jroosen

Emotet Malware IoCs 2019/02/18

Feb 18th, 2019
## Emotet Malware Document links/IOCs for 02/18/19 as of 02/18/19 23:59 EST ##
*Notes and Credits now at the bottom* Follow us on twitter @cryptolaemus1 for more updates.

#### Epoch 1 Document/Downloader links seen for 02/18/19 ####
```

http://104.198.73.104/De_de/BYLZNG4781296/Rechnungs-docs/Fakturierung/
http://128.199.68.28/DE/GHQQAE4843885/GER/RECHNUNG/
http://13.233.173.191/wp-content/BXROAQEY9168432/gescanntes-Dokument/DETAILS/
http://130.211.205.139/CPCVVB7382198/gescanntes-Dokument/DOC-Dokument/
http://159.65.147.40/De_de/CUHHAUAPJV7448870/Rechnungs-Details/Fakturierung/
http://159.65.65.213/Februar2019/LWCXWKUNAK6379960/GER/DOC/
http://159.65.83.246/FZGYPXJMA2476395/Rechnungskorrektur/DOC/
http://159.89.167.92/De_de/EHRMQNRQUL2815951/Rechnung/Hilfestellung/
http://179.191.88.69/WJTTRDL1480899/gescanntes-Dokument/FORM/
http://188.131.164.117/Februar2019/JDNQVNEO7659282/Bestellungen/Rechnungsanschrift/
http://35.176.197.139/de_DE/GHDPILMPSQ4188201/DE/DETAILS/
http://35.184.197.183/Februar2019/XCBJBUPQD4995786/Rechnungs-Details/DETAILS/
http://35.190.186.53/De/SKTAPCYQTR6199495/Scan/Rechnungsanschrift/
http://35.247.37.148/DE_de/BGIVSWSI9094709/Rech/Rechnungszahlung/
http://37.139.27.218/DE/BDMYARSBK2827816/Rechnungs-docs/Hilfestellung/
http://52.15.227.66/DE_de/MGDEZR5274786/Scan/FORM/
http://52.202.101.89/Februar2019/WKSJVQLYO7325225/Rechnungs/RECHNUNG/
http://52.66.236.210/de_DE/TAWMOAUYM5676668/Rechnungs/RECH/
http://54.164.84.17/De/ZEDLYG0772400/GER/FORM/
http://54.175.140.118/Februar2019/NFZJSULXU2729511/DE_de/Zahlungserinnerung/
http://78.207.210.11/@eaDir/Februar2019/XQCNETYKHN1099130/Rechnungs-Details/Zahlungserinnerung/
http://81.56.198.200/DE_de/AGWKTL2505139/Dokumente/DOC-Dokument/
http://admin.staging.buildsmart.io/DE_de/WUWKARPH2053485/GER/DETAILS/
http://agilife.pl/Februar2019/OTFLSOJ5769126/Rechnungskorrektur/Rechnungsanschrift/
http://awcq60100.com/Februar2019/ABLZOCK6541214/Rech/DETAILS/
http://bonex.it/DE/HFAPEFIFHT3691281/Rech/Fakturierung/
http://botmechanic.io/DE_de/BJAWTAW9909728/de/Rechnungszahlung/
http://burodetuin.nl/cgi-bin/Februar2019/UQSXLKW5998846/de/DOC/
http://cild.edu.vn/De_de/NATLJPVGX8112407/DE/Zahlung/
http://cityofpossibilities.org/THRQDXFN7136849/DE_de/RECH/
http://detsad-kr.ru/DE/WJKDVRPDX2185849/GER/Fakturierung/
http://distribuidorajb.com.ar/DE/SEZCOUTDJ0398039/Rechnungs/Rechnungsanschrift/
http://distro.attaqwapreneur.com/Februar2019/MAHFTTWU4194090/Scan/Rechnungsanschrift/
http://dverliga.ru/De/AICQOQUE6714139/Rechnungskorrektur/Zahlung/
http://ejder.com.tr/DE/ZQNHKR1331264/Dokumente/RECHNUNG/
http://fiat-fullback.ru/DE/BBTYHM4047363/Rechnung/Zahlungserinnerung/
http://frog.cl/DE/TKOQRFP7767529/Rechnungskorrektur/RECHNUNG/
http://fwpanels.com/de_DE/XTCQHGI2765105/gescanntes-Dokument/Hilfestellung/
http://hipecard.yazdvip.ir/DE/SMLBOT6236729/Scan/FORM/
http://kynanggiaotiepungxu.edu.vn/de_DE/BUSGNCMNM5925190/Bestellungen/Zahlungserinnerung/
http://mantoerika.yazdvip.ir/DE_de/WEQPIZLBHX6750052/Rechnungs/DOC/
http://missionautosalesinc.com/secure.myaccount.resourses.com/
http://mostkuafor.com/DE/EDHANN2408104/gescanntes-Dokument/DOC-Dokument/
http://mrm.lt/De_de/YLOAYY5488013/Rechnung/Rechnungszahlung/
http://newsmediainvestigasi.com/DE_de/MAXFHCKAR7348726/Rech/DETAILS/
http://nexusinfor.com/De_de/SBBHOFYW9696888/Bestellungen/Hilfestellung/
http://noithatchungcudep.info/secure.myaccount.send.net/
http://northcityspb.ru/MRFFHCACQ9991599/GER/Zahlungserinnerung/
http://satellit-group.ru/DE_de/VECMWQG0468271/DE_de/Fakturierung/
http://spb0969.ru/DE_de/NTXNDMPDA8611041/de/DOC/
http://supportabc.xyz/De/RKJYJMUOS8480718/Dokumente/Zahlung/
http://techboy.vn/verif.myacc.send.com/
http://tych.pe/MXKHPBKMDT1868929/Rechnungs-Details/DOC/
http://venta72.ru/SGRKGTJD9577207/Rechnungskorrektur/RECH/
http://weiweinote.com/LTBKFA0017321/DE/DOC/
http://wp.berbahku.id.or.id/de_DE/UFEKRWODEJ5915731/Rechnungskorrektur/DETAILS/
http://www.aemo-mecanique-usinage.fr/BWYBZL6197494/Rechnungs/DOC-Dokument/
http://xn--90achbqoo0ahef9czcb.xn--p1ai/De/GMDUJUPLUH2801383/Rechnungs-docs/Fakturierung/
http://xn----dtbicbmcv0cdfeb.xn--p1ai/de_DE/QAPGQSYCC2946215/Scan/Fakturierung/
http://yushifandb.co.th/De_de/TMJSLPUHS2572234/Rechnung/RECH/
http://zprb.ru/De_de/XEUWGET8456947/Rechnungs/RECHNUNG/
https://agilife.pl/Februar2019/OTFLSOJ5769126/Rechnungskorrektur/Rechnungsanschrift/
https://cairnterrier.in.ua/DE/XINLADBU3186389/Rechnung/Rechnungszahlung/

```
#### Epoch 2 Document/Downloader links seen for 02/18/19 ####
```

http://103.11.22.51/wp-content/uploads/De_de/MFNCUOH4242924/Rechnungs/Fakturierung/
http://104.155.134.95/de_DE/PHRJHNS1706006/Bestellungen/RECHNUNG/
http://119.254.12.142/De_de/UDUAGTZ8720587/Rechnungskorrektur/Zahlungserinnerung/
http://128.199.172.4/DE_de/SBWMHZD3362582/DE/RECHNUNG/
http://128.199.207.179/De_de/XAQWGLP5525711/DE/Rechnungszahlung/
http://13.126.28.98/de_DE/ERVBUB9959354/Rechnungskorrektur/Zahlung/
http://13.239.63.5/De_de/PTHJMWEKE6025428/gescanntes-Dokument/Rechnungszahlung/
http://132.145.153.89/de_DE/USZFAV9571004/Rechnungs-Details/Hilfestellung/
http://138.197.72.9/De_de/DAWSAA4214739/DE/DOC-Dokument/
http://139.59.130.73/Februar2019/GOQXXVYNC1427879/Rechnung/DETAILS/
http://139.59.182.250/DE_de/YEMZQWL7122420/DE_de/DETAILS/
http://139.59.6.216/De/MOKKBK2937470/de/FORM/
http://159.203.101.9/de_DE/XNTTSEBRUB9943814/Scan/DOC/
http://159.65.142.218/wp-admin/De_de/LBYFVB4427436/Bestellungen/DOC-Dokument/
http://159.65.146.232/De_de/JVKBEGN3447167/Rechnungs-docs/RECH/
http://159.89.153.180/Februar2019/KIGORQGG3636393/Rechnungs-Details/Rechnungsanschrift/
http://160.16.198.220/De/AQUUZPMII3442933/Rechnungs/Fakturierung/
http://162.243.254.239/wordpress/JKMTGSV2656883/DE/FORM/
http://167.99.10.129/De/TWVNEO1831802/GER/DOC/
http://178.128.54.239/DE_de/LVDCUAUGYB6443381/de/DETAILS/
http://178.236.210.22/DE_de/VXLQHV3545501/Rechnungskorrektur/DOC-Dokument/
http://178.62.102.110/Februar2019/AUNPVURZA9802560/Rechnung/RECHNUNG/
http://178.62.213.188/DE_de/VLETOOSN3411887/Rechnung/Rechnungszahlung/
http://178.62.233.192/DE/IIGBOEF2759358/Rechnungs/RECH/
http://18.218.56.72/wp-content/Februar2019/MCUQNVLYB6133013/GER/Zahlungserinnerung/
http://193.77.216.20/jwzedo5/Februar2019/UGSIRFQS9041754/Bestellungen/DETAILS/
http://1lorawicz.pl/plan/DE/CUAOQJEB9148804/Rechnung/DOC-Dokument/
http://204.48.21.209/De/LTJPKWLIQJ3955553/Scan/Rechnungszahlung/
http://206.189.154.46/De_de/IOYGXFOS4586915/Rechnungs-Details/RECHNUNG/
http://206.189.45.178/wp-content/uploads/de_DE/BUEBJWJE6755100/Rechnungs-docs/Fakturierung/
http://207.154.223.104/De/MUDMLVMRE9635299/Dokumente/Zahlungserinnerung/
http://211.238.147.196/@eaDir/DE/FSGARB7511034/Dokumente/DETAILS/
http://3.92.174.100/DE_de/LKYFRY3430810/Rechnungs/Hilfestellung/
http://35.202.250.4/DE_de/CUEXGZE7905319/Rechnungs/DOC-Dokument/
http://35.204.88.6/De_de/QNXXBL2550799/DE/Zahlung/
http://35.232.73.116/DE/DSWTSAJ2444068/Rechnungs/Zahlung/
http://52.63.119.3/DE/WJVLFQXIL7243103/Scan/FORM/
http://54.153.245.124/DE_de/JHKUWXVZVW5112482/Dokumente/DOC/
http://54.250.159.171/ITYUILQHPS2527864/de/Zahlung/
http://82.253.156.136/wordpress/Februar2019/RXZOTII4866226/GER/Rechnungszahlung/
http://alainghazal.com/Februar2019/PYORQFTPOS2153499/Rechnung/RECHNUNG/
http://allaboutpoolsnbuilder.com/Februar2019/PKATHTY6838758/Rechnung/Zahlung/
http://aplikasipln.fharhanamrin.rantauengineering.com/FOHTDRF5995383/Scan/Fakturierung/
http://barabooseniorhigh.com/DE_de/LUECCPG5866963/Rechnungskorrektur/Hilfestellung/
http://beheshtimaal.com/KWHUYEGC0155327/Rechnungs/RECHNUNG/
http://buonbantenmien.com/3/JWRWSGF6549672/Scan/RECH/
http://carolechabrand.it/de_DE/GSEPXGJ2403092/Rechnungs-Details/DOC/
http://cashin.ca/Februar2019/SPGLYDBXW6053074/de/DOC-Dokument/
http://decorinfo.ru/De/JKDLFMSWI8662303/DE/Zahlungserinnerung/
http://eosago99.com/PSAMJW1792232/Rechnung/Rechnungsanschrift/
http://ewan-eg.com/de_DE/HIUDFO6011424/Rech/Zahlung/
http://eyestopper.ru/TKYVBPI8437659/de/Hilfestellung/
http://further.tv/DE_de/LGYBBUEKN1115866/Rech/DETAILS/
http://galeriakolash.com.ve/De/PECCOV0210662/DE/Zahlung/
http://galeriakolash.galeriacollage.com.ve/De/NHZOESIUOR0344688/Rechnungs-Details/DOC-Dokument/
http://galinakulesh.ru/De/ANKKROCDIT2353710/Rechnung/DOC/
http://groundswellfilms.org/DE/IRWIOMG1185760/Rechnungskorrektur/DETAILS/
http://helpdesk.lesitedemamsp.fr/de_DE/WQBBQPHN1301557/Rechnung/DOC/
http://hifucancertreatment.com/wp-content/uploads/de_DE/BSRXYIQAH6181297/Rechnungs/FORM/
http://hourofcode.cn/De_de/WMUPSXLK9917373/Rechnungskorrektur/Zahlungserinnerung/
http://idecor.ge/DE/XMMMRMPJZ4243628/Rechnungs/Zahlungserinnerung/
http://ingramjapan.com/De_de/FCDVLUUVGM0238569/Rechnung/RECHNUNG/
http://ipnat.ru/De_de/IFNOTCYMM5341168/Rechnungs-docs/Rechnungsanschrift/
http://istratrans.ru/De_de/NLYWTFWPQI5623799/DE_de/RECH/
http://kanyambu35.co.ke/De/CLWCXLVHSR8056391/Dokumente/DOC-Dokument/
http://karditsa.org/DE/MXIESK6756803/Rechnungs-Details/Zahlungserinnerung/
http://karkw.org/de_DE/QMICAF5230385/Dokumente/Rechnungsanschrift/
http://kgr.kirov.spb.ru/ZYYQSI0013717/Bestellungen/DETAILS/
http://khobep.com/de_DE/DDJRDCWEP8029756/DE/Rechnungsanschrift/
http://kostrzewapr.pl/css/de_DE/TDXIKZH6760304/Rechnungskorrektur/Rechnungsanschrift/
http://krisen.ca/De/ZVHWKN4733448/Rechnungs/DETAILS/
http://kymviet.vn/DE/EZDLUNRUN6131816/Rechnungs-Details/DOC/
http://kynangbanhang.edu.vn/De/LIQUOO0102956/Scan/DOC-Dokument/
http://laylalanemusic.com/Februar2019/HYBBPW0603269/Scan/Fakturierung/
http://liketop.tk/de_DE/WGWLYMN2720375/Rechnungskorrektur/DETAILS/
http://lionabrasives.ru/de_DE/BFYMRX9182365/de/DOC/
http://matongcaocap.vn/FUFGICJN7853536/DE_de/DETAILS/
http://mirkma.ru/de_DE/VVOLSVIL9729357/Dokumente/RECHNUNG/
http://napier.eu/De/WHRKVNO6175983/de/DETAILS/
http://noithatshop.vn/De_de/XRCCGFKM2305539/gescanntes-Dokument/Rechnungszahlung/
http://portriverhotel.com/css/dinpro/En/YFtq-11q_xCwzU-Rq/
http://print.abcreative.com/De/SONZEYFXJ6721894/Bestellungen/DETAILS/
http://stemcoderacademy.com/DE/VQUILFX0406115/Dokumente/Fakturierung/
http://tekirmak.com.tr/De/KCRBCU2888095/Bestellungen/RECH/
http://testcrowd.nl/DE/LYKRPNFHZ3597305/Rechnungs/Zahlung/
http://thales-las.cfdt-fgmm.fr/cgi-bin/de_DE/HGBRXR0176258/Rechnung/FORM/
http://trandinhtuan.edu.vn/De_de/NISYRS5770062/Rech/FORM/
http://truenorthtimber.com/de_DE/GDWQWYRJ1104890/Rechnungs-Details/RECH/
http://webnuskin.com/de_DE/LVUAKDIXT4378740/Rechnungskorrektur/Zahlung/
http://weresolve.ca/de_DE/QPTCOWC0822892/Rechnung/RECH/
http://wordpress-219768-716732.cloudwaysapps.com/De_de/QGMZIZ7416457/Scan/FORM/
http://wpdemo.wctravel.com.au/de_DE/KSJTVKDT4906944/Rechnungs/RECH/
http://www.cbmagency.com/de_DE/QBSGHSS9028403/Rechnung/DETAILS/
http://www.difalabarghoo.ir/De_de/UMKZAQYHN9698380/Rechnungs-Details/RECH/
http://www.dkstudy.com/Februar2019/VTDXDMEZW2724842/Dokumente/DOC/
http://xn----7sbb4abj9beddh.xn--p1ai/NTBKZKEVG2036428/GER/Fakturierung/
https://carolechabrand.it/de_DE/GSEPXGJ2403092/Rechnungs-Details/DOC/
https://lun.otrweb.ru/De/ZXNGMWN0894915/Rechnungskorrektur/DOC/
https://noithatshop.vn/De_de/XRCCGFKM2305539/gescanntes-Dokument/Rechnungszahlung/
https://tischer.ro/de_DE/IIYPFPERH0105487/DE_de/Fakturierung/

```
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time 2019-02-18 18:54:00 (DOC Based - ENG - Unzoomed Indigo/White)
SHA256:
3b81a6184ce2017074d8c94ade45c371c220366419298aa65012d180f871b694
4362000df249ba4e48f665758841249f6cb213654de7b91c8edd00e28ab654e4
a2c1f7aae555ab418f17ae41731c9d31d90e39c9f8a5432f0c571b7115eb4800
c8e3d3f791f1d149f60e5a68fe1b1e01f45ba9f9b2085fcee7541d625e2a5d18
c3fadecfd5653fc05a791e6c9062a3a59329e33a48e77a5cc735364d01724485
4a5fe09fd3f776a86ecdbfdd0c6fe9abfd962a16444ec8bdd2dd03704fbdac6d
8522b822e93f7750895192ecc2744c9d57cbaa2092a49995c2436e20a4becf82
8c1014a7146825699082898e9e410e4688baeb4dbc86989541a6377994a6996a
fd9c717c8349d58257717d05a764b81b81de8c6d475267a1659b065d74bc8e57
f39200b358da45b38abf8ac8928393bd15e2aa98f597e969401515a299e6473a
2cc2fbcac3c4262c49e3ad49903d4e9ebc5fbaaf9a2ad65ff53f808380b70a12
36a10ae120c5f992c9791ce301c7ad1bd6adb39a96ff78e4a9d15bd46f76d866
0f25037f951fd8f0f1c2f4b94ec84d3aa8daa3f7d5774056136769ecb800dc6e
89d61e33ab819e39299ed9c566756456c0b41453709ebcfc0cef19b42017b644
335b40ff58a6cf92f16ad95349e2cb9dc42d71654cebaff642fbbc168749bf26
915328625c1a42adeb1bd8c6305d4b93a2a3f652fc635f31f21555aa5d003a17
94d5bfa9a461d2a11cc9e56b38febd9c3073cf66098db078fa000995754d09f5
20d423e1f46d22c1053227ba3be6628c75e1065b698202b21825869147aa30ec
069185a0da074e0ece155c5cda364e5092b2573131fdc2c95002b18c44937a1d
cf567994cb7b1ff5df6cd35d4d14b6eaa91510494d3c84890d92502c7b77d3f4
106b4d87576a07cc74f8ba9519d9730b50dc7309e69d0e7764822af981d98e61
9d9220fc117afe407cf46164624a275f181cac8f4601abb44b6491ee2bb8e87a
c0806a25e475218e8f10ff200b7c7d8db7717649fe24a5f2fe42e377ecb00eae
51f8683c6eed0994818e4c409a4208c0885edcb4815e85f7a0804d14de46cb88
2ee653e0f34bbcf45c9ffa11d530ee6428d284183f0ba10d8f70f1cb370e0d5e

http://mediarox.com/nozFMMKz6j/
http://bobvr.com/ciww6cO/
http://clipestan.com/mJPjii8pE/
http://ulco.tv/1v7wu20/
http://keshtafzoon.com/h6HzOs2uog/

Creation Time 2019-02-18 14:23:00 (Attachment Only Doc - Eng - Unzoomed Indigo/White)
SHA256:
9e17edb77fd3577752dfbe1cf620166845c80ad7f3e92531d2795e8c81043dce
bc088045f8df0ec71576d5477c67b08e89ea13d899b25551a85adc8f805db672
7f3543a745ae3840da1ee4f03f4ca111d6530806ab0c07fabd5ffd02dc678d73
88cd332b15627991a0e6f7a580a9580b8d30c9fa083aeb80dc2354e940f716b5
a42697283e06bddba5f1ce5cddf7033c19b611f3169ba134d2a1f0781611d68f
bdfb3964a30b73108f8a2af6c99acdc4a092a6ab46006d300f02b541ca22b217
62417bd47b26b8e0b1883bbde76ef5501c2fe61ebe6ae3266cb5289aafafa324

http://139.59.64.173/GNsd8HGbEt/
http://118.25.176.38/spLxFZDWCy/
http://13.233.31.203/pNuYMISS/
http://allens.youcheckit.ca/yVxEv19/
http://13.126.61.11/7yxtlsVP/

Creation Time 2019-02-18 10:15:00 (DOC Based - ENG - Unzoomed Indigo/White)
SHA256:
9327123f9bf1a583efe9ecae72802c0707f0992e8443633b24d17d0277a08c9a
4db8c7a64afa55409a39042cd1ba8561230da23185f0b62a6e2243ad3efef4be
cc2ca1d0f51e45f8c49e709add3452d84db22a415bfe06f059169fb4f0b01c86
728ac6a6ecc8cb0ad93c31e9ebaf1693fe82875f1112151e6ae08c26bb723d07
ecb3d2f8fbf5ca7a38e9dd018c3004c734ace8863bca8daf0a902fb249fa376f
f2c0f1ec9013ae3baca86e3f15f5983b80c848ab422949d52fd8f9f6d7123fb8
b047d63eaabc2cf33fd6bf7a49d0139297f187031731e53e08211e097e512ee1
4b9905dadf4bb37fdca57b47c5ee0369405c8141b8e521bdd55da9a5349a328e
aa6b8c7b973b399e4f97c49c7ef5220e17cec0866dbe4848517268a743655040
0f3476de027b81a6adcaa1292e94ffa25b5f885d858c5f308f96e16d67f23eb7
a8828feed177a0befa7ece8b0117a4353ecbcedeabb956b64d440c3722e1b314
ef630241e2ae54cd95e605ee352385172ba6b8955a662f0364ae0dab16ac7db3
c312058ec1d7c3f314a94b6e0afac2f384460cbb76a78c573ce94ae87aeda5f1
074efc192d48350c8a51391ac76d7677eee8c8bb964434b4e66632fca344d0a4
6abf3e704bfcb0abba645a48479ae42a3ff566be8b743c544b1116f22aa1a134
555f375a68280e8741675857cf6e3620ce754acd058377a65b93640911ab4ec5
fe38b34fcf9a39f3f5e382c53148a210c63f45d5185f6f353390f9d21bb12d8b
e6c61d411dabfb3a2abd81ea36cd40138c8c48a18b832580ac6d5d60c2366a82
553ee2ce6d47e651311ef3474dd28614352e96299a05e960920bf5d33de1c0ca
10c67c350aeaaec9a1de095dfb31aac0fc72afab36f9e8390005a5ba4748d2b1
7279c31b5e13aee7d9e0240495ab1ea5bc7b141ea5fbc3c1db3ef13e6968bc4e
798de37142e18c06bb76958382e3708505a2e47fecd2679851f4b0b1e8c687a3
a27a49dcf93b29865290b7e3301bec0cd3210158dc8f1521c6ab7c370c1b7e5a
64092e6d7d199e295f371f250a5c54a140e65a4e34f8e50c1a2f7fb7e4ed644f
c87e195036157d7a628ab1c6a99248d88d2fd128bc2d4853f9eb7a6070ad04f9
6271e9f0a1f2d4bbd6c6fef2b7823aa180ab68eb93676a33f55088deb8169746
4be4a46ef25e71de87371345da22d043385a72a479adf2ed56326cd69b2d500d
923895d1e2d057846792929ae2ff2e9925b91b2c908693347308e8423c48e642
9fe817eb63df61efdbb8c94488f81ac251643dc4209c07356b353f86eac7a16b

http://bazee365.com/v59HxZy/
http://giancarloraso.com/xwSiP547/
http://13.233.183.227/5VfqqsmV/
http://128.199.187.124/v35hrbFz/
http://104.223.40.40/8CqRIJhG4/

Creation Time 2019-02-15 19:58:00 (XML Based - ENG - Off-Center - Light Blue White)
SHA256:
578109d64ed9c185e12a5d4c83f3059c34cf1ea61cb77e4ec1174fc25d186153
45afc9f4d53e3fbff96f519bd65b02a363a211883f528affadefa2e52f082ae1
69e06a409da3594ed4c019fde55ea24dfbcaa0fcb0c565ad67045a9e95e4818f
01b02b129fd2922c3f95341380a56f59d8d66cc1182e1e8806905bd98bc7cae6
c848b029189f309e69a7f761d8d444c90c51554539556bb3980273fa7d77a12a
4dc383917b808055b3f576594ea71fabdd1841eacc252aac3976dba7abc8e351
7a05499c076f56bfa443af34459ee61e06057d5f33aa3e7d16687347b0208a7d
c51e3d1c6f2b10da70fa41348cf2ffe32d9b867bf113b550d9cf00e1ad03d3ad
ad646e6a26b647c69c4b917b20f9335dead13f9d24cf79b920014e2a90985934
ce954101718414a6515eb603c2a09e99631cdd1e4acdb33cf73fdc13d441daa1
64ff57f6b7796927713bfdf8140757b4248e0c0972126b0cce662ebbfc8de9c8
616f316670f9fcaf0f768b829a51c7289b390da7a90ae3856333d2c6e5219140
af22751ee222f7fec37e1630103aae36c78ca3a91f7bb98e080960d92e678b07
c956ef818390cb2697c089e1eb8fd0e002201a2e2735b2b286e42cfe155b0a8e
67c0bda6446b4138ae36e17b5e72ee8c851fc6e8e4b4061403086c503738d1a5
96f13308155b96a6f917b12b813b34b0575e30016d080cb5175920a11538fe8f
e8a365e79f424b70afaf0d814137e62ee618d7886f90f14013d8cd9367cd3a33
317ef73ee5154bd08d6594b2ec0ad0e1aca1afae8fb2b2cb2cb14d780d3daa20
22ae5c6e60f38d6c1a03b80f03a48b4a40c0e8f20805a105ef69e6b01f07b45e
f9d014f5a743c882181dba1fb4076fd6def1f781916b07dae29f7c462e86b041
f803f65f511bfbdd34e622c08cf3d3ce5fe8d8a3921a2f9e469a3a25f5177436
1b0e74a2428e0658349b91bdfa1faf0aa268ead29a31d6f664f2b0dadfb9a29c
1a6342aa6a54cf5fadfce1d87f53798968f7c1a9cab190f9a72f28a2de876813
80a07cb0ec7e186a444c9848f53909e96de63eb4083b4a764b2654b9d661cf35
d0fb8300180c5ab257a79b5cd5bcaff81a2ecf535c067913bffe59477bfb0036
8b5c1d8ba88f090f1cf161a918b08e550e0d9efc0a59a26311b5d37420cf9474
d4984651bbc1b31745ba052b58e4a28779a041e902dad1a7dbcee466ca32a629
270a6a024f528ca7aaf896af939d722ceca1801460af7e7851b441f4ec990cae
a98d0840d8e56233527d8a6bc89f5131655cfc6bad53c64703c54347d0e51650
7c7137011ffde45351b95b324cfa5302ffc580721672e88c79cddf62ddeb10e9
0f7774ccc170235a1b006fd4395166a7786b0e8f9f4a87e20568bb317909cec5
b1f8014308b3d44eea52d71078b4d8d8c00bc77a39e90dcf85453f5220d65577
e48ebb4422f4feaf82849e16b561e151426d8f9de7281f60dc81ea7206ffdeeb
66e662873a8192d26208880fdb622e8d7774bf6670e90a4db92a0745bf376ef4
f231ed302b729be363c90c6d2e1759ed55eba9a10cc89c34d2224eb6f69f9968
318339f86a202cdaac198784651b9be4915fdeefa9fbeefe75f94babfe6c038d
efdc800a7bea01fe83523a9136685a053c61db0287571e0d012b018f0e3aa6b5
795232ca3eaf96e9f9de4e70eb39ac64df94c420e0f836f09b80713af626084a

http://rhlnetwork.com/uuf31PTan3/
http://eventcherry.com/EPRpYDL/
http://themodellabel.com/QByaBRWa/
http://128.199.172.4/J1EuGgi0sx/
http://207.154.223.104/sycTwoHI4/

```
#### SHA256s for Epoch 1 Payload EXEs seen on 02/15-18/19 ####
```

46808114a806dacec162366d36206a5f3e425dfb61cd1d6bf5a1f4c0c5e91363
cdb6dc50d0517c13b1095e7e82f7e6d9e33dbf12672f6e7ed3fdc8be6a8323cf
a84ae4bc1a6fa76a67dd6995bd469e41f6446fb21fcc20d67746bb04d7f7abfd
6b410b75b456ea12c18acac5c89f31c9b07e59896613110319ff796368aa6144
b373d06a65e65b3565d92e062ad5e52d317069da13ca70e09074e9caf8498714
544db4789f522ec9f08dfb0e33224a3dd6c8bbe6f3fa7c8bef659403bbb96576
9381b2d75175c7395c277f83b5a3573d4704168890ccf16e4feafab943f0ea1b
b4dad139fdba8fc54f1ff643430fdef27ee4ce51b3e326f610dc5abbd4dcc64a
d00d62fa995facc808f552a1deb3e13f21a59e89946dff8aebd4b0f25f21b859
c17d275d7f5ce7bd03a39a31394b9787c57ad731d39ead52b2d339966cfb5846
1d3dd85f2301227dbe75341bcaac27befbfa6b69aa6ff3048088cd1efba17291
8b77167c3e564c5aa43c37773d51ad4700642bf6a54ba3f1065f4f3314b11816
b16fb2215235cdaa02f7f66fa9e711739b6fd5f73c4796330436bb8c9dc2dc5a
015f83eff8d862d994a08f37bfb4699be86a7e8d465099596454638031d2d4e0
4057b05c514362abdf70559761f2da4a31ed049b746053898eebbb1f55d077c1
01da7bbc931a6172b0ec7b97735e8cdcde2581e9ded992fce201d76517fcad0d
77f3f096bc7cdd196d7cf9cbf92b0319929efa2802845d5574ac66f694e4c3a6
c84aff2215c1e48cc94cf4be565f36cf7cfdf4bd62b8d2fcf4f5da3302d497da
18899a91a5b65012a7b8f60917a2abd1c11132951d1d8cf884e2d9b927c1a337
55a3258c1a2be0d5cc4925eca482237206c28c2b375f2d7727d4e1b9c020caae
5f061017bfe9869f3d386649773ea3c88d2e9e4e4074487bf94d3ce6f7c5152b
fed0cfcc60897e8b59670b63d911c4c8ec5ca7f134bd11ccc11f52d507cc9a48
cd8a017f7b1838619dcbe44127b259f7d72c9bd05d8135be612c55322dad899a
f0b1efed74269ae08e2c6416a8b05a953f1f21e87ae84d776338373c27c7bad4
e4e4ed3d6288ace0a684f7e6fe12ea951257d5be11aa5fe15bc0ab6fd457f5dd
fd10b6e6a4f13b699fdb1c2d601aa11fcfd9c24679321f19d0c23a8b5adebb7a
7ae5d64627fe55da97d982f55f9a42f23d8821dcc6de00341494aa4ae3bd15c4
8f58b91ac8ecebb19e23dbd5b8ccd2dec28f155de7f29906867dd06dce506d69

```
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time 2019-02-18 18:44:00 (DOC Based - ENG - Unzoomed Indigo/White)
SHA256:
4bc0ebf4e04816770e0176a8f1ba04404a6d8b09150d21bcfaf3387ffed06606
ead6c49ec05dba34fa1c58c16a3dcb0e9c3e88691484e2342f08d4e771067299
0349453748c3c3fe4631e5c17665a702f7ca1ba8cc2c7508a91d686e17d41098
ea023e24f29e18264371462259890bd180aa09750a269a88bbc63d3da9afbf06
6f52cc28f5b7d356b6a0876f2d4c2fc0696030a17be6d57be4e7e3fba07cd9d3
1c34eb54a94f3345af1c8834a4800acd656f25efe3b671ea1d015d2580065235
4562e65b2403fa04415f430187c09746fde41f570aa8740ec7402a17b7715510
7e7d214153af23923f9b130a044a9134f0168005495d59354f5179b5336846ef
4392d56f6bda858b04d0a4cfe1112fba4a80c56bd916618b804e02b703465dea
c0bf04a6c64c8f49e02154e39d8955df3f31753d29448e74524dc59be5da0027
fc35dac8265fee007fc1ee7006d322c8d35922133235641a5f45afb43b2ac123
c535ec10efe8d02a81a11b74ad99db24757eccb6dd6754f6740989bcab3c5e95
a669d932abcd7f26520d30e00454181a843f5508e589b92b5b3ca482d39b518c
a09c3994381170f1617a543772fae618a6189aa4b39836accea08bc253b51d2f
bcfdfdd35de7480138580a5682fad18d187988e7950acb9d9e8ed4597a88938b
91dca635727dd1e0ddb5ac65c13c6febaba75ef30cc5dafb804eabf13a12cd38
ae93a9504c927d519d64ce6863ea63a9fe1b6d6c89f195c8076b3f4a003e5c3f
88863e1d3d557ee78bf2b3463bbb321241c85dc98dab599f15f7ea138ce88eb3
ad850a4f112e44061a48f9dbf4a3eb1e9862e15c1707157f6f235a3a37b56977
b64b748acd4e8f68f52265b45208deb68082482d538e73c2feb9bcf3245e0531
3c752d39725f5e49b65d57292fd3ffa472f8fce3417e5f2fd1e617b6d5ee4814
7cd801017bc12a450adade03af17c6673e45b29aa796071b3969eb3227900032
ba5f4cf8e85a0010fc33022e6c32c49dc5c1abc4d776f1e8ac8d5374dbd6fde0
f4fe9493460e5392b666177032780d2cbfe9f0b9a8547c9805a02b2f24f1fd9d
0946a30abd52ef463b6a390efba6595d2a7917df95d3739df77e3ca57d1ecc8b

http://serhatevren.godohosting.com/postureview/5Dh6609/
http://mak-sports.kz/NhsgZulkV4l2Xmd9/
http://cngda.tw/sYnlclNQk_k/
http://demo.liuzhixiong.top/l3z2JeDP/75NVhl2Eh7p_z9Qg1a11d/
http://embrava.eu/8z6qORzu/

Creation Time 2019-02-18 15:26:00 (DOC Based - ENG - Unzoomed Indigo/White)
SHA256:
b93c3fb02d9c19f6713e50182b4314e9ba58335471692d895400967146ad7f62
0a091593757cd2d16b4ca2ed1806b73f1222f4367d6d78e0df8ee98c247ef1f6
95752e532069069044d9698b009ed535e76e5cbff27c97eae8900401c356972b
ecdd3d89feb4d8293e35ce74751f13b477410bef9f1187a2c1141e2a41d8aeaa
2c4e81086a66b36a10f9f68fa97d8afd4f44f99b6b3015c168e31704006d61a0
69c671f831350e0bbe67380f2fe91561dbabec89d5dd4ec9d9de25c07d73bf0a
d7d25612960118eb311c2c86193e3c4f41d1924640a6458fd7d24b84e1884be6
0966f1271c4cdd0f66bca3520ffe406d4ba14aaa06a7b14aa505c78958fead20
52a1a1863cc969cd93d48371e9d24e59cb691a8442477a4d8b1c25c51e71eb13
8534f2b175d35171ec2b01b22f001808e2781980de552ecc830b1cc21fdd0890
7e99837960820dcc7b4951c6aacd3f9ab692744a3eb2302992cea8908bf0702d
c70695255812827df20d94628798e650dfd13d97423b85eebdf401ac1f4de20d
ee1ff0182bc19d430e12a8c88b8a9216e9dc41c8bd055f8d633e4cca8910dff0
a2433c8330b53367c141db68212f3124e317a356f9749429a9ebdff0258f2d02
0b6003563af9034d9a22f96adb0559f04b3753d0d4d9e6e76dd49504a427317e
27b0bd35f9ee7752e45d40707a3a777d20c8563e7067007101ec8de9d1c271da
7c6a02a0103d4e4c2f129ba65123d40f740e71160eaefda43e83ce5e9d5ae6a9
265a6869c2a2f0b3f35b316eda5e78492ae2a574530c39a1673845245a342d67
97dd1f132ad86b0e77f401be2d6837f86c0148c3ac3c0a9c1e864cc1ec4b1367
7701b8f968a514855a7d5fc3cfc808b10740a52ef3eb50cab1d63d242f17eeab
d5bb7e88819c34201dc60d6e5d1c5f996912da15858150d7b2e58835145b6613
ce52297ecfa43e2037c8c3e766c996ac0699a49b86142963e315f07b87e5cd54
031ea47fb91a8493c6db77073bae2815a4b0b7a2c29fbab50d719bf5bc311dee
ccabeb049a502669840889f0deb0290a4b25bb46fc78c2cba581abc56abcaafe
50e4b5836ca54dfab84057364aa97005407a31ab85246d8c5e2c31a4246f8604
dd5dfce28a80c5539d96c685ab3457f8dacd40cd4eb616268914861242ead8ab
327c64ca7348a0e2e4651a332776d10216cd77f77761766a12094cabe446ca4d
2a1ca1f2eb72dd935b9ae4594eb332d9ee7363b70f1fa40e6b3a1a4dbdb44e1f

http://tolstyakitut.ru/o0ElrRO0W3YrOg/
http://tattoolabmaxakula.kz/7644n6N6iKSe/
http://www.timothymills.org.uk/E0oKOa0DyCN6/
http://navigatorpojizni.ru/ZrEoOhqkHHmLY_OnadByEhs/
http://fenichka.ru/nh7sQadFRxH9/

Creation Time 2019-02-18 08:21:00 (DOC Based - ENG - Unzoomed Indigo/White)
SHA256:
2dda30d522c1b72d38f8609a3bde18de25aa57ad7ba7d90cffdfc0db5cf6e977
a7ce8b9bba9d84d7de6962015db1570c899c6992eb6de6ce21ccd17ea7fb0751
380111d3408eed7a855ef759d4304570286eb4478d35b0ad1f35cb17b853b353
966f140946cf716697fdf17810b05a50a6141ea10a16a87136f18cad063f017a
ebc532cdc9efeb2d1cc69c05df9cb8eda527dbff807c3e4f28d78883c60d1640
f3766de981afc0094e4612818e204d70beea730a9ede6174dc07a8f32cc92932
1328ac0cb151437871e7f39f72b20c13fb9fc292adb78054f30a8f958404e4c6
d838f3722647cf9a8729ce91a19b10ddf0db61da173593e75fe8e6d8eda7ef55
04f224b5481bfce2fffc81b988cd4b29dde212a1a542b6180a72400ef1d4b506
955bdc9464d21e2fea34bfa53bd601ea1becc630f8d5d54e47ebc286dbee4163
9038fb2028a55402c5dc3ca642d549423d57f0f272561151890d2e0a7c2020fa
57759d00713be2f0231595b5eb6afbe268895f7e0c9de5130c357b5f5f4621bf
1caa72377c62835653e1c1b062e418c62b689f8b6e600b739201a1300bae1bf5
329d3a228e0f1dc6ec487e04691fd956ff0342642728e4162bbefe7d023c7566
55a56fe6c486efccba6fbbdfdd5df7f30ffd0a64b4a0482a40b17c62ffcc1ee2
035a31f3e89f09e7a56b2b7ed29da67281fb6a2f565db4ef8c3e50687ad2f238
c3fcf10e8e956c1eda86f8ce64ba60dcdf799f0e029e4c74281e2648fbb68229

http://masjidsolar.nl/xMPn6P4SWc_Nor4jjjBg/
http://zolotoykluch69.ru/bzdDJhsZP/
http://mask.studio/Kv0yxkyQ34/
http://saleswork.nl/Hb48aHy9VnAy8/
http://clashofclansgems.nl/we0vzgRVrBht_n0msiZXJ/

Creation Time 2019-02-15 20:27:00 (XML Based - ENG - Unzoomed Indigo/White)
SHA256:
93675c4b5af94b1e065b31addd0b6aa99be51dc902896560a62bd8d87c30a9f5
4da1cf7ad1505f830de348c2e6b3e887dc9df100039666b3c94df38d9e9f132a
8082c4f56f1918bfc374e99f7c752084dd98802c32221a58c0bdab89fdec712a
59b25e2756ec3e2c0a30d5c82fddad232d138fc27c598287160b58dd185e22f0
2b2d6fc4b2c2c1cc7f3437a68ea4a53c86fe3fd59086844a45a178a7d66eb9db
8c1e2c45a9542ca5afd84eb96fd60498c3d8cf5b245b7be245a855fe671cfa8d
b7842825b5309e80b93452d0302d812f5ae4db552dfb9ee859065ee878c661f9
3536690140c70bc0d34f1e54ccc3e19529febe0ecac53120b7603688e8afe67b
e3034c6b354ef2e988570aa8a3852edf69d9b5106655b0416f8c695745dee1bb
3d2a105015f76f25982e4b7525df9ff95d0fcb9e6030d20a0de31435be09be3a
dee7a035c13d11cd62b85e03e430784c8bc82675c8c5bff1e2414f92d9cccfec
7ffd4fe72e26e0697e50febd61eeb68a8ac2082f6647804ff218e7e53a158559
13d37c13ebe92f998138f4953ef9fa3487ee94337ff3c6a7f618e01f2f9121c0
28c9ea98543527cd59aded6410c1540de3e092658690eb6911e18d22ffc46c5e
fad9aa6519064347dfcd23a81b2e6d3130ed8cb28a28f864c21f7816ed922e8c
7dbe3fa34f083a40aa32362e54ab0c7daa2a640c2a34d95fd931c40417a95198
469313aebde6e553b5075a77503377b1b336466fbc8d5ae410793434a552ff2c
17710c1404357c70866616eb1175eaaf5a5b48fc21e5c4f07700c890610741fb
2d16e7c225fbf5166db769a0edb7d3ef2815ed9402687d85e4934f28f8f5c01a
9904915a0e2796c3cc33ff1698cb4db6e66cbb12de617d5f4cda222e549928c4

http://tellusvillas.com/l2BOnRc5q_pGXL6RE/
http://markkellylive.com.au/nzB1yr7bR8Jf_VXGMg/
http://195.88.208.202/GkR3jnNg/
http://138.197.72.9/5jEtWZHLS/
http://13.126.61.11/qpA8kpDj8_rp/

```
#### SHA256s for Epoch 2 Payload EXEs seen on 02/15-18/19 ####
```

dfdaf3779f2be13c800bb3bb43e48a40c9c3dc4904471fbcdebb055dc621dfda
9a9eea500032b90d1e81ab867b6caa52b8cd3aa1fffd8819be147e61bf85af31
364d2a2d5f0da46ba889333ee7d3691d3a81cc690d30ddfd2a2374ba5afa2255
8a8b8095a0c6fb729338c8c476b6f2fc2caac15c77702d254c1614ba000ecc18
8da48899852a94fd11aedefd26ce8798278cae2ded960f95c5821392fa09e65e
f5c71a543d2d460aad11e09e9c60f2e6f08b4fdba44d0eefd5cc5355fc4723dd
edd83fa37a15535f80474933779e557811bdb4cf3617c9be4ab5ab3765d85cf9
f8cf3687e565d1afae731cd04e8db7cd31d07dd3d3444fc0776ea407e54cf0f9
c2e5a2b4ee295bdc133e8292d1f8293b2c1607ec390c3f993f1c1d93b49d3132
01b0007288f99523404d70dcba0e7b02569f1ba8417aacbcc02245a916f93f40
ea89e3691ccf870e0caa693237b66651bae097e877eb58a6587c1ea4ccfa9b50
32a5eeb6bff6b9ca43bce1f55556520dc7d00f09f813a177bd47215be087a266
26b6de5fb056c5e1d843a7907198ed22668aa2b39a49c336d247c17130119fd0
00c781bca14cbdb159d5cb744424e276210477b61397dfe6bce0dc3385d1427c
5791632648e3e754dc312d30a0333333c460ba4c1487e6dd7689b513ff617ef6
7e86db8250f6d09ee52a43193fc7ad273d54aedf7bf35ee0ef66f8ebf6009c7c
2d5ed25787db07b723fb4efc961f8af9b8370bff87aab74414b2b1d3d7ecf45a
ff5d4155fadae2f47d965fe88c40646c9f95c506880ad1c49ef3f596f816133f
37a5d4455f20268ec789f79b65ad4698904464787974e548ff5060fd263fbe8d
407024d5e90c03e52fadbe6c39194789a41146b0525dcb83738ffbe9bd223768
d99aecf7efc03c48cf453b3dd4bf3a9b0354f53500aa4898db2d76ac20b6073a
98edd17e7d9fd81f5a9901f798e07a1551ce5560f4913a5ad44c8d334ac98a27
16c93d09c97e91d93c84457beb3f80ca32162470fb1c3d0172d0fea1ecc914a4
e4301c935a41da05a611b4512b46c712af2effbbbb5109cf45fd275ebe60fa2f
6c183cf32126483c718fb6f7e0b786ded6b49e02d9b096ffc436b540b7c95409
a6d0246b6dcfa90d726ec70bbafdb698f379a52727517f05971bf7a37a82fb3c
02fdb56573b8915d070e00f1246e7fdce4c76033dd50d1bfebbbfafacbf7003b
2db67f4216d02d6c9b2ed89ad66d4a8b55a96fcb531da9a51c569e9fa899195c
4f775d983e96bbede94d8805fe4113a9d24e5475cac0860f0691fa9f9920176c
c8dd1801b00290747ecb6a33e3450e164b699a941e167ed21e7f012a293d6fac
74f41a998fb71f4352f3db8b0b9a747ec1f90be88fc5a3a6069864e9d4b3b7d4
7a40f325178af1ab386adbf4e38a8ca751bcf36683069059aaaadb3ef9083754
2b9f0eed613b7c8b1ecfc2c8c26832454656009d30e923db6c5be4974c049de2
99507611167da5bca060933f3089b3e87e559d7536549e13c8d9871a46cb3745
cb034ce1960b508b94a5896f8760b11a67eb9e978eda6c4113a90972f5020421
39fa76e67f64e98772315b9388f3180c5ace09db02590a10165c85117700a2d3
346db89a71e9af19079148c3da2c16115ecbabccd92bea954a533a64b8f47fd6
946cc1ffb15fcfa2ef68d41b324c1ef191f3e88aeaf3457dbfa3ded2e5e63d3e
37b6b81a62ffa02f034e31acebe66f07a9bb15fc9b52030f473363398368b705
  521. 49c81713eb9df8d8ed2be5ecc61a1cb7328a5c0873132663623c3d8782d46ebc
  522. e9ba0c851f951fcf2a5dbab4bb98cbb77b6dbf4e35c8f6f293084496ded94ceb
  523. 8ba0114f87e18fa38a9700471363d6a71bf421bab76d7945214b19c6bd08f581
  524. 481b9ebb307c62af10a106f1db98ec2061e84886d5be0b30d9ac31b44b686297
  525. ca6d0f21d5296c5aec857fc31d9a7754e2d5a29358a9485ec66f0b5256e40868
  526. 69e9ea2dd6487b4c040996fbf3423e3e6f85ef8b38332ad6a1d42a566955301a
  527. 1bf957fa8308d292e02c3ae41c8f4c05c737f4547443fe79d1abc4c94e2a906b
  528. 12106ff6f6bccdc6010afbd538683e95cac68895392736f6de8782f1874362ce
  529. 3ddef7b8f343adc8329992e77e4db864f8280079ced5b568439aab1b8d5d0637
  530. 0e84c39c9834b9576abe0cd4ac217b458114e3cae1aae02e8635f777ef58e829
  531. 6904d1cbef391cba695a60fe12938a62b6115f1ebcf5fcdc1430714d13fcf6ac
  532. 998e3fc9e299169673b7343471b28e784978ef6c6a61b4c80c1aa1e6a9d18828
  533. fcbd6d030ca2af04b048b074b53213e08f024169acc8f25febec0416456f52a9
  534. 036bbabddd5839622989c37533d8e515064a68709e2cff7465fef14359481af4
  535. 70fa304db9ca1b2e55f417b6ce543330d3d50e9e1e6a394a49a7d9b6f1df8138
  536. 09abaeedacdb461055b081ca3aab1e414a66ad10e9175bf593c4969c8c663600
  537. 26f21796ba7b4221db302b6659d9ff1122907b68a9a5df1d715e0d1dc7bc6e97
  538. 4cea9443e5637bb1eff5d9d52fdb4f899cd57856c53af3b0872acfd2dfcbea26
  539. 13321c3594f36934de0ef980a69c17452e64dce253cebf5888f7eba3b86c013f
  540.  
  541. ```
  542. #### Epoch 1 C2s ####
  543. ```
  544.  
  545. 109.104.79.48:8080
  546. 12.6.183.21:8080
  547. 138.68.139.199:443
  548. 144.76.117.247:8080
  549. 159.65.76.245:443
  550. 162.247.42.61:80
  551. 165.227.213.173:8080
  552. 168.226.35.218:80
  553. 179.62.48.123:143
  554. 181.15.224.57:80
  555. 181.56.165.97:53
  556. 185.86.148.222:8080
  557. 186.15.180.71:443
  558. 186.4.127.72:995
  559. 186.72.205.234:22
  560. 189.173.176.115:443
  561. 189.251.40.71:8080
  562. 190.117.226.104:8080
  563. 192.155.90.90:7080
  564. 192.163.199.254:8080
  565. 200.114.142.15:80
  566. 201.124.46.8:8080
  567. 201.183.238.18:443
  568. 201.212.113.14:50000
  569. 201.217.133.34:80
  570. 208.180.246.147:80
  571. 209.159.244.240:443
  572. 210.2.86.72:8080
  573. 219.94.254.93:8080
  574. 23.254.203.51:8080
  575. 24.194.252.25:80
  576. 5.9.128.163:8080
  577. 51.255.50.164:8080
  578. 51.77.109.100:80
  579. 66.209.69.165:443
  580. 69.163.33.82:8080
  581. 70.167.72.96:143
  582. 70.24.147.245:443
  583. 71.40.213.82:8080
  584. 72.47.248.48:8080
  585. 74.45.170.110:80
  586. 76.94.36.57:80
  587. 80.15.172.81:50000
  588. 88.225.226.91:443
  589. 90.63.245.70:8080
  590. 92.48.118.27:8080
  591. 98.121.75.14:80
  592. 98.238.127.216:21
  593.  
  594. ```
  595. #### Spam/Stealer C2s ####
  596. ```
  597.  
  598. 104.236.185.25:8080
  599. 212.112.113.235
  600. 216.98.148.157:8080
  601. 50.116.63.8:7080
  602. 73.185.42.52:8080
  603.  
  604. ```
  605. #### Current Epoch 1 RSA Public Key ####
  606. ```
  607.  
  608. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJWcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
  609.  
  610. ```
  611. #### Epoch 2 C2s ####
  612. ```
  613.  
  614. 100.35.190.8:443
  615. 104.228.227.210:80
  616. 12.195.47.98:7080
  617. 129.24.37.8:443
  618. 133.242.164.31:7080
  619. 138.201.140.110:8080
  620. 153.121.36.202:7080
  621. 155.186.224.38:443
  622. 173.255.196.209:8080
  623. 173.255.250.241:443
  624. 178.62.37.188:443
  625. 181.1.124.16:8080
  626. 184.54.110.31:990
  627. 189.131.93.44:990
  628. 190.114.242.130:20
  629. 204.197.152.162:8090
  630. 208.78.100.202:8080
  631. 211.115.111.19:443
  632. 216.201.162.158:20
  633. 217.13.106.160:7080
  634. 24.155.49.236:8080
  635. 24.185.185.187:443
  636. 24.227.158.234:21
  637. 24.228.124.151:7080
  638. 38.27.109.250:21
  639. 45.123.3.54:443
  640. 45.63.17.206:8080
  641. 5.230.147.179:8080
  642. 50.31.0.160:8080
  643. 50.93.34.66:443
  644. 62.75.187.192:8080
  645. 62.75.191.231:8080
  646. 63.227.80.10:8080
  647. 66.216.234.131:443
  648. 67.205.149.117:443
  649. 67.249.245.159:443
  650. 67.254.13.154:80
  651. 69.198.17.7:8080
  652. 75.99.7.18:8443
  653. 76.94.226.173:20
  654. 79.75.233.224:21
  655. 82.14.53.90:22
  656. 83.222.124.62:8080
  657. 87.106.210.123:80
  658. 94.76.200.114:8080
  659. 95.10.12.151:80
  660. 96.47.92.60:443
  661. 96.60.95.245:53
  662. 98.0.245.234:22
  663. 98.31.4.186:21
  664.  
  665. ```
  666. #### Epoch 2 - Spam/Stealer C2s ####
  667. ```
  668.  
  669. 198.199.96.164:443
  670. 198.58.114.91:4143
  671. 66.38.64.143
  672.  
  673. ```
  674. #### Current Epoch 2 RSA Public Key ####
  675. ```
  676.  
  677. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCxS0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRchG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
  678.  
  679. ```
  680. #### Credits and Notes Section ####
  681. ```
  682. Updated 7/13/18
  683. WARNING - Some links may have been taken down shortly after I reported them to URLhaus (urlhaus.abuse.ch), because they rock and report everything to ISPs once it
  684. is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
  685. https://pastebin.com/u/jroosen
  686.  
  687. NOTE: The doc DL URLs are now in alphabetical order. The community lists below may contain content I do not have in my list.
  688. I am providing them for your benefit in case you want to parse them to be sure.
  689.  
  690. ```
  691. #### What is Epoch 1 and Epoch 2? ####
  692. ```
  693.  
  694. What is Epoch 1 and Epoch 2? (updated 01/29/2019) It has been a while since I refreshed this section, so I wanted to bring it up to date.
  695.  
  696. I have been tracking Epoch 1 and Epoch 2 since May of 2018. Epoch 1 and 2 are two botnets with distinct C2 infrastructures and separate RSA keys for
  697. C2 communications. Epoch 2 is currently the larger of the two botnets and I think it is the main push of Emotet. Epoch 2 WAS the smaller, more rapidly changing
  698. version of Emotet at one point in May/June of 2018; since then, Epoch 1 has been the smaller of the two. Despite having unique, unshared
  699. C2 infrastructures, these two botnets have been seen to move bots from one to the other and show similar behaviors, seemingly controlled by a single
  700. entity/group. Here are some observations I have noted while watching these botnets:
  701.  
  702. - Checking a document download site from Epoch 1 delivers a different document than an Epoch 2 document download site delivers at the same
  703. moment. Specifically, maldocs on Epoch 1 have different document creation times and payload quintets (the set of five payload URLs embedded in the
  704. maldoc) than the maldocs being delivered on Epoch 2 at any given time.
  705. - Document hashes change every 10 minutes on both Epochs while distribution/spamming is active.
  706. - Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
  707. - Early every Monday morning (Sunday night), a new set of document download sites, usually with new templates to accompany them, is generated.
  708. - Both Epochs may share a host for binaries or documents but NEVER the same directory, e.g. Epoch 1 may have an EXE in directory host.tld/A while Epoch 2
  709. has a document hosted at host.tld/B.
  710. - The RSA keys used for C2 communications change every month or so on each Epoch/botnet.
  711. - Binaries on Epoch 1 payload sites differ from the binaries on Epoch 2 payload sites.
  712. - Each binary has a hard-coded list of C2s unique to the Epoch it was derived from.
  713. - C2s are never shared between Epochs/botnets.
  714. - Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours to stay ahead
  715. of AV definitions.
  716. - Spamming activity on each botnet seems to cease at around 00:00 UTC each day and usually starts back up around 07:00-08:00 UTC.
  717. - Spamming usually does not occur on weekends; the Emotet team seems to take weekends off.
  718. - The easiest way to tell which botnet a sample belongs to is to find the payload and then check its hard-coded C2 list and RSA key against the lists above.
  719.  
  720. If I think of anything else to add or if anyone else has any suggestions, I will add them here.
  721.  
  722. ```
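The last observation above, that the quickest attribution is to pull the payload's hard-coded C2 list and RSA key and compare them with the per-epoch lists, can be automated. The following Python is an added example written for this page, not Cryptolaemus tooling or anything from the original paste: it parses the two base64 SubjectPublicKeyInfo blobs posted above with a minimal DER reader (standard library only), extracts modulus, exponent and a SHA-256 fingerprint, and attributes a sample from C2 endpoints you have already extracted from the unpacked binary. The C2 sets embedded in it are a small subset of the lists above (an assumption that you would extend them with the full lists), and the "ip:port" values passed to classify_sample at the bottom are constructed input, not from a real sample. Any sample whose C2s hit both lists, or whose key disagrees with its C2s, is reported as ambiguous rather than forced into one epoch, since the page states that C2s are never shared between the two.

```python
import base64
import hashlib

# Current per-epoch RSA public keys as posted on this page (base64 DER
# SubjectPublicKeyInfo, display whitespace removed).
EPOCH_KEYS = {
    "Epoch 1": (
        "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+"
        "0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ"
        "Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB"
    ),
    "Epoch 2": (
        "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx"
        "S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc"
        "hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB"
    ),
}

# Small subset of the per-epoch C2 lists above (assumption: in real use you load
# the full lists, which the page gives in their entirety).
EPOCH_C2S = {
    "Epoch 1": {"109.104.79.48:8080", "138.68.139.199:443",
                "186.4.127.72:995", "201.212.113.14:50000"},
    "Epoch 2": {"100.35.190.8:443", "12.195.47.98:7080",
                "184.54.110.31:990", "75.99.7.18:8443"},
}

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _tlv(buf, pos, want_tag):
    """Read one DER tag-length-value at buf[pos]; return (value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    if tag != want_tag:
        raise ValueError(f"expected tag 0x{want_tag:02x} at {pos}, got 0x{tag:02x}")
    pos += 2
    if length & 0x80:                         # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return buf[pos:pos + length], pos + length


def parse_rsa_spki(b64):
    """Return (modulus, exponent, sha256 hex of the DER) for a base64 RSA SubjectPublicKeyInfo."""
    der = base64.b64decode("".join(b64.split()))   # tolerate the spaces Pastebin inserts
    spki, _ = _tlv(der, 0, 0x30)
    algid, pos = _tlv(spki, 0, 0x30)          # AlgorithmIdentifier { OID, NULL }
    oid, _ = _tlv(algid, 0, 0x06)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    bits, _ = _tlv(spki, pos, 0x03)           # BIT STRING: unused-bits octet + RSAPublicKey
    if bits[0] != 0:
        raise ValueError("unexpected unused bits in BIT STRING")
    rsakey, _ = _tlv(bits, 1, 0x30)           # RSAPublicKey { INTEGER n, INTEGER e }
    n_bytes, pos = _tlv(rsakey, 0, 0x02)
    e_bytes, _ = _tlv(rsakey, pos, 0x02)
    return (int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big"),
            hashlib.sha256(der).hexdigest())


def key_fingerprints():
    """Map each epoch name to the SHA-256 fingerprint of its current key."""
    return {epoch: parse_rsa_spki(b64)[2] for epoch, b64 in EPOCH_KEYS.items()}


def classify_sample(c2s, rsa_b64=None):
    """Attribute a sample to an epoch from its hard-coded C2 list and, if given, its RSA key.

    c2s: iterable of "ip:port" strings extracted from the unpacked binary.
    Returns the verdict, the per-epoch C2 hits, and the epoch whose key matched (if any).
    """
    c2s = set(c2s)
    hits = {epoch: sorted(c2s & known) for epoch, known in EPOCH_C2S.items()}
    candidates = {epoch for epoch, h in hits.items() if h}
    key_epoch = None
    if rsa_b64 is not None:
        fp = parse_rsa_spki(rsa_b64)[2]
        key_epoch = next((ep for ep, f in key_fingerprints().items() if f == fp), None)
        if key_epoch:
            candidates.add(key_epoch)
    if not candidates:
        verdict = "unknown"                   # neither the C2s nor the key are on the lists
    elif len(candidates) == 1:
        verdict = candidates.pop()
    else:
        verdict = "ambiguous"                 # C2s from both epochs, or key and C2s disagree
    return {"verdict": verdict, "c2_hits": hits, "key_epoch": key_epoch}


if __name__ == "__main__":
    for epoch, b64 in EPOCH_KEYS.items():
        n, e, fp = parse_rsa_spki(b64)
        print(f"{epoch}: RSA-{n.bit_length()} e={e} sha256={fp[:16]}...")
    # Constructed input standing in for C2s carved out of a hypothetical sample.
    print(classify_sample(["138.68.139.199:443", "10.0.0.1:80"], EPOCH_KEYS["Epoch 1"]))
```

Both keys on this page parse as 768-bit RSA with e=65537; the fingerprint is what you would key a lookup on when the keys rotate, since the page notes they change roughly monthly.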
  723. #### Community Lists ####
  724. ```
  725.  
  726. - @pollo290987
  727. https://otx.alienvault.com/pulse/5c6affbf0cd6c22d6964a3ce/ - @SecSome
  728.  
  729. ```
  730. #### Credits ####
  731. ```
  732. (OC from @JRoosen and/or combination work of the following)
  733.  
  734. Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, @0xtadavie,
  735. @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @leunammejii, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey, @Jan0fficial
  736. @shotgunner101, @HerbieZimmerman, @Outkast_TI
  737.  
  738. C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie, @devnullnoop,
  739. @gorimpthon, @Racco42, @Jan0fficial
  740.  
  741. Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz, @pollo290987,
  742. @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey, @Jan0fficial,
  743. @OguzhanTopgul, @HerbieZimmerman
  744.  
  745. Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
  746.  
  747. Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and helping out with all of this!
  748.  
  749. Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
  750. @digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch
  751. and @Virustotal for providing services/software no charge to this cause!
  752.  
  753. ```
  754. #### Daily Log ####
  755. ```
  756.  
  757. Received only about 3 malspams today. It seemed like folks outside of the USA received a lot more today. This was noted by some of us here:
  758.  
  759. https://twitter.com/executemalware/status/1097620707213799425
  760.  
  761. @ps66uk received a large amount of malspam in his environment yesterday. Here is his report:
  762.  
  763. https://twitter.com/ps66uk/status/1097602363714613248
  764.  
  765. This may be due to Presidents' Day or perhaps a shift in targeting. Hard to say for sure. 2 of the 3 malspams I got were in Spanish as well.
  766. All of them were attachments, either DOC or PDF. There seemed to be a heavy push for German URLs lately, but oddly I did not
  767. notice any German malspam. @certbund did and reported on it here:
  768. https://twitter.com/certbund/status/1097484685993799680
  769.  
  770. There was also O2 invoice malspam and "banking account suspended" PDF templates in use. Oddly, I saw a Santander Bank
  771. version, and I have never seen this bank being targeted before.
  772.  
  773. Spamming stopped at about 23:00 UTC for both botnets. Oddly, binary distribution stopped around the same time. Not sure if it is a break time or if they
  774. are going to fire it all back up in a few hours. Time will tell.
  775.  
  776.  
  777. E1 C2s are the same as in the 2/15/18 report - recorded above.
  778. E2 C2s changed, but the count is still the same. Recorded above.
  779.  
  780. Tune in tomorrow for a break time update or spam restart.
  781.  
  782. TT
  783.  
  784. ```
  785. #### Sandbox 02/18/19 ####
  786. (all with fakenet and MITM unless spam/secondary infection)
  787. ```
  788.  
  789. Epoch 1 C2 run on 2019-02-19 at 05:00 UTC - https://cape.contextis.com/analysis/38199/
  790.  
  791. ```
  792.  
  793. ```
  794.  
  795. Epoch 2 C2 run on 2019-02-19 at 05:00 UTC - https://cape.contextis.com/analysis/38198/
  796.  
  797. ```