jroosen

Emotet Malware IoCs 2019/02/27

Feb 28th, 2019
## Emotet Malware Document links/IOCs for 02/27/19 as of 02/28/19 01:30 EST ##
*Notes and Credits now at the bottom* Follow us on twitter @cryptolaemus1 for more updates.

#### Epoch 1 Document/Downloader links seen for 02/27/19 ####
#### Epoch 2 Document/Downloader links seen for 02/27/19 ####
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
#### SHA256s for Epoch 1 Payload EXEs seen on 02/27/19 ####
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
#### SHA256s for Epoch 2 Payload EXEs seen on 02/27/19 ####
#### Epoch 1 C2s ####
#### Spam/Stealer C2s ####
#### Current Epoch 1 RSA Public Key ####
#### Epoch 2 C2s ####
#### Epoch 2 - Spam/Stealer C2s ####
#### Current Epoch 2 RSA Public Key ####
#### Credits and Notes Section ####
```
Updated 7/13/18
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
https://pastebin.com/u/jroosen

NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list. I am providing them for your benefit in case you want to parse them to be sure.

```
#### What is Epoch 1 and Epoch 2? ####
```
What is Epoch 1 and Epoch 2? (updated 01/29/2019) It has been a while since I refreshed this section, so I wanted to update it and bring it up to date.

I have been tracking Epoch 1 and Epoch 2 since May of 2018. Epoch 1 and 2 are two botnets with distinct C2 infrastructures and separate RSA keys for communications. Epoch 2 is currently the larger of the two botnets and I think it is the main push of Emotet. Epoch 2 WAS a smaller, more rapidly changing version of Emotet at one point in May/June of 2018. Now Epoch 1 seems to be the smaller of the two since this time period. Despite having unique, unshared C2 infrastructures, these two botnets have been seen to move bots from one to the other and show similar behaviors, seemingly controlled by a single entity/group. Here are some observations I have noted since I have been watching these botnets:

- Checking a document download site from Epoch 1 will deliver a document that is different from what is being delivered at the same time on an Epoch 2 document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those being delivered in maldocs on Epoch 2 at any time.
- Document hashes change every 10 minutes on both Epochs while distribution/spamming is active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Mondays of every week a new set of document download sites, and usually templates to accompany them, are generated early on Monday morning/Sunday night.
- Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and Epoch 2 may have a document hosted on host.tld/B.
- The RSA keys will change every month or so for C2 communications on each Epoch/Botnet.
- Binaries for Epoch 1 payload sites are different from the binaries for Epoch 2 payload sites.
- Each binary has a hard-coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours to stay ahead of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00 UTC each day. It usually starts back up around 07:00-08:00 UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA Key.

If I think of anything else to add or if anyone else has any suggestions, I will add them here.

```
  618. #### Community Lists ####
  619. ```
  620.  
  621. https://pastebin.com/uVA5KzfF - @executemalware
  622.  
  623.  
  624. ```
  625. #### Credits ####
  626. ```
  627. (OC from @JRoosen and/or combination work of the following)
  628.  
  629. Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, @0xtadavie,
  630. @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @leunammejii, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey, @Jan0fficial
  631. @shotgunner101, @HerbieZimmerman, @Outkast_TI
  632.  
  633. C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie, @devnullnoop,
  634. @gorimpthon, @Racco42, @Jan0fficial
  635.  
  636. Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz, @pollo290987,
  637. @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey, @Jan0fficial,
  638. @OguzhanTopgul, @HerbieZimmerman
  639.  
  640. Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
  641.  
  642. Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and helping out with this!
  643.  
  644. Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
  645. @digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch
  646. and @Virustotal for providing services/software no charge to this cause!
  647.  
  648. ```
  649. #### Daily Log ####
  650. ```
  651.  
  652. Today was a very odd day in Emotet land. I did receive over 100 malspams today but they were basically all attachments. The morning was quiet for
  653. me and we noted that the E2 botnet was not doing much of anything until after 13:00 UTC. The E1 botnet was spamming mostly attachments all day and
  654. this shows in the URL count for today. E2 was spamming some PDFs and they had URI links embedded like normal. The URLs in E2 have changed to an
  655. odd format whose final directory seems to match the following regex: \/([a-z0-9\-]{14,})\.view\/
  656.  
  657.  
  658. For me the malspam started at about 11:50 EST and was more invoice crap with mostly familiar generic templates. Subjects included these familiar
  659. annoyances:
  660.  
  661. February Invoice INV-Z681522 from Vendor Spoof
  662. Invoice No - X88510
  663. Invoice number E423999
  664. OVERDUE INVOICE
  665. Re: Your recent invoice request for your account
  666. Reminder: Your invoice from Spoofed Full Name - item # 4637226
  667. Sales Invoice Account
  668. Sales Invoice 1-W0397 from Spoofed Full Name
  669. SERVICE INVOICE
  670. Spoofed Full Name Invoice Ready To View
  671. Spoofed Full Name - Invoice No. 038679
  672. Spoofed Full Name report: Complete invoice O748590 - February 27 2019
  673. Spoofed Full Name Recordatorio de pago
  674.  
  675. Most of the email was received from 13:50 to 15:00 EST and I saw nothing more after 15:45 EST.
  676.  
  677.  
  678. Interestingly, E2 started to spam some UPS package-type templates towards the end of the day. Pictures attached to report.
  679. They still have not learned that UPS tracking numbers usually do not start with anything other than 1Z, and other random letters/numbers
  680. are an easy block. The valid formats are the following:
  681.  
  682. 1Z9999999999999999
  683. 999999999999
  684. T9999999999
  685. 999999999
  686.  
  687. From https://www.ups.com/us/en/tracking/help/tracking/tnh.page
  688.  
  689. The docs went back to DOCX formats for both epochs, and E2 stayed on a single quintet of payloads all day. E1 had 2 quintets of
  690. DOCX payloads and then went back to 1 final quintet in the DOC format.
  691.  
  692. E1 C2s changed and combos decreased from 47 combos to 45. - Recorded above.
  693. E2 C2s changed and combos decreased from 52 combos to 48. - Recorded above.
  694.  
  695. I am starting to run out of time to do this as I do have a day job and have stuff to do. This is why I made the poll up here:
  696. https://twitter.com/Cryptolaemus1/status/1100282263416258560
  697. If you have time, vote on it and/or comment.
  698.  
  699. Till tomorrow. I am sure they will come back strong after a weak day like today.
  700.  
  701. ```
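Two of the patterns noted in the log above are easy to turn into checks: the new Epoch 2 document-download directory regex, and the UPS tracking-number formats the lures are getting wrong. The script below is an added example written for this page, not code from the Cryptolaemus team; it assumes a lure labels its number "Tracking Number"/"Tracking #" (the `TRACKING_TOKEN` regex is my heuristic), it treats the 16 positions after "1Z" as alphanumeric rather than digit-only (the page uses "9" as a placeholder), and all sample URLs and lure text are constructed, not observed IOCs.

```python
import re
from urllib.parse import urlparse

# Final path directory of the new Epoch 2 document-download URLs, as quoted in
# the daily log: 14+ characters of [a-z0-9-] followed by ".view/".
E2_VIEW_DIR = re.compile(r"/([a-z0-9\-]{14,})\.view/")

# The UPS tracking-number shapes listed in the log. The page writes them with
# "9" as a digit placeholder; the 1Z shape here also accepts letters after
# "1Z", because real 1Z numbers contain them (my assumption, not stated on
# the page).
UPS_TRACKING_SHAPES = (
    re.compile(r"1Z[A-Z0-9]{16}"),  # 1Z9999999999999999
    re.compile(r"[0-9]{12}"),       # 999999999999
    re.compile(r"T[0-9]{10}"),      # T9999999999
    re.compile(r"[0-9]{9}"),        # 999999999
)

# Heuristic for pulling a tracking-number-looking token out of lure text
# (assumption: the lure labels it "Tracking Number", "Tracking #" or similar).
TRACKING_TOKEN = re.compile(
    r"tracking\s*(?:number|no\.?|#)?\s*[:\-]?\s*([A-Z0-9]{8,20})", re.IGNORECASE
)


def e2_view_token(url: str):
    """Return the token of the '<token>.view' directory if the URL's path
    matches the Epoch 2 pattern, else None. Only the path is examined so a
    hostname containing '.view' cannot produce a false hit."""
    m = E2_VIEW_DIR.search(urlparse(url).path)
    return m.group(1) if m else None


def is_valid_ups_tracking(candidate: str) -> bool:
    """True if the candidate has one of the documented UPS tracking shapes."""
    c = candidate.strip().upper()
    return any(shape.fullmatch(c) for shape in UPS_TRACKING_SHAPES)


def bogus_ups_tracking_numbers(body: str):
    """Return the tracking-number-looking tokens in a message body that do
    NOT have a valid UPS shape: the 'easy block' the log refers to."""
    return [t for t in TRACKING_TOKEN.findall(body) if not is_valid_ups_tracking(t)]


# Constructed sample data for the demonstration; none of these are observed IOCs.
SAMPLE_URLS = [
    "http://example.com/wp-content/abcdefghij1234-xyz.view/",      # E2-style
    "http://example.com/sendincverif/support/question/En/201902/",  # older style
    "http://example.com/short.view/",                               # token too short
    "http://abcdefghijklmnop.view/download/",                       # '.view' only in host
]
SAMPLE_LURE = (
    "UPS Quantum View: your package could not be delivered.\n"
    "Tracking Number: 1Z3A7B9C0123456789\n"   # valid 1Z shape
    "Tracking Number: 5KR9Q2X7L1M4\n"         # 12 chars but not 12 digits
)

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u} -> {e2_view_token(u)}")
    print("bogus tracking numbers:", bogus_ups_tracking_numbers(SAMPLE_LURE))
```

Run it over a day's doc DL list to split the new `.view/` style from the older `sendinc*` style, and over lure bodies to flag tracking numbers that could never be real; matching the URL path rather than the whole string keeps a hostname like `something.view` from triggering the rule.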
  702. #### Sandbox 02/27/19 ####
  703. (all with fakenet and MITM unless spam/secondary infection)
  704. ```
  705.  
  706. Epoch 1 C2 run on 2019-02-28 at 05:15 UTC - https://app.any.run/tasks/f506eb34-2f23-4ae4-91b1-00933d52c277
  707.  
  708. ```
  709.  
  710. ```
  711.  
  712. Epoch 2 C2 run on 2019-02-28 at 05:30 UTC - https://app.any.run/tasks/e4e991be-0496-4da3-81f3-abb4a21bd4b6
  713.  
  714.  
  715. ```