@Blevene
Blevene / Formbook hashes
Created November 20, 2018 17:28
Formbook, November 19-20 2018
@Blevene
Blevene / Emotet Indicators
Created November 16, 2018 19:58
Emotet Indicators: November 16th, 2018
@Blevene
Blevene / November 13th 2018
Created November 13, 2018 14:40
Emotet IOCs
f887e50af1c99ba73f280e28c7b0581b392782dba0bf2effc72d1719d039152b,
http://www.xianjiaopi.com/41964H/PAY/US/,
http://agrarszakkepzes.hu/Q1iM9mt5a/,
http://agrarszakkepzes.hu/Q1iM9mt5a,
https://www.linktub.com/blog/wp-content/004444BN/com/Business/,
http://www.linktub.com/blog/wp-content/004444BN/com/Business,
http://bandarbola.net/4KMA/PAYMENT/Personal,
d8829e9c2929163f31b001419bb2f9bf88ebf9f92bc1783229ba42b8e1ba8029,
543beab4afdffb67c0b1cdc05a357404c7a9830b50f3e0125c0d57f2fcb8c19e,
7a142698e26899993b4d4b78276c26cde44d3a8fc724bd392e6eb7a5161e0b12,
@Blevene
Blevene / Emotet IOCs
Created November 9, 2018 16:48
Emotet Campaigns: November 9th, 2018
Emotet Campaign 1: https://www.virustotal.com/graph/g9c1d51be17da4d3d856dadb8ce07046e45da445e9dfa4304bc49880d90df381e
@Blevene
Blevene / Emotet indicators
Created November 7, 2018 18:18
Emotet Indicators, November 7th, 2018
@Blevene
Blevene / Modules from 92[.]38.163.10
Created November 6, 2018 20:34
Trickbot Modules
cb1b429cd203a995b05d3f6fcffd703ab78f79d24b6b08a856b0b8a08f564347,
2893c138c1e082ed6a626f5b87d21205245cd68a8f9a21711956a4313131666c,
d19a58e092f4c9eb99d6eff68208fdcbd6c94d35621bab96e98d6030d614b197,
87976b4815c508a22c55d3c8edfa0f7f6466db5681555b2c97a9c92ddab1945a,
hXXp://92.38.163[.]10/MailLer.exe,
hXXp://92.38.163[.]10/mailloggerref.exe,
hXXp://92.38.163[.]10/mailLoggerRef.exe,
hXXp://92.38.163[.]10/LoadStr.exe,
hXXp://92.38.163[.]10/MailClient.exe
@Blevene
Blevene / Emotet Indicators
Created November 6, 2018 17:00
Emotet - November 6th, 2018
Source: https://www.virustotal.com/graph/g73ae9e6a5e604209a65afdbf2a9fa99cdb112ff2c6e64a7b96df0734f81afb7f
@Blevene
Blevene / Trickbot Infra
Created October 31, 2018 14:41
Trickbot Infra 10-31-2018
Per: https://myonlinesecurity.co.uk/fake-companies-house-company-report-delivers-trickbot/
https://www.virustotal.com/#/file/53bf90cafdf5b2c48cef6b70e3d33975379a762206e978b98e0f95d5b5c6cfbe/detection
https://197.232.50.85
https://82.222.40.119:449
https://94.232.20.113
https://5.189.227.109
https://174.105.233.82:449
https://115.78.3.170
https://190.145.74.84:449
@Blevene
Blevene / C2s for Emotet
Created September 21, 2018 16:56
Emotet C2s 9/21
Lure URLs:
http://neurocoachingkm.com.br/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/092018
http://old.gkinfotechs.com/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/092018
http://nigelkarikari.com/urldefense_proofpoint/billpay_bankofamerica_com/PaymentCenter_Index/09_18
C2s
http://96.242.246.128
http://203.198.129.4:8080
@Blevene
Blevene / Emotet Indicators
Created September 4, 2018 16:35
Emotet 9/3/2018 Indicators Courtesy of VirusTotal
1.22.155.6,
104.236.24.85,
133.242.208.183,
159.192.247.138,
160.226.162.79,
178.63.118.195,
181.29.82.117,
187.193.97.96,
189.161.67.1,
189.190.154.29,