## Emotet Malware Document links/IOCs for 11/05/18 as of 11/05/18 23:59 EST ##
*Notes and Credits now at the bottom* Follow me on twitter @jroosen for more updates.
#### Epoch 1 Document/Downloader links seen for 11/05/18 ####
```
So far attachment only.
```
#### Epoch 2 Document/Downloader links seen for 11/05/18 ####
```
http://1stniag.com/Download/EN_en/Invoice-Number-44664/
http://777ton.ru/DOC/US_us/Scan/
http://agrarszakkepzes.hu/5931ZTIGS/com/US/
http://altaredlife.com/logssite/INFO/US_us/Question/
http://altarfx.com/Nov2018/En/Invoice-for-p/e-11/05/2018/
http://armator.info/tjweather/04224FCYKUT/biz/Commercial/
http://artzkaypharmacy.com.au/4690UVTTQOXO/SWIFT/Commercial/
http://b2streeteats.com/LLC/En/Service-Report-73478/
http://balispadallas.com/sites/US_us/Outstanding-Invoices/
http://bemnyc.com/Nov2018/US/Past-Due-Invoices/
http://blogforprofits.com/files/En_us/Paid-Invoices/
http://borggini.com/11XW/SEP/Smallbusiness/
http://brasileirinhabeauty.com.br/Document/En_us/Invoice-for-s/o-11/05/2018/
http://brazilianbuttaugmentation.net/11997OLJVY/BIZ/Business/
http://carbonbyte.com/xerox/EN_en/Invoice-Corrections-for-37/59/
http://carminewarren.com/newsletter/US_us/Invoice-Corrections-for-15/54/
http://casino338a.city/newsletter/En/Invoice-5505302-November/
http://cdn5.rvshare.com/1541440212.491c5b0b32d56a2330520a9a91463722.doc/
http://chefshots.com/57953PMYDYHBV/SWIFT/Commercial/
http://chstarkeco.com/Document/EN_en/1-Past-Due-Invoices/
http://chungelliott.com/wp-admin/Nov2018/US/Question/
http://cidadeempreendedora.org.br/wp-content/upgrade/65208YCNN/PAY/Smallbusiness/
http://craniofacialhealth.com/newsletter/US/Past-Due-Invoices/
http://crowdgusher.com/Document/US_us/Overdue-payment/
http://djlilmic.com/84025BMQKXYDV/BIZ/Personal/
http://duwon.net/wpp-app/4815587SLERFGAN/identity/US/
http://emilyxu.com/847XLUFEIHG/BIZ/Personal/
http://fenlabenergy.com/FILE/En_us/Outstanding-Invoices/
http://foccusmedical.com.br/INFO/US/Invoices-Overdue/
http://gaardhaverne.dk/371880QWYFSQ/PAYMENT/Business/
http://griff.art.br/default/US_us/Invoice/
http://gueben.es/INFO/EN_en/Document-needed/
http://ingridkaslik.com/0597864MMOLPXNP/identity/Business/
http://investicon.in/wp-content/plugins/workfence/649494OUWHGA/oamo/Personal/
http://jacquesrougeau.ca/old/LLC/US_us/Invoices-attached/
http://johnscevolaseo.com/doc/EN_en/Open-Past-Due-Orders/
http://juegosaleo.com/newsletter/US/Invoice-Corrections-for-81/79/
http://marcocciaviaggi.it/sites/EN_en/Sales-Invoice/
http://mesaqore.com/doc/US_us/Service-Invoice/
http://mironovka-school.ru/977878WBVWYKBV/BIZ/Smallbusiness/
http://never3putt.com/Nov2018/US/Past-Due-Invoices/
http://notehashtom.ir/wp-admin/598GLELB/SWIFT/Smallbusiness/
http://nuomed.com/Nov2018/En_us/Service-Report-3672/
http://nutrilatina.com.br/files/En_us/Sales-Invoice/
http://peconashville.com/INFO/En_us/Service-Report-20333/
http://pereira.photo/newsletter/EN_en/Invoice-receipt/
http://pornbeam.com/eVsCvwP/4AY/8QVYJ/PAYROLL/Business/
http://touchandlearn.pt/wp-content/uploads/81944UBMHWQIH/PAY/Business/
http://tvaradze.com/doc/US_us/Invoices-Overdue/
http://womendrivers.be/scan/US_us/Open-Past-Due-Orders/
http://www.aes.co.th/web/wp-content/upgrade/newsletter/US/Inv-867015-PO-5O966375/
http://www.cabdjw.gov.cn/wp-includes/2021ACJTULJK/SWIFT/US/
http://www.conceptsacademy.co.in/wp-content/uploads/2018/files/US/024-13-180753-957-024-13-180753-943/
http://www.greenamazontoursperu.com/LLC/EN_en/Open-Past-Due-Orders/
http://www.imankeyvani.ir/INFO/US_us/Open-invoices/
http://www.martabadias.com/8481483FGDDG/PAYROLL/Commercial/
http://www.milaszewski.pl/sites/US_us/Invoices-attached/
http://www.retailtechexpo.cn/en/wp-content/wp-rocket-config/scan/US_us/Scan/
http://www.swiftsgroup.com/default/En/Outstanding-Invoices/
http://www.test.vic-pro.com/newsletter/EN_en/Outstanding-Invoices/
http://www.torneighistorics.cat/INFO/EN_en/Invoice-Number-85412/
http://www.ultigamer.com/wp-admin/includes/INFO/US/Important-Please-Read/
http://www.willbcn.com/sites/US_us/Invoice/
http://www.zcnet.com/0872684IQBTLZW/ACH/Personal/
https://celgene.zendesk.com/attachments/token/jsBvNcgFVs4ELgPF4okoU1R3T/
```
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2018-11-05 22:29:00
SHA256:
ad3781adce18959a883e43e6d3d03a264388f9c8bf99df96cda11131a63371f9
http://keywestartistmarket.com/OaM1uBg
http://cadenas.com.br/30A6rlp
http://krmar.ru/9qiWCR4b
http://shababazm.com/v675zUP
http://andrzejsmiech.com/UZpCXUkk
```
#### SHA256s for Epoch 1 Payload EXEs seen on 11/05/18 ####
```
3f9d6c29995dbc28b91e0d30b63cfb7f7cf42d050949355b0b62293b76327568
185094ab98a1c77837a6c3b0bf48c4a1d25698e5844b308d4704b5d3f40db681
865c74a009e713098d335e4138a09a545ec2ef26001ddacf64c9cb9ec597fe3f
d3611b52f3662288d438bca5d9fe7ad394f954a33d155915645d7526caf91e68
56463dac265e82a6178a8924d5be794495b295a25efd1976daae35eff61829ac
fd91f0d55d932a2d14451967e225765c21037a91b5e64fe4915c87fd87561bf9
```
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2018-11-05 17:18:00
SHA256:
f3e187ebd0be4413d9495345935aeb63a025bb299c63b24787188a71003e5a5b
0acd52e7f92f125d8fec5d78db296ee3c88079456dfb66b84fa92be944dc1293
4dfb9830a14e1e92ca88b40189fb05be60a42be886c9ca1cd2f6a3f5f09e0208
680d56d915ec028d4d0e33cd63e90f58c1f67c4e8b92d11eabf2576702d5b3bd
d997af80a0b2cea354d82735f28b04fb6f40ec6a687b4616cbc03230c7319ad3
6c9f60643913ae688fc163d8e09a71268c0bd527ca5e9330c163108aafac5944
26fba2bd9792cbe6aa14f3baa9a2ffb57344d7348805648a53dcf92644a8b973
f43ced0de6dce1c3fcf386cb7bd4e0d787d64983f0d2bb236311605402ba74a9
e78f28580ea5e79a33be5ba93c71e2c66528812db3580a3e39f3f652ecaaa858
18c74f2852985acd6a5b35d21d12e8e852d54003b4e5d3714243e045969c434f
af3fea36a05c59c3670d5fe58a4d679c3e089ceb8be39c92663c3401ce8784eb
87b5210624989f6ff74bb9a07083aeab116ba3e179db099f768982ac1dbbb5b8
5d3e5a9b7730bd40f0cd4392367744bb7a3ddefd3b316d603e56369a7813ee68
3cebbd85235c819ec92210572035f2973b54740f306b8b0607e03c84eb7b0914
9827a577b252a3417174e8177592785515f22b9bca4d435a2206e512a2ced3fd
3ebc758a0186db99545ab2614b2a96544ab4509bf7d24c8d11dca06b2d17adbd
943aa71f481cb0a3af7e24e2be09298ed6c98235b4d1cfb89979339c8bad8085
42df2ceda548dbd95ed4cf8176dfb8817e7350ea9b296adb33a3e6c3f2fb272e
11d52b1ee5c330911ed98ba86a4560c67cba2bd70427c8d33a0b793ddeb5c11e
9bd34506cacf57f6329a6b5530684822d50d03a26e6105d217220e46297bf84c
687d3887779bf147f8ab6637c28f76559f3a1cbe0899cfa07d0ac33733fc74efc
1a4dc5022a6b5296fe5d03597782a985bd721e3651b010c06b9be205b5c9f97d
fc4fa944b430fb0c175ab12d9bb776819f04d29c4a371baa243af0d7e7ab267b
7ae43402b33483d995f4c64940500a3cd508a22e4e2ae9c70ead3f9fd6396bc7
8560ed53158f7c2f7931ee6e95abcbf0325d117b039d96f9ebc2e7971c22a151
8393f02d75dd065203874f01ad54ccaa767603b63d5a2faf77d3a55c17a6b4bc
1f5e9f1c173cc8611a5d34e801c0a26ce7365cb1c7b660bcd88816153b76d467
c2470c1b4e9e97fa1820f29ca1dece3f99e154c6cd695d1e6f89e12425eb3a4f
7575b3de182b5ad8b92eabad4f5307e27280729f81ab692d20633dac2f786d8c
e7dcbaaec834d3b3accd527299f71fd1056b9b88e5156d83ec6e928d13872177
51cd6bdb18da6dc94549e067b04e727b9e947f2f189f5c27da67eb56f77c5f54
2210bb4262bd6f02c2c1b836ea7372c28b35f7e31d81dcf4749fbd4fe71676fb
9aee83d453ff3ce67e771d3b417ec0e29c1104a3e6b035088b8e799557049c3c
853d3351d23e0de67958a4669d628444c1a15d4de4de4f114f8db90689a2d715
http://tlextreme.com/orsOyz
http://vanherreweghen.be/I
http://www.camenisch-software.ch/ynlTz
http://sh2017.chancemkt.com/Vg07
http://www.tzen2.com/wp-content/8xR
Creation Time 2018-11-05 10:02:00
SHA256:
7516af39a37c18fa7c21a8dc9b0659463886b7453d92d0082e04907e8c7cfb32
e410c621736aa8e6b5174ad62cc2c49fc6a804dd6dac8f87fcfd35910b5734ca
b61113e598e002f1d9273b07d7607d858efba0cb4dcda4a8c72864885ed63376
1908cf7f7f3be0ea4d3221f70402947b76211dad38058a5a0bfb762f8ecdd392
3ce80ee8433dc8ddd1459244196e687508bd564493621a45fa2df58b3e521314
5ab7313c5141a184d22a5c6ac325dbd3bdaf81aa448600d204914a3740e5612d
e4ecb82fb8a2bf785c2f976c1feea57bca2ff115f5a26c00a9282f9d7f43eb43
6840a6c22f7f7070147e3d119e95b2c794de450af9bdbcfbca7ede94c6678440
000cac78f50ff38ccb4465cac82be45df87e8d0b9e28338fdd62d367240f26a0
6ca9d13ba701a131d357c033e15204e7daacd1805142856c568c1289ca010656
0b3e6fb8bf5701aa1e13c089b2cf51bcb8c169e3d6a2e3e86a8ed9398f8f493b
d1e2d97314ab7f756f8ce799a9b578d80388f8e1365f648743183ec08a9f315d
3546c31ab9a6dbcf55084397ce3b5b24afe23861e2a9cc2b84f7d79b07e33ee5
http://artsntek.com/YtQno
http://bahiacreativa.com/9SYOE9k
http://cipherme.pl/data/cw
http://charliefox.com.br/41Cj
http://casellamoving.com/t1g
```
#### SHA256s for Epoch 2 Payload EXEs seen on 11/05/18 ####
```
10a02d3fea79599ab6fa9a8518045cc41b5fb50c57c01f69242b8bdb4b79d8c8
Trickbot 59b603b211b6a4a76f7b025f6bfd414819a9639df45f9d3e70dd4ece1ba7c6b6
049f732f2da2289408b937bb46c365028fed6f9ee74a373cc92e4dca2f18dcf2
e9aab3899d0279062b117e543ca3397394541e68bf124730fc43c2e3409a0047
c1790994f32aa1c104bbca7ff17b6b8710acb03030ee1e4351547603e9fd88e7
06af2e77bacf94f4328ce864aa162346e685730aa10919b7a93b76abbc0e7119
f05ca029a47e30740c5ea4fa8d8e28bbe18c15fa3a82551f952493e78a72d59b
0448a0701036b154e48b34cc49d9cbe28985a02730cebd7d1a04f0b142bbe144
906e954a652300362198d3b7be578487eac04f14be1c562bf75b1b1c01436c32
b85fb8892c9a1778f470d70689c8f1e60082504df0d2dd06a11d85efba738729
09f69cb18f86d6bcb718a6cb9b7fa0e2ac4bbe4f38f8dc6a01476e9681825a9a
```
#### Epoch 1 C2s ####
```
(Port is 80 unless noted)
128.193.56.169:443
133.242.208.183:8080
139.59.242.76:8080
148.103.7.242:7080
159.65.76.245:443
165.227.213.173:8080
186.10.17.186:443
186.20.217.236
190.124.166.113:8080
190.17.44.48
190.90.100.228:8080
192.155.90.90:7080
198.199.185.25:443
200.21.90.6:8080
201.111.74.224:7080
210.2.86.72:8080
210.2.86.94:8080
213.48.239.192
217.35.82.190:7080
23.254.203.51:8080
24.117.165.162:50000
24.37.218.86
37.120.175.15
45.73.110.62:8080
47.225.131.10
47.34.43.223
49.212.135.76:443
5.9.128.163:8080
69.198.17.20:8080
76.65.166.252:7080
81.20.87.205:443
81.214.108.10:443
90.75.137.228:50000
```
#### Spam/Stealer C2s ####
```
24.161.14.157:443
174.71.204.179:8080
24.28.182.224:443
186.68.80.34:443
212.48.68.58:8080
87.106.243.118:8080
70.82.209.53:8080
186.85.127.59
211.228.237.11:443
```
#### Epoch 2 C2s ####
```
(Port is 80 unless noted)
104.205.121.6:8090
115.71.233.127:443
136.56.103.201
139.162.151.141:8080
149.167.86.174:990
153.122.38.158:443
160.2.24.88:990
174.55.139.78
189.190.61.232
190.92.37.171:7080
200.194.26.234:443
211.115.111.19:443
217.13.106.160:7080
217.174.206.181:443
222.214.218.192:4143
24.59.228.182
27.96.91.225:8443
37.211.34.12:8080
45.123.3.54:443
46.163.76.187:8080
47.32.248.75:8080
5.230.147.179:8080
67.205.149.117:443
69.198.17.7:8080
69.55.255.159
70.50.196.234:8080
71.167.178.19
72.255.128.229:7080
73.31.237.56:443
78.47.182.42:8080
79.69.254.176:7080
81.7.10.106:7080
83.222.124.62:8080
84.200.106.120:8080
95.141.175.240:443
96.67.83.134
98.102.182.2:8443
98.142.208.27:443
```
#### Epoch 2 - Spam/Stealer C2s ####
```
50.100.215.149:50000
70.62.224.226
202.175.188.154:8443
```
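The sections above follow a few conventions a consumer has to honour before the indicators are usable: C2 entries are `ip[:port]` with port 80 implied when none is given, payload hashes may carry a family label (the `Trickbot` entry in the Epoch 2 EXE list), and the "Payloads by Document SHA256" blocks mix `Creation Time` lines, hashes and URLs in one fence. The following parser and log matcher is an added example, not code from the paste or from @jroosen; the `IOC_TEXT` excerpt is constructed from a handful of entries copied from the sections above (plus one deliberately malformed hash), the proxy log lines are constructed, and the assumption that a C2 section without a port note also defaults to port 80 is mine.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

FENCE = "`" * 3  # the paste wraps each section in a markdown code fence; skip those lines
HEADER_RE = re.compile(r"^#+\s*(.*?)\s*#*$")
PORT_NOTE_RE = re.compile(r"\(Port is (\d+) unless noted\)", re.I)
C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?$")
HASH_RE = re.compile(r"^(?:(\S+)\s+)?([0-9a-fA-F]+)$")  # optional family label, then hex
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)")

# Constructed excerpt in the paste's layout (indicator values copied from the sections above,
# "deadbeef" added to show how a malformed hash is reported instead of silently accepted).
IOC_TEXT = """\
#### Epoch 2 Document/Downloader links seen for 11/05/18 ####
http://1stniag.com/Download/EN_en/Invoice-Number-44664/
http://bemnyc.com/Nov2018/US/Past-Due-Invoices/
#### SHA256s for Epoch 2 Payload EXEs seen on 11/05/18 ####
10a02d3fea79599ab6fa9a8518045cc41b5fb50c57c01f69242b8bdb4b79d8c8
Trickbot 59b603b211b6a4a76f7b025f6bfd414819a9639df45f9d3e70dd4ece1ba7c6b6
deadbeef
#### Epoch 2 C2s ####
(Port is 80 unless noted)
136.56.103.201
139.162.151.141:8080
#### Epoch 2 - Spam/Stealer C2s ####
50.100.215.149:50000
70.62.224.226
"""

# Constructed proxy log: "<timestamp> <client> <method> <target> [status]".
PROXY_LOG = [
    "2018-11-05T18:02:11Z 10.0.0.5 GET http://bemnyc.com/Nov2018/US/Past-Due-Invoices/ 200",
    "2018-11-05T18:02:40Z 10.0.0.5 GET http://bemnyc.com/index.html 200",
    "2018-11-05T18:05:40Z 10.0.0.5 POST http://139.162.151.141:8080/ 200",
    "2018-11-05T18:06:02Z 10.0.0.5 POST http://136.56.103.201/ 200",
    "2018-11-05T18:07:15Z 10.0.0.7 GET https://example.com/ 200",
    "2018-11-05T18:08:00Z 10.0.0.7 CONNECT 50.100.215.149:50000",
]


@dataclass
class IocSet:
    urls: set = field(default_factory=set)       # full URLs as listed
    hosts: set = field(default_factory=set)      # hostnames of those URLs
    c2: set = field(default_factory=set)         # (ip, port) tuples, port resolved
    hashes: dict = field(default_factory=dict)   # sha256 -> family label
    malformed: list = field(default_factory=list)  # (section, line) that failed validation


def parse_iocs(text: str) -> IocSet:
    """Walk the paste line by line, using the #### headers to decide how to read each line."""
    iocs = IocSet()
    section = None
    default_port = 80
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(FENCE):
            continue
        if line.startswith("#"):
            title = HEADER_RE.match(line).group(1).lower()
            section = ("c2" if "c2s" in title else "hash" if "sha256" in title
                       else "url" if "downloader links" in title else None)
            default_port = 80  # assumption: a C2 section without a port note also means port 80
            continue
        note = PORT_NOTE_RE.search(line)
        if note:
            default_port = int(note.group(1))
            continue
        if section is None or line.startswith(("Creation Time", "SHA256:")):
            continue
        if line.startswith(("http://", "https://")):      # URLs appear in the hash sections too
            parsed = urlparse(line)
            if parsed.hostname:
                iocs.urls.add(line)
                iocs.hosts.add(parsed.hostname.lower())
            else:
                iocs.malformed.append((section, line))
        elif section == "c2":
            m = C2_RE.match(line)
            if m and all(int(o) < 256 for o in m.group(1).split(".")):
                iocs.c2.add((m.group(1), int(m.group(2) or default_port)))
            else:
                iocs.malformed.append((section, line))
        elif section == "hash":
            m = HASH_RE.match(line)
            if m and len(m.group(2)) == 64:
                iocs.hashes[m.group(2).lower()] = m.group(1) or "Emotet"
            else:
                iocs.malformed.append((section, line))
    return iocs


def match_log(iocs: IocSet, log_lines):
    """Return (client, target, reason) for every log line touching a listed C2, URL or host."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if m.group("method") == "CONNECT":            # target is host:port, no path
            host, _, port = target.partition(":")
            host, port, full_url = host.lower(), int(port or 443), None
        else:
            u = urlparse(target)
            if not u.hostname:
                continue
            host = u.hostname.lower()
            port = u.port or (443 if u.scheme == "https" else 80)
            full_url = target
        if (host, port) in iocs.c2:
            reason = f"C2 {host}:{port}"
        elif full_url in iocs.urls:
            reason = "listed URL"
        elif host in iocs.hosts:
            reason = "listed host (different path)"
        else:
            continue
        hits.append((m.group("src"), target, reason))
    return hits


def lookup_hash(iocs: IocSet, sha256: str):
    """Family label for a listed payload hash, or None if it is not in the set."""
    return iocs.hashes.get(sha256.lower())


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    print(f"{len(iocs.c2)} C2s, {len(iocs.hashes)} hashes, malformed: {iocs.malformed}")
    for hit in match_log(iocs, PROXY_LOG):
        print(hit)
```

Running it on the full paste (with the fences left in place) works the same way because fence lines are skipped; the 65-character entry in the Epoch 2 document hash block will surface in `malformed` rather than being loaded as a hash, which is the behaviour you want from a feed consumer. Matching on hostname alone, as the third rule does, is deliberately noisier than matching the full URL: many of the listed hosts are compromised legitimate sites, so treat a host-only hit as a lead to triage, not as a verdict.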
#### Credits and Notes Section ####
```
Updated 7/13/18
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days, see the previous days here to get the full picture: https://pastebin.com/u/jroosen
NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list. I am providing them for your benefit in case you want to parse them to be sure.
UPDATED (08/31/18): Epoch 1 is back! For several days in a row it has been on the scene!
What are Epoch 1 and Epoch 2?
Epoch 1 and 2 are two distinct chains of payloads that I have been tracking for a couple of weeks now. Epoch 2 is currently the larger group of hosts and I think it is the main push of Emotet. Epoch 2 WAS a smaller, more rapidly changing version of Emotet that tended to change the hash of the document every 45-60 minutes and sometimes had new payloads that fast as well. Epoch 1 seems to change payloads every 3-6 hours now and hashes change sometimes as fast as 1 hour. Epoch 1 may now be the development chain but I am not 100% sure what they are up to. Checking either epoch host at a point in time will deliver a document that has payloads different from those of the other epoch. That means epoch 1 may have payloads of a,b,c,d,e and epoch 2 will then have z,y,x,w,v. Sites sometimes move from one epoch to the other but I have never seen the same exact directory go from one epoch to the other. It is always a new directory for the change in epoch as far as I have seen.
```
#### Community Lists ####
```
https://pastebin.com/GXaSAMJ6 - @James_inthe_box
https://pastebin.com/h61QUzSv - @ps66uk
https://pastebin.com/Zbrny8VL - @pollo290987
```
#### Credits ####
```
(OC and combination work)
Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch
C2 info - @unixronin, @MalwareTechBlog
Payloads - @James_inthe_box, @MalwareTechBlog
Special thanks to @2sec4u, @unixronin, @pollo290987/@ps66uk for creating scripts/servers/infrastructure and helping out with all of this!
Very special thanks to @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch and @Virustotal!
```
#### Daily Log ####
```
After a long hiatus it is back. E1 shut down and E2 is going pretty strong. I will put up some templates later of the emails.
16:00 - seems like E1 may be waking up? Been able to find over ~60 URLs of E2 stuff so far.
18:30 - Confirmed, E1 is now sending attachment malspam and @ps66uk found the first sample.
23:00 - Ran the latest C2s for both botnets and listed them above replacing the old ones.
23:59 - added C2 runs at the end from @anyrun_app. Added @pollo290987's list.
```
#### Sandbox 11/05/18 ####
(all with fakenet and MITM unless spam/secondary infection)
```
Epoch 1 C2 Run as of 23:12 https://app.any.run/tasks/04ec5fd9-61cb-4457-a8ec-4d6043f89ff3
Epoch 2 C2 Run as of 23:05 https://app.any.run/tasks/3f21db2f-8461-49a1-a60f-71f9d46c8d84
```