@Blevene
Blevene / November 13th 2018
Created November 13, 2018 14:40
Emotet IOCs
f887e50af1c99ba73f280e28c7b0581b392782dba0bf2effc72d1719d039152b,
http://www.xianjiaopi.com/41964H/PAY/US/,
http://agrarszakkepzes.hu/Q1iM9mt5a/,
http://agrarszakkepzes.hu/Q1iM9mt5a,
https://www.linktub.com/blog/wp-content/004444BN/com/Business/,
http://www.linktub.com/blog/wp-content/004444BN/com/Business,
http://bandarbola.net/4KMA/PAYMENT/Personal,
d8829e9c2929163f31b001419bb2f9bf88ebf9f92bc1783229ba42b8e1ba8029,
543beab4afdffb67c0b1cdc05a357404c7a9830b50f3e0125c0d57f2fcb8c19e,
7a142698e26899993b4d4b78276c26cde44d3a8fc724bd392e6eb7a5161e0b12,
Blevene / Emotet IOCs
Created November 9, 2018 16:48
Emotet Campaigns: November 9th, 2018
Emotet Campaign 1: https://www.virustotal.com/graph/g9c1d51be17da4d3d856dadb8ce07046e45da445e9dfa4304bc49880d90df381e
Blevene / Emotet indicators
Created November 7, 2018 18:18
Emotet Indicators, November 7th, 2018
Blevene / Modules from 92[.]38.163.10
Created November 6, 2018 20:34
Trickbot Modules
cb1b429cd203a995b05d3f6fcffd703ab78f79d24b6b08a856b0b8a08f564347,
2893c138c1e082ed6a626f5b87d21205245cd68a8f9a21711956a4313131666c,
d19a58e092f4c9eb99d6eff68208fdcbd6c94d35621bab96e98d6030d614b197,
87976b4815c508a22c55d3c8edfa0f7f6466db5681555b2c97a9c92ddab1945a,
hXXp://92.38.163[.]10/MailLer.exe,
hXXp://92.38.163[.]10/mailloggerref.exe,
hXXp://92.38.163[.]10/mailLoggerRef.exe,
hXXp://92.38.163[.]10/LoadStr.exe,
hXXp://92.38.163[.]10/MailClient.exe
Blevene / Emotet Indicators
Created November 6, 2018 17:00
Emotet - November 6th, 2018
Source: https://www.virustotal.com/graph/g73ae9e6a5e604209a65afdbf2a9fa99cdb112ff2c6e64a7b96df0734f81afb7f
0a5bbf5ce342db273b6f97e1cfb311ef7b67a46c3c1e9730a54aec51955d46f4
10d13d95c03cc3f6db0b17c47dcccd5c7da63983542511ae33fdbca278a42837
19115d137ec794ccc0d03636c70882b41dbc1872d970a658ecb5174f5fd1d2ff
1e105f89b77b13224ae58aa6445dd71df058da1358adc73d9548abaae9cf1f77
2ee6bea3c759dfb82e373bc39c4c7727ab0fff582b60c0308ce64c4d9b44343e
33ba0f5bcd94e39b9e46fc56a0a91531f732f0c1cf83988a7d2bce233c9838ac
33e3447fff8de6a489bbbf5998b25de0fd71b7067db9efb02d867674b4d24755
39b664c0a66bd1ba471dc56ebf1874f5fdb100c1c1d073ddd7e72fbb3b5aaeb0
Blevene / Trickbot Infra
Created October 31, 2018 14:41
Trickbot Infra 10-31-2018
Per: https://myonlinesecurity.co.uk/fake-companies-house-company-report-delivers-trickbot/
https://www.virustotal.com/#/file/53bf90cafdf5b2c48cef6b70e3d33975379a762206e978b98e0f95d5b5c6cfbe/detection
https://197.232.50.85
https://82.222.40.119:449
https://94.232.20.113
https://5.189.227.109
https://174.105.233.82:449
https://115.78.3.170
https://190.145.74.84:449
Blevene / C2s for Emotet
Created September 21, 2018 16:56
Emotet C2s 9/21
Lure URLs:
http://neurocoachingkm.com.br/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/092018
http://old.gkinfotechs.com/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/092018
http://nigelkarikari.com/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/09_18
C2s
http://96.242.246.128
http://203.198.129.4:8080
Blevene / Emotet Indicators
Created September 4, 2018 16:35
Emotet 9/3/2018 Indicators Courtesy of VirusTotal
1.22.155.6,
104.236.24.85,
133.242.208.183,
159.192.247.138,
160.226.162.79,
178.63.118.195,
181.29.82.117,
187.193.97.96,
189.161.67.1,
189.190.154.29,
Blevene / Smokeloader Sha256
Created April 13, 2018 15:57
Smokeloader associated with keamreddlo.bit
Blevene / Trickbot Sha256
Last active April 11, 2018 13:02
Recent (April 9-11th) Trickbot Hashes
observables from svchost.exe:
Users\Administrator\AppData\Roaming\NetDefender\file
Windows\System32\Tasks\MsNetValidator
8be3f04b9f5133572e2756fdc8b3bd03f061306066958580214633377fede834
5ff83162fb50ceaaf72fc26540f2dc8f50aa4a0cf4d378ecb7c76b692c5e154c
f14f6436e688564de96ed3905c456f69b70570ca20ac9f4d83c8d8e008e97287
88b99cdd05ab132c0c61d8e74d998376281a6152c196436fb6250eb27e22e333
f1c92f183d6473402ed4867fc7a08d2a9dcb090217b99285b6b9c9fe68a31590
bdf453a7ebfd6f88bc98ac79d7d2d10b95c3bfbe624bbd0b2934ebedde4af02c