- ## Emotet Malware Document links/IOCs for 09/18/19 as of 09/19/19 01:45 EDT ##
- *Notes and Credits at the bottom.* Follow us on Twitter @cryptolaemus1 for more updates.
- ### Document Downloader Links ###
- #### Epoch 1 Document/Downloader links seen for 09/18/19 ####
- ```
- <none>
- ```
- #### Epoch 2 Document/Downloader links seen for 09/18/19 ####
- ```
- <none>
- ```
- #### Epoch 3 Document/Downloader links seen for 09/18/19 ####
- ```
- <none>
- ```
- ### Payloads per Epoch by Document ###
- #### Epoch 1 Payloads by Document SHA256 - All Times UTC #### (Newest on top)
- ```
- Creation Time 2019-09-18 19:03:00 (Attachment Only - Docx based with embedded JSE - Protected View)
- SHA256:
- b5a9b073c35be4462f63e39f9d1a5df88aa146ae8a74978c624073b4dbe8bef8
- a9654cbaccc8394389d791d865bd59766d45b20cd4b9e753ebee275a0d671af3
- a35b700fc21adcbde82f1883584cb0353a2f1ce0839fea801f00d86e9866a4e5
- 7921256c11c83cbfe08f42648703fed477f6ca468de315ddaaeaa0c5a0229025
- https://www.cityvisualization.com/wp-includes/88586/
- https://87creationsmedia.com/wp-includes/zz90f27/
- http://karencupp.com/vura1qw/s0li7q9/
- http://www.magnumbd.com/wp-includes/w2vn93/
- http://minmin96.xyz/wp-includes/l5vaemt6/
- Creation Time 2019-09-18 14:38:00 (Attachment Only - Doc based - Protected View)
- SHA256:
- 15a3596629f6772062ff562e943a574ed8b378ead279fb67be922d584abf731a
- 67bf25d1b01502974657fc85c823e2b765620e80ac29843fb5367f934c6e14af
- 185aad1ed76889c3bc266d57be88a308fe4e327cf628b00ba9bf5cd20f1b8537
- a02ea75848580682d7bbaecb3b4fd991be2c46832f42daf9328dd3eec0825664
- e1bce4d42b83a244af8cd06f990a20606602ea6cb6cc4ca5eee5e89abc601343
- d1e721dd421d6bad1dcc2ac1b44c482f89cfc8bdb5a2d5ad744edb8fd47d41a5
- 09940bc30b89d0e269e0b1226e575459018309af1b612d6f6fbe3f6dea40b5cf
- e22a9596f5f82e75feb46ab5c8690f25842fe03d03aa9cce41e9d8ba301268fe
- c1f7f8b62bd82cb682f69cfeb9f05e2404e3de061d9ce06e2dbe586ec199e547
- c6355ca1a2710e7fd4b2cd4ab4066c5fd46db99735166f1d3ee09780641ce382
- f4903ce8ea06e78db686bccd687857f7129f425cb03b79ac39ee6a7ad5567d2e
- 0273ff39d3d80423866d88d377797daa3477c93a0aca537d18674d5dbc8817fa
- 44193897b15e5b25abd4fdaec44923b9b44eef2d49b330934bc47f91d6a82107
- 583a4805108c1e8eb72160e73c3359d54fff3240b57e5705364035428ab5d471
- e5bb80609117df7494c7b5ce9b996c25bd06db8c82cd404484e84b8f2a15010c
- 2fc714f53a8a70cb55710477b662cf89039b83279fc24ab34a1e862dcfd926b5
- cff8d68e20920ba54a2842961706a6d210ddc344194861f654de469e555259ca
- 9df2d703ae7175247156855b30d60cb132e98a7748ffbb476182e8bf78031530
- 83fd823455aa7341bfb8e4d9c9d092062505913668325b48d49f4ed8eafc8d99
- http://thinhvuongmedia.com/wp-admin/n2keep7/
- https://mnpasalubong.com/wp-admin/nsmz9az032/
- http://trunganh.xyz/wp-content/uzq50/
- https://iptivicini.com/npkx/jwpy938/
- https://www.cezaevinegonder.com/conf/fd45/
- Creation Time 2019-09-18 10:25:00 (Attachment Only - Doc based - Protected View)
- SHA256:
- 75f68366e8b144b780ccf59e9ed7ddb89c5af57dac5b0ab80dcb053d91208e67
- 36ea49b2ded19e91a3e07d1cfc27ebb27e5889bd86d4ccd0bb4893f192c01a85
- fdbb2b99702c4dfc9004f0ebb6a8c65183d67ccc1f5a614244ccd9d7c0881703
- 755b78935524886fa8c43b7a25f2292932dbe4779eec7e1ea4bcf8e65c3dbd49
- 38b00ebc637a043552847aa372906789377b42f8588b1c8477fb8cf1a39975a3
- e34737fd1379f3ecbdd6f854cf00fc597057e3dedfe8df140232fc11961466ac
- dbafda67f0ef7d86b4dce799bfa797c50b6f94560a347057f25fca79e08b4598
- 3cd19e6844c2a25029a5ed56a0d803298e006c1d62a87ae537718052109cf0ac
- 4a914195a0fe3ced9590abc67d5171ad425121c1774bd44b176ea02625ecc73a
- 3a6dde6fd3ad067cb05b8b1d6a6a8f91fb8cb6326b6f04bc8c68eca656ca6b08
- 09a904d15676cc6a188bfdae4eb18afc123b0ccc73693f2197c0c995946de11f
- e20ac03386f55a13bc3bd048afbd6dfe25742ef1d3efdf350ba04c1afefd22e0
- 719c25a2922197a50e29dc13500c64715dad9b9f0da298af079e7e346b831ead
- aed648985f14e2de723c4907f21b8028fbf1896ffb5a67b86fe3dcf8b6666016
- http://brikee.com/gallery/4dcmn72430/
- https://www.echelona.net/wp-content/tyh57769/
- http://grupoeq.com/leds/dal52301/
- http://kirstenbijlsma.com/ecp4/mhh20305/
- http://paifi.net/ssfm/bm840/
- Creation Time 2019-09-18 06:22:00 (Attachment Only - Doc based - Protected View)
- SHA256:
- 01997bf9c459e1250484878af709735d9dc1343db78ee117e14056b28316bafa
- 1ce0bc0a3cecaa2241c21250e4b3d763529e94e858536a3687474084032e3980
- 825c80d062051acfbcaa45dcc3939da8866a6dc71f8da31cae4ac6feca9a3463
- 360f281360d3b69a414e4a9c367ed67a8401bfb1c6d1203d5d558400130b52e5
- 4dcfdbd73ec71eb47bec2b47b6805862b7b293abc8164b2f026d28e5f9faa84f
- 5337010281693ce4799107545c9444a616ed6bb6cddc50905a114004fa4ccf4c
- 475d0fca066d6a90ec8fc6c38554f93f5c9c547d76a7714a3bfa72a8d2f45079
- 1183fb03a7aadf6028ad96311034c4541cf9784223692d7cb637dd0562b693b6
- 3f5a2ddf0ce35dcbb69bc07a247923226b7f1554788e4d913156c4df5587e0f7
- fc3bf8ae50dba94341ef983729d33e4bcbf347412145ec41834701896a79ffda
- ec61f28c35692cfad5b115c56f29e1aa5ea62425448cc42fe78392c1627545d1
- a4bb536c33391f0217fbd4e62cad15dd0995078aa6277641b34493b06a45d54b
- bf3fc32ab210d1583a926a1cb8777ac9f78d9615ba79dc7f79298526a42e34d0
- d5b9cfc175db0e99d88e07d631e699068fac095a211d92afe8d7dc762bb0151d
- e62936a928c0f2259973811d55f2bf018089b1532d0e59c2ace42921abf1d8bd
- 449e8d2c64a643f4ffc796b921a0996d3b4d06bc41fa374ac8bc899068bf7ca0
- http://dirproperties.com/cgi-bin/fd14999/
- http://run-germany.com/scripts/jc828208/
- http://saxtorph.net/DOC/5ndqov018/
- https://sukhumvithomes.com/sathorncondos.com/ucwna794/
- http://vanscheers.com/cgi-bin/gorp7v455370/
- Creation Time 2019-09-17 17:51:00 (Attachment Only - Doc based - Blue Office 365)
- SHA256:
- b3ac4bad78694e606ba685d44e10edca9307a356268edf15d41c765023b51010
- 581c365eaf2f810aad99863c554d1f250df2ee303c9730350ac26af80bfec379
- 6403f5c81411c98c3d86890d4b3787a334ca3b37e6e3d09ed8a148d2d64ebdb6
- 246560e045e5e090a4a165da0238cc7340fc85d4412cce1fc5592698f1206e00
- 0d19aa73c37bcbe27e9e3b3eaad9c5b02e8d27bf6656700388aa0b46365c9425
- 21cfcdac6e5f2d9ae30de0a6a2a31537a14766d3bb0d747ed76da07a9fb90433
- 7d31a000c8fc9ac94b74ec200eb7889ed31b2bd934e66f1c795d70d2806a916b
- ede47da9bf4f9ac755b67561d1d3c6e3a8c90ac071f6f165bb8d430a107cf1b2
- a35dbba6ee021b32447958ebb080cd92322df466c2176333da0aa6a8908a195c
- f6e9f4bd578f0ce81b02105a8ca6fe1a3d5dcae69a207d131e3bd1427226c743
- 4f8e0f4215fe887f29e3f6351c826ac1cc6305305c43c800ff38e2933374dbac
- e554334c4dcf2e1e4184191907b4d6c83d513c79ae71e25d2f9fa4bad22ee8b0
- https://stackspay.com/wp-includes/0sxfg82114/
- https://www.reza-khosravi.com/wp-content/q2/
- http://w3brasil.com/sistema/p5q207/
- https://www.pronhubhd.com/cgi-bin/m0cux6/
- https://www.karenshealthfoods.com/wp-includes/95oos267/
- Creation Time 2019-09-17 10:49:00 (Attachment Only - Docx based - Accept the license agreement)
- SHA256:
- 2c5e35988c772ca2ecfbe0a4608a983244c4790aaf251800316d46f69eba19ad
- 3c1f66712738a67c4f8805b1580142181969041b62a9ac6bc2dfe0197cb50eca
- 34d2b83245696fa1dd24ef9ed4b33ef9172e9f6e274928628bd24c1de0763b47
- bf0ef180e13f8ac6fb5f147a7773a688f1d54fc6f478ca90ac403074eae33a21
- eb4571b997aaf51434fa77fcecd83cda43489882eeaae99c680859f54b47429b
- 65ed503aa5df39bc7549a1f214248e65642e0aca37baf8de16c879f4aa41f266
- 8b8f082d17bf74b4be2eaffe167bb0e228052366ec07ee8fb3bdc2ac3d8a314c
- c18c17e19cbd27f03f6fd71d4134c325706c9af836d641ed389029d7d7ef18a4
- 95ca385f5ccd5e1ece5d34148fd82d01eebd1194308108a951650059cf09160e
- 08c9f6ca7ae476b878ff40120a051af4aea32eeb2be40a4b052f3ee35e29a4a0
- 4c33a6fcc83d536e49d620fc48d8719984f4d16de4c48081c25483122a0209e3
- ce8542b000044b2a84f282bc0b0935debb8a39eb36eb293f528c7dc3280d9e5c
- http://fitchciapara.com/wp-admin/rau3e7/
- https://www.internetshoppy.com/wp-includes/971426/
- https://blog.medkad.com/wp-admin/e9684/
- http://www.sirijayareddypsychologist.com/roawk/0kwsol940/
- http://komatireddy.net/wp-content/911968/
- Creation Time 2019-09-17 06:17:00 (Attachment Only - Docx based - Accept the license agreement)
- SHA256:
- 76e96261a65bb317f4172d624456d5c309c9d051103b987453eb9963ec8a92f0
- c10f92893f43eea05733b1b4b8ec0d8aac8573a5da19c79a26f2edec85aa80fe
- 23a1816874f187f506dcec05e215e6aa9ad2e5aa5ae724fde708d09811211927
- 0029ae9d5f47187d586e165f0c8d6570f45b02b5119ec1017db53f361c00a64e
- 3cc81f3afddb01557b191ea19b85f9741814c3d91740979244e8a6f54c1dd27d
- 7ff1f47725f414bc141e1fbedcd39f75b6248bbba554183937d675f7f1e158f5
- 78789d26eca37d1a801133bda3765085a3115e67ef8f9336c2603888e4517a0b
- https://gpmandiri.com/wp-includes/5u9493/
- http://ketabnema.com/sitemap/uenjlbm4074/
- https://www.njb-gmbh.com/wp-admin/o2p1fm4237/
- https://brkhukuk.com/wp-admin/1xk1qcm0404/
- https://interpathlaboratories.com/wp-admin/bn67564/
- ```
- #### SHA256s for Epoch 1 Payload EXEs seen on 09/18/19 #### (Newest on top)
- ```
- 23bb7590d1f79e552182bf686882d05f31035b76be173b24308ea374bdeaf58d
- 8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1
- f3679c5fcfba9a2305477378495291f070f4602380f986839801d614320cf65c
- 94748d9e061b57b1c04be9966c30f8dbb390d073140be46c4be4aef5b2315fa2
- d2f7affdd9a9c6fd06911934ae409a2922e02619233305b074224f6f08229f39
- 594ef82d8231a52c0bb564a4b46afd87b75813d1ad9f29414286216b2eaa0920
- 309db6c75c9878ca3297382833cba690a4d81baadc206689f344aca0dcc74d5a
- e73b7d9172d1200f45ada487a5aa4d0a641a33cce0cb3d7078908be0293c21f5
- f599cebdfed9fd070a1ec3f1c5da758a99a34f7c34b82f3aab109dbdd6884ad5
- 7d2b45d3dc790cc7ba185e2401d19dd92f406d3aa2244598b82827bada6e2ca0
- 1057b6a2de11cf5a4cd02ca63a0358e752958cb2071072d9aa18ce9af429c8b0
- fddbf337fde21c0d948ac8e0f7878065655324f4b17db53cb9f912e978c61bf6
- 6e44750084848cd5370fbfac2e2633ecfe78ec5e47a158b1253d1301d198089c
- a0fedd6c211bf5ca4daecd8bd7692ed695affb940295b9cf56900ead2f1501f7
- 1d9d30b657cc82fa0397eed989c55bfba0e36c0e86649da3a415f93d4ebd8368
- 6006c3811e6f9a593d81dd654e809374e52c890a50f3b37214c214652bf837e8
- 97a0ccdb1a7fe09194b55c511da8f0d8fad771552f0ddfb4590f9cabc6c50c39
- 57c6aa9c0bbe5128d5a973b9d54f89580dda7e7e74e0c33f11a931b5ea7c85da
- 808599731e8fb31e34698279017f4089a96dbfae8dae9792074668f7c2dbdbc2
- 2e7d08e3849bc46efa5adf0534cabde27f0d6594d496d4860d1c341909a745b7
- f00d4a1f4b6dfdf0f87cd7d9703097b5784558e36bf6f8eff875978b5aecb308
- e3d787ba2e917f95458a133150928c4ade94312a660376adb4d6db6f51267a54
- 64b4579254159ab523b798c325aa1c8c1ae803916b6e540d4e77dce8528df28c
- 7e382b9387df2935ab3893349b2ae3b3109e5fd472bfcfcbe2fb1375de822f9e
- c1d8e0dd90d7fd2fc854203267c087129e91138b9aa8b95ca233310cb734740f
- 88782073c5f89d505a2537b6afa0dd8a79fb9400a43b4db347aef287fd747de0
- 8b3940be43fcd410777ade2db8c3a3a717d14c610229fffd0ea475ecbbf8e75c
- a2c913e6bd67035590680d7bee92286e05dc5b35996d64793af2f75077f181b9
- ```
- #### Epoch 2 Payloads by Document SHA256 - All Times UTC #### (Newest on top)
- ```
- Creation Time 2019-09-18 19:03:00 (Attachment Only - Docx based with embedded JSE - Protected View)
- SHA256:
- 492200f1889c3f0351bfb8829f4c9c0e75e49ca7236594c69b503968a2203a0c
- 9371ff0a86790bb9e2fa2a6255d6ecc4ceaef9453ea6b69d7d31302d34fb92f3
- https://www.wuus.org.cn/3eusq/ly5js61iu_f07y3m4-5718594/
- http://proslandvietnam.com/css/b8u3_00lsmx0zgc-495/
- http://nympropiedades.cl/wp-admin/iq3pr_81osc29-842240/
- http://picnicapp.co.uk/wp-includes/vLFkVtMg/
- https://www.bildideen.site/wp-includes/wtjFNonb/
- Creation Time 2019-09-18 14:32:00 (Attachment Only - Doc based - Protected View)
- SHA256:
- 203d07f2686d1cb2849b204e2884b27c1e70f6049cfa280c5831c5209db12393
- 7b2142363813a41fd3a512ca6bbd2e3d73d274558f58ca990d78a1537ebfcbd8
- e52d9448e78d875f07fc9cdbe18ebbf755a69b95aec37d147d0ce509de3e7c66
- 5c39f7d201d031baea0aa681c8b159c59beaca86729cb6cbaaa1b3d30b7386ed
- 4745993c2538522d79efc7406292f2e9429efd8ab52a81f7919173d3e3e1bdcc
- 7a72d0ebc33c4783b64a8cfb1c31c2e81ce1f4a0833c691783f5aa8e998ab7ac
- b6e8132c9284fc40ed53bd0fd11363ab05f7a4a54ea53dfbf69d8380b0238af1
- f413e1b7c64a5c2a3cf534b1f2461c57f3f4cd409797f3b63ee5f2714f3f9c22
- 62e147f40b55a9c44c9bfed3b6cef7ec260075f7e17385914ee87e4ac7967e00
- aa8cef9d0598417bb9e25c165cbcc306ed4c466726943d32b944c8abdb97efb9
- https://www.patrickglobalusa.com/wp-admin/fSRkAFjqv/
- https://pipizhanzhang.com/wp-admin/3ciornz_iulayscz-679646/
- https://tankhoi.vn/wp-includes/XTSugzNaz/
- https://www.supercrystal.am/wp-admin/PdMInSgs/
- https://hotel-bristol.lu/dlry/MAnJIPnY/
- Creation Time 2019-09-18 06:25:00 (Attachment Only - Doc based - Protected View)
- SHA256:
- 3bb3f51c6389095a28d24cae5612b884d6908a6c2b96faffcaf6191cbab7f285
- 1c42d4b099223ac713f83dabb6dd66ea15be112f3e4da062d9f5e9c6c0b2dd0a
- dd442fc6c3db3f41e8068555b522b6e6dab4f2bc234f5676941c7e15a76c5d85
- 1274dd5dd2bc9b4c7a37b6ee901fcf5aa8763c1e7c3f1aef160d2034e0ffc9db
- 20e3ff86f8d4187f7c24a65971bdf430209dcf5a5c688233c996197afc60eb6d
- 5d9074f7b096f8e2beef12adcc34389826fd7047e6db1b7ad7987b6426660345
- e3b86e4b26e65fc6f8ea29edfac3f88790fd578f0a0d4ff62293e7251c291bf1
- 9ba509dd67f58781c0183818a2d3bd09f106a53dcc6347dc7c8c2e804a17ebf9
- 7ca5c4a07813ee202833a7e81ff946186641b7b7244c2fa3a941d3a056648db9
- fb4e1c1e2cbdefea107b0b4c1975b252d2f48db4a8b38afb7198dfefe1c818e9
- 15ccc052b68c5810289d342a5948f85182c5cc1e986376f14cf9fb59aed90b11
- 70cc040393abf70571b1eba5d205b9aa1e56d3415d422dc9607a0ee9d400addd
- 7650c46d99e30ac4678c5e390e71dc770fe5b5cede6c491d6a1382a855df08df
- e39d15deb293e51f7aa1c9dcae995aa61cb4848bf908d0d9b2bfcbea791a3b52
- c3363f7026bab3a44561745c749a0a5b3d8b444a2dcc25f78423df6c2f87bc08
- 7fb5be103a91415ae30d59797f2804f102d0101f223a2c52cd62174e536ba7df
- f4c13de897d181917fbb9f6e20df405cb093e1417789be348b496c6740af7cd4
- e390f85b04ea7c826aac049170e915dc04ed1e9763e1163145404f14469551b3
- 7818a8583af67f1e49db54d231cc7ce728217262b0318979f9871abd6f120e44
- 7e93c332bc5aec32fdcfb7feae457032e4c42408d7dadb04a7d31c61deb22102
- b4640705afb53530f51f23f931c0f35592c456e897f5858c48587682d78082cc
- 0eeaa9b6bfa6fccadd06807466edd3b6e8e573c827a80ebd14144131083bad13
- 6efe653a4f167bc134194383e0804841b20913f932280e70eea5e35d35f15915
- c7be7c3546a65937333fbc094586515a2415f7b54e29558f8f4337e18cd50eb9
- b57545580b3fa9582bd35ef2f76ee447eceb3d3e9ba2f187e90d080ca2e2a5e1
- c22cf047ae5d11fb1b825f2d9d12b2388bcd766a61c98299c831d6ee19e8bf98
- 645a6c69822672372ba9c952c80b144b87646b4257bac4ad4888bdbbf5cbbe9e
- http://shael.org/hosting/TYXchcKkHz/
- http://www.lottizzazionesavarra.it/wp-admin/zMifZDPur/
- https://herrenmode.tk/5usqjlew/ttg22zcf_q5chov-377215/
- http://nfbio.com/img/upload_Image/edm/pic_2/u6q4ucq7_hyg8uzhh-369963559/
- http://endofhisrope.net/2008-08_PSBearDonate/qmiuOZvDj/
- Creation Time 2019-09-17 18:40:00 (Attachment Only - RTF based - Accept the license agreement)
- SHA256:
- a582abc9959dc6bf4f194137346f8b1499ea16a3323f6fa9788fee7222e005da
- 70806f99f7f064a0de78179b272b157132705d2ea8b7b304d8e00dbd5af17925
- 33cba618d674f70209c0baf6681edbb947e1f74fd30bf2060f8c99b44b90f91e
- 2d3ee28cbaf2d5ce25485c102c8eb5156181f6a77a9c21ae08bca23ce70bf648
- a492d83b9218e1c55c12c2c5d581f871175ff6e8ed6d4b53cbbaae4eba856a5a
- 3b8dcbe357c69971faa80c48316e7587fcc5a0e0c6243772e3c61f75f669cd36
- https://www.randomelements.co.uk/tfmuz14/lfEcgPfoq/
- https://www.wanbuy.net/wp-includes/1njjz_tnye71hdc-64236/
- http://www.perubakes.ml/wp-includes/d7k2_pvffym7oz-9913706/
- http://foxnib.com/c3uftcyx/mg8jp0zp0_0gtxu-17/
- https://clubedoestudante.net.br/wp/RcQUCaJC/
- Creation Time 2019-09-17 10:36:00 (Docx based - Accept the license agreement)
- SHA256:
- 9fe890f4a1393ef301e24b02ab3c173f230ad7a982808ce6daf130c861422208
- 1a6a015dc1f9f6613a6985242037198cb3449d74694e0f759d4787e866d723b1
- c3008e9a03adfd6c38977a19ab58fb4fc6e4a9efcba3b8904a52f4e03a6aec67
- 294566e0ea5c9c1799e88e60515941f4b2378c3922bd2186abf2115cb74bd4fb
- 970f8a5fa9f4fac079dd454f0bf310844594e7409f96aaa32198a2fa2b8bf496
- f66455a0741d598fcc588487c45d00bc38200c0c6aa8882f42d80aac35755913
- f7c74161c5207c1c29bfb9d7819c198492383af0e50dbe2bdb9d92bfc8416228
- 8c7ef5a2e3d1dcf21b299b92bb25f0f27394434d6970a7bb118b5105cb9c013f
- d2d0e76dfaf8de51d4a0b7cd5ebd0335c0ec5c48db4c29672f5e93c7ebe5f2ec
- 373b47d463e44a804d7d96c608b5ce63bd47bd5a771700e31d03f37db003aabe
- 3b219e22b7710e28261412a4f30eb0cf2275a574ebbfcdcf60be33017033a7fa
- 16fc49eb29963ddd1f26ddc5fe3641d442203e0d02bc94b8aac4e89f8d0b20be
- ccfc24bc3390c2031f73cd4238009315b5a171ccdedb436ff89cbc4881ab7016
- 9b2924585f99809491c11d8531f7c7af24cd43e8f1bd1bda5cc1ed01b517e37f
- 486783e0d46f9109a88a49d28ca2ecc80f16d17b0c3c061c3a020c47dbeaa6f9
- 2a820ad1d8e5d9a9f6784ebfe923d0f04e21aafdb92f4c5690a8eef478ed7859
- d80f4801c5a57425d47c7927005c8e28998b7c2e278df3b748f9df3b40e1f713
- 92e7008a245ee8368d3f1874b37435c7fa3a785347c8eff53c122c1f122a195c
- 315130b83a7f72b9a2dc0d80e2f7ab655840e18a317e681359280f9044a08672
- dab4d2b81481a0f61c8a0ed234ea66b80e94c0807dbb5a6a2de3d202a75cef7a
- 1848522165ace7ce9ff1f53e88039ed69275387510e16fa2329e97ef5b4f32f1
- 81b8847ec43cf7dd13778e8ce7a6b891aadc6840218db937ebd9c705db87ec77
- 018599fbe46df0a07db76894a61c7ad4f7cb1fa2fff9ff9a7ba9257f6e3f2396
- c5ab2f42e3cedcab4419bcdfbf6942e767f6b180cb240cf35ad94acac850e744
- b966e5e26cc174f2653f201b89e78527546deddf40d0636296ce22d3d7d9c311
- 9fc914aed1f80f3f61017d771e183f3579a16b9e6db8713984088e84e947b230
- 907f9ad5a331dc074f21e4774f272e5f23cff189e480c0211bbf84667da49765
- dd97442f6ab0ced920894b956096ec3100a44dff6ea98a64300831d39eb1943a
- 980de188ea70ff424ac12f58f162af0d25d462a81238af1999d5fd01bad86ed7
- fcd33673c55fc7e18ac1c551c921c5eb07a06f359cf17c72ed8b9f028d820d43
- e2e5332d03d72db8f5a17a08afcc61896f81b7159602c312460c0725f4c62afd
- 1b87e582570698d2b8a86c848a381a15cede79f3edfef972e3717d1109c94494
- 1653888c8df3d948ae5304995c366395ada6d04df1286c31766f45972bef70a5
- f89731c8e6cc34608531bfb1cb5aa7a91f5c73d29e75ec8bcf7062048b718ba2
- 7f54968aaf31bf88392e5dcc8f33b202a60134554dc28d415600f6bd270539da
- bb004c5f5314522439f9ac498d1b88a40ab3671bcb9afa60453fa664bd1db4e1
- e9053bf42b30a14c12d6bbf372a90fe83fea082074ac82bcd675c85ad9cc7a08
- 9e73d4891b1e26790a7d54b4797b203ce598ff3724199ae9628d3de9e878434f
- 7acfad68bd1636e23b5fcf7fa948f37fe6b55aa65e50227a7383e48773817e66
- d3e1412b028439ac119eaa35c19b976426dc1ce4cb2f77bd6df06c638af967ea
- 76307e4d81b03744b0f26d389017ba08da6123d52c150d53f7ac93363147b350
- 6f0cd32b2c5ede784297c4b229e16548b8737bf021cc690d907fbf50a2c630b6
- e8681714b8d9cbac7d8c45f5503316f694546569194e882e6c279ab284930f53
- 53e6def7839ac12acf3dd01780f2d754f712a1865c8e8418b31f90f17447e523
- be44975fcf708de8c8f4915046cb5e9710b02f47ecc156dd499a9dbc883b54a8
- f06d1abada97c93d7f65d8daddf46fdf35fedc33d27a3bd55fdc9a4687aed238
- 4e06546e19285495330037973a2650c91a0ae20f58e1131dcc63b30272c1b0aa
- bb5c969551fb12a1b5d2a09638bf92d9b0f516634be00084e63309b6df314051
- 482df5bf63299d66ee877eb5ed9ca8ad68fbc0b1ea87f5d368b4672f7e8f7112
- c4c46d71907fcf06235ef0dbb6233b2d407a088a029361f20f81d2f5d37369f7
- https://www.59055.cn/wp-content/f7c18_onqapey8-49048/
- https://www.xinlou.info/wp-content/zomusjj_rgsps3-791960/
- https://larissalinhares.com.br/wp-admin/ttzTQwatYY/
- https://toptarotist.nl/cgi-bin/r1y59l_283xx-97329804/
- http://www.robotechcity.com/wp-content/nyCCqximrj/
- Creation Time 2019-09-17 06:08:00 (Docx based - Accept the license agreement)
- SHA256:
- c6880efe4062e3254f3371baf586afe7b0abfc6cb15e1802c3d401ffb57c9bb2
- 0bfdb7c16ea90ca488091dd91c529600fccd023b99a4d2d0fbdb542a5447f757
- 7de6cef7ae4d09a7dc710ecf60e938710637f9e4a4cb31ab2f5f037d961da1a0
- c75751d0d1c623158e45dd65bc79e4071a8f590c92892b939d42816286f9df40
- 4fc91dccc92a16a3756a3d6b5955462533611d03765a36e0555faa7ee8c595d3
- 408de3e3f0b8cbe63f7e31b408f2c0173c9b7687e3e7b8bc5acbf57a73f52309
- e12b9616768a97b6d3b368b9c9a35a269495fc3a5f2272ac6391b55df927fd95
- 1986674bce852ad112adb646ce5844c237dd81dfb66e5aeefd1a8428ac7d7de9
- a6969d658c428af2e3d9557544048155a1aefdb5ae02c5d2c76c834b0302f1dd
- 6c002c186596a1584507c47a6adcd05939430aa12231c8c5f7d5604ea6f6937b
- 97fa8af4227693fff6c84b7c0f1d9157eac15dca37537bb2fe8f9e53fdfed112
- e63978bfd491b351ce03b38f28018fd2d27b3c64db5508d8775bce37a3d64068
- c7702e498489aaa115c5f39d1ba16687750a8d6722a335d803dfc79f148974ed
- 569960ebecbf0e9b2db5237d98e5bdf49effbc58d93b48bdc19f54c33fa1fd58
- 1ac1339bef3b3af22a21b773c3ca02aa0d4b91bb64956245869b9a1a629dfb5d
- 6ab480a6f6ff404049f13b52903cb8c5502af57732c5c5d268b523ac4b0a4034
- f4f27a7c4bdae3ea41e498081d9ab595130f025009bf630a8904e3c1ae1ba233
- ca2c057bfd2de086bb34ca6086ab1f6d95c0787ef4188a0410948f65b02d3a6f
- 8b77aa604f61e476035ed606648debd481fe3958826870ce2e9936649888e907
- 910e4106584163b9ac811530207d76cbaf09663266cc0d5e1d280c5260bac182
- 5f911c16ce697dfa570b6dfc49ad3336de2eeb5dd6220764470b570b54437a16
- 8f78f512d3d31d330ec66b5a0f6591530c98be95c930becb709669bb2f7a4e3f
- 26537bbe3ad050882fe631ceb89d091fb896c14cfc5e858ae25df196cfbcf2ac
- ae6cc69539214162748e3bf5a7205250773f1f9524dcd8608fd24e84bc346e8a
- ac562e7935b52ecb175701ee4e5685674fb9ba73d25111c74bd22e896bda23c1
- 34f6d590ab5cf40a3b69cd72e2bb79d48853b212ce0077538994d6c74ae68296
- c3000990b6241738f623398dcca4f3e9a4c8fca0e3cef841802ec414f8e5dfdf
- 577a13b37fa869efdd7b55c2b4adf57862b97dabff23b60f00d21b212cc06d6f
- dd54fa680448e15c87aaa1a9fcfbe8043a33374ca7157fb0d160701e5c59c214
- b71d94535403330947c1faa9be7eb6d9e2c175c02d803d878319c52bb1fbea6c
- 515ee84618a9fdf820100d3a081d1a8bd7839ebe80c9b0044cd35d712a235182
- http://maceju.com/blog/wp-content/uploads/ke35rmm8a_lks5g8-82/
- https://maymaychihai.com/wp-admin/MgBWkjXP/
- http://jannahqu.org/wp-content/c72aexcrys_zuuy0kvr6r-8372/
- http://szmoldparts.com/wp-admin/nHqceUHmJ/
- http://nomadztruck.com/wp-content/uploads/SfwpziJD/
- ```
- #### SHA256s for Epoch 2 Payload EXEs seen on 09/18/19 #### (Newest on top)
- ```
- 4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29
- 6bbc1fc04607dc91b4bc52faafb15b3c5a51778bc59487684d3dfa64a1c85a71
- 5a67047d3fb53be7ec8ca8bfb263a3b3e05aa93a089d674b91a0d252e0b0c8ef
- f328a0876b9806078eca40e09bd723463996630d9bb1457a36ea4353d00c8eab
- c9b60d1567424c3ce1038e46b2eb41cd6ecb06d314062cfc29d65321609e5de2
- cb92e490eff25ed3f275f14b15ef1cda794970d6d4ddf46279d333553051af26
- 0fae6c3af5c0ef961cd310ef6dfad78d4efc9dc228bf0fd9fe1deb4e2b8c4e8f
- 6fe29dacf133d35e2080fbabd36595b3acde1ccf3a93ce1cc03f5c68c16d3d49
- 63ca489e319ed939ebf9a7b7ee4c694cc027a6f81c6584c76fdaf146e5812776
- 6580fb801190866204d0bf9f8339fd1ba661fb54fefde2807fe1ed6954173028
- d1f4d2eb619f40c6d029d3d7db69ab5243f13764cde34be2d7615d7fcc51f896
- 8bfd54b812d52486e2b5f8d9915b94bf337e9e70272fe15524e56f1bdd96ee20
- fad0f60716c31c81b3af488118da8e01165a1711c82bd15e454eb408aa925f5a
- c6956ba0b2c1649230a1f6d23e3649a9f60607b8958c6ff765a30d07eefa4452
- f448d4ee7c677b03fc3f2e0cfbd841f3361d2b4e7e85dc170c1a6eeee3e9711d
- 3a4fd102f184d7bf0f86a6293768c3ec25995d8557ace103397e02679ed85202
- 9f1f91690c309dfa0ff0ea7feb55461b416f99bfbe9861255cc8119cbffeef66
- 563058089e2ea5ec592a28221b720c1599a94c55fb21ca0901f22639d8d5ea5a
- 187c043e2ca4afc9bb749343bfa86d71ba4c27f48ae24493e32e5f24a8a5f678
- a9eb1827847a8d138cd4ff4aa1a061982200f3dde7b8e8a6ea217be001c94002
- 8c35139ae0dd0ae28353c0ec45cabe8628f27236dca06930536bf9d745c4a30a
- cbb891687bd4dfaf99fe1cd98fbc39887822a4a00df6eaff34505cd8a7d6546d
- 10d48e0f73575123ead8003f955c689e585c39d23835947f5ff79fa83ec48175
- 74a66a1148d715fd7901aefbf07563d505ccb861a48f10a91d2198de0a441812
- 43fbcb882f2b1c9fed152e41e944ea023dbb3d3b9de0a4a3e507f5211ec24225
- d07148d27082571f7ade59a37e44d618316a45e96f1db6f260e888fdbf6faa3c
- 46d03d1c8dda57b69f327e3ef9f242f6e6389a8696b918558eddd67e78850362
- 5f208601e2b4cb36e2fc220e201e59eb025e4686070eef535a51de6de89e0a72
- 5f5ac6b315e30a2dd7ba704e5a790e5760b9de75c0eb908d5fe672b53dd4dbee
- fc81e3737774f617528664c56969a27515404720faa4e7aa396f6870ea106132
- ac3542968fd7a626d10916452d1c1b6a1d3f23022109ebb28e45f1809a3f313a
- 2d94064e58ff267c9231def715dd1e9c01f88cbbea49d5fcf0ec06bd47de8b98
- e05795787afee605b45484cf74306603f7ac09ff20a69966901143ec39cad466
- dca789ccf64d9aa572b43d102dea2a7605b9cb9396ec5b29e11514ee088b7dd8
- ab4bae99ce6e421071d511867827a3c448f4858f5771a4efc1934ebc48c51ada
- 1f0bb28bb47cd80b08ffd08740ca47b91964c637bb5de23361a2ba41fa31db9c
- ```
- #### Epoch 3 Payloads by Document SHA256 - All Times UTC #### (Newest on top)
- ```
- Creation Time 2019-09-18 15:20:00 (Attachment Only - Doc based - Protected View)
- SHA256:
- 291108e76aa29a2cffe54fbb938938f3c0b3495276481b7fd92869188828b35d
- 64e94504ab11f0fe3f3207da28902e9d699707d95478e22dbeca0de669dfad5e
- 67b949c40e680b32757b8e60fe0a01a1a08781e8af7756e563fc26d985032977
- 705cb2b6dede75c722a0b001ed9797b729465f113286b495a4e8e78998ac557a
- cd64df4432b53cd92db53b9a424a86b4df0ea3c50de36ab8fc967751423b156e
- f44386cd1fb4acae231833634044f4c219d6b72c03f9a7dacf98a25db3dbc889
- https://www.brooklynlilly.com/wp-content/PyVMSpAl/
- http://blog.internationalfertilityacademy.com/wp-content/plugins/classic-editor/jzbNbooyL/
- http://marcofama.it/mail-icons/lwnei7-dxih50s9p-883209316/
- http://think1.com/wp-content/ktTAcbN/
- http://drapart.org/Prensa/k0viv68-5v5-2137/
- Creation Time 2019-09-18 06:34:00 (Attachment Only - Doc based - Protected View)
- SHA256:
- 102786cf9bf58279d2564e81a98a3a3db9837e6a63c299372946da66c8da128d
- 674babcd87c78efd5fd0497c4089ddc548361a2eccea80fc93e693ab26682c90
- 0bcba8185e0801f427ecdbc93b5e7691065e315f56a29525cd9c83e42bead7a9
- 65d30eac355e49c33b4152afb0c5b4ae43002299e994a7461106beef908f040f
- 9a064ef8d927384d69879f5711cdd91dd26b6a1b53ba40c0642b185a9c1d05eb
- 5227f61a42d3dce99a3c607ed66b1cb4b65703c4fe1846f31d5c254d67f525ef
- 6a911ce34b005cf9abd4468df82caf441b69eb45c00bca5fa03b5b636f0a5110
- bb79ab15d8913361881f564ad2368be86c5fc55aeb829057c95a55dffd781071
- ac4ce5a9ca0a1dcf08f157a555029d8803faf9b8f92eba1e071605f31fd6cfbd
- 4aa2be4d10eed47e6e2a82cc61bc012da82b39bf0b9ff214a21ce7b4eb6a05d4
- 68cf954a2ac70d69005dd78276beb58690d3dc3959f24e706a35116e4e873a38
- 870901eb42447a5c2735977e211f7064d038ba01031f17137058d5f9f7c57be9
- http://higo.net/JupvMyhM/
- http://kursy-bhp-sieradz.pl/pub/dDqkeXb/
- http://lesantivirus.net/css/qj199-j311-12675/
- http://leafdesign.jp/imge/QfFPZDeO/
- http://tpc.hu/arlista/OmwmIQkgP/
- ```
- #### SHA256s for Epoch 3 Payload EXEs seen on 09/18/19 #### (Newest on top)
- ```
- 7d16ff3bbf102fdbf9ae57a989c374af5ae0c35f479ef96c6b1d7b70239c61fc
- cd60405e73b8aef34208e8cc737353bf6430615e7f931d5850162a912932dfac
- ebbfb63ec9e4eecc19ef5b646b07b5321a64ae7dd04c5d53260a9b6e5ee49435
- 8a8191e04bc54c70efff447d15c8879e3787fdb4457f78572c45819087180312
- a194476031faab308e1df330874d3ee3ada33643e1175ebb04ca8ce8dc7e79be
- 4c1b66e17da3a3b2345ae4d61b98932e689ed3bbc62be85070971fe1ec4b36df
- 7f13b9531f35abd6c53a4d130b31aed491639300230bb8731c9d74dbe3033fd5
- c1b13b6c15034d297c209059fcc3550e92075d2544e04ddd180f1714db5a0281
- d64f0173d83b2d0b9ced81a05cc7721fe16fc403a2f8c46c599048619a70fe44
- 51683ec664865c346f79a8cd7874e8bc7f14d711573443941080b801d565c264
- 892e9d54abdfdce0cbf824f53349920d18c2399be1d8ee09103bf98c49f589e2
- 601e39f53fce47ab29c03ded6f2def7d170ad0d24130830e8a6aff96184b413f
- f3679c5fcfba9a2305477378495291f070f4602380f986839801d614320cf65c
- 94748d9e061b57b1c04be9966c30f8dbb390d073140be46c4be4aef5b2315fa2
- 594ef82d8231a52c0bb564a4b46afd87b75813d1ad9f29414286216b2eaa0920
- 99446d4e8017f6bc1277310c5c3a0fc1d9cbdab9d34c5022125feaab3a595537
- 309db6c75c9878ca3297382833cba690a4d81baadc206689f344aca0dcc74d5a
- e73b7d9172d1200f45ada487a5aa4d0a641a33cce0cb3d7078908be0293c21f5
- f599cebdfed9fd070a1ec3f1c5da758a99a34f7c34b82f3aab109dbdd6884ad5
- 7d2b45d3dc790cc7ba185e2401d19dd92f406d3aa2244598b82827bada6e2ca0
- ```
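The "Payloads by Document" sections above all share one layout: a `Creation Time` line (written two ways on this page, `2019-09-18 19:03:00` and `2019:09:18 06:22`), a `SHA256:` label, the document hashes, then the download URLs; the "Payload EXEs" sections are bare hash lists, and some hashes appear twice within a list or under more than one epoch. The parser below is an added example for turning that layout into de-duplicated, structured records; it is not the Cryptolaemus team's own tooling, the function names are mine, and the sample input is constructed from a handful of the page's entries (one hash repeated, as the page repeats it, and two EXE hashes the page lists under both Epoch 1 and Epoch 3).

```python
"""Parse the 'Payloads by Document' and 'Payload EXEs' sections of an Emotet
IOC paste in the layout used above into de-duplicated, structured records.
Added example, not Cryptolaemus tooling; function names are mine."""
import re
from datetime import datetime

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
URL_RE = re.compile(r"^https?://\S+$")
# Both timestamp spellings that occur on the page, "2019-09-18 19:03:00" and
# "2019:09:18 06:22" (seconds optional), followed by the note in parentheses.
TIME_RE = re.compile(
    r"^Creation Time (\d{4})[-:](\d{2})[-:](\d{2}) (\d{2}):(\d{2})(?::(\d{2}))?\s*\((.*)\)$"
)

# Constructed sample in the page's layout, including the "- " that the
# Pastebin rendering puts in front of every line. Hashes and URLs are copied
# from the page; the second block repeats a hash, as the page itself does.
SAMPLE_DOCS = """\
- Creation Time 2019-09-18 19:03:00 (Attachment Only - Docx based with embedded JSE - Protected View)
- SHA256:
- b5a9b073c35be4462f63e39f9d1a5df88aa146ae8a74978c624073b4dbe8bef8
- https://www.cityvisualization.com/wp-includes/88586/
- Creation Time 2019:09:18 06:22 (Attachment Only - Doc based - Protected View)
- SHA256:
- 825c80d062051acfbcaa45dcc3939da8866a6dc71f8da31cae4ac6feca9a3463
- 4dcfdbd73ec71eb47bec2b47b6805862b7b293abc8164b2f026d28e5f9faa84f
- 825c80d062051acfbcaa45dcc3939da8866a6dc71f8da31cae4ac6feca9a3463
- http://dirproperties.com/cgi-bin/fd14999/
- http://run-germany.com/scripts/jc828208/
"""
# Two EXE hashes that the page lists under both Epoch 1 and Epoch 3.
EPOCH1_EXES = """\
- f3679c5fcfba9a2305477378495291f070f4602380f986839801d614320cf65c
- 94748d9e061b57b1c04be9966c30f8dbb390d073140be46c4be4aef5b2315fa2
"""
EPOCH3_EXES = """\
- 7d16ff3bbf102fdbf9ae57a989c374af5ae0c35f479ef96c6b1d7b70239c61fc
- f3679c5fcfba9a2305477378495291f070f4602380f986839801d614320cf65c
- 94748d9e061b57b1c04be9966c30f8dbb390d073140be46c4be4aef5b2315fa2
"""


def _clean(raw):
    """Strip whitespace and the leading '- ' list marker, if present."""
    line = raw.strip()
    return line[2:] if line.startswith("- ") else line


def dedupe(items):
    """Order-preserving de-duplication; the page repeats some hashes verbatim."""
    seen = set()
    out = []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def parse_document_sections(text):
    """One dict per 'Creation Time' block: created (datetime, UTC per the page
    heading), note (the parenthesised description), sha256 (list), urls (list).
    Lines that are neither a valid hash nor a URL (labels, headings, fences)
    are skipped, so they cannot leak into the indicator set."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = _clean(raw)
        m = TIME_RE.match(line)
        if m:
            y, mo, d, hh, mm, ss, note = m.groups()
            current = {
                "created": datetime(int(y), int(mo), int(d), int(hh), int(mm), int(ss or 0)),
                "note": note.strip(),
                "sha256": [],
                "urls": [],
            }
            sections.append(current)
        elif current is not None and SHA256_RE.match(line):
            current["sha256"].append(line.lower())
        elif current is not None and URL_RE.match(line):
            current["urls"].append(line)
    for section in sections:
        section["sha256"] = dedupe(section["sha256"])
        section["urls"] = dedupe(section["urls"])
    return sections


def parse_hash_list(text):
    """Bare SHA256 lists such as the 'Payload EXEs' sections."""
    return dedupe(l.lower() for l in map(_clean, text.splitlines()) if SHA256_RE.match(l))


def shared_hashes(a, b):
    """Hashes present in both lists, e.g. EXEs reported under two epochs."""
    return sorted(set(a) & set(b))


if __name__ == "__main__":
    for s in parse_document_sections(SAMPLE_DOCS):
        print(s["created"].isoformat(), s["note"], len(s["sha256"]), "hashes", len(s["urls"]), "urls")
    print("shared EXEs:", shared_hashes(parse_hash_list(EPOCH1_EXES), parse_hash_list(EPOCH3_EXES)))
```

De-duplicating before counting matters because a plain line count over-reports, and the overlap check is what makes visible that the Epoch 3 EXE list above contains hashes also listed under Epoch 1. Anything that does not parse as a hash or URL is dropped rather than guessed at, so a stray heading or the `SHA256:` label never becomes a false indicator.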
- ### C2s Per Epoch ###
- #### Epoch 1 C2s ####
- ```
- 104.236.243.129:8080
- 109.104.79.48:8080
- 109.169.86.13:8080
- 119.59.124.163:8080
- 123.168.4.66:22
- 138.68.106.4:7080
- 149.62.173.247:8080
- 151.80.142.33:80
- 159.203.204.126:8080
- 178.79.163.131:8080
- 179.62.18.56:443
- 181.188.149.134:80
- 181.36.42.205:443
- 181.81.143.108:80
- 183.82.97.25:80
- 183.87.87.73:80
- 185.86.148.222:8080
- 186.83.133.253:8080
- 187.155.233.46:443
- 187.188.166.192:80
- 189.129.4.186:80
- 189.244.245.238:80
- 190.1.37.125:443
- 190.117.206.153:443
- 190.19.42.131:80
- 190.200.64.180:7080
- 190.221.50.210:8080
- 190.230.60.129:80
- 198.199.106.229:8080
- 200.21.90.6:8080
- 200.57.102.71:8443
- 200.58.171.51:80
- 201.163.74.202:443
- 203.25.159.3:8080
- 207.180.208.175:8080
- 217.113.27.158:443
- 217.199.175.216:8080
- 23.92.22.225:7080
- 46.21.105.59:8080
- 46.29.183.211:8080
- 46.41.151.103:8080
- 5.196.35.138:7080
- 5.77.13.70:80
- 50.28.51.143:8080
- 51.15.8.192:8080
- 62.210.142.58:8080
- 62.75.143.100:7080
- 71.244.60.230:7080
- 71.244.60.231:7080
- 77.245.101.134:8080
- 77.55.211.77:8080
- 79.127.57.42:80
- 79.143.182.254:8080
- 80.85.87.122:8080
- 81.169.140.14:443
- 86.42.166.147:80
- 88.250.223.190:8080
- 89.188.124.145:443
- 91.205.215.57:7080
- 91.83.93.124:7080
- ```
- #### Epoch 1 - Spam C2s ####
- ```
- 104.236.185.25:8080
- 31.31.78.203:8080
- 45.55.82.2:8080
- ```
- #### Epoch 1 - Stealer C2s ####
- ```
- 66.228.32.31:443
- 198.50.170.27:8080
- 216.98.148.157:8080
- ```
- #### Current Epoch 1 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
- KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
- h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB
- ```
- #### Epoch 2 C2s ####
- ```
- 103.97.95.218:143
- 104.131.11.150:8080
- 104.236.246.93:8080
- 117.197.124.36:443
- 136.243.177.26:8080
- 138.201.140.110:8080
- 142.44.162.209:8080
- 144.139.247.220:80
- 149.202.153.252:8080
- 159.65.25.128:8080
- 162.243.125.212:8080
- 169.239.182.217:8080
- 173.212.203.26:8080
- 175.100.138.82:22
- 177.246.193.139:20
- 178.254.6.27:7080
- 178.62.37.188:443
- 178.79.161.166:443
- 179.32.19.219:22
- 181.143.53.227:21
- 182.176.106.43:995
- 182.176.132.213:8090
- 182.76.6.2:8080
- 185.129.92.210:7080
- 185.94.252.13:443
- 186.4.172.5:443
- 186.4.172.5:8080
- 186.4.194.153:993
- 188.166.253.46:8080
- 189.209.217.49:80
- 190.145.67.134:8090
- 190.186.203.55:80
- 190.226.44.20:21
- 190.53.135.159:21
- 198.199.88.162:8080
- 201.212.57.109:80
- 201.250.11.236:50000
- 206.189.98.125:8080
- 211.63.71.72:8080
- 212.71.234.16:8080
- 217.160.182.191:8080
- 222.214.218.192:8080
- 31.12.67.62:7080
- 31.172.240.91:8080
- 37.157.194.134:443
- 37.208.39.59:7080
- 41.220.119.246:80
- 45.123.3.54:443
- 45.33.49.124:443
- 46.105.131.87:80
- 59.152.93.46:443
- 62.75.187.192:8080
- 64.13.225.150:8080
- 75.127.14.170:8080
- 78.188.105.159:21
- 78.24.219.147:8080
- 85.104.59.244:20
- 86.98.25.30:53
- 87.106.136.232:8080
- 87.106.139.101:8080
- 87.230.19.21:8080
- 88.156.97.210:80
- 91.205.215.66:8080
- 91.83.93.103:7080
- 91.92.191.134:8080
- 92.222.125.16:7080
- 92.222.216.44:8080
- 94.205.247.10:80
- 95.128.43.213:8080
- ```
- #### Epoch 2 - Spam C2s ####
- ```
- 69.43.168.232:443
- 185.187.198.4:8080
- 46.228.205.245:4143
- ```
- #### Epoch 2 - Stealer C2s ####
- ```
- 46.105.131.69:443
- 176.31.200.130:8080
- 104.131.58.132:8080
- ```
- #### Current Epoch 2 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2
- PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C
- AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB
- ```
- #### Epoch 3 C2s ####
- ```
- 108.179.216.46:8080
- 138.197.140.163:8080
- 139.59.242.76:8080
- 149.202.153.251:8080
- 152.168.220.188:80
- 159.69.211.211:7080
- 178.249.187.150:7080
- 181.230.126.152:8090
- 190.10.194.42:8080
- 190.104.64.197:443
- 190.13.146.47:443
- 190.146.81.138:8090
- 190.171.105.158:7080
- 190.55.39.215:80
- 190.55.86.138:8443
- 190.92.103.7:80
- 192.163.221.191:8080
- 200.82.147.93:7080
- 201.113.23.175:443
- 203.150.19.63:443
- 216.154.222.52:7080
- 216.70.88.55:8080
- 45.33.1.161:8080
- 46.32.229.152:8080
- 70.45.30.28:80
- 78.109.34.178:443
- 83.110.75.153:8090
- 83.169.33.157:8080
- ```
- #### Epoch 3 - Spam C2s ####
- ```
- 41.185.29.128:8080
- 94.177.253.126:80
- ```
- #### Epoch 3 - Stealer C2s ####
- ```
- 178.32.255.133:443
- 198.46.150.196:7080
- ```
- #### Current Epoch 3 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP
- 4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc
- iJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB
- ```
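The C2 blocks above are plain `ip:port` lines and each "RSA Public Key" block is a base64-encoded SubjectPublicKeyInfo. Here is an added example, not part of the paste and not Cryptolaemus tooling, of how a defender would consume both before loading them into a watchlist: a parser that validates the `ip:port` lines and rejects anything malformed, and a minimal DER reader that confirms the key blob is an rsaEncryption key and reports its modulus size and public exponent. It uses the Epoch 3 key and the Epoch 3 spam/stealer C2 lines copied from above, plus one constructed bad line; the function names and the `- ` prefix handling are my own assumptions about how the page renders.

```python
import base64
import ipaddress
from typing import Dict, List, Tuple

# Epoch 3 RSA public key exactly as it appears in the paste above.
EPOCH3_KEY_B64 = (
    "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP"
    "4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc"
    "iJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB"
)

# Epoch 3 spam and stealer C2 lines copied from the paste, in the "- ip:port"
# form the page renders them in, plus one constructed malformed line.
SAMPLE_C2_BLOCK = """\
- 41.185.29.128:8080
- 94.177.253.126:80
- 178.32.255.133:443
- 198.46.150.196:7080
- not-an-ip:443
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def parse_c2_block(text: str) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Parse ip:port lines into (ip, port) tuples; return (accepted, rejected)."""
    accepted: List[Tuple[str, int]] = []
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("-").strip()   # tolerate the "- " list prefix
        if not line:
            continue
        host, _, port_str = line.rpartition(":")
        try:
            ip = ipaddress.ip_address(host)
            port = int(port_str)
            if not 0 < port < 65536:
                raise ValueError("port out of range")
        except ValueError:
            rejected.append(line)
            continue
        accepted.append((str(ip), port))
    return accepted, rejected


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def parse_rsa_spki(b64: str) -> Dict[str, int]:
    """Decode a base64 SubjectPublicKeyInfo and return modulus bit length and exponent.

    Layout: SEQUENCE { SEQUENCE { OID rsaEncryption, NULL },
                       BIT STRING { SEQUENCE { INTEGER n, INTEGER e } } }
    Raises ValueError if the blob is not an RSA public key.
    """
    der = base64.b64decode(b64, validate=True)
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, alg_id, pos = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bit_string, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bit_string[0] != 0x00:
        raise ValueError("public key is not a byte-aligned BIT STRING")
    tag, rsa_key, _ = _read_tlv(bit_string, 1)  # skip the unused-bits byte
    if tag != 0x30:
        raise ValueError("RSAPublicKey is not a SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(rsa_key, 0)
    tag_e, e_bytes, _ = _read_tlv(rsa_key, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("modulus/exponent are not INTEGERs")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {"modulus_bits": n.bit_length(), "exponent": e}


if __name__ == "__main__":
    c2s, bad = parse_c2_block(SAMPLE_C2_BLOCK)
    print(f"{len(c2s)} C2 combos parsed, {len(bad)} rejected: {bad}")
    print(parse_rsa_spki(EPOCH3_KEY_B64))
```

Decoding the key this way is a quick integrity check that a paste was copied intact (a truncated or re-wrapped blob fails the DER length or tag checks instead of silently producing garbage), and the validated `(ip, port)` tuples are the form a firewall or SIEM watchlist actually wants; the port matters because the same address can host unrelated services on other ports.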
- #### Credits and Notes Section ####
- ```
- WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch
- because they rock and report everything to ISPs as it is confirmed to be malware. Additionally,
- this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
- https://pastebin.com/u/jroosen
- NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
- I am providing them for your benefit in case you want to parse them to be sure.
- ```
- #### What is Epoch 1, Epoch 2 and Epoch 3? ####
- ```
- (09/17/19)
- With the find of Epoch 3 today that split from Epoch 1, this section will be rewritten to reflect these changes in time.
- ```
- #### Community Lists ####
- ```
- https://pastebin.com/arKqrRyh - @executemalware
- https://pastebin.com/326t7QiV - @Paladin3161
- https://pastebin.com/3Lp9pfpb - @SecSome
- https://pastebin.com/3FPvZ9f4 - @HerbieZimmerman
- https://twitter.com/malware_traffic/status/1174423386245738496?s=20 - @malware_traffic
- (sorry if we miss anybody, make sure to send it to @cryptolaemus1 in your tweet and we will try to include it!)
- ```
- #### Credits ####
- ```
- Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:
- Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161
- C2 info/RSA Keys - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @VK_Intel, @Paladin3161
- Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @p5yb34m, @malware_traffic, @Paladin3161
- Spam Templates - @devnullnoop
- Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
- helping out with this!
- Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
- @digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
- @urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal for providing services/software no charge to this cause!
- ```
- ### Daily Log 09/18/19 ###
- ```
- @JRoosen here with a bunch of data that @ps66uk put together and I added to and built on. I am still having a lot of fires at
- dayjob unrelated to Emotet but doing my best with the rest of the team to get you the latest IOCs and details.
- ```
- #### General News ####
- ```
- As many people reported, we have a new template which @ps66uk has dubbed "Protected View".
- We also saw a short run of my favorite Light Blue Offset junk template this morning on E1.
- ```
- #### Drops Report ####
- ```
- We saw today Dreambot being dropped on E1 alongside Trickbot. Most of the drops from Emotet of late have been Trickbot
- and the gtags MOR* on all botnets. Today we saw MOR3. There was also talk of GBA* gtag Trickbot being dropped but did not see any
- personally.
- ```
- #### Email Template Report ####
- ```
- I am still not getting anything that is Emotet related but I am hearing more and more instances of reply chain based spam. It seems
- like all of the exfiltration of email after C2 woke up is being used also. We have heard of and seen dates from late Aug to early
- September being used as the message being replied to.
- All emails today seemed to be attachment only based and the attachments were docx with embedded JSEs or DOCx(docm) or even RTF yesterday
- and today!
- @ps66uk noted some of the new phrasing of the reply text in the reply chain emails.
- https://twitter.com/ps66uk/status/1174430064169115650?s=20
- Here are his full notes on this:
- Text added to reply-chain emails:
- ----
- I am getting very frustrated that after multiple phone calls nobody seems to be able to resolve this issue. Further to our conversation I have forwarded the email. Kindly assist, please. Thanks :)
- ----
- Please find attached your most recent documents.
- ----
- Please open the attached document.
- ----
- Please process attached doc. If you require anything further, please do not hesitate to contact our office.
- ----
- Payroll reports are attached to this e-mail.
- ----
- Please see/review attached.
- ----
- Hello, please find attached remittance advice for our recent payment to you
- ----
- I know we chatted recently about this - but I can't recall if we discussed this moment.
- ----
- Malspam was being sent out in DE, ES and FR quite heavily this morning in addition to the normal EN. One thing that seems
- clear after the break is that the emotet team is taking a more multilingual approach this time. Each day this week we have seen
- languages we normally do not see this often.
- ```
- #### Link Regex Report ####
- ```
- Waiting for more the next few days IF they come back.
- ```
- #### Payloads Report ####
- ```
- @lazyactivist192 saw a new larger loader (400KB+) today released on all 3 botnets. He saw very strong similarities between this
- new loader and Trickbot's loader. I highly doubt this is a coincidence. It seems like the Emotet guys have been trying to find a
- better loader for some time. This was being released on C2 and distro at the same time.
- We observed today that E3 seemed to only have 2 quintets of payloads. I am not sure if that was just Ivan running out of
- time or if this was something else going on. It seemed like there were more loader updates but a lack of distro happening for some
- reason.
- Seems like C2 loader updates and distro loader updates are starting to sync up again. I don't remember seeing them with the same
- hashes for quite a long time. They had been following different hash busting patterns and also different loader types for a while
- as noted by @lazyactivist192 before the break and up to the current time.
- It seems like distro and C2 on E1 and E2 stopped hash busting or attempting to give new loaders after about 12:00 UTC. At first
- E3 did the same but then did a limited run of the older loader hash busting until about 16:00 UTC. Then we saw all 3 do a large
- Trickbot like loader around 20:00 UTC +/- 2 hours.
- ```
- #### C2 Report ####
- ```
- Combos (IP/port) on E1 and E2 are about double to 2.5x what we see on E3. I am not sure why this is or what the purpose of E3
- is as of yet. So far no signs of E4 but would not be surprised if it appeared.
- 60 combos on E1
- 68 combos on E2
- 27 combos on E3
- ```
- #### Closing ####
- ```
- Some of the other guys will be handling these reports since I am headed on vacation soon for a few weeks on Friday. I almost want
- to stay behind and work on this but not really :P The Cryptolaemus team will continue to do their best to give you the latest
- news and IoCs regarding Emotet and Ivan. It should be noted that these people in the team are all 100% volunteer and go out of
- their way to provide this info beyond their dayjob. We appreciate all the thank you messages that we get and the stories we hear of
- how this has helped you. It is an honor to be a part of this effort!
- TT
- ```
- #### Sandbox 09/18/19 ####
- ```
- E1
- https://capesandbox.com/submit/status/103/
- E2
- https://capesandbox.com/submit/status/106/
- E3
- https://capesandbox.com/submit/status/105/
- ```