## Emotet Malware Document links/IOCs for 05/20/19 as of 05/21/19 01:00 BST ##
*Notes and Credits now at the bottom* Follow us on twitter @cryptolaemus1 for more updates.
#### Epoch 1 Document/Downloader links seen for 05/20/19 ####
```
<none>
```
#### Epoch 2 Document/Downloader links seen for 05/20/19 ####
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2019:05:20 18:19:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
Creation Time 2019:05:20 12:40:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
Creation Time 2019:05:20 06:20:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
```
#### SHA256s for Epoch 1 Payload EXEs seen on 05/17-19/19 ####
```
886ab67d0704721367c7ccd41585514e999baf4fe1114779db6d981efc85672f
e5be3c0b66d7c3c2986202faf860f4cce41892db64c91e8322a57c2e4c23ecf0
315b772f4cee9ce22ae23a59a0abb252675aef655ba3e3d06a2f3b282d80768f
```
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2019:05:20 18:13:00 (DOC Based - ENG - 365 Blue Box)
Creation Time 2019:05:20 12:33:00 (DOC Based - ENG - 365 Blue Box)
Creation Time 2019:05:20 07:57:00 (DOC Based - ENG - 365 Blue Box)
```
#### SHA256s for Epoch 2 Payload EXEs seen on 05/17-19/19 ####
```
8274749a1f4910e88944bc47d74aa0760cf6eb24712fcafbc0d744047a9839e9
f76fd135b6ca6580ab454f45bb27b67b55ef30d24e5e4b2423d3d351243fdd3a
8b6d9742b2cde735b64b68e9a5cc99a4c7caab09a036aa9cb418f761a557f3ba
360fa23df3fecf60395efec34e214793a202edee19e28647c2fb1cd86d3e3b47
```
#### Epoch 1 C2s ####
#### Epoch 1 - Spam/Stealer C2s ####
```
<not updated>
61.92.159.208:8080
104.236.185.25:8080
50.116.63.9:7080
```
#### Current Epoch 1 RSA Public Key ####
```
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+
0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ
Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
```
#### Epoch 2 C2s ####
#### Epoch 2 - Spam/Stealer C2s ####
```
<not updated>
198.58.114.91:4143
213.136.86.219:7080
91.205.215.10:7080
```
#### Current Epoch 2 RSA Public Key ####
```
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx
S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc
hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
```
#### Credits and Notes Section ####
```
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs as it is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.
```
#### What is Epoch 1 and Epoch 2? ####
```
What is Epoch 1 and Epoch 2? (updated 03/07/2019)
I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications.
Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller, more rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period. This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group, e.g. going on breaks at the same time period.
Here are some observations I have noted since I have been watching these botnets:
- Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an Epoch 2 document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those being delivered in maldocs on Epoch 2 at any one time.
- Document hashes change every 10 minutes on both Epochs while distribution/spamming is active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Mondays of every week a new set of document download sites, and usually templates to accompany them, are generated early on Monday morning/Sunday night.
- Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and Epoch 2 may have a document hosted on host.tld/B.
- The RSA keys used for C2 communications on each Epoch/Botnet will change every few months.
- Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
*- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours via C2 to stay ahead of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00 UTC each day. It usually starts back up around 07:00-08:00 UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation, spam template, word template, document type and even payload.
If I think of anything else to add or if anyone else has any suggestions, I will add them here.
```
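As an added example (not part of the paste), a small Python parser for the "Payloads by Document SHA256" block format used above, plus attribution of an observed C2 set to an epoch using the note that C2s are never shared between Epochs, and a staleness flag for the 72-hour orphaning window. All hashes, URLs and IPs in it are constructed placeholders.

```python
"""Parse the paste's 'Payloads by Document SHA256' blocks and attribute C2s to an epoch.
Added example, not from the original paste; all hashes, URLs and IPs are constructed
placeholders (RFC 5737 TEST-NET ranges, .invalid hosts, repeated-byte hashes)."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample in the paste's block format: a "Creation Time" header with the
# template tag in parentheses, a "SHA256:" label, one document hash per line, then
# the payload URLs for that set.
SAMPLE_PAYLOAD_BLOCK = """\
Creation Time 2019:05:20 18:19:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
http://example.invalid/wp-includes/placeholder1/
https://example.invalid/cgi-bin/placeholder2/
Creation Time 2019:05:20 12:40:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
http://example.invalid/wp-admin/placeholder3/
"""

# Constructed per-epoch C2 sections ("ip" or "ip:port" per line, as in the paste).
SAMPLE_C2_SECTIONS = {
    "Epoch 1": "<not updated>\n192.0.2.10:80\n192.0.2.11:8080\n192.0.2.12:443\n",
    "Epoch 2": "198.51.100.20\n198.51.100.21:7080\n198.51.100.22:8080\n",
}

CREATION_RE = re.compile(r"^Creation Time (\d{4}:\d{2}:\d{2} \d{2}:\d{2}:\d{2}) \((.*)\)$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
URL_RE = re.compile(r"^https?://\S+$")


@dataclass
class PayloadSet:
    """One 'Creation Time' group: maldoc template, document hashes, payload URLs."""
    created_utc: datetime
    template: str
    doc_hashes: List[str] = field(default_factory=list)
    payload_urls: List[str] = field(default_factory=list)


def parse_payload_block(text: str) -> List[PayloadSet]:
    """Split a payloads section into one PayloadSet per 'Creation Time' header."""
    sets: List[PayloadSet] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "SHA256:":
            continue
        m = CREATION_RE.match(line)
        if m:
            created = datetime.strptime(m.group(1), "%Y:%m:%d %H:%M:%S")
            sets.append(PayloadSet(created_utc=created, template=m.group(2)))
        elif not sets:
            raise ValueError(f"data before first Creation Time header: {line!r}")
        elif SHA256_RE.match(line.lower()):
            sets[-1].doc_hashes.append(line.lower())
        elif URL_RE.match(line):
            sets[-1].payload_urls.append(line)
        else:
            raise ValueError(f"unrecognised line in payload block: {line!r}")
    return sets


def parse_c2_section(text: str) -> Set[str]:
    """Collect C2 entries verbatim; blanks and '<not updated>' markers are skipped."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("<")}


def attribute_epoch(observed_c2s: Set[str], epoch_c2s: Dict[str, Set[str]]) -> str:
    """Return the epoch whose C2 list overlaps the observed 'ip:port' set.
    Exact 'ip:port' matches count, as does a bare-IP feed entry (the paste lists some
    C2s without a port). C2s are never shared between epochs per the notes, so overlap
    with both is reported as 'ambiguous' rather than guessed."""
    hits = []
    for name, c2s in epoch_c2s.items():
        bare_ips = {e for e in c2s if ":" not in e}
        if any(o in c2s or o.split(":")[0] in bare_ips for o in observed_c2s):
            hits.append(name)
    if len(hits) == 1:
        return hits[0]
    return "ambiguous" if hits else "unknown"


def likely_orphaned(pset: PayloadSet, now_utc: datetime, max_age_hours: int = 72) -> bool:
    """Flag sets past the ~72-hour window after which the notes say most URLs stop updating."""
    return (now_utc - pset.created_utc).total_seconds() > max_age_hours * 3600


if __name__ == "__main__":
    epochs = {k: parse_c2_section(v) for k, v in SAMPLE_C2_SECTIONS.items()}
    print(parse_payload_block(SAMPLE_PAYLOAD_BLOCK)[0].template,
          attribute_epoch({"198.51.100.20:443"}, epochs))
```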
#### Community Lists ####
```
```
#### Credits ####
```
(OC from @JRoosen and/or combination work of the following)
Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
@0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
@Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk
C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
@devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192
Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
@pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro
Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
helping out with this!
Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey,
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
@urlscanio, @TrendMicro and @Virustotal for providing services/software no charge to this cause!
```
- #### Daily Log 05-20-19 ####
- ```
- Absolutely no sign of Emotet to me today in the UK. Plenty of other crap though.
- Polish language templates are in circulation, following on from the wave reported last week.
- A big thank you to all those that report #emotet, via Twitter, URLhaus, URLscan and all the sandboxes
- I missed a couple of E2 EXE sets on 17/05 - I will update and repost the additional IOCs
- General News:
- German warnings on emotet
- https://www.pcwelt.de/news/Polizei-warnt-Trojaner-versteckt-sich-in-Antwort-Mail-10595144.html
- REVIEW:
- If you didn't already see it, there is a very simple way to defang these ZIP/JS attachments or links. Just change the Explorer association
- to open .JS files via Notepad.exe. You can follow my instruction here in this Any.Run:
- https://app.any.run/tasks/81503633-0f95-48d4-bd80-c83ec5c2b763
- or you can do this via GPO. Here is a nice writeup on this process: https://montour.co/2016/09/group-policy-force-js-files/
- I recommend you do this because .JS malware is very 2016 or even earlier and most users never need to run .JS or .JSE for that matter.
- You can likely throw other extensions into the same configuration and @JayTHL had a nice thread discussing this here:
- https://twitter.com/JayTHL/status/1126204098670411779
- Email Template Report:
- Generic templates on the most part, the usual body text listed below.
- Review:
- What we know about the threaded templates/reply chain: (changes are marked with *)
- - Emails are sourced from once (or still) compromised users all over the world.
- *- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
- to the compromised party on or before Nov 2018 until at least March 2019. (may be up to present) Also have seen emails going
- back as far as June 2018.
- - Now on E1 and E2.
- - Now seeing German based templates that are essentially the same thing but in German.
- - The injected reply is usually prefaced with the following:
- "Attached is your confidential docs."
- "Attached please find the wire transfer form."
- "Thank you for your help. Please see the attached."
- "Load instructions attached"
- "A printer friendly attachment is now included with each email."
- "Click on the attachment to open or save the printer friendly version of your report."
- - Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
- - Attachments seem to be in the filename format of *_Month_DD_YYYY.doc/js so far.
- - The link is customized for the display text of the link to show the real domain of the spoofed organization.
- - These templates are pretty limited in run and not very numerous.
- Link Regex Report:
- Regex directory patterns
- E1
- *https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)
- https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/
- https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
- https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/
- E2
- https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
- *https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)
- https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/
- NOTE: If you get a lot of false positives, try adding (\"|\n) at the end of some of these after the last \/
- These Regex patterns are to be used experimentally and at your own risk but they caught 95%+ of link malspam.
- Payloads Report:
- E1 would seem to be attachment-based only, no sign of active URLs.
- DOC hashes above were drawn from anyrun.
- E2 ran to just over 200 URLs at the time of writing.
- Both Trickbot and Dreambot were seen as secondary infections today
- E1 EXE - only 3 hashes observed, all ~74k
- E2 EXE - only 4 hashes observed, all ~74k
- C2 Report:
- C2s DID change for E1 and increased from 80 to 83 combos in total. - recorded above
- C2s DID change for E2 and decreased from 92 to 84 combos in total. - recorded above
- Closing:
- I am out of office for the next couple of days but will get the key indicator lists together
- @ps66uk
- TT
- ```
- #### Sandbox 05/20/19 ####
- (all with fakenet and MITM unless spam/secondary infection)
- ```
- Epoch 1 C2 run on 2019-05-20 (private report)
- ```
- ```
- Epoch 2 C2 run on 2019-05-20 at 22:30 UTC - https://app.any.run/tasks/67276dba-a4eb-404b-88a2-fb0add7d857f
- ```