- ## Emotet Malware Document links/IOCs for 02/27/19 as of 02/28/19 01:30 EST ##
- *Notes and Credits now at the bottom* Follow us on twitter @cryptolaemus1 for more updates.
- #### Epoch 1 Document/Downloader links seen for 02/27/19 ####
- ```
- http://119.9.136.146/sendincverif/support/question/En/201902/
- http://13.234.1.52/sendincverif/legal/question/En_en/201902/
- http://13.251.226.193/sendincverif/support/question/En_en/02-2019/
- http://178.62.226.34/photosite2/sendincsecure/service/ios/EN_en/02-2019/
- http://allwaysfresh.co.za/sendincverif/support/trust/EN_en/201902/
- http://amazon-kala.com/sendincsecure/service/secure/en_EN/022019/
- http://andrepitre.com/sendincverif/legal/verif/EN/2019-02/
- http://annual.fph.tu.ac.th/wp-content/uploads/sendincsecure/support/sec/EN_en/02-2019/
- http://beautyandfashionworld.com/sendincsec/messages/trust/EN/201902/
- http://clavirox.ro/sendincverif/support/sec/EN/201902/
- http://dansavanh.in.th/wp-includes/sendincverif/service/trust/EN/2019-02/
- http://edspack.com.br/2015/sendincsec/service/trust/En/201902/
- http://ejder.com.tr/sendincsecure/service/ios/En/022019/
- http://gk-innen-test.de/sendincsec/messages/secure/en_EN/201902/
- http://manisatan.com/sendincsec/service/verif/En_en/2019-02/
- http://miamibeachprivateinvestigators.com/sendincsec/messages/sec/EN/201902/
- http://pbj.undiksha.ac.id/wp-content/uploads/sendincverif/support/trust/en_EN/02-2019/
- http://research.fph.tu.ac.th/wp-content/uploads/sendincencrypt/service/verif/EN/02-2019/
- http://snki.ekon.go.id/sendincsec/support/question/EN_en/02-2019/
- http://stage.abichama.bm.vinil.co/wp-content/uploads/Telekom/Transaktion/022019/
- http://tobiasdosdal.dk/sendincsecure/service/verif/En/022019/
- http://tongdailyson.com/sendincverif/service/question/En/02-2019/
- http://view52.com/sendincencrypt/service/question/en_EN/022019/
- http://www.e-noble.com/sendinc/support/verif/En_en/02-2019/
- http://yduocvinhphuc.info/sendincverif/legal/question/En/2019-02/
- https://idealo.zendesk.com/attachments/token/689OpPfVaSj4L7Ncyi8FFt4xV/?name=RECH_20190227_3ESR06710.doc/
- https://tobiasdosdal.dk/sendincsecure/service/verif/En/022019/
- https://view52.com/sendincencrypt/service/question/en_EN/022019/
- ```
- #### Epoch 2 Document/Downloader links seen for 02/27/19 ####
- ```
- http://01asdfceas1234.com/a8iak-jgp3hj-mojzf.view/
- http://100.26.203.42/3zs8k-h63zl-wxelx.view/
- http://104.199.238.98/bz0r-ggs2ov-setm.view/
- http://104.223.40.40/wp-admin/my0m0-gnthea-trto.view/
- http://109.97.216.141/dyrb-x1hjw-oepj.view/
- http://119.9.136.146/ctkfp-ebmhpu-vifzs.view/
- http://128.199.207.179/3eih3-1ksxl-oejpj.view/
- http://12pm.strannayaskazka.ru/oow6-bz46h-kane.view/
- http://13.127.110.92/wcs3-94yxcd-vpne.view/
- http://13.127.212.245/6qjyn-g94xs-zeicf.view/
- http://13.211.153.58/8wsh-smllpg-xnzdx.view/
- http://13.250.36.131/jaftg-5e9j5-twec.view/
- http://132.145.153.89/4k1x2-m9oc0-vmmfj.view/
- http://159.89.153.180/ap98-at6by-cdkc.view/
- http://162.243.254.239/Addon/5dp3t-c8l8w-pubkt.view/
- http://178.128.238.130/9og3b-tgszo-jdfqj.view/
- http://178.128.54.239/2wsb-8t237v-vkxq.view/
- http://178.62.102.110/iy8ft-55dx13-hcviu.view/
- http://178.62.63.119/cr6g-34dfz-mpupi.view/
- http://18.130.138.223/d9qpf-ipr05r-dycvh.view/
- http://18.223.205.30/0r8o-ns4l5f-qtcg.view/
- http://18.232.11.96/8t71-ui9ht6-uelxv.view/
- http://183.179.198.165/p7fle-3rdesj-bddr.view/
- http://18930.website.snafu.de/qu6d-v4lnw-jufkf.view/
- http://192.241.218.154/2c3a-bpnq07-jjde.view/
- http://206.189.154.46/rixg-sujpf-fegbj.view/
- http://206.189.181.0/y5ci-9nntk-wybaz.view/
- http://206.189.94.136/ulzs-3fzff-wqwq.view/
- http://3.0.82.215/7j5g-9i3o2-yjhc.view/
- http://3.16.174.177/vf9h-i1ee8-atbe.view/
- http://3.87.40.220/sy2k-7cnec-gwpc.view/
- http://3.92.174.100/En/llc/RutK-agA_FxwEHKh-d2M/
- http://3.92.174.100/nwdl-roqek-acbn.view/
- http://35.189.54.101/tf2k8-5xqcb1-supyz.view/
- http://35.198.197.47/woczh-s0pyv-zuojh.view/
- http://35.201.228.154/uov1-dv9d5-jhnq.view/
- http://35.202.216.83/m13op-xrpdb-bznab.view/
- http://35.224.158.246/vf1a-nw8fy-ddld.view/
- http://35.225.3.162/2fzbr-ao0pz-cggvd.view/
- http://35.226.136.239/1w10a-avf50v-efqeg.view/
- http://35.231.137.207/r3jy-qcg2n2-udnfp.view/
- http://35.232.140.239/aw8w8-vm6sx-licn.view/
- http://35.232.194.7/32qzn-1ixps3-ozgwo.view/
- http://35.233.127.71/zjed1-iae7t-kdzwv.view/
- http://35.239.61.50/io50-1yac9-peyr.view/
- http://35.244.2.82/byoe3-yxdqu-sntk.view/
- http://37.139.27.218/plhfa-qwlkx-ucixl.view/
- http://47.74.7.148/veqv-e945w-jpkh.view/
- http://52.32.197.6/nanolumens/resources/8won5-8vavn-bdwko.view/
- http://54.233.125.210/k8y7-r0p2tp-ibbau.view/
- http://54.252.173.49/xyzj-jjpi2w-wlmwt.view/
- http://66.55.80.140/rzmh-kk0pto-mmeum.view/
- http://88.191.45.2/@eaDir/@tmp/79fk3-g90qy-pljw.view/
- http://91.239.233.236/k72fo-ym9bpe-mukci.view/
- http://agemars.dev.kubeitalia.it/En/xerox/Invoice_Notice/COqyT-goAp_CudGa-SW/
- http://ammedieval.org/wp-includes/0n8cz-gs36t-xhlf.view/
- http://arvd.begrip.sk/20jg-6sc6gb-buzh.view/
- http://avent.xyz/kc48-4x1o8-ybkw.view/
- http://basr.sunrisetheme.com/03dtc-pxqrlw-sjvs.view/
- http://beautyandfashionworld.com/074l-zvq2fa-mtpg.view/
- http://belgrafica.pt/5gg2a-hixf6-rtxq.view/
- http://blog.piotrszarmach.com/urilf-8t6kpt-quzah.view/
- http://blogmiranda.inces.gob.ve/zzsm-qqz8fm-fhtu.view/
- http://bookoftension.com/j4de6-53df2h-exle.view/
- http://broombroom.in/n3et-qje8bt-meoal.view/
- http://bsa.bcs-hosting.net/7qie-aiyqb-zmrxw.view/
- http://caroulepourtoit.com/EN_en/Inv/VKZSf-LvA_xJtebNcy-NR/
- http://cetconcept.com.my/wp-content/uploads/2019/01/niet-c5v8i-wgrly.view/
- http://citylink.com.pk/h53n9-picx6-rzlyj.view/
- http://cotafric.net/wp-content/uploads/mqex-6ftnhq-wrsir.view/
- http://crab888.com/bxiw-e556c-hkgdg.view/
- http://crmz.su/tcod-uqft2-ekuw.view/
- http://dctrcdd.davaocity.gov.ph/wp-content/w5dp2-jlcse-comcv.view/
- http://demopn.com/lab/components/l0hrg-ro7i0-hrrx.view/
- http://disperkim.kalselprov.go.id/d2l7h-ncojqd-xlub.view/
- http://dunnascomunica.com/dv9x-33toih-rsoew.view/
- http://ellegantcredit.co.ke/EN_en/llc/44361141978579/ryved-iAI_NLLFGNJI-IL/
- http://ellsworth.diagency.co.uk/gnp4c-ndbhmj-vfcju.view/
- http://emaildatabank.com/gnmvu-4uin4m-zmnuz.view/
- http://excelparts.com.pk/pvwm-gg48yb-mjtvd.view/
- http://frazer.devurai.com/rf4x-88d32b-vxcm.view/
- http://huongnghiep.ictu.edu.vn/7qhrj-plyho-ejnle.view/
- http://icon-eltl.unila.ac.id/ioqmh-mr89or-nwuf.view/
- http://insolution.co/qtp70-rwwqo-ljob.view/
- http://jcipenang.org/wp-content/uploads/US/document/Invoice_number/NoCmj-BJp_SuaYH-B2w/
- http://jrankerz.com/yodm-gwhd3-poqr.view/
- http://kenjosh.xyz/8f21c-58yryc-jzty.view/
- http://keytosupply.ru/i7vj1-c8sldh-iynu.view/
- http://koszulenawymiar.pl/im9f-4aycvi-hyve.view/
- http://kvartirio.com/i09h-4w9hx1-vvcb.view/
- http://lojamariadenazare.com/8vvqk-3i8l1-znpuu.view/
- http://machebella.com.br/jsoln-mu4e9-wvdza.view/
- http://mailysinger.info/fo01-571onr-qpzoz.view/
- http://multishop.ga/2mt3y-9gu359-ktbib.view/
- http://municipalismovalenciano.es/US/Bavl-scIE_MHkrBon-unA/
- http://nhinfotech.com/nz7t-z45ns-ezpje.view/
- http://noscan.us/fk19a-8tt27-yolal.view/
- http://petparents.com.br/En_us/Copy_Invoice/tHEZ-au0kE_TEkK-Z8n/
- http://privateinvestigatormiamibeach.com/US_us/ZVbJQ-VVAP_YtuMZao-gx/
- http://proffessia.ru/s5t0i-wnp0ba-ztswf.view/
- http://rednest.my/En/company/84696069014577/hXOpt-Qbm_XjbOgowbA-GaV/
- http://romanvolk.ru/templates/w2cp-aaj7c-kwffa.view/
- http://stage.abichama.bm.vinil.co/wp-content/uploads/weytt-39y5e-mcew.view/
- http://thanhlapdoanhnghiephnh.com/US/document/6191228/uuCL-3OEo_pscryV-Vzv/
- http://tricountydentalsociety.com/bj14-29r1v-nszyl.view/
- http://truenorthtimber.com/vrdn-mslda-vbmyr.view/
- http://whiskyshipper.com/wp-content/ubgn-f6fy9-fone.view/
- http://wp.10zan.com/wp-content/EN_en/scan/CsvlT-he7_GXt-RO9/
- http://www.51-iblog.com/wp-content/uploads/2oumc-xmenvg-edij.view/
- http://www.51-iblog.com/wp-content/uploads/6k0f-yqb5t-krgac.view/
- http://www.coolpedals.co.uk/wp-content/youd5-g9q0i7-irvh.view/
- http://www.timothymills.org.uk/pt7b-7rpbqh-dzidk.view/
- https://www.brolly.tech/En/download/Invoice/zCXX-Rv_DFgWt-I7s/
- ```
- #### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
- ```
- Creation Time 2019-02-27 17:57:00 (DOC Based - ENG - 365 Blue Box)
- SHA256:
- 3de9427fff565381158fc2a9ace2752d9e7f74718979f86dbb495ebc0ed2bed1
- 7e480099ffa619624ecbd27fb03ef791c7d744543169347c9cea8b0a5864faf7
- 350db707bb1646c9fdcf34aed665d2d96d04839c97abcf7699187913550e829d
- ee641a025fa2915029633196c366c05946098e2d68461d60677b3cdbced029fb
- e57787c4e6d1867038f42a1f80b5cb1e3b301b0963fb2117238065b66ccaf8cc
- b6eb9668969730bafd90c1e2deae5443f737c49c957de9e8069b2b20e5206b4c
- 61a02eea7fc5427f72604f0a6c43f837dcc01bde7563a9693a72e1cacda7885d
- 2a404f7aac42dde69d2dcb72b770e7e5c0df5c905579f1934995591613f8912f
- 3ed4a477922e1682a82b0227ad9aac85151cd8dffea68665256840c75c9a7daa
- 431b758b9681f37b19f8ce51417c96fe3282b96af76f7c54a487cb48841b653b
- ac43bbfbce432eaa11ea5a48b8834459383eb80e9d160abec7c0b50ba524fe7a
- df16e20d8fa25c26f2f6068af0032e97bdda870acf83f6585d7b993bb0b5b375
- dfd949b077b215e6ff3ad53aedb276973368d8ebfdb3d61c3665ea77cae6d4c4
- 655b79dbc0dcde45579a4c53f19a8301a5b1a80edf8fccf3f0b3772ff42072dd
- 55ed8409eecf30e3d3e2e3ac22b2e77ea54c06962f56f79b9ba2fab7d970fc6a
- d3f0a4c947fe683a2460aad594d72115ab2bd1513c3e98da7734cff473a92ed8
- cbc6730e3f3f674459363499e08cd37d17bb09c5a3171995a8f485fe4d43c3f9
- c353a122489246c2d7d675149c20ede74791dcdc36c94633f1839833ebd94a1a
- 38bd9d5813db378a9575d749261c8e94c035701e84e7bc98a783a54161ba4524
- cb1a76ba21a90c53a6a0849ba6bea5131eb919b2cfb0559c4d6ea70fddcfe53b
- 39e7b2f64f71405675eb5f5d3a022130198a103ca33653ec3ded4d16fdbf959b
- 86fb425df71ce1b16f2b2eb1c186a5c2d94228d2f5b3e8c8b39783305f9af896
- cad7e5fa8f15772c1721ff6dac947dc7c75e2798494b5604e46a6514e6ee4e33
- 7a350aebad143538ebdf07657565991f52f79267ba59fff28c0da730823c72df
- 9df28f945789bdc76dd8aafd2c173e2d147b86cf9d90326b9fac76fdd2bd06e9
- 14929d8e2b88e31e7325ac397b12f53863d7a71a587369616b568320af68f811
- 07f479ec4a5065ba5f3b61013f21f07af2ad8589104c64174c8fdf42e17a2f8c
- 8ace3348e51eebabe1594eda98b1c5e1eb6487fa2e9dd96a8296286de16df7e5
- 5f9a3591cbae52677cc32db6df60a51eb29b088a3a0452a2413abe9a4b7f2d58
- a237972448dfd70bf77440e01e6b30ca703705efefe464f4566939e80bbdd948
- 2be438f8390083d19162697d33408f29d250f6a55c5d89478e6a44c359bae98d
- 9d19a573eaa3a6134c945e23944ef37109cfe54cabe69c95ca3239da4ccd6526
- 6c54d088a5832aeafdfe09ac71f31929bc6036b18bd050ee55d5877c99b0c7d1
- 00fdcd9777bab81d8dcda0b09525b9755ccf5d1aaf6125bb6ab50d20fe9d4f57
- 1b15fd9b6cbfdb0010a854026462cb27365adbe3c58961159e08fe4a17e73918
- 3da22388d32ca13a30ad5e1fcf3e252792b394955aeab4bcc2043c8f90d25836
- b2a016bb48d5fb564d965cd99d81435b6f8c0d9520d3715befa2d3f0b76c9671
- 10873c326fc35dd98727fdcf0baad4ac1c318b8811f0f9ae7785bc2cbf2c6226
- a120bce94be572168b2a8c7a84011ebdda3c0cc186734f0764b7f1d37e5d01d3
- 42cb7985412c1000bdd699fed2c189c4daf12c237a182423f36227f1e1cf5115
- ccb52b8a8cb37e80627a91314f798106ad2361caa7053877152574028f8fd647
- 8a5288077823dfd497621430c0038f8378d1e2000390c35da568f771ec309f7c
- 3d5611f7cfc08978d514dbded9342e6d1aa2def50dc6e36fe09da77ccbb18680
- d9e79e5b3ecbf821a7dd582f7b57b88ff7841a9c6b7bb974879195077ebdac50
- b899d07b28815ffc6ece9671f424b272740774217d12c103ec50bec9121cde4e
- 90e9a119405a5c9563fb875813d103617f9af4f27e21513dd8d3cce690758e69
- f61b85c2a00c2522eac2a55044598cb99126f07cecc92f5eadf218615d5afe3b
- 04f4d53da683b57017b08f05bada9075980bcaf03f620dafb00b69aab881b42c
- 316df27e602df69523549fb89f2e126be17f75ce42686d902c80634c0ffa500d
- f54849f9f1268900da31a41a1a64a03b4407001bb3abc2ca2c180f81f1471984
- 875f5f093d5edb996f38f4970fd52f0786a2429471bcba3e768079dc12de9530
- eb21c8edf63fae2f408ae71ef9a788a01e981bfaa34f8821a7aaa64593d17421
- 34582bbe51f7151b966e125a13a9e8b4eb27e36b4c7450ff0774905c1f40ea91
- http://23.23.29.10/YaXUeO5K/
- http://35.204.88.6/heu0n72I/
- http://3.89.91.237/MLCMkrc/
- http://uat-essence.oablab.com/wp-includes/oY8j241xM/
- http://34.207.179.222/7SQrziN/
- Creation Time 2019-02-27 13:17:00 (DOCX Based - ENG - 365 Blue Box)
- SHA256:
- 1bb948ea6a642404c81eff109bd3bf4de8d17371bd084d3636e5638345cc5020
- http://japanijob.com/UUC8iEfIfb/
- http://103.11.22.51/wp-content/uploads/yoarKX9/
- http://13.126.28.98/hPwXcgCZBx/
- http://159.65.146.232/ugitr4t4L/
- http://159.65.65.213/iz1Cc1GhZ/
- Creation Time 2019-02-27 09:22:00 (DOCX Based - ENG - 365 Blue Box)
- SHA256:
- b99528c00d6ac14bf99ade801638f8deb78ba5c610ead5ca6ac68a69f95547bc
- http://iso-wcert.com/JREjsr1Ai/
- http://emirates-tradingcc.com/wp-content/XUMY1h33zJ/
- http://healthytick.com/wp-content/uploads/j900PD5h/
- http://caminaconmigo.org/wp-content/uploads/q7wmIj0/
- http://neumaticosutilizados.com/tpexfplWv/
- Creation Time 2019-02-26 18:49:00 (XML Based - ENG - 365 Blue Box)
- SHA256:
- aca06c8f7084de9ab72d8a361d327f4795a70e26296f196a5638fc6bb0641401
- d6fba7cc6d1bf18162b4f93ae9edf531ac5e7c4a94f5ec2b66d2132fd6a3497d
- 852f31e672b297f2cda4a45b1be84db54f35f90a1fcd86acda0a727e7a6a679c
- 91c28ce218ea2714f34e1f1282713030db675cc1a349a766ebb2e1cbbcf07853
- 09f58a77538eb0e8244611cd718661f7e60172d370e6e1bcb2209b4034172469
- 4eb3ef8eb656b01bdc72e086d3f29ae3b9a2b0de38e350f764f408b3675b6bb5
- 38fa382996c415286f4d6dd5eef8a91120b190cce21b4805f0ca98f2d842ae17
- f9ebb2d70e98c849f0f27ff3076d907a329309fffb7d85ad434f57e58cce108f
- 23621abfbfc0dd988d9c6348ce1d3f04f60786b5b5bb5fe81fa086c219710457
- b66a1fdd95b1100a673947c3d858ac69fb5cc46fa72ba89a44222a9894c6c8ac
- 3e691d74b5dd13743471203c0fd337561c02a04d9a314164dc335ad0f75f36fd
- fe83c159702930a78c43ff4befa164b315140c93b717d2a987742b7f9b56fb69
- b65abe2bc70d26f3180215006a72adfb5565602bb696736af655a5b1d5488081
- 832a005ede634155c1d720c308bcf0779e9700fb8e3698f3b01c06ac23670436
- 1f95c1af1e74ca80e647791eb97e3b67072b473244e0fda65da5dfff9a75a8a2
- 15cc699a8f1d97892ea2875ccf093cfbab3df5376f6e6b84648f0367e2716ceb
- 72f1564103c5c69cab5221731c42bb6eea30a8ce8d4da8015d052f71b3849f5f
- a7af93422d03617f5c577db58fe469937e831c79a7691406eb7b458e7f4715b6
- 192cd102c7fda37f2d7f0a6411ce9fb3a95a00bd6021280c466682d7850a94eb
- 1634cdef680710dd4cdad340e2e173d5804e2e8ceb15f7150fa84acf6d6aa450
- 2f37984c5d62da70df37fe6a990206053d5e6280e10425e4d27691278cf913c6
- 664e468efaeede7cacbfaf2b9cb325bd3604a138f67b3b7dffcf96942e7d6cd5
- c65c750562832bb907c0a992cd6ec5ee68dd83c16a0859c8e0b2baafe504c297
- da3b6dac8ad9b8b7c4d86fcbcf5b9af37b6b65714043d6f58e2237e47d870a92
- 5abb9539e39d237dc7205ab4459a0066273ed78eb95528b5cae3d7dfdaeb2027
- b033b23434817a743849e2a2d060ed9cb0532220f533e5cf55360722b6ea17e0
- 88e9d770691f6761c415039a8a068b5c11ee3025386b60b6254f89fdc60e676f
- eb65ed486e76055181a5fe9a616830adcade99b5525f582e7cd68435002aa04c
- 64856c155c23fd4314fe1abd7056d307e6572a084ae2c01a5781dd876f880b62
- 8278814ac97824ff9ef6c0681e3c16fe0bddd7c2b5809f3ae1e4a9b1aa3fb720
- 477c8c8851e7c2734d40d7edbc2ee3bb8b5b61f4e8312c9432122ae687d73e21
- 1029e48c442e39f8a765ff26b6fa8776aee70c7a1ce284ee505a2bd0f8840e8b
- 81648b4f2c4f298ffcb522debc9959974e865047bda75982ad318f245e2109ec
- 9abdc884ed6dc9bad81c048502b7f87c9b2ed0aefa90c2e3170de4477cdf22ec
- a4bb873c6b291a1620ac1144b101a611ec8e0aa54f95c86a4a86783bbd39bbc2
- 56b1fac56be6b0999ce5e950ae19a66434d6cabc1fcada83104bedf21c4cf163
- 51a5321b13a728495d186452985568a696f32c647175486063391b061d098811
- 95a8aa1411f276844ac6779e6c23b766e5ec06073b710307884935e73411b1a2
- c0661e6d4c86df3f68baba1cc3f90aef917d289feaa6910db1a2e61381694e98
- http://senboutiquespa.com/l5oBTin/
- http://tktool.net/13BDYWM/
- http://icebox.hospedagemdesites.ws/NFUvcViiv5/
- http://specialaccessengineering.com.my/eof86bw/82NbuvX/
- http://siamsoil.co.th/S1st9g7E/
- ```
- #### SHA256s for Epoch 1 Payload EXEs seen on 02/27/19 ####
- ```
- 5e5e5437c59f0472cbb10c30181f94e62e2ac3f7a42b5bd0716e2f03fc2e6311
- c103b8019081da8b4dbd577398e83a29301b5c83e7ed0f9b53089208312c1c42
- 8ab3f8fa6ddc60cf5bcf51079f2d7f20bbe3121a73895f043da950c691efdb21
- f53df3ab0c3646c00b2cc3c946960ff9c95ddf2892197750e63c7b1b8e504960
- df6bd175938e67e075eba98b87f4262c84d1b808edd1c2e4b20f571ff8102f8f
- 9b7dc0c720016ac3a9206569800c9909ae7b3e57d60cc2ffc4daf3c3663dc144
- 3cb575ccdcbd7cb68ac152d544097e7e21fa3c592e113f35fe697e2da81411bd
- 656f37c567caa9dc30baa6356324b3f38db52850a744da3bc71366cdbc76d8e0
- ac0fb3eec03cf8e3829a0b7bf3eafacca8cfdc210bf345613f5a48d03a0830a4
- 719b3fca81609ed32e82dd9e42c18521ac1d7df510425e78577308178a8f9dda
- 8a75aecb5e76dfcf8dfbb7692bb150a6fc305a5389f9d70ef51906b61fbccf6d
- feed1171593f5f9b581ee4d2f3244125100b47268e2d48a2bb1fdaf081efa6b5
- 1381603b8c8723177a5ca91728e2768034a1fe634fa38fca3db4e2c2eebbe9d4
- 44a1d1b16d3c425559b2072b81657a81e6b3ff7231cd4260fe78aadc82a1ba4c
- b94d23cf2c6f8f5ba4bd489121886845d34dc57f1a8f26810d5aeb0546d784fd
- badc69f525deb8b872eda4e2978bb544dd2ab10af847a1605ad23ace67291e0d
- 9d8d3cb2f13dab7f5204bc3afc17dc5a8c5871e5873697b3e39cd0b048d7372c
- 0fb2094497f586c22bff3464d37d623eaefc20f86a66474ed3ef9a80952144a8
- 0929f459ae5009c32010e92a316a9e93e8b1f0f73caf061a167424379aba11a8
- f727c3dc8b34a826df5d90e0b8d725b0e23515ddcd77ab91f3bbe5e17ed0d56c
- 39c115bd859b949cb16ae0a452b66e8dcca4f9599cba8bcc57c19f4d54b3d5b6
- dbecf3ace0d6fa2996988a14fc3ec06cf5d78793f1ffd9015219518c5378d237
- c3e586fdb0151cb0968d077e22141cf92024571e2fdcc264a15423123892c1d6
- fa84261d86baead5678b335a77ed15b41ac2e712d9232a6944afacdbf7397ecb
- baaaff5b57a37a24d4731c5d0f358da0353a0f2bd65c34b25bbad1166c2ac1ea
- cca669e501cea23f2a20a2fdb846e3e2a6a3d571b017425524f9b3da31497f76
- 681ea4e186b8ebcd129145b052e5956470bf36c1fd44af601fcd5e985a728c1a
- 14822796f25ade0ac760f890e1abee2eed3b33164cf26ee85f41cf75a4ff5565
- 0c50c47860f4bce5196e13d92302cbb11783042c04e0661b9877382a21d42805
- 7ec2114faf2c117d3d19f6eaa1e321dde9af87ddf1c0601504e801c09a89b109
- ff28286015e374ec96eee2f0f8696f8c09d806c74f2f5c8bb88bee22dadb4d8b
- 004744bd4615962f7b18cedd09486a460b79e9d74023ecc9135f945b26a54e3c
- b0eca31c51ac29ab925ad55484d59cd3dbd08e33d14d77490329b0252d344e36
- 00683b6d0e708f056339a1c43b84dd10385c5a82caebc5e44cf2076f00938ac1
- f19c5156038ed054881d7585277b6aabcfac775167c1d829a90e74608c744f30
- ```
- #### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
- ```
- Creation Time 2019-02-27 13:08:00 (DOCX Based - ENG - 365 Blue Box)
- SHA256:
- d2ff05ca4592e4f36a5b5da1ca5229c5b6c464d7871fb3b60f5ec440c1afae1e
- http://saigonthinhvuong.net/NuqnyGVMdzOnA/
- http://acdhon.com/wvJZL4qzJvJ/
- http://canhocaocap24h.info/JelJh5aIRIOmyK2/
- http://13.229.153.169/vLm7bTI1bXxCI8Tn_5hh7/
- http://ibakery.tungwahcsd.org/media/m8PnOehN8bW5h3q/
- Creation Time 2019-02-26 17:22:00 (XML Based - ENG - 365 Blue Box)
- SHA256:
- 5bfec51fa15407b97649e82ac75431c0396834a58f479c5867a2c6cb3dc79f16
- 2f4a8b985f604f98966c8b90f9e0eeb15faf9b946a74098e7e02e1daed32321f
- b503f5345f1e2d0c94d3badad9dcb7e81693b7957dfdf678e7e38538c6ebe0e1
- 9da586512816c7ea64515606ddb2091b69ff2275dafa91e8e22cd35e3071e185
- 418fbb192d7dffd5566f8ae6103d6f4acd61617f8fa24ad798865cbffee8f316
- 39bdbe2bd134e87f809971d63830f3d7317573e648673a89ee7ee5db1dab6bd7
- 24ade1226ecf9646a624a0aae717841d1d95fcd73e6879f987976478b875feee
- 45cf732e41764f690bc76ffe3c102b22b46c0ee59276458e6d25c18cb8973c63
- 33c7c6dba2b9e22d96f5a15f9b9b2e5febc856c61e6db04bc6ad6402e14f6f69
- 1697aede6b63b12e4bd3c7fd5315f869bc03c8dcfe7ad124c68d2e2243baaf9b
- 4e18c01207fe70c74e7f683f04fbede2a2ac549d5705eff1e2957cfcc03b8171
- 9e431411937a9edea2200ee76b5c537c851e076a1c879321d7d8a3123aebe49d
- c5d6ccfa326d2811f3c73232234da81f462f443e675cf2c66ce528ddf9e0c00f
- 064ec7577a0395a67d194ff45ecd8212cf190a7d490eeb3d91037b9f54e20735
- 1c5154672bb992fb8dfde30f46bed885230d6f59f06109064d6640bf78e15644
- 5087d318c84a0da1f4285d235349d7adb282dd22ed82b57f333482e2ce490762
- d74a5240f866ba6fe1cd3191801478b52e1b6c6eb2d816071d7bc82857b2837c
- fd4e8e8b9b9012e0f749cb4aa5674c51e5a59cf61a7c1e03bd824002cc388f7f
- 5de9907b9809bc4bbf7681bd234e2a1b4ed94ed1fcce3d65458e7b8e5c9273a8
- d779789debf838e39c7b156c77d7608fe056cfdbe3912e310ac675c20e3b4366
- 6f3ea054beeae0724d4009af18e36320a13ea56caaea871e69650553bb0348c3
- 81145b2fb2844320be87e4a46c610e59bec1cd87927fee9ec27e030ea86cc277
- 66148dc14d4a2f6d80e3dbd5c7306d80b512cabef278730219ba8ff9a4cd9e77
- e55d99ff1e0089f1be742791bb4063d80064af7453d632ea4a92201ab4a3e3aa
- 11cbcbc4275ecb231eda3d05ee36174c171df853002b630ead6ac48df6a3a352
- 4257c368698066d0d22875607b377c75382bbf633ad33e1920974ee9853eaf29
- f64c4380f53448103e34059fc107f79cc9a3e3f30274b34e11c9e98e3f237a60
- 6b33974cf79a733076ed546329a0aa4c588594f6de2270114e003593d0d06098
- 689174eb7b2355558698cca49c0e9dee6ea2c80f67feff50d1d8adedc71d235e
- 9d6be45e1f04e6ccd2bf9eb63259037f9feca6afdbe115e391826b048f0ea6ef
- edae1160cf43fcea54b34250a4832d0be5393128bf5ed6e4c69029c70d9e50dd
- ca7ddb6228b5f173aee45abb7c6483c6bcd54fb089faa1a04a971b85b9d951db
- 77d6ec52d43bb8fc016e372a722e225f12fa2a13ccbdc044baf3227a7b5621f0
- 22cc274e9722677b5cbaa3bbb05f239d467eeaeb87914d7c6be602aaea19643b
- 0530a476eec6f9294ae9223e49787fe5046feac331f1ba645d70ca57932e791c
- 26151bade4306066274f3a6cbd3b822685802231cbdc2e011e20c6c86c696113
- 9b75ab63c39d355b22683608302b841dddd552fa78dacb9eb1afb87229f4bb57
- 4f658c3f7b071b9df4d99dfbe97d9b38ec634e96467ae7bf7c7e34ec84d8972e
- 1855a41ff3fa8bbdae33458f03070e2b89f3513b910d20bc7c14307949d23edc
- http://www.bersamakacasepatan.com/XpYHO9Iss_YTI20Qvw/
- http://icon-stikepppni.org/zwPEso5VK4DW/
- http://nailart.cf/f81y3PKllFl8mU/
- http://moonyking.site/nIfkmaGIxu3_Ki/
- http://monikatex.ru/wp-admin/LBefv2g_2Wyik/
- ```
- #### SHA256s for Epoch 2 Payload EXEs seen on 02/27/19 ####
- ```
- 629a81a1043d9c984954c86b73d932e3c02eda0f7f8c8258ed7f498fb13f9c18
- 19bb9816b6a39461b9811ef4c3c911436e6e6b6dd61ba6392be31411d3ec7d38
- bf55bf5c08dd53d850dde5f00c9eb5ac8bfe975401b0f368094cd48486042f0c
- a8f618ae9cc76aa4ffd646dd9b2092f9970080efbb3198b16ba69543ab4a55dc
- 0895b6c912bdf4f3432dd2cc9c5aa32bb3e9dbbfa90c67e15460a3e20a38fdb5
- 4a0ed67ab6be9abbdd646a9372433b5537464f28a8616b773116b80cbbd7f6f6
- bd5e99ff3cd6ed8fd24683593c5cd1755e51360403fb565414b7cecba6ed874f
- 9900bc02c5ff5ddf0b1eb7267ee17ef6d716816f7e24b1eb7112c8c2a08c643c
- b8326fbb086bdd716e30ec0054374b7c17ccdc29660971293157bc9050a3d7c1
- 32de5df041fb6e4f58570297601f91e65c57daeef16538b62693aedf7bb2a596
- 59b40866ac8deccc26237c03c63dcea749de4b571b262c7c2e3c631203f401ab
- 04781ca20db88b190e9fbaa81edf36e59edf2cf1966f38b092dbe129fd9bc724
- 0d73fe7a06d60d97970220a2a8e4c7d48f863a8145a1b5b668d394d7f0a751f6
- eeffce156603c787adcf041edf0bfec4be1c45fbb31ecd8b0865e297c6af829f
- 0e075d5607c26416f4bae6b19021fea91d93dcecc1b09a17c6a77ff1575a9c69
- 13d79566a9a302000b2b1bcf9a1410e0ae5982c72f23baa3b437c7952f41f602
- b7e2b2735a13fc58c600f7cc65033c77cf6413afba5012663efc0ba5257da485
- 342485e407e0833b21adb6561f2ad541532c285411ed646e140c2c34caeab54a
- 8a477a0c8efc07abeb58e7754c7fa4b0f8994e3353a0b6d7af6da43cbb9e1773
- c5ab5334bb981c762b1e2534f41178883c668dab949e3e6374e28f2b7ae9623d
- 67b3dffd05ce5963dde839074b8c1c6384e9ba94ead43d2d9dbc797f0918e9f3
- 23c6247d3a41880d93f94392743124f6072cd21bfdb708e5376cc61b7a919596
- 355749c74abf61f21b2211d7afed9d48e47aeda8f0521245249a749dd8dbc53b
- e61ffb7b227c2c21a8b3dd90520a9717a1d2a1fafa952560fd4b0cb242c52c23
- c10b3f8510e3781ca3d8e5a5b4005bef0ad84def9f9e9fce83e27de7483f2736
- 9d8336d1d271e5712911abbe3b1e58e3d59fa170ea17bf853526d58500a7632f
- 946348ee25645799388a665f52bbf241d1505ad0bf8fda2afe04860d403b30e3
- a4ff456cda4200a91a75afd1a7a2bd97c57762c5bfd39635b53b39a428b96fe4
- 0968581a0204788e2749202e88d8bb5af91f59621afc78fd6ba4f3d3d0332f4e
- 99a859bc6ad77e9cede917f0cbed02c3c2ac096be54969191c8e86f0dc23e21e
- db8c839bf123eaf05229c178a34a5932c7f52b5a292096eb003abcc5508c87e9
- fc67db4480ec587e67eb86cdd728eb3ed709e699869b1ddbba1193b4c8a21bed
- d96ba1667275e1081494778a6f1173f8a3c0a4cc58394b61c5b583a523c00ea0
- 88f6f285e4223733943038cac220687d9eba3c067656d109be2e2e56efc649c2
- 1c5858044666f63c59465616034cce265ad0b35a492fa9988b5ca1e1002cd730
- ```
- #### Epoch 1 C2s ####
- ```
- 109.104.79.48:8080
- 123.168.4.66:465
- 138.68.139.199:443
- 144.76.117.247:8080
- 159.65.76.245:443
- 165.227.213.173:8080
- 168.226.35.218:80
- 173.94.53.3:8080
- 181.168.123.241:443
- 181.29.214.233:8080
- 181.56.165.97:53
- 183.87.87.73:80
- 185.86.148.222:8080
- 186.103.141.250:20
- 186.137.133.132:8080
- 186.176.27.230:8080
- 186.68.100.2:20
- 189.130.56.200:50000
- 190.191.218.44:80
- 192.155.90.90:7080
- 192.163.199.254:8080
- 194.154.80.106:443
- 200.27.55.100:443
- 201.212.113.14:50000
- 208.180.246.147:80
- 209.159.244.240:443
- 210.2.86.72:8080
- 219.94.254.93:8080
- 23.233.240.77:8443
- 23.254.203.51:8080
- 24.219.3.156:80
- 41.60.202.26:22
- 5.9.128.163:8080
- 51.255.50.164:8080
- 66.209.69.165:443
- 69.163.33.82:8080
- 70.114.194.228:80
- 70.177.115.200:20
- 70.50.87.59:8443
- 71.183.45.61:80
- 72.137.188.42:8080
- 72.47.248.48:8080
- 73.115.132.124:80
- 74.59.106.11:8080
- 92.48.118.27:8080
- ```
- #### Spam/Stealer C2s ####
- ```
- 104.236.185.25:8080
- 187.134.63.166:8080
- 189.180.186.235:8080
- 189.244.82.217:143
- 212.112.113.235:80
- 24.191.37.42:443
- 50.116.63.9:7080
- 73.185.42.52:8080
- 75.166.252.40:80
- ```
- #### Current Epoch 1 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
- ```
- #### Epoch 2 C2s ####
- ```
- 107.10.49.252:80
- 108.16.93.238:443
- 110.36.217.66:53
- 133.242.164.31:7080
- 138.201.140.110:8080
- 147.135.210.39:8080
- 153.121.36.202:7080
- 167.114.210.191:8080
- 172.98.243.40:80
- 173.167.83.97:8080
- 173.21.116.239:80
- 173.255.196.209:8080
- 173.255.250.241:443
- 178.62.37.188:443
- 189.156.244.117
- 189.252.59.243:443
- 190.180.44.175:8443
- 191.92.83.137:990
- 201.110.114.161:443
- 201.137.254.209:465
- 201.137.255.80:20
- 201.143.123.254:8080
- 208.78.100.202:8080
- 211.115.111.19:443
- 217.13.106.160:7080
- 24.151.31.150:465
- 24.185.185.187:443
- 24.201.132.122:7080
- 45.123.3.54:443
- 45.63.17.206:8080
- 47.204.55.229:8080
- 5.230.147.179:8080
- 50.31.0.160:8080
- 54.36.119.105:443
- 62.75.187.192:8080
- 62.75.191.231:8080
- 64.17.83.46:80
- 64.228.72.40:7080
- 66.193.130.13:80
- 67.205.149.117:443
- 69.198.17.7:8080
- 72.214.54.39:443
- 75.132.60.192:80
- 75.91.3.133:443
- 75.99.239.150:995
- 83.222.124.62:8080
- 87.106.210.123:80
- 94.76.200.114:8080
- ```
- #### Epoch 2 - Spam/Stealer C2s ####
- ```
- 183.82.123.254:80
- 198.58.114.91:4143
- 213.136.86.219:7080
- 37.209.252.79:80
- 64.228.72.40:8090
- 67.202.178.142:443
- 78.149.210.211:22
- ```
- #### Current Epoch 2 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
- ```
- #### Credits and Notes Section ####
- ```
- Updated 7/13/18
- WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it
- is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
- https://pastebin.com/u/jroosen
- NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
- I am providing them for your benefit in case you want to parse them to be sure.
- ```
- #### What is Epoch 1 and Epoch 2? ####
- ```
- What is Epoch 1 and Epoch 2? (updated 01/29/2019) It has been a while since I refreshed this section, so I wanted to update it and bring it up to date.
- I have been tracking Epoch 1 and Epoch 2 since May of 2018. Epoch 1 and 2 are two botnets with distinct C2 infrastructures and separate RSA keys for
- communications. Epoch 2 is currently the larger of the two botnets and I think it is the main push of Emotet. Epoch 2 WAS a smaller, more rapidly changing
- version of Emotet at one point in May/June of 2018. Since then, Epoch 1 seems to be the smaller of the two. Despite having unique, unshared
- C2 infrastructures, these two botnets have been seen to move bots from one to the other and show similar behaviors, seemingly controlled by a single
- entity/group. Here are some observations I have noted since I have been watching these botnets:
- - Checking a document download site from Epoch 1 will deliver a document that is different from what is being delivered at the same time on an Epoch 2
- document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those being delivered
- in maldocs on Epoch 2 at any time.
- - Document hashes change every 10 minutes on both Epochs while distribution/spamming is active.
- - Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- - On Mondays of every week a new set of document download sites, and usually templates to accompany them, are generated early Monday morning/Sunday night.
- - Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and Epoch 2 may
- have a document hosted on host.tld/B.
- - The RSA keys will change every month or so for C2 communications on each Epoch/Botnet.
- - Binaries for Epoch 1 payload sites are different from the binaries for Epoch 2 payload sites.
- - Each binary has a hard-coded list of C2 sites unique to the Epoch it was derived from.
- - C2s are never shared between Epochs/Botnets.
- - Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours to
- stay ahead of AV defs.
- - Spamming activity seems to cease on each botnet at around 00:00 UTC each day. It usually starts back up around 07:00-08:00 UTC each day.
- - Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- - The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA key.
- If I think of anything else to add or if anyone else has any suggestions, I will add them here.
- ```
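The last observation above (find the payload, then check the C2s/RSA key) is easy to automate. The following is an added example, not Cryptolaemus' own tooling: it decodes the two Epoch public keys published on this page with a minimal DER walker (standard library only), keys an epoch lookup on a SHA-256 fingerprint of the key, and, when only a C2 list was recovered, falls back to overlap with a small subset of the C2 lists above. The function names, the `unknown` fallback and the constructed sample C2 `198.51.100.7:80` are my own; the port-less entry `189.156.244.117` from the Epoch 2 list is handled as a bare IP.

```python
"""Tell Epoch 1 from Epoch 2 by the RSA key and C2 list carried in a sample.

Added example; this is not Cryptolaemus' own tooling. The two base64 keys
and the C2 entries are copied verbatim from the lists on this page, the
function names are mine, and only the standard library is used.
"""
import base64
import hashlib
import re

# Current keys as published above, kept with the page's line-wrap spaces.
EPOCH_KEYS = {
    "Epoch 1": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ "
               "0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ "
               "Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB",
    "Epoch 2": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx "
               "S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc "
               "hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB",
}

# A subset of each epoch's C2 list from above (one Epoch 2 entry has no port).
EPOCH_C2S = {
    "Epoch 1": ["109.104.79.48:8080", "138.68.139.199:443", "192.155.90.90:7080"],
    "Epoch 2": ["107.10.49.252:80", "133.242.164.31:7080", "189.156.244.117"],
}


def _der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_spki(key_b64):
    """Parse a base64 RSA SubjectPublicKeyInfo (whitespace tolerated).

    Returns the modulus bit length, the public exponent and a SHA-256
    fingerprint of the DER bytes, which is what the epoch lookup keys on.
    """
    der = base64.b64decode(re.sub(r"\s+", "", key_b64))
    tag, spki, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SPKI must start with a SEQUENCE")
    _, _alg, pos = _der_tlv(spki, 0)          # AlgorithmIdentifier, not needed
    tag, bitstr, _ = _der_tlv(spki, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING holding RSAPublicKey")
    _, rsa_key, _ = _der_tlv(bitstr[1:], 0)   # skip the unused-bits byte
    _, n_bytes, pos = _der_tlv(rsa_key, 0)    # INTEGER modulus
    _, e_bytes, _ = _der_tlv(rsa_key, pos)    # INTEGER public exponent
    return {
        "bits": int.from_bytes(n_bytes, "big").bit_length(),
        "e": int.from_bytes(e_bytes, "big"),
        "fingerprint": hashlib.sha256(der).hexdigest(),
    }


KEY_TO_EPOCH = {parse_spki(k)["fingerprint"]: ep for ep, k in EPOCH_KEYS.items()}


def normalize_c2(entry):
    """'ip:port' -> (ip, port); a bare IP (as in one list above) gets port None."""
    ip, _, port = entry.strip().partition(":")
    return ip, (int(port) if port else None)


def classify_sample(key_b64, c2_list):
    """Name the epoch by RSA key first; fall back to overlap with known C2s.

    key_b64 may be None when only the C2 list was recovered. Returns
    'unknown' when neither the key nor any C2 is recognised.
    """
    if key_b64 is not None:
        epoch = KEY_TO_EPOCH.get(parse_spki(key_b64)["fingerprint"])
        if epoch:
            return epoch
    seen = {normalize_c2(c) for c in c2_list}
    overlap = {ep: len(seen & {normalize_c2(c) for c in c2s})
               for ep, c2s in EPOCH_C2S.items()}
    best = max(overlap, key=overlap.get)
    return best if overlap[best] else "unknown"


if __name__ == "__main__":
    for ep, key in EPOCH_KEYS.items():
        info = parse_spki(key)
        print(ep, info["bits"], "bit, e =", info["e"], info["fingerprint"][:16])
    print(classify_sample(None, ["189.156.244.117", "198.51.100.7:80"]))
```

Both keys on this page decode to 768-bit moduli with a public exponent of 65537; the fingerprint, rather than the raw base64, is what should go into a lookup table, since the keys change every month or so and a wrapped or re-encoded copy of the same key must still match.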
- #### Community Lists ####
- ```
- https://pastebin.com/uVA5KzfF - @executemalware
- ```
- #### Credits ####
- ```
- (OC from @JRoosen and/or combination work of the following)
- Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, @0xtadavie,
- @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @leunammejii, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey, @Jan0fficial
- @shotgunner101, @HerbieZimmerman, @Outkast_TI
- C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie, @devnullnoop,
- @gorimpthon, @Racco42, @Jan0fficial
- Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz, @pollo290987,
- @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey, @Jan0fficial,
- @OguzhanTopgul, @HerbieZimmerman
- Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
- Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and helping out with this!
- Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
- @digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch
- and @Virustotal for providing services/software no charge to this cause!
- ```
- #### Daily Log ####
- ```
- Today was a very odd day in Emotet land. I did receive over 100 malspams today but they were basically all attachments. The morning was quiet for
- me and we noted that the E2 botnet was not doing much of anything until after 1300 UTC. The E1 botnet was spamming mostly attachments all day and
- this shows in the URL count for today. E2 was spamming some PDFs and they had URI links embedded like normal. The URLs in E2 have changed to an
- odd format that seems to have a final directory matching the following regex: \/([a-z0-9\-]{14,})\.view\/
- For me the malspam started at about 11:50 EST and was more Invoice crap with mostly familiar generic templates. Subjects included these familiar
- annoyances:
- February Invoice INV-Z681522 from Vendor Spoof
- Invoice No - X88510
- Invoice number E423999
- OVERDUE INVOICE
- Re: Your recent invoice request for your account
- Reminder: Your invoice from Spoofed Full Name - item # 4637226
- Sales Invoice Account
- Sales Invoice 1-W0397 from Spoofed Full Name
- SERVICE INVOICE
- Spoofed Full Name Invoice Ready To View
- Spoofed Full Name - Invoice No. 038679
- Spoofed Full Name report: Complete invoice O748590 - February 27 2019
- Spoofed Full Name Recordatorio de pago
- Most of the email was received from 13:50 to 15:00 EST and I saw nothing more after 15:45 EST.
- Interestingly, E2 started to spam some UPS Package type templates towards the end of the day. Pictures attached to report.
- They still have not learned that UPS tracking numbers do not usually start with anything other than 1Z, and other random letters/numbers
- are an easy block. The valid formats are the following:
- 1Z9999999999999999
- 999999999999
- T9999999999
- 999999999
- From https://www.ups.com/us/en/tracking/help/tracking/tnh.page
- The docs went back to DOCX formats for both epochs and E2 remained 1 single quintet of payloads all day. E1 had 2 quintets of
- DOCX payloads and then went back to 1 final quintet in the DOC format.
- E1 C2s changed and combos decreased from 47 combos to 45. - Recorded above.
- E2 C2s changed and combos decreased from 52 combos to 48. - Recorded above.
- I am starting to run out of time to do this as I do have a day job and have stuff to do. This is why I made the poll up here:
- https://twitter.com/Cryptolaemus1/status/1100282263416258560
- If you have time vote on it and/or comment.
- Till Tomorrow. I am sure they will come back strong after a weak day like today.
- ```
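Two of the log's observations translate directly into detection logic: the regex for the new Epoch 2 `.view` document URLs and the four valid UPS tracking-number formats. The block below is an added example and not the author's own code; the regex and the formats are quoted from the log, the sample URLs are copied from the Epoch 2 list on this page, and the proxy log lines are constructed. Since the log shows digit placeholders after `1Z` while real `1Z` numbers are alphanumeric, that one class is widened (my assumption) so genuine mail is not flagged.

```python
"""Detection helpers for the two patterns called out in the daily log above:
the new Epoch 2 '.view' download URLs and malformed UPS tracking numbers.

Added example, not the author's own tooling. The regex and the four UPS
formats are quoted from the log; the sample URLs are copied from the
Epoch 2 list on this page; the proxy log lines below are constructed.
"""
import re

# Final directory of the new Epoch 2 document URLs, exactly as given in the log.
VIEW_URL_RE = re.compile(r"\/([a-z0-9\-]{14,})\.view\/")

# The four UPS formats listed in the log, with '9' read as a digit. The log
# shows digits after '1Z', but real 1Z numbers are alphanumeric, so that
# class is widened here (my assumption) to avoid flagging genuine mail.
UPS_TRACKING_RE = re.compile(r"^(?:1Z[0-9A-Z]{16}|[0-9]{12}|T[0-9]{10}|[0-9]{9})$")

# Constructed proxy log: timestamp, client, method, URL, status.
PROXY_LOG = """\
2019-02-27T18:02:11Z 10.0.0.5 GET http://01asdfceas1234.com/a8iak-jgp3hj-mojzf.view/ 200
2019-02-27T18:02:40Z 10.0.0.9 GET http://35.204.88.6/heu0n72I/ 200
2019-02-27T18:03:02Z 10.0.0.5 GET http://example.org/news/todays-view/ 200
2019-02-27T18:05:17Z 10.0.0.7 GET http://88.191.45.2/@eaDir/@tmp/79fk3-g90qy-pljw.view/ 404
"""


def view_token(url):
    """Return the 14+ char token before '.view/' (a handy pivot), else None."""
    m = VIEW_URL_RE.search(url)
    return m.group(1) if m else None


def is_view_url(url):
    return view_token(url) is not None


def scan_proxy_log(text):
    """Return (client_ip, url, token) for each line whose URL matches the pattern."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        token = view_token(fields[3])
        if token:
            hits.append((fields[1], fields[3], token))
    return hits


def is_valid_ups_tracking(number):
    """True only for the formats UPS documents; anything else in a UPS-themed
    mail is the cheap block signal the log describes."""
    return UPS_TRACKING_RE.match(number.strip()) is not None


def suspicious_tracking_numbers(candidates):
    """From strings presented as UPS tracking numbers, return those that fail."""
    return [c for c in candidates if not is_valid_ups_tracking(c)]


if __name__ == "__main__":
    for client, url, token in scan_proxy_log(PROXY_LOG):
        print(client, token, url)
    print(suspicious_tracking_numbers(["1Z12345E0205271688", "ZX9999", "123456789"]))
```

The `.view` rule fires only on the 14-plus character token immediately before `.view/`, so ordinary paths that merely contain the word "view" (the `todays-view/` line) are left alone; the token itself is worth keeping, since it is what differs between the otherwise identical URLs in the Epoch 2 list.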
- #### Sandbox 02/27/19 ####
- (all with fakenet and MITM unless spam/secondary infection)
- ```
- Epoch 1 C2 run on 2019-02-28 at 05:15 UTC - https://app.any.run/tasks/f506eb34-2f23-4ae4-91b1-00933d52c277
- Epoch 2 C2 run on 2019-02-28 at 05:30 UTC - https://app.any.run/tasks/e4e991be-0496-4da3-81f3-abb4a21bd4b6
- ```