jroosen

Emotet Malware IoCs 09/13/18

Sep 14th, 2018

## Emotet Malware Document links/IOCs for 09/13/18 as of 09/13/18 23:59 ##
*Notes and Credits now at the bottom* Follow me on Twitter @jroosen for more updates.

#### Epoch 1 Document/Downloader links seen for 09/13/18 ####
```

Seen only in .doc attachments.

```
#### Epoch 2 Document/Downloader links seen for 09/13/18 ####
```
http://110.164.86.203/wp-content/uploads/3SFQJLDG/identity/Commercial/
http://198.61.187.137/project/86AYMJ/com/Commercial/
http://1energy.sk/20QSVKI/SWIFT/US/
http://2x2print.com/404700RTYT/SEP/US/
http://abakus-biuro.net/8539JHLOM/PAYROLL/Business/
http://aile.pub/online.refund.Dvla.tax31000838/7GYOFZTT/PAYROLL/Personal/
http://alabd-group.com/77EKMMGZ/BIZ/Business/
http://alwaysaway.co.uk/doc/En/Paid-Invoices/
http://amanita.com.my/903XOZ/PAYMENT/Business/
http://apicecon.com.br/09012NQNFL/ACH/Smallbusiness/
http://ardan.net/766646CVIO/PAYMENT/Smallbusiness/
http://arianrayaneh.com/multimedia/4842RSTT/PAYROLL/Personal/
http://bangkoktailor.biz/87CJSYV/PAYROLL/Commercial/
http://bavmed.ru/DOC/US_us/Invoices-Overdue/
http://bfs-dc.com/91964Z/PAYMENT/Business/
http://bhgjxx.com/temp_6bd6c6c42b5ae81a4aa32aa263d99731/7351KFBDB/BIZ/Personal/
http://binfish.ru/Sep2018/US_us/Past-Due-Invoice/
http://blockcoin.co.in/files/EN_en/Paid-Invoice/
http://bramlvx.com/544VXZXGHZ/PAYROLL/US/
http://byacademy.fr/8706937YGVMNXM/PAYMENT/Smallbusiness/
http://callansweringservicesoftware.com/Download/US/Service-Report-40234/
http://casellamoving.com/69VQINXXJO/PAYROLL/Smallbusiness/
http://challengerballtournament.com/418416IFUJ/biz/Personal/
http://cleverspain.com/9QJAAPWCD/PAYROLL/US/
http://collaborativeeconomyconference.com/55887OPVDW/oamo/Smallbusiness/
http://cqfsbj.cn/8440684LVDKMWSR/PAYMENT/Commercial/
http://cuentocontigo.net/5647VKHPSPV/SWIFT/Commercial/
http://damiro.de/8EXFB/SWIFT/Smallbusiness/
http://dansha-solutions.com/7574AFQXZHK/PAYMENT/Smallbusiness/
http://daveandbrian.com/535287ONSAJHOA/identity/Smallbusiness/
http://demicolon.com/dvrguru_revoerror/image/53LA/SWIFT/Business/
http://demo.5v13.com/7498QLQMJLSN/SWIFT/US/
http://demo1.lineabove.com/789075RLRZBZFZ/oamo/Personal/
http://downinthecountry.com/048XUQTPIV/identity/Personal/
http://duanvinhomeshanoi.net/000NAIDPEJ/BIZ/Smallbusiness/
http://duratransgroup.com/1721558FYLUIW/BIZ/US/
http://egomall.net/537173GAPZ/ACH/Personal/
http://elidefire.my/9367677BZCEQILW/PAYROLL/Business/
http://europroject.ro/3482AE/PAYROLL/Business/
http://exxot.com/47BSUIJP/SEP/Smallbusiness/
http://faratfilm.pl/86NH/PAYMENT/Business/
http://farmasi.uin-malang.ac.id/wp-content/935ACFZSO/identity/Commercial/
http://farozyapidenetim.com/907041JXJMTHC/identity/Commercial/
http://fluorescent.cc/default/En/Outstanding-Invoices/
http://folio101.com/29859NATGFOHJ/PAYROLL/Commercial/
http://furnfeathers.co.uk/5IUIMNRBK/PAYMENT/US/
http://g7wenden.de/Document/En/Document-needed/
http://grupoembatec.com/4166240YQ/WIRE/US/
http://hotelnoraipro.com/7932969XCYUKCM/PAYMENT/US/
http://httpyiwujiadianweixiu.xyz/Corporation/En/Service-Invoice/
http://imcfilmproduction.com/319952SLB/WIRE/Commercial/
http://ingebo.cl/Document/EN_en/Inv-566468-PO-8B393306/
http://ingridkaslik.com/48NJTKNT/SEP/Commercial/
http://inmayjose.es/614K/SEP/US/
http://jealousproductions.co.uk/6JHJYPMY/PAYROLL/Business/
http://jtjdoprava.sk/146FEIYQZ/PAYMENT/Business/
http://jxbaohusan.com/408019WUPITIGG/PAYROLL/Personal/
http://karkasdom.dp.ua/7705752ZMA/BIZ/Personal/
http://kdsk.ru/823VOKKH/identity/Commercial/
http://kpopstarz.kienthucsong.info/Corporation/EN_en/Outstanding-Invoices/
http://krasrazvitie.ru/3870029HXHQBIM/PAYMENT/Personal/
http://kuganha.com/3365EPXTN/PAYROLL/Business/
http://lauraolmedilla.com/doc/En/Sales-Invoice/
http://leedye.com/6NP/PAYMENT/Personal/
http://leulocati.com/297WQR/BIZ/Commercial/
http://loristjohns.dabdemo.com/default/US_us/8-Past-Due-Invoices/
http://lulagraysalon.com/220695DTM/PAYMENT/Smallbusiness/
http://madarpoligrafia.pl/DOC/En_us/FILE/US_us/Scan/
http://mail.vivafascino.com/470MXIBGD/SWIFT/Business/
http://mainpartners.eu/6287508P/oamo/US/
http://making-money-today.club/8827362NKRM/com/US/
http://maxi-kuhni.ru/579653B/SWIFT/Commercial/
http://med-up.pl/INFO/EN_en/Invoice-for-e/w-09/12/2018/
http://mobileappo.com/LLC/En_us/Invoice/
http://momentsindigital.com/8EGAAMVT/PAYMENT/Business/
http://myafyanow.com/4YWMKOO/PAYROLL/Smallbusiness/
http://mywholebody.net/Document/En_us/ACH-form/
http://navyugenergy.com/wp-content/uploads/9OAXTTZV/SWIFT/Personal/
http://newsite.iscapp.com/8973101JF/PAYMENT/Smallbusiness/
http://nisho.us/23375MIQP/WIRE/Commercial/
http://plasdo.com/MNXfUEtpo/702DXQ/PAYROLL/Commercial/
http://premiereplasticsurgerylasvegas.com/0WBBL/WIRE/Commercial/
http://prideagricintegratedfarms.com.ng/Sep2018/EN_en/Service-Invoice/
http://prova.upyourfile.net/xerox/En_us/Need-to-send-the-attachment/
http://ruralinnovationfund.varadev.com/5VSQTTY/ACH/Business/
http://sellitti.com/8063779O/PAYROLL/US/
http://sernet.com.ar/doc/En_us/Invoice-for-x/b-09/12/2018/
http://signaturestairs.co.uk/984987KRRLUM/SEP/Personal/
http://slajf.com/files/galeria/4614PZOJAL/SWIFT/Personal/
http://soloanimal.com/55549LFBVBNXQ/PAYROLL/Business/
http://soo.sg/epigami.com/blog/wp-content/uploads/2013/0931016LMVHF/com/US/
http://stoobb.nl/default/EN_en/Inv-28167-PO-5S286034/
http://summerlandrockers.org.au/0277YRFNQ/PAYMENT/Commercial/
http://suportec.pt/files/US/Need-to-send-the-attachment/
http://theme.colourspray.net/6220KZTRUR/PAYMENT/Personal/
http://thepinkonionusa.com/249J/PAYMENT/Smallbusiness/
http://tienphongmientrung.com/5408919R/PAYROLL/Business/
http://valenciahillscondo.com/9694129WNFY/SWIFT/Business/
http://valletbearings.com/831652JSXS/com/Commercial/
http://versusgas.com/00BRSU/identity/Smallbusiness/
http://versusgas.com/Sep2018/US_us/Open-Past-Due-Orders/
http://vinastone.com/994WFILE/58AKWKTYMF/WIRE/Smallbusiness/
http://vinmeconline.com/4TE/PAYMENT/Business/
http://vong.info/wvvw/5FM/SWIFT/Business/
http://webhall.com.br/526319JZGQK/SWIFT/Commercial/
http://website.vtoc.vn/demo/hailoc/wp-snapshots/087849VTPT/com/Business/
http://www.africimmo.com/886MIF/SWIFT/Personal/
http://www.demicolon.com/dvrguru_revoerror/image/53LA/SWIFT/Business/
http://www.duanvinhomeshanoi.net/000NAIDPEJ/BIZ/Smallbusiness/
http://www.insurance4beauticians.com/Download/En_us/Summit-Companies-Invoice-9782424/
http://www.mainpartners.eu/6287508P/oamo/US/
http://www.offshoretraining.pl/0550248TOU/SEP/Commercial/
http://www.teateaexpress.co.uk/9080980KHKLW/PAYROLL/Business/
http://xn--b1axgdf5j.xn--j1amh/671GOTAHY/PAYMENT/Commercial/
http://xuatbangiadinh.vn/588261LQO/PAYMENT/Personal/

```
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2018-09-13 16:15:00
SHA256:
8b3e7b0cd5c83967782bb2aa41996b97e8badd89b43171a48e7b28f94f443c7c
76b69f93b5532b1d050b38537035eee5c1aae94690d716aa96a1b926c36e6816
9a719afc937416f57b260e195384cb89fd72388fb25afe7e392063e5d06d4696

http://familiekoning.net/Sw51duCIY
http://website.vtoc.vn/demo/hailoc/wp-snapshots/JeHXbk6WzM
http://librusfan.ru/271vNHA
http://tomas.datanom.fi/testlab/VJ1t3ol
http://altarfx.com/8Es5z7sVJL


Creation Time 2018-09-13 10:03:00
SHA256:
a254a407abb8e029d07a538acf703751acbe62ebd16b5001fc781bab0d07307c
e269c50894d6177cfdad365f0ef6b4f9753a27d7aa912a42b992e21b0cd029ac
10acf1385e8fbb1bfb62041a7effd5a755f816d55f35fd48a28203b0adbc76c1
0b13d542741a96fcba31522717d8909559db32df07032a6e8b4f151a80ac69dd
ddf54839be09c9dabb116921834b583b81c427a7578af5d423b38b499c51454c
d35026ff318ef7be4b398c9b42734cdfba5e99252dfdc29b4a4e52f4e9e642b1
21609da4c930bbe91ac12d4d9710407594ec0b36d2eac3d441fde2657fc70f08
7747b7f224ff3188820d3695073df34915d7f41cabe71a118abf491758ca414f
bbf6f733ffdbb38d83a68f2af2d158b7e641200223ef65a3d8248ea631906e76
51ec5de264d2103209bd33cbd5ddea9341ab298f5f89d801eed00459e21a2c9d
e0e221ef3acebbc414fbc3d15d41d87695a42a2aa7db051af76ad793a0f31b05
e90cb759ba47ff925aa1aef820bed3cb4c11c225ef436f313c1b0029879af433

http://vladetel.org/iDFxArAC
http://vgd.vg/7MN5ZO8D
http://madisonda.com/7klY6V30Z
http://detss.com/3SHTOtr
http://btesh.net/pQvrfzK

Creation Time 2018-09-12 21:06:00
SHA256:
a06bc650b069bbc9c3e5cc234acc67e7ab22e38746120eaaf7be7d0bcfebc42f
2a8c2ebeed73c172d347af258a0ade7ebc73d29897797d25f9c6259cdfeff059
6b1af34b51c15c8736ae891ca2e037bc118e531f72cf3917e2b4e37ed14e461d
3f4d0ab5723f2200e245b149d8e8ee9665d3d0a7868ce938061f197429999153
b967b161ca4f18a30268ef7f6dff604d93edc59367ee7bab5e81360748a9732f

http://taltus.co.uk/EP4L639
http://quintacasagrande.com/EJSAsCD
http://glswp31.sprintsoft.ro/Y3IzCHzqIb
http://vkontekste.net/f1OSAuOu5S
http://dovgun.com/x7tDH1jMd9


```
#### SHA256s for Epoch 1 Payload EXEs seen on 09/13/18 ####
```
a74967811f710d6c2d2d6d2e061e14d9bbf6e61646ecd580715ad40088e3dea7
5ed869578abcc9f9e4983adc3482394f231b2144a36a34be75694f4280fa4581
fcb4ddb8e1a15cdb0029274c93838971d854ef88507e00a47c9a75af47b33b81
82e4585f249339dd5a4a38b526e705d8b5a23a51bc2ea4fd2f9bcd979bef8f7e
2a24d5d2fb44adb3eeb4d2d5d031ebef0c43f316922e186eaf12a852ea8dcd60
78cab845b041d60868a8da045da24e4325001869e10b0cd1390c541a3a05e50a

```
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time 2018-09-13 22:24:00
SHA256:
bb96154cb4c626418818c1159dd38038fc88261375c76c321cb90e0382618356
d8d62e64a5af68e3aa0844b8556577e12634a6570948a4cbd98ceaad7731d1ad
6521ea29a65d135ae2979e8ffcbaf70089ffb260de6f6558db1ebf8294106d80
c3f2233ec52a49433a093f5e83ea01228c7088ead6cef9b914543b2268085bc6
83a36e458172a563eed121b9423f7f255b5cacd96a323086484a193a92131a94
f298f4c8151700d3be8c7b0176abbe3f53a1651fa682e647c27cf6b5092dc5fe
9349ca5c47141bc0277a0dd9f25c5767e7d6378057c985488ccd3b4b552a25da
a5207d69b06370cac30aa2f58046957fd42810ca4efd0b67dcd8f05f9179e7c4
07cfea6b95c5394dabb083033dad126eaee6c553e015c00960f8f329d64807a5
27795a1f8929bda0569f58f10730b59ea02c13f276b55a2b8cf8b0af68ba9f9c
9e1aa204229316126c9c36888efe8116c383ee37e7ca858fcfc52eeb33e6ec01
9abdce46e8797388d7fb880707085b2d43fba6f67e68bda260379f6f8e66d619
56be3018493c1b5f47eddfbd3ae3309607dfe38aef9a20f75835acac73dd082b
da31738c4b7beaa1cfa7a0a8c47344fafc434416811e1ea12a725bcb10679090
04fc0253af169117c8ff80e1cab523aaf9b974d9dda2ffd17cc50c515fed1226
3db7160117739cd1ea76bcb1b53457c840f029a46a8fedfe33757953d01e71cd
91b105504038a4b273df18623e4de9eae1d98f1ae9a219d46d8f942689776d19
4bbb79a95ba782a7367045789b6859f2913d8ae965209fd1829fd2206da1a73a
68b01d54c485e4de4b6aa0d992b19f0eff0ec43ca876faff5626a67085135d57
476d751d78531b1edc5d777e514c2b1a8d50914ec76f7f16ad68bfec66784f15

http://gawus.com/klRialoB
http://connecteur.apps-dev.fr/H1
http://alliance-rnd.com/hYXxoC
http://artwellness.net/j
http://wiratechmesin.com/X

Creation Time 2018-09-13 20:12:00
SHA256:

79eb8ce2f6e869a1583b04fe69318a6d7d125022d96b5ee2e02adb27c9b09bbd
e2b32187eeb3cd795da983342d10d6fef613e3363531444ae0ac5cab34553d5b
37f1ef7cba41c87894336943d3df8f77c799c8e0a913724372fee51b3b2f1359
4872f6d67a370ffaf1a8757a7d7eaa576b017d6a41ffdaee1e540359d80fb113
0916518b86d9538eba1f68130f630b27c21d7a6c8f4f2d419d1f26b470fc757f
8b808398cdf8bcb4dd059f8ae734fe5239594105ad4faacd6af89cf2bff68f32

http://kaijiang001.com/xxwBiLY
http://ericsweredoski.com/C
http://www.tri-solve.com/4ZO
http://onlinelegalsoftware.com/RPtWwdec
http://www.ultigamer.com/wp-admin/includes/d

Creation Time 2018-09-13 14:57:00
SHA256:
1b1ca3aea7d761a91bb5dd9ac97b353320d065e08717fcabe0805eb0d9938c1b
824cb5f6f65d9e89f3fa79881bb8d41dd01089c25650eab57529c31eab46e798
8216b9bc7350597d772829a02f9ceaff4518c500f53588e88968c3ce21e0e9af
62d1d44a050ece5500a42b4a07dff0a7d11993f0469df963941313100020e962
0a35426736c00f1093d093059da49ac42b23113ea8019bcacf6769d5227dc795
5eb986d05ad832897acbc13e870ee4f2971f1901374615a41ee2f5f5fe91d68f
1c84d3a7b02bd30a0884d5a0ff5840f77490945045ae7b8055d408e8ec6de8ab
94cfd057c941845ed5bacf9290f6bd2f79311ed8fe0c9207ff13526df0efc7d0
1e87808f2a505c93cf95345d43b97124d655eb080d1263b785e08d3fe0bf206c
e65548a144aeee2445a1ace2d57cb61582e904de973258056b6c4d55132a6343
80f27d7dfd3852253c47a67f11ee4cea9bb12a5370955ab32161bff0b189bb14
9955c6478408b2946ef1a557151fa68e28515bf07c1db05d0628963eea640141
d4ed9ec5c2d5b17b5b2b28955c7dc1125a3376ea8e11d09a58f25d2ecdf6cfbb
a7c54acf17f914288c551a6899259791047fec21d9705a7585be988227189837
1936f0ec1ecf544285fc94a531e77e608a3abe0eaab1d19632f247c7ba5acf7e
59651746ec22f0186a7ddaf454b1b858bf07b5197b411d7c485a9d6800db8e2b
0b3a20990ab9038b3964eb55717f1a15c25354a97945e2bbbee47995d5a233c1
d108c4d7f9196112cb655063e9c3587380428deb543953be6250799355ed99ef
4f3b20b026bdadbc5b9744834db42bf6858f4a238068f44f335967461755578a

http://dbsunstyle.ru/U2MAj
http://valorpositivo.com/10Zu2p4
http://institutodeidiomas.ulp.edu.ar/wp-content/uploads/5k0l
http://atklogistic.ru/jB75CAA
http://itray.co.kr/wp-content/B6b2J

Creation Time 2018-09-13 10:11:00
SHA256:
6207c24972e68133a2f34cac9e49035ae0dbece716af77006626d2232c2260f3
ae14cb3d22626f71614f9c25c082d9165b1d8726943364c72b1ca1ec2641fc6f
5abafc4436cabaf8688ceb4cfc2a2c3f2b1ae06a34ffb9ecfe8ea5e06bc6d065
745f36d617fcc238ba47e7046463b4486a48512ef12c1a27b9d6314d7b7bce35
9fc740bc37aa0b29f27885daa6ee480a58aee5526710a5f99239b8921a159bc7
8ec0d258429998102d6974937b6acbb31005a714c65b96349883e76f7fefe822
ea6090949f3c83cfd7091a3c0f96fd2ee79b10ea297f7cb8c67e218afe5ecdc3
d28441e57833bfbbe1460f784f48ab2f8d6bc8d7478795f6ff64b5c1dd7ccafb
9df9d4884b2500037994a989411328a95a3cf5147b31477c5f01d71933fc3d6d
c7874af7335c770faff29f4a78bd24092079ace115e3dc2fd7f498f361c3295c
d4104c8b0ded4e59f51d21fc38de99fb4aef4da6f6e216b4b631f0da3253363c
5b13e439c9bc2479ec8aaaeabc516377178fdeafff910e94ec586e6b665aa031
0432b3023902e6923a125718c35108cdd55b58ddf985e3cc7efb5a4b79e1c208
f704486b7acbe5a1bb8ebf08b81f2eca9ac98abb6a27c7e35bcfcfbc57e5d901
764122c8c7d3c80f2c4c5c812333b6d804683a90cd5c6ffe28d36e6bbd2ac90e
84705ead26ec41c8839f764d5534c666bb58078c55ab7c066cfc95db51023176
79e206f16b62c3727b50f8c02c461d794e8be5c0af2eb4be3d9eeca92ae7ded7
54d028fa1a679a62c8353bc90b03821e20892e399c11755a8d3243efa92027fb
ee21e25fc479e08e637097ccd6469ee63f0970e139a3f3da675d1042fefbfd33
4c254727bf72c8de54c7a1554e6d6afeaea1ce89f7279e15005b5ff034881c8d
ce7524428873a974c4fa9784f493cddcf68e440b8305f2efb8dbc6d8994e60b7

http://newspectiveaddress.com/rOTph
http://lariotgrill.com/2z8FmXgi
http://akgemc.com/fsHYxx
http://webartikelbaru.web.id/3ykDP
http://artikeltentangwanita.com/L8097n

Creation Time 2018-09-12 19:47:00
SHA256:
8870a62f875161882a0c93807ccc85209554a068953ae16190484414b427b173
97c417918368f2b12dd4f531d6038f0f9b30c6a902fd17d43f6873f679cf1b11
2397e53241fe62832871bf56898653b33f4e416772ef5e36e674f082b3172328
0f27215d431683ca9e12bc565504b524a386c4815d19c60070205280676ef292
30594291490a1928a7bf89f633c88b3e8bb41c4ae795156309a0f076652d072c
bdfb9ea5785db7461ad1c99e51e3e40b7e64329af163fcbe9ed2801feac887e7
9f2b391d98faa49081c4d876e166d99dd7130764ddc8e9a6bf2c23a15ad2837b
d60b8789a0fbcd9209a9bba2a830e597282207641f479d9abe6f6607b4eeb256
dafe595d8dc3cf275a9d6bea2e5151d40480a2d4b0e6c020b8065fe1a7972c80
eeee3eda1a4e448a8909834a595467eaf54e5b161192168172057b0e2426b3d0
0e27e6f4d8da29d389fa3beecd8126d0b11698262a1c828d1dce799a274c3d29
83cc9bcaed258c00f23162e6cb665b456627869187fd543a49787808a1247127
91ce571ce305b5ec80a29d34599b3eb6c197ecd668e4daa3907115a56dcbd986
7f3e9c4a40ec41639e6c8d9db032229d6c58002874ed5d4cdc5fd03e622d25ed
1316c887d94e24f942b882ecbe7314ef4746e2800122b27bb0086e8aacbb8b00
5c5cd138b91a3d2baa90a02319e99a8a8804e4a08b2ffe6c57350cdc9a434734
1fdf0df4133e95138d2df0a009a4ae8224192758ed904b2628ae83a21411f70d
7dfa2a928330bcb0f33f6d4c5d97a88237f33bdf80efd982ef13b3fe1d964b5e
feae1530ee01928ffa77b463da09e66f74220772ee2678e8047869a3145868b5
55c2cb81ad2856f39d7ebb41b399900e073fb98afeddbc5efb4f2842d429bcbc
db5230bcc93d32f53678e4d45233561b27d5ad42aaa74f8edf3352220bd8523f
879d69ece9f3af526b2c17a21f0894ad06e7760a4d015b06f59a27579918edd8
2f832c6ae5974b67d30fd1125a5298047179d68d2fd9bf3e988f8bdcda63762d
48a5d05b5f703d2e64f35ddf18f1dc8ecfcbe71305cb0ac6324860bc01bb0d41
aa44a4b26f945e7204d6ee644a5cde053dc131b4f05f007de58ebf2fa180a90f
da2a56412ba9240e01d478074dfee4cd0ef92d0d8d1d2b42b01411212c2e6e83
c64c8cb54c57849ca6c0d5a741e0726e4337b3df8dbd389e912c9a7899e3b311
3c6ca8020f39b252aa19db566ce0c87559ab1ec0784415815d4aabe9262ce501
e9465d59e1b17072a433ac9f3e0db2eaf49afda401f0cd41e340eb084d99ac9f
aa2161d4e4cda6b43839cc8d34aa992e38458c4a5702abd784dd9ae3a8832efd
40be53a0bb0ca1a290e96aebb2c6cd2317cea1fae4028e59229fc877fb4a6895
d88af38c197e419d5c43ea5338ba41d7f77d6c9e5f4b7d5cb013670d28f06d6c
f3458f43aa17ab5f31e01e807e13595696e918d53358ea85daa93c274a35a1a7
39e528ba3723a89b1abfd4ea526e999e1819878f825741f2aac35707ba3cda4e
fdd4bdf80d2ed4dcc5eda75437173016e2f67a405cb2bf15b728052de2ac08ea
b3e3f957528379284a50d3c3efe1acb675266f10f52b3e4c98e29ed1124435d3
e6a578c89917327adb9fcd46a34823c0f2b34ec26d7e0bcdd08f2fdd0b3e534a
d255e74d39fb90e116b46e8ae8a9285ebf292696285a84be8fb17bf3891a2da4
a35039516c11525f68fad74dd01d54e3169855a1508abf923455ef469166e722
9b88ff4c7a6c39af6293e1b5a8002b9f56f2621d2dfdf33d55b5e1d7794511de
a12728a25409259b1e7c50f3e7a3bbb6b9b428a67ad778970e8137f02218e2cf
2ac61b1ec360650ca38fb547d208e345f7abfc93d3ad8413bcaa21aadddce806
9dcfac123de75bcfc9f7c7583b6592522dbc3f8cf4a09cd0f29708255ec19e47
9455157454afce9ad1650f3c80c80ecc9654616e37235302df6c7610bd3e57c2
751b6ae3eef95b7b8ea335f62aaeb43851b59dc13c4eacfb962545666d156164
a3fb9df5e722abe9b8ae3e3ca64379da758492cd5b9ce43ddbe29b41178b6d66

http://mooremakeup.com/k
http://crossroadstamp.com/0
http://ntsuporte.com.br/kl5
http://oooka.biz/RaQOFhRM
http://parusalon.ru/idb

```
#### SHA256s for Epoch 2 Payload EXEs seen on 09/12/18 ####
```
214d0fede2c22de3a9e8803ceaf6ff520a5e6ee24d29dd54d0be664c32be42fc
f797a8568c12e957271041dbb846f00945b4b734c2d8fec2d584da1a5746dea3
69bdc32fab30602af0d819e4961e7d1e909dce4fe653278dc2e9c80c66f993f4
5870b8085afcf093a83add8e93cb632783f0b25eb443c51475b57ca2ff90e1a4
5b91f4f734c4bc4873766a9d537cc9ce9682596e54ef51597fedfa82b0dd8d37
825fd92d285d77a6184f447337bac2386ffa94e321de018fb86b0fcd615daee4 (Trickbot)
330a58a04a5aef9c8f511a4eb55adf4bedcd3143a35b94c201cc88fd1b9a990d
74e426f6b6a5657d937e78bac99afeec3bc3e8870248dbd3de33340cb39e59a4

```
#### Epoch 1 C2s by port ####
`+` indicates new/returned since last posting

```
20:
+ 108.53.148.199
+ 70.184.148.77

+22:
+ 72.50.72.164

+53:
+ 201.244.125.210

80:
+ 181.123.205.219
+ 189.151.46.3
+ 200.105.149.226
37.120.175.15
+ 96.242.246.128
+ 96.245.253.186

443:
198.199.185.25
49.212.135.76

4143:
217.13.106.203

7080:
139.162.237.94
+ 87.114.250.38

8080:
104.236.25.85
133.242.208.183
139.59.242.76
178.63.118.195
+ 190.189.12.16
203.198.129.4
210.2.86.94
+ 220.253.68.95
+ 71.45.208.246

8090:
+ 98.229.127.243

8443:
+ 69.70.248.98

50000:
+ 96.23.80.242
```
#### Epoch 2 C2s by port ####
`+` indicates new/returned since last posting

```
20:
+ 74.196.132.156

80:
+ 177.230.98.10
+ 187.177.53.149
+ 189.131.48.195
+ 199.48.135.55
+ 201.146.20.110
+ 201.163.74.202
+ 64.194.68.19

443:
106.187.52.135
118.244.214.210
138.201.197.13
153.122.38.158
185.97.32.6
199.119.78.9
199.119.78.23
211.115.111.19
+ 68.15.57.174
95.141.175.240

465:
+ 162.154.32.144

995:
+ 64.250.162.198

4143:
222.214.218.192

8080:
+ 115.47.147.24
146.185.170.222
157.7.164.23
+ 190.6.195.244
69.198.17.7
+ 76.70.25.209
78.47.182.42
84.200.106.120

8081:
62.75.143.128
```
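The two "C2s by port" sections use a small ad hoc layout (a port header, one address per line, `+` on a header or an address for new/returned entries) that a defender usually wants in structured form before it goes into a firewall blocklist or a detection rule. The following Python is an added example and is not part of the original paste: it parses that layout, flags the new entries, validates the addresses so a stray line cannot slip into a blocklist, and pulls distinct hostnames out of the document-download URL list. The sample input is constructed from a handful of entries on this page plus one deliberately malformed line; the function names are this example's own.

```python
import re
from collections import OrderedDict
from urllib.parse import urlsplit

# Constructed sample in the paste's own layout: a port header line, then one
# address per line. "+" on the header or on an address marks new/returned.
# The "300.1.2.3" line is deliberately malformed to exercise the validation.
SAMPLE_C2_SECTION = """\
20:
+ 108.53.148.199
+ 70.184.148.77

+22:
+ 72.50.72.164

80:
+ 181.123.205.219
37.120.175.15
+ 300.1.2.3

8080:
104.236.25.85
+ 190.189.12.16
"""

# Constructed sample of the document-download URL list (entries from this page).
SAMPLE_DOC_URLS = """\
http://alwaysaway.co.uk/doc/En/Paid-Invoices/
http://versusgas.com/00BRSU/identity/Smallbusiness/
http://versusgas.com/Sep2018/US_us/Open-Past-Due-Orders/
http://www.mainpartners.eu/6287508P/oamo/US/
"""

PORT_HEADER = re.compile(r"^\+?(\d{1,5}):$")
IPV4_LINE = re.compile(r"^(\+\s*)?(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_c2_by_port(text):
    """Return a list of (ip, port, is_new) tuples from a 'C2s by port' block.

    A '+' on the port header marks the whole port as new/returned; a '+' on
    an address line marks that address. Either flag sets is_new. Lines that
    are neither a header nor a valid dotted-quad are ignored, not guessed at.
    """
    records = []
    port = None
    port_is_new = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = PORT_HEADER.match(line)
        if header:
            port = int(header.group(1))
            port_is_new = line.startswith("+")
            continue
        addr = IPV4_LINE.match(line)
        if addr and port is not None and 0 < port < 65536:
            ip = addr.group(2)
            # Reject octets outside 0-255 so a typo never becomes a block rule.
            if all(0 <= int(octet) <= 255 for octet in ip.split(".")):
                records.append((ip, port, port_is_new or addr.group(1) is not None))
    return records


def new_c2s(records):
    """Only the entries flagged new/returned since the last posting."""
    return [(ip, port) for ip, port, is_new in records if is_new]


def to_blocklist(records):
    """Sorted, de-duplicated 'ip:port' strings suitable for a firewall feed."""
    return sorted({f"{ip}:{port}" for ip, port, _ in records})


def doc_url_hosts(text):
    """Distinct hostnames from the document-download URL list, order kept."""
    hosts = OrderedDict()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("http://", "https://")):
            hosts[urlsplit(line).hostname] = None
    return list(hosts)


if __name__ == "__main__":
    recs = parse_c2_by_port(SAMPLE_C2_SECTION)
    print("new since last posting:", new_c2s(recs))
    print("blocklist:", to_blocklist(recs))
    print("doc hosts:", doc_url_hosts(SAMPLE_DOC_URLS))
```

The parser deliberately drops anything it does not recognise rather than trying to repair it; on a feed like this, where a wrong entry becomes a block rule, a silently skipped line is the safer failure mode, and the skipped lines can be diffed against the source to find formatting slips.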
#### Credits and Notes Section ####
Updated 7/13/18
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture: https://pastebin.com/u/jroosen

NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list. I am providing them for your benefit in case you want to parse them to be sure.


UPDATED (08/31/18): Epoch 1 is back! For several days in a row it has been on the scene!

What is Epoch 1 and Epoch 2?
Epoch 1 and 2 are two distinct chains of payloads that I have been tracking for a couple of weeks now. Epoch 2 is currently the larger group of hosts and I think it is the main push of Emotet. Epoch 2 WAS a smaller, more rapidly changing version of Emotet that tended to change the hash of the document every 45-60 minutes and sometimes had new payloads that fast as well. Epoch 1 seems to change payloads every 3-6 hours now, and hashes sometimes change as often as every 1 hour. Epoch 1 may now be the development chain, but I am not 100% sure what they are up to. Checking either epoch host at a point in time will deliver a document that has payloads different from the other epoch's. That means epoch 1 may have payloads a,b,c,d,e and epoch 2 will then have z,y,x,w,v. Sites sometimes move from one epoch to the other, but I have never seen the same exact directory go from one epoch to the other. It is always a new directory for the change in epoch, as far as I have seen.

#### Community Lists ####


#### Credits ####
(OC and combination work)
Doc DL URLs - @unixronin, @ps66uk, @avman1995, @dms1899, @Bitterman59, @pollo290987, @James_inthe_box, @malware_traffic
C2 info - @pollo290987, @unixronin
Payloads - @AmirRedh, @unixronin, @ps66uk, @pollo290987, @James_inthe_box, @dms1899, @MalSpamHunter, @Bitterman59, @malware_traffic

Special thanks to @2sec4u, @unixronin, @pollo290987/@ps66uk for creating scripts/servers/infrastructure and helping out with all of this!

Very special thanks to @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch and @Virustotal!

#### Daily Log ####

Turns out I tripped the spam filter on GitHub and my account was flagged for manual review, and that was the real issue. It was re-enabled this morning quickly after explaining the issue to support. Good experience with support so far, and night and day compared to Failbin.

Today I saw a few more Doc attachments from epoch 2 and most of them were in English this time. There was not the volume we had on previous days and it seemed like activity was backing off today. Also there was a change in the VBA macro obfuscation that @unixronin documented in his post: https://pastebin.com/jsKUQ9QA

It is worth noting that this week we have seen both epoch 1 and 2 dropping Trickbot. If you run the payloads near 5-8am EDT for a significant number of minutes, you will likely get Trickbot, it seems.

Not much else to speak of so far and we will see what tomorrow brings.


#### Sandbox 09/13/18 ####
(all with fakenet and MITM unless spam/secondary infection)
Epoch 1 deploying Trickbot at 06:39 https://app.any.run/tasks/fd35ae0e-21cf-4b5e-8697-b92e3023be88
Epoch 2 deploying Trickbot at 05:30 https://app.any.run/tasks/de3a7c15-bf5e-4eb0-bd9c-f6528c2387f8

Epoch 1 C2 run as of 09/14 at 00:30 https://app.any.run/tasks/4c91df1f-37e9-4383-b0b4-b1fbec507d18
Epoch 2 C2 run as of 09/13 at 23:15 https://app.any.run/tasks/afe1515a-7f87-4386-b779-644c4185b33a