#Emotet Malware Document links/IOCs for 08/27/18 as of 08/27/18 23:59 EDT *Notes and Credits now at the bottom* Follow me on Twitter @jroosen for more updates.
---- Epoch 1 Document/Downloader links seen for 08/27/18 ----
Only attachments seen.
---- Epoch 2 Document/Downloader links seen for 08/27/18 ----
---- Epoch 1 Payloads by Document SHA256 ---- Times all UTC
---- SHA256s for Epoch 1 Payload EXEs seen on 8/27/18 ----
---- Epoch 2 Payloads by Document SHA256 ---- Times all UTC
---- SHA256s for Epoch 2 Payload EXEs seen on 8/27/18 ----
---- Epoch 1 C2s by port ----
* = new/returned since last posting
---- Epoch 2 C2s by port ----
* = new/returned since last posting
- ----Credits and Notes Section----
- Updated 7/13/18
- WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture: https://pastebin.com/u/jroosen
- NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list. I am providing them for your benefit in case you want to parse them to be sure.
- UPDATED (08/02/18): Epoch 1 is now dead and it looks like there may just be one actor on the scene using what was known as epoch 2. I am going to stop using the Epoch/Botnet 2 identifiers and move on until something changes. I am leaving this for historic info:
- What is Epoch 1 and Epoch 2?
- Epoch 1 and 2 are two distinct chains of payloads that I have been tracking for a couple weeks now. Epoch 2 is currently the larger group of hosts and I think it is the main push of Emotet. Epoch 2 WAS a smaller more rapidly changing version of Emotet that tended to change the hash of the document every 45-60 minutes sometimes has new payloads that fast also. Epoch 1 seems to change payloads every 3-6 hours now and hashes change sometimes as fast as 1 hour. Epoch 1 may now be the development chain but I am not 100% sure what they are up to. Checking either epoch host at a point in time will deliver a document that has payloads that are different than the other epoch. That means epoch 1 may have payloads of a,b,c,d,e and epoch 2 will then have z,y,x,w,v. Sites sometimes move from one epoch to the other but I have never seen the same exact directory go from one epoch to the other. It always a new directory for the change in epoch as far as I have seen.
- ----Community Lists----
- https://pastebin.com/8BgdDz7z - @ps66uk
- https://pastebin.com/9aWMFHfy - @pollo290987
- https://pastebin.com/ZrG762W4 - @pollo290987
- ----Credits----
- (OC and combination work)
- Doc DL URLs - @unixronin, @ps66uk, @avman1995, @dms1899, @Bitterman59, @pollo290987, @James_inthe_box
- C2 info - @pollo290987, @unixronin
- Payloads - @AmirRedh, @unixronin, @ps66uk, @pollo290987, @James_inthe_box
- Special thanks to @unixronin, @pollo290987/@ps66uk for creating scripts and helping me out with all of this!
- Very special thanks to @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch and @Virustotal!
- ----Daily Log----
- No small run of Emotet over the weekend on Saturday. Today all I am seeing is attachment spam starting at about 07:30 EDT.
- Seeing something strange in the list that @PS66UK put together. There are payloads close together by time. This reminds me of when Epoch 1/2 were in play. After looking over the C2s for both, I am convinced there are two botnets again because the C2s are separate. The botnet that was active last week is Epoch 2 again as it was before and this new/returned one is Epoch 1.
- Here are some examples of the Spanish malspam with attachments that I got this morning.
- ---- Example #1 ----
- Date: Mon, 27 Aug 2018 16:07:49 +0100
- From: Spoofed Coworker <> <karla.esquivel@exhito.com>
- To: victim@yourdomain
- Subject: Factura de cuenta KME3792711 por mes (English: Account invoice KME3792711 for the month)
- ------=_Part_25665_3648912677.23671237493232930
- Content-Type: text/plain; charset=UTF-8
- Content-Transfer-Encoding: quoted-printable
- Buenos d=C3=ADas,=20
- =0DAdjuntamos la factura solicitada.
- =0DSaludos
- ---------------------------
- Spoofed Coworker
- --------------------------
- =0DComo siempre, si necesita ayuda, no dude en llamarnos.
- (English: "Good morning, / We are attaching the requested invoice. / Regards / Spoofed Coworker / As always, if you need help, do not hesitate to call us.")
- ------=_Part_25665_3648912677.23671237493232930
- Content-Type: application/msword; name="FACTURA-KME3792711.doc"
- Content-Transfer-Encoding: base64
- Content-Disposition: attachment; filename="FACTURA-KME3792711.doc"
- ---- Example #2 ----
- Date: Mon, 27 Aug 2018 08:46:28 -0600
- From: Spoofed Coworker <> <gabriel.venegas@fabricasselectas.com.mx>
- To: Victim@yourdomain
- Subject: =?UTF-8?B?QnJ5YW4gT3BhbGtvIENvcnJlY2Npw7NuIGRlIDI3LzA4LzIwMTg=?= (Spoofed Coworker Corrección de 27/08/2018; English: Spoofed Coworker Correction of 27/08/2018)
- ------=_Part_20727_2331053037.6445866531912701815
- Content-Type: text/plain; charset=UTF-8
- Content-Transfer-Encoding: quoted-printable
- =0DTarde,=20
- =0DHe adjuntado la factura 08-LBT2638887 para ti hoy. =0DTambi=C3=A9n env=
- =C3=ADo la factura 06-ND73647054 de junio porque=0Dfue facturado mientras e=
- staba de vacaciones, y no estoy seguro si fue enviado por correo electr=C3=
- =B3nico.=0DPor favor, confirme la recepci=C3=B3n.
- Gracias,=20
- ---------------------------
- Spoofed Coworker
- --------------------------
- =0DSi tiene alguna pregunta sobre su pedido o los documentos adjuntos, cont=
- =C3=A1ctese con nuestro cliente departamento de servicio.
- (English: "Afternoon, / I have attached invoice 08-LBT2638887 for you today. I am also sending invoice 06-ND73647054 from June because it was billed while I was on vacation, and I am not sure whether it was sent by e-mail. Please confirm receipt. / Thanks, / Spoofed Coworker / If you have any questions about your order or the attached documents, contact our customer service department.")
- ------=_Part_20727_2331053037.6445866531912701815
- Content-Type: application/msword; name="FA-LBT2638887.doc"
- Content-Transfer-Encoding: base64
- Content-Disposition: attachment; filename="FA-LBT2638887.doc"
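- The two samples above share one shape: an invoice-themed subject (in Example #2 RFC 2047 encoded), a quoted-printable Spanish body, and a base64 attachment declared as application/msword. The Python triage function below is an added example, not code from this paste or from any of the people credited above; it undoes those three layers with the standard library and flags a message when an invoice lure is paired with a binary Word document, judged by file magic rather than by the .doc extension. The sample message is constructed to mirror Example #2: the subject encoding, the shortened body and the nine-byte attachment (just the OLE2 magic) are made up for the example, and the sender display name stays redacted.

```python
import email
from email import policy
from email.utils import parseaddr

# OLE2 compound-document magic: a legacy binary .doc (the macro carrier these
# mails attach) starts with these eight bytes.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
DOC_TYPES = {"application/msword"}
LURE_WORDS = ("factura", "invoice", "pago", "payment", "overdue")

# Constructed sample modelled on Example #2 above: same header layout, MIME
# boundary and attachment headers. Made up for this example: the Subject (an
# RFC 2047 encoding of "Factura Corrección de 27/08/2018"), the shortened body
# and the nine-byte attachment (OLE2 magic plus a NUL, not a real document).
SAMPLE_MALSPAM = """\
Date: Mon, 27 Aug 2018 08:46:28 -0600
From: Spoofed Coworker <gabriel.venegas@fabricasselectas.com.mx>
To: victim@yourdomain
Subject: =?UTF-8?B?RmFjdHVyYSBDb3JyZWNjacOzbiBkZSAyNy8wOC8yMDE4?=
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_20727_2331053037.6445866531912701815"

------=_Part_20727_2331053037.6445866531912701815
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

=0DTarde,=20
=0DHe adjuntado la factura 08-LBT2638887 para ti hoy.=0DPor favor, confirme la recepci=C3=
=B3n.
Gracias,=20

------=_Part_20727_2331053037.6445866531912701815
Content-Type: application/msword; name="FA-LBT2638887.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="FA-LBT2638887.doc"

0M8R4KGxGuEA
------=_Part_20727_2331053037.6445866531912701815--
"""


def extract_indicators(raw):
    """Parse one message and return the fields an analyst pivots on: decoded
    subject, sender name/address, decoded text body and attachment facts."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""   # base64 undone here
        attachments.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(data),
            "ole2": data.startswith(OLE2_MAGIC),     # magic, not extension
        })
    return {
        "subject": str(msg["Subject"]),   # policy.default decodes =?UTF-8?B?..?=
        "sender_name": name,
        "sender_addr": addr,
        "body": body,                     # quoted-printable and charset undone
        "attachments": attachments,
    }


def is_emotet_lure(ind):
    """True when an invoice-themed subject or body is paired with a binary
    Word document, judged by declared type or by file magic."""
    text = (ind["subject"] + " " + ind["body"]).lower()
    lure = any(w in text for w in LURE_WORDS)
    doc = any(a["ole2"] or a["content_type"] in DOC_TYPES
              for a in ind["attachments"])
    return lure and doc


if __name__ == "__main__":
    ind = extract_indicators(SAMPLE_MALSPAM)
    print(ind["subject"], "|", ind["sender_addr"], "|", ind["attachments"])
    print("suspicious:", is_emotet_lure(ind))
```

- Checking the OLE2 magic is what keeps the rule honest: a renamed attachment, or one declared as application/octet-stream, still trips it, while a text attachment named .doc does not. The soft line break in the sample body (=C3= at the end of one line, =B3 at the start of the next, as in Example #2) is handled by the quoted-printable decoder, so "recepción" comes out intact.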
- ____________________________
- I never really saw Epoch 1 come back today after noon, and Epoch 2 was spamming on and off. Tomorrow looks like more URL spam from Epoch 2, and I see some new stupid directories like:
- /PrivateBanking/
- /Privatkunden/
- /200-Jahre/
- /Invoice-randomnumbers-August/
- /Firmenkunden/
- So until tomorrow.
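- An added example, not part of this paste: a proxy-log matcher for the lure directories listed above. The directory names are the ones listed; everything else is an assumption made for the example, namely that a document download link has a path of exactly three segments ending in a slash with the lure name last, that "randomnumbers" in Invoice-randomnumbers-August means a run of digits, and the proxy log lines themselves, which are constructed.

```python
import re
from urllib.parse import urlsplit

# Lure directory names from the list above; they appear as the last path
# segment of the download links.
LURE_DIRS = {"PrivateBanking", "Privatkunden", "200-Jahre", "Firmenkunden"}

# "Invoice-randomnumbers-August" is given as a pattern, not a literal; the
# "random numbers" are taken to be a run of digits (assumption).
LURE_DIR_PATTERNS = [re.compile(r"^Invoice-\d+-August$")]

# Assumption for this example: a download link has exactly three path
# segments and a trailing slash, /<token>/<word>/<lure-dir>/.
PATH_RE = re.compile(r"^/([^/]+)/([^/]+)/([^/]+)/$")

# Constructed proxy log: "<time> <client> <method> <url> <status>" per line.
SAMPLE_PROXY_LOG = """\
2018-08-28T07:31:02Z 10.1.2.33 GET http://shop.example.invalid/4X9QK2M/SWIFT/PrivateBanking/ 200
2018-08-28T07:31:05Z 10.1.2.33 GET http://shop.example.invalid/static/css/main.css 200
2018-08-28T07:32:40Z 10.1.2.57 GET http://blog.example.invalid/Aug2018/DE/Privatkunden/ 200
2018-08-28T07:33:11Z 10.1.2.57 GET http://blog.example.invalid/wp-content/uploads/200-Jahre/ 404
2018-08-28T07:35:00Z 10.1.2.90 GET http://files.example.invalid/a/b/Invoice-8827312-August/ 200
2018-08-28T07:36:00Z 10.1.2.90 GET http://files.example.invalid/a/b/c/Firmenkunden/ 200
2018-08-28T07:37:00Z 10.1.2.90 GET http://files.example.invalid/a/b/Firmenkunden 200
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def lure_dir(url):
    """Return the lure directory name when url has the three-segment download
    path and a known last segment, otherwise None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    m = PATH_RE.match(parts.path)
    if not m:
        return None
    last = m.group(3)
    if last in LURE_DIRS or any(p.match(last) for p in LURE_DIR_PATTERNS):
        return last
    return None


def scan_proxy_log(text):
    """Return one hit dict per log line whose URL carries a lure directory."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, status = m.groups()
        d = lure_dir(url)
        if d is not None:
            hits.append({"time": ts, "client": client, "url": url,
                         "status": int(status), "lure_dir": d})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit["time"], hit["client"], hit["lure_dir"], hit["url"])
```

- The status code is kept in each hit on purpose: a 404 still shows that a user clicked the link, even if the document had already been pulled, which is exactly the situation the takedown warning above describes. The path-shape check is what keeps a plain keyword match from firing on every site that happens to have a "Privatkunden" section; loosen it if you see the campaign change its directory layout.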
- ----Sandbox 08/27/18----
- (all with fakenet and MITM unless spam/secondary infection)
- Epoch 2 delivering trickbot: https://app.any.run/tasks/97274e5f-49c2-4329-b6c2-d88fe26aef62
- Epoch 1 C2 run as of 9:30 - https://app.any.run/tasks/6674db92-3b0a-42be-968d-ee8ba8c981df
- Epoch 2 C2 run as of 10:15 - https://app.any.run/tasks/d58a84c7-95a9-4b32-ae79-e06228178f54