PULSE NAME
Emotet Strikes Again - LNK File Leads to Domain Wide Ransomware - The DFIR Report
WHITE OtpNgGim 2022-11-29 Modified: 2022-12-29
50 IOCs, MEDIUM VOLUME
Indicators of Compromise (50)