jroosen

Emotet Malware IoCs 2019/04/03

Apr 3rd, 2019
## Emotet Malware Document links/IOCs for 04/03/19 as of 04/04/19 00:45 EDT ##
*Notes and Credits now at the bottom* Follow us on Twitter @cryptolaemus1 for more updates.

#### Epoch 1 Document/Downloader links seen for 04/03/19 ####
#### Epoch 2 Document/Downloader links seen for 04/03/19 ####
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time 2019-04-03 21:02:00 (DOC Based - ENG - Upgrade Blue Box)
SHA256:

http://thaddeusarmstrong.com/wp-content/wRx/
http://122.180.29.167/landx-test/wp-content/aj/
http://47.104.205.183/wp-content/i7J7/
http://fumicolcali.com/wblev-6pox5-vpckk/kWFS/
http://johnstranovsky.com/96t8b-z2ns7-galcijo/wF53m/

Creation Time 2019-04-03 15:14:00 (DOC Based - ENG - Upgrade Blue Box)
NOTE- Sometimes seen in Password Protected .ZIP Attachments.
SHA256:

https://newvirtual360.com/wp-includes/I2Y4/
http://mealpackage.biz/wp-admin/opSs/
http://www.ecommercesuper.com/mijmbxg/aBibT/
http://rootleadershipstrategies.com/phq2afo/r2Oz/
http://www.eviar.com/databases/jdi/

Creation Time 2019-04-03 06:22:00 (DOC Based - ENG - Upgrade Blue Box)
SHA256:
  494.  
https://hashtaglifestore.com/wp-admin/PilSAE/
http://nedmextrade.com/wp/kgMUT/
http://www.eltexapparel.com/byoxxoh/EukGG/
http://successworth.com/wsu/Nw8V/
http://www.garagedoorsrepairraleigh.com/teefzs9/yLOkO/

Creation Time 2019-04-02 20:54:00 (DOC Based - ENG - Upgrade Blue Box)
https://www.nasabonebolango.com/wp-admin/wRn/
http://ankhop.xyz/wp-includes/IM2e6/
http://woocommerce-19591-66491-179337.cloudwaysapps.com/khabwwo/uWFCi/
http://weightlosspalace.com/hlwk49gos/Oi/
http://reviewtral.com/csgldw6/BbE8V/

```
#### SHA256s for Epoch 1 Payload EXEs seen on 04/03/19 ####
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time 2019-04-03 16:11:00 (From Password Zip - DOC Based - ENG - 365 Blue Box)
SHA256:
1944959136488452820501c3a94c1d92103918ddf730900f10ee799abade7f1c
b2c60886c2357e26e5102cd4b96d9232310254df13f9bcf573a8d3d9de7b0745

http://sapelelive.com/pure.api/P_zZ/
https://zomorodluxury.ir/wp-admin/sV_c/
https://codbility.com/dgitalcomposer.codbility.com/k6_M/
http://love2wedmatrimonial.com/webfonts/mE_R/
http://canacofactura.com.mx/factura_admin/z_u/


Creation Time 2019-04-02 13:00:00 (From ZIP - JS Based - Fake Error)
SHA256:
ffbe73591031973cb52f6950ed61b168a0f0bda69f004db08846dfc1bd1d1920

https://entasystem.online/butter.function/T4_Px/
http://pontoacessoweb.com.br/x6o5aq7/pW_t/
http://www.liyuemachinery.com/config.replace/W_dK/
https://www.wegaarts.org/wp-includes/Lo_F/
http://afkar.today/test_coming.training/w_f/


Creation Time 2019-04-03 06:53:00 (DOC Based - ENG - 365 Blue Box)
https://www.agenvmax.xyz/wp-admin/0L_o/
http://tcurso2000.com.br/wp-admin/a_vy/
http://outofhandcreations.ca/function.closely/g_r/
http://persianlarousse.ir/apn/z_c/
https://xclusive.store/nextpost/g_G/

Creation Time 2019-04-02 23:00:00 (From ZIP - JS Based - Fake Error)
SHA256:
f29677dc2aeb9324b6a953176bb0a64a40b9662ef26fd81760c0ce36dfead16c

http://commonsensecarbuying.com/awstats/b_ru/
http://nomadmimarlik.com/tangerinebanking/8_v0/
http://www.secomunicandobem.com/wp-includes/YL_Xk/
http://grafikonet.com/wp/6e_yq/
http://mermaidwave.com/wp-includes/r_U1/

```
#### SHA256s for Epoch 2 Payload EXEs seen on 04/03/19 ####
#### Epoch 1 C2s ####
#### Spam/Stealer C2s ####
```

31.172.86.183:8080
104.236.185.25:8080
50.116.63.9:7080

```
#### Current Epoch 1 RSA Public Key ####
```

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB

```
#### Epoch 2 C2s ####
#### Epoch 2 - Spam/Stealer C2s ####
```

198.58.114.91:4143
213.136.86.219:7080
91.205.215.10:7080

```
#### Current Epoch 2 RSA Public Key ####
```

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB

```
#### Credits and Notes Section ####
```
Updated 7/13/18
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it
is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen

NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

```
#### What is Epoch 1 and Epoch 2? ####
```

What is Epoch 1 and Epoch 2? (updated 03/07/2019)

I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications.
Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller, more
rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen
to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group. E.g. going on breaks at the same
time period.
Here are some observations I have noted since I have been watching these botnets:

- Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
Epoch 2 document download site. Specifically, Maldocs on Epoch 1 will have different document creation times and payload quintets than those
being delivered in maldocs on Epoch 2 at any one time.
- Document hashes change every 10 minutes on both Epochs while distribution/spamming are active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Mondays of every week a new set of document download sites and usually templates to accompany them are generated early on
Monday morning/Sunday night.
- Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
Epoch 2 may have a document hosted on host.tld/B.
- The RSA keys will change every few months or so for C2 communications on each Epoch/Botnet.
- Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
*- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
via C2 to stay ahead of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this
easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
spam template, word template, document type and even payload.

If I think of anything else to add or if anyone else has any suggestions, I will add them here.

```
  1071. #### Community Lists ####
  1072. ```
  1073.  
  1074. https://pastebin.com/Xj1wYxbd - @pollo290987
  1075. https://twitter.com/ps66uk/status/1113360718600994816 - @ps66uk
  1076. https://twitter.com/James_inthe_box/status/1113471271344365568 - @James_inthe_box
  1077. https://otx.alienvault.com/pulse/5ca50a20578a7d058e7ff1d3/ - @SecSome
  1078.  
  1079. ```
  1080. #### Credits ####
  1081. ```
  1082. (OC from @JRoosen and/or combination work of the following)
  1083.  
  1084. Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
  1085. @0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @leunammejii, @jcarndt, @gorimpthon, @Racco42,
  1086. @papa_anniekey, @Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk
  1087.  
  1088. C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
  1089. @devnullnoop, @gorimpthon, @Racco42, @Jan0fficial
  1090.  
  1091. Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
  1092. @pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
  1093. @papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman
  1094.  
  1095. Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
  1096.  
  1097. Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
  1098. helping out with this!
  1099.  
  1100. Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
  1101. @digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
  1102. @urlscanio and @Virustotal for providing services/software no charge to this cause!
  1103.  
  1104. ```
  1105. #### Daily Log ####
  1106. ```
  1107.  
  1108. Today was interesting and I got blasted with a bunch of 64 malspams in a timespan of 5 minutes at 19:42 EDT until about 19:47 EDT.
  1109. They were all variations on the same theme of Invoice or Payment. Some of them referred to there being a password on the document
  1110. and others did not have the password. It was almost as if there was a high volume burst of all templates of late at this timeframe.
  1111. This was also seen by others but most malspam operations stopped around 20:00EDT or 00:00UTC. The malspam had the following format:
  1112.  
  1113. ------------------------
  1114.  
  1115. From: (Spoofed Full Name) <azaliamtzjuarez@usstick.com>
  1116. To: Victim@yourdomain.com
  1117. Subject: (Spoofed Full Name)
  1118.  
  1119. =0DSorry for the delay=E2=80=A6.
  1120.  
  1121.  
  1122. =0DIt=E2=80=99s a subscription to submit you invoices to us through their s=
  1123. ystem and at the same time you get our business, =0Dthen again I am just a=
  1124. ssuming on how system works.
  1125.  
  1126. Please sign in anytime at http://aradministracionintegral.com/wp-content/up=
  1127. loads/sec.myacc.docs.biz/ to view your invoice and access your reports.
  1128. Password: KUZJE
  1129.  
  1130.  
  1131. =0DThank you for your business!
  1132.  
  1133. ---
  1134.  
  1135. (Spoofed Full Name)=0DT 437.444.6830 | O 863.747.9347=0De-Mail:(Spoofed Email Address)
  1136.  
  1137.  
  1138. -----------------------
  1139.  
  1140. Around Noon EDT: Operation Zipper Stuck becomes Operation Zip Lock!
  1141.  
  1142. Interestingly, I heard reports today that some of the malspam coming in from BOTH epochs had attachments that were .zip files!
  1143. Not only is that a change but we also saw the .zip files protected with a password. This is a first for both tactics and
  1144. something you will want to take note of. One of the first people to see this was @James_inthe_box and he posted it here:
  1145.  
  1146. https://twitter.com/James_inthe_box/status/1113471271344365568
  1147.  
  1148. Later after 1330EDT+, James observed that the attached .zips now contained a .doc file instead of the previous .js file.
  1149. The other interesting thing is that this .doc file and payloads did not appear on the distro infrastructure.
  1150.  
  1151. This evening I was able to confirm that there were limited runs of Operation Zip Lock on E1 also with the same attached
  1152. passworded .zip file and a document that WAS on distro already.
  1153.  
  1154. It seems like they are only attempting to use the password ruse on direct attachment .zip files in the spam templates.
  1155. I am not sure how you could do anything else honestly because the link based spam templates would need to lock
  1156. URLs to specific passworded .zip files or the .zips risk changing later on when the message is read.
  1157.  
  1158. All in all, operation Zip Lock is a bit underwhelming and easily blocked at the mail gateway by just blocking passworded
  1159. .zip attachments. You are doing that aren't you?? :)
  1160.  
  1161. Other than the attachments, E1 was all Doc files all day.
  1162.  
  1163. E2 started the day off with normal Docs but then progressed to .zip based .JS files. As noted above the .zip based Docs
  1164. were not seen on the E2 Distro infrastructure.
  1165.  
  1166. Still seeing the new Upgrade Blue Box document template on E1 and E2 as well as the 365 Blue Box one.
  1167.  
  1168. C2s DID change for E1 and decreased to 52 from 55 combos in total. - recorded above
  1169. C2s DID change for E2 and increased to 56 from 55 combos in total. - recorded above
  1170.  
  1171. Interesting analysis of the .js dropper from @sec_soup:
  1172.  
  1173. https://security-soup.net/a-quick-look-at-emotets-updated-javascript-dropper/
  1174.  
  1175. Lots of changes in the past few weeks. It is clear the Emotet Gang is not happy with auto reporting and is trying
  1176. every trick in the book to suppress that including Operation Zipper Stuck/Operation Zip Lock.
  1177.  
  1178. That is it for today as if that wasn't enough.
  1179.  
  1180. ```
  1181. #### Sandbox 04/03/19 ####
  1182. (all with fakenet and MITM unless spam/secondary infection)
  1183. ```
  1184.  
  1185. Epoch 1 C2 run on 2019-04-04 at 03:45 UTC - https://cape.contextis.com/analysis/61110/
  1186.  
  1187. ```
  1188.  
  1189. ```
  1190.  
  1191. Epoch 2 C2 run on 2019-04-04 at 03:45 UTC - https://cape.contextis.com/analysis/61111/
  1192.  
  1193. ```