Updated List of Emotet Banking Malware Trojan IP C2 Servers and Port Numbers

Emotet Peers: 104.131.58132:8080 104.236.13772:8080 109.169.8613:8080 110.170.65146:80 111.125.7122:8080 112.218.134227:80 113.61.76239:80 116.48.138115:80 116.48.14832:80 118.36.70245:80 119.59.124163:8080 125.99.61162:7080 130.204.247253:80 138.68.1064:7080 139.162.11888:8080 14.160.93230:80 142.127.5763:8080 142.93.114137:8080 144.139.56105:80 144.217.117207:8080 149.62.173247:8080 151.237.36220:80 152.170.10899:443 159.203.204126:8080 163.172.40218:7080 165.228.19593:80 175.114.17883:443 178.79.163131:8080 181.198.20345:443 181.36.42205:443 181.61.143177:80 183.99.239141:80 185.160.2123:80 185.160.22926:80 185.86.148222:8080 186.15.8352:8080 186.68.48204:443 187.188.166192:8080 188.135.1549:80 188.216.24204:80 189.19.81181:443 190.100.153162:443 190.146.131105:8080 190.186.16423:80 190.195.129227:8090 190.210.184138:995 190.6.193152:8080 190.97.30167:990 191.103.7634:443 191.183.21190:80 192.241.14684:8080 2.139.158136:443 2.42.173240:80 2.44.16752:80 2.45.112134:80 200.119.11118:443 200.124.22532:80 200.58.83179:80 201.213.3259:80 203.130.069:80 203.25.1593:8080 207.154.20440:8080 212.237.5061:8080 212.71.237140:8080 217.199.160224:8080 219.75.66103:80 223.255.148134:80 37.120.185153:443 37.183.12132:80 37.187.663:8080 37.211.49127:80 45.50.177164:80 45.79.95107:443 45.8.136201:80 46.101.212195:8080 46.28.111142:7080 5.196.35138:7080 5.32.41106:80 5.88.2767:8080 50.28.51143:8080 51.255.165160:8080 58.171.3826:80 62.75.143100:7080 62.75.160178:8080 63.246.252234:80 63.248.1988:80 68.129.203162:443 68.174.15223:80 68.183.170114:8080 68.183.190199:8080 68.187.16028:443 69.163.3384:8080 72.29.55174:80 73.60.8210:80 74.59.18794:80 74.79.10355:80 77.27.22124:443 77.55.21177:8080 […]

RED3.exe bhvaticanskeys.com 181.129.104.139.449 Trickbot Malware Banking Trojan

JA3 Fingerprint: f735bbc6b69723b9df7b0e7ef27872af
First seen: 2018-10-02 18:04:16 UTC
Last seen: 2020-01-15 05:53:57 UTC
Status: Blacklisted
Malware samples: 1’816
Destination IPs: 193
Malware: TrickBot
Listing date: 2020-01-09 14:17:18

2020-01-16 06:18:01.857421 IP 192.168.86.25.56294 > 94.23.64.40.80: Flags [P.], seq 1:444, ack 1, win 64240, length 443: HTTP: GET /RED3.exe HTTP/1.1
E…..@…;…V.^.@(…P-C.>.ca.P…ch..GET /RED3.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bbvaticanskeys.com
Connection: Keep-Alive
Cookie: SERVERID104280=112034|XiBGX|XiBGX
2020-01-16 06:18:01.968837 IP 94.23.64.40.80 > 192.168.86.25.56294: Flags [.], seq 1:1461, ack 444, […]

Trojan Malware BDaim-A is c000.exe vbc.exe Malicious X.509 SSL Certificate PCAP File Download Traffic Sample

Troj/BDaim-A is a backdoor trojan. The Trojan installs itself as uvwxyz.exe in the Windows system folder and creates the following files, also in the system folder:

mswinsck.ocx (a clean Microsoft WinSock control)
raim.ocx

Troj/BDaim-A creates the following registry entry so that it starts automatically with Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\uvwxyz = C:\WINDOWS\System32\uvwxyz.exe

In addition, Troj/BDaim-A creates the following registry entries:

HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Server\
HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Server\Host = “localhost”
HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Server\Port = dword:0000103f
HKCU\Software\Microsoft\Visual Basic\
HKCU\Software\Microsoft\Visual Basic\6.0\
HKCR\CLSID(248DD896-BB45-11CF-9ABC-0080C7E7B78D)\
HKCR\CLSID(248DD896-BB45-11CF-9ABC-0080C7E7B78D) (default) = “Microsoft WinSock Control, version 6.0”
HKCR\CLSID(248DD896-BB45-11CF-9ABC-0080C7E7B78D)\Control\
HKCR\CLSID(248DD896-BB45-11CF-9ABC-0080C7E7B78D)\Implemented Categories\
HKCR\CLSID(248DD896-BB45-11CF-9ABC-0080C7E7B78D)\Implemented Categories(0DE86A52-2BAA-11CF-A229-00AA003D7352)\
HKCR\CLSID(248DD896-BB45-11CF-9ABC-0080C7E7B78D) […]

AZORult Rultazo PuffStealer Cryptocurrency Malware Crimeware PCAP file download Traffic Sample

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer should not be taken lightly, as it continues to be an active threat.

Type: Stealer
Origin: ex-USSR
First seen: 1 January, 2016
Last seen: 16 January, 2020
Also known as: PuffStealer, Rultazo

Trojan-PSW.Win32.Azorult is considered dangerous by many security experts.

What can the Trojan-PSW.Win32.Azorult virus do?

Executable code extraction
Creates RWX memory
HTTP traffic contains suspicious features which may be indicative of malware related traffic
Performs some HTTP requests
Unconventional […]