jroosen

Emotet Malware IoCs 2019/02/22

Feb 22nd, 2019
## Emotet Malware Document links/IOCs for 02/22/19 as of 02/22/19 21:30 EST ##
*Notes and Credits now at the bottom* Follow us on Twitter @cryptolaemus1 for more updates.

#### Epoch 1 Document/Downloader links seen for 02/22/19 ####
#### Epoch 2 Document/Downloader links seen for 02/22/19 ####
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
  414. ```
  415.  
Creation Time 2019-02-22 20:11:00 (Doc Based - ENG - 365 Blue Box)
SHA256:
  450.  
Creation Time 2019-02-22 14:42:00 (Doc Based - ENG - 365 Blue Box)
SHA256:
  490.  
  491. Creation Time 2019-02-22 10:51:00 (Doc Based - ENG - 365 Blue Box)
  492. SHA256:
  519.  
  520. Creation Time 2019-02-22 07:17:00 (Doc Based - ENG - 365 Blue Box)
  521. SHA256:
  552.  
  553. Creation Time 2019-02-21 19:28:00 (Doc Based - ENG - 365 Blue Box)
  554. SHA256:
  606.  
  607. ```
  608. #### SHA256s for Epoch 1 Payload EXEs seen on 02/22/19 ####
  609. ```
  610.  
  633. ```
  634. #### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
  635. ```
  636.  
  637. Creation Time 2019-02-22 18:16:00 (Doc Based - ENG - 365 Blue Box)
  638. SHA256:
  690.  
  691. Creation Time 2019-02-22 14:29:00 (Doc Based - ENG - 365 Blue Box)
  692. SHA256:
  727.  
  728.  
  729. Creation Time 2019-02-22 13:45:00 (Doc Based - ENG - 365 Blue Box)
  730. SHA256:
  742.  
  743. Creation Time 2019-02-22 08:22:00 (Doc Based - ENG - 365 Blue Box)
  744. SHA256:
  786.  
  787. Creation Time 2019-02-22 06:57:00 (Doc Based - ENG - 365 Blue Box)
  788. SHA256:
  804.  
  805. Creation Time 2019-02-21 21:58:00 (Doc Based - ENG - 365 Blue Box)
  806. SHA256:
  845.  
  846. ```
  847. #### SHA256s for Epoch 2 Payload EXEs seen on 02/22/19 ####
  848. ```
  849.  
  877.  
  878. ```
  879. #### Epoch 1 C2s ####
  880. ```
  881.  
  926.  
  927.  
  928. ```
  929. #### Spam/Stealer C2s ####
  930. ```
  931.  
  941.  
  942. ```
  943. #### Current Epoch 1 RSA Public Key ####
  944. ```
  945.  
  946. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
  947.  
  948. ```
  949. #### Epoch 2 C2s ####
  950. ```
  951.  
  1000.  
  1001. ```
  1002. #### Epoch 2 - Spam/Stealer C2s ####
  1003. ```
  1004.  
  1014.  
  1015. ```
  1016. #### Current Epoch 2 RSA Public Key ####
  1017. ```
  1018.  
  1019. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
  1020.  
  1021. ```
  1022. #### Credits and Notes Section ####
  1023. ```
  1024. Updated 7/13/18
  1025. WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it
  1026. is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
  1027. https://pastebin.com/u/jroosen
  1028.  
  1029. NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
  1030. I am providing them for your benefit in case you want to parse them to be sure.
  1031.  
  1032. ```
  1033. #### What is Epoch 1 and Epoch 2? ####
  1034. ```
  1035.  
  1036. What is Epoch 1 and Epoch 2? (updated 01/29/2019) It has been a while since I refreshed this section so I wanted to update it and bring it up to date.
  1037.  
  1038. I have been tracking Epoch 1 and Epoch 2 since May of 2018. Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for
  1039. communications. Epoch 2 is currently the larger of the two botnets and I think it is the main push of Emotet. Epoch 2 WAS a smaller more rapidly changing
  1040. version of Emotet at one point in May/June of 2018. Now Epoch 1 seems to be the smaller of the two since this time period. Despite having unique unshared
  1041. C2 infrastructures, these two botnets have been seen to move bots from one to the other and show similar behaviors seemingly controlled by a single
  1042. entity/group. Here are some observations I have noted since I have been watching these botnets:
  1043.  
  1044. - Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an Epoch 2
  1045. document download site. Specifically, Maldocs on Epoch 1 will have a different document creation times and payload quintets than those being delivered
  1046. in maldocs on Epoch 2 at any time.
  1047. - Document hashes change every 10 minutes on both Epochs while distribution/spamming are active.
  1048. - Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
  1049. - On Mondays of every week a new set of document download sites and usually templates to accompany them are generated early on Monday morning/Sunday night.
  1050. - Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and Epoch 2 may
  1051. have a document hosted on host.tld/B.
  1052. - The RSA keys will change every month or so for C2 communications on each Epoch/Botnet.
  1053. - Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
  1054. - Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
  1055. - C2s are never shared between Epochs/Botnets.
  1056. - Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours to stay ahead
  1057. of AV defs.
  1058. - Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
  1059. - Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
  1060. - The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA Key.
  1061.  
  1062. If I think of anything else to add or if anyone else has any suggestions, I will add them here.
  1063.  
  1064. ```
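The last observation above (find the payload, then check the C2s/RSA key) can be scripted once a sandbox has extracted a sample's configuration. The following is an added example, not code from this paste or its contributors; the `EpochProfile` structure, the `attribute_epoch` function, the documentation-range IPs and the key identifiers are all constructed placeholders.

```python
from typing import Iterable, NamedTuple

class EpochProfile(NamedTuple):
    name: str
    c2s: frozenset   # "ip:port" strings currently recorded for this epoch
    rsa_key_id: str  # fingerprint of the epoch's C2 RSA public key

# Constructed reference data: documentation-range IPs and placeholder key ids.
PROFILES = (
    EpochProfile("Epoch 1", frozenset({"192.0.2.10:443", "192.0.2.11:8080"}),
                 "E1-KEY-PLACEHOLDER"),
    EpochProfile("Epoch 2", frozenset({"198.51.100.20:443", "198.51.100.21:7080"}),
                 "E2-KEY-PLACEHOLDER"),
)

def attribute_epoch(sample_c2s: Iterable[str], sample_key_id: str,
                    profiles=PROFILES):
    """Return (verdict, reason) for one extracted payload configuration."""
    c2s = {c.strip().lower() for c in sample_c2s if c.strip()}
    by_c2 = {p.name for p in profiles if c2s & p.c2s}
    by_key = {p.name for p in profiles if p.rsa_key_id == sample_key_id}

    if len(by_c2) > 1:
        # C2s are never shared between epochs, so the reference sets are stale or mixed.
        return "conflict", "C2s overlap more than one epoch: " + ", ".join(sorted(by_c2))
    if by_c2 and by_key and by_c2 != by_key:
        return "conflict", "C2s and RSA key point to different epochs"
    if by_c2 and by_key:
        return next(iter(by_c2)), "C2 list and RSA key agree"
    if by_c2:
        # Keys rotate roughly monthly, so an unknown key alone is not a conflict.
        return next(iter(by_c2)), "C2 match only; RSA key not in reference data"
    if by_key:
        # C2 lists change often, so a key match with no C2 overlap is still useful.
        return next(iter(by_key)), "RSA key match only; refresh the C2 reference list"
    return "unknown", "no overlap with either epoch"

if __name__ == "__main__":
    print(attribute_epoch(["192.0.2.10:443", "203.0.113.5:8080"], "E1-KEY-PLACEHOLDER"))
    print(attribute_epoch(["198.51.100.21:7080"], "ROTATED-KEY"))
    print(attribute_epoch(["192.0.2.11:8080"], "E2-KEY-PLACEHOLDER"))
```

A "conflict" verdict is a signal to re-check the reference lists rather than the sample, since the observations above say the two botnets never share C2s.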
  1065. #### Community Lists ####
  1066. ```
  1067.  
  1068. https://twitter.com/ps66uk/status/1099059333604753414 - @ps66uk
  1069. https://pastebin.com/XphvkZDD - @pollo290987
  1070. https://otx.alienvault.com/pulse/5c705f9e1a83e475aeb19b09/ - @SecSome
  1071.  
  1072.  
  1073. ```
  1074. #### Credits ####
  1075. ```
  1076. (OC from @JRoosen and/or combination work of the following)
  1077.  
  1078. Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, @0xtadavie,
  1079. @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @leunammejii, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey, @Jan0fficial
  1080. @shotgunner101, @HerbieZimmerman, @Outkast_TI
  1081.  
  1082. C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie, @devnullnoop,
  1083. @gorimpthon, @Racco42, @Jan0fficial
  1084.  
  1085. Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz, @pollo290987,
  1086. @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey, @Jan0fficial,
  1087. @OguzhanTopgul, @HerbieZimmerman
  1088.  
  1089. Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
  1090.  
  1091. Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and helping out with this!
  1092.  
  1093. Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
  1094. @digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch
  1095. and @Virustotal for providing services/software no charge to this cause!
  1096.  
  1097. ```
  1098. #### Daily Log ####
  1099. ```
  1100.  
  1101. Today was light and only saw 14 malspams. Almost all of them were link type with the same templates of late.
  1102. Spamming stopped at about 19:30EST for both botnets again.
  1103.  
  1104. Today I saw a new tactic of offering a Transaction Refund which has not been seen that I can remember. The really odd thing about it was it was dated
  1105. as of 2007 for some of them so maybe someone forgot to change the time in the template. Others were current time so I am not sure what happened.
  1106. (Picture attached in Report)
  1107. The HTML templates look like this:
  1108. ________________
  1109.  
  1110. From: Full Spoofed Name <Compromisedsender@domain.tld>
  1111. To: victim@yourdomain.tld
  1112. Subject: Transaction Refund for $1150.00
  1113. Subject: Transaction Refund
  1114.  
  1115. <html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body>
  1116. <title></title>
  1117.  
  1118. <table width="100%" cellpadding="5" cellspacing="0" style="font-size:12px;color:#000000;font-family:arial, sans-serif;">
  1119. <tbody><tr>
  1120. <td valign="top" align="left">
  1121. <table width="550" cellpadding="5" cellspacing="0">
  1122. <tbody><tr>
  1123. <td valign="top" align="left" style="font-size:12px;color:#000000;font-family:arial, sans-serif;">
  1124.  
  1125.  
  1126. <p>
  1127. </p><div style="font-size:16px;font-weight:bold;">REFUND CONFIRMATION</div>
  1128.  
  1129. <table cellspacing="0" cellpadding="2" bgcolor="#a0a0a0" width="100%">
  1130. <tbody><tr><td><span style="color:#ffffff;font-size:12px;">
  1131. Invoice Information
  1132. </span></td></tr>
  1133. </tbody></table>
  1134.  
  1135. <table cellspacing="0" cellpadding="2" width="100%">
  1136.  
  1137. <tbody><tr><td width="90" valign="top"><span style="font-size:12px;margin-top:12px">Description:</span></td><td valign="top"><span style="font-size:12px;margin-top:12px">Online Payment</span></td></tr>
  1138.  
  1139. </tbody></table>
  1140. <table cellspacing="0" cellpadding="0" width="100%">
  1141. <tbody><tr><td width="250" align="top">
  1142. <table cellspacing="0" cellpadding="2">
  1143.  
  1144. <tbody><tr><td width="90" valign="top"><span style="font-size:12px;">Invoice Number&nbsp;</span></td><td valign="top"><span style="font-size:12px;">2921794</span></td></tr>
  1145.  
  1146. <tr><td width="130" valign="top"><span style="font-size:12px;">Customer ID&nbsp;<br></span></td><td valign="top"><span style="font-size:12px;">AY7786</span></td></tr>
  1147. <tr><td><br></td></tr>
  1148.  
  1149. </tbody></table>
  1150. </td>
  1151. <td valign="top">
  1152. <table cellspacing="0" cellpadding="2">
  1153. </table>
  1154. </td></tr>
  1155. </tbody>
  1156. </table>
  1157. <hr>
  1158. <table cellspacing="0" cellpadding="0" width="100%">
  1159. <tbody><tr><td>
  1160. <table cellspacing="0" cellpadding="2" align="left">
  1161.  
  1162.  
  1163. <tbody><tr>
  1164.  
  1165. <td valign="top" align="left"><span style="font-size:14px;font-weight:bold;">
  1166. <a href="http://serenitymatagorda.com/REF/company/ltUFg-WvsBx_LBzWEiI-UNg">Get REF-receipt</a></span>
  1167. <br>
  1168. </span>
  1169. </tbody></table>
  1170.  
  1171.  
  1172. <table cellspacing="0" cellpadding="2" align="right">
  1173. <td valign="top" align="right"><span style="font-size:14px;font-weight:bold;">Total:</span></td>
  1174. <td valign="top" align="right"><span style="font-size:14px;"></span></td>
  1175. <td valign="top" align="right"><span style="font-size:14px;font-weight:bold;">$1150.00 </span></td>
  1176. </tr>
  1177.  
  1178. </tbody></table>
  1179. </td></tr>
  1180. </tbody></table>
  1181. <br>
  1182. <table cellspacing="0" cellpadding="2" bgcolor="#a0a0a0" width="100%">
  1183. <tbody><tr><td><span style="color:#ffffff;font-size:12px;">
  1184. Payment Information
  1185. </span></td></tr>
  1186. </tbody></table>
  1187. <table cellspacing="0" cellpadding="0" width="100%">
  1188. <tbody><tr>
  1189. <td valign="bottom">
  1190. <table cellspacing="0" cellpadding="2">
  1191. <tbody><tr><td width="130" valign="top"><span style="font-size:12px;">Date:</span></td><td valign="top"><span style="font-size:12px;">02/06/2019</span></td></tr>
  1192.  
  1193. <tr><td width="130" valign="top"><span style="font-size:12px;">Transaction ID:</span></td><td valign="top"><span style="font-size:12px;">89123494617</span></td></tr>
  1194.  
  1195. <tr><td width="130" valign="top"><span style="font-size:12px;">Payment Method:</span></td><td valign="top"><span style="font-size:12px;">Card ''''''7410</span></td></tr>
  1196.  
  1197. <tr><td width="130" valign="top"><span style="font-size:12px;">Transaction Type:</span></td><td valign="top"><span style="font-size:12px;">Refund</span></td></tr>
  1198.  
  1199. <tr><td width="130" valign="top"><span style="font-size:12px;">Auth Code:</span></td><td valign="top"><span style="font-size:12px;"></span></td></tr>
  1200.  
  1201.  
  1202.  
  1203.  
  1204.  
  1205.  
  1206.  
  1207. </tbody></table>
  1208. </td>
  1209. <td valign="bottom" align="right">
  1210. <table>
  1211.  
  1212. </table>
  1213. </td>
  1214. </tr>
  1215. </tbody></table>
  1216. <br>
  1217.  
  1218.  
  1219. <table cellspacing="0" cellpadding="2" bgcolor="#a0a0a0" width="100%">
  1220. <tbody><tr><td><span style="color:#ffffff;font-size:12px;">
  1221. Merchant Contact Information
  1222. </span></td></tr>
  1223. </tbody></table>
  1224. <div style="top:0; width:98%; font-size:12px; text-align:left;">Full Spoofed Name</div>
  1225. <a href="mailto:Spoofed email">Spoofed email</a></div>
  1226.  
  1227.  
  1228. </td>
  1229. </tr>
  1230. </tbody></table>
  1231. </td>
  1232. </tr>
  1233. </tbody></table>
  1234.  
  1235.  
  1236. </div></blockquote></body></html>
  1237. ________________
  1238.  
  1239.  
  1240. Beyond this I saw a few of the typical things like 2 German based Invoice malspams this morning and some ACH Forms/Payment/Receipt Bills in the
  1241. afternoon with a few Freshbooks messages thrown in for good measure.
  1242.  
  1243. Unfortunately it looks like CAPE extraction is broken for C2s now. I have switched back to using Any.Run. The keys have not changed either.
  1244.  
  1245. E1 C2s changed and combos decreased to 44 from 48 yesterday. - Recorded above.
  1246. E2 C2s changed and combos decreased to 48 from 51 yesterday. - Recorded above.
  1247.  
  1248. The keys have not changed.
  1249.  
  1250. Notice: the @cryptolaemus1 posts may be a little chatty this week with C2s both saying they are from E1 when they really are either E1 or E2
  1251. in disguise. The bot thinks everything is E1 right now but the posts are accurate and complete. For confirmation check these daily posts.
  1252.  
  1253. Have a great weekend everyone!
  1254.  
  1255. ```
  1256. #### Sandbox 02/22/19 ####
  1257. (all with fakenet and MITM unless spam/secondary infection)
  1258. ```
  1259. Epoch 1 C2 run on 2019-02-23 at 01:00 UTC - https://cape.contextis.com/analysis/39527/
  1260. Epoch 1 C2 run on 2019-02-23 at 01:15 UTC - https://app.any.run/tasks/9272df7d-49b5-4f71-b402-6c4deab670ad
  1261.  
  1262. ```
  1263.  
  1264. ```
  1265.  
  1266. Epoch 2 C2 run on 2019-02-23 at 01:00 UTC - https://cape.contextis.com/analysis/39528/
  1267. Epoch 2 C2 run on 2019-02-23 at 01:15 UTC - https://app.any.run/tasks/dda5b389-4b96-4f00-bf34-6d4e4d8b86ee
  1268.  
  1269. ```