
Latest Emotet malware samples and IOCs

Written by PolySwarm Tech Team | Nov 26, 2019 10:59:47 PM

[Updated November 27, 2019]: 

Emotet is a banking Trojan first identified by security researchers in 2014. It was originally built to sneak onto computers and steal sensitive and private information, chiefly banking credentials. Over the following years it evolved from that basic threat into a customizable, modular package, and it has since been seen deploying additional payloads against financial institutions, enterprises, and consumers across the globe. 

Emotet includes functionality that helps it evade detection by some anti-malware products. Its worm-like functionality, which lets it spread to connected computers, prompted the Department of Homeland Security to conclude that Emotet is a destructive and costly malware affecting the private sector, government and individuals, with remediation costing upwards of $1 million per incident.

Here we have laid out the latest IOCs, with links to the hash search results and scans in PolySwarm, a threat detection marketplace that aggregates scan results and details provided by a network of scanning engines: 

November 27, 2019, 6:46:57 PM CET: 

[*] Malware family: Emotet
[+] Hashes:
3382eaa2e1d89b479dbf8c9fed135e9c4737dd7b266383a65791615639a30183
500ee54d1e170ab45f77d24fcd62ee3b87566de8412db3adeb19ce2e8dd338cd
55f774cf58ab33bd5b05ce68ba92ca0ada477bb38e08a97ebf0873f675523d4b
562af50f521878f7ff714a6bd5a7ef9d0cf7fa279b842de23ae4f562ead14594
64ff2f6f003d984ed69987b132110485a8390d7c95d464fc9a0fc1a1222e9dda
717164534c8479c7c4b25aa7c3c6eeab8341ffe1e73deb0097d7ba5107b88973
924563adf90b3e00642e072fbd14829c13038aa3f5a7b7c45ec720a3f2396801
9bcd9e0c60ee23bd7497880169f55416ace0bdf615779be2f2b82303cf3ea974
b4cec97c477de6c0e36a7f121c9e4cadb7bed25a36a2bea7219103877a3fb06d
c2fefbc6f35f5339810d5ba572868ac578888ff7b9d96ae33e2a4e5248e3d8a8
ceeb5a549809ae7aae33ec1c65bfc62d90e5400e52bba41f896f415d5c4237bf
d4e7e428ec774d37b7420805481ea9883991b63cb667035976c810c247d3a5d1
db0cd4eb4a6af551514fe57d32e8ab27c1e3ff7ad630509b252765208b8e2084
[+] PolySwarm Permalink:
Scan permalink: https://polyswarm.network/scan/results/file/3382eaa2e1d89b479dbf8c9fed135e9c4737dd7b266383a65791615639a30183
Scan permalink: https://polyswarm.network/scan/results/file/500ee54d1e170ab45f77d24fcd62ee3b87566de8412db3adeb19ce2e8dd338cd
Scan permalink: https://polyswarm.network/scan/results/file/55f774cf58ab33bd5b05ce68ba92ca0ada477bb38e08a97ebf0873f675523d4b
Scan permalink: https://polyswarm.network/scan/results/file/562af50f521878f7ff714a6bd5a7ef9d0cf7fa279b842de23ae4f562ead14594
Scan permalink: https://polyswarm.network/scan/results/file/64ff2f6f003d984ed69987b132110485a8390d7c95d464fc9a0fc1a1222e9dda
Scan permalink: https://polyswarm.network/scan/results/file/717164534c8479c7c4b25aa7c3c6eeab8341ffe1e73deb0097d7ba5107b88973
Scan permalink: https://polyswarm.network/scan/results/file/924563adf90b3e00642e072fbd14829c13038aa3f5a7b7c45ec720a3f2396801
Scan permalink: https://polyswarm.network/scan/results/file/9bcd9e0c60ee23bd7497880169f55416ace0bdf615779be2f2b82303cf3ea974
Scan permalink: https://polyswarm.network/scan/results/file/b4cec97c477de6c0e36a7f121c9e4cadb7bed25a36a2bea7219103877a3fb06d
Scan permalink: https://polyswarm.network/scan/results/file/c2fefbc6f35f5339810d5ba572868ac578888ff7b9d96ae33e2a4e5248e3d8a8
Scan permalink: https://polyswarm.network/scan/results/file/ceeb5a549809ae7aae33ec1c65bfc62d90e5400e52bba41f896f415d5c4237bf
Scan permalink: https://polyswarm.network/scan/results/file/d4e7e428ec774d37b7420805481ea9883991b63cb667035976c810c247d3a5d1
Scan permalink: https://polyswarm.network/scan/results/file/db0cd4eb4a6af551514fe57d32e8ab27c1e3ff7ad630509b252765208b8e2084
[+] Dropper URL:
hxxp://anaesthesie-blasewitz[.]de/css/TWWKjnV/
hxxp://ardalan[.]biz/wp-includes/qb085995/
hxxp://consultinghd[.]ge/dberror/wHnkIRk/
hxxp://discoveryinspectors[.]com/wiajfh56jfs/iKgWHum/
hxxp://dldreamhomes[.]com/wp-admin/bwfPhHO/
hxxp://icloudgraphics[.]com/wp-content/o1cu7628/
hxxp://old[.]bigbom[.]com/wp-snapshots/installer/3vouc050850/
hxxp://romanemperorsroute[.]org/wp-content/9WtVQhBjl/
hxxps://aghayenan[.]com/mobi/lbckjl/
hxxps://bthitechvn[.]com/wp-admin/8qkzgnynv-47ovy28o-429/
hxxps://fysinstitute[.]com/hoaw62idks/xj/
hxxps://memaryab[.]com/wp-admin/F6klm/
hxxps://memorymusk[.]com/wp-content/ORIkPOUpF/
hxxps://my-way[.]style/8mjle980/vdCYhx/
hxxp://sociallysavvyseo[.]com/PinnacleDynamicServices/l0305/
hxxps://rakoffshoreic[.]com/media/KbjdZR/
hxxps://re365[.]com/wp-content/uploads/NNxgHxTx/
hxxps://rentigo[.]peppyemails[.]com/wp-content/uploads/4maot/
hxxps://revistaunipaz[.]000webhostapp[.]com/wp-admin/ZVqCpVyec/
hxxps://www[.]cuteandroid[.]com/wp-includes/sjfd01/
hxxps://www[.]icclcricketainment[.]com/wp-content/feWeaYm5jc/
hxxps://www[.]kiddostoysclub[.]com/wp-admin/c5/
hxxps://www[.]oshodrycleaning[.]com/aspnet_client/wlyj79/
hxxps://www[.]realestatetiming[.]net/oldwordpress/DooMQA/
hxxps://www[.]sennesgroup[.]com/wp-content/d4v/
hxxps://zvirinaal[.]000webhostapp[.]com/wp-admin/ZBsawyN/
hxxp://vogler[.]me/Schuldateien/rOXRqjAx/
hxxp://www[.]test3653[.]club/wp-includes/63llx5/
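To put the block above to work, here is an added example (our own code, not PolySwarm's tooling) that parses the list in the exact `[*]`/`[+]` layout used above, refangs the hxxp:// and [.] notation, and then sweeps constructed proxy log lines and a constructed file inventory against the dropper hosts and SHA-256 hashes. The log lines, the inventory paths and the trimmed IOC subset embedded in the script are made up for the demo; the full block above can be pasted in unchanged.

```python
"""Parse the defanged Emotet IOC block above and sweep constructed proxy log
lines and file hashes against it. Added example; not PolySwarm code."""
import hashlib
import re
from urllib.parse import urlsplit

# Subset of the post's IOC block, kept in the exact "[+]" layout used above so
# the parser also works on a copy-paste of the full block.
IOC_BLOCK = """\
[*] Malware family: Emotet
[+] Hashes:
3382eaa2e1d89b479dbf8c9fed135e9c4737dd7b266383a65791615639a30183
500ee54d1e170ab45f77d24fcd62ee3b87566de8412db3adeb19ce2e8dd338cd
[+] PolySwarm Permalink:
Scan permalink: https://polyswarm.network/scan/results/file/500ee54d1e170ab45f77d24fcd62ee3b87566de8412db3adeb19ce2e8dd338cd
[+] Dropper URL:
hxxp://anaesthesie-blasewitz[.]de/css/TWWKjnV/
hxxps://www[.]cuteandroid[.]com/wp-includes/sjfd01/
hxxps://rentigo[.]peppyemails[.]com/wp-content/uploads/4maot/
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def refang(url):
    """Undo the hxxp:// and [.] defanging used in the post."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")


def parse_ioc_block(text):
    """Return {'hashes', 'urls', 'hosts'} sets from the post's list format.

    Only the '[+] Hashes:' and '[+] Dropper URL:' sections are consumed, so the
    PolySwarm permalinks are never mistaken for IOCs, and any line that is not
    exactly 64 hex characters (e.g. an extraction-duplicated hash) is dropped.
    """
    hashes, urls = set(), set()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[*]"):
            continue
        if line.startswith("[+]"):
            section = line[3:].strip().rstrip(":").lower()
            continue
        if section == "hashes" and SHA256_RE.match(line.lower()):
            hashes.add(line.lower())
        elif section == "dropper url":
            urls.add(refang(line))
    hosts = {urlsplit(u).hostname for u in urls}
    return {"hashes": hashes, "urls": urls, "hosts": hosts}


def host_matches(hostname, ioc_hosts):
    """True if hostname is an IOC host (with or without a leading 'www.')
    or a subdomain of one. Paths are deliberately ignored: the dropper
    paths on these sites rotate, the host is the durable part."""
    hostname = hostname.lower().rstrip(".")
    for h in ioc_hosts:
        bare = h[4:] if h.startswith("www.") else h
        if hostname in (h, bare) or hostname.endswith("." + bare):
            return True
    return False


def sweep_proxy_log(lines, iocs):
    """Return (line_no, host) for each log line whose requested URL hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"\s(https?://\S+)", line)
        host = urlsplit(m.group(1)).hostname if m else None
        if host and host_matches(host, iocs["hosts"]):
            hits.append((n, host))
    return hits


def sweep_hashes(sha256_by_path, iocs):
    """Return the paths whose SHA-256 is in the IOC hash set (case-insensitive)."""
    return sorted(p for p, h in sha256_by_path.items() if h.lower() in iocs["hashes"])


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


# Constructed Squid-style access log lines for the demo; not real traffic.
PROXY_LOG = [
    "1574880000.123 10.0.0.5 TCP_MISS/200 GET http://anaesthesie-blasewitz.de/css/TWWKjnV/ - DIRECT",
    "1574880001.456 10.0.0.7 TCP_MISS/200 GET https://www.example.com/index.html - DIRECT",
    "1574880002.789 10.0.0.9 TCP_MISS/200 GET https://cuteandroid.com/wp-includes/sjfd01/ - DIRECT",
]

if __name__ == "__main__":
    iocs = parse_ioc_block(IOC_BLOCK)
    print("hosts:", sorted(iocs["hosts"]))
    print("proxy hits:", sweep_proxy_log(PROXY_LOG, iocs))
    # Constructed inventory: one path carries a listed hash, the other does not.
    inventory = {"/tmp/invoice.doc": next(iter(iocs["hashes"])),
                 "/tmp/readme.txt": sha256_of_bytes(b"benign content")}
    print("hash hits:", sweep_hashes(inventory, iocs))
```

Two caveats when using this in a SOC: the dropper URLs above sit on what look like compromised third-party sites (note the wp-admin and wp-content paths), so a host hit is a lead to pivot on (which user fetched it, what document or binary followed) rather than a verdict on its own, and the parser ignores the permalink section on purpose so that polyswarm.network never ends up in the host set.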


*Researchers and press are welcome to link to PolySwarm scan results in their reporting. Please attribute to PolySwarm.

***

PolySwarm helps security teams detect new and emerging malware. Enterprises and security operations centers (SOCs) benefit from PolySwarm’s aggregated network of scanning engines (both large AVs and specialized security experts) that are incentivized to accurately detect threats. PolySwarm lowers the barriers of participation for threat detection tools, and economically rewards early, accurate malware detection. Try out PolySwarm here and see how it detects new and emerging malware.