ExecuteMalware

2020-07-27 Emotet IOCs

Jul 27th, 2020
THREAT ATTRIBUTION: EMOTET

SENDERS OBSERVED

MALDOC DISTRIBUTION URLS

DOCUMENT FILE HASHES

PAYLOAD FILE HASHES

EMOTET PAYLOAD URLs

EMOTET C2s

SUPPORTING EVIDENCE
All of the Word document files were either received via email or downloaded directly.
I manually extracted many of the payload URLs and others were downloaded from URLHaus.
All C2 addresses were extracted manually.