Pulse name: The Taxman Never Sleeps
TLP: WHITE | Tag: Emotet | Author: feisty-swim1410 | Created: 2022-12-22 | Modified: 2023-01-21
34 IOCs (medium volume)
In early November, FortiGuard Labs discovered an e-mail, sent by the recently resurgent Emotet group, that included a tax form purporting to come from the United States Internal Revenue Service (IRS). Emotet (aka Geodo and Heodo) began life as a banking Trojan but has since morphed into a jack-of-all-trades tool that can exploit several vulnerabilities to compromise its victims. Once it has infected a system, it typically delivers additional payloads. And because it is modular, it is easily customizable by its operators. This flexibility and resilience are part of why Emotet has managed to survive at least one coordinated industry/law-enforcement takedown in 2021.
MITRE ATT&CK & Malware Families
ATT&CK techniques:
Malware families: Emotet, Daveshell, Maltshake, Warpgate, WhiteDagger
Indicators of Compromise (34)
TYPE | INDICATOR | DESCRIPTION | CREATED
domain | chobemaster.com | | 2022-12-22
domain | cngst.com | | 2022-12-22
domain | kabaruntukrakyat.com | | 2022-12-22
hostname | www.spinbalence.com | | 2022-12-22
FileHash-MD5 | 18252d898a785e916760be3e63c29a78 | MD5 of 8c3cfdd7e1e162129eedf2c3d9f6f63c133622bfe5d04bccbd823486a85b69ed | 2022-12-22
FileHash-MD5 | 41e82dccd7687de38408b2acf54ba3b3 | MD5 of 9efdbe83c874a14282b0105fcec8dc46d9ba1de6496f5d570fa14915b8fd3285 | 2022-12-22
FileHash-SHA1 | 3a2411866f05c8148ebe69fa8ee542bf70d59167 | SHA1 of 9efdbe83c874a14282b0105fcec8dc46d9ba1de6496f5d570fa14915b8fd3285 | 2022-12-22
FileHash-SHA1 | 769301632d80a6c5996e7f9514786e79d044db17 | SHA1 of 8c3cfdd7e1e162129eedf2c3d9f6f63c133622bfe5d04bccbd823486a85b69ed | 2022-12-22
FileHash-SHA256 | 8c3cfdd7e1e162129eedf2c3d9f6f63c133622bfe5d04bccbd823486a85b69ed | | 2022-12-22
FileHash-SHA256 | 9efdbe83c874a14282b0105fcec8dc46d9ba1de6496f5d570fa14915b8fd3285 | | 2022-12-22
FileHash-SHA256 | be2bb6f684cd23a66667a563a78ebfa43de4bb958dc0465a830229a9b927b714 | | 2022-12-22
URL | http://1.234.2.232:8080 | | 2022-12-22
URL | http://107.170.39.149:8080 | | 2022-12-22
URL | http://110.232.117.186:8080 | | 2022-12-22
URL | http://119.59.103.152:8080 | | 2022-12-22
URL | http://129.232.188.93:443 | | 2022-12-22
URL | http://139.59.126.41:443 | | 2022-12-22
URL | http://139.59.56.73:8080 | | 2022-12-22
URL | http://149.28.143.92:443 | | 2022-12-22
URL | http://159.89.202.34:443 | | 2022-12-22
URL | http://164.68.99.3:8080 | | 2022-12-22
URL | http://169.60.181.70:8080 | | 2022-12-22
URL | http://172.105.226.75:8080 | | 2022-12-22
URL | http://183.111.227.137:8080 | | 2022-12-22
URL | http://186.194.240.217:443 | | 2022-12-22
URL | http://188.44.20.25:443 | | 2022-12-22
URL | http://206.189.28.199:8080 | | 2022-12-22
URL | http://209.97.163.214:443 | | 2022-12-22
URL | http://45.235.8.30:8080 | | 2022-12-22
URL | http://94.23.45.86:4143 | | 2022-12-22
URL | http://chobemaster.com/INFECTED/LEdXM4gdwN4mgnlC/ | | 2022-12-22
URL | http://cngst.com/data/fXWpDbJ3KwAybE/ | | 2022-12-22
URL | http://kabaruntukrakyat.com/wp-content/ES/ | | 2022-12-22
URL | http://www.spinbalence.com/admin3693/Z6WQpmNRNj6041fU2zpt/ | | 2022-12-22