## Emotet Malware Document links/IOCs for 05/28/19 as of 05/29/19 01:00 BST ##

*Notes and Credits now at the bottom* Follow us on twitter @cryptolaemus1 for more updates.
#### Epoch 1 Document/Downloader links seen for 05/28/19 ####
```
<none>
```
#### Epoch 2 Document/Downloader links seen for 05/28/19 ####
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2019:05:28 19:06:00 (Attachment Only - DOC Based - ENG - 365 Blue Background)
Creation Time 2019:05:28 13:17:00 (Attachment Only - DOC Based - ENG - 365 Blue Background)
Creation Time 2019:05:28 06:55:00 (Attachment Only - DOC Based - ENG - 365 Blue Background)
```
#### SHA256s for Epoch 1 Payload EXEs seen on 05/28/19 ####
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2019:05:28 19:56:00 (DOC Based - ENG - 365 Blue Box)
Creation Time 2019:05:28 13:54:00 (DOC Based - ENG - 365 Blue Box)
- SHA256:
- Creation Time 2019:05:28 11:20:00 (Attachment only, DOC Based - ENG - 365 Blue Box)
- SHA256:
- Creation Time 2019:05:28 07:08:00 (DOC Based - ENG - 365 Blue Box)
- SHA256:
- Creation Time 2019:05:27 20:23:00 (Attachment only, DOC Based - ENG - 365 Blue Box)
- SHA256:
- ```
- #### SHA256s for Epoch 2 Payload EXEs seen on 05/28/19 ####
- ```
- ```
- #### Epoch 1 C2s ####
- ```
- ```
- #### Epoch 1 - Spam/Stealer C2s ####
- ```
- <not verified>
- 61.92.159.208:8080
- 104.236.185.25:8080
- 50.116.63.9:7080
- ```
- #### Current Epoch 1 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
- ```
- #### Epoch 2 C2s ####
- ```
- ```
- #### Epoch 2 - Spam/Stealer C2s ####
- ```
- <not verified>
- 198.58.114.91:4143
- 213.136.86.219:7080
- 91.205.215.10:7080
- ```
- #### Current Epoch 2 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
- ```
- #### Credits and Notes Section ####
- ```
- WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs as it is confirmed to be malware.
- Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
- https://pastebin.com/u/jroosen
- https://paste.cryptolaemus.com
- NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list. I am providing them for your benefit in case you want to parse them to be sure.
- ```
- #### What is Epoch 1 and Epoch 2? ####
- ```
- What is Epoch 1 and Epoch 2? (updated 03/07/2019)
- I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures and separate RSA keys for communications.
- Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller, more rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period. This seems to change back and forth over a 6 month period. Despite having unique, unshared C2 infrastructures, these two botnets have been seen to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group, e.g. going on breaks at the same time period.
- Here are some observations I have noted since I have been watching these botnets:
- - Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an Epoch 2 document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those being delivered in maldocs on Epoch 2 at any one time.
- - Document hashes change every 10 minutes on both Epochs while distribution/spamming is active.
- - Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- - On Mondays of every week a new set of document download sites, and usually templates to accompany them, are generated early on Monday morning/Sunday night.
- - Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and Epoch 2 may have a document hosted on host.tld/B.
- - The RSA keys used for C2 communications on each Epoch/Botnet will change every few months or so.
- - Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
- *- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- - Each binary has a hard-coded list of C2 sites unique to the Epoch it was derived from.
- - C2s are never shared between Epochs/Botnets.
- - Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours via C2 to stay ahead of AV defs.
- - Spamming activity seems to cease on each botnet at around 00:00 UTC each day. It usually starts back up around 07:00-08:00 UTC each day.
- - Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- - The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- - Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation, spam template, word template, document type and even payload.
- If I think of anything else to add or if anyone else has any suggestions, I will add them here.
- ```
- #### Community Lists ####
- ```
- https://twitter.com/executemalware/status/1133520160726364160
- ```
- #### Credits ####
- ```
- (OC from @JRoosen and/or combination work of the following)
- Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
- @0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
- @Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk
- C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
- @devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192
- Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
- @pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
- @papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro
- Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
- Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
- helping out with this!
- Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
- @digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
- @urlscanio, @TrendMicro and @Virustotal for providing services/software no charge to this cause!
- ```
- #### Daily Log 05-27-19 ####
- ```
- One E2 email from BA today :|
- Spent a bit of time looking at this week's names for DOC attachments on E2. A sample of over 3000, with some clear patterns. Looks like country-specific branding as well (DE/PL/US). Potential for additional regex, but they periodically vary.
- https://pastebin.com/raw/ssA5eEeb
- A big thank you to all those that report #emotet, via Twitter, URLhaus, URLscan and all the sandboxes.
- General News:
- https://securityboulevard.com/2019/05/the-emotet-ion-game-part-3/
- REVIEW:
- If you didn't already see it, there is a very simple way to defang these ZIP/JS attachments or links. Just change the Explorer association to open .JS files via Notepad.exe. You can follow my instruction here in this Any.Run:
- https://app.any.run/tasks/81503633-0f95-48d4-bd80-c83ec5c2b763
- or you can do this via GPO. Here is a nice writeup on this process: https://montour.co/2016/09/group-policy-force-js-files/
- I recommend you do this because .JS malware is very 2016 or even earlier and most users never need to run .JS or .JSE for that matter.
- You can likely throw other extensions into the same configuration and @JayTHL had a nice thread discussing this here:
- https://twitter.com/JayTHL/status/1126204098670411779
- Email Template Report:
- Generic templates for the most part, the usual body text listed below.
- Review:
- What we know about the threaded templates/reply chain (changes are marked with *):
- - Emails are sourced from once (or still) compromised users all over the world.
- *- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied to the compromised party on or before Nov 2018 until at least March 2019 (may be up to present). Also have seen emails going back as far as June 2018.
- - Now on E1 and E2.
- - Now seeing German based templates that are essentially the same thing but in German.
- - The injected reply is usually prefaced with the following:
- "Attached is your confidential docs."
- "Attached please find the wire transfer form."
- "Thank you for your help. Please see the attached."
- "Load instructions attached"
- "A printer friendly attachment is now included with each email."
- "Click on the attachment to open or save the printer friendly version of your report."
- - Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
- - Attachments seem to be in the filename format of *_Month_DD_YYYY.doc/js so far.
- - The link is customized for the display text of the link to show the real domain of the spoofed organization.
- - These templates are pretty limited in run and not very numerous.
- Link Regex Report:
- Regex directory patterns
- E1
- *https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)
- https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/
- https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
- https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/
- E2
- https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
- *https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)
- https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/
- NOTE: If you get a lot of false positives, try adding (\"|\n) at the end of some of these after the last \/
- These Regex patterns are to be used experimentally and at your own risk but they caught 95%+ of link malspam.
- Payloads Report:
- Back to normal early start
- E1 was attachment only. 30 DOC hashes scraped from sources, 3 sets of E1 EXE with low hash turnover.
- The last E2 from yesterday (attachment-only) finally surfaced - I lack context to know if this was a distro problem resulting in delayed send, or just slow making it to the sandboxes.
- In addition to three expected E2 EXE sets across 370 URLs, there was a mid-morning attachment-only run.
- As with E1, hash turnover for EXE was low.
- C2 Report:
- C2 from E1 EXE gave 90 unique combos in total. - recorded above
- C2 from E2 EXE gave 92 unique combos in total. - recorded above
- Closing:
- <>
- TT
- ```
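As an added example (not part of the original Cryptolaemus list), the E1/E2 directory regexes from the Link Regex Report above are applied to a constructed message body, and a `strict` flag applies the report's suggested `(\"|\n)` suffix so a look-alike directory buried in a longer path no longer fires. The `example.invalid` URLs, the sample body and the function names are assumptions made for this example.

```python
import re

# Directory-pattern regexes transcribed from the Link Regex Report above; they
# are the report's experimental patterns, not a complete Emotet detector.
E1_SOURCES = [
    r"https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)",
    r"https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/",
    r"https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/",
    r"https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/",
]
E2_SOURCES = [
    r"https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/",
    r"https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)",
    r"https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/",
]
LINE_END = r'(\"|\n)'  # suffix the report suggests for cutting false positives


def compile_patterns(sources, strict=False):
    """Compile the patterns; strict=True appends the quote-or-newline suffix
    where it is missing, forcing the matched directory to end the path."""
    compiled = []
    for src in sources:
        if strict and not src.endswith(LINE_END):
            src += LINE_END
        compiled.append(re.compile(src))
    return compiled


def classify_url(url, strict=False):
    """Return 'E1', 'E2' or None. A newline is appended because the patterns
    were written for line-oriented tools (one of them already ends in the
    quote-or-newline group)."""
    line = url.strip() + "\n"
    for label, sources in (("E1", E1_SOURCES), ("E2", E2_SOURCES)):
        for pattern in compile_patterns(sources, strict):
            if pattern.search(line):
                return label
    return None


# Hypothetical URL extractor for message bodies (an assumption, not the report's).
_URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def classify_links(text, strict=False):
    """Map every URL found in a message body to its epoch label (or None)."""
    return {url: classify_url(url, strict) for url in _URL_RE.findall(text)}


# Constructed sample body: look-alike paths on the reserved domain example.invalid.
SAMPLE_BODY = """Thank you for your help. Please see the attached.
http://example.invalid/sec/Eng/myacc
http://example.invalid/US_en/Clients_information/123-45/
http://example.invalid/wp-content/uploads/2019/05/DOK/abc1_xyz98-123456789/
http://example.invalid/wp-admin/aBcDeFgH1/
http://example.invalid/ab12-cdef5-gh78/
http://example.invalid/ab12-cdef5-gh78/extra/report.pdf
https://example.invalid/wp-content/uploads/2019/05/report.pdf
"""

if __name__ == "__main__":
    for url, label in classify_links(SAMPLE_BODY).items():
        strict_label = classify_url(url, strict=True)
        print(f"{label or '-':3} strict={strict_label or '-':3} {url}")
```

The sixth sample URL shows the false-positive case from the report's NOTE: the loose E2 pattern fires on the `ab12-cdef5-gh78` component even though more path follows, while the strict variant does not.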
- #### Sandbox 05/28/19 ####
- (all with fakenet and MITM unless spam/secondary infection)
- ```
- E1
- https://app.any.run/tasks/0814daeb-92e9-4ede-9f51-5a0819de6c46
- E2
- https://app.any.run/tasks/ea02741e-cf9e-4726-a6a6-ab13845d7d06
- ```