ps66uk

#Emotet Malware IoCs 2019/05/21

May 21st, 2019
  1. ---
  2. layout: post
  3. title: "Daily Emotet IoCs and Notes for 05/21/19"
  4. date: 2019-05-21 23:59 +0100
  5. categories: emotet
  6. ---
  7.  
  8. ## Emotet Malware Document links/IOCs for 05/21/19 as of 05/22/19 01:00 BST ##
  9. *Notes and Credits now at the bottom* Follow us on twitter @cryptolaemus1 for more updates.
  10.  
  11.  
  12. #### Epoch 1 Document/Downloader links seen for 05/21/19 ####
  13. ```
  14.  
  15. <none>
  16.  
  17.  
  18. ```
  19. #### Epoch 2 Document/Downloader links seen for 05/21/19 ####
  20. ```
  21.  
  22. http://3glav.ru/css/lm/LElPNvTAyeCNgL/
  23. http://912graphics.com/cgi-bin/btqbghdo7eu6ykg0zzxjohdj7_j9gac5n-2948099525/
  24. http://9coderz.com/wp-admin/lm/lm/VtuGyUdGncbiGlUmipu/
  25. http://adil-darugar.fr/wp-admin/Scan/trrMBcbN/
  26. http://advokat-kov.ru/new/Document/dcm61tc0sudmm5n860qu1ra_ubwtq8m-5670754007/
  27. http://aio.sakura.ne.jp/forum3d/c9q8c85-7x79nvt-zefc/
  28. http://airconfidencebd.org/wp-content/hfrhybo35jocmt9rykxk92d9_ws2nvv-804221103844/
  29. http://akihi.net/BBS/omra-4vws5-ilkw/
  30. http://akoagro.com/wp-includes/FILE/fsrauTLdLBq/
  31. http://aktpl.com/wp-includes/f8kqjc4-rsaxk-cgivh/
  32. http://alageum.chook.kz/wp-content/uploads/Scan/04263hkou_u9q456yn8-3307251785606/
  33. http://alphalif.se/css/esp/vcpf5ck3gkufnd1tcz06m1dpe0wu_2kkhrv2r7-223819466498611/
  34. http://ambil-hadiahpb.cf/css/Document/zvv6pzemxix7bkqkxcdven37o7v7p8_w4gnn62w-746465135047600/
  35. http://anase.org/wp-content/Pages/iq89n0t5_yfxzp-070843819/
  36. http://an-premium.ru/wp-admin/7b6ech5-svgat05-fnyjvh/
  37. http://anpuchem.cn/wp-admin/2spx3-fd0s9jc-wxcnzqe/
  38. http://appsville.global/wp-includes/6m7d5hr-jolf92s-dxvkhvz/
  39. http://aradministracionintegral.com/wp-content/uploads/q4qzpxt57s_s90s0-562133435485/
  40. http://asatc.ovh/wp-admin/rctqjq-n5326-wzslqtb/
  41. http://atkt.markv.in/_notes/FILE/OCTbubxwjOUENnC/
  42. http://ayashige.sakura.ne.jp/FAQ/wp3mn-06n4afc-usedfbr/
  43. http://azbeton.ro/wp-content/Document/vtjHcnFgqglXQqzqEkohRLJd/
  44. http://b118group.com/wp/b0gk3v7xqs_8737y8-565189409480/
  45. http://batdongsanminhmanh.com/wp-content/uploads/Plik/VSHZLPQDixgGn/
  46. http://bcaa.gq/wp-includes/Pages/WoJUHWDOFhNKDkbe/
  47. http://bestit.biz/suspended.page/esp/ZrnXUqWtuAfQZQRQSBUrFxEDGWGwvk/
  48. http://biyoistatistikdoktoru.com/wp-content/0094ofi-io04bs-wgexsrj/
  49. http://blog.dmtours.lk/wp-content/FILE/ruaXvPMVnjujCTjeLLT/
  50. http://blog.laviajeria.com/wp-content/uploads/gsaujyf-ry06n-dssec/
  51. http://blog.tactfudosan.com/wordpress/Document/KAsyYWOZLfoEhvrJgr/
  52. http://blogs.ct.utfpr.edu.br/mansano/9nlp-wepue-agwyqrc/
  53. http://bmeinc.com/wp-content/t0wunqu-izvvlvm-cqxnq/
  54. http://boilerservice-cambridge.co.uk/muun/esp/IhCsETyWZrho/
  55. http://bonizz.com/DMC/parts_service/5eh2hsadldjems1kq3wlh403v_e39t3mz1ud-335687791589/
  56. http://buxton-inf.derbyshire.sch.uk/wp-content/d3q7i2h-uf2cg-etdwftf/
  57. http://caddish-seventies.000webhostapp.com/wp-admin/4ur9tmys2h_75g6pp-73387052/
  58. http://carlyarts.tk/cgi-bin/0hz63w-s3alcb-vjrm/
  59. http://chinmayacorp.com/COPYRIGHT/Plik/tjDkGOTPHOJ/
  60. http://chirurgien-ophtalmo-retine.fr/wp-admin/Scan/trrMBcbN/
  61. http://cielecka.pl/ilum.pl/Document/f7djienirh5otecveisehl6oi_tn22d-108070575/
  62. http://cmg.asia/wp-content/uploads/DOK/bkmrGzXzIEZODqVCVwBTcQiNn/
  63. http://congchunggiakhanh.vn/wp-content/lm/lmjQDFYXEANYNpuvmqbCJs/
  64. http://conjurosdelcorazon.info/wordpress/Inf/1hpu9k3q05djyl3gq5722_d7u08f-5929583887/
  65. http://consortiumgardois.eu/images/FILE/kzfYkwNCziLHPSLvhPexT/
  66. http://coronadobaptistchurch.org/wp-includes/paclm/nrzbbwc9xordu0f1pojvw03um0v42_ucm04gi-866893424118465/
  67. http://corporateipr.com/m9c/phutz63-w90emms-oukwmr/
  68. http://crsigns.co.uk/wp-includes/rncjoymd9s61_ahrbb-46845098052870/
  69. http://dag.gog.pk/wp-includes/PLIK/wndpifvajs/
  70. http://daizys.nl/BKP-06-05-019/sites/HxflDlFmdMdWWyqIrRZHCGWSE/
  71. http://data.iain-manado.ac.id/wp-content/jvqzpj-qqv5yn-iujro/
  72. http://dembo.bangkok.th.com/wp-content/uploads/ZJzsVKdzRzmVYxKMwQhxC/
  73. http://dembo.bangkok.th.com/wp-content/uploads/ZJzsVKdzRzmVYxKMwQhxC//
  74. http://demositem.cf/wp-admin/lm/gfjj522nshq21esba0bgt5_ig360-20814056176637/
  75. http://diarioprimeraplana.com.mx/wp-admin/04t8ju-5o1m33-exgwn/
  76. http://disperumkim.baliprov.go.id/wp-content/JAaJgGgshskUmKanMFIDcM/
  77. http://dnmartin.net/wp-includes/v62mbu6-bulqh0-mqvdot/
  78. http://dog-mdfc.sakura.ne.jp/img/5oxre-zuektz-igln/
  79. http://dronint.com/wp-admin/tt4up7x-989rvv-uykocm/
  80. http://ds-cocoa.com/form/mfcz-els553-gutvyak/
  81. http://duwon.net/wpp-app/co8s3b-3tkel3v-sgew/
  82. http://ecommercefajeza.web.id/wp/tbkh1v-qjzzn3-wvojp/
  83. http://economika.com.ve/email/paclm/dsbzhob4b8seeq_zl3zlxclc7-7223513679032/
  84. http://e-controlempresarial.com/wp/paclm/02oyix5wanbeegnxcnudm_m9wha6e-6640018143938/
  85. http://eeda.tn/wp-content/languages/qrx8t-enc1iw2-tlpfv/
  86. http://egplms.okmot.kg/wp-includes/mf75rsm-y1pndse-apjgbfv/
  87. http://emcimed.ml/wp-admin/INC/beCmcstHEcYWSdunsNpV/
  88. http://esquso.com/wp-includes/parts_service/zncgw5r30ehtff4w4_nvu506u-84590229280717/
  89. http://eticasolucoes.com.br/controle/FILE/urjm9ad0e20oke9_yys4j-1833857769/
  90. http://eurofutura.com/carloghio/parts_service/JYRByxVSfhNOpVVTASyyBhBR/
  91. http://exenture.net/mySHiT/mhv8eiw14_tj1q863agg-191035311473/
  92. http://exposicaoceramicaearte.com.br/cgi-bin/Scan/cuhgcn4fje3ftup_x82vkmk-064904430823956/
  93. http://faggioni.site/c/LLC/vyjd8e7lofux_y85bv-123015212024842/
  94. http://fearis.sakura.ne.jp/data/yrvn-jsbee-qckg/
  95. http://fills.info/d907-e9y5h-tahwufs/
  96. http://filosofiya.moscow/2vx0z2/m0jt45-5vk7cj-kzcs/
  97. http://fireprotectionservicespennsylvania.review/wp-content/k3nlc-jupmj-vxzwydm/
  98. http://fitnepali.com/wp-content/plugins/vtt3uru-k3dfd-rfeqkz/
  99. http://focuseducationcentre.cf/zayarlin/Document/bEjkgNhfyDTjBiljqJwhvIaDu/
  100. http://gamingproapps.com/wp-admin/05wvu0-b8bm2-mujg/
  101. http://garage-ucg.com/_mm/cshqzve-2wrp3b6-acmsyoc/
  102. http://gatewaymontessori.edu.gh/5r0x/INC/sor5jniomi1bw8se6reyjodziydt_dk6pdtw-885852414780/
  103. http://giangdinh.vn/wp-admin/LLC/AmMcutbAcsZgoLPpvSBSFJFL/
  104. http://giaoducvacongnghe.com/wp-admin/parts_service/s5nvqu5cu5xiavsm_tt4g6sg-9685915454/
  105. http://gilmatas.000webhostapp.com/wp-admin/yznvck5zdjh_m6ewq2-12021270394/
  106. http://gite-la-gerbiere.fr/lib/bf1vgc-kym3vl-moyonq/
  107. http://glumory.co.id/wp-admin/qlomqukhp4rm409zcqi35hdp_3ezcpjzr5-7274514462/
  108. http://graminea.or.id/cgi-bin/esp/dRfhYjIAqKiRZKZtpFcXvsFYUD/
  109. http://greencampus.uho.ac.id/wp-content/uploads/vyeow9-3fruh-vbno/
  110. http://grinq.com.ua/wp-content/qon3os-lg1iwjy-xwfjr/
  111. http://grupoxn.com/wp-content/h2uy3p-uanu36y-qpfbabc/
  112. http://guidafinanziamentieuropei.it/dup-installer/esp/whISpSbNpvwrdNdxBlTfEMDIUKOs/
  113. http://halcelemates.com.ng/cgi-bin/qspgn-miqx4yz-hudi/
  114. http://haovok.com/wp-content/uploads/2019/i6pygi1-skve9j1-upduf/
  115. http://haovok.com/wp-content/uploads/2019/vy24ysx-hdhlv8k-nyuqxqd/
  116. http://havistore.net/wp-includes/wt6adv7-xupjzl1-sidkes/
  117. http://hestoghundehuset.dk/wp-admin/mPKrLBEEMiHVhKYpHeEc/
  118. http://iamzb.com/aspnet_client/system_web/c0rft63-7sh4lwp-rskuhl/
  119. http://ibuying.pk/mvmbb6/ei43a-fw9o8-druj/
  120. http://ideenn.ml/wp-includes/esp/5et9jh3fkakhc0tqf6mf_36yoe7na2-28649149907/
  121. http://ipdesign.pt/wp-content/8j81y6r-r7axbj-coot/
  122. http://itcshop.com.ng/fasttrackcash/Inf/qrjYUODRuCg/
  123. http://jajiedgenet.name.ng/wp/DOK/x963ssn0_skxizz6j-099060478701887/
  124. http://javed.co.uk/wp-admin/f3pafo-bac855-vrgxw/
  125. http://kamasexstory.com/wp-content/y2o6h-vnm6vw-ehxybl/
  126. http://kauzar.com.br/wp-admin/9naj-wg0geu-jvhkq/
  127. http://kgdotcom.my/wp-content/e6k9v2v6m0_tfl09azf-288153120/
  128. http://kipsoft.vn/wp-admin/uXHCWQYIsUwy/
  129. http://kirakima.sakura.ne.jp/_yoru.oldcake/app/webroot/i23z-b91g84-kvrrlys/
  130. http://kleine-gruesse.de/wp-includes/Document/laWittBVpszALuZbTWOvWHRk/
  131. http://krasotatver.ru/wp-admin/n53x-uxotfh-dxkbol/
  132. http://ksicardo.com/travel/86xczz-ky8hi-fbwoyt/
  133. http://kujuaid.net/2006/9cs63i4-rbynm-zrnxuqw/
  134. http://kumakun.com/aikawa/2q13-86mdf3-hjxhhr/
  135. http://kuramodev.com/wp-admin/esp/2lcrz1uaq99jqg6x_btdci7az-5511668994948/
  136. http://lab-quality.com/wp-includes/549lfpr-f98te73-fkqna/
  137. http://lejintian.cn/wp-admin/bmyd-j0qwdr-gwyynxv/
  138. http://lencoltermicosonobom.com.br/wp-content/ina4-ows9b-vnirk/
  139. http://les.nyc/wp-content/uploads/zuxbjd6mgcbofmz_1lwfz-96882379608/
  140. http://lesantivirus.net/css/esp/LvxnSHShDjxTiArIvTtXhDOGX/
  141. http://liantrip.com/x6sm/INC/k9iovbtzedsa1ptk3j_9gqdpmgi-906696776/
  142. http://lizerubens.be/wp-admin/parts_service/IWuXVRHMja/
  143. http://lnemacs.com/updatecoreo/paclm/QOqcLyIDnqskRUPrQtAY/
  144. http://logicsoccer.vip/wp-includes/PLIK/DyyyskgffSivMY/
  145. http://longokura.com/wp-includes/Pages/RphdkFQwbj/
  146. http://lr12sp10.org/wp-admin/8nu0md8-38qsi0-iqme/
  147. http://luisromero.es/cafe/LLC/d02zuso2z3r0o07_uge4o-3011321187376/
  148. http://luxconstruction.mackmckie.me/cgi-bin/LLC/jbiat3az5san8nte6g_mhl1i2rv-47824935/
  149. http://luz.ch/fuurball/paclm/tayiwtdw9gvgb21rvi815umr4_l1k2tafz-916097634479/
  150. http://maloninc.com/archive/lienu7-gmeqaps-nrnqb/
  151. http://manorviews.co.nz/images/paclm/mcpf0o3f5me1zh2x2xarr5c_c2kog9qp6-11133861/
  152. http://marbellastreaming.com/admin/3b1zwi824hbk1pe2coubcbob_5nlp4bh-14804269498/
  153. http://markantic.com/wp-includes/LLC/oXitshkRMjCSa/
  154. http://markelliotson.com/sites/k47y5hwtw8h_aqzp3l-449059094/
  155. http://masana.cat/pix/parts_service/wBwhQtYEVIEpsMPtRsyl/
  156. http://masterchoicepizza.com/wp-content/uploads/i650-0aa2od7-pdxlvg/
  157. http://masters-catering.kz/star/Scan/4srrh6lm3eqgk7goazhnkodrbaio_eaxlbr-436287246/
  158. http://mattshortland.com/ozXYuMOiYlguFF/
  159. http://mayupan.com/css/Pages/jamcysmfx_d379k-789309688595/
  160. http://mazzglobal.com/51655165g/sites/zuutn9zkjzzsbhffa5d0fpvaw9z_jzv2j6b-263923452810966/
  161. http://megfigyel.hu/hirlevel/kj8ce-szyqbse-iinoje/
  162. http://melondisc.co.th/47bd/atyb-h8smk3-qvbbwsh/
  163. http://mic3412.ir/wp-includes/LLC/hsnp7lhg0fbqhj1dph7c4fmspwvz_r66ocyu3-858421356/
  164. http://mickreevesmodels.co.uk/micks_chat/INC/KfNJTKdmSYiueWhbqeYVzigbOaUj/
  165. http://misbragasusadas.com/wp-admin/paclm/okb30cee6xhg1cbi279ssznmewh88k_mimhl-536403870815322/
  166. http://mjc-arts-blagnac.com/wp-content/Document/qein18j18_d9y843jj7-3116175961/
  167. http://mjeas.seas.num.edu.mn/4jew/Pages/DddiRVHssfjb/
  168. http://mjeas.seas.num.edu.mn/4jew/Pages/DddiRVHssfjb//
  169. http://mmgbarbers.sk/wp-content/hmESzqKrW/
  170. http://monsterz.net/blog2/FILE/fCuLIWGTqBVwcPDfUQRVodcKJxEmI/
  171. http://m-ros.es/wp-admin/nfbyibe-l6cpr-wvgd/
  172. http://mtaconsulting.com/wp-content/Pages/ntq8h5pnhzsb_c98jimy0lh-77243452881/
  173. http://multicapmais.com/js/esp/jLOgrxpWZ/
  174. http://mwvisual.com/scfv/bYofxzLIBlDANzJQJhwNsOgzvfU/
  175. http://myofficeplus.com/Document/zJLRnsotorjEVuGxH/
  176. http://ndm-services.co.uk/DOC/gsnhdhup7vp8u3onxtqzbn_mso4v7e-4060977015/
  177. http://nforsdt.org.np/cgi-bin/LLC/rJhJsoFerEAbFVKOgJweNESInf/
  178. http://ninhodosanimais.com.br/wp-admin/2r5n-hqg5fh-riwe/
  179. http://noons.ru/wp-admin/DOK/mpmd1xmzhl8ijhcvdh2d40r249a_07m8onqzs-192022041933115/
  180. http://novaoptica.pt/wp-admin/rnsoyvw-8y64rg-ppgc/
  181. http://nucleomargarethferes.com.br/wp-includes/3lte794qnmo8qdk8p_cbdl68-46700341/
  182. http://osarofc.com/wp-content/0svg-ykzyl-eczxl/
  183. http://ovakast.com/wp-admin/zbb9q-if7z3-xncfy/
  184. http://paywhatyouwant.io/cgi-bin/INC/RycXLpkwbaXNzSdOQYrWlxXoi/
  185. http://placo.de/typo3_src-7.6.11/3jo2nmg-58mws-pospv/
  186. http://planetkram.com/cgi-bin/FILE/lydb59kvj94x2qxaf0lo_95s38g-70862676621395/
  187. http://pmalyshev.ru/wp-admin/FILE/x54foocsocq3hddk_c3e68-88316015852100/
  188. http://priatman.co.id/old/gmvor-qkevv-kmjsj/
  189. http://priatman.co.id/old/gmvor-qkevv-kmjsj//
  190. http://print-consult.be/ResponsiveImageGallery/61p114nlua4w2_8mcik3tixr-083144052/
  191. http://prom-alp.kz/wp-admin/1skay-qbj32qb-aoivyzz/
  192. http://qwelaproducts.co.za/wp/voo74gu-yc23wv6-eysshi/
  193. http://rabotkerk.be/cgi-bin/jt2ly-82r1t-uawc/
  194. http://ramun.ch/infa/FILE/lJvrIxQuUlhOCEvbCUdnSfzGi/
  195. http://rociton.com.bd/wp-content/parts_service/f40sb8gz9nnsppjgt7tclxs_gq8nvjogop-96874256/
  196. http://rzd-med.kz/wp-admin/parts_service/sw52j2qr0y_aaqn7hq5b-378256719777818/
  197. http://sanalkeyfi.com/wp-includes/Dok/qauowl45eharem4bo5i0_9vtspc-07835495394/
  198. http://sa-pient.com/wp-admin/uhiz5-waz5h1-oeokf/
  199. http://sawitandtravel.com/cgi-bin/4xaib1-5gzkqtk-ncyncpf/
  200. http://seabird.com.ph/html5lightbox/e49fc-v1zh9o-zrdsp/
  201. http://sexlustoys.com/app/heotbm4-5ea4e-qbhgzg/
  202. http://shadzisti.ir/wp-includes/bka7-9lmu27-vhofm/
  203. http://skilancein.000webhostapp.com/assets/INF/BztYZLgGvYARNnbzPsTRtTUGJy/
  204. http://slppoffice.lk/wp-admin/cjr9zzp-rf7yx2-rbvxv/
  205. http://smake.in/wp-admin/4ssh779-i04deq-vsarad/
  206. http://smartschools.co.zw/wp-content/f8sy-k74kuj-xsaidw/
  207. http://snowballnaturals.com/cgi-bin/gsai-g663ics-kgisfcn/
  208. http://songdung.vn/4d4ixle/zxkthq-p764b-mmzxllf/
  209. http://sreelabels.com/wp/x1zu-9l83g-fhhdw/
  210. http://srgranel.pt/blogs/LLC/yi2j7x85stn1at_4dvhbnr-47282747/
  211. http://sseg.ch/wp-content/ytn7-eh9d9a0-jphxofx/
  212. http://steventoddart.com/cgi-bin/78djj4-9rsc3m6-rwtqz/
  213. http://subkhonov.com/LLC/Document/qWrWCtrmDmBwslubhyvcaBfWhiQX/
  214. http://sulkanvariasimotor.com/cgi-bin/Dane/QdSsDaRPbt/
  215. http://supercopa.cl/assets/esp/zugnnetz0suvx017j01zwr3_x33y9-0543142109882/
  216. http://swansgateshoppingcentre.com/wp-includes/Scan/ok6ulsnds83m0s_6gz9lcuo8c-605978940826/
  217. http://tbwysx.cn/build/9631pb-3ndkdr6-ieae/
  218. http://teiamais.pt/wp-admin/ir05prk-vawjdhm-mwwvx/
  219. http://teknisi-it.id/COPYRIGHT/FILE/VppKShnPdkhRjUEXEeooCIIAhwbUDA/
  220. http://thegeekmind.pt/wp-admin/hyxd-4bsn17c-hfsreja/
  221. http://theoptimacreative.com/backer/DOC/lzdtnRntp/
  222. http://thethaoams.com/wp-admin/k8xc-vr0ue-ryktr/
  223. http://toorya.in/wp-content/csbluri-69vjyo-gvib/
  224. http://torneosnh.com/lucho/qgyr-kn326x-dxbtpa/
  225. http://trademarkloft.com/wp/LLC/MRWfXNPWcWfmIEtA/
  226. http://travel2njoy.com/wp-admin/30f8i-871i1f1-hcbtiyx/
  227. http://trendybirdie.it/wp-admin/l26xb-qw1gs-nbrr/
  228. http://usemycredit.ml/wp-includes/lm/qr0k1llf_9epghq0f-911869644204054/
  229. http://veresk-studio.ru/wp-admin/e032ur-7ivwl-evprfzy/
  230. http://vidalgesso.com.br/wp-content/parts_service/0dxp3gqybi_khdxx-76852614/
  231. http://vinyasayogaschool.co.in/wp-admin/Pages/srSdAHPKkqZbXQVsEkPcjTBAUxFM/
  232. http://voctech-resources.com/cgi-bin/Scan/yygznlklj5_donv8-334023278047356/
  233. http://warwickvalleyliving.com/images/classes/89ofu-pyt3kp6-ucnuue/
  234. http://www.912graphics.com/cgi-bin/btqbghdo7eu6ykg0zzxjohdj7_j9gac5n-2948099525/
  235. http://www.adil-darugar.fr/wp-admin/Scan/trrMBcbN/
  236. http://www.cmg.asia/wp-content/uploads/DOK/bkmrGzXzIEZODqVCVwBTcQiNn/
  237. http://www.maria-hilber.at/wordpress/y0og46-pud86sj-qmdnev/
  238. http://www.nucleomargarethferes.com.br/wp-includes/3lte794qnmo8qdk8p_cbdl68-46700341/
  239. http://www.rabotkerk.be/cgi-bin/jt2ly-82r1t-uawc/
  240. http://www.vidalgesso.com.br/wp-content/parts_service/0dxp3gqybi_khdxx-76852614/
  241. http://xpelair.com.ng/wp-admin/uwenu-wdun3-aurp/
  242. http://yaxiang1976.com.tw/wp-admin/01hx-6w7iiy-boqkmey/
  243. http://yk-style.net/weibo/erjm9-7dlg8an-zsldtn/
  244. http://zhas-daryn.kz/toreshim.kz/LLC/ndpZCyBJjxPtWoCjvwxzqByfXVQsuT/
  245. http://zmeyerz.com/homepage_files/paclm/ATMrNHzXJjfIFDTQmcCNmiPHPRUXO/
  246. https://akihi.net/BBS/omra-4vws5-ilkw/
  247. https://blog.laviajeria.com/wp-content/uploads/gsaujyf-ry06n-dssec/
  248. https://bmeinc.com/wp-content/t0wunqu-izvvlvm-cqxnq/
  249. https://buxton-inf.derbyshire.sch.uk/wp-content/d3q7i2h-uf2cg-etdwftf/
  250. https://centredentairedouville.com/wp-includes/Document/zw020kmf76b9mjrb_75xfiu-31033395686/
  251. https://conjurosdelcorazon.info/wordpress/Inf/1hpu9k3q05djyl3gq5722_d7u08f-5929583887/
  252. https://dnmartin.net/wp-includes/v62mbu6-bulqh0-mqvdot/
  253. https://eeda.tn/wp-content/languages/qrx8t-enc1iw2-tlpfv/
  254. https://euma.vn/yfbh/pvhwwa-xg74b4-bknrdh/
  255. https://exposicaoceramicaearte.com.br/cgi-bin/Scan/cuhgcn4fje3ftup_x82vkmk-064904430823956/
  256. https://fitnepali.com/wp-content/plugins/vtt3uru-k3dfd-rfeqkz/
  257. https://hlclighting.ca/wp/Scan/oylkuxb7d3zafh4_yyzho55c-730553405724/
  258. https://kamasexstory.com/wp-content/y2o6h-vnm6vw-ehxybl/
  259. https://katesemernya.ru/wp-content/parts_service/fl3u8puxwduomh55mrw44jisppz10r_nfmkflw-998458487096619/
  260. https://ksicardo.com/travel/86xczz-ky8hi-fbwoyt/
  261. https://liantrip.com/x6sm/INC/k9iovbtzedsa1ptk3j_9gqdpmgi-906696776/
  262. https://longokura.com/wp-includes/Pages/RphdkFQwbj/
  263. https://lr12sp10.org/wp-admin/8nu0md8-38qsi0-iqme/
  264. https://megfigyel.hu/hirlevel/kj8ce-szyqbse-iinoje/
  265. https://mjc-arts-blagnac.com/wp-content/Document/qein18j18_d9y843jj7-3116175961/
  266. https://placo.de/typo3_src-7.6.11/3jo2nmg-58mws-pospv/
  267. https://proxindo.id/wp-admin/FILE/vgsupeyhnlc8ka4tbdu72wde7khpa_1ganzrzry-05828045/
  268. https://ramun.ch/infa/FILE/lJvrIxQuUlhOCEvbCUdnSfzGi/
  269. https://rzd-med.kz/wp-admin/parts_service/sw52j2qr0y_aaqn7hq5b-378256719777818/
  270. https://srgranel.pt/blogs/LLC/yi2j7x85stn1at_4dvhbnr-47282747/
  271. https://thethaoams.com/wp-admin/k8xc-vr0ue-ryktr/
  272. https://topaqiqah.com/wp-admin/iwrivz-kuvph-szzyiic/
  273. https://www.kleine-gruesse.de/wp-includes/Document/laWittBVpszALuZbTWOvWHRk/
  274. https://www.sseg.ch/wp-content/ytn7-eh9d9a0-jphxofx/
  275.  
  276.  
  277. ```
  278. #### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
  279. ```
  280.  
  281. Creation Time 2019:05:21 15:47:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
  282. SHA256:
  283. 3186aa73cfd05f2eb1377f4f2d4f1c1e92fcd17c16931a836685006c9e541d22
  284. b5b3b11a8102211cdc96d8c632632302c7581a2782188bba735064fc79a9dd92
  285. c3d9a7610c958cfb1e53f7f0347f039b7f886091b34e7b40c01b37b162966604
  286. f4222ea98ed930fc2bb5e61b8a6552c7e2d14068e1a8e4e5ca880d8ca7fb84de
  287. a2b9b0f88df424553ed318b9d60253acf17a87110ec122fd85b9d1eb48905c93
  288. 1f0ca6fb3208beccb72075ff4cb11d637bb78a28b008231f20cd559d23f54599
  289. 60687bd472c8e22c380001350f2211e246237ae722fc0bd6b0ad58d07630dc1c
  290. 54b34632fc88ff88fb0de3ea6861249c72c0606e379617189646ac1601f91a46
  291. cf5e0fbd285d9f04b16748729d7e284aa32224195016ef192626e6b6d8778825
  292. deaa8bd161e8f3e7c7b6fc6f698a83f2f8772529eb0d0b596c7be47b29b3d76e
  293. 7bb902370e4d515163f834fc59508529311503a60257ff22bfa17dc48c75950c
  294.  
  295. http://lucy-jade.com/wp-includes/tbzu5/
  296. http://feti-navi.net/wp-admin/gfod2z3668/
  297. http://vinkagu.com/wp-admin/1mc0544/
  298. http://hashkorea.com/wp-includes/sp0d763/
  299. http://phigvelers.com/Library/7tak1867/
  300.  
  301.  
  302. Creation Time 2019:05:21 11:11:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
  303. SHA256:
  304. f9ab3d277291f373e3d2986e76401a707948eaef5d22cb884c278f962fd4d035
  305. 1b48a315a4e8c5a5b7095883e663dd0b43f40f9bb60d17bda594c37648371469
  306. b7c079f1f0580be195115872575caa40cd63137a5aaffdbd447708e1723dc4e3
  307. fa38aaec56c44bf5e2e151cfeaed8b47b19491e1fdec93c77baf5803c5f4d0d8
  308. 4cc271756b3556d783f24f14250e61f7ac3113dd3cccdf3ed91544b4e1254d21
  309. 04f15c494871ac098989011d3ea2d97fb75117407937a5bec50dfd87cdfdcdc4
  310. b408e06a045d97382580d5f1a7b1d5183368de3cb0cf3324647f1d802ba95bef
  311. d4813f30ddf8126ecbfff6875784ac8d0ed7396ed7f6fea7b48fc9d53a86c0ce
  312. 1a09ca29dffdc772442b2d5c3b5a5ba6aac16bb132b2f793e959f25bfd71d223
  313. 7bb6d38374d20b09092ee76894f5f10bfd4c18dfb75b1277e6a41f5b9bda0c31
  314. baf34bf1cc0f032834397222dd59c2557bf5f07cd0224e7f09e6195a35ca90bd
  315. e2b1de5edef455be4fc02f63386113d5f9388964c88a8b203f8c64b95dccfcf2
  316. 2d637c739528b1bb6ef74565459d1bba3879d812cdef35bef1db18502fc719b1
  317. ff032e980b8d7ace5618a79ffe8dc09a99d8b133de6d9adfee43690367475f37
  318. b7c079f1f0580be195115872575caa40cd63137a5aaffdbd447708e1723dc4e3
  319. 4ff3858e96b9e76a27c8441347cfebb98dd1ccc58748f794b8c797aa19df75d3
  320. b408e06a045d97382580d5f1a7b1d5183368de3cb0cf3324647f1d802ba95bef
  321. 7fbec185d4b8ea5ae64de6f2e47a48091582437d26f55c547eb62da373341431
  322. 98594d722c9887eccf2912c97c05c72c95d2cd03f795ae4752f307d28b8dfecb
  323.  
  324. http://indahtour.com/test/xyswwg35509/
  325. http://bike-nomad.com/thumbnails/525v731481/
  326. http://esnconsultants.com/medals/oftqcsg954/
  327. http://heuveling.net/l3d74/
  328. http://leeger.net/joomla/c60/
  329.  
  330.  
  331. Creation Time 2019:05:21 06:34:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
  332. SHA256:
  333. 834731391b0defa34d6dd096260d88d3af4e1fe78eb152da8c75d95b80d3345e
  334. 0b5cec0a3865e2e0ba377217d7ff4496f9ed54659317318ffc5b8c58b3476afb
  335. ec362e5792698b74941f6f06159f2d713c1380f926756c267f6cf226306f3027
  336. b8492e02cf746690321944c8d37a32f8a4fbe6edf749f89b576eb6aff540c631
  337. 297d50491edaf2865e9a7373885527e50fc33c7deda6e964e3dc67bdc7ad4d9b
  338. e14b09b539e527769866b24ff31f22a977173876fe8eb0cd0c707ad61a2f57b6
  339. a02a597810a1af3c6c0ae138bc202ed4cb52b282c335ef4ff002386939442909
  340. 2bdb377ede44fad994ccf12a517461d5547ca0d3a5fd327599ac26100348ae07
  341. e5c395bb17baa9f804633f78c45f2af5b333e6b66a92a247018ee70d0d6d34e0
  342. 27911ae09f81e29840684c546276dd3e1401627c12f8097adc8a135dd4c1a3b4
  343. 55570679e088d70af551ec6fa946e413c40a333acdba4b089f4768780df18cc0
  344. d3f31e2cfc818d9a8deeada5caeb6354c3673021e0f396625cf42acf1452a08e
  345. 000f398424798d053f45b56c1326f3aae46357986172cb4434968564f7082340
  346. 4da31a497839d41fb1bad2694cebbcd58b05f3b900eb951539f7b68bf6064b1d
  347. f2882f50d8d76f576ae6ef158d018ea5cbd402742b2e72f61d448acc4433ba49
  348. b8492e02cf746690321944c8d37a32f8a4fbe6edf749f89b576eb6aff540c631
  349. bd27a9089dcf0492fe56ad777c70400668738cbc0661d6df0e448d5db3e6880d
  350. 942ac5d45abfb5aa4fabdaeb89ad88b3ac4a22a7619149b0d5745284f2d5f210
  351. 0939b437c0e22c3f99833a517bdaa2038f044a85f59e36bf4a358e72ac84ba30
  352. 51c7b0fb847932c47785886b721ce98dd2d6534b6904a65b1b73e4113a9647a2
  353.  
  354. http://nemexis.com/v2/iogkxow886/
  355. http://giumaithanhxuan.com/bipq/1265/
  356. http://lifetransformersgroup.com/cgi-bin/0px3t7/
  357. http://mejalook.com/blog/46nq99/
  358. http://mejiadigital.net/4a30/
  359.  
  360. also
  361. http://169.61.9.157/v2/iogkxow886/
  362.  
  363.  
  364. ```
  365. #### SHA256s for Epoch 1 Payload EXEs seen on 05/21/19 ####
  366. ```
  367.  
  368. bbb17749e7d4493a06e557a500eefd2f3472439ca955d2b2f74367c431d39348
  369. 9281bed7f99d4dc0c5066c7437bf66ef884b22e3c64386b60ba120ee7600fd71
  370. 1da42da7db4625dc10cc670638d2ec0f214173b4e2feea0828236de9b6683e5b
  371. 4cdc642df81767d815fa348ad81f7804678ee15b47785f2056d5818b55700c7a
  372.  
  373.  
  374. ```
  375. #### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
  376. ```
  377.  
  378. Creation Time 2019:05:21 15:38:00 (Attachment only - DOC Based - ENG - 365 Blue Box)
  379. SHA256:
  380. 0bc575f2877b8823c88e054f060f9615f107f667ad9b3ab7ef81342257f62ae0
  381. 7d90829f67ffeaa277c1f148853d1bc8029b50061fcb67f954794ae02da8e6d5
  382. 005031fa9bc41b117502d84a3bc07e4d0dcdefad19bceac8d55f982628b66497
  383. be426ab8a0fd5fa32dbd356f2cf9ffb1f470c11f521bde62bf1130c6b4824a93
  384.  
  385. http://tataaquila.com/wp-content/VnZCUGsIx/
  386. http://quangcaobanghieu.vn/wp-admin/mnxcr_prcplofs-543418/
  387. http://entertech.pt/ftp_sat/pfd770s9cd_tv21zy-3/
  388. http://mentes.bolt.hu/zscf/ZnHNjKBqK/
  389. https://midnighthare.co.uk/joomla/qCwEdMNIU/
  390.  
  391.  
  392. Creation Time 2019:05:21 11:29:00 (DOC Based - ENG - 365 Blue Box)
  393. SHA256:
  394. 728d0def3186dc60e0b0ae365fe750930be37151b1a1e8165a25288026dd2b16
  395. 18cfb63256920dbdbfb323029eefefb87868d876d3a3e20374c78bcb36912222
  396. d3be1c51eb2242f7e9075192475a9c79797f2444ff427ae31ae7d98323cbe6aa
  397. 1fed16048c546058c202c2e4ac47e2724345734bc81e2ddd417470bbde6a458b
  398. 65c01a898852e52de112235be2f89cbbe01875ec22602fa5b8759d1a6a99e074
  399. 52478e946ce21f5575e44e8ca7eea3fa4bc19884766d780b4d1c86008968de59
  400. 4aed490385893bc87057809f30522a8bd1f5fbb1e98228eacdaea0c7b32db406
  401. b2d41d179fd265f8c043a1e1320dbd29da3cc2f969b0608843c3ec8461aea9c1
  402. 88972b986e79467a4922b16b7e8de50e325535a0f75e480fef2b4eb883fbe87d
  403. 5dc74367c0888088fb09a1a4528071ed03d5a911f49b77278c2768799494e42b
  404. 9e76fa48088b08ad51c00814310c9e18c11de27b79dd3655252c371c13d646d3
  405. ab56d467250815ce59a4e180f4a1fce5e5b3dca9765e3efb63f42fddc16ab441
  406. bc53b88dd6f5907e4d225bf3bdd87dd0446ca9801f23b4f723b40a01df00217d
  407. 43214f8a94c8b6ab6e615e19deee6da3f3f1492e090cbeea4c216ff17d3cec7c
  408. 3fd03f7835e04318c0d189ed5125ce9bc8e593513bdf47b25c86c2543a4e119c
  409. d3ac2a40b74f11795c013911171f27ae3cc66c23fb836105b3417e93c8d6530e
  410. 3107bec7fa6f9a0def69ab8138e924f921d8434e9e07b4aa0aed8e5473a34ced
  411. 07c5f5aa86e104945318cec323bf33c2b8f3075be7faa05c819c87c7b5d3d84d
  412. c3c972f236a7821a015c19783efee3001cab85beb0be4d321eecd6892b35f4dc
  413. fe0a4235cacb127cdd5a233de289afd77aaa9466beab667fe94277cd1b0d6dbc
  414. 5eddaa7d2cca79266cb9f5a6cddf70a70c9b4c970289f6956969453f10cd3d0d
  415. 47656e32b028df9497bce411005c7694d400656330c94071b4ac073928654378
  416. 751d2fb9c58cca3176b5a0052b76ed9943ca49fdfba93624162a2934ab79e070
  417. 9733c729501430b4d4df9ac843c4ee8e700fb9986e3e0084c450a8842f8dbc80
  418. 7df44517d6b3d9c8f96b5eee9ec19bdb9ef9a9fec10df254878a8d97c7acc590
  419. 8a1268300ed1420980b983cc13772eba3468ed2dbefb1da04fe86222bec651f6
  420. 789a0c9cdda263bb30fd3ef55ca52f8a13ae62e48e411777bc2d743ffe32c1ed
  421. 9f7521fc26126b288e5680cc9e5f4d5c48b2cb0f00330e1c967cc19b43544a5c
  422. 3cf84933b09c7ba41dc44c87d7d25ab09bb483e9a65c61419533ca390ceeedf7
  423. 82b442d216bf026aaab691c10d73e9728b018985ab8836458d8eb7c0717e8431
  424. 56c3ed80ab25a9d8f9be95a185904784cb4f3317ebeba195c74e411374cf38a9
  425. 9b5dabab677cc2e0ea7c151f246e4c9591d51a04ce590fc079eb1666cc44f1b7
  426. 884ce8c4a4f79ad45ee76097b8574455992f335d468d3dc39b2da7230800db54
  427. 1f9135d4728db1169f5b2c9ca06799ee283292f4ec89e1297f97a281dd72ed9f
  428. 7ab11f10f3e8c44689c783fa8a81a4cb8198c8c4c590ee3b8a7098cfab26926d
  429. 2eec2788ab92c6656545389dd8870c596083c10f9c7de05e410ed6cc88996f1b
  430. e37911f348a0646d43bbd18ca495938da81550e77bcce2fdf6825ad4983746d7
  431. 0c8195dc142129c79c44a0cfd36ad7e7107a54bdb3fda3dfce49ea4ef4ff7f15
  432. c7fc9b8dac0a223d3dc280f2a3b161b2592304a055a1f6c9dcb385e329d44a4b
  433. b7c866e1206e59ccc9331f6bc979987fc8d4039e986d05591ba8d1080a77bba2
  434. fd07b84f52ac3c5692366db8c7fd6f7915062e311a26192c079c39990e38eddf
  435. 4058c92ce66ee6c95a068c47aa7c881305e2e84ac60d8b8f52d0735b42605686
  436. b570f6b13a46f9cd00bfeb5898b0789778a1af9853838cf09a969794f0f271b4
  437. e3a0c9da4600559e06487c241e247cd54062c0dc80e05a5554229213494ec110
  438. 72306a55d75df63a03d274eba3eef0568b5882f0e84fbc9969e85dc5ebf81358
  439. 31191c4cb6466678da508d0481f4dff50402262c264047215850d74eaaa4ed7d
  440. c70342a18c7acb9fcee47653f65d5fa6adc363ae35c94db9092c85a3c5e049ad
  441. 76458b834de22f4dff0ef5087e8ce583339ff73fae4018094b371b281c3bb5c7
  442. 192150e5d5005d3650f182bea9365cbb4a6cc50b57f72f48705f5c905e228554
  443. f1d8695c5978de94a912c3951bb5529653bbfd2852a913264a8486e9620284fb
  444.  
  445. http://mireiatorrent.com/wp-includes/bj07f0biw9_0sj91efi-0/
  446. http://msograteful.com/codImwUJbt/
  447. http://escoder.net/cgi-bin/OmrZcAEqS/
  448. http://priyainfosys.com/products/FSrnZTOgOA/
  449. http://llona.net/bqi776dm_agvux-6816533798/
  450.  
  451.  
  452. Creation Time 2019:05:21 07:46:00 (DOC Based - ENG - 365 Blue Box)
  453. SHA256:
  454. 739add20d743a8d00b6fc26c0e0985b6876748fe5fee82b81c62b49cb151f571
  455. f3a34ec584abd1dcdad7c65782cba7b633124e29a05649adb97b0e6492f37e4f
  456. 28b9a555d40cbe24c10a99bb5f18f99a26bac4d6ae19c80b7eb07cfa2c1466af
  457. a044a40de89da2345b2ebe7ba33c7cfd51693afc8e070bbb90158f4a21be57a6
  458. 6a1449aa4e7284a079bd98df27e9a86960108a897f0f7a785e769d94744a93c0
  459. d53204c2b76437fa76c196709795ca2a123dc8fda1815b38d95ddb98b274176d
  460. a6df8746b9d74d6fdd4109d3b81acce0399c6c3f8104a074d171eb8c4b09ffed
  461. 7c579c44bc0dfdbf7869860b97621b3a2da7d2e7a99f8c1faf944f76b0c9cc8f
  462. 31d241738b7f029d100af0d13b0822647caf41e507612398ce3c5017c67532e2
  463. 448747e9b705f47ab849ddf077736650b0e45ce63e7e42008a31d71228e3e793
  464. 5c0e8c8cb4b045e9683ca8f2e266b1fef7e1240fc1e3059e876c273745ea1592
  465. 0d916a1d131df981f5598d9f98538a2b637e8d924a40fa541c1bbe2852615df0
  466. 55da62fdf470a46c62d6189c5f83b709563510689c96b67136c15ca6411aa845
  467. c9d6408f645ddd2d73c96d56ed1a6ed7fa1be5d10062ee76bdb88da1b6db6056
  468. be4c3f33dfd43a0a47857c13cbab9d0fc05e10a94e1ab58553d8553de3634a0b
  469. 335a5fd3eca63f5a2fdd5496da37d5bd954bff56610be700434521b827ee1105
  470.  
  471. https://mobilizr.com/slagmite/vfao_7pkco0lob-674967226/
  472. http://mmesupport.com/upload_docs/7qnxu0_on92iv5o8u-07294/
  473. https://miv-survey.com/ws/xz8yftcm6t_bdxduwga3w-3/
  474. http://moolo.pl/pub/NauVcJcbPH/
  475. http://mstation.jp/2004christmas/ybgiax_c3bk83e7-33621494/
  476.  
  477. also
  478. https://www.slagmite.com/vfao_7pkco0lob-674967226/
  479.  
  480.  
  481. ```
  482. #### SHA256s for Epoch 2 Payload EXEs seen on 05/21/19 ####
  483. ```
  484.  
  485. 5043fefebe7b86a1f6c9cce3851198c9e57ec13bb20a092def794eed67520648
  486. 51465a36762cd888020e933c9ecd34d8834b38cb424616b5ab155c50791bcf79
  487. e53bde18c9de202dfe978dfd02a456fae1d1db6188491841fedadc306b10d68e
  488.  
  489.  
  490. ```
#### Epoch 1 C2s ####
```

103.201.150.209:80
105.224.171.102:80
109.104.79.48:8080
109.73.52.242:8080
110.93.196.197:80
111.67.12.221:8080
134.101.222.153:80
159.69.2.128:7080
163.18.23.242:80
175.107.200.27:443
181.110.239.26:80
181.143.101.18:8080
181.15.177.100:443
181.15.243.22:80
181.16.127.226:443
181.164.227.212:80
181.198.67.178:20
181.199.151.19:80
181.211.130.109:443
181.29.101.13:80
181.31.49.178:80
181.39.134.122:80
185.129.93.140:80
185.86.148.222:8080
185.94.252.27:443
186.71.75.2:80
186.86.177.193:80
187.178.9.19:20
187.188.166.192:80
187.190.237.104:8080
187.242.204.142:80
189.196.140.187:80
190.113.233.4:7080
190.117.206.153:443
190.123.35.82:50000
190.147.12.71:443
190.180.52.146:20
190.252.229.53:80
191.97.116.232:443
192.155.90.90:7080
196.6.112.70:443
200.107.105.16:465
200.127.0.8:80
200.28.131.215:443
200.32.61.210:8080
200.57.102.71:8443
200.58.171.51:80
200.80.198.34:80
201.251.229.37:80
203.25.159.3:8080
205.186.154.130:80
216.154.222.52:7080
216.98.148.136:4143
217.113.27.158:443
217.199.175.216:8080
217.92.171.167:53
218.161.88.253:8080
219.74.237.49:443
219.94.254.93:8080
23.254.203.51:8080
31.179.135.186:80
37.59.1.74:8080
43.229.62.186:8080
45.73.124.235:8080
46.21.105.59:8080
46.249.204.99:8080
51.255.50.164:8080
62.192.227.125:80
62.75.141.51:7080
62.75.143.100:7080
66.209.69.165:443
69.163.33.82:8080
71.244.60.231:8080
71.43.69.2:443
72.47.248.48:8080
79.143.182.254:8080
80.0.106.83:80
81.143.213.156:7080
81.183.213.36v
81.213.182.115:8443
81.3.6.78:7080
82.226.163.9:80
82.71.157.57:443
85.132.96.242:80
86.155.233.74:8080
87.246.58.59:80
89.134.144.41:8080
91.205.215.57:7080
91.83.93.124:7080



```
#### Epoch 1 - Spam/Stealer C2s ####
```
<not updated>
61.92.159.208:8080
104.236.185.25:8080
50.116.63.9:7080


```
#### Current Epoch 1 RSA Public Key ####
```

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB


```
#### Epoch 2 C2s ####
```

103.11.83.52:443
103.53.44.20:80
104.236.206.44:8080
105.228.3.127:465
109.194.50.231:80
117.218.17.6:990
134.196.53.52:7080
134.209.14.155:8080
136.243.177.26:8080
138.201.140.110:8080
147.135.210.39:8080
162.243.125.212:8080
167.114.210.191:8080
169.239.182.217:8080
174.136.14.100:8080
174.96.5.251:465
175.100.138.82:22
177.230.108.144:22
177.242.202.30:8080
177.242.214.30:80
177.246.193.139:20
178.152.78.149:20
178.62.37.188:443
178.79.161.166:443
179.32.19.219:22
181.129.30.82:80
181.175.142.212:990
181.189.213.231:465
182.176.132.213:8090
182.176.94.236:20
182.188.47.206:990
183.82.100.135:80
183.82.110.170:53
186.113.19.171:80
186.4.167.166:80
186.4.234.27:443
187.177.154.167:990
187.189.195.208:8443
189.154.42.168:80
189.209.217.49:80
190.145.67.134:8090
190.147.53.122:990
190.25.255.98:443
190.25.255.98:80
190.72.136.214:465
191.92.69.115:80
2.50.4.159:443
200.21.90.6:80
200.85.46.122:80
201.199.89.223:8443
201.220.152.101:80
201.238.152.20:465
207.44.45.27:22
211.248.17.209:443
211.63.71.72:8080
216.98.148.156:8080
217.13.106.160:7080
222.214.218.136:4143
23.95.95.18:80
24.139.205.186:8080
41.220.119.246:80
45.123.3.54:443
45.33.49.124:443
45.55.201.204:7080
46.100.165.6:53
46.105.131.87:80
50.31.0.160:8080
50.99.132.7:465
58.9.168.7:443
58.9.168.7:990
59.103.164.174:80
62.75.187.192:8080
64.13.225.150:8080
66.84.11.168:8080
69.251.12.43:80
69.45.19.145:8080
71.244.60.230:8080
73.189.66.63:80
74.207.227.96:443
77.56.253.112:80
78.186.5.109:443
78.188.7.213:8090
84.241.10.111:53
85.104.59.244:20
86.151.202.16:20
87.106.136.232:8080
87.106.139.101:8080
91.205.215.66:8080
92.154.101.154:50000
94.76.200.114:8080
95.128.43.213:8080
98.142.208.27:443
98.144.73.193:80


```
#### Epoch 2 - Spam/Stealer C2s ####
```
<not updated>
198.58.114.91:4143
213.136.86.219:7080
91.205.215.10:7080


```
#### Current Epoch 2 RSA Public Key ####
```

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB


```
#### Credits and Notes Section ####
```

WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs as it
is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen

NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

```
#### What is Epoch 1 and Epoch 2? ####
```

What is Epoch 1 and Epoch 2? (updated 03/07/2019)

I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications.
Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller, more
rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen
to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group, e.g. going on breaks at the same
time period.
Here are some observations I have noted since I have been watching these botnets:

- Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
Epoch 2 document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those
being delivered in maldocs on Epoch 2 at any one time.
- Document hashes change every 10 minutes on both Epochs while distribution/spamming are active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Mondays of every week a new set of document download sites and usually templates to accompany them are generated early on
Monday morning/Sunday night.
- Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
Epoch 2 may have a document hosted on host.tld/B.
- The RSA keys will change every few months or so for C2 communications on each Epoch/Botnet.
- Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
*- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- Each binary has a hard-coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
via C2 to stay ahead of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00 UTC each day. It usually starts back up around 07:00-08:00 UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this
easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
spam template, word template, document type and even payload.

If I think of anything else to add or if anyone else has any suggestions, I will add them here.

```
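The notes above say the quickest way to attribute a sample to an epoch is to check the payload's C2 list and RSA key. The following is an added example, not code from this paste or from the Cryptolaemus contributors credited below: it takes a key in the form it is pasted above (base64 DER SubjectPublicKeyInfo with the 64-column PEM line breaks turned into spaces), walks the DER structure by hand with no third-party library, reports the modulus size and public exponent, and looks the key up against the two keys published in this post. The two key strings are copied from the Epoch 1 and Epoch 2 sections above; the function names and the `EPOCH_KEYS` lookup are this example's own.

```python
import base64

# The two epoch keys as published above (base64 DER SubjectPublicKeyInfo).
# The spaces are where the original 64-column PEM lines were joined.
EPOCH_KEYS = {
    "Epoch 1": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ "
               "0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ "
               "Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB",
    "Epoch 2": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx "
               "S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc "
               "hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB",
}

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption).
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")


def normalise_key(b64_key):
    """Drop all whitespace (PEM wraps pasted as spaces/newlines) and decode to DER."""
    return base64.b64decode("".join(b64_key.split()))


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_key_info(b64_key):
    """Parse a base64 SubjectPublicKeyInfo; return (modulus bit length, public exponent)."""
    der = normalise_key(b64_key)
    tag, spki, _ = _tlv(der, 0)             # outer SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)           # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = _tlv(alg, 0)          # its OID
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _tlv(spki, pos)        # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:       # first byte = number of unused bits
        raise ValueError("unexpected BIT STRING")
    _, rsa_pub, _ = _tlv(bitstr, 1)         # RSAPublicKey SEQUENCE
    _, n_bytes, pos = _tlv(rsa_pub, 0)      # INTEGER modulus (leading 0x00 is sign padding)
    _, e_bytes, _ = _tlv(rsa_pub, pos)      # INTEGER publicExponent
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return n.bit_length(), e


def identify_epoch(b64_key):
    """Return the epoch whose published key matches this key byte-for-byte, else None."""
    der = normalise_key(b64_key)
    for epoch, known in EPOCH_KEYS.items():
        if normalise_key(known) == der:
            return epoch
    return None


if __name__ == "__main__":
    for epoch, key in EPOCH_KEYS.items():
        bits, e = rsa_key_info(key)
        print(f"{epoch}: RSA-{bits}, e={e}, lookup={identify_epoch(key)}")
```

Comparing the normalised DER bytes rather than the pasted strings means a key recovered from a sandbox run or a memory dump matches regardless of how it was line-wrapped; a key that parses as RSA but matches neither entry is the signal that the key rotated or that the sample belongs to infrastructure not in this list.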
#### Community Lists ####
```

Alienvault
https://twitter.com/SecSome/status/1130907545290383360?s=20

@JayTHL analysis of domains
https://twitter.com/JayTHL/status/1130705185691590656?s=20


```
#### Credits ####
```
(OC from @JRoosen and/or combination work of the following)

Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL, @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
@0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
@Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk

C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
@devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192

Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
@pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro

Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
@urlscanio, @TrendMicro and @Virustotal for providing services/software at no charge to this cause!

```
#### Daily Log 05-21-19 ####
```

Again no sign of emotet to me today in UK.

E1 running as DOC attachment-only again; observed hashes drawn from anyrun and hybridanalysis.
Given there were 87 observed hashes in E2 DOC, there are likely additional E1 hashes out there.

After 250 URLs delivering 87 DOC hashes, E2 snuck in a DOC attachment-only run at the end of the day; observed hashes for the latter drawn from anyrun and hybridanalysis.

Limited updates to both epoch EXEs, 3 copies of 74k each.

A big thank you to all those that report #emotet, via Twitter, URLhaus, URLscan and all the sandboxes.


General News:

<>


REVIEW:
If you didn't already see it, there is a very simple way to defang these ZIP/JS attachments or links. Just change the Explorer association
to open .JS files via Notepad.exe. You can follow my instructions here in this Any.Run:
https://app.any.run/tasks/81503633-0f95-48d4-bd80-c83ec5c2b763
or you can do this via GPO. Here is a nice writeup on this process: https://montour.co/2016/09/group-policy-force-js-files/
I recommend you do this because .JS malware is very 2016 or even earlier and most users never need to run .JS or .JSE for that matter.
You can likely throw other extensions into the same configuration and @JayTHL had a nice thread discussing this here:
https://twitter.com/JayTHL/status/1126204098670411779

Email Template Report:

Generic templates for the most part, the usual body text listed below.

Review:
What we know about the threaded templates/reply chain: (changes are marked with *)

- Emails are sourced from once (or still) compromised users all over the world.
*- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
to the compromised party on or before Nov 2018 until at least March 2019 (may be up to present). Also have seen emails going
back as far as June 2018.
- Now on E1 and E2.
- Now seeing German-based templates that are essentially the same thing but in German.
- The injected reply is usually prefaced with the following:
"Attached is your confidential docs."
"Attached please find the wire transfer form."
"Thank you for your help. Please see the attached."
"Load instructions attached"
"A printer friendly attachment is now included with each email."
"Click on the attachment to open or save the printer friendly version of your report."
- Both attached and link-based delivery of the maldocs/ZIP/JS have been observed.
- Attachments seem to be in the filename format of *_Month_DD_YYYY.doc/js so far.
- The link is customized so that the display text of the link shows the real domain of the spoofed organization.
- These templates are pretty limited in run and not very numerous.

Link Regex Report:

Regex directory patterns

E1
*https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)
https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/
https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/

E2
https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
*https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)
https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/

NOTE: If you get a lot of false positives, try adding (\"|\n) at the end of some of these after the last \/

These Regex patterns are to be used experimentally and at your own risk but they caught 95%+ of link malspam.


Payloads Report:

E1 emails would seem to be attachment-based only, no sign of active URLs.
DOC hashes above were drawn from anyrun and hybridanalysis.

E2 emails: about 250 URLs, and that was just from two sets - the third E2 was attachment-only, no URLs found. DOC finished updating ~20:20.


E1 EXE - only 4 hashes observed, three were ~74k, one was 14k (broken)
E2 EXE - only 3 hashes observed, all ~74k
This 74k EXE seems to be a V5

C2 Report:

Combining C2 from all E1 EXE gave 90 unique combos in total. - recorded above

Combining C2 from all E2 EXE gave 93 unique combos in total. - recorded above


Closing:

I am out of the office for the next couple of days but will get the key indicator lists together.
@ps66uk

TT

```
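The Link Regex Report in the daily log above lists the directory patterns as bare regexes. To run them against a mail-gateway or proxy log, here is an added example (not code from this paste or its contributors): it compiles the seven patterns exactly as written, keeps the E1/E2 grouping so a hit also says which epoch's template shape it matched, and implements the report's NOTE as an optional `strict` mode that appends the `(\"|\n)` end anchor to every pattern that ends in `\/`. The sample URLs, the `.invalid` host names, and the function names are constructed for this example and are not indicators from the page.

```python
import re

# The seven directory patterns transcribed verbatim from the Link Regex Report,
# in the order listed there (the leading "*" change-markers dropped).
PATTERNS = {
    "E1": [
        r'https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)',
        r'https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/',
        r'https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/',
        r'https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/',
    ],
    "E2": [
        r'https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/',
        r'https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)',
        r'https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/',
    ],
}

# The end anchor the report's NOTE suggests adding "after the last \/" to cut false positives.
ANCHOR = r'(\"|\n)'


def compile_patterns(strict=False):
    """Return [(label, compiled regex)], labels like 'E2-2'. With strict=True the
    ANCHOR is appended to every pattern whose last token is the trailing slash."""
    out = []
    for epoch, pats in PATTERNS.items():
        for i, pat in enumerate(pats, 1):
            if strict and pat.endswith(r'\/'):
                pat += ANCHOR
            out.append((f"{epoch}-{i}", re.compile(pat)))
    return out


_COMPILED = {False: compile_patterns(False), True: compile_patterns(True)}


def classify_url(url, strict=False):
    """Label of the first pattern that matches the URL, or None.
    A newline is appended so patterns ending in (\"|\n) can see where the URL ends."""
    line = url.rstrip("\n") + "\n"
    for label, rx in _COMPILED[strict]:
        if rx.search(line):
            return label
    return None


def scan_text(text, strict=False):
    """Return [(url, label)] for every http(s) URL in text that matches a pattern."""
    hits = []
    for m in re.finditer(r'https?://\S+', text):
        label = classify_url(m.group(0), strict)
        if label:
            hits.append((m.group(0), label))
    return hits


# Constructed sample input (not indicators from the page): three URLs shaped like
# the report's patterns, one benign page, and one nested path that only the
# unanchored E2 pattern 3 catches.
SAMPLE_TEXT = """\
http://sample-host.invalid/en_US/Documents/12345-6/
https://www.sample-host.invalid/index.html
http://sample-host.invalid/wp-content/Scan/AbCdEfGh123/
https://cdn.sample-host.invalid/abcd-12345-wxyz/static/app.js
"""

if __name__ == "__main__":
    for strict in (False, True):
        print(f"strict={strict}:")
        for url, label in scan_text(SAMPLE_TEXT, strict):
            print(f"  {label}  {url}")
```

The last sample line shows what the NOTE is about: `abcd-12345-wxyz/` sits in the middle of an ordinary-looking static-asset path, so the unanchored E2 pattern 3 flags it, while the anchored version requires the matched directory to be the end of the URL and lets it through.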
#### Sandbox 05/21/19 ####
(all with fakenet and MITM unless spam/secondary infection)
```

Epoch 1 C2 run on 2019-05-21
https://app.any.run/tasks/a720cac8-b419-49d0-ade5-3e9a1c40f23a/
https://app.any.run/tasks/5a3ad520-0643-4d7c-a616-762fd07f517e/
https://app.any.run/tasks/caea02b7-8711-44f3-954b-8ec838862cf0/
```

```

Epoch 2 C2 run on 2019-05-21
https://app.any.run/tasks/221ca6b3-5303-4ee0-8d04-d09d72f2c813/
https://app.any.run/tasks/0aae5596-2f41-4555-9447-9d085d186e8a/
https://app.any.run/tasks/bca47fc4-5935-450b-97a3-a9cb7a84ead3/
```