ps66uk

# Emotet Malware IoCs 2019/05/20

May 20th, 2019
## Emotet Malware Document links/IOCs for 05/20/19 as of 05/21/19 01:00 BST ##
*Notes and Credits now at the bottom* Follow us on twitter @cryptolaemus1 for more updates.


#### Epoch 1 Document/Downloader links seen for 05/20/19 ####
```

<none>


```
#### Epoch 2 Document/Downloader links seen for 05/20/19 ####
```



```
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time 2019:05:20 18:19:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
90ad84b36bb06c3b8ee5d356c3ede4116a25b75d3473ef03e6cc16dd15fe8beb

http://qone-underwear.com/wp-includes/4p8n17709/
https://kobac-kawaguchi01.com/wp-admin/wic5/
http://tajdintravels.com/cgi-bin/9b40471/
http://bombafmradio.net/_vti_log/5hu7x820/
http://soprab.com/cgi-bin/blnnz83/


Creation Time 2019:05:20 12:40:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
72395c97b8790a56a8f763c174b0870c76401eb81cd802784c326dc2b9bffa8f
495cbb79182be997e8a7f3729a63b711c3ba5e44e802c7e2057ba7d59033238c
e2a4749668e5f74d4bfd4491baca23363c25a53c1b0456ecd58ddf5238f725ce
96e9250c6b0153f6de8096cd972302e1779a5f6d2eb4c715a2177b873cdc2ef7
57c73359315ef3e5f96915cc4c32774a2875c014f7bc9d8aa7ae2bebed588ab0

http://seogood.net/wp/b4pxre6304/
http://agro-millenial.com/setupconfigo/0st9376/
https://proyectonoviembre.com/V2.0.0/7ouvu47/
http://royalamericanconstruction.com/fwmihe/04qf6uy0/
http://farodebabel.com/4xhzvd7/nl12/


Creation Time 2019:05:20 06:20:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:

http://tenantscreeningasia.com/wp-admin/zpjdvy17/
http://bystekstil.com/wp-admin/zm6481/
http://eric-mandala.com/wp-content/fj68724812/
http://avitrons.com/uma-site/isi2/
http://developing.soulbrights.com/wp/s445/


```
#### SHA256s for Epoch 1 Payload EXEs seen on 05/17-19/19 ####
```

886ab67d0704721367c7ccd41585514e999baf4fe1114779db6d981efc85672f
e5be3c0b66d7c3c2986202faf860f4cce41892db64c91e8322a57c2e4c23ecf0
315b772f4cee9ce22ae23a59a0abb252675aef655ba3e3d06a2f3b282d80768f


```
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time 2019:05:20 18:13:00 (DOC Based - ENG - 365 Blue Box)
SHA256:

https://overcreative.com/css/shecgesia_cjtf7s6-2586658720/
http://antonresidential.com/wkdrlk/papkaa17/NujUJetNy/
http://gawaher-services.com/nngb24y/vXGApWUwd/
http://thepropertydealerz.com/cgi-bin/5ze7vs_tgt6e3k-5/
http://guimaraesconstrutorasjc.com.br/wp-content/NTlTZtAUB/


Creation Time 2019:05:20 12:33:00 (DOC Based - ENG - 365 Blue Box)
SHA256:

http://tongdaifpt.net/wp-includes/hylKLdJWOh/
http://e-salampro.com/sasnekat.com/awc2601b_kf95uldy4-36/
http://filto.ml/cgi-bin/aMqquEsQw/
http://qpdigitech.com/wp-admin/xmt6ku59pl_86bt8fv-73919803/
http://omestremarceneiro.com.br/wp-includes/cgey_vp867s238-17/


Creation Time 2019:05:20 07:57:00 (DOC Based - ENG - 365 Blue Box)
SHA256:

http://saminprinter.com/wp-includes/yrkvm4vyy_ybidb-43745207/
http://santuarioaparecidamontese.com.br/wp-includes/7jn9p7_qou49bjodx-33953/
http://serwiskonsol.com/wp-content/JEsfYuiPMv/
https://ppdiamonds.co/wp-content/m45zv037uc_nent85daai-282067/
http://aworldtourism.com/wp-includes/1fcjc8_m4lnj7ffng-755100/


```
#### SHA256s for Epoch 2 Payload EXEs seen on 05/17-19/19 ####
```
8274749a1f4910e88944bc47d74aa0760cf6eb24712fcafbc0d744047a9839e9
f76fd135b6ca6580ab454f45bb27b67b55ef30d24e5e4b2423d3d351243fdd3a
8b6d9742b2cde735b64b68e9a5cc99a4c7caab09a036aa9cb418f761a557f3ba
360fa23df3fecf60395efec34e214793a202edee19e28647c2fb1cd86d3e3b47


```
#### Epoch 1 C2s ####
```



```
#### Epoch 1 - Spam/Stealer C2s ####
```
<not updated>
61.92.159.208:8080
104.236.185.25:8080
50.116.63.9:7080


```
#### Current Epoch 1 RSA Public Key ####
```

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB


```
#### Epoch 2 C2s ####
```



```
#### Epoch 2 - Spam/Stealer C2s ####
```
<not updated>
198.58.114.91:4143
213.136.86.219:7080
91.205.215.10:7080


```
#### Current Epoch 2 RSA Public Key ####
```

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB


```
#### Credits and Notes Section ####
```

WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs as it
is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen

NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

```
#### What is Epoch 1 and Epoch 2? ####
```

What is Epoch 1 and Epoch 2? (updated 03/07/2019)

I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications.
Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller, more
rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen
to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group. E.g. going on breaks at the same
time period.
Here are some observations I have noted since I have been watching these botnets:

- Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
Epoch 2 document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those
being delivered in maldocs on Epoch 2 at any one time.
- Document hashes change every 10 minutes on both Epochs while distribution/spamming are active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Mondays of every week a new set of document download sites, and usually templates to accompany them, are generated early on
Monday morning/Sunday night.
- Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
Epoch 2 may have a document hosted on host.tld/B.
- The RSA keys used for C2 communications on each Epoch/Botnet will change every few months.
- Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
  661. *- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
  662. - Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
  663. - C2s are never shared between Epochs/Botnets.
  664. - Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
  665. via C2 to stay ahead of AV defs.
  666. - Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
  667. - Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
  668. - The easiest way to tell what botnet a sample is from, is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this
  669. easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
  670. - Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
  671. spam template, word template, document type and even payload.
  672.  
  673. If I think of anything else to add or if anyone else has any suggestions, I will add them here.
  674.  
  675. ```
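The notes above say the quickest way to tie a sample to an Epoch is to check its C2s and RSA key, and the Epoch 2 key is pasted above as a flattened PEM body. The following is an added example, not part of this paste or of any tool it credits, that decodes such a base64 SubjectPublicKeyInfo with only the Python standard library, reports the modulus size and public exponent, and hashes the DER so keys seen on different days or Epochs can be compared by fingerprint. The names `read_tlv`, `parse_rsa_spki` and `EPOCH2_KEY_B64` are my own; the key bytes are the ones from the block above.

```python
import base64
import hashlib

# The Epoch 2 key from the "Current Epoch 2 RSA Public Key" block above,
# split back into the 64-character PEM body lines it was pasted from.
EPOCH2_KEY_B64 = (
    "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx"
    "S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc"
    "hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB"
)

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def read_tlv(buf, pos):
    """Read one DER tag/length/value starting at pos.

    Returns (tag, value_bytes, position_after_value). Handles the short
    length form and the multi-byte long form, which is all an RSA
    SubjectPublicKeyInfo needs.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(b64_text):
    """Decode a base64 SubjectPublicKeyInfo (rsaEncryption) and return the
    modulus size, public exponent and a SHA-256 fingerprint of the DER.

    Whitespace is stripped first, so a PEM body that was flattened onto one
    line (as in the paste above) decodes the same as the original lines.
    """
    der = base64.b64decode("".join(b64_text.split()), validate=True)

    tag, spki, _ = read_tlv(der, 0)            # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, alg, pos = read_tlv(spki, 0)          # AlgorithmIdentifier ::= SEQUENCE
    oid_tag, oid, _ = read_tlv(alg, 0)         # OBJECT IDENTIFIER
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = read_tlv(spki, pos)       # subjectPublicKey ::= BIT STRING
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected BIT STRING encoding")
    tag, rsapub, _ = read_tlv(bitstr, 1)       # RSAPublicKey ::= SEQUENCE (skip unused-bits byte)
    tag_n, n_bytes, pos = read_tlv(rsapub, 0)  # modulus INTEGER
    tag_e, e_bytes, _ = read_tlv(rsapub, pos)  # publicExponent INTEGER
    if tag != 0x30 or tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("malformed RSAPublicKey")

    modulus = int.from_bytes(n_bytes, "big")
    exponent = int.from_bytes(e_bytes, "big")
    return {
        "bits": modulus.bit_length(),
        "exponent": exponent,
        "der_len": len(der),
        "sha256": hashlib.sha256(der).hexdigest(),
    }


if __name__ == "__main__":
    info = parse_rsa_spki(EPOCH2_KEY_B64)
    print(f"RSA-{info['bits']} e={info['exponent']} sha256={info['sha256']}")
```

Run on the key above this reports a 768-bit modulus with exponent 65537; the SHA-256 of the DER is what you would store per day and per Epoch, since a changed fingerprint is the key rotation the notes describe and an unchanged one across two samples says they belong to the same botnet.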
#### Community Lists ####
```



```
#### Credits ####
```
(OC from @JRoosen and/or combination work of the following)

Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
@0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
@Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk

C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
@devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192

Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
@pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro

Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey,
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
@urlscanio, @TrendMicro and @Virustotal for providing services/software at no charge to this cause!

```
#### Daily Log 05-20-19 ####
```

Absolutely no sign of emotet to me today in the UK. Plenty of other crap though.

Polish language templates are in circulation, following on from the wave reported last week.

A big thank you to all those that report #emotet via Twitter, URLhaus, URLscan and all the sandboxes.

I missed a couple of E2 EXE sets on 17/05 - I will update and repost the additional IOCs.


General News:

German warnings on emotet
https://www.pcwelt.de/news/Polizei-warnt-Trojaner-versteckt-sich-in-Antwort-Mail-10595144.html



REVIEW:
If you didn't already see it, there is a very simple way to defang these ZIP/JS attachments or links. Just change the Explorer association
to open .JS files via Notepad.exe. You can follow my instructions here in this Any.Run:
https://app.any.run/tasks/81503633-0f95-48d4-bd80-c83ec5c2b763
or you can do this via GPO. Here is a nice writeup on this process: https://montour.co/2016/09/group-policy-force-js-files/
I recommend you do this because .JS malware is very 2016 or even earlier and most users never need to run .JS or .JSE for that matter.
You can likely throw other extensions into the same configuration and @JayTHL had a nice thread discussing this here:
https://twitter.com/JayTHL/status/1126204098670411779

Email Template Report:

Generic templates for the most part, the usual body text listed below.

Review:
What we know about the threaded templates/reply chain: (changes are marked with *)

- Emails are sourced from once (or still) compromised users all over the world.
*- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
to the compromised party on or before Nov 2018 until at least March 2019 (may be up to present). Also have seen emails going
back as far as June 2018.
- Now on E1 and E2.
- Now seeing German based templates that are essentially the same thing but in German.
- The injected reply is usually prefaced with the following:
"Attached is your confidential docs."
"Attached please find the wire transfer form."
"Thank you for your help. Please see the attached."
"Load instructions attached"
"A printer friendly attachment is now included with each email."
"Click on the attachment to open or save the printer friendly version of your report."
- Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
- Attachments seem to be in the filename format of *_Month_DD_YYYY.doc/js so far.
- The link is customized so that the display text of the link shows the real domain of the spoofed organization.
- These templates are pretty limited in run and not very numerous.

Link Regex Report:

Regex directory patterns

E1
*https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)
https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/
https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/

E2
https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
*https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)
https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/

NOTE: If you get a lot of false positives, try adding (\"|\n) at the end of some of these after the last \/

These Regex patterns are to be used experimentally and at your own risk, but they caught 95%+ of link malspam.


Payloads Report:

E1 would seem to be attachment-based only, no sign of active URLs.
DOC hashes above were drawn from anyrun.

E2 ran to just over 200 URLs at the time of writing.

Both Trickbot and Dreambot were seen as secondary infections today.

E1 EXE - only 3 hashes observed, all ~74k
E2 EXE - only 4 hashes observed, all ~74k


C2 Report:

C2s DID change for E1 and increased from 80 to 83 combos in total - recorded above
C2s DID change for E2 and decreased from 92 to 84 combos in total - recorded above


Closing:

I am out of office for the next couple of days but will get the key indicator lists together.
@ps66uk

TT

```
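The Link Regex Report in the daily log above lists the E1 and E2 directory patterns and notes that appending (\"|\n) after the final \/ cuts false positives. As an added example, not the author's or the Cryptolaemus group's own tooling, here is a small Python scanner that compiles those patterns verbatim, applies that terminator to every pattern ending in \/ when run in strict mode (and strips it in loose mode), and runs both modes over a constructed set of sample lines. The hosts (example.com/.net/.org) and paths in SAMPLE_TEXT are invented to exercise the patterns and are not real IoCs; PATTERN_SETS, compile_sets and scan are my names.

```python
import re

# Directory-pattern regexes copied verbatim from the Link Regex Report above,
# grouped by the Epoch whose download URLs they describe (leading '*' markers
# that flag changed lines in the report are dropped).
PATTERN_SETS = {
    "E1": [
        r"https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)",
        r"https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/",
        r"https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/",
        r"https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/",
    ],
    "E2": [
        r"https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/",
        r"https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)",
        r"https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/",
    ],
}

# The false-positive suppressor from the NOTE in the report: the URL has to
# end (closing quote or newline) right after the matched directory.
TERMINATOR = r'(\"|\n)'


def compile_sets(strict=True):
    """Compile every pattern. In strict mode each pattern that ends in a
    slash gets TERMINATOR appended; in loose mode any existing TERMINATOR
    is removed, so the two modes can be compared on the same input."""
    compiled = {}
    for epoch, patterns in PATTERN_SETS.items():
        regexes = []
        for pat in patterns:
            if pat.endswith(TERMINATOR):
                pat = pat[: -len(TERMINATOR)]
            if strict and pat.endswith(r"\/"):
                pat += TERMINATOR
            regexes.append(re.compile(pat))
        compiled[epoch] = regexes
    return compiled


def scan(text, strict=True):
    """Return [(epoch, pattern_index, url)] for every URL in text matching one
    of the directory patterns. Pass the raw multi-line dump (mail body, proxy
    log, URL list) so the newline alternative in TERMINATOR can fire."""
    hits = []
    for epoch, regexes in compile_sets(strict).items():
        for idx, rx in enumerate(regexes):
            for m in rx.finditer(text):
                hits.append((epoch, idx, m.group(0).rstrip('"\n')))
    return hits


# Constructed sample lines (example.* hosts, invented paths); not real IoCs.
# Lines 1-3 mimic the three E2 shapes, line 4 the third E1 shape, and the
# last two are benign URLs, one of which shares a WordPress prefix with a hit.
SAMPLE_TEXT = """\
http://example.com/wp-content/uploads/abcd1234_ef567-123456789/
http://example.net/wp-includes/FILE/AbCdEfGhIjK/
http://example.org/cgi-bin/4k9zx-msvng-sstoe/
http://example.com/Ab12-abcdefghijklmn_abcdefgh-xy/
https://www.example.com/wp-content/uploads/2019/05/report.pdf
https://www.example.com/blog/2019/05/20/post/
"""

if __name__ == "__main__":
    for mode in (True, False):
        print("strict" if mode else "loose")
        for epoch, idx, url in scan(SAMPLE_TEXT, strict=mode):
            print(f"  {epoch} pattern {idx}: {url}")
```

In strict mode the scanner returns exactly the four crafted lines; in loose mode the wp-content/uploads pattern also fires on the benign report.pdf link (and a second time on line 1, where it matches the shorter wp-content/uploads/ prefix), which is the false-positive behaviour the NOTE warns about. Feed it the same kind of text the patterns were written against, a raw dump where each URL ends in a quote or a newline, rather than one URL per call with the trailing newline stripped.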
#### Sandbox 05/20/19 ####
(all with fakenet and MITM unless spam/secondary infection)
```

Epoch 1 C2 run on 2019-05-20 (private report)
```

```

Epoch 2 C2 run on 2019-05-20 at 22:30 UTC - https://app.any.run/tasks/67276dba-a4eb-404b-88a2-fb0add7d857f

```