## Emotet Malware Document links/IOCs for 09/13/18 as of 09/13/18 23:59 ##
*Notes and Credits now at the bottom* Follow me on twitter @jroosen for more updates.
#### Epoch 1 Document/Downloader links seen for 09/13/18 ####
```
Seen only in .doc attachments.
```
#### Epoch 2 Document/Downloader links seen for 09/13/18 ####
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
#### SHA256s for Epoch 1 Payload EXEs seen on 09/13/18 ####
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
#### SHA256s for Epoch 2 Payload EXEs seen on 09/12/18 ####
#### Epoch 1 C2s by port ####
`+` indicates new/returned since last posting
#### Epoch 2 C2s by port ####
`+` indicates new/returned since last posting
#### Credits and Notes Section ####
Updated 7/13/18
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture: https://pastebin.com/u/jroosen
NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list. I am providing them for your benefit in case you want to parse them to be sure.
UPDATED (08/31/18): Epoch 1 is back! For several days in a row it has been on the scene!
What is Epoch 1 and Epoch 2?
Epoch 1 and 2 are two distinct chains of payloads that I have been tracking for a couple of weeks now. Epoch 2 is currently the larger group of hosts and I think it is the main push of Emotet. Epoch 2 WAS a smaller, more rapidly changing version of Emotet that tended to change the hash of the document every 45-60 minutes and sometimes had new payloads that fast also. Epoch 1 seems to change payloads every 3-6 hours now and hashes change sometimes as fast as every hour. Epoch 1 may now be the development chain, but I am not 100% sure what they are up to. Checking either epoch host at a point in time will deliver a document that has payloads that are different from the other epoch. That means epoch 1 may have payloads of a,b,c,d,e and epoch 2 will then have z,y,x,w,v. Sites sometimes move from one epoch to the other, but I have never seen the same exact directory go from one epoch to the other. It is always a new directory for the change in epoch as far as I have seen.
#### Community Lists ####
#### Credits ####
(OC and combination work)
Doc DL URLs - @unixronin, @ps66uk, @avman1995, @dms1899, @Bitterman59, @pollo290987, @James_inthe_box, @malware_traffic
C2 info - @pollo290987, @unixronin
Payloads - @AmirRedh, @unixronin, @ps66uk, @pollo290987, @James_inthe_box, @dms1899, @MalSpamHunter, @Bitterman59, @malware_traffic
Special thanks to @2sec4u, @unixronin, @pollo290987/@ps66uk for creating scripts/servers/infrastructure and helping out with all of this!
Very special thanks to @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch and @Virustotal!
#### Daily Log ####
Turns out I tripped the spam filter on Github and my account was flagged for manual review, and that was the real issue. It was re-enabled this morning quickly after explaining the issue to support. Good experience with support so far, and night and day compared to Failbin.
Today I saw a few more Doc attachments from epoch 2 and most of them were in English this time. There was not the volume we had on previous days and it seemed like activity was backing off today. Also, there was a change in the VBA macro obfuscation that @unixronin documented in his post: https://pastebin.com/jsKUQ9QA
It is worth noting that this week we have seen both epoch 1 and 2 dropping Trickbot. If you run the payloads near 5-8am EDT for a significant number of minutes, you will likely get Trickbot, it seems.
Not much else to speak of so far and we will see what tomorrow brings.
#### Sandbox 09/13/18 ####
(all with fakenet and MITM unless spam/secondary infection)
Epoch 1 deploying Trickbot at 06:39 https://app.any.run/tasks/fd35ae0e-21cf-4b5e-8697-b92e3023be88
Epoch 2 deploying Trickbot at 05:30 https://app.any.run/tasks/de3a7c15-bf5e-4eb0-bd9c-f6528c2387f8
Epoch 1 C2 run as of 09/14 at 00:30 https://app.any.run/tasks/4c91df1f-37e9-4383-b0b4-b1fbec507d18
Epoch 2 C2 run as of 09/13 at 23:15 https://app.any.run/tasks/afe1515a-7f87-4386-b779-644c4185b33a