Emotet - Cyber Threat Intelligence

These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as Emotet. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.emotet

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Emotet:

IOC - Indicator of Compromise

These indicators of compromise (IOC) indicate associated network resources which are known to be part of research and attack activities of Emotet.

There are 1126 more IOC items available. Please use our online service to access the data.

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used by Emotet. This data is unique as it uses our predictive model for actor profiling.

| ID | Technique | Weakness | Description | Confidence |
|----|-----------|----------|-------------|------------|
| 1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High |
| 2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High |
| 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High |
| 4 | ... | ... | ... | ... |

There are 3 more TTP items available. Please use our online service to access the data.

IOA - Indicator of Attack

These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Emotet. This data is unique as it uses our predictive model for actor profiling.

There are 115 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

References

The following list contains external sources which discuss the actor and the associated activities:

Literature

The following articles explain our unique predictive cyber threat intelligence:

License

(c) 1997-2022 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!