## Emotet Malware Document links/IOCs for 05/14/19 as of 05/14/19 23:30 EDT ##
*Notes and Credits now at the bottom* Follow us on Twitter @cryptolaemus1 for more updates.
#### Epoch 1 Document/Downloader links seen for 05/14/19 ####
```
Seen only in attachments
```
#### Epoch 2 Document/Downloader links seen for 05/14/19 ####
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2019-05-14 16:58:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
Creation Time 2019-05-14 06:53:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
Creation Time 2019-05-13 19:26:00 (Password Protected - Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
```
#### SHA256s for Epoch 1 Payload EXEs seen on 05/14/19 ####
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2019-05-14 16:10:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
Creation Time 2019-05-14 08:52:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
Creation Time 2019-05-13 19:33:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
```
#### SHA256s for Epoch 2 Payload EXEs seen on 05/14/19 ####
- cec6c7c955c38a91ef3a85b1093fe1de9cbfea76c164e47549abd0b8318a7352
- b7fae94d926f1e80f9f08897132764ae0cc60818deae7b66e51a5cad08079fbd
- d608f1ac7e5c1b4f2f24e7865bcf8e6bd0ba2253f6f4b1e011f150874a7779ae
- 9daab6c73353614a093316a5d3a6f8fedf49e6f09c902c2a9eb8ebc2421fd073
- f5c90a7ffaadc644d8879c1f5cd226b01d03dca7ab1d25daaa506d790e6f0806
- b7d6abf5e0ac9854e6cc338ba32df844c21cc0265950d7ce8b13be55bc27028a
- ef1cf8c9b4c3b9b1ec5720101c9968c257ee0aef892f120b5e7ea55e88252bbb
- 4095cb4d46154c6ec4d8c70d02914cb8df6ca646df01c85a00f5f5cba1bb5666
- f4fa4fad684e10e5f4d016134c73eeec9559278da0cea59cb6bc1e8f8ec9953e
- 4f07207894325e1073a2c6386d15123f5f0a060226f7ee562596e32c5e4d6df7
- ```
- #### Epoch 1 C2s ####
- ```
- 103.201.150.209:80
- 103.213.212.42:443
- 105.224.171.102:80
- 109.104.79.48:8080
- 109.73.52.242:8080
- 111.67.12.221:8080
- 163.18.23.242:80
- 175.107.200.27:443
- 181.110.239.26:80
- 181.143.101.18:8080
- 181.15.243.22:80
- 181.16.127.226:443
- 181.199.151.19:80
- 181.29.101.13:80
- 181.30.126.66:80
- 181.39.134.122:80
- 185.129.93.140:80
- 185.86.148.222:8080
- 185.94.252.27:443
- 186.121.223.131:80
- 186.139.160.193:8080
- 187.178.9.19:20
- 187.188.166.192:80
- 187.242.204.142:80
- 189.196.140.187:80
- 190.117.206.153:443
- 190.123.35.82:50000
- 190.13.211.174:21
- 190.147.116.32:21
- 190.180.52.146:20
- 190.85.206.228:80
- 191.112.58.204:443
- 191.97.116.232:443
- 192.155.90.90:7080
- 196.6.112.70:443
- 200.107.105.16:465
- 200.127.0.8:80
- 200.28.131.215:443
- 200.45.57.96:143
- 200.58.171.51:80
- 200.59.189.217:80
- 201.217.67.3:80
- 201.251.229.37:80
- 203.25.159.3:8080
- 205.186.154.130:80
- 213.172.88.13:80
- 216.98.148.136:4143
- 217.199.175.216:8080
- 217.92.171.167:53
- 218.161.88.253:8080
- 219.94.254.93:8080
- 23.254.203.51:8080
- 37.59.1.74:8080
- 43.229.62.186:8080
- 45.73.124.235:8080
- 51.255.50.164:8080
- 62.75.143.100:7080
- 64.87.26.16:443
- 66.209.69.165:443
- 69.163.33.82:8080
- 72.47.248.48:8080
- 79.143.182.254:8080
- 81.183.213.36:80
- 81.3.6.78:7080
- 82.226.163.9:80
- 85.132.96.242:80
- 89.134.144.41:8080
- 91.205.215.57:7080
- 91.83.93.124:7080
- ```
- #### Epoch 1 - Spam/Stealer C2s ####
- ```
- 61.92.159.208:8080
- 104.236.185.25:8080
- 50.116.63.9:7080
- ```
- #### Current Epoch 1 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+
- 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ
- Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
- ```
- #### Epoch 2 C2s ####
- ```
- 103.255.150.84:80
- 103.53.44.20:80
- 105.247.109.117:993
- 119.155.153.14:21
- 133.242.156.30:7080
- 134.196.53.52:7080
- 136.243.177.26:8080
- 138.201.140.110:8080
- 147.135.210.39:8080
- 149.167.86.174:990
- 149.255.56.242:8080
- 162.243.125.212:8080
- 167.114.210.191:8080
- 169.239.182.217:8080
- 173.255.196.209:8080
- 174.93.130.148:8443
- 175.100.138.82:22
- 177.230.108.144:22
- 177.242.202.30:8080
- 177.242.214.30:80
- 177.246.193.139:20
- 178.152.78.149:20
- 178.62.37.188:443
- 178.79.161.166:443
- 179.14.2.75:21
- 182.176.132.213:8090
- 182.188.47.206:990
- 183.82.100.135:80
- 183.82.110.170:53
- 186.113.19.171:80
- 186.19.202.88:21
- 186.31.189.232:143
- 186.4.167.166:80
- 186.4.234.27:443
- 187.189.195.208:8443
- 189.209.217.49:80
- 190.112.228.47:443
- 190.145.67.134:8090
- 190.25.255.98:443
- 190.25.255.98:80
- 190.53.135.159:21
- 190.72.136.214:465
- 198.57.223.7:8080
- 2.50.4.159:443
- 2.50.52.255:20
- 200.21.90.6:80
- 200.85.46.122:80
- 201.199.89.223:8443
- 201.220.152.101:80
- 201.231.44.78:80
- 201.238.152.20:465
- 211.248.17.209:443
- 211.63.71.72:8080
- 213.14.166.152:990
- 216.98.148.156:8080
- 217.13.106.160:7080
- 222.214.218.136:4143
- 24.139.205.186:8080
- 41.169.20.147:143
- 41.184.246.205:53
- 41.220.119.246:80
- 45.123.3.54:443
- 45.33.49.124:443
- 46.100.165.6:53
- 50.31.0.160:8080
- 50.99.132.7:465
- 58.9.168.7:443
- 58.9.168.7:990
- 59.103.164.174:80
- 62.75.187.192:8080
- 64.13.225.150:8080
- 66.84.11.168:8080
- 68.52.43.253:80
- 69.45.19.145:8080
- 77.56.253.112:80
- 78.186.5.109:443
- 78.189.173.217:143
- 84.241.10.111:53
- 85.104.59.244:20
- 86.122.149.86:8080
- 87.106.139.101:8080
- 88.198.62.227:8080
- 88.21.212.13:8080
- 91.205.215.66:8080
- 92.154.101.154:50000
- 94.59.49.76:995
- 94.76.200.114:8080
- 95.128.43.213:8080
- 98.142.208.27:443
- 98.144.73.193:80
- ```
- #### Epoch 2 - Spam/Stealer C2s ####
- ```
- 198.58.114.91:4143
- 213.136.86.219:7080
- 91.205.215.10:7080
- ```
- #### Current Epoch 2 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx
- S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc
- hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
- ```
- #### Credits and Notes Section ####
- ```
- WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs as it
- is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
- https://pastebin.com/u/jroosen
- NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
- I am providing them for your benefit in case you want to parse them to be sure.
- ```
- #### What is Epoch 1 and Epoch 2? ####
- ```
- What is Epoch 1 and Epoch 2? (updated 03/07/2019)
- I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
- payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications.
- Epoch 1 is currently the larger of the two botnets(MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller more
- rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
- This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen
- to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group. E.g. going on breaks at the same
- time period.
- Here are some observations I have noted since I have been watching these botnets:
- - Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
- Epoch 2 document download site. Specifically, Maldocs on Epoch 1 will have different document creation times and payload quintets than those
- being delivered in maldocs on Epoch 2 at any one time.
- - Document hashes change every 10 minutes on both Epochs while distribution/spamming are active.
- - Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- - On Mondays of every week a new set of document download sites, and usually templates to accompany them, is generated early on
- Monday morning/Sunday night.
- - Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
- Epoch 2 may have a document hosted on host.tld/B.
- - The RSA keys will change every few months or so for C2 communications on each Epoch/Botnet.
- - Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
- *- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- - Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- - C2s are never shared between Epochs/Botnets.
- - Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
- via C2 to stay ahead of AV defs.
- - Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
- - Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- - The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this
- easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- - Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
- spam template, word template, document type and even payload.
- If I think of anything else to add or if anyone else has any suggestions, I will add them here.
- ```
- #### Community Lists ####
- ```
- https://pastebin.com/6Mus5st4 - @lazyactivist192
- ```
- #### Credits ####
- ```
- (OC from @JRoosen and/or combination work of the following)
- Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
- @0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
- @Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk
- C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
- @devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192
- Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
- @pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
- @papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro
- Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
- Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
- helping out with this!
- Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
- @digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
- @urlscanio, @TrendMicro and @Virustotal for providing services/software no charge to this cause!
- ```
- #### Daily Log 05-14-19 ####
- ```
- General News:
- Both botnets went into full attachment mode today and only very select reply-chain spam was being delivered. Most of the reports of
- Emotet spam that I saw today ended up being delayed sends or Ursnif. It seems like based on the name of the documents I am seeing
- that most of the reply chain malspam is targeting Germany. A lot of us are speculating that we may be entering into a period of
- low spam volume or a break. Maybe Ivan is taking what I said to heart and giving up. :) We can only hope.
- In other news:
- Really not much to report today. Most of us saw nothing or very little like delayed sends. Good example is this post from @ps66uk:
- https://twitter.com/ps66uk/status/1128413508780134400
- @JayTHL had a nice summary of our data from last night:
- https://twitter.com/JayTHL/status/1128182107979898880
- REVIEW:
- If you didn't already see it, there is a very simple way to defang these ZIP/JS attachments or links. Just change the Explorer association
- to open .JS files via Notepad.exe. You can follow my instruction here in this Any.Run:
- https://app.any.run/tasks/81503633-0f95-48d4-bd80-c83ec5c2b763
- or you can do this via GPO. Here is a nice writeup on this process: https://montour.co/2016/09/group-policy-force-js-files/
- I recommend you do this because .JS malware is very 2016 or even earlier and most users never need to run .JS or .JSE for that matter.
- You can likely throw other extensions into the same configuration and @JayTHL had a nice thread discussing this here:
- https://twitter.com/JayTHL/status/1126204098670411779
- Email Template Report:
- My assumptions are that most of the malspam being sent today was targeting Germany based on the German file names. I also suspect
- that all of the malspam was low volume reply-chain attachment type malspam. Unfortunately I don't have any examples to share.
- If anyone wants to share anything they are getting, reach out.
- Review:
- What we know about the threaded templates/reply chain: (changes are marked with *)
- - Emails are sourced from once (or still) compromised users all over the world.
- *- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
- to the compromised party on or before Nov 2018 until at least March 2019. (may be up to present) Also have seen emails going
- back as far as June 2018.
- - Now on E1 and E2.
- - Now seeing German based templates that are essentially the same thing but in German.
- - The injected reply is usually prefaced with the following:
- "Attached is your confidential docs."
- "Attached please find the wire transfer form."
- "Thank you for your help. Please see the attached."
- "Load instructions attached"
- "A printer friendly attachment is now included with each email."
- "Click on the attachment to open or save the printer friendly version of your report."
- - Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
- - Attachments seem to be in the filename format of *_Month_DD_YYYY.doc/js so far.
- - The link is customized for the display text of the link to show the real domain of the spoofed organization.
- - These templates are pretty limited in run and not very numerous.
- Link Regex Report:
- Regex directory patterns - Nothing new to report as we are going to all attachments it seems.
- E1
- https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/
- https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
- https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/
- E2
- https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
- https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|demo|direc|Document|DOC|esp|FILE|homepage|images|INC|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)
- https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/
- NOTE: If you get a lot of false positives, try adding (\"|\n) at the end of some of these after the last \/
- These Regex patterns are to be used experimentally and at your own risk but they caught 95%+ of what I saw in link malspam.
- Payloads Report:
- Stage 2 docs are all being delivered by attachment it seems as of mid afternoon today. E1 has been attachments this week
- and E2 went to attachments this afternoon. There also seems to be only 2 quintets that were in play on each botnet
- today. This is further reason to believe a break is likely because this has happened in the past near the end of a long run
- of spamming. It is almost as if they have some garbage left over to use up and just throw the last 2 bundles or 1 bundle out
- before putting it on auto-pilot.
- Seeing a newish hybrid of the loader being tried on distro for E2 today after both E1 and E2 were back on the old V1 loader
- yesterday. James Quinn (@lazyactivist192) and I are calling it V4 as it differs from the previous v2/3 tests of late.
- James thinks, "Yeah it's definitely v4 as it takes elements from V2 and v3" of the new loader.
- This one is not hash busting still and just comes in 1-3 hashes and sits for hours (usually 10-12) with the same hash on Distro
- and C2. They must be having problems with hashbusting or they are testing still.
- C2 Report: C2 Combos are slowly falling now on the E2 botnet after reaching a record 95 combos over the weekend.
- C2 combos on E1 are slowly increasing.
- C2s DID change for E1 and increased from 61 to 69 combos in total. - recorded above
- C2s DID change for E2 and decreased from 92 to 90 combos in total. - recorded above
- Closing:
- Well, a lot of signs are pointing to a break and we are due for one but Ivan has fooled me several times before with this.
- It could just be some testing of some new features/code that kept them from hitting the spam button hard today. We will
- see what tomorrow brings.
- TT
- ```
- #### Sandbox 05/14/19 ####
- (all with fakenet and MITM unless spam/secondary infection)
- ```
- Epoch 1 C2 run on 2019-05-15 at 02:00 UTC - https://cape.contextis.com/analysis/73848/
- ```
- ```
- Epoch 2 C2 run on 2019-05-15 at 02:45 UTC - Courtesy of @lazyactivist192 https://pastebin.com/6Mus5st4
- ```