jroosen

Emotet Malware IoCs 2019/05/15

May 15th, 2019
## Emotet Malware Document links/IOCs for 05/15/19 as of 05/15/19 23:59 EDT ##
*Notes and Credits now at the bottom* Follow us on twitter @cryptolaemus1 for more updates.


#### Epoch 1 Document/Downloader links seen for 05/15/19 ####
```

Seen only in attachments

```
#### Epoch 2 Document/Downloader links seen for 05/15/19 ####
```

http://abrcs.org/wp-admin/paclm/vxresoYsFSgSYXlDbcweliPhGiB/
http://acaraberita.me/wp-admin/LLC/baWsFnKSLkasxgAFLSQjbukmMLcl/
http://agromex.net/fonts/FILE/vEMrGXSieqiCyq/
http://agromex.net/fonts/Plik/1ho34bbk7909_zm2ga7-0892900813279/
http://agromex.net/fonts/Plik/jZKpWwXGzL/
http://alfaproject4.eu/wp-content/parts_service/ke9dlk0dw8wazsuf_b0ikb578mb-741227932410/
http://aliciarivas.edu.sv/Sub-Dominios/LLC/mu3dfytk5bf8_sww2nxyr-15974204223/
http://amantiwari.in/wp-content/LLC/rvgily845pklgo9hrz0q90mqro2e6_9arpd-4423382856003/
http://amitrade.vn/sitemaps/paclm/pqr6wwhr_jop51owzx9-5887999294974/
http://anjoue.jp/academy/9x81l-c8ja2-wrakkkd/
http://arqdesignconstruct.com/cgi-bin/dopt-5s67xnx-zczzanv/
http://auhealthcare.in/wp-admin/Scan/dhyhfkp3rpj8hi10fvk_pna118wt6-536580263/
http://autoecole-hammamet.tn/v8ys1qx/parts_service/TjNafnPBWWLskdsPJPqjfNAFK/
http://autorepairmanuals.ws/homepage/bSDjvZYCUYyxvldpcWiSpz/
http://ayashige.sakura.ne.jp/CGI/parts_service/ksDqudmXNvlaBwGVoFEf/
http://bamboosocietyofindia.in/cgi-bin/20h6e4dfqhg4_rd59p-5910102145/
http://bangkokyouthcenter.com/wp-admin/Scan/ythmkuqzd_jmgn2yp-175573459555500/
http://beansmedia.com/zeus16/wp-includes/8zvnh9-jp0og-zqdrbu/
http://biotopcare.top/wp-includes/d2mh-2c1t9xe-ptus/
http://biyoistatistikdoktoru.com/wp-content/esp/xsimCoaDSxl/
http://blackdog.sakura.ne.jp/bbs/fv1i3uw-kdm0fvw-acfnf/
http://blog.citta.website/@eaDir/@tmp/INC/OCKgnGWSrlj/
http://blog.ieeeuet.org.pk/cgi-bin/LLC/j45hduf8sk3hzb_6k8v3y-361818336957/
http://bluehutdoors.in/wp-admin/sudwuKtj/
http://bmeinc.com/wp-content/INC/a24udhcv9f9t7y2sdbyil3qoo2fw_4u1gm2kr-594966293776422/
http://bookipi.net/cgi-bin/parts_service/VSvJSSSRemqMcXTcXFMkCHm/
http://burakdizdar.com/wp-includes/DOK/vgvXUipTXuB/
http://burnbellyfatnews.com/wp-content/PLIK/1tmc1r6efejf658lnf3n_n1xx7n5e-7916936653/
http://buxton-inf.derbyshire.sch.uk/wp-content/rrpnthz-mw1cqv-kivs/
http://cayyolutesisat.net/yed/FILE/mWBBKzQkaamEYgxMlJbWeakRl/
http://chitranipictures.in/wp-content/DOC/IDnxFUZLywHSGXARYDJBUemDjgtbH/
http://chthonian-win.000webhostapp.com/wp-admin/DOC/a8wtvbgz1_aphcj-081209384764/
http://clienta.live/wp-content/Pages/SYumHtmxwPXbqYndkYYsMBVm/
http://clubhousemalvern.com.au/cgi-bin/kpqm3a5wt4kl8m3j5mss9u_etynuc-7757850886/
http://cmtmapi.com/wp-includes/iqPXmstyTYBMrANrUNufDPtb/
http://coebioetica.salud-oaxaca.gob.mx/wp-content/uploads/nts68xu-zmfzf-rumb/
http://comicsquare.com.ng/wp-content/DOK/mwzQlQkCtXLuO/
http://danikarnaen.com/wp-includes/p0en0-m32wp-jrkpw/
http://doan-xemwebsite.000webhostapp.com/wp-admin/Dane/NREalrdAjwy/
http://dorreensaffron.vn/wp-content/uqt6yec3dw_zp5io-680559949308/
http://ducks.org.tw/wordpress/Pages/RKtrGoDHMOciTJFzvhBUffXujHO/
http://duduk-reed.ml/wp-admin/Dane/xjcmndp3_5ia73am8h1-0167599334/
http://dumka.if.ua/wp-snapshots/zrm7b-ax74kc-tsnfhod/
http://ecosense.solutions/wp-content/DOC/jplexvqj5jlufp_pc7wo5xt-33560198/
http://educ-pb.cz/rix4u/qxqacf-wwt9gd6-tbwf/
http://electladyproductions.com/wp-includes/ix6v12l-hglnvy-lvsurcu/
http://elephant7shop.com/wp-snapshots/sites/VwFWTDwJBGtNo/
http://elespaciodepopito.com.ar/cgi-bin/Pages/KgaILaBUBERrNMPzUdrGAoSHi/
http://elsafaschool.com/natiga/8h4j5m8mukt0rou0rpwgph29_ucuwbq4r-45493048276/
http://emieni.com.br/wp-admin/LLC/sRGACqEiQSmiDRCHZ/
http://eroticcall.top/server/INF/CZmAQNvCPBKTAuaTFjCcvEJM/
http://espacoprimeoffice.com.br/voso/Scan/efkPxQdfeTBXyaTcyaeUwKvHUx/
http://estereokadosh.com/wp-content/obeUnyiAig/
http://fabaf.in/wp-content/xQzYymSsFWmifpwkWxFs/
http://farabtrade.com/wp-admin/LLC/PCbgNXIBFVlbcqxUuKbLbdLJMMvPw/
http://finance2.mcu.ac.th/wp-content/uploads/lm/603wpwtgwgny2x9ew_d4148x-68211475/
http://fireprotectionservicespennsylvania.review/wp-content/parts_service/biav6xutxs0dvm4_vmzz6006z7-80650476624977/
http://gabinaud.pt/wp-admin/86ur-rthnt-boeugbv/
http://gestaonfe.com.br/images/tsf79gpe1yrtdtnjt61y3f90j_hi870-054128199/
http://giadaarquitetura.com.br/wp-content/Pages/RKdnHgotCgUfegMeu/
http://giaoducvacongnghe.com/wp-admin/2q08cc-148uim-innmts/
http://glumory.co.id/wp-admin/xbp1-h2zdjaa-hhncva/
http://goegamer.eu/wp-admin/Scan/GSkVpDUuOXCHrHQOdCiPpJyHg/
http://gogobyte.mx/wp-includes/lm/OmYLVmfsznpdvM/
http://gomypass.com/wp-snapshot/Scan/dkqsehu8yatspxp10w32fx_xcu1yo-9516608289/
http://govche.in/vivek/lm/prtLAvbLhs/
http://greenland.jo/wp-content/INC/y0kwbjc359gze7_cwmyx0f-409158997486/
http://gwangjuhotels.kr/wp-content/themes/INC/cezep04e9rsrtvyu9mvwzzfr51zkv_gsml0g-706374977/
http://habito.in/wp-content/FILE/ljfubtzjqsh8cwl9bshlf792ra6q_1o4nlr0zeq-6153969657/
http://helpforhealth.co.nz/css/acbm9-kwj7h-peujkrt/
http://henrique.solutions/yuri/paclm/KXBRPwQCMigJWyNTbDuXuk/
http://honjia-machine.com/wyxey/jvha7a-b5yoc-hovoj/
http://hostcenter.ir/hctf/x718-t4640gr-ybwh/
http://hottnews.tk/wp-admin/i6sbr3gzf7d81ttfsbgcfi_0ep5rrxd-532243386/
http://hsp-shuto.jp/menu/INC/7s7vagi5dl7o0yn44xh4mnlqn_4lxrc1v-96663874/
http://iamchrisgreene.com/Plik/VqCxNTUpwJgyyf/
http://iberias.ge/ajax/Document/j819r2b5acjauddmy7g_3dviw-346222721021/
http://ichikawa.net/wvvccw/4emi86-ncwpn4-dggzjy/
http://iclebyte.com/cgi-bin/DOC/8npze9i7vr0g_v7jx3y-49079503304628/
http://idealtech.com.pk/axcv/nu6i7-8d8qjw-kykosad/
http://i-dog.jp/higashiosaka-yao/DOC/94ehnjdukkpk4c888qpw3fjb_hdlhca-0736735396873/
http://i-life-net.com/ban/LLC/vuz91b8m_g2e8k-70032498/
http://indahtour.com/test/iieub-ppe0zks-ekjb/
http://indoorpublicidade.com.br/wp-includes/n3jq0t422r2_7hnky38vs3-83093705/
http://ipdesign.pt/dtm/7bvpw7w-f69b1n-cylu/
http://irismal.com/ecsmFileTransfer/DOC/wwxjrul2118b7fp_1sy9y-49325124795289/
http://itconsortium.net/images/INC/d9e9o214zkleefgzhcv_ete0631837-48808070802/
http://its.net.pe/wp-content/fb3bwwdxnfbl6p6k8se4_dkoa5q96-4422471396/
http://jamsand.com/about_3/paclm/OsllaPAGnGOHMo/
http://janicekaiman.com/wp-content/Inf/BBoojXxFUoQKuLCqNQTKsITdA/
http://jerrytech.tk/mysql/paclm/uIQPvRCmDytqBucg/
http://jsminfot.tk/restaurant/Pages/OMbKDeLMwJsxFYxSTWSsCRKcvmqi/
http://kanoan.com/cgi-bin/KnLSEhvhByrMdJyndQuqH/
http://karenanndesign.com/_vti_bin/esp/8mdys2sisoj5veh_cegy3gle-41684013/
http://karpasbulvar17.com/wp-admin/INC/JcBMtYcW/
http://kazancakademim.com/wp-admin/paclm/1mq88ln97dsk_toxhqwl1d-012916449/
http://kbpbiosciences.com/@eaDir/Scan/ApOmjVKn/
http://keita173.net/0kyoto20120906/paclm/LeOfdbEAOzLxiCTomMgbwoUuOAM/
http://kevinwitkowski.ca/webalizer/LLC/gQYyFJYIIRbWqTghvlxLBHPifI/
http://kndesign.com.br/alarme_files/DOC/CMaBzJzQQmzlagoVZdgFCEGHDaDZo/
http://kodlacan.site/permalink/DANE/wtSKvxFllItEwQq/
http://kongendo.com/images/Pages/lDpbdoYAkjtKVaTAkZKaf/
http://koroom.net/39/esp/hgkrmao0oggay4b39y2fs0oa_wkkjz-94827413647/
http://kreditekfa.co.id/wp-includes/Document/01lk3ku2q2dyl6bi5an9dmtdj9y_mfe4yzn3-59374554445886/
http://kumalife.com/Library/Document/rqtpzqh7ys34_9p01g0g-6505566292/
http://lab-quality.com/nmkh/INC/vrAqqzJgLmVzNQoLVPd/
http://lat.ffcc.co/9hrSXJm/wjc4gsnfa5z_2dc3may-04874681/
http://leandropacheco.adv.br/wp-content/j763or8c_7pre9-275868498/
http://lejintian.cn/wp-admin/parts_service/u0hovmjmmyv1l32_tyg484j-650166756659060/
http://lencoltermicosonobom.com.br/wp-content/pBNlLhfN/
http://likenow.tv/wp-admin/INC/RhgBqAEYbWYVSZvzwmHKMsyeF/
http://magitech.tk/wp-content/zx5plu9ooe08rf8tmozcgxrzp_r160ttiksb-41507208131/
http://maskisudeposu.com/wp-content/FtRpaahRJaaJuPGL/
http://masterestan.com/wp-admin/FILE/DRVaGGtISElAvBdWmdhOlJdkUe/
http://mastertek.ir/wp-content/ykii-hi3m5p-qjpnr/
http://meb.com.vn/wp-admin/bigjln-ru1tn-srhsmwc/
http://meble.grudziadz24h.eu/wp-admin/2s7cq8n-onb70gi-bjazkwq/
http://mediainmuebles.es/wp-content/a7hkg14j_zol3szqgm-91365872286240/
http://medyalogg.com/wp-content/ai1wm-backups/7eb18l-ehu6s9f-glgoyh/
http://meravilla.it/wp-admin/DOK/rSaOyFOigqqczbRsiZQYzxjFLvIOX/
http://metalrecycling.com.co/wp-includes/sites/it4cumyuruk22450hrl48c_ggu53-816092320311/
http://miagoth.com/wp-content/nh8h0yt-m8tsv-fhydcq/
http://mobilesforu.ga/wp-content/2gw5vwnbwy1_yuqjdfsjr9-58449743431751/
http://mobradio.com.br/wp-admin/INC/OdTgzACDP/
http://monnaomotona.co.bw/administrator/Scan/xAxUgGUtJUIclo/
http://mpsday.la/wp-admin/bukpnqpqopcjez0do9f6kdc_9po699-75518771132/
http://musicaparalaintegracion.org/wp-admin/f2v2dka50xoo6rmpa_iqxp512-474972950458877/
http://musmanbaig.com/wp/esp/dvaDfUEekBoSaXjEBCVHcOWKDdMeW/
http://nature-creativ.fr/wp-admin/Document/druVFmMEHJaEgMCYeUgcOoSXXe/
http://newindianews.net/wp-includes/sites/ho7vbirzu_9n96r3h6-804129012/
http://nissandongha.com/nwlv/ns27hw-99jsfnm-otiw/
http://nissanvinh.com.vn/wp-content/FILE/DZsTsBDFMrxcrYLYcPikagMV/
http://nofy-nosybe.com/wp-includes/DOC/3vm5r6dd1zh7a24heu6i1v_pdzt60yww-952543362/
http://nordflaten.art/wp-content/sites/26rred8x295xuzyy0jcp3m3dcqxh_6i5wsry-61885523307/
http://novocal.com.vn/wp-admin/bh24s1-4rs2e14-mlmrf/
http://omshanti.lv/wp-includes/esp/BQXuTRGchODynXgEirQ/
http://onebyone.tk/wp-admin/LLC/7706vgdssf94_42cb3wl6o3-452615088702/
http://opspack.tech/wp-admin/Scan/HuvKLKDAVrvsaIacoy/
http://orientaltourism.com.ua/wp-includes/o0v7314-lskye-wiwrc/
http://osarofc.com/wp-content/0xza-146jk-vneaa/
http://parquet-san.com.ua/TEST777/hk7hh5-owhzas9-zcvvrf/
http://pbj.undiksha.ac.id/wp-content/uploads/is8sa-zp7sjl-kswybet/
http://poomcoop.kr/wp-includes/FILE/0iv4itsyce4ebg1la6p6h2s_v7fn0sh9-21612429090/
http://pornhaven.me/wp-admin/Plik/obLBGjXEosW/
http://profair.kz/profair.kz/w9ffwow-qc2x2-yxff/
http://pyneappl.com/wp-admin/r4x2cea-v6nathl-viladac/
http://radi.org.ng/wp-content/paclm/LKkyuOCjRqsBtQA/
http://radiomediavillage.com/bin/DOC/llwYAboSHCIGNNMARHVlBwgaSW/
http://radiomito.fm/cgi-bin/paclm/4wtdjxun7yoe6prhwdmykvhutvm_trqasxx4-37436569/
http://ranbaxylabs.com/wp-includes/2q33-1ptyaz-klqzcpb/
http://realhr.in/wp-content/FILE/LMtUKTFHGjegGqzXeqpOliQXBZmVB/
http://reffd.com/wp-content/Plik/UZHvFUEKQ/
http://regalosdemaria.com.br/wp-includes/paclm/BghjjRFZMncgnELOp/
http://reklamkalemi.net/wp-content/Document/yoBVKLGgeVAxTJGONEvfCtwqGFBTn/
http://rodame.com/wp-includes/Dok/gnkdmt0smywgujlkye50o2vrh5uyj_rleqlnqiq-017770738/
http://rollshtora.by/wp-includes/parts_service/yrZKGYOOoptluKTeuKvdqSrqUx/
http://roubaix-coworking.fr/wp-content/wj7hitf-vba84p-iyluwe/
http://samsunmansethaber.com/wp-content/ngucluy9ylb4zygoi_uxqputkn27-483516794/
http://sa-pient.com/wp-admin/INF/RMXgMrSzIFWYQcgaDxblxFn/
http://saraikani.com/wp-content/k8hnlok-v3ab90j-xutmihs/
http://sarayemesri.com/wp-includes/gbp72vu-pyn3pwn-ghysyjm/
http://sarilahotel.com/wp-admin/parts_service/yjn2nqilx9sg7nbcnh61y_3ltruvczp-892693941531/
http://saturday-school.org/wp-content/52x264qdz9q3tstfzyagovrst6j3d_d0nfmfe5hs-35969571794/
http://shanghaitour.site/wp-content/3ha3f-865hco8-zqwnau/
http://shdesigner.com/cgi-bin/esp/FSgyAKIBQNSZp/
http://shdesigner.com/cgi-bin/esp/FSgyAKIBQNSZp/\/
http://sinlygwan.com.my/wp-content/uploads/Document/aaMvzztMSMSzJcPewhyDdpTcQbAD/
http://siragehad.com/wp-admin/lm/19zrzebriefqhegi_482ss92-87064803611642/
http://skylineindia.in/wp-admin/Scan/VAscYQjBlBTEsDRpM/
http://sleekinnovations.com.ng/wp-admin/DOK/m5kydrv1nj1288p7y4e35oox3j_x203fr-98860666476178/
http://smaki-natury.eu/wp-includes/n8ir7na-yshm171-vzozudw/
http://smart-dentist.pp.ua/wp-admin/INC/i2crllps52mifvmdtiwthhlwhucuz_jza9slq3n-60901708884028/
http://s-maruay.com/administrator/FILE/aTKnyvvbxQhUZIE/
http://smooth-moves.com/ykoc/parts_service/r8gs26y5btcy1jxjgfaz4j9_c8tk06-38744374962491/
http://soladeouro.pt/wp-admin/sites/GGJwUfMENUwSroMLKKyFeeJHDaMJer/
http://soulbonanza.com/lounge/DOK/i5ruldd6w7op8wn8cj1dyz63udh1_a8syl-969837728830/
http://staffline.com.co/cgi-bin/DOC/oj0lcem89wh0xbb11kvk_29w4e6xt-784623781995/
http://stage.bakeli.tech/cgi-bin/cr8sn021qkbl2krv_a8zbzq4jpi-7592281876/
http://stationpowered.com/wp-admin/paclm/tubtrysd/
http://stijnbiemans.nl/wp-content/pw6fms-s6lbuj3-aierldo/
http://targetrentalcar.ma/wp-admin/paclm/bWGnKCtnEPxyYVYP/
http://teksint.ru/includes/Pages/bsjzQNJVlReGtbwvpFM/
http://temizsudeposu.com/wp-admin/pllcWdhqzKxelzKz/
http://thanhlongland.vn/wp-admin/aFPuEMMIHXcLTKWGgzHdq/
http://tokoagung.web.id/mikhmon/parts_service/VOiGbJVVelmFDeXTv/
http://tosetaban.com/en/3uivg-6kowc-kchpjb/
http://tuyenvolk.000webhostapp.com/wp-admin/paclm/w5x74v9u5q6p1wj_xo30hwvbr-9914872349/
http://uniformes.com.tn/js/parts_service/PRsuIafsWAkdxoVXJVmSjmf/
http://unioncomm.co.kr/wp-includes/IXR/INC/SzbKyZNfCGqyCBxTlmKxv/
http://veoreport.com/cgi-bin/XjKasTavHOhSuowm/
http://veresk-studio.ru/wp-admin/p1ptsd5l06catpoq4_jdd5y3sp39-95860538271/
http://wciagniki.eu/wp-admin/DOC/FlHkZDrRtGWKxFYgqBHfiNbeCpBMEP/
http://wciagniki.eu/wp-admin/DOC/FlHkZDrRtGWKxFYgqBHfiNbeCpBMEP/%20/
http://wedewer.com/wedding/i0hlzp-zxfbg-rhaxtm/
http://weseleopole.pl/wp-content/esp/MhYFThDgwjpSCpqovlBDVJdVjOzow/
http://winnersystems.pe/wp-content/Plik/ewlho76c6_rpvf7r668-6979499490/
http://wisam.xyz/wp/parts_service/2fphhsvocoyrnbvi5njyuual5_0o59ex-0066139507/
http://woxear.com/wp-admin/n5ovoylp7ezibjd9bg0dp_31vhle6j1e-1556384229959/
http://wp.devsite.com.pe/Search-Replace-DB-master/paclm/kLTkcmEtLuWCz/
http://www.mahala.es/live/c453k5-fn42h-iklsbb/
http://www.nextleveltravel.es/language/INC/daTpvRgY/
http://www.travlsocial.com/gyiodv/Document/JgNOOIjYDCQIxgoUAewiQdbxaTOG/
http://wz6.com.cn/wp-admin/LLC/NlYeMdMPe/
http://xenang24h.net/wp-content/qsyn-wivtse-eywijza/
http://xn--c1akg2c.xn--p1ai/wiki/images/parts_service/sk3oe3zcspzdec_1u0sqevw-31877200/
http://yzanmh.top/wp-admin/Scan/DXNPUbuCttexXHxPvlxGzloDKtaInN/
http://zalog78.ru/wp-includes/parts_service/ulbgyx64j94a1o3n_vvsjjeegli-584173111/
http://zestevents.co/wp-includes/7gyqq1-gxxjn89-klybthd/
http://zhozh.ru/wp-includes/lm/kcTMaXPJURcfuo/
https://aseanarmy.mil.id/adminos/lm/AHFYbndZNarqnjoX/
https://buenoschollos.es/wp-admin/Pages/2cudm68w7lue6xxd32woevdmpa_1mmc3j9o-3719672984/
https://carpartsviet22.site/autoleek/paclm/zvbaHUvVb/
https://dp5a.surabaya.go.id/wp-content/i0vccrz-b69c8p4-wbch/
https://epi-basel.ch/b/Document/hfvfXJUXKywglfdWggiWtrISdIDfQ/
https://hsp-shuto.jp/menu/INC/7s7vagi5dl7o0yn44xh4mnlqn_4lxrc1v-96663874/
https://huskennemerland.nl/wp-content/Dane/GdkPYoUjjerintLfNC/
https://icurse.nl/jeffrey/wtfvv-robj69a-sauettl/
https://informatika3b.com/marcador/EuvgsJKTUOMOCzkSzMPQ/
https://kerosky.com/wp-content/DOC/dktSNTtfSpqXrZblmTRXtE/
https://lodicak.sk/wp-includes/LLC/brkiwgsxg/
https://mrts.ga/gallery/img/uploads/BmSCADCNVDuCFiJ/
https://onextrasomma.com/wp-content/parts_service/oglr7g1ozcgl7iem9rugqohcuhrt8_itksg7f4w-7376898186/
https://phukiensinhnhattuyetnhi.vn/wp-admin/Dok/dAsiYLWHSXSjuKMqwUmSZ/
https://potolkiakcia.by/wp-includes/Pages/chMDiBTNd/
https://roubaix-coworking.fr/wp-content/wj7hitf-vba84p-iyluwe/
https://schroeffunderingholland.nl/wp-content/Scan/BUjiOhqDVnmiI/
https://sportboutiqueheleen.nl/wp-admin/sites/ifeqze447_cad5c0-88908196117026/
https://stationpowered.com/wp-admin/paclm/tubtrysd/
https://tajrobtk.com/wellsfargotextcenter/HRBcyHIxb/
https://www.bat.archi/wp-admin/lm/bw0n1svwvd8shr5yf1uy546xj6s0e_za6ahbfsa-93869808191/
https://www.cavalluindistella.com/wp-admin/INC/02ssocd4j70na2_vwo85-981220018653481/
https://www.kaum.com/wp-content/plugins/sites/l006jmwzvwk6cr2ie6_8f1de-04921188537/
https://www.travlsocial.com/gyiodv/Document/JgNOOIjYDCQIxgoUAewiQdbxaTOG/

```
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time 2019-05-15 19:56:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
2111f3703bb08e49ac15cac50018d916092243375ff295f2a465b095bc8ad388

http://pawarsoftwares.com/shree/o7u4s7u3775/
http://tarakangroupsro.com/wp-includes/s350496/
http://stampa3dplus.com/wp/mf9pbly5824/
https://mondainamsterdam.com/xkcm/9o1i83/
http://jiyasweetsandrestaurant.com/wp-content/jsa08124/


Creation Time 2019-05-15 14:20:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
a3156fbf1ceedd1083118ff6deecf4b704e42e3a076cfca1cf14fad64d3da67c
f6087311ff333cfcc436f204318c5fa5a1cdde58f460a5c8c034d4373fb5c57f
5219ef99f614acc503dc7c4049238f1fbd06832d95e27be8358a86e9f1a5b31f
313e7e5ab7e05ec7d2b2d8434325edfc3f2d48c676178fe16827fec2f9e8a193
69f97037831e1d0666adf2fefb028a65d557e9ffe1ba0e421d04ce90d74be5e2
4ce396cf7261b508ec089ae8a900f8be3a9d9e34489866ad90881c1111eaee04
5955a0454e97b2bb233ceb312f11f2ceda984f1df88917eed5cbe0d252e10b09

http://rojmall.com/wp-includes/rpu7qe375/
http://aleatemadeg.com/wp-includes/hrpps344485/
http://60708090.xyz/wp-admin/jziinti061/
http://feti-navi.net/wp-admin/a8a625687/
http://tavay.net/wp-admin/nfjyi8m1/

Creation Time 2019-05-15 06:58:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
328442d28eb42113eeb05cb90a710207bf12a56be45e9307d14eecf16e16eb72
8dfe30a3242a582c8ae717454febdc5831f45c8b54679ed2f54c5f925b68c0bf
69659aab4abe650e8ef70e9902ebb45e5b8ddf9c1990f66af717c6094436cc5f
8b03d9329a029e7797d43eea6c3fb69f1245674322818fbb17e1b0180a63b707
ee5d1c80f535338a9bbb6c958d70f114d436cefa5e481f52b1ac5b160b53b81b
61185f54e0c230140cb9396fc379ab8fc3d0bdff4ce983b26c5126be95d70d1b
cafa1b1f3922975c0ecdabffb2e0540d0509fccd8067d9f7f8a635f5bd8a5314
4a15c55e95d500bffa89a127cb065325d75ae84a08f3780a49a7bf975235aa57
5c19a97afe840b05235d6d3a3dcc142a3c5c5baf1949f9e78a6a7a658a26cb21
a0aedc90de8688c7e1e51fc82ad700aca8e0c620dd69b2c68b7b235d1587e34f
292e79db7dd867a1a7d33de7e19e91e1ba203e09f7409fdaed1962017cecf7c7
10637e759d7d2314bb65eb9e64c57b756b9400cc8d291f317f5c5267feb0aaa4
8dfae420b8822be3d2bd1fcf42a3a1797a79c9fff8568eb7540bdd7b02758f51
2ff43b151ff2baca5cdd1af702ea2dc2802d06be66172e32c3b9eb7fb3685ca8
d9e961726d5477178f886755b1ad568dd60435f80c6be8804f7fe0cabdebdea3
6522cca08dd748d4de5f533e81373e37f3a5e890ec2af3714033f745695b5699
6c0a1a2aef667257cb7d6e70e96d77ae73ad4ef69bef34ac6b72a9ec4526cfa0
f20eaad09405cda54df004d4c0f0bf0a4c519320526e7dafb4d013cf4a96c6bb
8dfae420b8822be3d2bd1fcf42a3a1797a79c9fff8568eb7540bdd7b02758f51
11839cc29827cdabe0150922e1f8ac693cf4b1f88eae795283ebe375796f6577
47574a85d9275c941a6de8879c84c062d38c56d0e174d101672693998ed1cbd2
d9e961726d5477178f886755b1ad568dd60435f80c6be8804f7fe0cabdebdea3

http://elememory.com/wp-admin/9y80024/
http://aktpl.com/wp-includes/zv1x90/
http://risingindianews.com/wp-includes/l2/
http://fifidossaltosaltos.com/yfpo/ufjeix07/
http://weartexhibitions.com/eqplsj/b1v3z10/

Creation Time 2019-05-14 16:58:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
ad3bd25e5369a634ca73916b76e1a5e4d83ce7eb41025dc7e0d8bc3c25bdb46d
6645a5f0656f769fddc8fd7ff748c698b17aa17a7671f6e79f429463c01a3581
4919226d79001ff770e78b9d654577e4baa97719da2d32cd4d12c8babda318ad

http://12bdb.com/wp-admin/qm6xxb651/
http://flystuff.com/wp-content/uploads/ual30/
http://icaninfotech.com/wp-admin/20/
http://spacermedia.com/wp-includes/l4ic57758/
http://rmhwclinic.com/wp-content/sy3/

```
#### SHA256s for Epoch 1 Payload EXEs seen on 05/15/19 ####
```

64c2327fb3dafb942c37240874cb201c5614e9b68d19503963cc4c664d8f18c0
17120e2006e4ac0f68eafedb960617b2d0ce56b163d4715d4c194c0b9e6584d3
fb40eb674e785d753e45d9cde9e70a9316bd04b84b171efd80758839be200a10
371220c9489525eb65b39042f8d4d1ec1a61c06fa9403df2eae83e99f7e45682
26d9569baab5a093d2dd665e100ef0ece0fcb78769235e6e9955eb5b9cd4ba8d
1cdae96fed935196efe5395aca8a23e18ad3c1061261991bba980ee20480f96e
b0f8cc8cd7a02ec7f26ce6bcf6c4696bd7bdce74c653a5f05620d52b36beb0e4
58a34f248fce1d5b939e381acdad7387cbd0203dc50a25da037137f88c48d2a4
7580e3a3c802cbe0b228215799d6cc4c2836d0317821040babb83ff5a921c226
1d527da78114511c91670d2c8ed8638519d2db9a9446df095d3b86991e1ea349
57caee9184341c206a508b37b2768ae8b277c22592d050ec679432262fac19db
13190d0f9b60449c530897199dc1ded64bd823c7d158736229a90fa874609971
8fa7bf34e78b67ba8d97ef0cba317c5347159ce493433a1460205e4312b75941
0d0240039be3abeadefa5dee9bcc36370c3a421309725506604d1ad94f79c395
dc9dbd730fd6acff7bfcbf9047477e24a28c9a0462f594823ef6bb873c5bd138
e7ef217c0b15d2389117dd898d7b39c07109407e02cc410ceb2a24c6d17f92c2
9cea5ad4e113fc547aa3dd0a493e7f5eec757767ad44885a77b233df456c6ee2
266d1b7edf2f97826491f5090d7a4d768c455c748dfba7fdf452bb3c57fb93bb
6abd86a4e480342515a85acfe206cd39435d1b284549152a44b703e986f5868d
e0e8c117215367206b3dcb03ec520f2ec85e1b8883371c24cb3a841b119101aa
6309424bfb92b0438cb472be7fcb937e951f5a72364ca934293272066fed2ffb
b49783c68734dbea136cda05eff6f285a2fdd3b227a200e9f4e9e1623b5c4358
87003f66d102cd1e47cf59a5e7c4f03113939225751082d0e413ea378c8c6af1
f1404f118b2a3ce1120a59c0e7c02f4917350c22c6d85ebb4f44c0b04cda5ed1
01d9ea70429adc72e09f0aeff996fc30ff5c761b0dd846b76c4541a392b78dba
d7f48cc941cf9a4e3540d50e7d761f681bbce5a3acb163f054f51d6ba0b04b55
c59169cfd0099280ab6abfebb9cb6dd6d1bdb3f157317b5af628d8fb089b97cc
6dc3a811d504fc16f43ebae9c6c35983772cbfdba48bb44036bfeb9aec1237e1
53038bc3205b9747b291bc11b24a2dcb536551c897c8bdbd53559907e7ac998b
1ada223a49ba749cabde7a4f4a5245047077159adfabb4fb4109db8612e0812d
9ea4a2c13003aff75c32fb381d9c292877df178e343088b807b2cfe9fd376df5
a4b1891b9fd51621e0b47c2dec716ad03d7da9880177ecb67927738188a60a50
b41f0b68b316ab049ce081b2a25810d07c29994e835b7564aac908809667656d
b41af3e559c7e5f83d78ec176f080cc1aa0ae4759ef9e511d48eead6d73c45f6
a75f79a01ba0d647d47d2328eda950f6a7f28fd03922e323ae22c28a77100ba3
ab17175b152dcc4e3e2099e96486847f196d101249d4515c0556280401230c49
51526650655967bb421a1b43ab5aa7c2e86dcceb9438ad71e4e0b578a2bed7bf
45763ae36929f02957af3d864acc86cd65aaf08dbb66d76e3e3ff6ad35055a26
e57849f7a16c48f509286ac3ae5ad21bad2572a685b5323d4aa8eb8201081b45
71c2384bd841114727a5362c789b6b65fa8aa69b141ad0da77d92ca9352a58ae
7e8e707b52940d081f1ae1b4a12f5216e55a8381d4f42da99f8e82f0aa51d897
2923f38e771bc61a7f64886179ab2d0e363992cd6b15ba3fdf6091d3146e6274
31e1ae0b3193d06d8a0926f1ea67599576a188b3800e8f74618b0faca990a284
e525501dcfd819e6833febe0fcf920ec1c6d9c25cc18700e783e383fd21a8173
7b3509f6d4c45b1081bcc031e07c4d310268a31992c1ff3f80a9f306f4849885
dfde9f01184bdd3870172c825fd88d86f749e02bac86e9128d6464a97c85d75f
d627ac1dcd6079cb3262887c42615b42bc00100dedf546613d6b7a9da29e2aa7
727f2a638535f67ae3a7cead0cc6ca9e3818826bd75fb2b41055764d0a75f7b1
0a711882e0f86c37488faed5425dbbadb6b743909fe35d4017ba1e72b5f118e8
8cb60c924d643ed0beea9edb3ae373e3199ac2c7ef038b26d7fa41538f2587ac
10b11b9af10275d12df2a014a266390282bbbad87181791beb692a10c0c83e71
589cfd7d6a2411579736ad02da604358a717e54f6ba799cfe32c214b5703a5dc
287188451288b0d259ec912ac1fbb062eca739d074d2dfd41f37a79a206f90b0
e3e0bb1e6589f0393f2ac477e0c019b3698dc8352f2cecb70b8e72b9f653b089
a1d1c5ef96db18e3cfe1b8f78a70cb09ea7604b946c05325d92335991aaf75b4
696fa5ba8eb0298fb9452fab5ffb0fbf2ac9cec7cc0ba6adcf754f8ddcf9de20
e257bb5a3ce487b971968c07954725cd29cba4b20d7e9fac5c79dd8a6f497c31
c54188ac80c9b4550200368adbc40b3e9a5bfdfaf001a879d042c2ef5a4cd18d
bf011bf787aef5314cdc7fa9d75b7adf520edf1bffdceddb0f6c0d422b367882
a822af1bb648c64bbaea50e827c4439023017db1b3f47a127ff2b2e846f3c5b3
7b5ce1ab6bc29050aece18e55fc4fbeeec7a652fe18554e95b6ddee72c11d854
e7c71fd2954c4df629edbb68a9ac035f4d81d232c678042bd3bb971308b7cd85
aa05d217ae03d6b384751da1133b6b181e2ce148101b913c45dd0c672e94e453
19200e21c501b65c705217bf6930117c22d4c747f3ff2f7bb13f6dcca8547d42
f189c92133ed3c4bace033bbb85bc1e3b24946d6b145785dd9f263a57df39454
0bf2b8f3f0fc5daccd38591e1afd6be0651d7ab04a2875cb7bee8cd2804809b0
bbe7ac3ddf6ca2e2a002ddfd76741025d283d4b64953467c7018b489003ec2e5
6ffe96f3abec30fb4a73271ed0aa96d9c994cce3ca8529ab7543eeec1102d2e1
f95b4b9b27c47dbae3b48dff7e2766a5845be83eabeaf03b4017de3f5b9562c7
aebdbc96bfff0899e4501945da7b29029705ef68d3248ffe4fccea30c238b2c2
18a10e97e13749be4bf91b285da6b192b137f560ed9201ab8e0c7dd14c0f546d
8cc08f998d9f45da55ac9459a5471a6f6190a35088087b774a804e0444e5fd9c
88a4dc2c391af97856d731538cdc19d52b48b6a493b9147e0ed571f567d88d71
6f2b419364c3039f1172c610438f967bddc043a59598748e1af5279cc24dee86
3d6943816af9da61b65c12a6e4d8ce6bea41056778cdc8ad3bc3986e62143260
8c662ba3ba447018153843e599da26c82a9fe9456325598b0cbbe647e404f67c
992a78db189848326417e8b493baa7cff9914e7208f98b2025233c70aa848c51
a5a624a9bfd0a5017e6373de52c75662c9030ff704db7ef120a7bf46a54ab4a0
da749c0cf803d879ff440de2a47e00b879feccc1311e2ebba4c92f82d6c27ab8
9b60a3309884a11f07956c476303858116654dd2c96b10c849473a5708e74995
bef675d50685f173fb0ba215ff275ce563fdb0e2c03935bfbb7641eca5f2640e
1d12e81be801e708a739843e4bc86e19dcad056c1daaa2ec5e440ff04e18678f
246174fb6ebbcb09679e7ef89431a5fa39b1d38f7fec9677ba46709131485a80
404baa60fdb6e5b296a80d14bba941876b68ccea3c68432dbae67c0156bf0d8a
05b3ea03295f365020c0e855336b090a58e0474e0a6cdc3f7c427b93631f8945
41666821f448ab565de554326dfb66f1d0a6affbc29352e21be56dbc4a322d19


```
  415. #### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
  416. ```
  417.  
  418. Creation Time 2019-05-15 19:18:00 (DOC Based - ENG - 365 Blue Box)
  419. SHA256:
  420. 876ef1c3b8aa4aa4e88e33f1b71e2507969d126edc5a111553480ebb3fe12459
  421. b8304bea7cd5270509a5196224eceffcdd199ef4e303c65d5af104cea4239a35
  422. acec5b482ad5a4de84e5e7f3146c7e04131d0a04b6874d552f33a97812fc9e38
  423. 3ba1cad4f797c189510cbffa728b2b1b85ad1400d5ecbee223e262f03acf0443
  424. e47f8c73b71b01c3afa583d966d945f3b464a362aeb50175f69b01d2210083ee
  425. c3bd3e3df0bb391b3a5808ca3c517abc5d4731441df38b7e30b69ce7bb3dff6f
  426. 400a5d6d21230c8fe91fed9cb2fa2ddae199cfa892462281452b106bd219a782
  427. 9b7e99499d0dcd4959e69800de74b8356b9ce5da4fc2e5897c3edfcead8bd8d3
  428. 706373653bea1bfd1d577a640e2942a16d064636f6a9aec85b58da3b0cb7ce2b
  429. d3d69226a3f6759d15a4b94a3ad99da3e20a28113194cff91dfe345c1696a7a9
  430. 75f8716c14b028fee42ba751d4aae0ececdead291572bc36b8f9afeb1e71fb0b
  431. 7ad693a3fd9da1b97c0e7f85fb37bf15f511168d2aa397ffcd4d0f3aeacc84db
  432. 942c724bdf60dba3fad9f8695be9b19d96df15a8314d35fd82055b62610f62cd
  433. 5b4be5216d7eb192ca92a660ecb8fb86adae5da2727485141e9e9f02d6a24544
  434. 3299e6f7204ea1a44782d496c99329b76218b70233892426c02f872221548784
  435. 1d174cf281f20a5f318e24b5df536ff2d04d6ea854a81d8d45a519cf3ca60ac2
  436. 9762ba52106a0148507908106036e0685026493dc390413549e1d4621b193c04
  437. 4821d11f5f6c1d360fb783467ccf365e9e9d412b9d63e262004e592bf8083d03
  438. 4d9b585b5bb977301647ee51bffa8dc42b2f2ef1568a1693cada306de09d134d
  439. 724c3189c486f06b9090c094256d1ff91fd4e235ccc39a0bd96dfd1b9e2e91e7
  440.  
  441. http://tomasoleksak.com/wp-includes/zm2ga7ha2l_5q8wl-2798/
  442. http://mmassyifa.com/wp-content/d3ntkm81gs_5129qfvt2i-244324062/
  443. https://aaliotti.esp-monsite.org/wp-content/6orh12qu_7dsv031ip-0075691/
  444. http://adsprout.co/wp/oMrTbPUxE/
  445. http://springhelp.co.za/wp/jMSZNshHRf/
  446.  
  447. Creation Time 2019-05-15 14:15:00 (DOC Based - ENG - 365 Blue Box)
  448. SHA256:
  449. bc97596fe24b9ea6dbdf3b79905e7605a182c0dbe9425be238d91a8ccd3416aa
  450. d29f6030fc82c182401170d9f7c16805011d26e3b2e6517be9329aac5f76eab8
  451. dca1f72df40ae287350b5f56dee80a00c578ae6947e1cdc2b30e8a8729c570b3
  452. 5d96199193fd88fe85736d9fbcbf089927a15256528555e4e83b198a730c1824
  453. 0924abfc228a5127ff1dd3298b6eb682405d434c552c3fe479280e5acbec25f8

Creation Time 2019-05-15 07:34:00 (DOC Based - ENG - 365 Blue Box)

Creation Time 2019-05-14 22:43:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)

Creation Time 2019-05-14 16:10:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
```
#### SHA256s for Epoch 2 Payload EXEs seen on 05/15/19 ####
#### Epoch 1 C2s ####
#### Epoch 1 - Spam/Stealer C2s ####
```

61.92.159.208:8080
104.236.185.25:8080
50.116.63.9:7080

```
#### Current Epoch 1 RSA Public Key ####
```

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB

```
#### Epoch 2 C2s ####
#### Epoch 2 - Spam/Stealer C2s ####
```

198.58.114.91:4143
213.136.86.219:7080
91.205.215.10:7080

```
#### Current Epoch 2 RSA Public Key ####
```

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB

```
#### Credits and Notes Section ####
```

WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs as it
is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
https://pastebin.com/u/jroosen

NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

```
#### What is Epoch 1 and Epoch 2? ####
```

What is Epoch 1 and Epoch 2? (updated 03/07/2019)

I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures and separate RSA keys for communications.
Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller, more
rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen
to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group, e.g. going on breaks at the same
time period.
Here are some observations I have noted since I have been watching these botnets:

- Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
Epoch 2 document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those
being delivered in maldocs on Epoch 2 at any one time.
- Document hashes change every 10 minutes on both Epochs while distribution/spamming is active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Mondays of every week a new set of document download sites and usually templates to accompany them are generated early on
Monday morning/Sunday night.
- Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
Epoch 2 may have a document hosted on host.tld/B.
- The RSA keys used for C2 communications on each Epoch/Botnet will change every few months.
- Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
*- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
via C2 to stay ahead of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00 UTC each day. It usually starts back up around 07:00-08:00 UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this
easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
spam template, word template, document type and even payload.

If I think of anything else to add or if anyone else has any suggestions, I will add them here.

```
#### Community Lists ####
```

https://otx.alienvault.com/pulse/5cdc7dcab39d030f86e97ab7/ - @SecSome
https://pastebin.com/tTPYiSHd - @ps66uk

```
#### Credits ####
```
(OC from @JRoosen and/or combination work of the following)

Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL, @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
@0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
@Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk

C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
@devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192

Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
@pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro

Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project (https://github.com/decalage2/ViperMonkey),
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
@urlscanio, @TrendMicro and @Virustotal for providing services/software at no charge to this cause!

```
#### Daily Log 05-14-19 ####
```

General News:

Unfortunately, no break for us and both botnets were at it again with low volume spam. Malspam was reported again from many
in the community but I still received nothing today. Other researchers reported receiving a handful to several dozen malspams.
It looks like E1 was still stuck in attachment mode but E2 did a burst of link based malspam. The document template is still
the 365 Blue Box type but the builder changed as of Monday because we are starting to see the randomization of metadata in the
Author/Comments and other fields. Additionally the new builder seems to use EvilClippy type techniques to block the viewing
or editing of the VBA macros in Word. E.g. Word just crashes. Kirk Sayre (@bigmacjpg) broke this news first here:
https://twitter.com/bigmacjpg/status/1128742495591047168

Later the author of EvilClippy (Carrie Roberts - @OrOneEqualsOne) decided to update the project in order to reveal the Emotet
macros by adding the -gg option. This may be a bit of a joke by using GG. GG indeed. :)
https://twitter.com/OrOneEqualsOne/status/1128759076505116672

In other news:

Once again @JayTHL had a nice summary of our data from last night:

https://twitter.com/JayTHL/status/1128516821370441729

Also heard that Poland was getting hit hard with #emotet today but I was not able to confirm the details.
This was stated here:

https://twitter.com/c0t0d0s2/status/1128632394620313600

REVIEW:
If you didn't already see it, there is a very simple way to defang these ZIP/JS attachments or links. Just change the Explorer association
to open .JS files via Notepad.exe. You can follow my instructions here in this Any.Run:
https://app.any.run/tasks/81503633-0f95-48d4-bd80-c83ec5c2b763
or you can do this via GPO. Here is a nice writeup on this process: https://montour.co/2016/09/group-policy-force-js-files/
I recommend you do this because .JS malware is very 2016 or even earlier and most users never need to run .JS or .JSE for that matter.
You can likely throw other extensions into the same configuration and @JayTHL had a nice thread discussing this here:
https://twitter.com/JayTHL/status/1126204098670411779

Email Template Report:

The vast majority of malspam today seemed to be low volume attachments on both botnets. I did not receive anything but
@executemalware and @ps66uk did. Here is what they saw:

https://twitter.com/executemalware/status/1128830368872849408 - 25 with .DOC attachments and 2 with links.
https://twitter.com/ps66uk/status/1128769883729219584 - 5 DOC attachments and 1 link.

Review:
What we know about the threaded templates/reply chain: (changes are marked with *)

- Emails are sourced from once (or still) compromised users all over the world.
*- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
to the compromised party on or before Nov 2018 until at least March 2019 (may be up to present). Also have seen emails going
back as far as June 2018.
- Now on E1 and E2.
- Now seeing German based templates that are essentially the same thing but in German.
- The injected reply is usually prefaced with the following:
"Attached is your confidential docs."
"Attached please find the wire transfer form."
"Thank you for your help. Please see the attached."
"Load instructions attached"
"A printer friendly attachment is now included with each email."
"Click on the attachment to open or save the printer friendly version of your report."
- Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
- Attachments seem to be in the filename format of *_Month_DD_YYYY.doc/js so far.
- The link is customized for the display text of the link to show the real domain of the spoofed organization.
- These templates are pretty limited in run and not very numerous.

Link Regex Report:

Regex directory patterns - Changed one of the regexes for E2 to pick up more common directories that were seen today.

E1
https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/
https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/

E2
https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
*https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)
https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/

NOTE: If you get a lot of false positives, try adding (\"|\n) at the end of some of these after the last \/

These Regex patterns are to be used experimentally and at your own risk but they caught 95%+ of what I saw in link malspam.

Payloads Report:

Again stage 2 docs were all being delivered by attachment on E1. E2 seemed to be a mixture of DOC attachments and links.

Once again the newish hybrid loader appeared on the E2 distro and C2 updates near 1900-2000 UTC. Not sure why they change
at this point. It still is not hash busting and remains the same hash for many hours. E1 is doing all old V1 type loaders.

C2 Report: C2 Combos are slowly falling now on the E2 botnet after reaching a record 95 combos over the weekend.
C2 combos on E1 are slowly increasing.

C2s DID change for E1 and increased from 69 to 74 combos in total. - recorded above
C2s DID change for E2 and decreased from 90 to 84 combos in total. - recorded above

Closing:

Unfortunately I was fooled again by Ivan thinking that this was a break coming on. The reality may be that Ivan and the Emotet
actors are changing their tactics to move to a lower volume spam operation with more attachment based malspams paired up with
reply chain exfiltrated data. Since the beginning of this month, the spamming patterns have for sure changed and it is not
exactly clear as to why yet. Time will tell if this is just a phase for now or if this is the new norm.

TT

```
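The Link Regex Report in the daily log above can be exercised directly. This Python block is an added example, not part of the original paste: it runs the six E1/E2 patterns (copied verbatim) over a few constructed URLs on example.com-style placeholder hosts, and the `strict` flag shows what the `(\"|\n)` terminator from the NOTE changes.

```python
from __future__ import annotations

import re

# The six URL patterns from the Link Regex Report, copied as the author wrote them
# (E1 = Epoch 1, E2 = Epoch 2). Python's re accepts the escaped slashes unchanged.
E1_PATTERNS = [
    r"https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/",
    r"https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/",
    r"https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/",
]
E2_PATTERNS = [
    r"https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/",
    r"https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)",
    r"https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/",
]

# Terminator the author's NOTE suggests appending after the last \/ to cut false
# positives: the matched path must be followed by a closing quote or end of line.
TERMINATOR = r"(\"|\n)"


def scan_text(text: str, strict: bool = False) -> dict[str, set[str]]:
    """Map every matching URL in `text` to the set of epochs whose regexes hit it.

    Each whitespace-separated token is tested on its own with a newline appended,
    because the author's unanchored `.+?` would otherwise swallow everything on a
    line up to the first matching path. `strict=True` appends TERMINATOR to every
    pattern that does not already end with it, as the NOTE recommends.
    """
    hits: dict[str, set[str]] = {}
    for epoch, patterns in (("E1", E1_PATTERNS), ("E2", E2_PATTERNS)):
        for pattern in patterns:
            if strict and not pattern.endswith(TERMINATOR):
                pattern += TERMINATOR
            regex = re.compile(pattern)
            for token in text.split():
                match = regex.search(token + "\n")
                if match:
                    # group(0) starts at http(s) and may end with the quote/newline terminator.
                    url = match.group(0).rstrip('"\n')
                    hits.setdefault(url, set()).add(epoch)
    return hits


# Constructed sample input (placeholder hosts, not indicators from the paste).
# The last line is a benign-looking path that only the loose E2 hyphen pattern hits.
SAMPLE_TEXT = """\
Please see: http://example.com/wp-content/AbCdEfGhIj/
Invoice copy: http://example.net/en_US/Payments/1234-56/
Login at http://example.com/secure.de.myaccount.docs.com/ today
href="http://example.org/wp-content/ab12cd34ef_xyz123-123456789/"
Our site: https://example.com/index.html
Docs: http://example.com/some-thing-else/page.html
"""


if __name__ == "__main__":
    for mode in (False, True):
        print(f"strict={mode}")
        for url, epochs in sorted(scan_text(SAMPLE_TEXT, strict=mode).items()):
            print(f"  {'/'.join(sorted(epochs))}  {url}")
```

In loose mode the `some-thing-else` path is reported as E2; with `strict=True` it drops out because `page.html` follows the final slash, which is exactly the false-positive case the NOTE addresses.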
#### Sandbox 05/15/19 ####
(all with fakenet and MITM unless spam/secondary infection)
```

Epoch 1 C2 run on 2019-05-16 at 02:15 UTC - https://cape.contextis.com/analysis/74094/

Epoch 2 C2 run on 2019-05-16 at 02:45 UTC - https://app.any.run/tasks/36c17906-7f37-42e8-ac3c-e2af53cfefc1

```