Updated List of Emotet Banking Malware Trojan IP C2 Servers and Port Numbers

Emotet Peers: […]

RED3.exe bhvaticanskeys.com 181.129.104.139.449 Trickbot Malware Banking Trojan

JA3 Fingerprint: f735bbc6b69723b9df7b0e7ef27872af
First seen: 2018-10-02 18:04:16 UTC
Last seen: 2020-01-15 05:53:57 UTC
Status: Blacklisted
Malware samples: 1’816
Destination IPs: 193
Malware: TrickBot
Listing date: 2020-01-09 14:17:18

2020-01-16 06:18:01.857421 IP 192.168.86.25.56294 > 94.23.64.40.80: Flags [P.], seq 1:444, ack 1, win 64240, length 443: HTTP: GET /RED3.exe HTTP/1.1
E…..@…;…V.^.@(…P-C.>.ca.P…ch..GET /RED3.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bbvaticanskeys.com
Connection: Keep-Alive
Cookie: SERVERID104280=112034|XiBGX|XiBGX

2020-01-16 06:18:01.968837 IP 94.23.64.40.80 > 192.168.86.25.56294: Flags [.], seq 1:1461, ack 444, […]

Trojan Malware BDaim-A is c000.exe vbc.exe Malicious X.509 SSL Certificate PCAP File Download Traffic Sample

Troj/BDaim-A is a backdoor trojan. The Trojan installs itself as uvwxyz.exe in the Windows system folder and creates the following files, also in the system folder:

mswinsck.ocx (this is the clean Microsoft Winsock control)
raim.ocx

Troj/BDaim-A creates the following registry entry so that it automatically starts up with Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\uvwxyz = C:\WINDOWS\System32\uvwxyz.exe

In addition, Troj/BDaim-A creates the following registry entries:

HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Server\
HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Server\Host = "localhost"
HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Server\Port = dword:0000103f
HKCU\Software\Microsoft\Visual Basic\
HKCU\Software\Microsoft\Visual Basic\6.0\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ (default) = "Microsoft WinSock Control, version 6.0"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ […]