Emotet: Updated client with new C2 list

Share Now

Facebook
Twitter
LinkedIn

The Emotet botnet updated their clients this morning around 6am EST.

We came across these hashes for the clients:

E1
4969b8145150d8c9d92abd66db2d17b1b54efcece75812ef77e7ef72d955bd19
E2
812e7a6ebdb40271ec0f878a559c29b459527f2e21ef6208e27d34c6808cd662

The following is a list of the C2 that were pulled from the binaries. Please use these to catch any infections that may be present within your environment:

Epoch 1

109.104.79.48:8080
109.169.86.13:8080
125.99.61.162:7080
128.199.78.227:8080
138.68.106.4:7080
149.62.173.247:8080
151.80.142.33:80
159.203.204.126:8080
159.65.241.220:8080
162.241.130.39:8080
170.247.122.37:8080
178.79.163.131:8080
179.62.18.56:443
181.39.134.122:80
181.48.174.242:80
183.82.97.25:80
183.87.87.73:80
185.129.93.140:80
185.86.148.222:8080
186.83.133.253:8080
186.93.145.178:443
187.144.227.2:7080
187.188.166.192:80
187.242.204.142:80
190.1.37.125:443
190.117.206.153:443
190.19.42.131:80
190.230.60.129:80
190.55.39.215:80
190.97.10.198:80
196.6.112.70:443
200.32.61.210:8080
200.57.102.71:8443
200.58.171.51:80
200.80.198.34:80
201.219.183.243:443
203.25.159.3:8080
213.120.104.180:50000
217.113.27.158:443
217.199.175.216:8080
23.92.22.225:7080
37.59.1.74:8080
43.229.62.186:8080
46.21.105.59:8080
46.249.204.99:8080
46.29.183.211:8080
5.77.13.70:80
62.210.142.58:8080
62.75.143.100:7080
69.163.33.82:8080
72.47.248.48:8080
77.122.183.203:8080
80.0.106.83:80
80.85.87.122:8080
81.169.140.14:443
86.42.166.147:80
88.250.223.190:8080
89.188.124.145:443
90.69.208.50:7080
91.205.215.57:7080
91.83.93.124:7080

109.104.79.48:8080
109.169.86.13:8080
125.99.61.162:7080
128.199.78.227:8080
138.68.106.4:7080
149.62.173.247:8080
151.80.142.33:80
159.203.204.126:8080
159.65.241.220:8080
162.241.130.39:8080
170.247.122.37:8080
178.79.163.131:8080
179.62.18.56:443
181.39.134.122:80
181.48.174.242:80
183.82.97.25:80
183.87.87.73:80
185.129.93.140:80
185.86.148.222:8080
186.83.133.253:8080
186.93.145.178:443
187.144.227.2:7080
187.188.166.192:80
187.242.204.142:80
190.1.37.125:443
190.117.206.153:443
190.19.42.131:80
190.230.60.129:80
190.55.39.215:80
190.97.10.198:80
196.6.112.70:443
200.32.61.210:8080
200.57.102.71:8443
200.58.171.51:80
200.80.198.34:80
201.219.183.243:443
203.25.159.3:8080
213.120.104.180:50000
217.113.27.158:443
217.199.175.216:8080
23.92.22.225:7080
37.59.1.74:8080
43.229.62.186:8080
46.21.105.59:8080
46.249.204.99:8080
46.29.183.211:8080
5.77.13.70:80
62.210.142.58:8080
62.75.143.100:7080
69.163.33.82:8080
72.47.248.48:8080
77.122.183.203:8080
77.245.101.134:8080
79.143.182.254:8080
80.0.106.83:80
80.85.87.122:8080
81.169.140.14:443
86.42.166.147:80
88.250.223.190:8080
89.188.124.145:443
90.69.208.50:7080
91.205.215.57:7080
91.83.93.124:7080

Epoch 2

104.131.11.150:8080
104.131.208.175:8080
104.236.246.93:8080
104.247.221.104:8080
124.121.192.163:8443
125.99.106.226:80
136.243.177.26:8080
138.201.140.110:8080
142.93.88.16:443
144.139.247.220:80
149.202.153.252:8080
152.169.236.172:80
159.65.25.128:8080
162.144.119.216:8080
162.243.125.212:8080
169.239.182.217:8080
173.212.203.26:8080
175.100.138.82:22
177.242.214.30:80
177.246.193.139:20
178.62.37.188:443
178.79.161.166:443
179.32.19.219:22
182.176.132.213:8090
185.94.252.13:443
188.166.253.46:8080
189.209.217.49:80
190.145.67.134:8090
190.186.203.55:80

200.85.46.122:80
201.212.57.109:80
206.189.98.125:8080
211.63.71.72:8080
212.71.234.16:8080
222.214.218.192:8080
31.12.67.62:7080
31.172.240.91:8080
41.220.119.246:80
45.123.3.54:443
45.33.49.124:443
46.105.131.87:80
47.41.213.2:22
62.75.187.192:8080
64.13.225.150:8080
75.127.14.170:8080
78.24.219.147:8080
85.104.59.244:20
87.106.136.232:8080
87.106.139.101:8080
87.230.19.21:8080
88.156.97.210:80
91.205.215.66:8080
91.83.93.103:7080
94.205.247.10:80
95.128.43.213:8080

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.  

Read More Related Phishing Blog Posts

Search

We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.

This site is registered on wpml.org as a development site.