Emotet: Updated client with new C2 list

The Emotet botnet updated its clients this morning around 6am EST.

We came across these hashes for the clients:

E1
4969b8145150d8c9d92abd66db2d17b1b54efcece75812ef77e7ef72d955bd19
E2
812e7a6ebdb40271ec0f878a559c29b459527f2e21ef6208e27d34c6808cd662

The following is a list of the C2 addresses that were pulled from the binaries. Please use these to catch any infections that may be present within your environment:

We will continue to monitor and analyze this change and provide any updates as we come across them.

 
