- ## Emotet Malware Document links/IOCs for 04/23/19 as of 04/23/19 23:59 EDT ##
- *Notes and Credits now at the bottom* Follow us on Twitter @cryptolaemus1 for more updates.
- #### Epoch 1 Document/Downloader links seen for 04/23/19 ####
- #### Epoch 2 Document/Downloader links seen for 04/23/19 ####
- ```
- http://thefintech.com.au/wp-admin/t4db-f2fdx0-zmewqpy/
- http://thuyluckhinen.com.vn/er3j0ev/DOC/TMF4t0whh4eX/
- http://tinyfab.in/wp-includes/Scan/yJyeEnHAeM/
- http://toclound.com/kdbl/7d324-x9izdf5-uqoxyju/
- http://todaylink.tk/wp-content/fm66zwg-jrk7e-cmjx/
- http://toyotamiennam.vn/wp-admin/wa8yxu-piz3t6h-orglzav/
- http://tradereport.cl/lmae/j72i-5o52n-rqucl/
- http://trainghiemsong.com/ujbllmy/pc8d88s-bnx6rs-nigkzt/
- http://trangtriquancafe.com/wp-includes/hwsvnd6-4xunnn-ofnn/
- http://tricktotrip.com/wp-includes/nflr0-c5eyxrz-uuwy/
- http://trident-design.net/agcrm/Document/hk54nKkIqVNn/
- http://tristanrineer.com/sec.accs.docs.biz/Scan/8dsyHnkn/
- http://tubbzmix.com/07u6/mnhg-8vstvzz-sosvf/
- http://tunnelpros.com/wp-admin/i8puze2-mk0kn-mxld/
- http://uztea.uz/wp-admin/INC/ZUsLKPD9bLF/
- http://vallabh.zecast.com/wp-content/uploads/q836-91g7of-qkvh/
- http://valoomanus.com/q7rjcoh/2ysqt-jpmb9-ojpsvfu/
- http://vanspronsen.com/test/INC/68KEIgnbiqzo/
- http://vertuar.com/Logo/INC/Fn48NBB4LC/
- http://veseco.pt/wp-admin/LLC/oEoHMrTYVx6g/
- http://villamontesdr.com/daua/xjpd3s-v179bg-qfjp/
- http://vinagyp.com/security/bxzb-yjrxu-osnv/
- http://vivationdesign.com/files/FILE/YmDMJ2PDliJc/
- http://watelet.be/wp-includes/FILE/mhNzetvTus/
- http://weblebiz.com/wp-content/mgvqv-dhvn0r-zpxiso/
- http://whistledownfarm.com/dev/DOC/Escq81d9jF/
- http://wladdes.com/wp-includes/Document/guOUQrtGj/
- http://wordpress.demo189.trust.vn/wp-content/uploads/FILE/YdcLqbS7/
- http://wpdemo.sleeplesshacker.com/wp-includes/Document/XrgbvGGI8FvC/
- http://www.aktifsporaletleri.com/assess/Scan/l7vlHX0jdDGH/
- http://www.bnc24.in/ynibgkd65jf/Document/hn9sojMa89au/
- http://www.bouwinzigd.nl/wp-admin/Document/8uRTXXih/
- http://www.completedementiacare.com.au/wp-admin/kk3nxjl-id2whjq-gfct/
- http://www.edelhof.cc/wp-admin/j0dxs-mciyu-cphdoqv/
- http://www.elevationshairboutique.com/7synaav/Scan/ooDB4Y9ehupq/
- http://www.farvest.com/form/64j43yc-mhsyl9-cybpeg/
- http://www.fuerthkaffee.at/wp-includes/Document/5q8RMMMTZiZr/
- http://www.jubileesvirginhair.com/wp-content/DOC/EA1LXd0x/
- http://www.kvsc.com.my/rtrtgtm/blc8-4345am9-jehirg/
- http://www.lafoulee.com/calendar/ai9tx-pyen5zi-tdmaf/
- http://www.lecombava.com/wp-content/FILE/PRs3CWUiT/
- http://www.lotushairandbeauty.com/op0bkpn/INC/8z6iSqqKp/
- http://www.maestraleyacht.com/wp-content/o97v-6rl7ent-sayen/
- http://www.megawindbrasil.com.br/css/FILE/9Sos3l8TxxQ/
- http://www.mhkqyj.com/wp-includes/Document/KZ1AxOyfyIj0/
- http://www.scilijas.com.ba/componentsasd/FILE/K9jWXtx51ty2/
- http://www.smc.ps/ar/Scan/ibEMEaYxaRDJ/
- http://www.sz-lansing.com/wp-includes/Scan/gQ4yUHQu1UeU/
- http://www.versatilehairshop.com/m8gzo1y/vgrhvk6-ik615-gohar/
- http://xn--h1adcfjmfy1g.xn--p1ai/wp-includes/utnpww5-j03d0-zihtpic/
- http://yellow-fellow.pl/wp-admin/DOC/0xN36TKC/
- http://ymca.monkeynbiz.com/wp-admin/fp36bur-adu1nar-euqzhe/
- http://yoyoplease.com/ebay/FILE/8NUrTGbHy/
- http://yuyinshejiao.com/wp-admin/DOC/dy4FSEaOTP/
- https://aabbcc.gq/wp-content/INC/BX7oj8ttIDc/
- https://aktusglobal.com/member/rfu02-cets80f-oqsun/
- https://amoyal-law.co.il/wp-content/INC/dUgjhWJ5HG/
- https://anoopkarumanchi.com/cgi-bin/Scan/VRkG1DhTglYp/
- https://apsblogs.com/wp-includes/2r09i5-4iapze3-qrbdwk/
- https://asis.co.th/cisco-sg300/FILE/i0zEB0n1NQpL/
- https://business-insight.aptoilab.com/wp-content/Document/TiWwwrh0e0m/
- https://chlorella.by/cgi-bin/FILE/P5NZpZ1tu/
- https://christianconcepcion.com/wp-includes/DOC/lMgXLyEcGinH/
- https://cosmeliti.com/wp-admin/LLC/a4aWaRWqMft/
- https://criminalisticaycriminologia.com/wp-includes/zvwz8-qrvwc-mgnnza/
- https://dadgummarketing.com/error/opek3xg-t8xt7-ezakezb/
- https://disnak.sukabumikab.go.id/wp-includes/LLC/mjI8TozRco/
- https://dziennikwiadomosci.pl/wp-content/u4qwj-888xdu-jxlqybv/
- https://escuro.com.br/ckeditor/FILE/Rfw3oKtI/
- https://fanzi.vn/wp-includes/dhrb-zx009-teqy/
- https://fishingbigstore.com/addons/FILE/aq73bdkf5o/
- https://geladinhogourmetoficial.com.br/wp-includes/DOC/1FeiuO8n/
- https://kxmgf.cn/emp5/7nb7a-zjb02f1-ylft/
- https://lcced.com.ve/images/FILE/RQmoqv2qet/
- https://mundosteel.com.br/resposta_clientes_mundo_steel/9w7h-pv0dh1-kimesg/
- https://musicianabrsm.com/8uhpkl5/g7qsw-euwgq1-yrmgicf/
- https://nhadatphonglinh.com/wp-admin/dm3u1-v4y93ut-eksz/
- https://privacydesignstudio.com/wp-content/Scan/OL7da4MV/
- https://psicopedagogia.com/glosario/INC/MJJ6pQ3VfQ/
- https://rtarplee.stackpathsupport.com/wp-admin/qo36ehj-bjgt61-gccdsnh/
- https://sillium.de/Scan/fQOWzePg/
- https://swbproject.com/wp-admin/x8ofi-acrpkjo-vfucsy/
- https://thingstodoinjogja.asia/wp-includes/Scan/lSKrx7e7kq/
- https://tradereport.cl/lmae/j72i-5o52n-rqucl/
- https://wangwenli.cc/wp-includes/LLC/xjUxkowAm/
- https://wordpress.carelesscloud.com/wp-includes/Scan/SjNzNCJocgR4/
- https://www.bitsmash.ovh/wp-includes/LLC/9k83vg0gslt/
- https://www.completedementiacare.com.au/wp-admin/kk3nxjl-id2whjq-gfct/
- https://www.diezauberin.xyz/3zyf/FILE/TIbeLuj295K/
- https://www.eigenheim4life.de/s/p89km6e-q1l97-beryri/
- https://www.elevationshairboutique.com/7synaav/Scan/ooDB4Y9ehupq/
- https://www.guy007.com/wp-content/d3zewz2-xac9bb-hjni/
- https://www.hrportal.co.il/wp-admin/ijtu9x-fwub6-rvbt/
- https://www.jubileesvirginhair.com/wp-content/DOC/EA1LXd0x/
- https://www.lotushairandbeauty.com/op0bkpn/INC/8z6iSqqKp/
- https://www.versatilehairshop.com/m8gzo1y/vgrhvk6-ik615-gohar/
- https://xn--80aao0acd1ak7id.xn--p1ai/wp-content/themes/creattica/ibe0949-aoibin-eziw/
- ```
- #### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
- ```
- Creation Time 2019-04-23 16:25 (JS Based - Fake Error)
- Creation Time 2019-04-23 15:59:00 (DOC Based - ENG - 365 Blue Box)
- Creation Time 2019-04-23 13:04:00 (DOC Based - ENG - 365 Blue Box)
- Creation Time 2019-04-23 06:36:00 (DOC Based - ENG - Off-Center - Light Blue White)
- Creation Time 2019-04-22 19:25 (JS Based - Fake Error)
- ```
- #### SHA256s for Epoch 1 Payload EXEs seen on 04/23/19 ####
- #### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
- ```
- Creation Time 2019-04-23 21:05 (From ZIP - JS Based - Fake Error)
- Creation Time 2019-04-23 18:35 (From ZIP - JS Based - Fake Error)
- Creation Time 2019-04-23 15:50 (From ZIP - JS Based - Fake Error)
- Creation Time 2019-04-23 12:52:00 (DOC Based - ENG - 365 Blue Box)
- Creation Time 2019-04-23 08:33:00 (DOC Based - ENG - 365 Blue Box)
- Creation Time 2019-04-22 23:20 (From ZIP - JS Based - Fake Error)
- ```
- #### SHA256s for Epoch 2 Payload EXEs seen on 04/23/19 ####
- #### Epoch 1 C2s ####
- #### Epoch 1 - Spam/Stealer C2s ####
- ```
- 31.172.86.183:8080
- 104.236.185.25:8080
- 50.116.63.9:7080
- ```
- #### Current Epoch 1 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
- ```
- #### Epoch 2 C2s ####
- #### Epoch 2 - Spam/Stealer C2s ####
- ```
- 198.58.114.91:4143
- 213.136.86.219:7080
- 91.205.215.10:7080
- ```
- #### Current Epoch 2 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
- ```
- #### Credits and Notes Section ####
- ```
- WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it
- is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
- https://pastebin.com/u/jroosen
- NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
- I am providing them for your benefit in case you want to parse them to be sure.
- ```
- #### What is Epoch 1 and Epoch 2? ####
- ```
- What is Epoch 1 and Epoch 2? (updated 03/07/2019)
- I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
- payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications.
- Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller more
- rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
- This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen
- to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group. E.g. going on breaks at the same
- time period.
- Here are some observations I have noted since I have been watching these botnets:
- - Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
- Epoch 2 document download site. Specifically, Maldocs on Epoch 1 will have different document creation times and payload quintets than those
- being delivered in maldocs on Epoch 2 at any one time.
- - Document hashes change every 10 minutes on both Epochs while distribution/spamming are active.
- - Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- - On Mondays of every week a new set of document download sites and usually templates to accompany them are generated early on
- Monday morning/Sunday night.
- - Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
- Epoch 2 may have a document hosted on host.tld/B.
- - The RSA keys for C2 communications on each Epoch/Botnet will change every few months.
- - Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
- *- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- - Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- - C2s are never shared between Epochs/Botnets.
- - Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
- via C2 to stay ahead of AV defs.
- - Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
- - Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- - The easiest way to tell what botnet a sample is from, is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this
- easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- - Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
- spam template, word template, document type and even payload.
- If I think of anything else to add or if anyone else has any suggestions, I will add them here.
- ```
- #### Community Lists ####
- ```
- https://pastebin.com/3vv5zZ0e - @ps66uk
- https://otx.alienvault.com/pulse/5cbf738701c33d2844eea31a/ - @SecSome
- https://pastebin.com/LMGJAK10 - @pollo290987
- ```
- #### Credits ####
- ```
- (OC from @JRoosen and/or combination work of the following)
- Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
- @0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
- @Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk
- C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
- @devnullnoop, @gorimpthon, @Racco42, @Jan0fficial
- Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
- @pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
- @papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman
- Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
- Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
- helping out with this!
- Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
- @digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
- @urlscanio and @Virustotal for providing services/software at no charge to this cause!
- ```
- #### Daily Log 04-23-19 ####
- ```
- General News:
- I got a fair bit of link malspam from both botnets today. Mostly E1 but some E2 early. The Emotet guys seem to be working on the
- loader code quite a bit lately and keep changing things up. Sounds like someone doesn't like all the poking around lately and notes
- being published. We expect more major changes soon. Still a lot of weirdness with E1 and E2 Distro/C2 binary updates.
- In other news:
- @Luca_nagy caught the latest Emotet EXEs using the Heaven's Gate technique to switch 32 to 64 bit and avoid some debugging. :)
- https://twitter.com/luca_nagy_/status/1120634450201722880
- Explanation of this here:
- http://www.alex-ionescu.com/?p=300
- Email Template Report:
- I received 42 in total and the majority of it was E1. I did see a burst of German based malspam in the early morning around 07:00UTC
- from E2 and then sporadic English E1 until 21:00UTC. I then got 3 dozen E1 link based malspam in a burst until 01:00UTC.
- None of it was reply chain based and it was the same templates I have been showing lately for billing and invoices etc.
- Review:
- What we know about the threaded templates:(changes are marked with *)
- - Emails are sourced from once (or still) compromised users all over the world.
- - Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
- to the compromised party on or before Nov 2018 until at least January 2019. (may be up to present) Also have seen emails going
- back as far as June 2018.
- - Now on E1 and E2.
- - Now seeing German based templates that are essentially the same thing but in German.
- *- The injected reply is usually prefaced with the following:
- "Attached is your confidential docs."
- "Attached please find the wire transfer form."
- *"Thank you for your help. Please see the attached."
- - Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
- - Attachments seem to be in the filename format of *_April_DD_YYYY.doc/js so far.
- - The link is customized for the display text of the link to show the real domain of the spoofed organization.
- - These templates are pretty limited in run and not very numerous.
- Link Regex Report:
- Regex directory patterns - The following patterns were seen active today:
- E1
- \/(Frage|Nachprufung|nachpr|sich|sichern|vertrauen|([DdeEnN_]{2,5}))\/([0-49\-]){6,7}\/
- https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
- E2
- https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/
- https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{8,12})\/
- Payloads Report:
- E1 had 4 quintets today. E1 was doing DOCs all day and then switched to 15:59 for a new creation time and then quickly moved to
- direct JS downloads where it has been all night.
- Entirely link based stage 2 downloads seen.
- E1 binaries are updating in distro and C2 today. However, distro E1 slowed hash busting to a rate of 1 per 6-8 hours as of
- approximately 08:15UTC this morning. The new EXE showing up in distro is very different than what is showing up in C2. It is
- small at 78KB and contains some odd behavior. It is currently the only type on E1 Distro.
- C2 is updating every 2 hours.
- E2 had 5 quintets today which is a higher than normal count. As it has lately, E2 started the morning as documents but then moved to
- hash busted ZIP/JS files after around 15:45UTC. It is currently still doing hash busted ZIP/JS files.
- Entirely link based stage 2 downloads seen.
- E2 binaries were updating and hash busting at a pace of 5-10 minutes until about 08:30 UTC this morning. From that point forward
- it has been following the 6-8 hour update pattern with the small 78KB type binary in distro. C2s are still "normal" and
- updating every 2 hours.
- C2 Report:
- C2s DID change for E1 and increased from 54 to 57 combos in total. - recorded above
- C2s DID change for E2 and increased from 65 to 67 combos in total. - recorded above
- Closing:
- Ivan and the Emotet gang are showing themselves to be resourceful as of late. It seems like some major time is being spent on the
- binary loader development and there are likely major changes coming ahead. Be prepared. TT
- ```
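The directory patterns from the Link Regex Report in the daily log above can be run over proxy or mail-gateway logs to tag requests by epoch. The following is an added example, not part of the original notes: the regexes are copied from the report, while the labels, the log format and the sample lines (reserved `.test` hosts) are constructed assumptions.

```python
import re
from collections import defaultdict

# Patterns copied verbatim from the Link Regex Report; the short labels are added here.
PATTERNS = [
    ("E1", "keyword-date", r"\/(Frage|Nachprufung|nachpr|sich|sichern|vertrauen|([DdeEnN_]{2,5}))\/([0-49\-]){6,7}\/"),
    ("E1", "token-4part", r"https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/"),
    ("E2", "token-3part", r"https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/"),
    ("E2", "doctype-dir", r"https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{8,12})\/"),
]
COMPILED = [(epoch, label, re.compile(rx)) for epoch, label, rx in PATTERNS]

# Constructed proxy log lines (timestamp, client, method, URL); all hosts and tokens are made up.
SAMPLE_LOG = """\
2019-04-23T07:02:11Z 10.0.0.21 GET http://site1.example.test/wp-admin/service/Nachprufung/2019-04/
2019-04-23T14:10:40Z 10.0.0.22 GET http://site2.example.test/digi/AbCd-0123456789abcdEF_GhIjKlMn-x7Z/
2019-04-23T16:01:05Z 10.0.0.23 GET http://site3.example.test/wp-content/ab12c-de34f-gh56/
2019-04-23T16:20:33Z 10.0.0.24 GET https://site4.example.test/Scan/a1B2c3D4e5/
2019-04-23T16:45:00Z 10.0.0.25 GET https://blog.example.test/post/quick-start-guide/
2019-04-23T17:00:12Z 10.0.0.26 GET https://site5.example.test/index.html
""".splitlines()

def classify(url):
    """Return every (epoch, label) whose pattern is found anywhere in the URL."""
    return [(epoch, label) for epoch, label, rx in COMPILED if rx.search(url)]

def triage(lines):
    """Group client addresses by the epoch label of the URLs they requested."""
    clients = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of guessing fields
        _ts, client, _method, url = parts
        for epoch, _label in classify(url):
            clients[epoch].add(client)
    return {epoch: sorted(ips) for epoch, ips in clients.items()}

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        url = line.split()[-1]
        print(url, "->", classify(url) or "no match")
    print(triage(SAMPLE_LOG))
```

The `token-3part` pattern also matches ordinary hyphenated slugs such as the constructed `quick-start-guide` line, so hits are leads to corroborate rather than verdicts. The date class `[0-49\-]` does not admit a `5`, so a `2019-05` directory would not match and the patterns need updating as the templates change.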
- #### Sandbox 04/23/19 ####
- (all with fakenet and MITM unless spam/secondary infection)
- ```
- Epoch 1 C2 run on 2019-04-24 at 00:15 UTC - https://cape.contextis.com/analysis/68810/
- ```
- ```
- Epoch 2 C2 run on 2019-04-24 at 02:30 UTC - https://cape.contextis.com/analysis/68928/
- ```