET C2 TRAFFC:

- 216.120.236[.]62 port 8080 - HTTPS traffic
- 189.232.46[.]161 port 443 - HTTPS traffic
- 144.217.88[.]125 port 443 - HTTPS traffic
- 45.184.36[.]10 port 8080 - HTTPS traffic
- 176.31.163[.]17 port 8080 - HTTPS traffic
- 109.160.96[.]230 port 4143 - HTTPS traffic
- 136.243.32[.]168 port 443 - HTTPS traffic

COBALT STRIKE TRAFFIC:

- 139.60.161[.]45 port 443 - verofes[.]com - HTTPS traffic