jroosen

Emotet Malware IoCs 2019/10/14

Oct 15th, 2019
## Emotet Malware Document links/IOCs for 10/14/19 as of 10/15/19 02:00 EDT ##
*Notes and Credits at the bottom.* Follow us on Twitter @cryptolaemus1 for more updates.

### Document Downloader Links ###

#### Epoch 1 Document/Downloader links ####
```
<none>
```
#### Epoch 2 Document/Downloader links ####
```
```
#### Epoch 3 Document/Downloader links ####
```
<none>
```

### Payloads per Epoch by Document ###

#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2019-10-14 21:43:00 (Attachment Only - Doc based - Office 365 Light Blue)

Creation Time 2019-10-14 14:00:00 (Attachment Only - Doc based - Activation Wizard)

Creation Time 2019-10-14 06:26:00 (Attachment Only - Doc based - Office 365 Light Blue)
```
#### SHA256s for Epoch 1 Payload EXEs ####
```
```
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2019-10-14 22:53:00 (Attachment Only - Doc based - Activation Wizard)

Creation Time 2019-10-14 21:55:00 (Attachment Only - Doc based - Activation Wizard)

Creation Time 2019-10-14 14:06:00 (Attachment Only - Doc based - Activation Wizard)

Creation Time 2019-10-14 08:04:00 (Attachment Only - Doc based - Activation Wizard)

Creation Time 2019-10-14 05:52:00 (URLs - Doc based - Activation Wizard)
```
#### SHA256s for Epoch 2 Payload EXEs ####
```
```
#### Epoch 3 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2019-10-14 21:18:00 (Attachment Only - Doc based - Protected View)

Creation Time 2019-10-14 19:00:00 (Attachment Only - Doc based - Product Notice)

Creation Time 2019-10-14 14:12:00 (Attachment Only - Doc based - Activation Wizard)

Creation Time 2019-10-14 06:34:00 (Attachment Only - Doc based - Activation Wizard)

Creation Time 2019-10-11 18:58:00 (Attachment Only - Doc based - Activation Wizard)
```
#### SHA256s for Epoch 3 Payload EXEs ####
```
```
### C2s Per Epoch ###

#### Epoch 1 C2s ####
```
```
#### Epoch 1 - Spam C2s ####
```
37.187.5.82:8080
45.55.82.2:8080
185.94.252.27:8080
```
#### Epoch 1 - Stealer C2s ####
```
75.127.72.18:8080
190.115.18.139:8080
66.228.32.31:443
```
#### Current Epoch 1 RSA Public Key ####
```
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB
```
#### Epoch 2 C2s ####
```
```
#### Epoch 2 - Spam C2s ####
```
23.253.207.142:8080
185.187.198.4:8080
46.228.205.245:4143
```
#### Epoch 2 - Stealer C2s ####
```
```
#### Current Epoch 2 RSA Public Key ####
```
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2
PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C
AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB
```
#### Epoch 3 C2s ####
```
```
#### Epoch 3 - Spam C2s ####
```
192.241.241.221:443
185.187.198.5:8080
41.185.29.128:8080
```
#### Epoch 3 - Stealer C2s ####
```
178.32.255.133:443
198.46.150.196:7080
```
#### Current Epoch 3 RSA Public Key ####
```
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP
4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc
iJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB
```
#### Credits and Notes Section ####
```
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch
because they rock and report everything to ISPs as it is confirmed to be malware. Additionally,
this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
https://pastebin.com/u/jroosen

NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.
```
#### What is Epoch 1, Epoch 2 and Epoch 3? ####
```
(09/17/19)
With the find of Epoch 3 that split from Epoch 1, this section will be rewritten to reflect these changes in time.
```
#### Community Lists/Samples ####
```
https://pastebin.com/NBrrVSpT - @excutemalware

https://otx.alienvault.com/pulse/5da4cfc209cc7632c784efcc - @SecSome

https://twitter.com/reecdeep/status/1183685203363090432
https://pastebin.com/2xSMEALG

https://twitter.com/Paladin3161/status/1183584219903053825
https://pastebin.com/CMvn0vkB

https://twitter.com/Paladin3161/status/1183584028751843328
https://pastebin.com/xcp7ZWhb

https://twitter.com/Paladin3161/status/1183723826787389441
https://pastebin.com/5SVWPPpb

(sorry if we miss anybody, make sure to send it to @cryptolaemus1 in your tweet and we will try to include it!)
```
  727. #### Credits ####
  728. ```
  729. Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:
  730.  
  731. Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161
  732.  
  733. C2 info/RSA Keys - @CapeSandbox, @devnullnoop, @MalwareTechBlog, @lazyactivist192, @VK_Intel, @Paladin3161
  734.  
  735. Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @TheHack3r4chan, @p5yb34m, @malware_traffic, @Paladin3161, @ps66uk, Anonymous :)
  736.  
  737. Spam Templates - @devnullnoop, @lazyactivist192
  738.  
  739. Special thanks to @lazyactivist192, @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
  740. helping out with this!
  741.  
  742. Very special thanks to @Binary_Defense, @lazyactivist192, @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project
  743. https://github.com/decalage2/ViperMonkey, @digitalocean, @mploessel, @anyrun_app, @unixronin, @hurricanelabs, @MalwareTechBlog, @KryptosLogic,
  744. @0xtadavie, @MsftSecIntel, @abuse_ch/urlhaus.abuse.ch, @urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal for providing services/software
  745. at no charge to this cause!
  746.  
  747. ```
  748. ### Daily Log 10/14/19 ###
  749. ```
  750.  
  751. @ps66uk and @jroosen here:
  752. Getting out some bugs in our processes to get more streamlined. I wanted to take a second to thank everyone that helps us make this happen.
  753. Thank you for your time, your effort and even just answering a simple question here and there. All of the work of the community goes together
  754. to solve a bigger puzzle!
  755.  
  756. It is late tonight and I will fill more in tomorrow. - @jroosen
  757.  
  758. ```
  759. #### General News ####
  760. ```
  761.  
  762. Marco Ramilli found what seems to be highly targeted malspam against a business that happened to use a remote SOC. We are not
  763. sure this was more than a reply chain spam that happened to get lucky(or use some intelligence for once) to select the right
  764. email to use to reply. We have reached out to the author for more info though to be sure our suspicions are correct.
  765. Original Article:
  766. https://securityaffairs.co/wordpress/92501/malware/emotet-gang-targetes-external-soc.html
  767.  
  768. Herbie Zimmerman shared a handy way to get out the payload URLs from the latest series of docs here in his tweet:
  769. https://twitter.com/HerbieZimmerman/status/1183853997846941698
  770.  
  771. Brad over @malware_traffic tweeted about a Trickbot gtag: mor21 followup to an initial Emotet E1 Infection here:
  772. https://twitter.com/malware_traffic/status/1183773041177743360
  773.  
  774. ```
  775. #### Drops Report ####
  776. ```
  777. D00RT was once again reporting on what was dropping where:
  778.  
  779. emotet/trickbot - JP
  780. https://twitter.com/D00RT_RM/status/1183663002698027008
  781.  
  782. Brad over @malware_traffic tweeted about a Trickbot gtag: mor21 followup to an initial Emotet E1 Infection here:
  783. https://twitter.com/malware_traffic/status/1183773041177743360
  784.  
  785. We also observed Trickbot gtag: mor21 dropping all over the globe today.
  786.  
  787. ```
  788. #### Email Template Report ####
  789. ```
  790.  
  791. We are still seeing strong spamming globally in various languages. Reply chains and generic malspam. I am continuing to
  792. see a steady increase in attachment malspam as the botnets build in strength.
  793. I do not know what to make of the reasonably random distro of templates. Not sure why things vary like they do during the
  794. day but this chart that @ps66uk put together is interesting to watch how things fall into place on:
  795.  
  796. E1 ModifyDate: 2019:10:14 06:26:00 CreateDate: 2019:10:14 06:26:00 coastaltherapy.com office 365 lt blue
  797. E2 ModifyDate: 2019:10:14 05:52:00 CreateDate: 2019:10:14 05:52:00 tendenciasv.com wizard
  798. E3 ModifyDate: 2019:10:14 06:34:00 CreateDate: 2019:10:14 06:34:00 sgnr.in wizard
  799.  
  800. E1
  801. E2 ModifyDate: 2019:10:14 08:04:00 CreateDate: 2019:10:14 08:04:00 deredia.com wizard
  802. E3
  803.  
  804. E1 ModifyDate: 2019:10:14 14:00:00 CreateDate: 2019:10:14 14:00:00 andrewsiceloff.com wizard
  805. E2 ModifyDate: 2019:10:14 14:06:00 CreateDate: 2019:10:14 14:06:00 filegst.com wizard
  806. E3 ModifyDate: 2019:10:14 14:12:00 CreateDate: 2019:10:14 14:12:00 shreeumiyagroup.com wizard
  807.  
  808. E1 ModifyDate: 2019:10:14 21:43:00 CreateDate: 2019:10:14 21:43:00 rastreon.com office 365 lt blue
  809. E2 ModifyDate: 2019:10:14 21:55:00 CreateDate: 2019:10:14 21:55:00 voiceacademyusa.com wizard
  810. E3 ModifyDate: 2019:10:14 19:00:00 CreateDate: 2019:10:14 19:00:00 tour.nicestore.co.kr product notice
  811.  
  812. E1
  813. E2 ModifyDate: 2019:10:14 22:53:00 CreateDate: 2019:10:14 22:53:00 stn.methodist.org.hk wizard
  814. E3 ModifyDate: 2019:10:14 21:18:00 CreateDate: 2019:10:14 21:18:00 bulby.pl activation
  815.  
  816. ```
  817. #### Link Regex Report ####
  818. ```
  819. (These are experimental, use at your own risk.)
  820. Looks like only E2 is doing links now and it seems to be some of the old Regex. Here is what works lately:
  821.  
  822. These were updated:
  823. https?:\/\/.+?\/(administrator|academy|alphabet|App_Data|assets|backup|beta|blogs|cache|cgi-bin|checkformats|cfm|consultation|core|css|DANE|Dane|demo|discuss_lib|direc|Document|DOC|Dok|DOK|esp|FILE|function.cheese|gallery|GoogleSpeech|hino|homepage|images|INC|Inf|INF|js|lib|LLC|lm|menusa|paclm|Pages|parts_service|phpmyadmin|Plik|popup_index|public|Scan|sites|sitemap|sox62c|SOUBORY|test|trademark|themes|tmp|uploads|wc-logs|webalizer|wordpress|WP2|wp-admin|wp-content|wp-Enfold|wp-includes)\/([A-Za-z0-9|]{7,36})\/(\"|\n)
  824. https?:\/\/.+?\/([0-9a-z\-_]{3,11})\/([A-Z0-9\/]{7,32})?([A-Za-z]{7,32})\/(\"|\n)
  825.  
  826. These were not:
  827. https?:\/\/.+?\/([A-Za-z0-9]{8,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
  828. https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{4,30})\/
  829.  
  830. Also keep in mind, your filter needs to look inside PDF files to find the URI to test against these above. Otherwise
  831. this does not help.
  832.  
  833. ```
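The two "updated" patterns from the Link Regex Report, run over constructed sample input as an added example; this is not code from the original paste or from the Cryptolaemus team. The regexes are copied verbatim from the report. The PDF extraction helper, the function names, the sample PDF fragment, the HTML snippet and the example.com/.org/.net domains are assumptions built for illustration. It also works through the caveat in the last paragraph: URIs pulled out of a PDF have to be laid out one per line (or sit inside a quoted attribute) before the patterns' final `(\"|\n)` group can match, so a bare URL string on its own never matches.

```python
import re

# The two "updated" patterns from the Link Regex Report above, copied verbatim.
# Both end in (\"|\n): the URL has to be followed by a double quote (an HTML
# attribute value) or a newline, so bare URLs extracted from a PDF must be
# placed one per line before they are tested.
EMOTET_LINK_PATTERNS = [
    re.compile(r'https?:\/\/.+?\/(administrator|academy|alphabet|App_Data|assets|backup|beta|blogs|cache|cgi-bin|checkformats|cfm|consultation|core|css|DANE|Dane|demo|discuss_lib|direc|Document|DOC|Dok|DOK|esp|FILE|function.cheese|gallery|GoogleSpeech|hino|homepage|images|INC|Inf|INF|js|lib|LLC|lm|menusa|paclm|Pages|parts_service|phpmyadmin|Plik|popup_index|public|Scan|sites|sitemap|sox62c|SOUBORY|test|trademark|themes|tmp|uploads|wc-logs|webalizer|wordpress|WP2|wp-admin|wp-content|wp-Enfold|wp-includes)\/([A-Za-z0-9|]{7,36})\/(\"|\n)'),
    re.compile(r'https?:\/\/.+?\/([0-9a-z\-_]{3,11})\/([A-Z0-9\/]{7,32})?([A-Za-z]{7,32})\/(\"|\n)'),
]

# Minimal extractor for /URI (...) link actions in a PDF body. Assumption: the
# annotation objects are not inside compressed object streams and the URI
# string contains no escaped ')'. A production filter needs a real PDF parser.
PDF_URI_RE = re.compile(rb'/URI\s*\((https?://[^)\s]+)\)')


def extract_pdf_uris(pdf_bytes):
    """Return every http(s) URI found in /URI (...) actions, in document order."""
    return [m.group(1).decode("latin-1") for m in PDF_URI_RE.finditer(pdf_bytes)]


def scan_blob(text):
    """Run the report's patterns over arbitrary text (an HTML mail body, or a
    newline-joined list of URLs) and return each distinct matching URL once,
    without the terminating quote or newline that the patterns consume."""
    hits = []
    for pattern in EMOTET_LINK_PATTERNS:
        for m in pattern.finditer(text):
            url = m.group(0)[:-1]
            if url not in hits:
                hits.append(url)
    return hits


def scan_pdf(pdf_bytes):
    """Extract URIs from a PDF, then test them one per line as the patterns expect."""
    return scan_blob("\n".join(extract_pdf_uris(pdf_bytes)) + "\n")


# Constructed sample input (not real IoCs): three link annotations, two shaped
# like the E2 document download links described above and one benign.
SAMPLE_PDF = b"""%PDF-1.4
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.com/wp-content/k3x9r2bvq7ml0/) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.org/visa-form/QwErTyUiOpAs/) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.example.net/about-us/) >> >> endobj
"""

# Constructed HTML mail body: here the double-quote alternative does the work.
SAMPLE_HTML = '<p>See the document: <a href="http://example.com/wp-includes/z8q4w1ntp6rk/">invoice</a></p>\n'

if __name__ == "__main__":
    for url in scan_pdf(SAMPLE_PDF):
        print("PDF  ", url)
    for url in scan_blob(SAMPLE_HTML):
        print("HTML ", url)
```

The first sample link is caught by the directory-list pattern (`wp-content` followed by a 7-36 character token), the second by the generic pattern (a short lowercase directory followed by a run of letters), and the benign `/about-us/` link by neither. Feeding `scan_blob` a URL without a trailing newline returns nothing, which is exactly the failure mode the report warns about when URIs are tested straight out of a PDF.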
#### Payloads Report ####
```

Something seemed to stop up the pipeline today at the Emotet malware factory around 15:00UTC. I am not sure exactly what
happened but we only saw 5-8 hash busts on each epoch. Some of them had a lot of corrupted downloads of late. This may mean
C2 issues.

There was a newer loader released today around 21:00UTC that is smaller than 200KB but I am not sure what the changes are yet.
If @lazyactivist192 has time he may be able to see what he can find out tomorrow.

```
#### C2 Report ####
```

E1 86
E2 78
E3 32

110.36.234.146:80 moved from E3 to E1 - while this is quite rare, we have seen it happen before. Out of all the C2s, this
happens maybe a handful of times a month for unknown reasons.

```
#### Closing ####
```

Looks like there may be some distro/c2 problems in Emotet land. It could also be a harbinger of change.
Be on the lookout!

TT

```
#### Sandbox 10/14/19 ####
```

E1
https://capesandbox.com/analysis/2997/

E2
https://capesandbox.com/analysis/2995/

E3
https://capesandbox.com/analysis/2996/

```