ps66uk

#Emotet Malware IoCs 2019/05/28

May 28th, 2019
## Emotet Malware Document links/IOCs for 05/28/19 as of 05/29/19 01:00 BST ##
*Notes and Credits now at the bottom* Follow us on twitter @cryptolaemus1 for more updates.


#### Epoch 1 Document/Downloader links seen for 05/28/19 ####
```

<none>

```
#### Epoch 2 Document/Downloader links seen for 05/28/19 ####
```

http://9adhity.com/wp-includes/Scan/lRdGqCxAIrblhWESpHJPhgiMfXAtF/
http://aamihr.com/31gy/eyf7u6-zhnup-jlhmdu/
http://aasian.ch/wp-admin/2khtfm-texb9b-cypvlc/
http://abasindia.in/abasindia.in/PUpnqGAxXUpWRNKMSrLpDwk/
http://adamshop24.de/wp-includes/o1guhen-z34z5pg-cdwsjhm/
http://adminwhiz.ca/FTPwhiz/jgldbTNBgBbUHdmt/
http://agriclose.eu/wp-includes/hy5zk-790n8en-zbfqwqp/
http://agrosurya.com/wp-content/uploads/2019/05/DOK/hsnrdm6menkz9_2nh78wn-05713934634488/
http://ajkhaarlemmermeer.nl/wp-includes/olijv1-ipoq9-sfvo/
http://albaniadancesport.org/wp-content/Dok/rWQHTbUYAeEsjhwrrTe/
http://aleterapia.com/wp-includes/himt1nj-mgxgmm6-jsmjpxv/
http://alitekinture.com/wp-includes/s7k3kh-4u4w7-uemc/
http://allaypharma.com/wp-admin/Scan/qywlvf1egg0kgk055d2ee_0b76l5-6114076748/
http://allegromusicart.com/wp-admin/user/Pages/dqvcjm4132znq_ec4cac-7153438678/
http://ammar187.000webhostapp.com/wp-admin/Inf/TpaKnEylLPRC/
http://apecmadala.com/ca4ajte/Scan/dm459cmpwts0k2fsn1osn76wp9q_wqbzi-321319218/
http://aridostlari.com/irfu/Scan/HcdpSzlUrBqSAvyqi/
http://aromakampung.sg/wp-content/plugins/jGCruALnctnhWcPLTfRdBlxQNFpV/
http://artworkshopsinternational.com/ewpd/1y2e-m559vsx-iqrs/
http://autoshuma.net/wp-admin/INC/zycspw48qk3i_ikxqeym7k-9904114885/
http://azademomeni.com/wp-includes/dof2qr-phob4g-rfskn/
http://azimuthrenovaveis.com.br/wp-admin/PLIK/rNzVyRhC/
http://bagiyapi.com/wp-includes/nbi588-mvt90k-ykwd/
http://bangtan.az/yfvxdx/parts_service/ux811t8fb9l1shjgq3cqslrlpnoi_2yvvlnz-98770782433/
http://beekayagencies.com/font-awesome/2qcuj-oisk1r-swuuwld/
http://benederpop.nl/wp-content/7u4de7-cvj18-vqvzrj/
http://besttasimacilik.com.tr/wp-content/uploads/gnetrg1o_fpkmc2y-595917581/
http://blmaluminios.pt/5pqn/parts_service/TVMJELksZeUXXIhgGBmlUY/
http://blog.steadfast-inc.com/wp-content/plugins/paclm/76zekp2xzh1dsgru5jsgmlqoqq8l1u_6k9qxp-883756608888/
http://blog.steadfast-inc.com/wp-content/plugins/Pages/cgser7tm7kq5unqf5w6ok_tjpb7-426423773964/
http://blueceratiles.com/uploads/EeWpwfZBfsbnLlifG/
http://bluedream-yachting.com/wp-admin/YxsWkWbrIxymRWTPWZZWZP/
http://bmk.zt.ua/j7br/Dane/ah4zpt1t9ht24zrc2ts0fhtfycm_lzpow-43467507/
http://buildinitaly.com/domina/o6d1f-lbtes-holaau/
http://callihorizon.com/wp-snapshots/INC/t5scutv1dwj_jaaqu-352898068880047/
http://chef-solutions.dreamscape.co.in/wp-admin/parts_service/HrJAQmSWlbBdrupBhwUmDKekDKR/
http://chicagolocalmarketing.com/cgi-bin/wnicd-l5r1u9-npwkh/
http://chiolacostruzioni.com/cgi-bin/0wai-mtfi7l-askvo/
http://coltfinanciera.com/wp-content/0milo-peg7ff-qvbws/
http://connectingthechange.com.au/wp-admin/ul8i169at68cvy1qpq1cyrnc_byf6m0u-24772763363/
http://contabilidaderesulte.com.br/wp-admin/DOC/ztZpVYxawtwAGMZdUekS/
http://customerexperience.ro/calendar/DOC/VdYlEhpGRKoAVrYvAUQkZQgpCMuk/
http://dangdepdaxinh.com.vn/dangdepdaxinh.com.vn/LLC/ORqoiFwFdlG/
http://delpiero.co.il/xzig/4sonl6eogw_cm8hviq-90178285/
http://delwuinfoservices.com/wp-admin/esp/gGKnyakkbuaOGGkHWkdBmtC/
http://dentalimplantsdubai.ae/wp-content/Pages/xqHucZHPjsKamw/
http://deolhonaprova.com.br/wp-includes/Dok/tj0hjjpnbjbrekwb4a66ksh88uspe_sbo9xg-399229692101/
http://designsbykarenpolack.com/wp-includes/images/INF/FZKeFdASHrbDAAue/
http://dev-bk.se/site/uploads/2019/parts_service/ozpc5r3v1054hotghozv3z2z_935iguaiqp-83687914739/
http://disbain.es/wp-includes/xf79ds9dizn5d5l650a_87v710v-119507105/
http://donghanhxanh.vn/wp-admin/DOK/kHCtBSBTjnhKljIatYmAOB/
http://donghethietbi.com:443/wp-admin/lm/aRQkqmHLcCqVdOUcrQmZllwJvP/
http://dongxam.com.vn/vgw8/DOC/zLyXUOnYqFeMFi/
http://dotnetdays.ro/wp-admin/4gp8-p5vul-olvu/
http://ebslaradio.cl/css/sites/pqah6nuj3yz39j5vii7_byu36zn1-970548939/
http://edicolanazionale.it/wp-content/jh7my-bnqb2-zxav/
http://elvi.info/wp-content/LLC/ygfv9bdoukhmycls0i6r_mcbs7p2da-4181752296/
http://enagob.edu.pe/nuget/LLC/vqsr8lna27ug9nv2feb5jgz_v7ipufb0-702026703803305/
http://endofhisrope.net/2008-08_PSBearDonate/ni5ef9rgv8vpnvdf2wknvy_1fty18-5560290098/
http://escalaragency.com/wp-includes/v5ej5o-3bauic-xjadiys/
http://escritonasestrelas.com/wp-includes/vdpysps-tijy84-veoszzp/
http://evertonholidays.com/cgi-bin/17dmul8880vaa883nexza_poin3bqzk-3404969777/
http://excellentceramic.com.bd/wp-admin/FILE/39s6ehvlsjbm_2rgd9ksu5-80904262/
http://exitex.ir/wp-includes/kqgglk-mpn14c-gqpouhx/
http://faal-furniture.co/wp-snapshots/5utp-5mljh-eniga/
http://fabricsculture.com/wp-includes/parts_service/enzwZWtGccnKyzqAluzpAu/
http://fashiontwist.pk/wp-content/19vtr6j-iggqng-mzmkvq/
http://feti-navi.net/wp-admin/lm/yOhVYbIZSe/
http://forum.facedog.by/components/czpf4gijg_d9n4e96eb7-5189701579120/
http://fulan.ga/wp-content/INF/gyubltjtb_pmd2kukv-87808156/
http://fungames4allapps.com/wp-admin/lhzhnjd-4cp4xm-affe/
http://funsportsgameapps.com/wp-admin/x9olmfo-z7ei6k-pcxpp/
http://futar.com.sg/ua6v/LLC/ofbbog1zvwt4o3vjizrimqvb9ygc_xkgpfol-4139989949/
http://fute.lk/wp-content/FILE/shkmwaw4324aoimz86z5sh20xzbnvv_1es3ojt-1660819873/
http://g4osj.co.uk/cgi-bin/FILE/NahUHWYvZxvjNLZjpOSeqdyCXdSw/
http://gamesbeginner.com/wp-includes/0dv2t-fp31q-eflz/
http://gataran.com/wp-includes/0zshvdule0t72q2ids6cjpe6wps_r22izox1-13318428/
http://gauravnayakwadi.in/wp-content/INC/RTNOiuzzJlPivz/
http://gdwenxue.cn/wwcw/DOC/VuoqaIbRpEmxlUWAIbtu/
http://geratapetes.com.br/wp-snapshots/Dane/SNWcvTipmQ/
http://ghazi21.xyz/wp-admin/adWizUHgZnSx/
http://globalhruk.com/globalhr280318/Plik/ui6b2qadu5djjjawi3thb3_lqlck6-70220690735905/
http://glugaz.com/wp-content/Dok/c6p92o69r4mvpn8_ca5x1-17553174168899/
http://grafikomp-web.pl/images/paclm/qz9gnqox86a836cnaqmi34dpk_z1w9s07-6758905517/
http://gundemakcaabat.com/jumd/lm/x42ani1hukkebuzybc59yg01ni_dmiev-68340372338/
http://haghshop.ir/wp-admin/4q2ok6-m78nk8z-qndh/
http://hambike.com.ar/awstats/INF/k12qfakmsebp4evmgv0krgz_dgvi35m-48524571864279/
http://haxuanlinh.com/otzc/parts_service/ec9qai9jwa5g_fquunn1mp8-8150963330/
http://hayphet.net/upload/esp/hJoZssutpyHvLLJLyfzpmbGHc/
http://hazmeeldia.mx/wp-content/ycCgvMqEpKbyTZKJzcBgIB/
http://hcmlivingwell.ca/wp-admin/sites/revxbvjccjm0sq4540x0c_l25eq242f-64615888/
http://help.shop123.net/help/DOC/JyywdyyizPxZdZkaUZLqE/
http://hennfort.com.br/install/INC/x500k2dhhhbwj3nce7_m2azj32-120971439204/
http://himappa.feb.unpad.ac.id/images/rbvoi2-63gjefe-qbrc/
http://hiringjet.com/aaupdatecoreo/sites/ixw2adapg3q5popb0_71yus9c-3510138678458/
http://hondaotothaibinh5s.vn/html/lm/qJhJDSjXAHwJhFOogYojzjz/
http://hondathudo.com/wp-snapshots/parts_service/1cothgsd7i7wwj_66rg7ufvl-156447858351/
http://hotelplazalasamericascali.com.co/wp-content/p195z1-vph7uc4-mqge/
http://hotelroamer.com/cgi-bin/Dane/w7lbm4l34isfci3vbkpqm3a5wt4kl_m3j5mss-494729068/
http://imis2.top/wp-content/lm/8nacv8qnwy_d7ro0a-067006290795/
http://indesignflorida.com/wp-admin/Document/nc2m8sgw7d15lgw0np_2y70s43b-644730778/
http://inpacetech.com/wp-content/LLC/JMpBCsccfG/
http://insitupro.cl/cgi-bin/jqz7cly-wc86n-udss/
http://ithespark.com/software/Pages/wZhrIpOlRvFmtcg/
http://jamesapeh.com.ng/wp/parts_service/lb691n3t3hg9i7prhomskfitp313v_duo3m-989273786/
http://jbwedding.co.za/css/esp/qtrgcp7mhq8tmg5n265xbukp_qpqopcjez0-2596232733401/
http://jsc.go.ke/wp-content/uploads/Scan/6s8imqp09p2yegn204izk6p8sg6_5rg8yf1rgp-9697784181/
http://keysolutionsbox.com/wp-admin/35i8ko-oz501u6-kfrk/
http://kgml.pt/wp-admin/LLC/GSOWbtmhlhBQvUVTVKwzcIOvHKz/
http://khambenhxahoihanoi.net/wp-includes/eygGQMXm/
http://khoayduocdaihocthanhdong.edu.vn/wp-content/Plik/nhtek6b1heol169wqg1i4xt9iwa5_a0im7ttz-332385928588322/
http://kimia.fkip.uns.ac.id/wp/DOC/unntsx9ecvy5b16nq_jlursbntd-055048999/
http://lacvietland.com.vn/wp-includes/ldgc7ix-6i0100-hujxrgp/
http://lattsat.com/wp-content/SfmfwUVxskFL/
http://lavinnet.ir/wp-admin/dok0-1x5nhft-ednmtue/
http://leplateau.edu.vn/wp-admin/YSyJnDPQrT/
http://lifeed.de/wp-content/1kfkpauhyaf2yd1nwuwaf5qi_v9srucd-660134982176753/
http://lifemed.kz/storage/sites/mhUthnbQLpvaFagQ/
http://lightlab.mohawkgroup.com/wp-admin/fs50vz-mylh5-maetkj/
http://littleabd.com/wp.bbk/LLC/xsAKptNcAmyZwpDXnGv/
http://losethetietour.com/loseadmin/k8gzn62-mqdrst-vuvla/
http://lp.gigaspaces.com/cgi-bin/hwsskn-6dlm6rt-rkgpdy/
http://luteranosblumenau.com.br/cgi-bin/esp/7t6vv50yrw705dqpxub7fwd2_bzykgo-443407317214052/
http://madadeno.ir/ioqz/4xmw49zwlo37a7_6h1emiuz-47966905363445/
http://mads.sch.id/wp-content/FQlfiJdGQGDgotTDCEf/
http://maisgym.pt/wp-includes/FILE/g23oabnx0jy_btnrqhf-66878754808/
http://maisonmanor.com/wp-content/esp/n1mk8hgu_t43tw-725714268875/
http://maissa.bio/www/7yk69v7-kp75m-rjartek/
http://malekii.com/clbv/jq8df-7zetr-qxop/
http://mansha.tk/wp-admin/yhhh3mxrwmsl58u2oge9x7df_de8nqrhqv-98442995087132/
http://marcoarcieri.com/wordpress/HTixsFuNGkxkbaFrjTHYBoezCml/
http://maul.hr/blogs/kaj1cr-nl3nn-wwaatq/
http://maupindah.com/wp-includes/Plik/5uw9lv1w_8835b-4351190324/
http://maxclub777.net/wp-includes/esp/8n9kz6zwef77w2wvrk0x_m1yxncthg-9413662787617/
http://mayamerrit.com/wp-includes/Document/zWsyzvxyzDmuVFYzUsSkz/
http://maykop-news.ru/wp-content/paclm/ag2tknctbs2bb2thhsc4lim9n5zm_kpa0lj-508963173/
http://mceltarf.dz/myadmin/lVnUpoqTLAlATMxpWRBr/
http://met.fte.kmutnb.ac.th/wp-admin/Document/oq8wzjr532y5obd3g_bgjqpiod3-7712741001967/
http://metaledging.net/wp-content/LLC/k2cplf9519b_3tsh86-4020520927866/
http://mettaanand.org/wp-content/sh9b0-lq00ib2-pter/
http://mhlsistemas.com.br/00mhl/782u0-ncqy14-jqnb/
http://miazen.ca/wp-admin/paclm/kRwyqqHS/
http://miff.in/media/0qm4oiueyca943tcx0p6_9wsd9s5-58679980857319/
http://mitsubishioto.com/us/jia1bh4-u7ypk91-gblhvsy/
http://moneycomputing.com/eebd/esp/QIbgHKbS/
http://montblancflowers.com/sitemaps/esp/QqlaiTnCKKBtDuWlnOE/
http://mulinari.med.br/homologacao/wp-content/uploads/INC/gzppinu9ltkaig_su53ecqpe-86320592/
http://musicaparalaintegracion.org/wp-admin/zpgymbg-obdbf86-vkfumx/
http://mydynamicsale.com/wp-content/INC/jnmjhbwprmczqer50gq3e_9546t2-73865426322/
http://m-yoshikazu.com/reference-demo/Document/87oi0wq2epd4y_x3753prg-36300716495/
http://mysmartchoice10.000webhostapp.com/wp-admin/Dane/UUmHQYNofuIAjlLRvmKS/
http://namanganteatr.uz/videos/6r8c6y-l61lu83-ajezpvw/
http://nbn.co.ls/cgi-bin/PLIK/ioo7yffqo92dymmfsqzl8k_woai7-5533480025/
http://ncoimbra.pt/31e0/xNFUQMwLjMFwjXKMPbWr/
http://netranking.at/wp-content/FILE/lpDAHwpJzlmVJ/
http://nevenageorgievadunja.edu.mk/alfacgiapi/sites/c4ulng9eqf4ficpwo3o9at8moqx68_695zpr2-01228641/
http://nextrealm.co.uk/cgi-bin/8w2i8ylzveploq9f_6j6ij0-682567154/
http://nfbio.com/img/upload_Image/edm/pic_2/Document/MIqOgySRzzpZVIhpKtuAipt/
http://nfsconsulting.pt/cgi-bin/FILE/zjRwaRJETtdnNbmBebhw/
http://nieuwhoftegelwerken.nl/lm/vPTYZsEfxdSPGcUF/
http://nightowlmusic.net/reference/DOC/l29h2lm0r6vpuw6v4hjt4v_db2x446a-645341033965123/
http://noithatquyetloan.com.vn/downloads/cpdizih-sz8pmmi-vsznx/
http://norperuinge.com.pe/norperuana_archivos/Pages/jjzywqoggleqye2ia7owdboijgco5x_l6sutq4i-1864307550/
http://oficinadacarreira.com.br/wp-admin/Scan/bARIkDRxrxgvHTceXPAYoLSDUKJc/
http://olavarria.gov.ar/libroolavarria/vrm9-cxviupl-iibwyp/
http://olavarria.gov.ar/libroolavarria/ybgko-408txdb-pxlgyue/
http://omnisolve.hu/sites/Pages/iinhmqmyn7xlh_r84gvw5vd7-0051916833/
http://oncoursegps.co.za/inventory/Scan/qjrmz8ju2686oz5xcb_6kpxemu9cr-5741214415/
http://onepointlead.co.uk/wp-content/sites/UrbnLwMJzvVPezk/
http://onepursuit.com/wp-includes/Scan/xbfpv1qb6yg_y2t1mot1-547023491779852/
http://onestin.ro/wpThumbnails/FILE/4o2up4lwzoaafd64w4c3tk2t0_7gmgqn-74402121536/
http://onlinemafia.co.za/cgi-bin/ay341aj0ct_7e8gv2x0v-4928522797/
http://onlinetech-eg.com/wp-content/Scan/zGAvHgAfywXtxcNRO/
http://organichana.com/wp-content/doat-whosoma-jfyirkm/
http://orygin.co.za/cgi-bin/vo7g6fhoxdur04w3u5jj_nzw2yohdw-12898478915/
http://otojack.co.id/wp-content/uploads/1b8ak-w1d08-mhugs/
http://ottimade.com/wp-includes/INC/ZLWveLpIxYSiAVnVxNGUdXzZWjvcE/
http://ovelcom.com/cgi-bin/TIiUbNptglMlDsuV/
http://ozganyapi.com/wordpress/2ufrsxw-lvejcr-azjbwwt/
http://pafagroup.com/wp-content/FILE/e3ii1s3rj51sui_qi2zzbdk84-69805265/
http://pagan.es/DE/parts_service/odHdzMhnxNC/
http://paifi.net/ssfm/455b7158xjgnhq5zf90qjakpjoo_a5wz85-51998664/
http://paramos.info/INC/jiuys7jxqbtuetvcmei398ua_dxnx3-1612900777374/
http://parenting.ilmci.com/xekd/xIjRzHALVXchdTyBfzxd/
http://parisel.pl/temp/Document/DCjmvktlcqOywWgvSk/
http://parquet-san.com.ua/wp-content/sites/tg0igiaznonzpqg_fs8pq1-4214797001/
http://parser.com.br/10/UemDtSxBNvtIOEMhsUwNZYJD/
http://passelec.fr/translations/XmMCGkcPrsWtUUVmXlSslYZkiy/
http://patrickhouston.com/beavismom.com/xvfNGompChwUFDfgQw/
http://patroldata.com/wp-content/kqhw-tipjqp-face/
http://pbcenter.home.pl/pbc/sites/PUxCKmLk/
http://pclite.cl/correo/sites/RDfRXvbkkcW/
http://pcsafor.com/coches/ruk6jsknrrbeoy91_lvsat-989681296456/
http://peacewatch.ch/fileadmin/LLC/FQYIXuVbIXvWgoJW/
http://pedroprado.com.br/em-breve/8e9w6j-t6vq1-dhvlys/
http://perfax.com.mx/cckG-iJ0tBPscI3afgSS_HRsdwWrra-aG/DOC/bSotvnZPbSYSEiMWeQ/
http://perfax.com.mx/cckG-iJ0tBPscI3afgSS_HRsdwWrra-aG/LLC/clIxdxWQGDRcoVGLUpVLYkradH/
http://pescadores.cl/wp-includes/lm/WtXaTyDwOVGtucRDxWoBf/
http://photodivetrip.com/test/LLC/sbwx5le0k1fxgf_v6be0jxfra-37193886141/
http://pjbuys.co.za/EN_US/FILE/mn5oblpmldqnm5go1qofxvzsizx_4m4t3116-568597395577409/
http://planologia.com/mail/parts_service/cn1yathgn1rs0_mhayfznqy0-143270358110018/
http://pornbeam.com/jmr0q4ekkhebbu92anxz13z4k_gt5h3dt-730001972445594/
http://portfronts.com/wp-includes/36jov9i-0b7q0-zhptuwp/
http://possopagar.com.br/wp-admin/sites/zt7xm40dko6fh69b7mkg7o_n0adulyym-456554391045/
http://pranammedia.com/wp-content/svZokukA/
http://precisiontech.com.ar/wp-backup/5e9zuvx-4oz09-wogxnq/
http://premiera.ks.ua/wp-admin/bdhjhs-67gnq-lfhztb/
http://probright.com.kz/wp-admin/Document/8by83mzxt4khf37wbts69gch_93ufqgb-63345467/
http://projectwatch.ie/mychat/INC/quslRieRiaZVRLb/
http://psihologcristinanegrea.ro/wp-admin/DOC/TtbXqYzITETWplm/
http://ptmaxnitronmotorsport.com/cgi-bin/Pages/SEkoZZqTQwwyddkOdLwWmYIsrmfX/
http://pufferfiz.net/Files/Document/3a1sm8skeuzgl7cqyy_bmwlr-415254194580508/
http://pyneappl.com/wp-admin/gwtpmig-513ir1r-bbut/
http://qgproducoes.com.br/wp-content/kKFNpQGTDxQbIESKNKOMYfYxibU/
http://qservix.com/wp-admin/Document/44jordpkkuwsdwtkry_agc5x-2843467084/
http://qualitec.pl/images/INC/832x74abrffu77vfdt_05vnmis-7201257285/
http://quercus-boomverzorging.be/wp-admin/mf97-tj8yknq-namf/
http://quintadascamelias.com/wp-content/esp/uJiQRhCpa/
http://rameshmendolabjp.com/wp-admin/parts_service/AURFMvGl/
http://rclocucao.pt/wp-admin/parts_service/vttatprzenvmtw_76qed9ax2-59780589/
http://realistickeportrety.sk/wp-content/parts_service/pnPpdkhtpQ/
http://reborn.arteviral.com/wp-includes/esp/ANNKUglqPsBYyTGSqLqoyaLvYHOoT/
http://recambiospastor.com/wp-includes/rube7-yz13i-tvwbozx/
http://redklee.com.ar/css/7lj8ipbwzyz6ye7ajn49pi9w7vn4w1_ju2uco-4894799229/
http://reportsgarden.com/bill-gates-makes-new-announcement/f5h2czx-qfim21-pwkjii/
http://repuestoscall.cl/paclm/nDIksFxXxwXJlDXkgZchpaxPmltO/
http://revolum.hu/INC/GoDdHoWTEdqUWZjii/
http://rfe.co.th/Download/Dane/qkYASgWnuJxMtihGIMEpCmlL/
http://ricardob.eti.br/cgi-bin/Scan/fujbsCbrLxDnRpNntyVcJQvXUnIUCs/
http://rickgomes.com.br/wp-includes/sites/xa3wh98uf0tcupd_fovwymlx-5057433442179/
http://roelle-bau.de/psw_source/paclm/kRxaCEZVKojXHNCvFeeKJK/
http://rossedwards.co.uk/wp/ze01vak-cn9him-hhbpfk/
http://rsq-trade.sk/wpimages/DOC/OpbvBabezYDAlxbzRYQYBT/
http://rudybouchebel.com/rudybouchebel.com/Scan/KnschlDbPCnUxmnYxfyZCjuhYcpjbR/
http://rukanet.cl/Plus/paclm/avssyrhzww7zmnbgs46s90tz3_cm5ju1-679756165/
http://ruma.co.id/en1/LLC/7aah1jg4r4_dxjcr-683016813/
http://ruposhi.com.bd/wp-includes/lszbg-5gjdav-nhsvy/
http://salmoclinic.cl/cgi-bin/sites/yCUynIBQuwTGvSQbFeG/
http://searchingworks.us/pushingon/epzhu-f81kaxr-qsloszv/
http://seevlog.com/wp-content/stqrs-w89ce-totbjwv/
http://seinstore.com/Suco/kfo7z-j4oqb-byhe/
http://sewabadutcikarang.com/wp-includes/iTEwGyqPJUpdjmzfzwA/
http://sewamobilmurahdibali.co.id/wp-admin/sites/p6l77hrpl3a6btaqtg6izcmez_8utwvfzzk4-9823369595449/
http://shaperweb.com/cgi-bin/Pages/gkQoOpQn/
http://shasthadrivingschool.in/video/JqTQLBDbabyTbr/
http://shivodhayaayurvedaclinic.in/images/paclm/adpgdlHEqfvxzSQSsPlrLn/
http://shortdays.ilvarco.net/cgi-bin/sites/ZJimteuoB/
http://shreedadaghagre.com/journal/5kvusod-24lwwhb-qsse/
http://shubharatna.com/wp-includes/jnpnea-4kqcc-mexjx/
http://silver-hosting.xyz/wp-content/3dn92rq-huxug-rijirxa/
http://sinlygwan.com.my/wp-content/uploads/paclm/EIhvRizHpqbUzExvNzMs/
http://sjz97.com/wp-content/icyqrrKIxOYmFZRPXnVYFchH/
http://skipthecarts.com/wp-admin/4bij6-nze2ck-ioeyn/
http://smbdecors.com/u749472959.20190419185421/5da4axu-tn1tcbc-ndrds/
http://smsiarkowiec.pl/wp/wp-content/uploads/lm/JLHWJFUUzKBRiKoCwsFbvbcgbvhnzD/
http://sobontoro-bjn.desa.id/lama/ybrhrf-9gnp8t-rwcdn/
http://solidupdate.com/wp-snapshots/lm/j4kktxxdxe8otcjhmkyjmaoz8_h0k61-01827752155/
http://sompips.com/wp-admin/LLC/w7sl2hkp7zy8k437ekdbj_22ytp-09973093/
http://sonnhatotdep.vn/wp-admin/3rjo15c5ga7frtejwoczhes0pyvpj_uxrxoht-3907344799/
http://staging.ocfair.com/cgi-bin/paclm/2e6d003f5l686pf97x0mgrf0pd_ib3heo31-24128967343/
http://stockbaneh.ir/wp-admin/dc43-avzx4-zulre/
http://stopinsult.by/wp-includes/esp/g9rbyptwlu4pbb_4xvrq-88991812605/
http://studentcolombia.com/wp-content/Plik/DVmdCtuLXxQdspp/
http://studios99nyc.com/wp-includes/04c7-n824t3-dcuse/
http://supervisor07.com/online.services/ufeg8zcqjqd2g5ihnhr4qujj_j8z8uiers3-9998816732233/
http://susanfurst.dk/wp/mrufg0nv1qo9p11_d2esefh-45474933/
http://sutceco.com.uy/wp-content/jigojof-ze2j0of-goyb/
http://tampacigarroller.com/backup_310708/INF/dCrEFlMR/
http://tamsys.net/lgs/INC/cqyj7s6evz_h589j35a5-8309775940523/
http://technicalj.in/8lfp/DOC/9fjik6x06odem1o_fnypue-757633306338/
http://technicalj.in/8lfp/DOC/lm/icozf99wjuihh2yry_ssntsxxd-31095594844199/
http://termoexpert.it/wp-includes/sites/d5si3ubd66ibnxa9q4te66v5x3_anm7r2w92-488687709/
http://test.devrolijkestaart.nl/wp-includes/xkf3zv-ozlov-aehrcp/
http://the-hue.com/wp-includes/ztga-60xuf3-czof/
http://themeatemporium.com.au/wp-content/uvarhmvsf1c3cuzme7o0w9s99cm_7dxxr0vk-287036250048/
http://theminiscan.com/img/Dane/yFRYVTUpCUJMJHqgL/
http://tienichso.site/wp-admin/DANE/hw72ohfrn3gszcfm8sylthh5rf_yxd6j0fycu-75527295990/
http://tomaszzgiet.com/wp-content/lm/z8b8wdhwk3_zcncv8-21142307690/
http://tondelneon.pt/wp-admin/onzx02-6ijbufb-lmdk/
http://tranek.com.vn/wp-includes/a6r4sh1-aat1l2-efslj/
http://tuchid.com/wp-admin/t777-yt5ij-bxdu/
http://tvbgm.com/z9iy/SKCMWsxAXJaavyRCuuRVJW/
http://twowheelhimalaya.com/wp-admin/parts_service/plen5yznydfl19w8rcpuq_k6ugfn-573589047/
http://ufukturpcan.com/blogs/tgcuujs-32uae-yrxg/
http://usio.com.br/wp-admin/qqklf0-o35ps-hdgho/
http://uskeba.ca/wp-admin/iJxjwrdpeJToUVSTwC/
http://uzbekshop.uz/wp-content/LLC/k5qvkk6vb6pulh_uoth76pr6-834452796176/
http://varniinfotech.net/vender/958nck-c9a6xq-apga/
http://vertientesdelmaule.cl/wp/ml9k-45hsvo-nvjx/
http://vestelvrf.com/wp-includes/s2bb2th-sc4lim9-vlcjwra/
http://vets4vetscoop.com/wp-content/DANE/msk6w5kr6l8_lneqqqcsu-183806797955014/
http://vinfrastructindia.com/vision/ZEkSRRxBRLZuCVkOsb/
http://vistarmedia.ru/wp-content/rg68yeh2b5n04pvldfsv7cdv_ugl929bvah-1587466674/
http://wachtscherm.be/wp-admin/parts_service/huem58o1ig8s58vw70yh6bryhlcp54_jtrqr8h-725791126480738/
http://wargog.com/dubaja/7yofmt12abw5aysw24l21_qol0985y0-96067607644055/
http://warriorllc.com/FILE/pdcd2d2wpl1j3hwx2qb0_gja7tgc53t-378690263/
http://waterwing.in/7it1/Document/h8h9125qdh4ro6l0owj8_6k01bvii-22526075861125/
http://way2admission.in/sclfxo9/sites/nevsekspskcexavmu9acysj_fhn7po-438228592118/
http://webcluetech.com/vh4l/lm/DdOHREQXXViLYJsanKplApTDUu/
http://wenxt.co.in/about/PRzPTYIVWGDfRjbTXZmGTyoX/
http://westburydentalcare.com/wp-content/hnoo-byey4-leezn/
http://whiteraven.org.ua/wp-content/uploads/gz4zye-hfoui-hotk/
http://www.agromundi.com.br/agromundi/PLIK/pyCcKgLrTkKvHXPibtDQQgwRTP/
http://www.gigeveryday.com/blogs/Document/IZrYFEPxyiHcixJpiToRcavLaIvhK/
http://www.maisonmanor.com/wp-content/esp/n1mk8hgu_t43tw-725714268875/
http://www.rezonans.pro-sekrety.ru/wp-admin/DANE/nGqwPrzDBpozJ/
http://www.sutceco.com.uy/wp-content/jigojof-ze2j0of-goyb/
http://www.twowheelhimalaya.com/wp-admin/parts_service/plen5yznydfl19w8rcpuq_k6ugfn-573589047/
http://xinyuming.xyz/wp-admin/i3krt-mb8ubx-rkolp/
http://xn--80aamqk2bt.xn--p1acf/wp-includes/m691-ynwzk-acmdxub/
http://yarra.uz/wp-includes/m1x06r-jzsg2y3-jttu/
http://yashhomeappliances.com/_errorpages/7elv-4dbz9-dhiii/
http://yeniadresim.net/wp-admin/374r-2wuiobo-iimsgn/
http://yourdreamsconnectors.in/bd86ed/0e3uqnu6wpj7i3yob_1vth70hx89-255338451/
http://yourquotes.in/wp-admin/parts_service/tzMMIKpwWbrWKi/
http://zaednoplovdiv.com/wp-content/themes/Document/nu8ugbcj_lbo4uxa4-801589900580/
http://zmzyw.cn/wp-admin/esp/KFUFSpVBj/
https://106b.com/wp-content/4pg188i9n_bn1qkqb0-85292960524/
https://21js.club/ajki/esp/PGnjelBsjuIdTRmNONlZg/
https://ajkhaarlemmermeer.nl/wp-includes/olijv1-ipoq9-sfvo/
https://ardan-grandest.fr/wp-admin/DOK/q4z8i5g9a2z3uae32doapux2_iowpzz-132433005177/
https://artworkshopsinternational.com/ewpd/1y2e-m559vsx-iqrs/
https://camposaurobeb.it/img/DOK/QbaLdxlDmMCmMPmpaAPIf/
https://cicimum.com/wordpress/Scan/POKjdJTgTmLeVukwMStv/
https://condowealth.co/wp-includes/PuhLkEtDERZ/
https://connectingthechange.com.au/wp-admin/ul8i169at68cvy1qpq1cyrnc_byf6m0u-24772763363/
https://daylesfordbarbers.com.au/wp-content/Scan/d3oksyjpiel_hqqgdfh-7776351180551/
https://docs.beautheme.com/bleute/FILE/2p2cnv0m0j7eafhoi8v7httv6jp_qiwtwjtv-6031998203616/
https://donghethietbi.com/wp-admin/lm/aRQkqmHLcCqVdOUcrQmZllwJvP/
https://edicolanazionale.it/wp-content/jh7my-bnqb2-zxav/
https://findyourvoice.ca/wp-content/uploads/Document/rclXkasLtkNCB/
https://fordhamfamily.net/ttccrec/sites/8tt0tg0aw24ngohet3dp_yzy27xogy-86618368/
https://fotobot.ir/wp-admin/DOC/aAWEOIGMFdrMPsOQFibYw/
https://gameviet.ga/bscw/parts_service/YFAwzsjbXBtALwhG/
https://gataran.com/wp-includes/0zshvdule0t72q2ids6cjpe6wps_r22izox1-13318428/
https://gatewaycentrechurch.org/wp-admin/DOC/OgdiEaOUNdbrwbswCSziDApXA/
https://gelbachdesigns.com/cgi-bin/a7gr0ms0ra73n6g6smm7ejm3wk_0cvm4lc-370646901323597/
https://govtnokriwala.com/wp-admin/parts_service/VrIzGRzTzSOvIVqORSVWKWEIkjAkQL/
https://growker.co/growkerdemo/Pages/UeWxULNeXsgu/
https://hcmlivingwell.ca/wp-admin/sites/revxbvjccjm0sq4540x0c_l25eq242f-64615888/
https://help.shop123.net/help/DOC/JyywdyyizPxZdZkaUZLqE/
https://hooknest.com/wp-content/sldi-2s25ep-thzbqhb/
https://hostel-group911.kz/wp-admin/WOGUzlSvCAPJCxGN/
https://imis2.top/wp-content/lm/8nacv8qnwy_d7ro0a-067006290795/
https://inpacetech.com/wp-content/LLC/JMpBCsccfG/
https://kisswarm.com/wp-content/DOC/vwwv6riibz86cw4hm67uu1wfbrg_rtqxh-5004364944586/
https://lovemymural.com.hk/wp-includes/sites/tnwRRmqCRGNROpxUllI/
https://marketing666.com/wordpress/paclm/wjjg1mjiw14ri28oy2_uignr0-24234864/
https://maykop-news.ru/wp-content/paclm/ag2tknctbs2bb2thhsc4lim9n5zm_kpa0lj-508963173/
https://mefun.tv/wp-admin/DANE/OkLPgteHkwNGEkMCXnwNTHLa/
https://obsessive.co.il/wp-content/PLIK/VLlfkrIJPSzNZPYEJMtriCV/
https://orchidreview.xyz/flav/INC/7io42igfnr3reldnf_j5usps-66149267/
https://panet.com.br/stats/Pages/ouu3971zp7artsu_axg3vz2b-473330199/
https://panet.com.br/stats/sites/njse5wcorh7u64gdhxo0059mi12_onhaty6x-17998620611/
https://patrickgokey.com/vendor/bg1ccdly5am6sk2b1_blbqmzfv-49194045/
https://pianogiaretphcm.com/wp-snapshots/XLCquBNbWEswhZJ/
https://poornimacotton.com/Scan/JNDCGnQoHFAdIMZisPC/
https://popitnot.com/List/lm/mttsPaXTDb/
https://quercus-boomverzorging.be/wp-admin/mf97-tj8yknq-namf/
https://renatocoto.com/revisar/LLC/pWdgapSNzN/
https://rmpartner.cz/DOC/uoq752wg6cgprjnwdi8n4i_s18vxtgk-64455007/
https://smbdecors.com/u749472959.20190419185421/5da4axu-tn1tcbc-ndrds/
https://themeatemporium.com.au/wp-content/uvarhmvsf1c3cuzme7o0w9s99cm_7dxxr0vk-287036250048/
https://transparts.com.au/wp-admin/zar69ggal5qo8q2bycx4_358at7nc-6580311888206/
https://tvbgm.com/z9iy/SKCMWsxAXJaavyRCuuRVJW/
https://vestelvrf.com/wp-includes/s2bb2th-sc4lim9-vlcjwra/
https://www.analyze-it.co.za/cgi-bin/sites/dMwtevzsZt/
https://www.mtmby.com/wp-includes/esp/IUkUYpyDmJvhLPTvCdqMgNGmQ/
https://www.producthub.online/wp-admin/bobu-m7jq38q-hoosf/
https://www.twowheelhimalaya.com/wp-admin/parts_service/plen5yznydfl19w8rcpuq_k6ugfn-573589047/
https://www.westburydentalcare.com/wp-content/hnoo-byey4-leezn/
https://yinmingkai.com/wp-includes/sites/GPwktFwVQvMx/

```
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time 2019:05:28 19:06:00 (Attachment Only - DOC Based - ENG - 365 Blue Background)
SHA256:
ab45ed4787916f3a013ada9d70d1c3401e83bd068b1aa632ed964dea3f0f1501

http://www.theovnew.com/wp-includes/h8/
http://c-benhomes.com/wp-includes/kp4z5672/
http://cesarmoroy.com/imagen_OLD/dg38/
http://fqkeepers.com/sitemaps/f5q65143/
https://mypiggycoins.com/fgwf/4lz6uq70737/


Creation Time 2019:05:28 13:17:00 (Attachment Only - DOC Based - ENG - 365 Blue Background)
SHA256:
2f2d7200a3825d51e78eee202fe1f0a9395a008f4fe18461a65be909533003e7
7a06e898cd2aa19f2fcd90ab51d88ba220f614e6b5e0894f530c6b973d9d6e4a
bb82f804c334e4593ef94dd2a583a580102920741d7d1381ebc76062c1316846
f9d66239203c39cbe4b96ba9910bd2ebc73dd6f496c9de8b919db9af5de6a1de
888bb5dd0f8d79e4604b4ba8a5f5be2706792893267a29c8fff4d4e6cfced877
519b0a2551f60c04f58762e99dd7ccdefb3440002e6d50802a346fb65451ffe4
9f8aa8023bbe6da57c5e842e43b94784a8e849fec9c30048738e57073a8e1ad8
b7a827ea9b0c5009e3bd940686816a72f5a8fdce9a34fc76d763c1a86f4a55b6
a33940410423020fcc8ea2e45532122b76cbf680f6580efedab757e588901cfc
bb41d63a2223273333fb83cf091f0a3b0de1c8704551fcdeb4096c173e83c3bc
850750f1662d6671eafb16098a00d37f025ee0d7dcc6b8ea18655451942e8326
e5a1708b0f1fb6286c1b54bf0d6535a60a5ccc4136e0824c1d50a9843cceeff8
924eb76324c5ed9caf4d0a8f1a76ddc3f2a372b74619483f86e0e5fb411a3f2d
7a06e898cd2aa19f2fcd90ab51d88ba220f614e6b5e0894f530c6b973d9d6e4a
d815e750e81c5b6570aa1da1925517e4111b427e6693b007e7e17836c12fe04e
7413faa3d3de66b97fbd1e7513eea5d0e2ae1e47f4031ba04d317cea36d73e53

http://urbandogscol.com/wp-content/xiqjp4/
http://spidersheet.com/wp-includes/js/swfupload/k0924/
http://artoftribalindia.com/wp-content/uploads/r74d6u4/
https://navinfamilywines.com/alloldfiles.zip/zegkb671/
https://gabisan-shipping.com/n4mf/syz49i21/


Creation Time 2019:05:28 06:55:00 (Attachment Only - DOC Based - ENG - 365 Blue Background)
SHA256:
4bdef407a0ac9884cfa8399706ae904c7a2b21f093cf8efb958d552331ceda8e
e16002528974b0db5b7b1fc528b82f2c3b0fc90e094dde89d35508a3ae8c367b
8827490a6f490be62e344eaba2fb27d0b530e7c906944c6a9a3a07b05aefffda
686e1ca9a0d0679756a45c8a45ec177f052d0ce268a8f7bdf2ec922eb9479f31
85f125d9cea6b3597f95a298ee1e8920ac2c243dfd94e08a62185f0464bf51e1
4d5977dce718fd0913995c824e2a03127973146a69a4ddaa0b04d6fcda308261
c0e218e21737e79a7b1803b89bdd568ed049d307e06ac86bb6de07c62488e46a
0b7fb484691a3e5a70ec042b623e74cd46c240610b88a2e2eeeaf8189ebe4876
b15f2a1bf3966f07f3d623a7eaab1761f3f34fb23d56e3c32f0315a4a71dd037
2c9c703cb71223bfdb4275723a9919b547318175f2fc82cdd5f4a13ac028af3a
154553b0df36cb62d4ab78d52ad1fb09e78e3268ac58dee99cd863c151ac9068
293e67776eb4454f5285872f3670f67bab0814e2a43b19065b0de88a8ed65ba8
10cd1c0911e8b909313476820c1d7f0360410f7818dbf564e86de6c92438f236

http://omgbeautyshop.com/wp-content/jhqna243337/
http://testsite.nambuccatech.com/wp-content/csdqo7792/
http://mrsinghcab.com/wp-content/wh00184/
http://kanisya.com/admin.kanisya.com/uq516/
http://newbizop.net/hhhhh/m62464/


```
#### SHA256s for Epoch 1 Payload EXEs seen on 05/28/19 ####
```

a4127b2ffb99d871dc3c0b5aecccf4a508f969e1efbefc4fbd23d2bd1519ffd5
a8a8dc936da3d8de3bba1ecbe2bffddcafeef222d26cc0b67f4515306a383ea2
b55138efe9e2fed5d2a26240e15dda4222b29085d6676e26a04d9fbdfa6ac2f2
4281c9bb3ed9f77f3b9489419b811767558884d072d8411c425f8c2e00e373e4
30a3f14a05d14ede748936ed04971278104067f1e01303efb3bbd881ed389754
5830f25a02676a545a58e9a7a0501f56c80a84723e75deb8652a99124148f680
8e6e1b49a0dede7b45928201666beeb04aa5880791b1b8490c330b842e79efae
1b167637c52bc0e6dfb1f78ff9891b3dcad4cd2ceabe28660869f42512af71e0


```
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time 2019:05:28 19:56:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
e7eb8d59b9dbb69836c228d37648ebaf9b197fe5c4fdb81a0545a1311aa493ee
d65c5c8fb0a50a05c67bf7be8d5355a84c0f4b33dcd11d4e84d7545eed292865
5cd2567af0ff3769b687ad9feacf8c52eb7f614e2b74ad3b0cb43730c1ed0fbf
b58c6c7c0c633deb0343cbd2085549f2e3cb1e46285b6a4b54e44762992540ff
8f92ba2ba02b122bdaed02dd9c9302f5d0a3c7ff8d9983c89a7e46b1edce296c
51ee713d0a7c394bf0de5993f2163b2030a739894471f87fc5206eb8fd4eafb3
e59f6ef39bbc7e4cd9bb49c921d792c2a80034c14e4479ee2cb9b1529c99bb99
2399e13d1cbd189c2ef5ada978a58401845874116e5ce810df829cb5c370edba
838944c1e19136a7a22f30f4e2915d1a6cb67b5149dcd5f822e75a8348f8cba2
6846465d1b3d45bc45e2bbbb70af825284ba8beee65972af56b927e2c6f3692a

http://projekthd.com/pub/EyRNTFJzOr/
https://proxectomascaras.com/wp-admin/cDbhvYpHH/
http://psselection.com/84kmcpyjk_rstllbc0q-80240/
http://robbiebyrd.com/fonts/dkra921_6lqtntd23r-9620475/
https://robcuesta.com/wp-admin/vaq07ekgi_57m694odox-4/


Creation Time 2019:05:28 13:54:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
4b7bde5f1be3435781ccb1f82a4559d4c1bcf172ea15216e4448bc530a873035
1377c72377555dd4443965f6235ce36ff9fcfab3314c48bf97cd5ac54ae346e8
bb1264ec29fa17509aa71975bf840c9aa64e31de67d26a90dae07ee5b2ba2eae
46ad10555f403438b4222a05155ff4f5d7489de500920474a47e8b4562a301fe
4189df143887674784ea2fb33f4c38a6e3af66d99deb8faf6253e66f6c34b578
cb8b18c7212e4086fc6e4b1a024fab6c5f488d821be2a6c04fffc9b8700f8a88
20cfc25c20e6b29f7ebb52b224044f788ac7752c869ef5d141a714a5dce5b4e3
08d8e32f6ae79be70025d2924de1cc3a2caa0a6c96c5c70cccace41088e0830e
557e5402a9b965f41c888786220b60523113e95c6cfd6e221a31818d8d9d6f63
ec3ad0a807b66138b2ab47e7d6c76c67cb356e6bfa402e6c2c618b02f9628962
8b7a29ec2bc49c06f29c672c436bff82a7a3cac51ca11e171331dbb9f7a5f847
7ca1ac4ff95f9e6fed3d8ca4a803b78b0acfbe380012651ce878a5cdf5a827f8
b58bdc49cd8fe00bf02baa782cc44ad8c5f7f3a7e4583564bc0d06cf03daea5e
c7b32049dc7c350d0a5508255b2c1e67ab9b54ceb65493ee8940727513b84783
1ab7a401deff6e22bba5c9aa6660e14930086db2bfa3faf3dfbe8aad2df2cbd9
  510. 9cda2757c204002f8c7d71fcc0204db2a408232b40cc5691845906ceb493246d
  511. 6555fcd22240cb2dfaa62337d1c07a0ebdeaef97cb390b65ebfd3d170ad30f9b
  512. afb54c196aa32dd41269e0a8601e2c5765c94b840a76ebeb2ee009ae4e573be7
  513. b674863f546b1b539e302f83b474d987442602286e49d18de1ad4fa0e9356721
  514. 7fc93bfd1566c5e0ab7676b3d9b73a130d47e4d050ac8d622be79204ca7bcaf1
  515. 828006ee1285fcd6cb7edbfa445d5a964f824c8c589ec2ebc1f2fdda4da37c78
  516. f2cbd8e04dd1a1b959763c34244e444378f1e265f8a9bde65ceb440790cd6dac
  517. 811f12366a5f880f8c88fd588feaa94ef9ad9417709ec305bccf53bf573190e4
  518. 970b030aa383e4ea197607b4115f49236d7824f16251013774bb9feac00163e1
  519. 46bb1336401dd36f9b9ef6f59b72cb93e7b2aaf1bb7d0e1daee390d885023ecb
  520. 00204024bbd93fa26eb46c7c750c2ab638d5bb8cafe7ea1fe462b95976fb996a
  521. eb313adf10da078438fbac37a845a043298f2a9705475c68353b5bff6860c390
  522. 28d540b98059cbe4e3338216898d9f49c8fa8d716b0d4133712212e56a59f6e3
  523. 0161700d7cd49fa1a589ef17de21fc7da242b5f95aaddde56ed096379f2e3819
  524. a1e7cc894d03c7d3c79d55e77c44befcaff532d9eb7ca5146ff87f31b1acf156
  525. 53f64b03687fbe17e3de378a4b5629c0b7295b82e4c7b65b3de842cf4eed1f30
  526. d9776c63a9d53add6f1c5749b33495b1e7c0b26aa26101eaa61827576b970a5d
  527. 55b15cf15a3c75aa0ef9da32fe2de583b46c56e827eeb7bca20a66afdce773fb
  528. 6793dd76530fa14c9fa8186d3044972eddea097c146411c38cacb4ab20c02b3e
  529. 73481229469f5da5c74fb9399675b8d6ce53a56e61e07765c05dfb8f546718b3
  530. 0cbb3d6ffa54388489ed32b54178fab8b9cc52ea99a2ef8cba305f6be6e928d7
  531. 46a3cbea28236eb6a456bedb65ec947cf121b86d256cddb581486eae872ed6ea
  532. 153c5f6417d97f526e0c26f383ad8b64ac4eb6fa1562003c7587f061b5145114
  533. 0044969de69c20c58515a82d1879a4a211b1f6ce48434d2d75fe3321dfab2a6d
  534. a56ef0415a0390d53bf6f49fce2168c93ddb6eed529f7cff5058b56e0d9483a9
  535. ef947c05ed3e7212ae741ba9be781396d23b90000a9c497b8f81c69b4b6ee83a
  536. 185bfab7b3b4cf2201c3c255a9571e060a61e83def897bd115dddda2792085f1
  537. 0080aa513a3d519ab22119655858c30c7767c9b066ea3cb050949394ebeed730
  538. 57142ab986d91433a2a06dedb7a4953517021361e8cc7872e9467ce22694eaef
  539. f50ee0b99dbb0b4ad4b5afaef4b106c336ce3c96366901415e2f288c88385e65
  540. 99560f933e30b31362caa1c84139407590fe34edb8179022d4ffdd242ae245d6
  541. 9c178a5b70e648cd0b2dd296eccff37be991f913f5fc5f7c1fe83760f96eb925
  542. 8c9134204a2e5ae6e408bad3358abf5e5b56dd4dbba349ee5c0487bcd9d908e2
  543. 4ba4494c6ed0b5983dc9379002db7830de8cb697f34e46dbbf15c7d7c1c67ec2
  544. d7c03877dcc5e67ad5fd3b0348e2aae641ae3e54d7b691bd97638d10b5b86de0
  545.  
  546. http://nyulogistikcargo.com/cgi-bin/jHlpglSIMy/
  547. http://lincolnlogenterprises.com/wp-content/SOsUwTBnb/
  548. http://sheraleetour.com/wp-content/QaLLkccz/
  549. http://inovavital.com.br/wp-includes/1m81bi_sco7ad-415267/
  550. http://marasisca.com/public_html/UYPocrLWHM/
  551.  
  552.  
  553. Creation Time 2019:05:28 11:20:00 (Attachment only, DOC Based - ENG - 365 Blue Box)
  554. SHA256:
  555. f57efabcb58f1a5ccff40c2c279ec9d63830e6c554db842e719598c914233bee
  556. 3842e09172dfa1acf2f86c340da04166010585866a72fec7b0d25719fbfb7ec5
  557. ba1f8c5a7f571b02e0e5dab4701192475f461ba4a42bd4228ded72239fd1b269
  558. f065835dab7e353746481c02239e92ec1b90f7201652a33e99983d35d523b6e1
  559. e29bf3fb7c00e54eb2039a6e93a709147acbe0449e28b94a9a7458da26f718b7
  560. 5fecaa2aeb4b636c4dae73e0d5c606d3ac98e26584a927c4a1a80f572d2ad958
  561.  
  562. http://nhaxinhdecor.com/wp-includes/AmevYjnBp/
  563. http://ugmoney.com/wp-content/o5jzc_dq2i27wtu-80619/
  564. http://huethietke.com/wp-admin/pd6ujj_6rmxw-20387/
  565. https://tashivietnam.com/wp-admin/r72j_vpiy2ofnw-522/
  566. https://udogeek.com/wp-content/ibuqZFOz/
  567.  
  568.  
  569. Creation Time 2019:05:28 07:08:00 (DOC Based - ENG - 365 Blue Box)
  570. SHA256:
  571. de8c97cbf0df341d8679c9163875ef879473fffd36bbb6b9c6e7ec1727207d42
  572. ad4b96714a0d72c46e7dd0ae44f79a1653d0cbc62631f59d10cfdfbd8ebd2b65
  573. 6ff4a43e51954e29495cab386dbfebb0f209ff5b780b5d3f3a9810eea7fb3c29
  574. 573c3b7cd7459844111005f1fd35f35863dc3dd41ef3aa21535a780791b7ae68
  575. 2464493e8e82b59ee10b5d826795b1a27856c4b6d6a46a5dd2aed5173668ccb6
  576. 33490e0e9fc09dd755805091830dafa3dca62f189e893c04b4b01b0b5ed121aa
  577. e5855dbb487c26b44978bced54de8e1e8e21ec6cf64a2e453a481eb517a817c6
  578. 1aa8c4a70f062f0c5ecee99c9948497cc4f0c7fede3947c621d3e0e825bf937c
  579. 90f95247646da0588cebb09242d7b9acb446955e24036049c1bf9599935e0d62
  580. 0b4491e537581f9f60f35ec20a5351c83ceb55ba357cebf491c8894de9ce2c9a
  581. 47186c29700382296ae365998feac598598266fe94a01d1727d1c2d1dec1339e
  582. c7e5c0b961301ff035b868dab176d8da8757537cd8d5d0e3b69850ae4caae0eb
  583. 256d5dfbfdd4ac0ac2b0cd445f30c790ab951f52365e6ff28156bfb238235ab7
  584. 1adfee4dfb717bee85a1136e700db0c575546381711d78b0a100466c63a7db8a
  585. 42c1adb4f70ebb47589a20f1ad254c7aaf7ca995e7d9e295a09d960bbd2f578d
  586. 29627411037e05ccf659ce1d6ca55a282ac9ee0d06f8a3f6e6c7a53c382ea1ca
  587. b04277f048a8d45d8784f8aabb2e159ec3683c07ff29f4f0f668f9dfb4dd5390
  588. a578b336b8a29a903fdeae4a5a814c537df819f812297d94d4a41a267cef4cff
  589. c5433aabc87025dbf2c44eb1398375949f892fdb02892b17fde842d68bd287bc
  590. 1ad44f47de3bc39d77125776a47142cd7a686a211f74468ec8db8ea813fd3a10
  591. cc320188dff36b0c212703734547532cc4e0540890071929f8a7170f3ae57537
  592. 23f8568859914bba628d1df0b02c50715af36285d140870ba26f422cc279e566
  593. cc3e705f0f53574145bb65aeaa92918c78d9a11e8001f345a3cc23bd031712d8
  594. fd84706f9314e64e6af40c56d4e891aebac6140a3e20924d52261a0a05aa9c65
  595. f6efc7ca795a7fca28cbe6630670bcfe82398ded7f9f37c5e1e1828531d60836
  596. fdbdca7802615a563841ac543a08640dc19993d5acf62e7844d2c95a1b736737
  597. e60d1fa9f15cc4da1c29f9213f3dd84494efbe81e2916242704ef6a0067296ce
  598. d838d518c6b19d08d11b612c0e219138dc76f17ae455054a90bb93b24813a3fe
  599. a6198a57e1e761140ef59d2b5de2ad53f3344306d521246bd0e321758cf2d59f
  600. eb0dc801274b6ab3beacb5870ac2435b3393ab35c80cff855b402cd270dfe9a8
  601. 6e04de46ba8e4499e14203c9bdbdc0e487369e025922da9e60f005711dad9001
  602. b15c2d8f3f27ba4f33799c50bb5f62764f74274da55a39a961d624e09304bd68
  603. 05a4eae26647acb3a3b7a6035e3d5e0f75206ea331606e305740be95fd4c61e1
  604. b5ea41ba52f89cbc4614eafc913add3be6767d6b31fcea0b6148a1fac2566171
  605. e0502248e4786f83a639a327fdc2e34a3a4533e0ca4f5926b9d8aa386a8e398b
  606. 03b79cbeaaa2e5a103dec9410f336103185f57088e26512d9b6c9b87276519b7
  607.  
  608. https://galleonguild.com/wp-content/404cevb_1r949nq-6879/
  609. https://blschain.com/wp-includes/FcNzCizyiD/
  610. https://www.skooltoolsltd.com/wp-content/uploads/3ryhs4s_6t3qfcu-5/
  611. http://keepitklean.com.au/sdb2/5vawplbkv1_7a5gozk-91735198/
  612. http://www.sitewebtest.ch/chando/m1yrbpr03_tcjpxq-904417/
  613.  
  614.  
  615. Creation Time 2019:05:27 20:23:00 (Attachment only, DOC Based - ENG - 365 Blue Box)
  616. SHA256:
  617. 5073ff38c212cf45a309d71f2e075fe33aec3aea1299a639d2444b1807b90c19
  618. 0c9d570bef2c57c74af8437a9ccdbac1976d3738d6365906c80e8ce3c51efc98
  619.  
  620. http://www.guigussq.com/wordpress/FEszInwEM/
  621. http://taxime.nl/error/jNAkbSMN/
  622. http://kairosshopping.com/cgi-bin/VSTyjSqWjX/
  623. http://jart-design.com/wp/vduSzXTLTt/
  624. http://ruzsamuvhaz.hu/wp-content/REDgZUAe/
  625.  
  626.  
  627. ```
  628. #### SHA256s for Epoch 2 Payload EXEs seen on 05/28/19 ####
  629. ```
  630.  
  631. 30cb3c94df5b47c8968914604e4dae683d947c188c1a97dd103668274ce90a89
  632. 06123da18a086ac3bb1ca5d06b732d536bf85c2850a41f0d6956941e9b581179
  633. b706de7ffb0a5978e8862778c6be3a333cb28a30ad823c89e83ef81010a9ea1f
  634. 5ff96a97491622f18e5043d56f39f259ea9c028b567db212d14145934f9dbda6
  635.  
  636.  
  637. ```
  638. #### Epoch 1 C2s ####
  639. ```
  640.  
  641. 103.201.150.209:80
  642. 104.236.151.95:7080
  643. 105.224.171.102:80
  644. 109.104.79.48:8080
  645. 109.73.52.242:8080
  646. 110.93.196.197:80
  647. 111.67.12.221:8080
  648. 159.203.204.126:8080
  649. 159.65.241.220:8080
  650. 179.40.105.76:80
  651. 181.141.87.122:80
  652. 181.143.101.18:8080
  653. 181.15.177.100:443
  654. 181.15.180.140:80
  655. 181.15.243.22:80
  656. 181.16.127.226:443
  657. 181.164.227.212:80
  658. 181.198.67.178:20
  659. 181.29.101.13:80
  660. 181.36.42.205:443
  661. 181.39.134.122:80
  662. 185.129.93.140:80
  663. 185.86.148.222:8080
  664. 185.94.252.27:443
  665. 186.138.56.183:443
  666. 186.23.146.42:80
  667. 186.71.75.2:80
  668. 186.86.177.193:80
  669. 187.178.9.19:20
  670. 187.188.166.192:80
  671. 187.242.204.142:80
  672. 189.196.140.187:80
  673. 190.113.233.4:7080
  674. 190.117.206.153:443
  675. 190.147.12.71:443
  676. 190.246.166.217:80
  677. 190.252.229.53:80
  678. 190.97.10.198:80
  679. 191.97.116.232:443
  680. 196.6.112.70:443
  681. 200.107.105.16:465
  682. 200.28.131.215:443
  683. 200.32.61.210:8080
  684. 200.57.102.71:8443
  685. 200.58.171.51:80
  686. 200.80.198.34:80
  687. 201.212.24.6:443
  688. 201.251.229.37:80
  689. 203.25.159.3:8080
  690. 205.186.154.130:80
  691. 216.98.148.136:4143
  692. 217.113.27.158:443
  693. 217.199.175.216:8080
  694. 217.92.171.167:53
  695. 218.161.88.253:8080
  696. 219.74.237.49:443
  697. 23.254.203.51:8080
  698. 23.92.22.225:7080
  699. 31.179.135.186:80
  700. 37.59.1.74:8080
  701. 43.229.62.186:8080
  702. 45.32.158.232:7080
  703. 45.73.124.235:8080
  704. 46.21.105.59:8080
  705. 46.249.204.99:8080
  706. 5.153.252.228:8080
  707. 5.79.119.1:8080
  708. 62.192.227.125:80
  709. 62.75.143.100:7080
  710. 66.209.69.165:443
  711. 69.163.33.82:8080
  712. 70.44.163.160:443
  713. 70.44.163.160:80
  714. 70.44.163.160:8080
  715. 71.244.60.231:8080
  716. 72.47.248.48:8080
  717. 79.143.182.254:8080
  718. 80.0.106.83:80
  719. 81.100.95.22:443
  720. 81.143.213.156:7080
  721. 81.183.213.36:80
  722. 81.213.215.216:50000
  723. 85.132.96.242:80
  724. 86.18.105.123:443
  725. 86.42.166.147:80
  726. 86.6.188.121:80
  727. 87.246.58.59:80
  728. 89.134.144.41:8080
  729. 91.205.215.57:7080
  730. 91.83.93.124:7080
  731.  
  732.  
  733. ```
  734. #### Epoch 1 - Spam/Stealer C2s ####
  735. ```
  736.  
  737. <not verified>
  738. 61.92.159.208:8080
  739. 104.236.185.25:8080
  740. 50.116.63.9:7080
  741.  
  742.  
  743. ```
  744. #### Current Epoch 1 RSA Public Key ####
  745. ```
  746.  
  747. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
  748.  
  749.  
  750. ```
  751. #### Epoch 2 C2s ####
  752. ```
  753.  
  754. 103.11.83.52:443
  755. 104.131.11.150:8080
  756. 104.131.208.175:8080
  757. 104.236.99.225:8080
  758. 117.218.17.6:990
  759. 120.150.236.64:20
  760. 125.99.106.226:80
  761. 136.243.177.26:8080
  762. 138.201.140.110:8080
  763. 144.139.247.220:80
  764. 147.135.210.39:8080
  765. 159.65.25.128:8080
  766. 162.243.125.212:8080
  767. 167.114.210.191:8080
  768. 169.239.182.217:8080
  769. 174.136.14.100:8080
  770. 174.96.5.251:465
  771. 175.100.138.82:22
  772. 177.242.214.30:80
  773. 177.246.193.139:20
  774. 178.152.78.149:20
  775. 178.62.37.188:443
  776. 178.79.161.166:443
  777. 179.32.19.219:22
  778. 181.129.30.82:80
  779. 182.176.132.213:8090
  780. 182.176.94.236:20
  781. 182.176.94.236:80
  782. 183.82.100.135:80
  783. 183.82.110.170:53
  784. 183.99.206.228:22
  785. 186.113.19.171:80
  786. 186.4.167.166:80
  787. 186.4.234.27:443
  788. 187.163.180.243:22
  789. 187.177.154.167:990
  790. 187.189.195.208:8443
  791. 187.235.244.9:443
  792. 189.209.217.49:80
  793. 190.128.26.2:80
  794. 190.145.67.134:8090
  795. 190.25.255.98:443
  796. 190.25.255.98:80
  797. 190.72.136.214:465
  798. 190.75.47.24:80
  799. 195.242.117.231:8080
  800. 199.19.237.192:80
  801. 200.21.90.6:80
  802. 200.85.46.122:80
  803. 201.199.89.223:8443
  804. 201.220.152.101:80
  805. 201.238.152.20:465
  806. 211.248.17.209:443
  807. 211.63.71.72:8080
  808. 212.71.234.16:8080
  809. 216.98.148.156:8080
  810. 217.13.106.160:7080
  811. 222.214.218.136:4143
  812. 24.139.205.186:8080
  813. 31.172.240.91:8080
  814. 39.61.34.254:7080
  815. 41.220.119.246:80
  816. 45.123.3.54:443
  817. 45.33.49.124:443
  818. 46.101.142.115:8080
  819. 46.105.131.87:80
  820. 47.41.213.2:22
  821. 5.67.205.99:80
  822. 50.31.0.160:8080
  823. 50.99.132.7:465
  824. 58.9.168.7:443
  825. 58.9.168.7:990
  826. 59.103.164.174:80
  827. 60.48.253.12:20
  828. 62.75.187.192:8080
  829. 64.13.225.150:8080
  830. 66.84.11.168:8080
  831. 69.45.19.145:8080
  832. 71.244.60.230:8080
  833. 76.86.20.103:80
  834. 77.56.253.112:80
  835. 78.186.5.109:443
  836. 78.188.7.213:8090
  837. 84.241.10.111:53
  838. 85.104.59.244:20
  839. 87.106.136.232:8080
  840. 87.106.139.101:8080
  841. 87.230.19.21:8080
  842. 91.205.215.66:8080
  843. 92.154.101.154:50000
  844. 94.76.200.114:8080
  845. 95.128.43.213:8080
  846.  
  847.  
  848. ```
  849. #### Epoch 2 - Spam/Stealer C2s ####
  850. ```
  851.  
  852. <not verified>
  853. 198.58.114.91:4143
  854. 213.136.86.219:7080
  855. 91.205.215.10:7080
  856.  
  857.  
  858. ```
  859. #### Current Epoch 2 RSA Public Key ####
  860. ```
  861.  
  862. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
  863.  
  864.  
  865. ```
  866. #### Credits and Notes Section ####
  867. ```
  868.  
  869. WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs as soon as it
  870. is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
  871. https://pastebin.com/u/jroosen
  872. https://paste.cryptolaemus.com
  873.  
  874. NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
  875. I am providing them for your benefit in case you want to parse them to be sure.
  876.  
  877. ```
  878. #### What is Epoch 1 and Epoch 2? ####
  879. ```
  880.  
  881. What is Epoch 1 and Epoch 2? (updated 03/07/2019)
  882.  
  883. I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
  884. payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures and separate RSA keys for communications.
  885. Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller, more
  886. rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
  887. This seems to change back and forth over a 6 month period. Despite having unique, unshared C2 infrastructures, these two botnets have been seen
  888. to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group, e.g. going on breaks at the same
  889. time period.
  890. Here are some observations I have noted since I have been watching these botnets:
  891.  
  892. - Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
  893. Epoch 2 document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those
  894. being delivered in maldocs on Epoch 2 at any one time.
  895. - Document hashes change every 10 minutes on both Epochs while distribution/spamming is active.
  896. - Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
  897. - On Mondays of every week a new set of document download sites, and usually templates to accompany them, are generated early on
  898. Monday morning/Sunday night.
  899. - Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
  900. Epoch 2 may have a document hosted on host.tld/B.
  901. - The RSA keys will change every few months or so for C2 communications on each Epoch/Botnet.
  902. - Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
  903. *- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
  904. - Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
  905. - C2s are never shared between Epochs/Botnets.
  906. - Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
  907. via C2 to stay ahead of AV defs.
  908. - Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
  909. - Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
  910. - The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this
  911. easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
  912. - Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
  913. spam template, word template, document type and even payload.
  914.  
  915. If I think of anything else to add or if anyone else has any suggestions, I will add them here.
  916.  
  917. ```
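The notes above say each Epoch has its own RSA key for C2 traffic and that checking the key (or the C2 list) is the quickest way to attribute a sample. The following is an added example, not code from the paste or from the Cryptolaemus team: a minimal DER walker that reads the two base64 SubjectPublicKeyInfo keys quoted in the "Current Epoch 1/2 RSA Public Key" sections above, reports modulus size, public exponent and a short modulus prefix, and matches a key extracted from a sample against the listed ones. The keys are copied from the page with the line-wrap spaces removed; the function names are my own.

```python
import base64

# The two keys quoted on the page (Current Epoch 1 / Epoch 2 RSA Public Key),
# concatenated without the whitespace introduced by the paste's line wrapping.
EPOCH_KEYS = {
    "Epoch 1": (
        "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+"
        "0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ"
        "Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB"
    ),
    "Epoch 2": (
        "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx"
        "S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc"
        "hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB"
    ),
}
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _decode_key(b64_key):
    """Base64-decode a key, tolerating any line-wrap whitespace in the input."""
    return base64.b64decode("".join(b64_key.split()))


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(b64_key):
    """Parse a base64 SubjectPublicKeyInfo; return modulus bits, exponent, prefix."""
    tag, spki, _ = _tlv(_decode_key(b64_key), 0)   # outer SEQUENCE
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)                  # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _tlv(alg, 0)                       # OBJECT IDENTIFIER
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _tlv(spki, pos)               # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected BIT STRING")
    _, rsa_pub, _ = _tlv(bitstr, 1)                # skip the unused-bits byte
    _, n_bytes, pos = _tlv(rsa_pub, 0)             # INTEGER modulus
    _, e_bytes, _ = _tlv(rsa_pub, pos)             # INTEGER publicExponent
    modulus = int.from_bytes(n_bytes, "big")
    return {
        "bits": modulus.bit_length(),
        "exponent": int.from_bytes(e_bytes, "big"),
        "modulus_hex_prefix": n_bytes.lstrip(b"\x00")[:4].hex(),
    }


def identify_epoch(b64_key):
    """Return the Epoch whose listed key equals this one (compared as decoded
    DER, so different line wrapping still matches), or None if unknown."""
    der = _decode_key(b64_key)
    for epoch, known in EPOCH_KEYS.items():
        if _decode_key(known) == der:
            return epoch
    return None


def summarize():
    """Parse every listed key so the two Epochs can be compared side by side."""
    return {epoch: parse_rsa_spki(key) for epoch, key in EPOCH_KEYS.items()}


if __name__ == "__main__":
    for epoch, info in summarize().items():
        print(epoch, info)
```

identify_epoch returns None for a key that is not on the list rather than guessing, which is the behaviour you want when a new key rotates in: treat it as an unattributed sample until the C2 list confirms which botnet it belongs to.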
  918. #### Community Lists ####
  919. ```
  920.  
  921. https://twitter.com/executemalware/status/1133520160726364160
  922.  
  923.  
  924. ```
  925. #### Credits ####
  926. ```
  927. (OC from @JRoosen and/or combination work of the following)
  928.  
  929. Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
  930. @0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
  931. @Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk
  932.  
  933. C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
  934. @devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192
  935.  
  936. Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
  937. @pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
  938. @papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro
  939.  
  940. Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
  941.  
  942. Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
  943. helping out with this!
  944.  
  945. Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
  946. @digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
  947. @urlscanio, @TrendMicro and @Virustotal for providing services/software no charge to this cause!
  948.  
  949. ```
  950. #### Daily Log 05-27-19 ####
  951. ```
  952.  
  953. One E2 email from BA today :|
  954.  
  955. Spent a bit of time looking at this week's names for DOC attachments on E2. A sample of over 3000, with some clear patterns. Looks like country-specific branding as well (DE/PL/US). Potential for additional regex, but they periodically vary.
  956. https://pastebin.com/raw/ssA5eEeb
  957.  
  958.  
  959. A big thank you to all those that report #emotet, via Twitter, URLhaus, URLscan and all the sandboxes.
  960.  
  961.  
  962. General News:
  963.  
  964. https://securityboulevard.com/2019/05/the-emotet-ion-game-part-3/
  965.  
  966.  
  967. REVIEW:
  968. If you didn't already see it, there is a very simple way to defang these ZIP/JS attachments or links. Just change the Explorer association
  969. to open .JS files via Notepad.exe. You can follow my instruction here in this Any.Run:
  970. https://app.any.run/tasks/81503633-0f95-48d4-bd80-c83ec5c2b763
  971. or you can do this via GPO. Here is a nice writeup on this process: https://montour.co/2016/09/group-policy-force-js-files/
  972. I recommend you do this because .JS malware is very 2016 or even earlier and most users never need to run .JS or .JSE for that matter.
  973. You can likely throw other extensions into the same configuration and @JayTHL had a nice thread discussing this here:
  974. https://twitter.com/JayTHL/status/1126204098670411779
  975.  
  976. Email Template Report:
  977.  
  978. Generic templates for the most part, the usual body text listed below.
  979.  
  980. Review:
  981. What we know about the threaded templates/reply chain: (changes are marked with *)
  982.  
  983. - Emails are sourced from once (or still) compromised users all over the world.
  984. *- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
  985. to the compromised party on or before Nov 2018 until at least March 2019 (may be up to present). Also have seen emails going
  986. back as far as June 2018.
  987. - Now on E1 and E2.
  988. - Now seeing German based templates that are essentially the same thing but in German.
  989. - The injected reply is usually prefaced with the following:
  990. "Attached is your confidential docs."
  991. "Attached please find the wire transfer form."
  992. "Thank you for your help. Please see the attached."
  993. "Load instructions attached"
  994. "A printer friendly attachment is now included with each email."
  995. "Click on the attachment to open or save the printer friendly version of your report."
  996. - Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
  997. - Attachments seem to be in the filename format of *_Month_DD_YYYY.doc/js so far.
  998. - The link is customized for the display text of the link to show the real domain of the spoofed organization.
  999. - These templates are pretty limited in run and not very numerous.
  1000.  
  1001. Link Regex Report:
  1002.  
  1003. Regex directory patterns
  1004.  
  1005. E1
  1006. *https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)
  1007. https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/
  1008. https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
  1009. https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/
  1010.  
  1011. E2
  1012. https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
  1013. *https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)
  1014. https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/
  1015.  
  1016. NOTE: If you get a lot of false positives, try adding (\"|\n) at the end of some of these after the last \/
  1017.  
  1018. These Regex patterns are to be used experimentally and at your own risk but they caught 95%+ of link malspam.
  1019.  
  1020.  
  1021. Payloads Report:
  1022.  
  1023. Back to normal early start
  1024.  
  1025. E1 was attachment only. 30 DOC hashes scraped from sources, 3 sets of E1 EXE with low hash turnover.
  1026.  
  1027. The last E2 from yesterday (attachment-only) finally surfaced - I lack context to know if this was a distro problem resulting in delayed send, or just slow making it to the sandboxes.
  1028. In addition to three expected E2 EXE sets across 370 URLs, there was a mid-morning attachment-only run.
  1029. As with E1, hash turnover for EXE was low.
  1030.  
  1031.  
  1032. C2 Report:
  1033.  
  1034. C2 from E1 EXE gave 90 unique combos in total. - recorded above
  1035. C2 from E2 EXE gave 92 unique combos in total. - recorded above
  1036.  
  1037.  
  1038. Closing:
  1039.  
  1040. <>
  1041.  
  1042. TT
  1043.  
  1044. ```
  1045. #### Sandbox 05/28/19 ####
  1046. (all with fakenet and MITM unless spam/secondary infection)
  1047. ```
  1048.  
  1049. E1
  1050. https://app.any.run/tasks/0814daeb-92e9-4ede-9f51-5a0819de6c46
  1051.  
  1054. E2
  1055. https://app.any.run/tasks/ea02741e-cf9e-4726-a6a6-ab13845d7d06
  1056.  
  1061. ```