Exposing Emotet's Modern Infrastructure - A Case Study on Tracking Down and Shutting Down Abusive Malware In Direct Cooperation with Abuse Departments

In this post I'll officially attempt to bring down and take offline the Emotet botnet including to actually provide never-published before OSINT type of research analysis on the actual C&C infrastructure behind the Emotet botnet which is one of the most prolific botnets up to present day with the idea to attempt a coordinated take down attempt in direct cooperation with multiple international ISPs and their associated abuse departments for the purpose of bringing it offline.

Sample Emotet known C&C infrastructure servers:

hxxp://109.123.78.10

hxxp://66.54.51.172

hxxp://108.161.128.103

hxxp://195.210.29.237

hxxp://5.35.249.46

hxxp://5.159.57.195

hxxp://206.210.70.175

hxxp://88.80.187.139

hxxp://188.93.174.136

hxxp://130.133.3.7

hxxp://162.144.79.192

hxxp://79.110.90.207

hxxp://72.18.204.17

hxxp://212.129.13.110

hxxp://66.228.61.248

hxxp://193.171.152.53

hxxp://129.187.254.237

hxxp://178.248.200.118

hxxp://133.242.19.182

hxxp://195.154.243.237

hxxp://80.237.133.77

hxxp://158.255.238.163

hxxp://91.198.174.192

hxxp://46.105.236.18

hxxp://205.186.139.105

hxxp://72.10.49.117

hxxp://133.242.54.221

hxxp://198.1.66.98

hxxp://148.251.11.107

hxxp://213.208.154.110

hxxp://192.163.245.236

hxxp://88.80.189.50

hxxp://185.46.55.88

hxxp://173.255.248.34

hxxp://104.219.55.50

hxxp://200.159.128.19

hxxp://198.23.78.98

hxxp://70.32.92.133

hxxp://192.163.253.154

hxxp://192.138.21.214

hxxp://106.187.103.213

hxxp://162.144.80.214

hxxp://128.199.214.100

hxxp://69.167.152.111

hxxp://46.214.107.142

hxxp://195.154.176.172

hxxp://106.186.17.24

hxxp://74.207.247.144

hxxp://209.250.6.60

hxxp://142.34.138.90

hxxp://74.217.254.29

hxxp://212.48.85.224

hxxp://167.216.129.13

hxxp://91.194.151.38

hxxp://162.42.207.58

hxxp://104.28.17.67

hxxp://8.247.6.134

hxxp://5.9.189.24

hxxp://78.129.213.41

hxxp://184.86.225.91

hxxp://107.189.160.196

hxxp://88.208.193.123

hxxp://50.56.135.44

hxxp://184.106.3.194

hxxp://185.31.17.144

hxxp://67.19.105.107

hxxp://218.185.224.231

Including the following C&C infrastructure servers part of Emotet's C&C infrastructure:

103.201.150.209

104.131.11.150

104.131.208.175

104.236.151.95

104.236.246.93

104.236.99.225

105.224.171.102

109.104.79.48

109.73.52.242

111.67.12.221

112.72.9.242

115.124.109.85

115.71.233.127

117.218.133.244

125.99.106.226

125.99.61.162

128.199.78.227

134.196.209.126

136.243.177.26

138.201.140.110

138.219.214.164

138.68.106.4

142.4.198.249

142.93.88.16

144.139.247.220

147.135.210.39

149.62.173.247

159.203.204.126

159.65.241.220

159.65.25.128

162.144.119.216

162.217.250.243

162.243.125.212

167.114.210.191

169.239.182.217

170.247.122.37

173.212.203.26

174.136.14.100

175.100.138.82

176.250.213.131

176.31.200.136

177.242.214.30

177.246.193.139

178.62.37.188

178.79.161.166

178.79.163.131

179.14.2.75

179.32.19.219

179.40.105.76

181.134.105.191

181.15.180.140

181.15.243.22

181.16.127.226

181.171.118.19

181.189.213.231

181.198.67.178

181.231.72.200

181.28.144.64

181.28.248.205

181.39.134.122

181.48.174.242

183.82.97.25

185.129.93.140

185.86.148.222

185.94.252.27

186.138.56.183

186.144.64.31

186.22.209.16

186.23.146.42

186.23.18.211

186.4.167.166

186.4.234.27

186.83.133.253

186.86.177.193

187.149.41.205

187.163.180.243

187.163.222.244

187.178.9.19

187.188.166.192

187.189.195.208

187.242.204.142

188.166.253.46

189.180.84.115

189.196.140.187

189.209.217.49

190.1.37.125

190.102.226.91

190.112.228.47

190.113.233.4

190.117.206.153

190.145.67.134

190.147.12.71

190.186.203.55

190.186.221.50

190.189.112.116

190.189.204.100

190.19.42.131

190.193.131.141

190.230.60.129

190.246.166.217

190.25.255.98

190.36.88.98

190.55.39.215

190.72.136.214

190.97.10.198

191.97.116.232

195.242.117.231

196.6.112.70

197.211.244.6

198.58.114.91

200.107.105.16

200.123.101.90

200.24.248.206

200.28.131.215

200.32.61.210

200.43.231.10

200.57.102.71

200.58.171.51

200.58.83.179

200.80.198.34

200.85.46.122

201.199.89.223

201.212.24.6

201.219.183.243

201.220.152.101

201.231.44.78

201.238.152.20

201.251.229.37

201.252.229.169

202.83.16.150

203.25.159.3

205.186.154.130

206.189.98.125

211.63.71.72

212.71.234.16

213.120.104.180

216.98.148.136

216.98.148.156

217.113.27.158

217.13.106.160

217.92.171.167

219.74.237.49

222.214.218.136

222.214.218.192

225.153.252.228

77.122.183.203

109.123.78.10

66.54.51.172

108.161.128.103

195.210.29.237

5.35.249.46

5.159.57.195

206.210.70.175

88.80.187.139

188.93.174.136

130.133.3.7

162.144.79.192

79.110.90.207

72.18.204.17

212.129.13.110

66.228.61.248

193.171.152.53

129.187.254.237

178.248.200.118

133.242.19.182

195.154.243.237

80.237.133.77

158.255.238.163

91.198.174.192

46.105.236.18

205.186.139.105

72.10.49.117

133.242.54.221

198.1.66.98

148.251.11.107

213.208.154.110

192.163.245.236

88.80.189.50

185.46.55.88

173.255.248.34

104.219.55.50

200.159.128.19

198.23.78.98

70.32.92.133

192.163.253.154

192.138.21.214

106.187.103.213

162.144.80.214

128.199.214.100

69.167.152.111

46.214.107.142

195.154.176.172

106.186.17.24

74.207.247.144

209.250.6.60

142.34.138.90

74.217.254.29

212.48.85.224

167.216.129.13

91.194.151.38

162.42.207.58

104.28.17.67

8.247.6.134

5.9.189.24

78.129.213.41

184.86.225.91

107.189.160.196

88.208.193.123

50.56.135.44

184.106.3.194

185.31.17.144

67.19.105.107

218.185.224.231

Sample actionable intelligence on Emotet's C&C infrastructure:

Abuse Departments Primary Contact Points Involved in this Take Down Campaign Include:

noc@premianet.com

eig-abuse@endurance.com

cschelp@gov.bc.ca

complaints@cari.net

abuse@youbroadband.in

abuse@websupport.sk

abuse@webfusion.com

abuse@vps.net

abuse@trueinternet.co.th

abuse@tpnet.co.nz

abuse@telstra.net

abuse@telkomsa.net

abuse@tektonic.net

abuse@softlayer.com

abuse@skymedia.mn

abuse@sky.uk

abuse@rackspace.com

abuse@ovh.net

abuse@ovh.ca

abuse@nextlayer.at

abuse@netnames.com

abuse@mediatemple.net

abuse@lrz.de

abuse@liquidweb.com

abuse@linode.com

abuse@hetzner.com

abuse@hathway.net

abuse@fu-berlin.de

abuse@fasthosts.co.uk

abuse@expedient.com

abuse@dxc.com

abuse@dion.ne.jp

abuse@digitalocean.com

abuse@contabo.de

abuse@cloudflare.com

abuse@btopenworld.com

abuse@bluehost.com

abuse@atlantic.net

abuse@as47195.net

abuse@akamai.com

abuse@actcorp.in

abuse@123-reg.co.uk

sainfo@netsuite.com

support@premianet.com

noc@inap.com

noc@cybertrails.net

ipaddressing@level3.com

info@mellowhost.com

ipadmin@gov.bc.ca

network@cari.net

admin@armourcloud.io

gr.sridhar@youbroadband.co.in

info@websupport.sk

abuse@uk2group.com

ipadmin@trueinternet.co.th

tim@initech.co.nz

addressing@telstra.net

pieter@saix.net

abuse@telekom.de

matta@tektonic.net

abuse@ta.telecom.com.ar

ipadmin@softlayer.com

curtis1977@us.ibm.com

soyoloo@skymedia.mn

hostmaster@sky.uk

abuse@rapidswitch.com

hostmaster@rackspace.com

noc@ovh.net

abuse@online.net

ripe@online.net

noc@nextlayer.at

sys-ripe@netnames.com

dnsadmin@mediatemple.net

ipadmin@lrz.de

ipadmin@liquidweb.com

support@linode.com

abuse@hostturka.com

abuse@hostopia.com.au

ripe@hetzner.com

abuse@hekko.pl

vijaym@hathway.net

admin-c@fu-berlin.de

networks@fasthosts.com

ipm@expedient.com

abuse@esds.co.in

ipaddr@dxc.com

rir@cloudflare.com

btretail.ipam@bt.com

eig-net-team@endurance.com

eig-noc@endurance.com

ip-admin@atlantic.net

noc@as47195.net

ip-admin@akamai.com

tech.support@incredible.actcorp.in

ip-admin@actcorp.in

ripe@webfusion.com

sknetwork2012@gmail.com

hostmaster@twl-kom.de

idc_sales@daou.co.kr

hostmaster@bsnl.in

alejandro@patagoniadata.com.ar

jpinazo@axarnet.es

hello@syn.one

operations@hostafrica.co.za

nestorbonfante66@gmail.com

nic_tech@megacable.com.mx

ipadmin@tigo.com.co

admin.internet.co@telefonica.com

tasamail.ar@telefonica.com

adminternet@une.net.co

noc@megaservers.de

wimpie@letaba.net

andrew.alston@liquidtelecom.com

domains@send.itto.us

tech@duruan.co.kr

albert@web.am

pda@1b.hu

hostmaster@singnet.com.sg

anti-spam@ns.chinanet.cn.net

avmc@ctvnet.dp.ua

d.pastian@terralink.de

claude.demuth@lu-cix.lu

scharwitzl@bmlv.gv.at

bz@giganet.hu

mass-ripe@heg.com

noc@wikimedia.org

hostmaster@nic.ad.jp

noc@digitalocean.com

noc@next-gen.ro

rir-admin@fastly.com

Sample hostnames acting as Emotet C&C infrastructure servers:

zabbix-sakura2.anthill.jp

www.zedat.fu-berlin.de

www.snowmobile.gov.bc.ca

www.netdoktor.at

www.cceca.ca

www.bmlv.gv.at

www-riedle.transfermarkt.de

wp308.webpack.hosteurope.de

vps.cournoyer17.info

vmh17370.hosting24.com.au

vmd61678.contaboserver.net

universidadedoingles.com.br

twojj.com

trc-200-107-105-16.trcnet.com.ar

text-lb.esams.wikimedia.org

testwerk.org

static.bb.ahd.117.218.133.244.bsnl.in

static.24.189.9.5.clients.your-server.de

static.110.140.201.138.clients.your-server.de

static.107.11.251.148.clients.your-server.de

static-ip-cr1901471271.cable.net.co

static-ip-cablemodem-190.186.221.50.cotas.com.bo

static-ip-cablemodem-190.186.203.55.cotas.com.bo

static-ip-adsl-200.58.171.51.cotas.com.bo

static-200-58-83-179.supernet.com.bo

static-190-25-255-98.static.etb.net.co

snaplive.org

shopping.netsuite.com

server90240.uk2net.com

server88-208-193-123.live-servers.net

server.driveclassic.com

sapper.ethii.com

rtw7-rfpn.accessdomain.com

rs250366.rs.hosteurope.de

roadbikesales.com.au

rmolina.mx

rb2.leevee.it

popdesigngroup.com

pd95caba7.dip0.t-ipconnect.de

ovz06.gamesdom.com

ny-1.robbiebyrd.com

ns2.hospemex.com

ns2.datatrust.com.br

niotek.vservers.es

mail2.rhubarb-cs.com

mail.ps4hacked.es

mail.behaplastik.com

lvps109-104-79-48.vps.webfusion.co.uk

li89-144.members.linode.com

li695-139.members.linode.com

li616-91.members.linode.com

li318-248.members.linode.com

li301-131.members.linode.com

li299-166.members.linode.com

lasvegas-nv-datacenter.com

israel-studies.com

ip.77.122.183.203.dynamic.krr.volia.net

host90.200-123-101.static.telmex.net.ar

host37.170-247-122.netacebal.com.ar

host233-004.vccfranck.com.ar

host22.181-15-243.telecom.net.ar

host213-120-104-180.in-addr.btopenworld.com

host190.102.226.91.dynamic.pacificonet.cl

host181-189-213-231.wilnet.com.ar

host169.201-252-229.telecom.net.ar

host140.181-15-180.telecom.net.ar

host129.190-230-60.telecom.net.ar

host.thehiddencollective.com

host-186-4-234-27.netlife.ec

host-186-4-167-166.netlife.ec

host-181-16-127-226.telered.com.ar

hirlevel.uniweb.hu

hh4.secureserver.net.nz

h2041.gfsrv.net

gbg1.0x0.network

fixed-187-189-195-208.totalplay.net

enterprise.hellokrd.net

dynamic-ip-18686177193.cable.net.co

dynamic-ip-18683133253.cable.net.co

dynamic-ip-1861446431.cable.net.co

dsrecordings.com

dsl-189-180-84-115-dyn.prod-infinitum.com.mx

dsl-187-149-41-205-dyn.prod-infinitum.com.mx

dmj.southo.net

dinamic-tigo-179-14-2-75.tigo.com.co

customer.megaservers.de

customer-tgz-204-142.megared.net.mx

customer-smal-140-187.megared.net.mx

customer-qro-214-30.megared.net.mx

customer-col-193-139.megared.net.mx

customer-201-219-183-243.megacable.com.ar

cpe-190-55-39-215.telecentro-reversos.com.ar

cpe-186-23-18-211.telecentro-reversos.com.ar

cpe-186-23-146-42.telecentro-reversos.com.ar

cpe-186-22-209-16.telecentro-reversos.com.ar

comadosa.mx

cm-134-196-209-126.revip18.asianet.co.th

cable-181-134-105-191.une.net.co

bscloud.vps.wbsprt.com

bsbdb01.bsb.lrz.de

broadband.actcorp.in

bcairquality.ca

bb219-74-237-49.singnet.com.sg

b0fad583.bb.sky.com

aol-dial-200-57-102-71.zone-0.ip.static-ftth.axtel.net.mx

act2028316150.broadband.actcorp.in

a184-86-225-91.deploy.static.akamaitechnologies.com

82-138-100-175.static.youbroadband.in

78-44-231-201.fibertel.com.ar

64-144-28-181.fibertel.com.ar

62.4e.17c6.ip4.static.sl-reverse.com

505139.vps-10.com

46-214-107-142.next-gen.ro

40-24-mail.arylump.net

39.ip-147-135-210.eu

368940.customer.zol.co.zw

217-166-246-190.fibertel.com.ar

212-129-13-110.rev.poneytelecom.eu

210.advance.com.ar

205-248-28-181.fibertel.com.ar

201-251-229-37.mrse.com.ar

201-212-24-6.cab.prima.net.ar

200.80.198.34.static.techtelnet.net

200-72-231-181.cab.prima.com.ar

200-28-131-215.baf.movistar.cl

200-159-128-19.winfnet.com.br

20.201-238-152.etapanet.net

198-1-66-98.unifiedlayer.com

195-154-243-237.rev.poneytelecom.eu

195-154-176-172.rev.poneytelecom.eu

192.218.214.222.broad.ab.sc.dynamic.163data.com.cn

192-163-253-154.unifiedlayer.com

192-163-245-236.unifiedlayer.com

190-97-10-198.bvconline.com.ar

190-72-136-214.dyn.dsl.cantv.net

190-36-88-98.dyn.dsl.cantv.net

190-1-37-125.bvconline.com.ar

19-118-171-181.fibertel.com.ar

189-209-217-49.static.axtel.net

187-178-9-19.dynamic.axtel.net

187-163-222-244.static.axtel.net

187-163-180-243.static.axtel.net

183-56-138-186.fibertel.com.ar

179-40-105-76.mrse.com.ar

164.214.219.138.dynamic.grupoequis.com.ar

162-144-80-214.unifiedlayer.com

162-144-79-192.unifiedlayer.com

162-144-119-216.unifiedlayer.com

141-131-193-190.cab.prima.net.ar

136.218.214.222.broad.ab.sc.dynamic.163data.com.cn

131-42-19-190.fibertel.com.ar

116-112-189-190.cab.prima.net.ar

105-224-171-102.south.dsl.telkomsa.net

101.152.220.201.itc.com.ar

100-204-189-190.cab.prima.net.ar

Stay tuned!