216.73.217.22

WebDAV-as-a-Service: Uncovering the infrastructure behind Emmenhtal loader distribution - Sekoia.io Blog

· Published 19/09/2024 19:34 · Modified 19/09/2024 20:37

Export JSON

Essential information

Published
19/09/2024 19:34
Modified
19/09/2024 20:37
Tags
2024-09-19 clearfake darkgate dcrat emmenhtal google cloud marko polo peaklight selfau3 webdav zgrat
Related entities
120 observables, 3 techniques (mitre), 16 malware, 5 others

Description

The loader, also known as , operates in a memory-only manner, making it difficult to detect and analyse. It is primarily used to distribute other malicious payloads, including well-known infostealers that target sensitive information.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (120)

  • 95.216.196.85
  • 95.164.68.24
  • 94.156.8.31
  • 94.156.69.6
  • 94.156.69.111
  • 94.156.65.130
  • 94.156.64.76
  • 94.156.65.126
  • 94.156.64.74
  • 92.118.112.253
  • 94.131.112.206
  • 92.118.112.223
  • 91.92.254.225
  • 91.92.254.167
  • 91.92.253.126
  • 91.92.251.35
  • 91.92.250.150
  • 91.92.250.44
  • 91.92.250.123
  • 91.92.248.90
  • 91.92.248.77
  • 91.92.248.50
  • 91.92.248.129
  • 91.92.246.102
  • 91.92.243.74
  • 91.92.243.198
  • 91.92.240.29
  • 91.92.240.247
  • 91.92.240.234
  • 89.23.113.140
  • 89.23.107.67
  • 89.23.107.251
  • 89.23.107.244
  • 89.23.107.240
  • 89.23.107.181
  • 89.23.107.168
  • 89.23.107.123
  • 89.23.103.97
  • 89.23.107.113
  • 89.23.103.8
  • 89.23.103.56
  • 89.23.103.57
  • 89.23.103.253
  • 89.23.103.205
  • 89.23.103.188
  • 89.23.103.15
  • 89.23.103.118
  • 89.23.103.123
  • 89.110.78.58
  • 82.115.223.234
  • 84.247.187.231
  • 79.137.203.158
  • 78.153.139.202
  • 62.133.61.98
  • 62.133.61.97
  • 62.133.61.90
  • 62.133.61.79
  • 62.133.61.69
  • 62.133.61.73
  • 62.133.61.49
  • 62.133.61.37
  • 62.133.61.240
  • 62.133.61.207
  • 62.133.61.189
  • 62.133.61.168
  • 62.133.61.155
  • 62.133.61.148
  • 62.133.61.106
  • 62.133.61.104
  • 46.29.234.129
  • 62.133.61.101
  • 45.151.62.238
  • 212.18.104.111
  • 200.150.194.109
  • 206.188.196.28
  • 194.87.252.22
  • 194.190.152.108
  • 193.233.75.13
  • 191.243.196.114
  • 185.196.8.158
  • 185.143.223.188
  • 178.209.51.222
  • 168.100.9.199
  • 151.236.17.180
  • 147.45.79.82
  • 147.45.50.86
  • 147.45.50.57
  • 147.45.50.34
  • 147.45.50.23
  • 147.45.50.26
  • 147.45.50.214
  • 147.45.50.172
  • 147.45.50.144
  • 147.45.50.142
  • 141.98.234.166
  • 147.45.178.54
  • 104.131.7.207
  • 193.124.33.71
  • 91.92.245.222
  • 62.133.61.56
  • 62.133.61.43
  • 62.133.61.26
  • 91.92.245.185
  • 91.202.233.136
  • http://94.156.64.74/Downloads/SecretTeachings.pdf.lnk
  • http://91.92.251.35/Downloads/solaris-docs.lnk
  • http://92.118.112.253/Downloads/releaseform.pdf.lnk
  • http://91.92.243.198:81/Downloads/test.lnk
  • http://89.23.107.67/Downloads/2023-Documents%20Shared.lnk
  • http://89.23.107.244/Downloads/Test.lnk
  • http://62.133.61.73/Downloads/Photo.lnk
  • http://89.23.103.56/Downloads/Videof/Full%20Video%20HD%20%281080p%29.lnk
  • http://62.133.61.37/Downloads/config.txt.lnk
  • http://62.133.61.104/Downloads/test.pdf.lnk
  • http://62.133.61.101/Downloads/Invoice.pdf.lnk
  • http://206.188.196.28/Downloads/example.lnk
  • http://147.45.50.57/Downloads/INVOICE%20340138551.pdf.lnk
  • http://151.236.17.180/Wire%20Confirmation/WireConfirmation.pdf.lnk
  • http://147.45.79.82/Downloads/qqeng.pdf.lnk
  • http://147.45.50.214/Downloads/demo.pdf.lnk

Techniques (MITRE) (3)

  • T1199
    Trusted Relationship
  • T1218
    System Binary Proxy Execution
  • T1027
    Obfuscated Files or Information

Malware (16)

  • Deer Stealer
    Family
    Published 19/09/2024 19:34 · Modified 19/09/2024 19:34
  • Stealit
    Family
    Published 11/10/2025 02:50 · Modified 11/10/2025 02:50
  • SelfAU3
    Family
    Published 19/09/2024 19:34 · Modified 19/09/2024 19:34
  • ACR Stealer
    Family
    Published 19/02/2026 16:01 · Modified 19/02/2026 16:01
  • Meduza Stealer
    Family
    Published 20/08/2025 18:39 · Modified 20/08/2025 18:39
  • CryptBot
    Family
    Published 04/04/2025 07:07 · Modified 04/04/2025 07:07
  • DanaBot
    Family
    Published 03/11/2025 14:28 · Modified 03/11/2025 14:28
  • DarkGate
    Family
    Published 21/08/2025 21:03 · Modified 21/08/2025 21:03
  • Remcos
    Family
    Published 05/05/2026 18:45 · Modified 05/05/2026 18:45
  • Lumma
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 23:50 · Modified 21/12/2025 16:13
  • XWorm
    Family
    Published 27/03/2026 08:45 · Modified 27/03/2026 08:45
  • Redline
    Family
    Published 08/05/2026 11:31 · Modified 08/05/2026 11:31
  • GuLoader
    Family
    Published 19/09/2024 19:34 · Modified 19/09/2024 19:34
  • Amadey
    Family The MITRE Corporation Confidence 100

    [Amadey](https://attack.mitre.org/software/S1025) is a Trojan bot that has been used since at least October 2018.(Citation: Korean FSI TA505 2020)(Citation: BlackBerry Amadey 2020)

    First seen 01/01/1970 · Last seen 16/11/5138 Published 14/07/2022 19:30 · Modified 27/03/2026 01:03
  • zgRAT
    Family
    Published 21/08/2025 00:37 · Modified 21/08/2025 00:37
  • AsyncRAT
    Family
    Published 11/06/2026 16:31 · Modified 11/06/2026 16:31

Others (5)

  • Gaming
  • Cryptocurrency
  • Technology
  • Media
  • Financial

External references