jroosen

Emotet Malware IoCs 2019/05/14

May 14th, 2019
## Emotet Malware Document links/IOCs for 05/14/19 as of 05/14/19 23:30 EDT ##
*Notes and Credits now at the bottom* Follow us on Twitter @cryptolaemus1 for more updates.


#### Epoch 1 Document/Downloader links seen for 05/14/19 ####
```

Seen only in attachments

```
#### Epoch 2 Document/Downloader links seen for 05/14/19 ####
```

```
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time 2019-05-14 16:58:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:

Creation Time 2019-05-14 06:53:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:

Creation Time 2019-05-13 19:26:00 (Password Protected - Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:

```
#### SHA256s for Epoch 1 Payload EXEs seen on 05/14/19 ####
```


```
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time 2019-05-14 16:10:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:

Creation Time 2019-05-14 08:52:00 (DOC Based - ENG - 365 Blue Box)
SHA256:

Creation Time 2019-05-13 19:33:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
  500.  
  501. ```
  502. #### SHA256s for Epoch 2 Payload EXEs seen on 05/14/19 ####
  503. ```
  504.  
  505. 12ba09d1fb95a170e4fdcb28f1dc36882d2cb47e4a6d8219899abdc2005db6d4
  506. 844e3b338abefbf6b7e29f5947373616248b3548dee938add767eebc57feaeba
  507. 71dd8c35448fa4d479a2a4ab4582fe7b95e9be7517bc5d049d10bb79b26a45ea
  508. 48ba07ad9bc1d4fbd127aa05bbc31ce676cbaa1e9536fad1ac5a5a23ba56e92b
  509. e3a780e3d802985680f6fd3a55f23cf702e648f01703590b1fc36c569ccf0efb
  510. 6587daf0291733c40cf423a3bc3131d7c7cb1311f775c253ca9dc545696d5bb5
  511. 149b09256beb53d487a30bebde8041ab7cdd07e2079f27347f4474830ae9d570
  512. f9309e01e9f44c9f4489d6e32dd566aaec0b16c3a47fdd73a4d9735ef9f3393c
  513. 8f8d610d75b7b3abfd6d5b5d0e9ec8785278d1bb326069ada1e8c225728066bb
  514. cdd90236b1a620a20ca9c5d6a1d7bb2bfb292909c1c9f8ee011a417c95696607
  515. bf581fd18175d78372221710ec018d58bb5684ca944f5f349f99208f3ee18069
  516. 72514d40414d67778a1db0ed0728cdaf96e184efad9ca17e54ffa54a266fdb6a
  517. b07344da69b6ea79fd98857d63deec5621af9ac3156114483f56c8a5b685a338
  518. 225144deccd766edc86cf3179c6322fabc9cd7f25b041f890f68369e7a54bf8c
  519. 7a779f61463a1d0934d08ddfc32d01b25765ddbd1e3224cb1f079bc5eb296dbe
  520. a35b999ea8bb3f2388c451038ebdb66ef75ae727dd11ab76ea4da3894b488faa
  521. d53ef82460891e82797bed0238bb2d2cf8c5c59eb22478a89a962088f5ae6d46
  522. 815b89175dd08f44b3221615fc4e2335b2d69b84918227e295416e5fcb51d339
  523. fe9dd516cecd08e8a4897d931c4a7390a10ad8c6d5c69c1da92a33759d12ff39
  524. bd47f14b2c97c3788f13151d31635fdd5566ab7d28cdd2b2f7fdef8aa79d7412
  525. 032d413b9730126652b3a54dde7d678f6cbafe0c5cb3eb34ec2d6a26cc758ad0
  526. 9896b12c9f600d7ce0539fe0c1c349c8ccc27348a660c47e2b1c7f0d4f28edc5
  527. ab19a3f49874e6e22cafb32109c1bb4f0db7ca30a4915208eeaa06cc1eefb7dc
  528. 8040fdac7658e32cddc10dfe11a41eb8971f2a81c5d93ffe38dd6d10c6d35522
  529. 6e0996716266ea7f3f1393b1312ebae59ceb7d5651341c1373b2df8170e131e2
  530. 70bb34a07411cc0fb2e2fa47602fffcae8c95dad29a0f6a12a80678329530d04
  531. 38bc02b8c5b2e76e078761f4486ba3dc2371f872e0accc84dcb3a17d7553049e
  532. 909028f4cbe20e7d81766a68958d0fef790ec93b8711fbfa0efab758e746fb7d
  533. 90d6fb5cc45de8e9d8c7bc5beba8bc2e8ede8534e576ce62257afb12c4c63b7b
  534. 1753ecfb8d03b10f506dcfbefa6affcf6005d4cbfcba8dc3903ae1e255351685
  535. 05bbf3dd528dc06c799c7927a3bb08c9e3a7c3cd9224fadf977bc2b73d14d490
  536. c84972e44644080020f759810ecd9e5a89b054a56c1fa467428e191bb3ab384e
  537. 721321e28130d044aec2707aacd418012e5de076fa873703d2b6590b49662408
  538. f545243f54520ad479fbbf3df81ea31d234af8b5d4452630391a50815c53bbea
  539. 2627543419e2229e2b3445e4530e270c60b4c7b0b1882757a18a5f729ee62889
  540. 9f43f2b9ee39a45441da9d79a3b65181a0f41ac8e41d169e0319dd7b4248f11e
  541. 3b3287168df97138f14535be0a2aa02713ecbfbd9c7c7212bc78745db9d5506d
  542. 1604da70f172c249833b7340dae1ab65260bcf030ee395771218879b77ddf795
  543. 2cfee248366aad28ae55a0941323e3e776e732ef39f4b0b83a3a97346715aa96
  544. 56038022d89df874a7a3158328b1a2b522b361cb6f028e1b03f3eda1e2b17f88
  545. 22c03476b6bf0e03401d4e7fc828094b818c35b4c6e1ee590ba4bebc67aa2867
  546. 8d18b7e934012b180d29a0f44992fdc06c6ba8211c0e2fc5ddb6502fa2ba9fc9
  547. 0419ee7cb7a16c933b342316b8f7466ca8d73e0726c45714efaad863dd92f885
  548. 3b3864df5ad2cda0c14e777e060562202d0dc5d08b1898ff8fe86c458f004ee9
  549. f54696e1f1d761753264c1933ba53e7e36406ffa27c6899067f0ec7ae547a8a5
  550. 31758ac1b7f83b3d13e789ccde6bf2117ab4f52a7c5a98b144ed94632f587c15
  551. 54b169f7707ff536936c45bf3c9abe7606c78551294d16200a69b7e637d07140
  552. ae7af441861976958fe9fec0343bc39776ec77e5175693d35ec7255f01fe1df4
  553. 366d67bc2a490d6e175d34316fe0bdeb95cf48361bd9f3d0700e318f522bfdbe
  554. ef57ee54a47e95767e58d68c51e04ecd9c52363b30441b332c9379d8a1acb694
  555. 2c0af79fbdc7bcf7be1cb772dfa71be27a2d8cb08de4963aa75260b650932e27
  556. 23c648e1c1d033278a39803d56bb02dc63674f8edb41fc91d1bb1523f05725d7
  557. cec6c7c955c38a91ef3a85b1093fe1de9cbfea76c164e47549abd0b8318a7352
  558. b7fae94d926f1e80f9f08897132764ae0cc60818deae7b66e51a5cad08079fbd
  559. d608f1ac7e5c1b4f2f24e7865bcf8e6bd0ba2253f6f4b1e011f150874a7779ae
  560. 9daab6c73353614a093316a5d3a6f8fedf49e6f09c902c2a9eb8ebc2421fd073
  561. f5c90a7ffaadc644d8879c1f5cd226b01d03dca7ab1d25daaa506d790e6f0806
  562. b7d6abf5e0ac9854e6cc338ba32df844c21cc0265950d7ce8b13be55bc27028a
  563. ef1cf8c9b4c3b9b1ec5720101c9968c257ee0aef892f120b5e7ea55e88252bbb
  564. 4095cb4d46154c6ec4d8c70d02914cb8df6ca646df01c85a00f5f5cba1bb5666
  565. f4fa4fad684e10e5f4d016134c73eeec9559278da0cea59cb6bc1e8f8ec9953e
  566. 4f07207894325e1073a2c6386d15123f5f0a060226f7ee562596e32c5e4d6df7
  567.  
  568. ```
  569. #### Epoch 1 C2s ####
  570. ```
  571.  
  572. 103.201.150.209:80
  573. 103.213.212.42:443
  574. 105.224.171.102:80
  575. 109.104.79.48:8080
  576. 109.73.52.242:8080
  577. 111.67.12.221:8080
  578. 163.18.23.242:80
  579. 175.107.200.27:443
  580. 181.110.239.26:80
  581. 181.143.101.18:8080
  582. 181.15.243.22:80
  583. 181.16.127.226:443
  584. 181.199.151.19:80
  585. 181.29.101.13:80
  586. 181.30.126.66:80
  587. 181.39.134.122:80
  588. 185.129.93.140:80
  589. 185.86.148.222:8080
  590. 185.94.252.27:443
  591. 186.121.223.131:80
  592. 186.139.160.193:8080
  593. 187.178.9.19:20
  594. 187.188.166.192:80
  595. 187.242.204.142:80
  596. 189.196.140.187:80
  597. 190.117.206.153:443
  598. 190.123.35.82:50000
  599. 190.13.211.174:21
  600. 190.147.116.32:21
  601. 190.180.52.146:20
  602. 190.85.206.228:80
  603. 191.112.58.204:443
  604. 191.97.116.232:443
  605. 192.155.90.90:7080
  606. 196.6.112.70:443
  607. 200.107.105.16:465
  608. 200.127.0.8:80
  609. 200.28.131.215:443
  610. 200.45.57.96:143
  611. 200.58.171.51:80
  612. 200.59.189.217:80
  613. 201.217.67.3:80
  614. 201.251.229.37:80
  615. 203.25.159.3:8080
  616. 205.186.154.130:80
  617. 213.172.88.13:80
  618. 216.98.148.136:4143
  619. 217.199.175.216:8080
  620. 217.92.171.167:53
  621. 218.161.88.253:8080
  622. 219.94.254.93:8080
  623. 23.254.203.51:8080
  624. 37.59.1.74:8080
  625. 43.229.62.186:8080
  626. 45.73.124.235:8080
  627. 51.255.50.164:8080
  628. 62.75.143.100:7080
  629. 64.87.26.16:443
  630. 66.209.69.165:443
  631. 69.163.33.82:8080
  632. 72.47.248.48:8080
  633. 79.143.182.254:8080
  634. 81.183.213.36:80
  635. 81.3.6.78:7080
  636. 82.226.163.9:80
  637. 85.132.96.242:80
  638. 89.134.144.41:8080
  639. 91.205.215.57:7080
  640. 91.83.93.124:7080
  641.  
  642.  
  643. ```
  644. #### Epoch 1 - Spam/Stealer C2s ####
  645. ```
  646.  
  647. 61.92.159.208:8080
  648. 104.236.185.25:8080
  649. 50.116.63.9:7080
  650.  
  651. ```
  652. #### Current Epoch 1 RSA Public Key ####
  653. ```
  654.  
  655.  
  656. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
  657.  
  658. ```
  659. #### Epoch 2 C2s ####
  660. ```
  661.  
  662. 103.255.150.84:80
  663. 103.53.44.20:80
  664. 105.247.109.117:993
  665. 119.155.153.14:21
  666. 133.242.156.30:7080
  667. 134.196.53.52:7080
  668. 136.243.177.26:8080
  669. 138.201.140.110:8080
  670. 147.135.210.39:8080
  671. 149.167.86.174:990
  672. 149.255.56.242:8080
  673. 162.243.125.212:8080
  674. 167.114.210.191:8080
  675. 169.239.182.217:8080
  676. 173.255.196.209:8080
  677. 174.93.130.148:8443
  678. 175.100.138.82:22
  679. 177.230.108.144:22
  680. 177.242.202.30:8080
  681. 177.242.214.30:80
  682. 177.246.193.139:20
  683. 178.152.78.149:20
  684. 178.62.37.188:443
  685. 178.79.161.166:443
  686. 179.14.2.75:21
  687. 182.176.132.213:8090
  688. 182.188.47.206:990
  689. 183.82.100.135:80
  690. 183.82.110.170:53
  691. 186.113.19.171:80
  692. 186.19.202.88:21
  693. 186.31.189.232:143
  694. 186.4.167.166:80
  695. 186.4.234.27:443
  696. 187.189.195.208:8443
  697. 189.209.217.49:80
  698. 190.112.228.47:443
  699. 190.145.67.134:8090
  700. 190.25.255.98:443
  701. 190.25.255.98:80
  702. 190.53.135.159:21
  703. 190.72.136.214:465
  704. 198.57.223.7:8080
  705. 2.50.4.159:443
  706. 2.50.52.255:20
  707. 200.21.90.6:80
  708. 200.85.46.122:80
  709. 201.199.89.223:8443
  710. 201.220.152.101:80
  711. 201.231.44.78:80
  712. 201.238.152.20:465
  713. 211.248.17.209:443
  714. 211.63.71.72:8080
  715. 213.14.166.152:990
  716. 216.98.148.156:8080
  717. 217.13.106.160:7080
  718. 222.214.218.136:4143
  719. 24.139.205.186:8080
  720. 41.169.20.147:143
  721. 41.184.246.205:53
  722. 41.220.119.246:80
  723. 45.123.3.54:443
  724. 45.33.49.124:443
  725. 46.100.165.6:53
  726. 50.31.0.160:8080
  727. 50.99.132.7:465
  728. 58.9.168.7:443
  729. 58.9.168.7:990
  730. 59.103.164.174:80
  731. 62.75.187.192:8080
  732. 64.13.225.150:8080
  733. 66.84.11.168:8080
  734. 68.52.43.253:80
  735. 69.45.19.145:8080
  736. 77.56.253.112:80
  737. 78.186.5.109:443
  738. 78.189.173.217:143
  739. 84.241.10.111:53
  740. 85.104.59.244:20
  741. 86.122.149.86:8080
  742. 87.106.139.101:8080
  743. 88.198.62.227:8080
  744. 88.21.212.13:8080
  745. 91.205.215.66:8080
  746. 92.154.101.154:50000
  747. 94.59.49.76:995
  748. 94.76.200.114:8080
  749. 95.128.43.213:8080
  750. 98.142.208.27:443
  751. 98.144.73.193:80
  752.  
  753.  
  754. ```
  755. #### Epoch 2 - Spam/Stealer C2s ####
  756. ```
  757.  
  758. 198.58.114.91:4143
  759. 213.136.86.219:7080
  760. 91.205.215.10:7080
  761.  
  762. ```
  763. #### Current Epoch 2 RSA Public Key ####
  764. ```
  765.  
  766. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
  767.  
  768. ```
  769. #### Credits and Notes Section ####
  770. ```
  771.  
  772. WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs as it
  773. is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
  774. https://pastebin.com/u/jroosen
  775.  
  776. NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
  777. I am providing them for your benefit in case you want to parse them to be sure.
  778.  
  779. ```
  780. #### What is Epoch 1 and Epoch 2? ####
  781. ```
  782.  
  783. What is Epoch 1 and Epoch 2? (updated 03/07/2019)
  784.  
  785. I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
  786. payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications.
  787. Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller more
  788. rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
  789. This seems to change back and forth over a 6-month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen
  790. to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group. E.g. going on breaks at the same
  791. time period.
  792. Here are some observations I have noted since I have been watching these botnets:
  793.  
  794. - Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
  795. Epoch 2 document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those
  796. being delivered in maldocs on Epoch 2 at any one time.
  797. - Document hashes change every 10 minutes on both Epochs while distribution/spamming are active.
  798. - Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
  799. - On Mondays of every week a new set of document download sites, and usually templates to accompany them, is generated early on
  800. Monday morning/Sunday night.
  801. - Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
  802. Epoch 2 may have a document hosted on host.tld/B.
  803. - The RSA keys will change every few months or so for C2 communications on each Epoch/Botnet.
  804. - Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
  805. *- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
  806. - Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
  807. - C2s are never shared between Epochs/Botnets.
  808. - Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
  809. via C2 to stay ahead of AV defs.
  810. - Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
  811. - Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
  812. - The easiest way to tell what botnet a sample is from, is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this
  813. easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
  814. - Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
  815. spam template, word template, document type and even payload.
  816.  
  817. If I think of anything else to add or if anyone else has any suggestions, I will add them here.
  818.  
  819. ```
  820. #### Community Lists ####
  821. ```
  822.  
  823. https://pastebin.com/6Mus5st4 - @lazyactivist192
  824.  
  825. ```
  826. #### Credits ####
  827. ```
  828. (OC from @JRoosen and/or combination work of the following)
  829.  
  830. Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
  831. @0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
  832. @Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk
  833.  
  834. C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
  835. @devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192
  836.  
  837. Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
  838. @pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
  839. @papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro
  840.  
  841. Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
  842.  
  843. Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
  844. helping out with this!
  845.  
  846. Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
  847. @digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
  848. @urlscanio, @TrendMicro and @Virustotal for providing services/software no charge to this cause!
  849.  
  850. ```
  851. #### Daily Log 05-14-19 ####
  852. ```
  853.  
  854. General News:
  855.  
  856. Both botnets went into full attachment mode today and only very select reply-chain spam was being delivered. Most of the reports of
  857. Emotet spam that I saw today ended up being delayed sends or Ursnif. It seems like based on the name of the documents I am seeing
  858. that most of the reply chain malspam is targeting Germany. A lot of us are speculating that we may be entering into a period of
  859. low spam volume or a break. Maybe Ivan is taking what I said to heart and giving up. :) We can only hope.
  860.  
  861. In other news:
  862.  
  863. Really not much to report today. Most of us saw nothing or very little like delayed sends. Good example is this post from @ps66uk:
  864. https://twitter.com/ps66uk/status/1128413508780134400
  865.  
  866. @JayTHL had a nice summary of our data from last night:
  867.  
  868. https://twitter.com/JayTHL/status/1128182107979898880
  869.  
  870.  
  871. REVIEW:
  872. If you didn't already see it, there is a very simple way to defang these ZIP/JS attachments or links. Just change the Explorer association
  873. to open .JS files via Notepad.exe. You can follow my instruction here in this Any.Run:
  874. https://app.any.run/tasks/81503633-0f95-48d4-bd80-c83ec5c2b763
  875. or you can do this via GPO. Here is a nice writeup on this process: https://montour.co/2016/09/group-policy-force-js-files/
  876. I recommend you do this because .JS malware is very 2016 or even earlier and most users never need to run .JS or .JSE for that matter.
  877. You can likely throw other extensions into the same configuration and @JayTHL had a nice thread discussing this here:
  878. https://twitter.com/JayTHL/status/1126204098670411779
  879.  
  880. Email Template Report:
  881.  
  882. My assumptions are that most of the malspam being sent today was targeting Germany based on the German file names. I also suspect
  883. that all of the malspam was low volume reply-chain attachment type malspam. Unfortunately I don't have any examples to share.
  884. If anyone wants to share anything they are getting, reach out.
  885.  
  886. Review:
  887. What we know about the threaded templates/reply chain:(changes are marked with *)
  888.  
  889. - Emails are sourced from once (or still) compromised users all over the world.
  890. *- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
  891. to the compromised party on or before Nov 2018 until at least March 2019. (may be up to present) Also have seen emails going
  892. back as far as June 2018.
  893. - Now on E1 and E2.
  894. - Now seeing German based templates that are essentially the same thing but in German.
  895. - The injected reply is usually prefaced with the following:
  896. "Attached is your confidential docs."
  897. "Attached please find the wire transfer form."
  898. "Thank you for your help. Please see the attached."
  899. "Load instructions attached"
  900. "A printer friendly attachment is now included with each email."
  901. "Click on the attachment to open or save the printer friendly version of your report."
  902. - Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
  903. - Attachments seem to be in the filename format of *_Month_DD_YYYY.doc/js so far.
  904. - The link is customized for the display text of the link to show the real domain of the spoofed organization.
  905. - These templates are pretty limited in run and not very numerous.
  906.  
  907. Link Regex Report:
  908.  
  909. Regex directory patterns - Nothing new to report as we are going to all attachments, it seems.
  910.  
  911. E1
  912. https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/
  913. https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
  914. https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/
  915.  
  916. E2
  917. https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
  918. https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|demo|direc|Document|DOC|esp|FILE|homepage|images|INC|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)
  919. https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/
  920.  
  921. NOTE: If you get a lot of false positives, try adding (\"|\n) at the end of some of these after the last \/
  922.  
  923. These Regex patterns are to be used experimentally and at your own risk but they caught 95%+ of what I saw in link malspam.
  924.  
  925. Payloads Report:
  926.  
  927. Stage 2 docs are all being delivered by attachment it seems as of mid afternoon today. E1 has been attachments this week
  928. and E2 went to attachments this afternoon. There also seems to be only 2 quintets that were in play on each botnet
  929. today. This is further reason to believe a break is likely because this has happened in the past near the end of long run
  930. of spamming. It is almost as if they have some garbage left over to use up and just throw the last 2 bundles or 1 bundle out
  931. before putting it on auto-pilot.
  932.  
  933. Seeing a newish hybrid of the loader being tried on distro for E2 today after both E1 and E2 were back on the old V1 loader
  934. yesterday. James Quinn (@lazyactivist192) and I are calling it V4 as it differs from the previous v2/3 tests of late.
  935. James thinks, "Yeah it's definitely v4 as it takes elements from V2 and v3" of the new loader.
  936. This one is not hash busting still and just comes in 1-3 hashes and sits for hours (usually 10-12) with the same hash on Distro
  937. and C2. They must be having problems with hashbusting or they are testing still.
  938.  
  939. C2 Report: C2 Combos are slowly falling now on the E2 botnet after reaching a record 95 combos over the weekend.
  940. C2 combos on E1 are slowly increasing.
  941.  
  942. C2s DID change for E1 and increased from 61 to 69 combos in total. - recorded above
  943. C2s DID change for E2 and decreased from 92 to 90 combos in total. - recorded above
  944.  
  945. Closing:
  946.  
  947. Well, a lot of signs are pointing to a break and we are due for one but Ivan has fooled me several times before with this.
  948. It could just be some testing of some new features/code that kept them from hitting the spam button hard today. We will
  949. see what tomorrow brings.
  950.  
  951. TT
  952.  
  953. ```
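Added example (not part of the original paste and not the author's tooling): the six patterns from the Link Regex Report in the Daily Log above, compiled with Python's re module and run over URLs to label each one E1 or E2 by the first pattern that matches. The Epoch 2 sample URLs are the doc download URLs listed on this page; the example.invalid URLs and the email snippet are constructed for the example. Two details worth knowing before dropping these into a mail filter: E2 pattern 2 ends with a quote-or-newline alternation, so each URL is newline-terminated before matching (otherwise a bare URL never matches it), and one real URL from this page (kumakun.com, a 7-digit suffix) falls outside the 8-15 digit range of E2 pattern 1 and is missed, which is the kind of gap the "95%+" caveat refers to.

```python
import re

# The six "Link Regex Report" patterns from this page. E1 = Epoch 1, E2 = Epoch 2.
PATTERNS = {
    "E1": [
        r"https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/",
        r"https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/",
        r"https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/",
    ],
    "E2": [
        r"https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/",
        r"https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|demo|direc|Document|DOC|esp|FILE|homepage|images|INC|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)",
        r"https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/",
    ],
}
COMPILED = {epoch: [re.compile(p) for p in pats] for epoch, pats in PATTERNS.items()}

# Constructed email body for the example: two Epoch 2 URLs copied from this page, one as an
# href, plus one URL from this page (ksicardo) that none of the patterns cover, to show a miss.
SAMPLE_EMAIL = """Thank you for your help. Please see the attached.
http://gfpar.es/blogs/1y3p64_jyelzm-160135920/
<a href="http://engraced.org/wp-content/lwUhCxRzO/">report</a>
https://ksicardo.com/travel/ntKWzIyDl/
"""


def classify_url(url):
    """Return ("E1" or "E2", pattern number) for the first pattern that matches, else None.

    The URL is newline-terminated first: E2 pattern 2 only matches when the trailing slash
    is followed by a closing quote (an href) or the end of a line, never for a bare URL.
    """
    hay = url.rstrip("\n") + "\n"
    for epoch, rxs in COMPILED.items():
        for i, rx in enumerate(rxs, start=1):
            if rx.search(hay):
                return epoch, i
    return None


def scan_text(text):
    """Extract every http(s) URL from free text (an email body, a proxy log) and classify it."""
    return {m.group(0): classify_url(m.group(0))
            for m in re.finditer(r"https?://[^\s\"'<>]+", text)}


if __name__ == "__main__":
    for url, verdict in scan_text(SAMPLE_EMAIL).items():
        print(f"{str(verdict) if verdict else 'no match':<12} {url}")
```

Run it as-is to see the three sample URLs labelled; in a filter, feed `scan_text` the decoded message body and treat any non-None verdict as a hit, keeping in mind that the patterns were tuned against the link spam seen in this period and go stale as the template changes the author describes roll through.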
  954. #### Sandbox 05/14/19 ####
  955. (all with fakenet and MITM unless spam/secondary infection)
  956. ```
  957.  
  958. Epoch 1 C2 run on 2019-05-15 at 02:00 UTC - https://cape.contextis.com/analysis/73848/
  959.  
  960. ```
  961.  
  962. ```
  963.  
  964. Epoch 2 C2 run on 2019-05-15 at 02:45 UTC - Courtesy of @lazyactivist192 https://pastebin.com/6Mus5st4
  965.  
  966. ```