jroosen

Emotet Malware IoCs 2019/09/18

Sep 19th, 2019
## Emotet Malware Document links/IOCs for 09/18/19 as of 09/19/19 01:45 EDT ##
*Notes and Credits at the bottom.* Follow us on Twitter @cryptolaemus1 for more updates.

### Document Downloader Links ###

#### Epoch 1 Document/Downloader links seen for 09/18/19 ####
```
<none>
```
#### Epoch 2 Document/Downloader links seen for 09/18/19 ####
```
<none>
```
#### Epoch 3 Document/Downloader links seen for 09/18/19 ####
```
<none>
```

### Payloads per Epoch by Document ###

#### Epoch 1 Payloads by Document SHA256 - All Times UTC #### (Newest on top)
```
Creation Time 2019-09-18 19:03:00 (Attachment Only - Docx based with embedded JSE - Protected View)
SHA256:
b5a9b073c35be4462f63e39f9d1a5df88aa146ae8a74978c624073b4dbe8bef8
a9654cbaccc8394389d791d865bd59766d45b20cd4b9e753ebee275a0d671af3
a35b700fc21adcbde82f1883584cb0353a2f1ce0839fea801f00d86e9866a4e5
7921256c11c83cbfe08f42648703fed477f6ca468de315ddaaeaa0c5a0229025

https://www.cityvisualization.com/wp-includes/88586/
https://87creationsmedia.com/wp-includes/zz90f27/
http://karencupp.com/vura1qw/s0li7q9/
http://www.magnumbd.com/wp-includes/w2vn93/
http://minmin96.xyz/wp-includes/l5vaemt6/

Creation Time 2019-09-18 14:38:00 (Attachment Only - Doc based - Protected View)
SHA256:
15a3596629f6772062ff562e943a574ed8b378ead279fb67be922d584abf731a
67bf25d1b01502974657fc85c823e2b765620e80ac29843fb5367f934c6e14af
185aad1ed76889c3bc266d57be88a308fe4e327cf628b00ba9bf5cd20f1b8537
a02ea75848580682d7bbaecb3b4fd991be2c46832f42daf9328dd3eec0825664
e1bce4d42b83a244af8cd06f990a20606602ea6cb6cc4ca5eee5e89abc601343
d1e721dd421d6bad1dcc2ac1b44c482f89cfc8bdb5a2d5ad744edb8fd47d41a5
09940bc30b89d0e269e0b1226e575459018309af1b612d6f6fbe3f6dea40b5cf
e22a9596f5f82e75feb46ab5c8690f25842fe03d03aa9cce41e9d8ba301268fe
c1f7f8b62bd82cb682f69cfeb9f05e2404e3de061d9ce06e2dbe586ec199e547
c6355ca1a2710e7fd4b2cd4ab4066c5fd46db99735166f1d3ee09780641ce382
f4903ce8ea06e78db686bccd687857f7129f425cb03b79ac39ee6a7ad5567d2e
0273ff39d3d80423866d88d377797daa3477c93a0aca537d18674d5dbc8817fa
44193897b15e5b25abd4fdaec44923b9b44eef2d49b330934bc47f91d6a82107
583a4805108c1e8eb72160e73c3359d54fff3240b57e5705364035428ab5d471
e5bb80609117df7494c7b5ce9b996c25bd06db8c82cd404484e84b8f2a15010c
2fc714f53a8a70cb55710477b662cf89039b83279fc24ab34a1e862dcfd926b5
cff8d68e20920ba54a2842961706a6d210ddc344194861f654de469e555259ca
9df2d703ae7175247156855b30d60cb132e98a7748ffbb476182e8bf78031530
83fd823455aa7341bfb8e4d9c9d092062505913668325b48d49f4ed8eafc8d99

http://thinhvuongmedia.com/wp-admin/n2keep7/
https://mnpasalubong.com/wp-admin/nsmz9az032/
http://trunganh.xyz/wp-content/uzq50/
https://iptivicini.com/npkx/jwpy938/
https://www.cezaevinegonder.com/conf/fd45/

Creation Time 2019-09-18 10:25:00 (Attachment Only - Doc based - Protected View)
SHA256:
75f68366e8b144b780ccf59e9ed7ddb89c5af57dac5b0ab80dcb053d91208e67
36ea49b2ded19e91a3e07d1cfc27ebb27e5889bd86d4ccd0bb4893f192c01a85
fdbb2b99702c4dfc9004f0ebb6a8c65183d67ccc1f5a614244ccd9d7c0881703
755b78935524886fa8c43b7a25f2292932dbe4779eec7e1ea4bcf8e65c3dbd49
38b00ebc637a043552847aa372906789377b42f8588b1c8477fb8cf1a39975a3
e34737fd1379f3ecbdd6f854cf00fc597057e3dedfe8df140232fc11961466ac
dbafda67f0ef7d86b4dce799bfa797c50b6f94560a347057f25fca79e08b4598
3cd19e6844c2a25029a5ed56a0d803298e006c1d62a87ae537718052109cf0ac
4a914195a0fe3ced9590abc67d5171ad425121c1774bd44b176ea02625ecc73a
3a6dde6fd3ad067cb05b8b1d6a6a8f91fb8cb6326b6f04bc8c68eca656ca6b08
09a904d15676cc6a188bfdae4eb18afc123b0ccc73693f2197c0c995946de11f
e20ac03386f55a13bc3bd048afbd6dfe25742ef1d3efdf350ba04c1afefd22e0
719c25a2922197a50e29dc13500c64715dad9b9f0da298af079e7e346b831ead
aed648985f14e2de723c4907f21b8028fbf1896ffb5a67b86fe3dcf8b6666016

http://brikee.com/gallery/4dcmn72430/
https://www.echelona.net/wp-content/tyh57769/
http://grupoeq.com/leds/dal52301/
http://kirstenbijlsma.com/ecp4/mhh20305/
http://paifi.net/ssfm/bm840/

Creation Time 2019-09-18 06:22:00 (Attachment Only - Doc based - Protected View)
SHA256:
01997bf9c459e1250484878af709735d9dc1343db78ee117e14056b28316bafa
1ce0bc0a3cecaa2241c21250e4b3d763529e94e858536a3687474084032e3980
825c80d062051acfbcaa45dcc3939da8866a6dc71f8da31cae4ac6feca9a3463
360f281360d3b69a414e4a9c367ed67a8401bfb1c6d1203d5d558400130b52e5
4dcfdbd73ec71eb47bec2b47b6805862b7b293abc8164b2f026d28e5f9faa84f
5337010281693ce4799107545c9444a616ed6bb6cddc50905a114004fa4ccf4c
475d0fca066d6a90ec8fc6c38554f93f5c9c547d76a7714a3bfa72a8d2f45079
1183fb03a7aadf6028ad96311034c4541cf9784223692d7cb637dd0562b693b6
3f5a2ddf0ce35dcbb69bc07a247923226b7f1554788e4d913156c4df5587e0f7
fc3bf8ae50dba94341ef983729d33e4bcbf347412145ec41834701896a79ffda
ec61f28c35692cfad5b115c56f29e1aa5ea62425448cc42fe78392c1627545d1
a4bb536c33391f0217fbd4e62cad15dd0995078aa6277641b34493b06a45d54b
bf3fc32ab210d1583a926a1cb8777ac9f78d9615ba79dc7f79298526a42e34d0
d5b9cfc175db0e99d88e07d631e699068fac095a211d92afe8d7dc762bb0151d
e62936a928c0f2259973811d55f2bf018089b1532d0e59c2ace42921abf1d8bd
449e8d2c64a643f4ffc796b921a0996d3b4d06bc41fa374ac8bc899068bf7ca0

http://dirproperties.com/cgi-bin/fd14999/
http://run-germany.com/scripts/jc828208/
http://saxtorph.net/DOC/5ndqov018/
https://sukhumvithomes.com/sathorncondos.com/ucwna794/
http://vanscheers.com/cgi-bin/gorp7v455370/

Creation Time 2019-09-17 17:51:00 (Attachment Only - Doc based - Blue Office 365)
SHA256:
b3ac4bad78694e606ba685d44e10edca9307a356268edf15d41c765023b51010
581c365eaf2f810aad99863c554d1f250df2ee303c9730350ac26af80bfec379
6403f5c81411c98c3d86890d4b3787a334ca3b37e6e3d09ed8a148d2d64ebdb6
246560e045e5e090a4a165da0238cc7340fc85d4412cce1fc5592698f1206e00
0d19aa73c37bcbe27e9e3b3eaad9c5b02e8d27bf6656700388aa0b46365c9425
21cfcdac6e5f2d9ae30de0a6a2a31537a14766d3bb0d747ed76da07a9fb90433
7d31a000c8fc9ac94b74ec200eb7889ed31b2bd934e66f1c795d70d2806a916b
ede47da9bf4f9ac755b67561d1d3c6e3a8c90ac071f6f165bb8d430a107cf1b2
a35dbba6ee021b32447958ebb080cd92322df466c2176333da0aa6a8908a195c
f6e9f4bd578f0ce81b02105a8ca6fe1a3d5dcae69a207d131e3bd1427226c743
4f8e0f4215fe887f29e3f6351c826ac1cc6305305c43c800ff38e2933374dbac
e554334c4dcf2e1e4184191907b4d6c83d513c79ae71e25d2f9fa4bad22ee8b0

https://stackspay.com/wp-includes/0sxfg82114/
https://www.reza-khosravi.com/wp-content/q2/
http://w3brasil.com/sistema/p5q207/
https://www.pronhubhd.com/cgi-bin/m0cux6/
https://www.karenshealthfoods.com/wp-includes/95oos267/

Creation Time 2019-09-17 10:49:00 (Attachment Only - Docx based - Accept the license agreement)
SHA256:
2c5e35988c772ca2ecfbe0a4608a983244c4790aaf251800316d46f69eba19ad
3c1f66712738a67c4f8805b1580142181969041b62a9ac6bc2dfe0197cb50eca
34d2b83245696fa1dd24ef9ed4b33ef9172e9f6e274928628bd24c1de0763b47
bf0ef180e13f8ac6fb5f147a7773a688f1d54fc6f478ca90ac403074eae33a21
eb4571b997aaf51434fa77fcecd83cda43489882eeaae99c680859f54b47429b
65ed503aa5df39bc7549a1f214248e65642e0aca37baf8de16c879f4aa41f266
8b8f082d17bf74b4be2eaffe167bb0e228052366ec07ee8fb3bdc2ac3d8a314c
c18c17e19cbd27f03f6fd71d4134c325706c9af836d641ed389029d7d7ef18a4
95ca385f5ccd5e1ece5d34148fd82d01eebd1194308108a951650059cf09160e
08c9f6ca7ae476b878ff40120a051af4aea32eeb2be40a4b052f3ee35e29a4a0
4c33a6fcc83d536e49d620fc48d8719984f4d16de4c48081c25483122a0209e3
ce8542b000044b2a84f282bc0b0935debb8a39eb36eb293f528c7dc3280d9e5c

http://fitchciapara.com/wp-admin/rau3e7/
https://www.internetshoppy.com/wp-includes/971426/
https://blog.medkad.com/wp-admin/e9684/
http://www.sirijayareddypsychologist.com/roawk/0kwsol940/
http://komatireddy.net/wp-content/911968/

Creation Time 2019-09-17 06:17:00 (Attachment Only - Docx based - Accept the license agreement)
SHA256:
76e96261a65bb317f4172d624456d5c309c9d051103b987453eb9963ec8a92f0
c10f92893f43eea05733b1b4b8ec0d8aac8573a5da19c79a26f2edec85aa80fe
23a1816874f187f506dcec05e215e6aa9ad2e5aa5ae724fde708d09811211927
0029ae9d5f47187d586e165f0c8d6570f45b02b5119ec1017db53f361c00a64e
3cc81f3afddb01557b191ea19b85f9741814c3d91740979244e8a6f54c1dd27d
7ff1f47725f414bc141e1fbedcd39f75b6248bbba554183937d675f7f1e158f5
78789d26eca37d1a801133bda3765085a3115e67ef8f9336c2603888e4517a0b

https://gpmandiri.com/wp-includes/5u9493/
http://ketabnema.com/sitemap/uenjlbm4074/
https://www.njb-gmbh.com/wp-admin/o2p1fm4237/
https://brkhukuk.com/wp-admin/1xk1qcm0404/
https://interpathlaboratories.com/wp-admin/bn67564/
```
#### SHA256s for Epoch 1 Payload EXEs seen on 09/18/19 #### (Newest on top)
```
23bb7590d1f79e552182bf686882d05f31035b76be173b24308ea374bdeaf58d
8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1
f3679c5fcfba9a2305477378495291f070f4602380f986839801d614320cf65c
94748d9e061b57b1c04be9966c30f8dbb390d073140be46c4be4aef5b2315fa2
d2f7affdd9a9c6fd06911934ae409a2922e02619233305b074224f6f08229f39
594ef82d8231a52c0bb564a4b46afd87b75813d1ad9f29414286216b2eaa0920
309db6c75c9878ca3297382833cba690a4d81baadc206689f344aca0dcc74d5a
e73b7d9172d1200f45ada487a5aa4d0a641a33cce0cb3d7078908be0293c21f5
f599cebdfed9fd070a1ec3f1c5da758a99a34f7c34b82f3aab109dbdd6884ad5
7d2b45d3dc790cc7ba185e2401d19dd92f406d3aa2244598b82827bada6e2ca0
1057b6a2de11cf5a4cd02ca63a0358e752958cb2071072d9aa18ce9af429c8b0
fddbf337fde21c0d948ac8e0f7878065655324f4b17db53cb9f912e978c61bf6
6e44750084848cd5370fbfac2e2633ecfe78ec5e47a158b1253d1301d198089c
a0fedd6c211bf5ca4daecd8bd7692ed695affb940295b9cf56900ead2f1501f7
1d9d30b657cc82fa0397eed989c55bfba0e36c0e86649da3a415f93d4ebd8368
6006c3811e6f9a593d81dd654e809374e52c890a50f3b37214c214652bf837e8
97a0ccdb1a7fe09194b55c511da8f0d8fad771552f0ddfb4590f9cabc6c50c39
57c6aa9c0bbe5128d5a973b9d54f89580dda7e7e74e0c33f11a931b5ea7c85da
808599731e8fb31e34698279017f4089a96dbfae8dae9792074668f7c2dbdbc2
2e7d08e3849bc46efa5adf0534cabde27f0d6594d496d4860d1c341909a745b7
f00d4a1f4b6dfdf0f87cd7d9703097b5784558e36bf6f8eff875978b5aecb308
e3d787ba2e917f95458a133150928c4ade94312a660376adb4d6db6f51267a54
64b4579254159ab523b798c325aa1c8c1ae803916b6e540d4e77dce8528df28c
7e382b9387df2935ab3893349b2ae3b3109e5fd472bfcfcbe2fb1375de822f9e
c1d8e0dd90d7fd2fc854203267c087129e91138b9aa8b95ca233310cb734740f
88782073c5f89d505a2537b6afa0dd8a79fb9400a43b4db347aef287fd747de0
8b3940be43fcd410777ade2db8c3a3a717d14c610229fffd0ea475ecbbf8e75c
a2c913e6bd67035590680d7bee92286e05dc5b35996d64793af2f75077f181b9
```
#### Epoch 2 Payloads by Document SHA256 - All Times UTC #### (Newest on top)
```
Creation Time 2019-09-18 19:03:00 (Attachment Only - Docx based with embedded JSE - Protected View)
SHA256:
492200f1889c3f0351bfb8829f4c9c0e75e49ca7236594c69b503968a2203a0c
9371ff0a86790bb9e2fa2a6255d6ecc4ceaef9453ea6b69d7d31302d34fb92f3

https://www.wuus.org.cn/3eusq/ly5js61iu_f07y3m4-5718594/
http://proslandvietnam.com/css/b8u3_00lsmx0zgc-495/
http://nympropiedades.cl/wp-admin/iq3pr_81osc29-842240/
http://picnicapp.co.uk/wp-includes/vLFkVtMg/
https://www.bildideen.site/wp-includes/wtjFNonb/

Creation Time 2019-09-18 14:32:00 (Attachment Only - Doc based - Protected View)
SHA256:
203d07f2686d1cb2849b204e2884b27c1e70f6049cfa280c5831c5209db12393
7b2142363813a41fd3a512ca6bbd2e3d73d274558f58ca990d78a1537ebfcbd8
e52d9448e78d875f07fc9cdbe18ebbf755a69b95aec37d147d0ce509de3e7c66
5c39f7d201d031baea0aa681c8b159c59beaca86729cb6cbaaa1b3d30b7386ed
4745993c2538522d79efc7406292f2e9429efd8ab52a81f7919173d3e3e1bdcc
7a72d0ebc33c4783b64a8cfb1c31c2e81ce1f4a0833c691783f5aa8e998ab7ac
b6e8132c9284fc40ed53bd0fd11363ab05f7a4a54ea53dfbf69d8380b0238af1
f413e1b7c64a5c2a3cf534b1f2461c57f3f4cd409797f3b63ee5f2714f3f9c22
62e147f40b55a9c44c9bfed3b6cef7ec260075f7e17385914ee87e4ac7967e00
aa8cef9d0598417bb9e25c165cbcc306ed4c466726943d32b944c8abdb97efb9

https://www.patrickglobalusa.com/wp-admin/fSRkAFjqv/
https://pipizhanzhang.com/wp-admin/3ciornz_iulayscz-679646/
https://tankhoi.vn/wp-includes/XTSugzNaz/
https://www.supercrystal.am/wp-admin/PdMInSgs/
https://hotel-bristol.lu/dlry/MAnJIPnY/

Creation Time 2019-09-18 06:25:00 (Attachment Only - Doc based - Protected View)
SHA256:
3bb3f51c6389095a28d24cae5612b884d6908a6c2b96faffcaf6191cbab7f285
1c42d4b099223ac713f83dabb6dd66ea15be112f3e4da062d9f5e9c6c0b2dd0a
dd442fc6c3db3f41e8068555b522b6e6dab4f2bc234f5676941c7e15a76c5d85
1274dd5dd2bc9b4c7a37b6ee901fcf5aa8763c1e7c3f1aef160d2034e0ffc9db
20e3ff86f8d4187f7c24a65971bdf430209dcf5a5c688233c996197afc60eb6d
5d9074f7b096f8e2beef12adcc34389826fd7047e6db1b7ad7987b6426660345
e3b86e4b26e65fc6f8ea29edfac3f88790fd578f0a0d4ff62293e7251c291bf1
9ba509dd67f58781c0183818a2d3bd09f106a53dcc6347dc7c8c2e804a17ebf9
7ca5c4a07813ee202833a7e81ff946186641b7b7244c2fa3a941d3a056648db9
fb4e1c1e2cbdefea107b0b4c1975b252d2f48db4a8b38afb7198dfefe1c818e9
15ccc052b68c5810289d342a5948f85182c5cc1e986376f14cf9fb59aed90b11
70cc040393abf70571b1eba5d205b9aa1e56d3415d422dc9607a0ee9d400addd
7650c46d99e30ac4678c5e390e71dc770fe5b5cede6c491d6a1382a855df08df
e39d15deb293e51f7aa1c9dcae995aa61cb4848bf908d0d9b2bfcbea791a3b52
c3363f7026bab3a44561745c749a0a5b3d8b444a2dcc25f78423df6c2f87bc08
7fb5be103a91415ae30d59797f2804f102d0101f223a2c52cd62174e536ba7df
f4c13de897d181917fbb9f6e20df405cb093e1417789be348b496c6740af7cd4
e390f85b04ea7c826aac049170e915dc04ed1e9763e1163145404f14469551b3
7818a8583af67f1e49db54d231cc7ce728217262b0318979f9871abd6f120e44
7e93c332bc5aec32fdcfb7feae457032e4c42408d7dadb04a7d31c61deb22102
b4640705afb53530f51f23f931c0f35592c456e897f5858c48587682d78082cc
0eeaa9b6bfa6fccadd06807466edd3b6e8e573c827a80ebd14144131083bad13
6efe653a4f167bc134194383e0804841b20913f932280e70eea5e35d35f15915
c7be7c3546a65937333fbc094586515a2415f7b54e29558f8f4337e18cd50eb9
b57545580b3fa9582bd35ef2f76ee447eceb3d3e9ba2f187e90d080ca2e2a5e1
c22cf047ae5d11fb1b825f2d9d12b2388bcd766a61c98299c831d6ee19e8bf98
645a6c69822672372ba9c952c80b144b87646b4257bac4ad4888bdbbf5cbbe9e

http://shael.org/hosting/TYXchcKkHz/
http://www.lottizzazionesavarra.it/wp-admin/zMifZDPur/
https://herrenmode.tk/5usqjlew/ttg22zcf_q5chov-377215/
http://nfbio.com/img/upload_Image/edm/pic_2/u6q4ucq7_hyg8uzhh-369963559/
http://endofhisrope.net/2008-08_PSBearDonate/qmiuOZvDj/

Creation Time 2019-09-17 18:40:00 (Attachment Only - rtf based - Accept the license agreement)
SHA256:
a582abc9959dc6bf4f194137346f8b1499ea16a3323f6fa9788fee7222e005da
70806f99f7f064a0de78179b272b157132705d2ea8b7b304d8e00dbd5af17925
33cba618d674f70209c0baf6681edbb947e1f74fd30bf2060f8c99b44b90f91e
2d3ee28cbaf2d5ce25485c102c8eb5156181f6a77a9c21ae08bca23ce70bf648
a492d83b9218e1c55c12c2c5d581f871175ff6e8ed6d4b53cbbaae4eba856a5a
3b8dcbe357c69971faa80c48316e7587fcc5a0e0c6243772e3c61f75f669cd36

https://www.randomelements.co.uk/tfmuz14/lfEcgPfoq/
https://www.wanbuy.net/wp-includes/1njjz_tnye71hdc-64236/
http://www.perubakes.ml/wp-includes/d7k2_pvffym7oz-9913706/
http://foxnib.com/c3uftcyx/mg8jp0zp0_0gtxu-17/
https://clubedoestudante.net.br/wp/RcQUCaJC/

Creation Time 2019-09-17 10:36:00 (Docx based - Accept the license agreement)
SHA256:
9fe890f4a1393ef301e24b02ab3c173f230ad7a982808ce6daf130c861422208
1a6a015dc1f9f6613a6985242037198cb3449d74694e0f759d4787e866d723b1
c3008e9a03adfd6c38977a19ab58fb4fc6e4a9efcba3b8904a52f4e03a6aec67
294566e0ea5c9c1799e88e60515941f4b2378c3922bd2186abf2115cb74bd4fb
970f8a5fa9f4fac079dd454f0bf310844594e7409f96aaa32198a2fa2b8bf496
f66455a0741d598fcc588487c45d00bc38200c0c6aa8882f42d80aac35755913
f7c74161c5207c1c29bfb9d7819c198492383af0e50dbe2bdb9d92bfc8416228
8c7ef5a2e3d1dcf21b299b92bb25f0f27394434d6970a7bb118b5105cb9c013f
d2d0e76dfaf8de51d4a0b7cd5ebd0335c0ec5c48db4c29672f5e93c7ebe5f2ec
373b47d463e44a804d7d96c608b5ce63bd47bd5a771700e31d03f37db003aabe
3b219e22b7710e28261412a4f30eb0cf2275a574ebbfcdcf60be33017033a7fa
16fc49eb29963ddd1f26ddc5fe3641d442203e0d02bc94b8aac4e89f8d0b20be
ccfc24bc3390c2031f73cd4238009315b5a171ccdedb436ff89cbc4881ab7016
9b2924585f99809491c11d8531f7c7af24cd43e8f1bd1bda5cc1ed01b517e37f
486783e0d46f9109a88a49d28ca2ecc80f16d17b0c3c061c3a020c47dbeaa6f9
2a820ad1d8e5d9a9f6784ebfe923d0f04e21aafdb92f4c5690a8eef478ed7859
d80f4801c5a57425d47c7927005c8e28998b7c2e278df3b748f9df3b40e1f713
92e7008a245ee8368d3f1874b37435c7fa3a785347c8eff53c122c1f122a195c
315130b83a7f72b9a2dc0d80e2f7ab655840e18a317e681359280f9044a08672
dab4d2b81481a0f61c8a0ed234ea66b80e94c0807dbb5a6a2de3d202a75cef7a
1848522165ace7ce9ff1f53e88039ed69275387510e16fa2329e97ef5b4f32f1
81b8847ec43cf7dd13778e8ce7a6b891aadc6840218db937ebd9c705db87ec77
018599fbe46df0a07db76894a61c7ad4f7cb1fa2fff9ff9a7ba9257f6e3f2396
c5ab2f42e3cedcab4419bcdfbf6942e767f6b180cb240cf35ad94acac850e744
b966e5e26cc174f2653f201b89e78527546deddf40d0636296ce22d3d7d9c311
9fc914aed1f80f3f61017d771e183f3579a16b9e6db8713984088e84e947b230
907f9ad5a331dc074f21e4774f272e5f23cff189e480c0211bbf84667da49765
dd97442f6ab0ced920894b956096ec3100a44dff6ea98a64300831d39eb1943a
980de188ea70ff424ac12f58f162af0d25d462a81238af1999d5fd01bad86ed7
fcd33673c55fc7e18ac1c551c921c5eb07a06f359cf17c72ed8b9f028d820d43
e2e5332d03d72db8f5a17a08afcc61896f81b7159602c312460c0725f4c62afd
1b87e582570698d2b8a86c848a381a15cede79f3edfef972e3717d1109c94494
1653888c8df3d948ae5304995c366395ada6d04df1286c31766f45972bef70a5
f89731c8e6cc34608531bfb1cb5aa7a91f5c73d29e75ec8bcf7062048b718ba2
7f54968aaf31bf88392e5dcc8f33b202a60134554dc28d415600f6bd270539da
bb004c5f5314522439f9ac498d1b88a40ab3671bcb9afa60453fa664bd1db4e1
e9053bf42b30a14c12d6bbf372a90fe83fea082074ac82bcd675c85ad9cc7a08
9e73d4891b1e26790a7d54b4797b203ce598ff3724199ae9628d3de9e878434f
7acfad68bd1636e23b5fcf7fa948f37fe6b55aa65e50227a7383e48773817e66
d3e1412b028439ac119eaa35c19b976426dc1ce4cb2f77bd6df06c638af967ea
76307e4d81b03744b0f26d389017ba08da6123d52c150d53f7ac93363147b350
6f0cd32b2c5ede784297c4b229e16548b8737bf021cc690d907fbf50a2c630b6
e8681714b8d9cbac7d8c45f5503316f694546569194e882e6c279ab284930f53
53e6def7839ac12acf3dd01780f2d754f712a1865c8e8418b31f90f17447e523
be44975fcf708de8c8f4915046cb5e9710b02f47ecc156dd499a9dbc883b54a8
f06d1abada97c93d7f65d8daddf46fdf35fedc33d27a3bd55fdc9a4687aed238
4e06546e19285495330037973a2650c91a0ae20f58e1131dcc63b30272c1b0aa
bb5c969551fb12a1b5d2a09638bf92d9b0f516634be00084e63309b6df314051
482df5bf63299d66ee877eb5ed9ca8ad68fbc0b1ea87f5d368b4672f7e8f7112
c4c46d71907fcf06235ef0dbb6233b2d407a088a029361f20f81d2f5d37369f7

https://www.59055.cn/wp-content/f7c18_onqapey8-49048/
https://www.xinlou.info/wp-content/zomusjj_rgsps3-791960/
https://larissalinhares.com.br/wp-admin/ttzTQwatYY/
https://toptarotist.nl/cgi-bin/r1y59l_283xx-97329804/
http://www.robotechcity.com/wp-content/nyCCqximrj/

Creation Time 2019-09-17 06:08:00 (Docx based - Accept the license agreement)
SHA256:
c6880efe4062e3254f3371baf586afe7b0abfc6cb15e1802c3d401ffb57c9bb2
0bfdb7c16ea90ca488091dd91c529600fccd023b99a4d2d0fbdb542a5447f757
7de6cef7ae4d09a7dc710ecf60e938710637f9e4a4cb31ab2f5f037d961da1a0
c75751d0d1c623158e45dd65bc79e4071a8f590c92892b939d42816286f9df40
4fc91dccc92a16a3756a3d6b5955462533611d03765a36e0555faa7ee8c595d3
408de3e3f0b8cbe63f7e31b408f2c0173c9b7687e3e7b8bc5acbf57a73f52309
e12b9616768a97b6d3b368b9c9a35a269495fc3a5f2272ac6391b55df927fd95
1986674bce852ad112adb646ce5844c237dd81dfb66e5aeefd1a8428ac7d7de9
a6969d658c428af2e3d9557544048155a1aefdb5ae02c5d2c76c834b0302f1dd
6c002c186596a1584507c47a6adcd05939430aa12231c8c5f7d5604ea6f6937b
97fa8af4227693fff6c84b7c0f1d9157eac15dca37537bb2fe8f9e53fdfed112
e63978bfd491b351ce03b38f28018fd2d27b3c64db5508d8775bce37a3d64068
c7702e498489aaa115c5f39d1ba16687750a8d6722a335d803dfc79f148974ed
569960ebecbf0e9b2db5237d98e5bdf49effbc58d93b48bdc19f54c33fa1fd58
1ac1339bef3b3af22a21b773c3ca02aa0d4b91bb64956245869b9a1a629dfb5d
6ab480a6f6ff404049f13b52903cb8c5502af57732c5c5d268b523ac4b0a4034
f4f27a7c4bdae3ea41e498081d9ab595130f025009bf630a8904e3c1ae1ba233
ca2c057bfd2de086bb34ca6086ab1f6d95c0787ef4188a0410948f65b02d3a6f
8b77aa604f61e476035ed606648debd481fe3958826870ce2e9936649888e907
910e4106584163b9ac811530207d76cbaf09663266cc0d5e1d280c5260bac182
5f911c16ce697dfa570b6dfc49ad3336de2eeb5dd6220764470b570b54437a16
8f78f512d3d31d330ec66b5a0f6591530c98be95c930becb709669bb2f7a4e3f
26537bbe3ad050882fe631ceb89d091fb896c14cfc5e858ae25df196cfbcf2ac
ae6cc69539214162748e3bf5a7205250773f1f9524dcd8608fd24e84bc346e8a
ac562e7935b52ecb175701ee4e5685674fb9ba73d25111c74bd22e896bda23c1
34f6d590ab5cf40a3b69cd72e2bb79d48853b212ce0077538994d6c74ae68296
c3000990b6241738f623398dcca4f3e9a4c8fca0e3cef841802ec414f8e5dfdf
577a13b37fa869efdd7b55c2b4adf57862b97dabff23b60f00d21b212cc06d6f
dd54fa680448e15c87aaa1a9fcfbe8043a33374ca7157fb0d160701e5c59c214
b71d94535403330947c1faa9be7eb6d9e2c175c02d803d878319c52bb1fbea6c
515ee84618a9fdf820100d3a081d1a8bd7839ebe80c9b0044cd35d712a235182

http://maceju.com/blog/wp-content/uploads/ke35rmm8a_lks5g8-82/
https://maymaychihai.com/wp-admin/MgBWkjXP/
http://jannahqu.org/wp-content/c72aexcrys_zuuy0kvr6r-8372/
http://szmoldparts.com/wp-admin/nHqceUHmJ/
http://nomadztruck.com/wp-content/uploads/SfwpziJD/

```
#### SHA256s for Epoch 2 Payload EXEs seen on 09/18/19 #### (Newest on top)
```
4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29
6bbc1fc04607dc91b4bc52faafb15b3c5a51778bc59487684d3dfa64a1c85a71
5a67047d3fb53be7ec8ca8bfb263a3b3e05aa93a089d674b91a0d252e0b0c8ef
f328a0876b9806078eca40e09bd723463996630d9bb1457a36ea4353d00c8eab
c9b60d1567424c3ce1038e46b2eb41cd6ecb06d314062cfc29d65321609e5de2
cb92e490eff25ed3f275f14b15ef1cda794970d6d4ddf46279d333553051af26
0fae6c3af5c0ef961cd310ef6dfad78d4efc9dc228bf0fd9fe1deb4e2b8c4e8f
6fe29dacf133d35e2080fbabd36595b3acde1ccf3a93ce1cc03f5c68c16d3d49
63ca489e319ed939ebf9a7b7ee4c694cc027a6f81c6584c76fdaf146e5812776
6580fb801190866204d0bf9f8339fd1ba661fb54fefde2807fe1ed6954173028
d1f4d2eb619f40c6d029d3d7db69ab5243f13764cde34be2d7615d7fcc51f896
8bfd54b812d52486e2b5f8d9915b94bf337e9e70272fe15524e56f1bdd96ee20
fad0f60716c31c81b3af488118da8e01165a1711c82bd15e454eb408aa925f5a
c6956ba0b2c1649230a1f6d23e3649a9f60607b8958c6ff765a30d07eefa4452
f448d4ee7c677b03fc3f2e0cfbd841f3361d2b4e7e85dc170c1a6eeee3e9711d
3a4fd102f184d7bf0f86a6293768c3ec25995d8557ace103397e02679ed85202
9f1f91690c309dfa0ff0ea7feb55461b416f99bfbe9861255cc8119cbffeef66
563058089e2ea5ec592a28221b720c1599a94c55fb21ca0901f22639d8d5ea5a
187c043e2ca4afc9bb749343bfa86d71ba4c27f48ae24493e32e5f24a8a5f678
a9eb1827847a8d138cd4ff4aa1a061982200f3dde7b8e8a6ea217be001c94002
8c35139ae0dd0ae28353c0ec45cabe8628f27236dca06930536bf9d745c4a30a
cbb891687bd4dfaf99fe1cd98fbc39887822a4a00df6eaff34505cd8a7d6546d
10d48e0f73575123ead8003f955c689e585c39d23835947f5ff79fa83ec48175
74a66a1148d715fd7901aefbf07563d505ccb861a48f10a91d2198de0a441812
43fbcb882f2b1c9fed152e41e944ea023dbb3d3b9de0a4a3e507f5211ec24225
d07148d27082571f7ade59a37e44d618316a45e96f1db6f260e888fdbf6faa3c
46d03d1c8dda57b69f327e3ef9f242f6e6389a8696b918558eddd67e78850362
5f208601e2b4cb36e2fc220e201e59eb025e4686070eef535a51de6de89e0a72
5f5ac6b315e30a2dd7ba704e5a790e5760b9de75c0eb908d5fe672b53dd4dbee
fc81e3737774f617528664c56969a27515404720faa4e7aa396f6870ea106132
ac3542968fd7a626d10916452d1c1b6a1d3f23022109ebb28e45f1809a3f313a
2d94064e58ff267c9231def715dd1e9c01f88cbbea49d5fcf0ec06bd47de8b98
e05795787afee605b45484cf74306603f7ac09ff20a69966901143ec39cad466
dca789ccf64d9aa572b43d102dea2a7605b9cb9396ec5b29e11514ee088b7dd8
ab4bae99ce6e421071d511867827a3c448f4858f5771a4efc1934ebc48c51ada
1f0bb28bb47cd80b08ffd08740ca47b91964c637bb5de23361a2ba41fa31db9c
```
#### Epoch 3 Payloads by Document SHA256 - All Times UTC #### (Newest on top)
```
Creation Time 2019-09-18 15:20:00 (Attachment Only - Doc based - Protected View)
SHA256:
291108e76aa29a2cffe54fbb938938f3c0b3495276481b7fd92869188828b35d
64e94504ab11f0fe3f3207da28902e9d699707d95478e22dbeca0de669dfad5e
67b949c40e680b32757b8e60fe0a01a1a08781e8af7756e563fc26d985032977
705cb2b6dede75c722a0b001ed9797b729465f113286b495a4e8e78998ac557a
cd64df4432b53cd92db53b9a424a86b4df0ea3c50de36ab8fc967751423b156e
f44386cd1fb4acae231833634044f4c219d6b72c03f9a7dacf98a25db3dbc889

https://www.brooklynlilly.com/wp-content/PyVMSpAl/
http://blog.internationalfertilityacademy.com/wp-content/plugins/classic-editor/jzbNbooyL/
http://marcofama.it/mail-icons/lwnei7-dxih50s9p-883209316/
http://think1.com/wp-content/ktTAcbN/
http://drapart.org/Prensa/k0viv68-5v5-2137/

Creation Time 2019-09-18 06:34:00 (Attachment Only - Doc based - Protected View)
SHA256:
102786cf9bf58279d2564e81a98a3a3db9837e6a63c299372946da66c8da128d
674babcd87c78efd5fd0497c4089ddc548361a2eccea80fc93e693ab26682c90
0bcba8185e0801f427ecdbc93b5e7691065e315f56a29525cd9c83e42bead7a9
65d30eac355e49c33b4152afb0c5b4ae43002299e994a7461106beef908f040f
9a064ef8d927384d69879f5711cdd91dd26b6a1b53ba40c0642b185a9c1d05eb
5227f61a42d3dce99a3c607ed66b1cb4b65703c4fe1846f31d5c254d67f525ef
6a911ce34b005cf9abd4468df82caf441b69eb45c00bca5fa03b5b636f0a5110
bb79ab15d8913361881f564ad2368be86c5fc55aeb829057c95a55dffd781071
ac4ce5a9ca0a1dcf08f157a555029d8803faf9b8f92eba1e071605f31fd6cfbd
4aa2be4d10eed47e6e2a82cc61bc012da82b39bf0b9ff214a21ce7b4eb6a05d4
68cf954a2ac70d69005dd78276beb58690d3dc3959f24e706a35116e4e873a38
870901eb42447a5c2735977e211f7064d038ba01031f17137058d5f9f7c57be9

http://higo.net/JupvMyhM/
http://kursy-bhp-sieradz.pl/pub/dDqkeXb/
http://lesantivirus.net/css/qj199-j311-12675/
http://leafdesign.jp/imge/QfFPZDeO/
http://tpc.hu/arlista/OmwmIQkgP/
```
#### SHA256s for Epoch 3 Payload EXEs seen on 09/18/19 #### (Newest on top)
```
7d16ff3bbf102fdbf9ae57a989c374af5ae0c35f479ef96c6b1d7b70239c61fc
cd60405e73b8aef34208e8cc737353bf6430615e7f931d5850162a912932dfac
ebbfb63ec9e4eecc19ef5b646b07b5321a64ae7dd04c5d53260a9b6e5ee49435
8a8191e04bc54c70efff447d15c8879e3787fdb4457f78572c45819087180312
a194476031faab308e1df330874d3ee3ada33643e1175ebb04ca8ce8dc7e79be
4c1b66e17da3a3b2345ae4d61b98932e689ed3bbc62be85070971fe1ec4b36df
7f13b9531f35abd6c53a4d130b31aed491639300230bb8731c9d74dbe3033fd5
c1b13b6c15034d297c209059fcc3550e92075d2544e04ddd180f1714db5a0281
d64f0173d83b2d0b9ced81a05cc7721fe16fc403a2f8c46c599048619a70fe44
51683ec664865c346f79a8cd7874e8bc7f14d711573443941080b801d565c264
892e9d54abdfdce0cbf824f53349920d18c2399be1d8ee09103bf98c49f589e2
601e39f53fce47ab29c03ded6f2def7d170ad0d24130830e8a6aff96184b413f
f3679c5fcfba9a2305477378495291f070f4602380f986839801d614320cf65c
94748d9e061b57b1c04be9966c30f8dbb390d073140be46c4be4aef5b2315fa2
594ef82d8231a52c0bb564a4b46afd87b75813d1ad9f29414286216b2eaa0920
99446d4e8017f6bc1277310c5c3a0fc1d9cbdab9d34c5022125feaab3a595537
309db6c75c9878ca3297382833cba690a4d81baadc206689f344aca0dcc74d5a
e73b7d9172d1200f45ada487a5aa4d0a641a33cce0cb3d7078908be0293c21f5
f599cebdfed9fd070a1ec3f1c5da758a99a34f7c34b82f3aab109dbdd6884ad5
7d2b45d3dc790cc7ba185e2401d19dd92f406d3aa2244598b82827bada6e2ca0
```

### C2s Per Epoch ###

#### Epoch 1 C2s ####
```
104.236.243.129:8080
109.104.79.48:8080
109.169.86.13:8080
119.59.124.163:8080
123.168.4.66:22
138.68.106.4:7080
149.62.173.247:8080
151.80.142.33:80
159.203.204.126:8080
178.79.163.131:8080
179.62.18.56:443
181.188.149.134:80
181.36.42.205:443
181.81.143.108:80
183.82.97.25:80
183.87.87.73:80
185.86.148.222:8080
186.83.133.253:8080
187.155.233.46:443
187.188.166.192:80
189.129.4.186:80
189.244.245.238:80
190.1.37.125:443
190.117.206.153:443
190.19.42.131:80
190.200.64.180:7080
190.221.50.210:8080
190.230.60.129:80
198.199.106.229:8080
200.21.90.6:8080
200.57.102.71:8443
200.58.171.51:80
201.163.74.202:443
203.25.159.3:8080
207.180.208.175:8080
217.113.27.158:443
217.199.175.216:8080
23.92.22.225:7080
46.21.105.59:8080
46.29.183.211:8080
46.41.151.103:8080
5.196.35.138:7080
5.77.13.70:80
50.28.51.143:8080
51.15.8.192:8080
62.210.142.58:8080
62.75.143.100:7080
71.244.60.230:7080
71.244.60.231:7080
77.245.101.134:8080
77.55.211.77:8080
79.127.57.42:80
79.143.182.254:8080
80.85.87.122:8080
81.169.140.14:443
86.42.166.147:80
88.250.223.190:8080
89.188.124.145:443
91.205.215.57:7080
91.83.93.124:7080
```
#### Epoch 1 - Spam C2s ####
```

104.236.185.25:8080
31.31.78.203:8080
45.55.82.2:8080

```
#### Epoch 1 - Stealer C2s ####
```

66.228.32.31:443
198.50.170.27:8080
216.98.148.157:8080

```
#### Current Epoch 1 RSA Public Key ####
```

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB


```
#### Epoch 2 C2s ####
```


```
#### Epoch 2 - Spam C2s ####
```

69.43.168.232:443
185.187.198.4:8080
46.228.205.245:4143

```
#### Epoch 2 - Stealer C2s ####
```

46.105.131.69:443
176.31.200.130:8080
104.131.58.132:8080

```
#### Current Epoch 2 RSA Public Key ####
```

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2
PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C
AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB


```
#### Epoch 3 C2s ####
```


```
#### Epoch 3 - Spam C2s ####
```

41.185.29.128:8080
94.177.253.126:80

```
#### Epoch 3 - Stealer C2s ####
```

178.32.255.133:443
198.46.150.196:7080

```
#### Current Epoch 3 RSA Public Key ####
```

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP
4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc
iJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB


```
#### Credits and Notes Section ####
```

WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch
because they rock and report everything to ISPs as it is confirmed to be malware. Additionally,
this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen

NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

```
#### What is Epoch 1, Epoch 2 and Epoch 3? ####
```

(09/17/19)
With the find of Epoch 3 today that split from Epoch 1, this section will be rewritten to reflect these changes in time.

```
#### Community Lists ####
```

https://pastebin.com/arKqrRyh - @executemalware
https://pastebin.com/326t7QiV - @Paladin3161
https://pastebin.com/3Lp9pfpb - @SecSome
https://pastebin.com/3FPvZ9f4 - @HerbieZimmerman
https://twitter.com/malware_traffic/status/1174423386245738496?s=20 - @malware_traffic

(sorry if we miss anybody, make sure to send it to @cryptolaemus1 in your tweet and we will try to include it!)

```
#### Credits ####
```
Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:

Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161

C2 info/RSA Keys - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @VK_Intel, @Paladin3161

Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @p5yb34m, @malware_traffic, @Paladin3161

Spam Templates - @devnullnoop

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
@urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal for providing services/software no charge to this cause!

```
### Daily Log 09/18/19 ###
```

@JRoosen here with a bunch of data that @ps66uk put together and I added to and built on. I am still having a lot of fires at
dayjob unrelated to Emotet but doing my best with the rest of the team to get you the latest IOCs and details.

```

#### General News ####
```

As many people reported, we have a new template which @ps66uk has dubbed "Protected View".

We also saw a short run of my favorite Light Blue Offset junk template this morning on E1.

```
#### Drops Report ####
```

We saw today Dreambot being dropped on E1 alongside Trickbot. Most of the drops from Emotet of late have been Trickbot
and the gtags MOR* on all botnets. Today we saw MOR3. There was also talk of GBA* gtag Trickbot being dropped but did not see any
personally.

```

#### Email Template Report ####

```
I am still not getting anything that is Emotet related but I am hearing more and more instances of reply chain based spam. It seems
like all of the exfiltration of email after C2 woke up is being used also. We have heard of and seen dates from late Aug to Early
September being used as the message being replied to.

All emails today seemed to be attachment only based and the attachments were docx with embedded JSEs or DOCx(docm) or even RTF yesterday
and today!

@ps66uk noted some of the new phrasing of the reply text in the reply chain emails.
https://twitter.com/ps66uk/status/1174430064169115650?s=20

Here are his full notes on this:

Text added to reply-chain emails:
----
I am getting very frustrated that after multiple phone calls nobody seems to be able to resolve this issue. Further to our conversation I have forwarded the email. Kindly assist, please. Thanks :)
----
Please find attached your most recent documents.
----
Please open the attached document.
----
Please process attached doc. If you require anything further, please do not hesitate to contact our office.
----
Payroll reports are attached to this e-mail.
----
Please see/review attached.
----
Hello, please find attached remittance advice for our recent payment to you
----
I know we chatted recently about this – but I can’t recall if we discussed this moment.
----

Malspam was being sent out in DE, ES and FR quite heavily this morning in addition to the normal EN. One thing that seems
clear after the break is that the emotet team is taking a more multilingual approach this time. Each day this week we have seen
languages we normally do not see this often.

```

#### Link Regex Report ####

```

Waiting for more the next few days IF they come back.

```

#### Payloads Report ####

```

@lazyactivist192 saw a new larger loader (400KB+) today released on all 3 botnets. He saw very strong similarities between this
new loader and Trickbot's loader. I highly doubt this is a coincidence. It seems like the Emotet guys have been trying to find a
better loader for some time. This was being released on C2 and distro at the same time.

We observed today that E3 seemed to only have 2 quintets of payloads. I am not sure if that was just Ivan running out of
time or if this was something else going on. It seemed like there was more loader updates but a lack of distro happening for some
reason.

Seems like C2 loader updates and distro loader updates are starting to sync up again. I don't remember seeing them with the same
hashes for quite a long time. They had been following different hash busting patterns and also different loader types for a while
as noted by @lazyactivist192 before the break and up to the current time.

It seems like distro and C2 on E1 and E2 stopped hash busting or attempting to give new loaders after about 12:00 UTC. At first
E3 did the same but then did a limited run of the older loader hash busting until about 16:00 UTC. Then we saw all 3 do a large
Trickbot like loader around 20:00 UTC +/- 2 hours.

```

#### C2 Report ####

```
Combos(IP/port) on E1 and E2 are about double to 2.5x what we see on E3. I am not sure why this is or what the purpose of E3
is as of yet. So far no signs of E4 but would not be surprised if it appeared.

60 combos on E1
68 combos on E2
27 combos on E3

```

#### Closing ####

```

Some of the other guys will be handling these reports since I am headed on vacation soon for a few weeks on Friday. I almost want
to stay behind and work on this but not really :P The Cryptolaemus team will continue to do their best to give you the latest
news and IoCs regarding Emotet and Ivan. It should be noted that these people in the team are all 100% volunteer and go out of
their way to provide this info beyond their dayjob. We appreciate all the thank you messages that we get and the stories we hear of
how this has helped you. It is an honor to be a part of this effort!

TT

```
#### Sandbox 09/18/19 ####

```

E1
https://capesandbox.com/submit/status/103/


E2
https://capesandbox.com/submit/status/106/


E3
https://capesandbox.com/submit/status/105/

```