WebDAV-as-a-Service: Uncovering the infrastructure behind Emmenhtal loader distribution - Sekoia.io Blog

Sept. 19, 2024, 8:37 p.m.

Description

The Emmenhtal loader, also known as PeakLight, runs entirely in memory and leaves no payload on disk, which makes it difficult to detect and analyse. It is used primarily as a first stage to deliver other malicious payloads, including well-known infostealers that harvest credentials and other sensitive data. The indicators below are the hosting infrastructure and the .lnk lure URLs observed in this distribution chain.

Date

  • Created: Sept. 19, 2024, 7:34 p.m.
  • Published: Sept. 19, 2024, 7:34 p.m.
  • Modified: Sept. 19, 2024, 8:37 p.m.

Indicators

  • 95.216.196.85
  • 95.164.68.24
  • 94.156.8.31
  • 94.156.69.6
  • 94.156.69.111
  • 94.156.65.130
  • 94.156.64.76
  • 94.156.65.126
  • 94.156.64.74
  • 92.118.112.253
  • 94.131.112.206
  • 92.118.112.223
  • 91.92.254.225
  • 91.92.254.167
  • 91.92.253.126
  • 91.92.251.35
  • 91.92.250.150
  • 91.92.250.44
  • 91.92.250.123
  • 91.92.248.90
  • 91.92.248.77
  • 91.92.248.50
  • 91.92.248.129
  • 91.92.246.102
  • 91.92.243.74
  • 91.92.243.198
  • 91.92.240.29
  • 91.92.240.247
  • 91.92.240.234
  • 89.23.113.140
  • 89.23.107.67
  • 89.23.107.251
  • 89.23.107.244
  • 89.23.107.240
  • 89.23.107.181
  • 89.23.107.168
  • 89.23.107.123
  • 89.23.103.97
  • 89.23.107.113
  • 89.23.103.8
  • 89.23.103.56
  • 89.23.103.57
  • 89.23.103.253
  • 89.23.103.205
  • 89.23.103.188
  • 89.23.103.15
  • 89.23.103.118
  • 89.23.103.123
  • 89.110.78.58
  • 82.115.223.234
  • 84.247.187.231
  • 79.137.203.158
  • 78.153.139.202
  • 62.133.61.98
  • 62.133.61.97
  • 62.133.61.90
  • 62.133.61.79
  • 62.133.61.69
  • 62.133.61.73
  • 62.133.61.49
  • 62.133.61.37
  • 62.133.61.240
  • 62.133.61.207
  • 62.133.61.189
  • 62.133.61.168
  • 62.133.61.155
  • 62.133.61.148
  • 62.133.61.106
  • 62.133.61.104
  • 46.29.234.129
  • 62.133.61.101
  • 45.151.62.238
  • 212.18.104.111
  • 200.150.194.109
  • 206.188.196.28
  • 194.87.252.22
  • 194.190.152.108
  • 193.233.75.13
  • 191.243.196.114
  • 185.196.8.158
  • 185.143.223.188
  • 178.209.51.222
  • 168.100.9.199
  • 151.236.17.180
  • 147.45.79.82
  • 147.45.50.86
  • 147.45.50.57
  • 147.45.50.34
  • 147.45.50.23
  • 147.45.50.26
  • 147.45.50.214
  • 147.45.50.172
  • 147.45.50.144
  • 147.45.50.142
  • 141.98.234.166
  • 147.45.178.54
  • 104.131.7.207
  • 193.124.33.71
  • 91.92.245.222
  • 62.133.61.56
  • 62.133.61.43
  • 62.133.61.26
  • 91.92.245.185
  • 91.202.233.136
  • http://94.156.64.74/Downloads/SecretTeachings.pdf.lnk
  • http://91.92.251.35/Downloads/solaris-docs.lnk
  • http://92.118.112.253/Downloads/releaseform.pdf.lnk
  • http://91.92.243.198:81/Downloads/test.lnk
  • http://89.23.107.67/Downloads/2023-Documents%20Shared.lnk
  • http://89.23.107.244/Downloads/Test.lnk
  • http://62.133.61.73/Downloads/Photo.lnk
  • http://89.23.103.56/Downloads/Videof/Full%20Video%20HD%20%281080p%29.lnk
  • http://62.133.61.37/Downloads/config.txt.lnk
  • http://62.133.61.104/Downloads/test.pdf.lnk
  • http://62.133.61.101/Downloads/Invoice.pdf.lnk
  • http://206.188.196.28/Downloads/example.lnk
  • http://147.45.50.57/Downloads/INVOICE%20340138551.pdf.lnk
  • http://151.236.17.180/Wire%20Confirmation/WireConfirmation.pdf.lnk
  • http://147.45.79.82/Downloads/qqeng.pdf.lnk
  • http://147.45.50.214/Downloads/demo.pdf.lnk
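
Every URL indicator above has the same shape: a .lnk file, often with a double extension such as .pdf.lnk, fetched over plain HTTP from a bare IPv4 host under a /Downloads/ path. The following is an added example (not code from the Sekoia.io report) that matches web-proxy log lines against a subset of the indicators listed above and, separately, flags that shape as a heuristic so that new servers not yet on the list are still surfaced. The proxy log format, the sample log lines, the 203.0.113.5 host and the heuristic rule are constructed for illustration; only the IOC values are taken from the list above.

```python
"""IOC matching and a shape-based heuristic over constructed proxy log lines.

Added example; the IOC_IPS / IOC_URLS values are copied from the report's
Indicators section, everything else (log format, sample lines, heuristic)
is constructed for illustration.
"""
import ipaddress
import re
from typing import Iterable, List, Optional
from urllib.parse import unquote, urlsplit

# Subset of the report's indicators (bare IPs and full .lnk URLs).
IOC_IPS = {
    "94.156.64.74", "91.92.251.35", "92.118.112.253", "91.92.243.198",
    "89.23.107.67", "62.133.61.73", "147.45.50.57", "151.236.17.180",
}
IOC_URLS = {
    "http://94.156.64.74/Downloads/SecretTeachings.pdf.lnk",
    "http://91.92.243.198:81/Downloads/test.lnk",
    "http://147.45.50.57/Downloads/INVOICE%20340138551.pdf.lnk",
    "http://151.236.17.180/Wire%20Confirmation/WireConfirmation.pdf.lnk",
}


def normalize_url(url: str) -> str:
    """Canonical form for comparison: lowercase scheme and host, drop the
    default port, percent-decode the path so 'INVOICE%20x' == 'INVOICE x'."""
    p = urlsplit(url.strip())
    host = (p.hostname or "").lower()
    port = p.port
    default = (p.scheme == "http" and port == 80) or (p.scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"  # non-default ports (e.g. :81) are part of the IOC
    return f"{p.scheme.lower()}://{host}{unquote(p.path)}"


NORMALIZED_IOC_URLS = {normalize_url(u) for u in IOC_URLS}

# Constructed proxy log format: "<ts> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def is_bare_ipv4(host: str) -> bool:
    try:
        return isinstance(ipaddress.ip_address(host), ipaddress.IPv4Address)
    except ValueError:
        return False


def lnk_from_bare_ip(url: str) -> bool:
    """Heuristic (ours, not from the report): a .lnk fetched over plain HTTP
    from a bare IPv4 host, the shape shared by every URL in the IOC list."""
    p = urlsplit(url)
    path = unquote(p.path).lower()
    return p.scheme == "http" and is_bare_ipv4(p.hostname or "") and path.endswith(".lnk")


def classify(line: str) -> Optional[dict]:
    """Return the parsed line with a list of hit labels, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = m["url"]
    host = urlsplit(url).hostname or ""
    hits: List[str] = []
    if normalize_url(url) in NORMALIZED_IOC_URLS:
        hits.append("ioc_url")
    if host in IOC_IPS:  # catches PROPFIND / directory listings on a known host too
        hits.append("ioc_ip")
    if lnk_from_bare_ip(url):
        hits.append("lnk_from_bare_ip")
    return {"client": m["client"], "method": m["method"], "url": url, "hits": hits}


def scan(lines: Iterable[str]) -> List[dict]:
    """Keep only parsed lines that triggered at least one hit."""
    return [r for r in (classify(l) for l in lines) if r and r["hits"]]


# Constructed sample proxy log. 203.0.113.5 is documentation space, not an IOC.
SAMPLE_LOG = """\
2024-09-19T18:01:02Z 10.0.0.12 GET http://94.156.64.74/Downloads/SecretTeachings.pdf.lnk 200
2024-09-19T18:01:05Z 10.0.0.12 GET http://91.92.243.198:81/Downloads/test.lnk 200
2024-09-19T18:02:11Z 10.0.0.17 GET http://147.45.50.57/Downloads/INVOICE%20340138551.pdf.lnk 200
2024-09-19T18:03:40Z 10.0.0.21 GET http://203.0.113.5/share/Quote.pdf.lnk 200
2024-09-19T18:04:00Z 10.0.0.21 GET https://example.com/docs/manual.pdf 200
2024-09-19T18:04:30Z 10.0.0.23 PROPFIND http://62.133.61.73/Downloads/ 207
"""

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG.splitlines()):
        print(r["client"], r["method"], ",".join(r["hits"]), r["url"])
```

The exact-URL match is normalized on both sides so that percent-encoding differences and non-default ports do not cause misses, while the host match alone is enough to surface WebDAV traffic such as a PROPFIND to a listed server that never fetches a .lnk. The heuristic hit on 203.0.113.5 is the point of the third rule: the lure shape is more durable than any single IP, and a hit on an unlisted host is a candidate for adding to the block list after review.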

Attack Patterns

  • Deer Stealer
  • Stealit
  • SelfAU3
  • ACR Stealer
  • Meduza Stealer
  • CRYPTBOT
  • DanaBot
  • DarkGate
  • Remcos
  • Lumma
  • Xworm
  • Redline
  • GuLoader
  • Amadey
  • zgRAT
  • AsyncRAT

Additional Information

  • Gaming
  • Cryptocurrency
  • Technology
  • Media
  • Financial