## Emotet Malware Document links/IOCs for 05/15/19 as of 05/15/19 23:59 EDT ##

*Notes and Credits now at the bottom* Follow us on twitter @cryptolaemus1 for more updates.

#### Epoch 1 Document/Downloader links seen for 05/15/19 ####
```
Seen only in attachments
```
#### Epoch 2 Document/Downloader links seen for 05/15/19 ####
```
http://abrcs.org/wp-admin/paclm/vxresoYsFSgSYXlDbcweliPhGiB/
http://acaraberita.me/wp-admin/LLC/baWsFnKSLkasxgAFLSQjbukmMLcl/
http://agromex.net/fonts/FILE/vEMrGXSieqiCyq/
http://agromex.net/fonts/Plik/1ho34bbk7909_zm2ga7-0892900813279/
http://agromex.net/fonts/Plik/jZKpWwXGzL/
http://alfaproject4.eu/wp-content/parts_service/ke9dlk0dw8wazsuf_b0ikb578mb-741227932410/
http://aliciarivas.edu.sv/Sub-Dominios/LLC/mu3dfytk5bf8_sww2nxyr-15974204223/
http://amantiwari.in/wp-content/LLC/rvgily845pklgo9hrz0q90mqro2e6_9arpd-4423382856003/
http://amitrade.vn/sitemaps/paclm/pqr6wwhr_jop51owzx9-5887999294974/
http://anjoue.jp/academy/9x81l-c8ja2-wrakkkd/
http://arqdesignconstruct.com/cgi-bin/dopt-5s67xnx-zczzanv/
http://auhealthcare.in/wp-admin/Scan/dhyhfkp3rpj8hi10fvk_pna118wt6-536580263/
http://autoecole-hammamet.tn/v8ys1qx/parts_service/TjNafnPBWWLskdsPJPqjfNAFK/
http://autorepairmanuals.ws/homepage/bSDjvZYCUYyxvldpcWiSpz/
http://ayashige.sakura.ne.jp/CGI/parts_service/ksDqudmXNvlaBwGVoFEf/
http://bamboosocietyofindia.in/cgi-bin/20h6e4dfqhg4_rd59p-5910102145/
http://bangkokyouthcenter.com/wp-admin/Scan/ythmkuqzd_jmgn2yp-175573459555500/
http://beansmedia.com/zeus16/wp-includes/8zvnh9-jp0og-zqdrbu/
http://biotopcare.top/wp-includes/d2mh-2c1t9xe-ptus/
http://biyoistatistikdoktoru.com/wp-content/esp/xsimCoaDSxl/
http://blackdog.sakura.ne.jp/bbs/fv1i3uw-kdm0fvw-acfnf/
http://blog.citta.website/@eaDir/@tmp/INC/OCKgnGWSrlj/
http://blog.ieeeuet.org.pk/cgi-bin/LLC/j45hduf8sk3hzb_6k8v3y-361818336957/
http://bluehutdoors.in/wp-admin/sudwuKtj/
http://bmeinc.com/wp-content/INC/a24udhcv9f9t7y2sdbyil3qoo2fw_4u1gm2kr-594966293776422/
http://bookipi.net/cgi-bin/parts_service/VSvJSSSRemqMcXTcXFMkCHm/
http://burakdizdar.com/wp-includes/DOK/vgvXUipTXuB/
http://burnbellyfatnews.com/wp-content/PLIK/1tmc1r6efejf658lnf3n_n1xx7n5e-7916936653/
http://buxton-inf.derbyshire.sch.uk/wp-content/rrpnthz-mw1cqv-kivs/
http://cayyolutesisat.net/yed/FILE/mWBBKzQkaamEYgxMlJbWeakRl/
http://chitranipictures.in/wp-content/DOC/IDnxFUZLywHSGXARYDJBUemDjgtbH/
http://chthonian-win.000webhostapp.com/wp-admin/DOC/a8wtvbgz1_aphcj-081209384764/
http://clienta.live/wp-content/Pages/SYumHtmxwPXbqYndkYYsMBVm/
http://clubhousemalvern.com.au/cgi-bin/kpqm3a5wt4kl8m3j5mss9u_etynuc-7757850886/
http://cmtmapi.com/wp-includes/iqPXmstyTYBMrANrUNufDPtb/
http://coebioetica.salud-oaxaca.gob.mx/wp-content/uploads/nts68xu-zmfzf-rumb/
http://comicsquare.com.ng/wp-content/DOK/mwzQlQkCtXLuO/
http://danikarnaen.com/wp-includes/p0en0-m32wp-jrkpw/
http://doan-xemwebsite.000webhostapp.com/wp-admin/Dane/NREalrdAjwy/
http://dorreensaffron.vn/wp-content/uqt6yec3dw_zp5io-680559949308/
http://ducks.org.tw/wordpress/Pages/RKtrGoDHMOciTJFzvhBUffXujHO/
http://duduk-reed.ml/wp-admin/Dane/xjcmndp3_5ia73am8h1-0167599334/
http://dumka.if.ua/wp-snapshots/zrm7b-ax74kc-tsnfhod/
http://ecosense.solutions/wp-content/DOC/jplexvqj5jlufp_pc7wo5xt-33560198/
http://educ-pb.cz/rix4u/qxqacf-wwt9gd6-tbwf/
http://electladyproductions.com/wp-includes/ix6v12l-hglnvy-lvsurcu/
http://elephant7shop.com/wp-snapshots/sites/VwFWTDwJBGtNo/
http://elespaciodepopito.com.ar/cgi-bin/Pages/KgaILaBUBERrNMPzUdrGAoSHi/
http://elsafaschool.com/natiga/8h4j5m8mukt0rou0rpwgph29_ucuwbq4r-45493048276/
http://emieni.com.br/wp-admin/LLC/sRGACqEiQSmiDRCHZ/
http://eroticcall.top/server/INF/CZmAQNvCPBKTAuaTFjCcvEJM/
http://espacoprimeoffice.com.br/voso/Scan/efkPxQdfeTBXyaTcyaeUwKvHUx/
http://estereokadosh.com/wp-content/obeUnyiAig/
http://fabaf.in/wp-content/xQzYymSsFWmifpwkWxFs/
http://farabtrade.com/wp-admin/LLC/PCbgNXIBFVlbcqxUuKbLbdLJMMvPw/
http://finance2.mcu.ac.th/wp-content/uploads/lm/603wpwtgwgny2x9ew_d4148x-68211475/
http://fireprotectionservicespennsylvania.review/wp-content/parts_service/biav6xutxs0dvm4_vmzz6006z7-80650476624977/
http://gabinaud.pt/wp-admin/86ur-rthnt-boeugbv/
http://gestaonfe.com.br/images/tsf79gpe1yrtdtnjt61y3f90j_hi870-054128199/
http://giadaarquitetura.com.br/wp-content/Pages/RKdnHgotCgUfegMeu/
http://giaoducvacongnghe.com/wp-admin/2q08cc-148uim-innmts/
http://glumory.co.id/wp-admin/xbp1-h2zdjaa-hhncva/
http://goegamer.eu/wp-admin/Scan/GSkVpDUuOXCHrHQOdCiPpJyHg/
http://gogobyte.mx/wp-includes/lm/OmYLVmfsznpdvM/
http://gomypass.com/wp-snapshot/Scan/dkqsehu8yatspxp10w32fx_xcu1yo-9516608289/
http://govche.in/vivek/lm/prtLAvbLhs/
http://greenland.jo/wp-content/INC/y0kwbjc359gze7_cwmyx0f-409158997486/
http://gwangjuhotels.kr/wp-content/themes/INC/cezep04e9rsrtvyu9mvwzzfr51zkv_gsml0g-706374977/
http://habito.in/wp-content/FILE/ljfubtzjqsh8cwl9bshlf792ra6q_1o4nlr0zeq-6153969657/
http://helpforhealth.co.nz/css/acbm9-kwj7h-peujkrt/
http://henrique.solutions/yuri/paclm/KXBRPwQCMigJWyNTbDuXuk/
http://honjia-machine.com/wyxey/jvha7a-b5yoc-hovoj/
http://hostcenter.ir/hctf/x718-t4640gr-ybwh/
http://hottnews.tk/wp-admin/i6sbr3gzf7d81ttfsbgcfi_0ep5rrxd-532243386/
http://hsp-shuto.jp/menu/INC/7s7vagi5dl7o0yn44xh4mnlqn_4lxrc1v-96663874/
http://iamchrisgreene.com/Plik/VqCxNTUpwJgyyf/
http://iberias.ge/ajax/Document/j819r2b5acjauddmy7g_3dviw-346222721021/
http://ichikawa.net/wvvccw/4emi86-ncwpn4-dggzjy/
http://iclebyte.com/cgi-bin/DOC/8npze9i7vr0g_v7jx3y-49079503304628/
http://idealtech.com.pk/axcv/nu6i7-8d8qjw-kykosad/
http://i-dog.jp/higashiosaka-yao/DOC/94ehnjdukkpk4c888qpw3fjb_hdlhca-0736735396873/
http://i-life-net.com/ban/LLC/vuz91b8m_g2e8k-70032498/
http://indahtour.com/test/iieub-ppe0zks-ekjb/
http://indoorpublicidade.com.br/wp-includes/n3jq0t422r2_7hnky38vs3-83093705/
http://ipdesign.pt/dtm/7bvpw7w-f69b1n-cylu/
http://irismal.com/ecsmFileTransfer/DOC/wwxjrul2118b7fp_1sy9y-49325124795289/
http://itconsortium.net/images/INC/d9e9o214zkleefgzhcv_ete0631837-48808070802/
http://its.net.pe/wp-content/fb3bwwdxnfbl6p6k8se4_dkoa5q96-4422471396/
http://jamsand.com/about_3/paclm/OsllaPAGnGOHMo/
http://janicekaiman.com/wp-content/Inf/BBoojXxFUoQKuLCqNQTKsITdA/
http://jerrytech.tk/mysql/paclm/uIQPvRCmDytqBucg/
http://jsminfot.tk/restaurant/Pages/OMbKDeLMwJsxFYxSTWSsCRKcvmqi/
http://kanoan.com/cgi-bin/KnLSEhvhByrMdJyndQuqH/
http://karenanndesign.com/_vti_bin/esp/8mdys2sisoj5veh_cegy3gle-41684013/
http://karpasbulvar17.com/wp-admin/INC/JcBMtYcW/
http://kazancakademim.com/wp-admin/paclm/1mq88ln97dsk_toxhqwl1d-012916449/
http://kbpbiosciences.com/@eaDir/Scan/ApOmjVKn/
http://keita173.net/0kyoto20120906/paclm/LeOfdbEAOzLxiCTomMgbwoUuOAM/
http://kevinwitkowski.ca/webalizer/LLC/gQYyFJYIIRbWqTghvlxLBHPifI/
http://kndesign.com.br/alarme_files/DOC/CMaBzJzQQmzlagoVZdgFCEGHDaDZo/
http://kodlacan.site/permalink/DANE/wtSKvxFllItEwQq/
http://kongendo.com/images/Pages/lDpbdoYAkjtKVaTAkZKaf/
http://koroom.net/39/esp/hgkrmao0oggay4b39y2fs0oa_wkkjz-94827413647/
http://kreditekfa.co.id/wp-includes/Document/01lk3ku2q2dyl6bi5an9dmtdj9y_mfe4yzn3-59374554445886/
http://kumalife.com/Library/Document/rqtpzqh7ys34_9p01g0g-6505566292/
http://lab-quality.com/nmkh/INC/vrAqqzJgLmVzNQoLVPd/
http://lat.ffcc.co/9hrSXJm/wjc4gsnfa5z_2dc3may-04874681/
http://leandropacheco.adv.br/wp-content/j763or8c_7pre9-275868498/
http://lejintian.cn/wp-admin/parts_service/u0hovmjmmyv1l32_tyg484j-650166756659060/
http://lencoltermicosonobom.com.br/wp-content/pBNlLhfN/
http://likenow.tv/wp-admin/INC/RhgBqAEYbWYVSZvzwmHKMsyeF/
http://magitech.tk/wp-content/zx5plu9ooe08rf8tmozcgxrzp_r160ttiksb-41507208131/
http://maskisudeposu.com/wp-content/FtRpaahRJaaJuPGL/
http://masterestan.com/wp-admin/FILE/DRVaGGtISElAvBdWmdhOlJdkUe/
http://mastertek.ir/wp-content/ykii-hi3m5p-qjpnr/
http://meb.com.vn/wp-admin/bigjln-ru1tn-srhsmwc/
http://meble.grudziadz24h.eu/wp-admin/2s7cq8n-onb70gi-bjazkwq/
http://mediainmuebles.es/wp-content/a7hkg14j_zol3szqgm-91365872286240/
http://medyalogg.com/wp-content/ai1wm-backups/7eb18l-ehu6s9f-glgoyh/
http://meravilla.it/wp-admin/DOK/rSaOyFOigqqczbRsiZQYzxjFLvIOX/
http://metalrecycling.com.co/wp-includes/sites/it4cumyuruk22450hrl48c_ggu53-816092320311/
http://miagoth.com/wp-content/nh8h0yt-m8tsv-fhydcq/
http://mobilesforu.ga/wp-content/2gw5vwnbwy1_yuqjdfsjr9-58449743431751/
http://mobradio.com.br/wp-admin/INC/OdTgzACDP/
http://monnaomotona.co.bw/administrator/Scan/xAxUgGUtJUIclo/
http://mpsday.la/wp-admin/bukpnqpqopcjez0do9f6kdc_9po699-75518771132/
http://musicaparalaintegracion.org/wp-admin/f2v2dka50xoo6rmpa_iqxp512-474972950458877/
http://musmanbaig.com/wp/esp/dvaDfUEekBoSaXjEBCVHcOWKDdMeW/
http://nature-creativ.fr/wp-admin/Document/druVFmMEHJaEgMCYeUgcOoSXXe/
http://newindianews.net/wp-includes/sites/ho7vbirzu_9n96r3h6-804129012/
http://nissandongha.com/nwlv/ns27hw-99jsfnm-otiw/
http://nissanvinh.com.vn/wp-content/FILE/DZsTsBDFMrxcrYLYcPikagMV/
http://nofy-nosybe.com/wp-includes/DOC/3vm5r6dd1zh7a24heu6i1v_pdzt60yww-952543362/
http://nordflaten.art/wp-content/sites/26rred8x295xuzyy0jcp3m3dcqxh_6i5wsry-61885523307/
http://novocal.com.vn/wp-admin/bh24s1-4rs2e14-mlmrf/
http://omshanti.lv/wp-includes/esp/BQXuTRGchODynXgEirQ/
http://onebyone.tk/wp-admin/LLC/7706vgdssf94_42cb3wl6o3-452615088702/
http://opspack.tech/wp-admin/Scan/HuvKLKDAVrvsaIacoy/
http://orientaltourism.com.ua/wp-includes/o0v7314-lskye-wiwrc/
http://osarofc.com/wp-content/0xza-146jk-vneaa/
http://parquet-san.com.ua/TEST777/hk7hh5-owhzas9-zcvvrf/
http://pbj.undiksha.ac.id/wp-content/uploads/is8sa-zp7sjl-kswybet/
http://poomcoop.kr/wp-includes/FILE/0iv4itsyce4ebg1la6p6h2s_v7fn0sh9-21612429090/
http://pornhaven.me/wp-admin/Plik/obLBGjXEosW/
http://profair.kz/profair.kz/w9ffwow-qc2x2-yxff/
http://pyneappl.com/wp-admin/r4x2cea-v6nathl-viladac/
http://radi.org.ng/wp-content/paclm/LKkyuOCjRqsBtQA/
http://radiomediavillage.com/bin/DOC/llwYAboSHCIGNNMARHVlBwgaSW/
http://radiomito.fm/cgi-bin/paclm/4wtdjxun7yoe6prhwdmykvhutvm_trqasxx4-37436569/
http://ranbaxylabs.com/wp-includes/2q33-1ptyaz-klqzcpb/
http://realhr.in/wp-content/FILE/LMtUKTFHGjegGqzXeqpOliQXBZmVB/
http://reffd.com/wp-content/Plik/UZHvFUEKQ/
http://regalosdemaria.com.br/wp-includes/paclm/BghjjRFZMncgnELOp/
http://reklamkalemi.net/wp-content/Document/yoBVKLGgeVAxTJGONEvfCtwqGFBTn/
http://rodame.com/wp-includes/Dok/gnkdmt0smywgujlkye50o2vrh5uyj_rleqlnqiq-017770738/
http://rollshtora.by/wp-includes/parts_service/yrZKGYOOoptluKTeuKvdqSrqUx/
http://roubaix-coworking.fr/wp-content/wj7hitf-vba84p-iyluwe/
http://samsunmansethaber.com/wp-content/ngucluy9ylb4zygoi_uxqputkn27-483516794/
http://sa-pient.com/wp-admin/INF/RMXgMrSzIFWYQcgaDxblxFn/
http://saraikani.com/wp-content/k8hnlok-v3ab90j-xutmihs/
http://sarayemesri.com/wp-includes/gbp72vu-pyn3pwn-ghysyjm/
http://sarilahotel.com/wp-admin/parts_service/yjn2nqilx9sg7nbcnh61y_3ltruvczp-892693941531/
http://saturday-school.org/wp-content/52x264qdz9q3tstfzyagovrst6j3d_d0nfmfe5hs-35969571794/
http://shanghaitour.site/wp-content/3ha3f-865hco8-zqwnau/
http://shdesigner.com/cgi-bin/esp/FSgyAKIBQNSZp/
http://shdesigner.com/cgi-bin/esp/FSgyAKIBQNSZp/\/
http://sinlygwan.com.my/wp-content/uploads/Document/aaMvzztMSMSzJcPewhyDdpTcQbAD/
http://siragehad.com/wp-admin/lm/19zrzebriefqhegi_482ss92-87064803611642/
http://skylineindia.in/wp-admin/Scan/VAscYQjBlBTEsDRpM/
http://sleekinnovations.com.ng/wp-admin/DOK/m5kydrv1nj1288p7y4e35oox3j_x203fr-98860666476178/
http://smaki-natury.eu/wp-includes/n8ir7na-yshm171-vzozudw/
http://smart-dentist.pp.ua/wp-admin/INC/i2crllps52mifvmdtiwthhlwhucuz_jza9slq3n-60901708884028/
http://s-maruay.com/administrator/FILE/aTKnyvvbxQhUZIE/
http://smooth-moves.com/ykoc/parts_service/r8gs26y5btcy1jxjgfaz4j9_c8tk06-38744374962491/
http://soladeouro.pt/wp-admin/sites/GGJwUfMENUwSroMLKKyFeeJHDaMJer/
http://soulbonanza.com/lounge/DOK/i5ruldd6w7op8wn8cj1dyz63udh1_a8syl-969837728830/
http://staffline.com.co/cgi-bin/DOC/oj0lcem89wh0xbb11kvk_29w4e6xt-784623781995/
http://stage.bakeli.tech/cgi-bin/cr8sn021qkbl2krv_a8zbzq4jpi-7592281876/
http://stationpowered.com/wp-admin/paclm/tubtrysd/
http://stijnbiemans.nl/wp-content/pw6fms-s6lbuj3-aierldo/
http://targetrentalcar.ma/wp-admin/paclm/bWGnKCtnEPxyYVYP/
http://teksint.ru/includes/Pages/bsjzQNJVlReGtbwvpFM/
http://temizsudeposu.com/wp-admin/pllcWdhqzKxelzKz/
http://thanhlongland.vn/wp-admin/aFPuEMMIHXcLTKWGgzHdq/
http://tokoagung.web.id/mikhmon/parts_service/VOiGbJVVelmFDeXTv/
http://tosetaban.com/en/3uivg-6kowc-kchpjb/
http://tuyenvolk.000webhostapp.com/wp-admin/paclm/w5x74v9u5q6p1wj_xo30hwvbr-9914872349/
http://uniformes.com.tn/js/parts_service/PRsuIafsWAkdxoVXJVmSjmf/
http://unioncomm.co.kr/wp-includes/IXR/INC/SzbKyZNfCGqyCBxTlmKxv/
http://veoreport.com/cgi-bin/XjKasTavHOhSuowm/
http://veresk-studio.ru/wp-admin/p1ptsd5l06catpoq4_jdd5y3sp39-95860538271/
http://wciagniki.eu/wp-admin/DOC/FlHkZDrRtGWKxFYgqBHfiNbeCpBMEP/
http://wciagniki.eu/wp-admin/DOC/FlHkZDrRtGWKxFYgqBHfiNbeCpBMEP/%20/
http://wedewer.com/wedding/i0hlzp-zxfbg-rhaxtm/
http://weseleopole.pl/wp-content/esp/MhYFThDgwjpSCpqovlBDVJdVjOzow/
http://winnersystems.pe/wp-content/Plik/ewlho76c6_rpvf7r668-6979499490/
http://wisam.xyz/wp/parts_service/2fphhsvocoyrnbvi5njyuual5_0o59ex-0066139507/
http://woxear.com/wp-admin/n5ovoylp7ezibjd9bg0dp_31vhle6j1e-1556384229959/
http://wp.devsite.com.pe/Search-Replace-DB-master/paclm/kLTkcmEtLuWCz/
http://www.mahala.es/live/c453k5-fn42h-iklsbb/
http://www.nextleveltravel.es/language/INC/daTpvRgY/
http://www.travlsocial.com/gyiodv/Document/JgNOOIjYDCQIxgoUAewiQdbxaTOG/
http://wz6.com.cn/wp-admin/LLC/NlYeMdMPe/
http://xenang24h.net/wp-content/qsyn-wivtse-eywijza/
http://xn--c1akg2c.xn--p1ai/wiki/images/parts_service/sk3oe3zcspzdec_1u0sqevw-31877200/
http://yzanmh.top/wp-admin/Scan/DXNPUbuCttexXHxPvlxGzloDKtaInN/
http://zalog78.ru/wp-includes/parts_service/ulbgyx64j94a1o3n_vvsjjeegli-584173111/
http://zestevents.co/wp-includes/7gyqq1-gxxjn89-klybthd/
http://zhozh.ru/wp-includes/lm/kcTMaXPJURcfuo/
https://aseanarmy.mil.id/adminos/lm/AHFYbndZNarqnjoX/
https://buenoschollos.es/wp-admin/Pages/2cudm68w7lue6xxd32woevdmpa_1mmc3j9o-3719672984/
https://carpartsviet22.site/autoleek/paclm/zvbaHUvVb/
https://dp5a.surabaya.go.id/wp-content/i0vccrz-b69c8p4-wbch/
https://epi-basel.ch/b/Document/hfvfXJUXKywglfdWggiWtrISdIDfQ/
https://hsp-shuto.jp/menu/INC/7s7vagi5dl7o0yn44xh4mnlqn_4lxrc1v-96663874/
https://huskennemerland.nl/wp-content/Dane/GdkPYoUjjerintLfNC/
https://icurse.nl/jeffrey/wtfvv-robj69a-sauettl/
https://informatika3b.com/marcador/EuvgsJKTUOMOCzkSzMPQ/
https://kerosky.com/wp-content/DOC/dktSNTtfSpqXrZblmTRXtE/
https://lodicak.sk/wp-includes/LLC/brkiwgsxg/
https://mrts.ga/gallery/img/uploads/BmSCADCNVDuCFiJ/
https://onextrasomma.com/wp-content/parts_service/oglr7g1ozcgl7iem9rugqohcuhrt8_itksg7f4w-7376898186/
https://phukiensinhnhattuyetnhi.vn/wp-admin/Dok/dAsiYLWHSXSjuKMqwUmSZ/
https://potolkiakcia.by/wp-includes/Pages/chMDiBTNd/
https://roubaix-coworking.fr/wp-content/wj7hitf-vba84p-iyluwe/
https://schroeffunderingholland.nl/wp-content/Scan/BUjiOhqDVnmiI/
https://sportboutiqueheleen.nl/wp-admin/sites/ifeqze447_cad5c0-88908196117026/
https://stationpowered.com/wp-admin/paclm/tubtrysd/
https://tajrobtk.com/wellsfargotextcenter/HRBcyHIxb/
https://www.bat.archi/wp-admin/lm/bw0n1svwvd8shr5yf1uy546xj6s0e_za6ahbfsa-93869808191/
https://www.cavalluindistella.com/wp-admin/INC/02ssocd4j70na2_vwo85-981220018653481/
https://www.kaum.com/wp-content/plugins/sites/l006jmwzvwk6cr2ie6_8f1de-04921188537/
https://www.travlsocial.com/gyiodv/Document/JgNOOIjYDCQIxgoUAewiQdbxaTOG/
```
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2019-05-15 19:56:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
2111f3703bb08e49ac15cac50018d916092243375ff295f2a465b095bc8ad388
http://pawarsoftwares.com/shree/o7u4s7u3775/
http://tarakangroupsro.com/wp-includes/s350496/
http://stampa3dplus.com/wp/mf9pbly5824/
https://mondainamsterdam.com/xkcm/9o1i83/
http://jiyasweetsandrestaurant.com/wp-content/jsa08124/
Creation Time 2019-05-15 14:20:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
a3156fbf1ceedd1083118ff6deecf4b704e42e3a076cfca1cf14fad64d3da67c
f6087311ff333cfcc436f204318c5fa5a1cdde58f460a5c8c034d4373fb5c57f
5219ef99f614acc503dc7c4049238f1fbd06832d95e27be8358a86e9f1a5b31f
313e7e5ab7e05ec7d2b2d8434325edfc3f2d48c676178fe16827fec2f9e8a193
69f97037831e1d0666adf2fefb028a65d557e9ffe1ba0e421d04ce90d74be5e2
4ce396cf7261b508ec089ae8a900f8be3a9d9e34489866ad90881c1111eaee04
5955a0454e97b2bb233ceb312f11f2ceda984f1df88917eed5cbe0d252e10b09
http://rojmall.com/wp-includes/rpu7qe375/
http://aleatemadeg.com/wp-includes/hrpps344485/
http://60708090.xyz/wp-admin/jziinti061/
http://feti-navi.net/wp-admin/a8a625687/
http://tavay.net/wp-admin/nfjyi8m1/
Creation Time 2019-05-15 06:58:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
328442d28eb42113eeb05cb90a710207bf12a56be45e9307d14eecf16e16eb72
8dfe30a3242a582c8ae717454febdc5831f45c8b54679ed2f54c5f925b68c0bf
69659aab4abe650e8ef70e9902ebb45e5b8ddf9c1990f66af717c6094436cc5f
8b03d9329a029e7797d43eea6c3fb69f1245674322818fbb17e1b0180a63b707
ee5d1c80f535338a9bbb6c958d70f114d436cefa5e481f52b1ac5b160b53b81b
61185f54e0c230140cb9396fc379ab8fc3d0bdff4ce983b26c5126be95d70d1b
cafa1b1f3922975c0ecdabffb2e0540d0509fccd8067d9f7f8a635f5bd8a5314
4a15c55e95d500bffa89a127cb065325d75ae84a08f3780a49a7bf975235aa57
5c19a97afe840b05235d6d3a3dcc142a3c5c5baf1949f9e78a6a7a658a26cb21
a0aedc90de8688c7e1e51fc82ad700aca8e0c620dd69b2c68b7b235d1587e34f
292e79db7dd867a1a7d33de7e19e91e1ba203e09f7409fdaed1962017cecf7c7
10637e759d7d2314bb65eb9e64c57b756b9400cc8d291f317f5c5267feb0aaa4
8dfae420b8822be3d2bd1fcf42a3a1797a79c9fff8568eb7540bdd7b02758f51
2ff43b151ff2baca5cdd1af702ea2dc2802d06be66172e32c3b9eb7fb3685ca8
d9e961726d5477178f886755b1ad568dd60435f80c6be8804f7fe0cabdebdea3
6522cca08dd748d4de5f533e81373e37f3a5e890ec2af3714033f745695b5699
6c0a1a2aef667257cb7d6e70e96d77ae73ad4ef69bef34ac6b72a9ec4526cfa0
f20eaad09405cda54df004d4c0f0bf0a4c519320526e7dafb4d013cf4a96c6bb
8dfae420b8822be3d2bd1fcf42a3a1797a79c9fff8568eb7540bdd7b02758f51
11839cc29827cdabe0150922e1f8ac693cf4b1f88eae795283ebe375796f6577
47574a85d9275c941a6de8879c84c062d38c56d0e174d101672693998ed1cbd2
d9e961726d5477178f886755b1ad568dd60435f80c6be8804f7fe0cabdebdea3
http://elememory.com/wp-admin/9y80024/
http://aktpl.com/wp-includes/zv1x90/
http://risingindianews.com/wp-includes/l2/
http://fifidossaltosaltos.com/yfpo/ufjeix07/
http://weartexhibitions.com/eqplsj/b1v3z10/
Creation Time 2019-05-14 16:58:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
ad3bd25e5369a634ca73916b76e1a5e4d83ce7eb41025dc7e0d8bc3c25bdb46d
6645a5f0656f769fddc8fd7ff748c698b17aa17a7671f6e79f429463c01a3581
4919226d79001ff770e78b9d654577e4baa97719da2d32cd4d12c8babda318ad
http://12bdb.com/wp-admin/qm6xxb651/
http://flystuff.com/wp-content/uploads/ual30/
http://icaninfotech.com/wp-admin/20/
http://spacermedia.com/wp-includes/l4ic57758/
http://rmhwclinic.com/wp-content/sy3/
```
#### SHA256s for Epoch 1 Payload EXEs seen on 05/15/19 ####
```
64c2327fb3dafb942c37240874cb201c5614e9b68d19503963cc4c664d8f18c0
17120e2006e4ac0f68eafedb960617b2d0ce56b163d4715d4c194c0b9e6584d3
fb40eb674e785d753e45d9cde9e70a9316bd04b84b171efd80758839be200a10
371220c9489525eb65b39042f8d4d1ec1a61c06fa9403df2eae83e99f7e45682
26d9569baab5a093d2dd665e100ef0ece0fcb78769235e6e9955eb5b9cd4ba8d
1cdae96fed935196efe5395aca8a23e18ad3c1061261991bba980ee20480f96e
b0f8cc8cd7a02ec7f26ce6bcf6c4696bd7bdce74c653a5f05620d52b36beb0e4
58a34f248fce1d5b939e381acdad7387cbd0203dc50a25da037137f88c48d2a4
7580e3a3c802cbe0b228215799d6cc4c2836d0317821040babb83ff5a921c226
1d527da78114511c91670d2c8ed8638519d2db9a9446df095d3b86991e1ea349
57caee9184341c206a508b37b2768ae8b277c22592d050ec679432262fac19db
13190d0f9b60449c530897199dc1ded64bd823c7d158736229a90fa874609971
8fa7bf34e78b67ba8d97ef0cba317c5347159ce493433a1460205e4312b75941
0d0240039be3abeadefa5dee9bcc36370c3a421309725506604d1ad94f79c395
dc9dbd730fd6acff7bfcbf9047477e24a28c9a0462f594823ef6bb873c5bd138
e7ef217c0b15d2389117dd898d7b39c07109407e02cc410ceb2a24c6d17f92c2
9cea5ad4e113fc547aa3dd0a493e7f5eec757767ad44885a77b233df456c6ee2
266d1b7edf2f97826491f5090d7a4d768c455c748dfba7fdf452bb3c57fb93bb
6abd86a4e480342515a85acfe206cd39435d1b284549152a44b703e986f5868d
e0e8c117215367206b3dcb03ec520f2ec85e1b8883371c24cb3a841b119101aa
6309424bfb92b0438cb472be7fcb937e951f5a72364ca934293272066fed2ffb
b49783c68734dbea136cda05eff6f285a2fdd3b227a200e9f4e9e1623b5c4358
87003f66d102cd1e47cf59a5e7c4f03113939225751082d0e413ea378c8c6af1
f1404f118b2a3ce1120a59c0e7c02f4917350c22c6d85ebb4f44c0b04cda5ed1
01d9ea70429adc72e09f0aeff996fc30ff5c761b0dd846b76c4541a392b78dba
d7f48cc941cf9a4e3540d50e7d761f681bbce5a3acb163f054f51d6ba0b04b55
c59169cfd0099280ab6abfebb9cb6dd6d1bdb3f157317b5af628d8fb089b97cc
6dc3a811d504fc16f43ebae9c6c35983772cbfdba48bb44036bfeb9aec1237e1
53038bc3205b9747b291bc11b24a2dcb536551c897c8bdbd53559907e7ac998b
1ada223a49ba749cabde7a4f4a5245047077159adfabb4fb4109db8612e0812d
9ea4a2c13003aff75c32fb381d9c292877df178e343088b807b2cfe9fd376df5
a4b1891b9fd51621e0b47c2dec716ad03d7da9880177ecb67927738188a60a50
b41f0b68b316ab049ce081b2a25810d07c29994e835b7564aac908809667656d
b41af3e559c7e5f83d78ec176f080cc1aa0ae4759ef9e511d48eead6d73c45f6
a75f79a01ba0d647d47d2328eda950f6a7f28fd03922e323ae22c28a77100ba3
ab17175b152dcc4e3e2099e96486847f196d101249d4515c0556280401230c49
51526650655967bb421a1b43ab5aa7c2e86dcceb9438ad71e4e0b578a2bed7bf
45763ae36929f02957af3d864acc86cd65aaf08dbb66d76e3e3ff6ad35055a26
e57849f7a16c48f509286ac3ae5ad21bad2572a685b5323d4aa8eb8201081b45
71c2384bd841114727a5362c789b6b65fa8aa69b141ad0da77d92ca9352a58ae
7e8e707b52940d081f1ae1b4a12f5216e55a8381d4f42da99f8e82f0aa51d897
2923f38e771bc61a7f64886179ab2d0e363992cd6b15ba3fdf6091d3146e6274
31e1ae0b3193d06d8a0926f1ea67599576a188b3800e8f74618b0faca990a284
e525501dcfd819e6833febe0fcf920ec1c6d9c25cc18700e783e383fd21a8173
7b3509f6d4c45b1081bcc031e07c4d310268a31992c1ff3f80a9f306f4849885
dfde9f01184bdd3870172c825fd88d86f749e02bac86e9128d6464a97c85d75f
d627ac1dcd6079cb3262887c42615b42bc00100dedf546613d6b7a9da29e2aa7
727f2a638535f67ae3a7cead0cc6ca9e3818826bd75fb2b41055764d0a75f7b1
0a711882e0f86c37488faed5425dbbadb6b743909fe35d4017ba1e72b5f118e8
8cb60c924d643ed0beea9edb3ae373e3199ac2c7ef038b26d7fa41538f2587ac
10b11b9af10275d12df2a014a266390282bbbad87181791beb692a10c0c83e71
589cfd7d6a2411579736ad02da604358a717e54f6ba799cfe32c214b5703a5dc
287188451288b0d259ec912ac1fbb062eca739d074d2dfd41f37a79a206f90b0
e3e0bb1e6589f0393f2ac477e0c019b3698dc8352f2cecb70b8e72b9f653b089
a1d1c5ef96db18e3cfe1b8f78a70cb09ea7604b946c05325d92335991aaf75b4
696fa5ba8eb0298fb9452fab5ffb0fbf2ac9cec7cc0ba6adcf754f8ddcf9de20
e257bb5a3ce487b971968c07954725cd29cba4b20d7e9fac5c79dd8a6f497c31
c54188ac80c9b4550200368adbc40b3e9a5bfdfaf001a879d042c2ef5a4cd18d
bf011bf787aef5314cdc7fa9d75b7adf520edf1bffdceddb0f6c0d422b367882
a822af1bb648c64bbaea50e827c4439023017db1b3f47a127ff2b2e846f3c5b3
7b5ce1ab6bc29050aece18e55fc4fbeeec7a652fe18554e95b6ddee72c11d854
e7c71fd2954c4df629edbb68a9ac035f4d81d232c678042bd3bb971308b7cd85
aa05d217ae03d6b384751da1133b6b181e2ce148101b913c45dd0c672e94e453
19200e21c501b65c705217bf6930117c22d4c747f3ff2f7bb13f6dcca8547d42
f189c92133ed3c4bace033bbb85bc1e3b24946d6b145785dd9f263a57df39454
0bf2b8f3f0fc5daccd38591e1afd6be0651d7ab04a2875cb7bee8cd2804809b0
bbe7ac3ddf6ca2e2a002ddfd76741025d283d4b64953467c7018b489003ec2e5
6ffe96f3abec30fb4a73271ed0aa96d9c994cce3ca8529ab7543eeec1102d2e1
f95b4b9b27c47dbae3b48dff7e2766a5845be83eabeaf03b4017de3f5b9562c7
aebdbc96bfff0899e4501945da7b29029705ef68d3248ffe4fccea30c238b2c2
18a10e97e13749be4bf91b285da6b192b137f560ed9201ab8e0c7dd14c0f546d
8cc08f998d9f45da55ac9459a5471a6f6190a35088087b774a804e0444e5fd9c
88a4dc2c391af97856d731538cdc19d52b48b6a493b9147e0ed571f567d88d71
6f2b419364c3039f1172c610438f967bddc043a59598748e1af5279cc24dee86
3d6943816af9da61b65c12a6e4d8ce6bea41056778cdc8ad3bc3986e62143260
8c662ba3ba447018153843e599da26c82a9fe9456325598b0cbbe647e404f67c
992a78db189848326417e8b493baa7cff9914e7208f98b2025233c70aa848c51
a5a624a9bfd0a5017e6373de52c75662c9030ff704db7ef120a7bf46a54ab4a0
da749c0cf803d879ff440de2a47e00b879feccc1311e2ebba4c92f82d6c27ab8
9b60a3309884a11f07956c476303858116654dd2c96b10c849473a5708e74995
bef675d50685f173fb0ba215ff275ce563fdb0e2c03935bfbb7641eca5f2640e
1d12e81be801e708a739843e4bc86e19dcad056c1daaa2ec5e440ff04e18678f
246174fb6ebbcb09679e7ef89431a5fa39b1d38f7fec9677ba46709131485a80
404baa60fdb6e5b296a80d14bba941876b68ccea3c68432dbae67c0156bf0d8a
05b3ea03295f365020c0e855336b090a58e0474e0a6cdc3f7c427b93631f8945
41666821f448ab565de554326dfb66f1d0a6affbc29352e21be56dbc4a322d19
```
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2019-05-15 19:18:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
876ef1c3b8aa4aa4e88e33f1b71e2507969d126edc5a111553480ebb3fe12459
b8304bea7cd5270509a5196224eceffcdd199ef4e303c65d5af104cea4239a35
acec5b482ad5a4de84e5e7f3146c7e04131d0a04b6874d552f33a97812fc9e38
3ba1cad4f797c189510cbffa728b2b1b85ad1400d5ecbee223e262f03acf0443
e47f8c73b71b01c3afa583d966d945f3b464a362aeb50175f69b01d2210083ee
c3bd3e3df0bb391b3a5808ca3c517abc5d4731441df38b7e30b69ce7bb3dff6f
400a5d6d21230c8fe91fed9cb2fa2ddae199cfa892462281452b106bd219a782
9b7e99499d0dcd4959e69800de74b8356b9ce5da4fc2e5897c3edfcead8bd8d3
706373653bea1bfd1d577a640e2942a16d064636f6a9aec85b58da3b0cb7ce2b
d3d69226a3f6759d15a4b94a3ad99da3e20a28113194cff91dfe345c1696a7a9
75f8716c14b028fee42ba751d4aae0ececdead291572bc36b8f9afeb1e71fb0b
7ad693a3fd9da1b97c0e7f85fb37bf15f511168d2aa397ffcd4d0f3aeacc84db
942c724bdf60dba3fad9f8695be9b19d96df15a8314d35fd82055b62610f62cd
5b4be5216d7eb192ca92a660ecb8fb86adae5da2727485141e9e9f02d6a24544
3299e6f7204ea1a44782d496c99329b76218b70233892426c02f872221548784
1d174cf281f20a5f318e24b5df536ff2d04d6ea854a81d8d45a519cf3ca60ac2
9762ba52106a0148507908106036e0685026493dc390413549e1d4621b193c04
4821d11f5f6c1d360fb783467ccf365e9e9d412b9d63e262004e592bf8083d03
4d9b585b5bb977301647ee51bffa8dc42b2f2ef1568a1693cada306de09d134d
724c3189c486f06b9090c094256d1ff91fd4e235ccc39a0bd96dfd1b9e2e91e7
http://tomasoleksak.com/wp-includes/zm2ga7ha2l_5q8wl-2798/
http://mmassyifa.com/wp-content/d3ntkm81gs_5129qfvt2i-244324062/
https://aaliotti.esp-monsite.org/wp-content/6orh12qu_7dsv031ip-0075691/
http://adsprout.co/wp/oMrTbPUxE/
http://springhelp.co.za/wp/jMSZNshHRf/
Creation Time 2019-05-15 14:15:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
bc97596fe24b9ea6dbdf3b79905e7605a182c0dbe9425be238d91a8ccd3416aa
d29f6030fc82c182401170d9f7c16805011d26e3b2e6517be9329aac5f76eab8
dca1f72df40ae287350b5f56dee80a00c578ae6947e1cdc2b30e8a8729c570b3
5d96199193fd88fe85736d9fbcbf089927a15256528555e4e83b198a730c1824
0924abfc228a5127ff1dd3298b6eb682405d434c552c3fe479280e5acbec25f8
3a26799b284110e4dbb03656850eb1dd8ccbf78f1c4ef641d980668649994c3e
92628f8542e2c4f401c94d5fdb03d4ccade61a51becae5b7f9443d5dfc57f48f
bd82d8791edc039ad7fe29fed742630ec59e1253cc58e9c9a4650f21f55095a6
682353178ae0d75d866f1fb4f0f888f86fd1f6b30c2100562af83def2616c2e6
fdf0e5c1d38c12d7877c65b2bb16aaedf41cd907636554ef9eb7d372bd647fa4
4492ed4c96bc6045ccf82f5d529b9d9dd0cfb99508cab52a43dbab4b035beec2
0fcf7cf2c7214cce93fe5ac19b40adf15fbaf85d7a3ba0448346419024d04556
e61ecdeb7d0d5e709511bf3a05f93ec484b55209dab718cf51d22579be2d711a
e17fe81a4b7570eb64abd9164e3656ce6e707f976a81679e19cac3b3e51b61bb
7873556779ae9d41b3826ee5a1bf4c89388e9dadfb3286ce43e5ec52ead674d6
7982f9b9f14867cad8e4484a6913b351f8bef1f424d7054841dc92e0369c9ee9
3e7c9a76109feaa7e7d079401d59530c4685c532a45521c8665462efca4a7e71
04d4be108e974493c8202e5d8ee64d0108c07bf3518a0e3275045d88f6859936
cd223f60662186903ce90dec6904622b66d75b694f6ce21330b1e475de1d973e
ede61ea068666c707af52a910a2867ac9056b307e44e67c879525ac6d9e16e3e
ff21a92675a320b32d9880963ff053baa155739a9ab3dd0c75914cc32c2f8fdd
f90ceeea4c6b2a250b65dc3d9a32450dfd933dce742dbdc7accd95f0ab0c309a
1e9eee2a36d0fb0264fe6f45e68574395cb5f43a494371c347d6b5eb1f0a9768
fa4653f09cbefa0862e457cdc243982df3fae03f9722bf596ff74658394ea67f
c36b1f3a264e5471d01200b112b4261ef77cbb7138e147d3ab91e78d962fc48e
ac6fa29a2bbaf4c70d7420fbfd5f0f0c206af78cafa180de6064086da3e0f27d
530d831a6bd6131d50a016d892294855ec878184c15b459367d331af006ffb4e
a5880e0b0795ff59ff9c1dae8192c22ccb1fae7316a867a0dd9ccf54bd93ccda
0e8f14f5ab762828fa27495bfe232f34727b30c00fc3a413d14adc85f5028490
4171885b42a0b28e5e5a3d2e74e910f279eb7f6391b21c1db494505cb17b200f
5f4334cd07236b87b412dd33aa8abfbb144aadb18b1b0b7fc73356b91b575441
6863324974137d1b6ad13c241ea234ca83e218e62011cf187b085831459b4e9d
53cb16e937c5e92af6b4581190fcb628662b76ba6a5b4ede2d5cf3be210044bd
3a1cb2260605a1e551c62cd3e0e374e321b29d3990939b36c871c1dcc77edf84
8df835a0bf2251c91d7c607742cd028f8a97a2dd9adb2c95643d6cff5b302e5f
d4777218f3750320270743da37a31cf730e086528c09a9952198a8f7bb10b26a
9a402e62f564f1507f057181f9e6a2381798591cefb97978fa82122fbb072ab1
827608c8a4854bfc571b21271fb2b6311a05daa95f60b0cc69de8dcca02d1d64
bad82e85dc57ee2da146b15b51eee53cb542f7b835c59a8d3a75dd133e31e7a6
d93f100a7450d1221718b34f4579afad93550525b4dba71d211822f4399e8fa9
c8e902a29b0f2bf62dce9d3e68e38abddae4bcb84f533e7edf03b02111c43e51
3b4cb1b6586403b5129ff15e9af7e18de91b60d5e0aaf20cc7ed3120ab10c3a7
b593b09f27224656a01d5aabf8cfa0ac8dc8dfc13fe8e307cc9bcc9c44fe9f7f
be8ba4d9082afa61749b0e8492243a0bd67052fadccb26d0f8bbb373e698e970
ce9866e2f62102481bed0ec69ea30044ad9db02002ffc85a5e2c6c0d0a46035f
89d27d3e106583ef2e07d184e62702f5653f94454be7bef136968ab9b0f1570e
b5257875d4e82a9cdd0ee182e4dc194174f7e0564854083657b84ef818d892f5
86c58ddbedfa222998b78d8fcf57e1b1d273a2c21f5bffe1033451c2dce7679f
773755f3164a339938ccb87bd223515247a372db0b400677b7a0a11709b4e070
4249181338e4936a2908a63a08117386ce7134b7873d1dacffbc1690cf8dc7d7
http://shophanquoc.net/wp-content/73it74nh83_js5m6-716/
http://sanvieclamngoainuoc.com/wp-content/QrzwTpywLM/
https://inhuiscreative.com/wp-content/qdbb0_jgb5c-981069283/
http://gmrs-roanoke.com/wp-content/bKrtHYcBh/
http://blog.canmertdogan.com/wp-includes/zpuFONhf/
Creation Time 2019-05-15 07:34:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
049a78fdd15678f268dde513c39b7b8ad7bd4a76db05fc2fb30d63dbd88e7f3f
90e4c4d3e28cbb8079e45b77198bedfb25fa9dc5383277f2cbaf8bd0c7c7ce54
a8cf43b1a7e95e6b6be6ce0bf0dd20a3831f3f292531b5312c9e40398d218343
b56d126b99435483539fb9ea1db0d269d8b26900bd081bfd8558a4a89d1728a0
16aa0ba31a676c768374a4811756c18a79a99912f3c89123f81dd21c842a9626
03fddbbfa438e6fbc1e1220cbdc31a3ae18dcd2c77273a5a1624e4f03b62de8f
7a4881229ca767839e8b9995cbfcf443be9a032905dd8995ec5d6acb6ce050c4
0f7434ae82615ba5001794b3ccb0022f52f81301376fcffcf3efe0dbedd8c3d8
32ecf836ef107f60c8d76df92bc7bd42535e4ef9e29694f4655f1cb170bc667d
aee14a20193ecb808fa3efdbeae5d59c6743fcd2998bff3c5227be448826bc1e
2b7840500d88aec77c60b247cbaebda3b372b2a80584cccbcf33e4079ac5282f
9cbf289774b328e8b65cad33374da81d3a8ac28281ba4b99edb25d98fb04aa2b
8ef8b790ded99130ae70abd8a3775835bb1a279799745994d01c9c9e1bce07d3
e0b99a6df592160a770d28e1e763c47a63fbdb357ba4bfef9810a28ec4a4efcb
781057e4fc05d8206913611da110145548311a440f0922c5a238dcf4839f963b
e3c0cd46f3b8a3d0eb6c333dcdcfe13c0f3c883c67905f40256be1368473f0cc
b7f2802de808bbcb4d8f07514c4becc02c85a6df5099228089963ac96771fbb2
61ca42e19f2254dfd288f912afc1d7c7a20dcc2790687821acde622470f35308
dc48137ae9dfa5d668ed911b8703f9725ed94ea241c40bc9bf3d159c094eafe7
f2c356a5be1efb7ecd91c0cdf1d9526c539c7477f448eec89342ff38dac8d918
5964373413861ea4771be9df789ec174d7931e41721993a21289b4549c566186
13a46bce1ad2b5433a3915060639a5073ae68779da1b599658271d8e9f2932ea
6273492f7425010ac115b511226334f85378b15d21cf49e27e8ab35503a55adf
0e97304127079f3e4c6cc267f2f49eaf6e5a66736f8fd0e8ad73d6e4641243b7
bdb00c63e7a50f94e9d416c9cf16ad4b4c1cbaca53558c2f26679450ede68559
d0b346ed8262e30fb81abdb4fdb9873712fc265305dde4f2c2f4dec391341fbe
77c11c6c0263591de5f59f4d4f883da6363a7d294a2b9bda16d00f42009210e7
4f67ce8f4acfe18129b453caca39145cb95ec6ed11a9694fed841857f28a9c3e
769cc3e61d5656e37f834b89fec79ba90093a635e9fec85ae8d33164ba3d9149
574f6094f3e77af7915fc6c58b46b969a7f378c4fd2a197721f77013bbcd4f38
4d45957815c0e45c62f076946b505b1b4388d531436dc94238bf407a5e01f1fd
3adbfbd11a5299f0f18788996d5d89720bf672ebbc1008fea02ef732f50017c0
e2c0d7da5e9f1c5f10816d04997eb2b84cb2992566d062568876c96e24636c2c
9b12451e5be682342adee2b45ade1255ca9d748a7f6e9b73b3b29b308d156098
5193eb38e48695aa084621411de74c0c61759e7dcc253ba2be0947a80c0b322e
ba10319f5b905bc7b26bbf05ff764674e55ab6122773c20d797f38aeab63e977
bf6ef8b65aa5222ab16969656bee2b7e5c9712cbfea83b6fa8d94b442a363ba8
1041bf0b05d7ab777252793a46fc9626d90002b87379aed40a1e735df59b4ce7
0dcd677e685098f3c450d99d81b96f6fc592e294fd75961f62364c318276d8aa
ccbf4c1d8d50c097b3d50b2211242670f8dfafa0f62411cc9fbf671ccbe5b5a5
http://drmarins.com/engl/pCAdOLWLJ/
http://hybridbusinesssolutions.com.au/cgi-bin/t6ye0j_wyhf4yw-2/
http://durakbufecengelkoy.com/wp-includes/GrIBQTnoO/
http://performancevitality.net/partner/rq2totv_bryhdqjc2-17320/
http://tnrkentonode.com/wp-admin/vxaljneq_f9vcwvsz03-015845519/
Creation Time 2019-05-14 22:43:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
- SHA256:
- edd7683434bf4b5dcf6e62052c0d260f9ce2824bcd2e7fc527680dc96cf84fa0
- http://angelyosh.com/andreaputriana.online/QSSVHkBY/
- http://4im.us/wp-includes/cMHGNWRN/
- http://alankippax.info/wp-content/MvAXogsxrQ/
- http://solutionpub.dz/wp-admin/MajOQGpI/
- http://parttimepazarlama.com/sitemaps212/hrUpeljH/
- Creation Time 2019-05-14 16:10:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
- SHA256:
- 41743d480c3a97d8475eaa4958e46a6e9df7a3f25a034194b5ba57e43e664ed2
- 6719d9db1a6b6ac88a386c24cba086025aebc504773433dca6fb569cd88bf929
- b0227e5477f2c043eef7f404c69eb02ffdfc15f99e973f12de0b86addf03d898
- 76cf785870fdb543f0e2b1e7fc610c97886a570cfde9f66b7dbe24e909e0344c
- 1583078312fe29c688d44c6c15a4ff2f303f6cfdc32e910629132515ae885a60
- b2c7523bbcf91ea107010fa04635d5dadefae7a6302d31fe48fa978909682257
- http://riversoftbd.com/wp-content/vFikaQjYg/
- http://dayiogluun.com/wp-admin/DhMoxPrwC/
- http://therattgang.com/wp-content/yos4u6h_pt8wdb-3/
- http://beyazgarage.com/cgi-bin/NuygiMFoRC/
- http://ksafety.it/awstats-icon/bhrdd5_52hq89-34/
- ```
- #### SHA256s for Epoch 2 Payload EXEs seen on 05/15/19 ####
- ```
- 4fd7e69b107fe0c6493339f845a3c6482f6ab370f35952a13bff026b6c9a7cf2
- 7d4dc03394db567dbb6a1294740c46af5684c8190ae27ae1a25d517d912cea69
- 5ee2b9406e31f3006b3327b19f1a62153d75ac9ee2fe97d27e9d1f64fb8589c3
- 1b176e194dcf0a586b4f9a6febc51dc2d24db6e93ee5bd44edd95581702c3274
- 5cd23bc71dfad1a730802b6ef10b6e4916410549f1daacb95af1c39796548cca
- 622414f8a0c309bf1aa3f47a3dd4ccdd1a0ccd6e656aae1101b95273ae1caf03
- 06a4e80c4b4c76b2b45085ae91dd9180554e2b8fb74671241c099a575af44e17
- 7d7f15be88432a9ad02cc7a96de1a1ab151b8475956c0273fa54dec83740bd4a
- 67c34af66619236307f635cf83afb4ed6680a578afb5a356ca19471174ab0d86
- bdc089224fa0992637594ac52ebee77f4c6c0d0f361a6ec868d74ca026a4c5ec
- 0edba0eb53c5aee4f55e0df924cdbc482c7c8edcf55667f8c914a0bf635820e7
- 3aa9537705eaa07e02f378c1ba6db7008dcffb28b21ff0b6f43a926a80c015e4
- e8c591db1758728370fa4b3cfd3d6089547ac597a3e6c01dca0cbe2c05b93180
- f17d51cd3a10beaf3e6334dc1dde4afd0be9b011dbaa531590b718b48d3fe36b
- 4d2ef6d38674d3125c423a6a0101a0470d35c69e85c4c37c268e08421e6b02f3
- 3b4cf098b9d31e1291c17ea18f70b16203d56b5b99cbce5c0a546cc3bc293af8
- 86fc83da4d0429091bda7724a0abd520461018fcce7a7063ecf4044eec37e75e
- 87c01a1010066527797657c15a3a34821ee67c2c5727465b7a66bcce6e48c8bb
- 70b814f6eabf53b272ed7dc19ae386949a1768c85824656f198ef0ca1dc73098
- e55f09940649d3f92c21332def35df46deba57b3e289a856749b67ed95d89925
- 864c5f6a98bcf7e51401728526a26e6dcb8f5060e3b81f346c99899990beaea4
- 716e36ee071fd837df288137ae1ada0212e439c3f7c3fda949c3437a47623270
- 99eb678c926a8e3c93b6327959bf06d26db9c85ba6fee7d56412e788ca0ac285
- 40ede55df9f672b234c372b585a5b390f7d7168974c3757a344942ba71045c9d
- 6fe85f051e7a67e8f9a204f30f151482072976517fe4bbb5c28695c3b5193477
- 01be569ddaa5d619923ef2061a59554258c70a9106fddef8dd2286c561ac6aad
- c820852f8c821c9c9bae1fa839d605fe91ed88c8de5a829642adb798af03de62
- c6afadd4271e65f11fdb29dc0ee1792d3852e040b05eaa129e97cf496572d394
- 7cdd7778792ac0ea1600b6da97c843ce283ae3b02bd292389a0b6645abd3c4c1
- 5829b40f161c0104d6c8d45ded1b7019127dd8ed1067bcc136766b4d0c6d11ad
- c89521beafb0512674aa2379c2b3d088d5e9fc1974993b3de36b1a5acdd9d7df
- 18a2a257224bbf025e37369d6004dde1572d8ae29dac72f640c182a293fb4cfc
- b5f6146a99ccf88df5b48ffbf9e06e457b22cb111e1b7de9b1b63b8b20d85efb
- 178eed97038cc594652aa784b49f778e01cf5f6533fd6d336afc9adf7a23826b
- da6f1954d469d2f2273f6385fbe947e4e9c66d9edeb4f12239521ca9acdf6b63
- 67420468a8973bc7699370e70eb71dda7c9616f7797c4a903facc9c86d9f9b26
- 39afc2c85f7e4824b7692a5008fc22af5f32bde9d933f2a6b8f207657f937ba9
- f0abf117bbb9ad4c7a29b1205fde1687f943f460df9dec719db6eb9dac35124d
- b6b1ab181da4a70bc414cde451b06dd9a16041f392b5d0a90e0315de32a36719
- 53a127fdc57f3c39b0feca98c5b64919c28980d450fd701f3c839776b411b128
- 12ba09d1fb95a170e4fdcb28f1dc36882d2cb47e4a6d8219899abdc2005db6d4
- 844e3b338abefbf6b7e29f5947373616248b3548dee938add767eebc57feaeba
- ```
- #### Epoch 1 C2s ####
- ```
- 103.201.150.209:80
- 103.213.212.42:443
- 105.224.171.102:80
- 109.104.79.48:8080
- 109.73.52.242:8080
- 111.67.12.221:8080
- 154.120.228.126:143
- 163.18.23.242:80
- 175.107.200.27:443
- 181.110.239.26:80
- 181.143.101.18:8080
- 181.15.177.100:443
- 181.15.243.22:80
- 181.16.127.226:443
- 181.199.151.19:80
- 181.29.101.13:80
- 181.30.126.66:80
- 181.39.134.122:80
- 185.129.93.140:80
- 185.86.148.222:8080
- 185.94.252.27:443
- 186.139.160.193:8080
- 187.178.9.19:20
- 187.188.166.192:80
- 187.242.204.142:80
- 189.143.52.49:443
- 189.196.140.187:80
- 190.113.233.4:7080
- 190.117.206.153:443
- 190.123.35.82:50000
- 190.13.211.174:21
- 190.147.116.32:21
- 190.180.52.146:20
- 190.85.206.228:80
- 191.97.116.232:443
- 192.155.90.90:7080
- 196.6.112.70:443
- 200.107.105.16:465
- 200.127.0.8:80
- 200.28.131.215:443
- 200.32.61.210:8080
- 200.45.57.96:143
- 200.57.102.71:8443
- 200.58.171.51:80
- 200.59.189.217:80
- 201.217.67.3:80
- 201.251.229.37:80
- 203.25.159.3:8080
- 205.186.154.130:80
- 213.172.88.13:80
- 216.98.148.136:4143
- 217.199.175.216:8080
- 217.92.171.167:53
- 218.161.88.253:8080
- 219.94.254.93:8080
- 23.254.203.51:8080
- 31.179.135.186:80
- 37.59.1.74:8080
- 43.229.62.186:8080
- 45.73.124.235:8080
- 51.255.50.164:8080
- 62.75.143.100:7080
- 64.87.26.16:443
- 66.209.69.165:443
- 69.163.33.82:8080
- 72.47.248.48:8080
- 79.143.182.254:8080
- 81.183.213.36:80
- 81.3.6.78:7080
- 82.226.163.9:80
- 85.132.96.242:80
- 89.134.144.41:8080
- 91.205.215.57:7080
- 91.83.93.124:7080
- ```
- #### Epoch 1 - Spam/Stealer C2s ####
- ```
- 61.92.159.208:8080
- 104.236.185.25:8080
- 50.116.63.9:7080
- ```
- #### Current Epoch 1 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+
- 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ
- Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
- ```
- #### Epoch 2 C2s ####
- ```
- 103.255.150.84:80
- 103.53.44.20:80
- 133.242.156.30:7080
- 134.196.53.52:7080
- 136.243.177.26:8080
- 138.201.140.110:8080
- 138.68.13.161:8080
- 147.135.210.39:8080
- 149.167.86.174:990
- 149.255.56.242:8080
- 162.243.125.212:8080
- 167.114.210.191:8080
- 169.239.182.217:8080
- 173.255.196.209:8080
- 174.93.130.148:8443
- 175.100.138.82:22
- 177.230.108.144:22
- 177.242.202.30:8080
- 177.242.214.30:80
- 177.246.193.139:20
- 178.152.78.149:20
- 178.62.37.188:443
- 178.79.161.166:443
- 182.176.132.213:8090
- 182.188.47.206:990
- 183.82.100.135:80
- 183.82.110.170:53
- 186.113.19.171:80
- 186.4.167.166:80
- 186.4.234.27:443
- 187.189.195.208:8443
- 189.209.217.49:80
- 190.112.228.47:443
- 190.145.67.134:8090
- 190.25.255.98:443
- 190.25.255.98:80
- 190.72.136.214:465
- 191.92.69.115:80
- 2.50.4.159:443
- 200.21.90.6:80
- 200.85.46.122:80
- 201.199.89.223:8443
- 201.220.152.101:80
- 201.238.152.20:465
- 207.44.45.27:22
- 211.248.17.209:443
- 211.63.71.72:8080
- 213.14.166.152:990
- 216.98.148.156:8080
- 217.13.106.160:7080
- 222.214.218.136:4143
- 24.139.205.186:8080
- 41.184.246.205:53
- 41.220.119.246:80
- 45.123.3.54:443
- 45.33.49.124:443
- 46.100.165.6:53
- 46.105.131.87:80
- 50.31.0.160:8080
- 50.99.132.7:465
- 58.9.168.7:443
- 58.9.168.7:990
- 59.103.164.174:80
- 62.75.187.192:8080
- 64.13.225.150:8080
- 66.84.11.168:8080
- 69.45.19.145:8080
- 71.244.60.230:8080
- 75.177.169.225:80
- 77.56.253.112:80
- 78.186.5.109:443
- 78.188.7.213:8090
- 84.241.10.111:53
- 85.104.59.244:20
- 86.122.149.86:8080
- 87.106.139.101:8080
- 90.57.69.215:80
- 91.205.215.66:8080
- 92.154.101.154:50000
- 94.59.49.76:995
- 94.76.200.114:8080
- 95.128.43.213:8080
- 98.142.208.27:443
- 98.144.73.193:80
- ```
- #### Epoch 2 - Spam/Stealer C2s ####
- ```
- 198.58.114.91:4143
- 213.136.86.219:7080
- 91.205.215.10:7080
- ```
- #### Current Epoch 2 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx
- S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc
- hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
- ```
- #### Credits and Notes Section ####
- ```
- WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs as it
- is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
- https://pastebin.com/u/jroosen
- NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
- I am providing them for your benefit in case you want to parse them to be sure.
- ```
- #### What is Epoch 1 and Epoch 2? ####
- ```
- What is Epoch 1 and Epoch 2? (updated 03/07/2019)
- I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
- payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications.
- Epoch 1 is currently the larger of the two botnets (Mar 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller, more
- rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
- This seems to change back and forth over a 6-month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen
- to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group, e.g. going on breaks at the same
- time period.
- Here are some observations I have noted since I have been watching these botnets:
- - Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
- Epoch 2 document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those
- being delivered in maldocs on Epoch 2 at any one time.
- - Document hashes change every 10 minutes on both Epochs while distribution/spamming are active.
- - Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- - On Mondays of every week a new set of document download sites, and usually templates to accompany them, are generated early on
- Monday morning/Sunday night.
- - Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
- Epoch 2 may have a document hosted on host.tld/B.
- - The RSA keys used for C2 communications on each Epoch/Botnet change every few months.
- - Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
- *- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- - Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- - C2s are never shared between Epochs/Botnets.
- - Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
- via C2 to stay ahead of AV defs.
- - Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
- - Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- - The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this
- easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- - Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
- spam template, word template, document type and even payload.
- If I think of anything else to add or if anyone else has any suggestions, I will add them here.
- ```
- #### Community Lists ####
- ```
- https://otx.alienvault.com/pulse/5cdc7dcab39d030f86e97ab7/ - @SecSome
- https://pastebin.com/tTPYiSHd - @ps66uk
- ```
- #### Credits ####
- ```
- (OC from @JRoosen and/or combination work of the following)
- Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
- @0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
- @Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk
- C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
- @devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192
- Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
- @pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
- @papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro
- Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
- Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
- helping out with this!
- Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
- @digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
- @urlscanio, @TrendMicro and @Virustotal for providing services/software no charge to this cause!
- ```
- #### Daily Log 05-14-19 ####
- ```
- General News:
- Unfortunately, no break for us and both botnets were at it again with low volume spam. Malspam was reported again from many
- in the community but I still received nothing today. Other researchers reported receiving a handful to several dozen malspams.
- It looks like E1 was still stuck in attachment mode but E2 did a burst of link based malspam. The document template is still
- the 365 Blue Box type but the builder changed as of Monday because we are starting to see the randomization of metadata in the
- Author/Comments and other fields. Additionally the new builder seems to use EvilClippy type techniques to block the viewing
- or editing of the VBA macros in Word. E.g. Word just crashes. Kirk Sayre (@bigmacjpg) broke this news first here:
- https://twitter.com/bigmacjpg/status/1128742495591047168
- Later the author of EvilClippy (Carrie Roberts, @OrOneEqualsOne) decided to update the project in order to reveal the Emotet
- macros by adding the -gg option. This may be a bit of a joke by using GG. GG indeed. :)
- https://twitter.com/OrOneEqualsOne/status/1128759076505116672
- In other news:
- Once again @JayTHL had a nice summary of our data from last night:
- https://twitter.com/JayTHL/status/1128516821370441729
- Also heard that Poland was getting hit hard with #emotet today but I was not able to confirm the details.
- This was stated here:
- https://twitter.com/c0t0d0s2/status/1128632394620313600
- REVIEW:
- If you didn't already see it, there is a very simple way to defang these ZIP/JS attachments or links. Just change the Explorer association
- to open .JS files via Notepad.exe. You can follow my instructions here in this Any.Run:
- https://app.any.run/tasks/81503633-0f95-48d4-bd80-c83ec5c2b763
- or you can do this via GPO. Here is a nice writeup on this process: https://montour.co/2016/09/group-policy-force-js-files/
- I recommend you do this because .JS malware is very 2016 or even earlier and most users never need to run .JS or .JSE for that matter.
- You can likely throw other extensions into the same configuration and @JayTHL had a nice thread discussing this here:
- https://twitter.com/JayTHL/status/1126204098670411779
- Email Template Report:
- The vast majority of malspam today seemed to be low volume attachments on both botnets. I did not receive anything but
- @executemalware and @ps66uk did. Here is what they saw:
- https://twitter.com/executemalware/status/1128830368872849408 - 25 with .DOC attachments and 2 with links.
- https://twitter.com/ps66uk/status/1128769883729219584 - 5 DOC attachments and 1 link.
- Review:
- What we know about the threaded templates/reply chain (changes are marked with *):
- - Emails are sourced from once (or still) compromised users all over the world.
- *- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
- to the compromised party on or before Nov 2018 until at least March 2019. (may be up to present) Also have seen emails going
- back as far as June 2018.
- - Now on E1 and E2.
- - Now seeing German based templates that are essentially the same thing but in German.
- - The injected reply is usually prefaced with the following:
- "Attached is your confidential docs."
- "Attached please find the wire transfer form."
- "Thank you for your help. Please see the attached."
- "Load instructions attached"
- "A printer friendly attachment is now included with each email."
- "Click on the attachment to open or save the printer friendly version of your report."
- - Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
- - Attachments seem to be in the filename format of *_Month_DD_YYYY.doc/js so far.
- - The link is customized for the display text of the link to show the real domain of the spoofed organization.
- - These templates are pretty limited in run and not very numerous.
- Link Regex Report:
- Regex directory patterns - Changed one of the regexes for E2 to pick up more common directories that were seen today.
- E1
- https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/
- https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
- https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/
- E2
- https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
- *https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)
- https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/
- NOTE: If you get a lot of false positives, try adding (\"|\n) at the end of some of these after the last \/
- These Regex patterns are to be used experimentally and at your own risk but they caught 95%+ of what I saw in link malspam.
- Payloads Report:
- Again stage 2 docs were all being delivered by attachment on E1. E2 seemed to be a mixture of DOC attachments and links.
- Once again the newish hybrid loader appeared on the E2 distro and C2 updates near 1900-2000 UTC. Not sure why they change
- at this point. It still is not hash busting and remains the same hash for many hours. E1 is doing all old V1 type loaders.
- C2 Report: C2 Combos are slowly falling now on the E2 botnet after reaching a record 95 combos over the weekend.
- C2 combos on E1 are slowly increasing.
- C2s DID change for E1 and increased from 69 to 74 combos in total. - recorded above
- C2s DID change for E2 and decreased from 90 to 84 combos in total. - recorded above
- Closing:
- Unfortunately I was fooled again by Ivan thinking that this was a break coming on. The reality may be that Ivan and the Emotet
- actors are changing their tactics to move to a lower volume spam operation with more attachment based malspams paired up with
- reply chain exfiltrated data. Since the beginning of this month, the spamming patterns have for sure changed and it is not
- exactly clear as to why yet. Time will tell if this is just a phase for now or if this is the new norm.
- TT
- ```
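The E1/E2 link regexes from the Link Regex Report in the Daily Log above, run over sample URLs as an added detection example; this is not code from the original paste or from the Cryptolaemus team. The patterns are copied verbatim from the report (Python's re module accepts the JavaScript-style `\/` escapes). The sample input is constructed: five URLs copied from the Epoch 2 document list above, one made-up line shaped like the first E1 pattern (example.org), and one made-up benign URL (example.com) that should not match. The function names classify() and scan() are my own choice.

```python
import re

# Link-directory regexes exactly as posted in the "Link Regex Report" for 05/14/19.
# They are written in JavaScript style with escaped slashes; Python's re module
# treats "\/" as a literal "/", so the patterns are usable verbatim.
E1_PATTERNS = [
    r'https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/',
    r'https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/',
    r'https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/',
]

E2_PATTERNS = [
    r'https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/',
    # This pattern carries the quote-or-newline terminator from the page's NOTE,
    # so it only fires when the URL ends right after the random directory name.
    r'https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)',
    r'https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/',
]

# Compile once; dict order (E1 first, then E2) is the order patterns are tried.
COMPILED = {
    "E1": [re.compile(p) for p in E1_PATTERNS],
    "E2": [re.compile(p) for p in E2_PATTERNS],
}


def classify(line):
    """Return (epoch, pattern_index) for the first pattern that matches the
    line, or None. A trailing newline is appended when missing so the
    quote-or-newline terminator on the E2 directory pattern can match a
    bare URL string as well as a line read from a log file."""
    if not line.endswith("\n"):
        line += "\n"
    for epoch, regexes in COMPILED.items():
        for idx, rx in enumerate(regexes):
            if rx.search(line):
                return epoch, idx
    return None


def scan(text):
    """Classify every non-empty line of a text blob (e.g. a proxy log export).
    Returns a list of (stripped_line, classify_result) pairs."""
    return [(ln.strip(), classify(ln))
            for ln in text.splitlines(keepends=True) if ln.strip()]


# Constructed sample: five URLs taken from the Epoch 2 document list above,
# one line shaped like the first E1 pattern (example.org, made up for this
# example) and one benign URL (example.com, made up) that should not match.
SAMPLE_LINES = """\
http://sanvieclamngoainuoc.com/wp-content/QrzwTpywLM/
https://inhuiscreative.com/wp-content/qdbb0_jgb5c-981069283/
http://gmrs-roanoke.com/wp-content/bKrtHYcBh/
http://tnrkentonode.com/wp-admin/vxaljneq_f9vcwvsz03-015845519/
http://drmarins.com/engl/pCAdOLWLJ/
http://example.org/en/Documents/12345_6/
http://example.com/wp-content/uploads/2019/05/report.pdf
"""

if __name__ == "__main__":
    for url, hit in scan(SAMPLE_LINES):
        label = f"{hit[0]} pattern {hit[1]}" if hit else "no match"
        print(f"{label:16} {url}")
```

Two things worth noticing when running it: the drmarins.com line is a real Epoch 2 URL from the list above that none of the patterns catch, because `engl` is not in the directory alternation, which is the kind of miss behind the report's "95%+" figure; and the second E2 pattern only matches because classify() supplies the newline the NOTE's `(\"|\n)` terminator expects, so if you feed it URLs embedded in larger text you will see that pattern go quiet rather than produce false positives.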
- #### Sandbox 05/15/19 ####
- (all with fakenet and MITM unless spam/secondary infection)
- ```
- Epoch 1 C2 run on 2019-05-16 at 02:15 UTC - https://cape.contextis.com/analysis/74094/
- ```
- ```
- Epoch 2 C2 run on 2019-05-16 at 02:45 UTC - https://app.any.run/tasks/36c17906-7f37-42e8-ac3c-e2af53cfefc1
- ```