jroosen

Emotet Malware IoCs 2019/10/15

Oct 16th, 2019
## Emotet Malware Document links/IOCs for 10/15/19 as of 10/16/19 01:00 EDT ##
*Notes and Credits at the bottom.* Follow us on Twitter @cryptolaemus1 for more updates.

### Document Downloader Links ###

#### Epoch 1 Document/Downloader links ####
#### Epoch 2 Document/Downloader links ####
#### Epoch 3 Document/Downloader links ####
```
<none>
```

### Payloads per Epoch by Document ###

#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2019-10-15 20:27:00 (Attachment Only - Doc based - Office 365 Light Blue)
Creation Time 2019-10-15 18:46:00 (Link Based - Doc based - Protected View)
Creation Time 2019-10-15 14:29:00 (Link Based - Doc based - Activation Wizard)
Creation Time 2019-10-15 10:59:00 (Attachment Only - Doc based - Protected View)
Creation Time 2019-10-15 06:30:00 (Attachment Only - Doc based - Office 365 Light Blue)
Creation Time 2019-10-14 22:32:00 (Attachment Only - Doc based - Office 365 Light Blue)
```
#### SHA256s for Epoch 1 Payload EXEs ####
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2019-10-15 23:01:00 (Attachment Only - Doc based - Activation Wizard)
Creation Time 2019-10-15 20:22:00 (Attachment Only - Doc based - Activation Wizard)
Creation Time 2019-10-15 14:24:00 (Attachment Only - Doc based - Activation Wizard)
Creation Time 2019-10-15 12:30:00 (Link Based - Doc based - Activation Wizard)
Creation Time 2019-10-15 06:37:00 (Link Based - Doc based - Activation Wizard)
```
#### SHA256s for Epoch 2 Payload EXEs ####
#### Epoch 3 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2019-10-15 20:31:00 (Attachment Only - Doc based - Office 365 Light Blue)
Creation Time 2019-10-15 18:41:00 (Attachment Only - Doc based - Activation Wizard)
Creation Time 2019-10-15 12:56:00 (Attachment Only - Doc based - Activation Wizard)
Creation Time 2019-10-15 06:14:00 (Attachment Only - Doc based - Activation Wizard)
```
  548. #### SHA256s for Epoch 3 Payload EXEs ####
  549. ```
  550. 1d87e313dc2ac37a7f618221614cd21616bf368cc450bdec07fc00f5ba99af75
  551. 95ece329880c6772146256a7efc273bfa7b8228b37fcb542668a58e344f7780c
  552. 5d4f975ecd81b7b7b137248174b40ed935db6a9aab30279e38dddae4a5ab7a8a
  553. 78ff30dad5b8e1f4ed05f2af139805673bf567b92c8ff17de0f3212394c7f0c8
  554. bfdc3d72a69f8b5d91dcd726788840e6aa5d3c748f71ef0cd047de44f85e2798
  555. 4bbfadcc074943af243cae7a9425575614e27b446b323f1db450c37b6c74652f
  556. 1ad0035a970f4babc4060839210c385bab09fac65651c8d15e1284b95feb7f35
  557.  
  558. ```
  559. ### C2's Per Epoch ###
  560.  
  561. #### Epoch 1 C2s ####
  562. ```
  563. 104.131.58.132:8080
  564. 109.104.79.48:8080
  565. 109.169.86.13:8080
  566. 110.36.234.146:80
  567. 114.79.134.129:443
  568. 119.159.150.176:443
  569. 119.59.124.163:8080
  570. 119.92.51.40:8080
  571. 123.168.4.66:22
  572. 125.99.61.162:7080
  573. 138.68.106.4:7080
  574. 139.5.237.27:443
  575. 14.160.93.230:80
  576. 142.93.82.57:8080
  577. 149.62.173.247:8080
  578. 151.80.142.33:80
  579. 159.203.204.126:8080
  580. 170.84.133.72:7080
  581. 170.84.133.72:8443
  582. 178.249.187.151:8080
  583. 178.79.163.131:8080
  584. 181.143.101.18:8080
  585. 181.188.149.134:80
  586. 181.29.101.13:8080
  587. 181.36.42.205:443
  588. 181.44.166.242:80
  589. 181.59.253.20:21
  590. 183.82.97.25:80
  591. 184.69.214.94:20
  592. 185.187.198.10:8080
  593. 185.86.148.222:8080
  594. 186.0.95.172:80
  595. 186.1.41.111:443
  596. 187.188.166.192:80
  597. 189.160.49.234:8443
  598. 189.166.68.89:443
  599. 190.1.37.125:443
  600. 190.10.194.42:8080
  601. 190.104.253.234:990
  602. 190.221.50.210:8080
  603. 190.230.60.129:80
  604. 190.230.60.129:8080
  605. 190.38.14.52:80
  606. 190.85.152.186:8080
  607. 190.97.30.167:990
  608. 200.51.94.251:143
  609. 200.57.102.71:8443
  610. 200.58.171.51:80
  611. 201.163.74.202:443
  612. 201.199.93.30:443
  613. 203.25.159.3:8080
  614. 212.71.237.140:8080
  615. 217.199.160.224:8080
  616. 46.101.212.195:8080
  617. 46.163.144.228:80
  618. 46.28.111.142:7080
  619. 46.29.183.211:8080
  620. 46.41.151.103:8080
  621. 5.1.86.195:8080
  622. 5.196.35.138:7080
  623. 50.28.51.143:8080
  624. 51.15.8.192:8080
  625. 62.75.143.100:7080
  626. 62.75.160.178:8080
  627. 68.183.170.114:8080
  628. 68.183.190.199:8080
  629. 71.244.60.230:7080
  630. 71.244.60.231:7080
  631. 74.208.68.48:8080
  632. 76.69.29.42:80
  633. 77.245.101.134:8080
  634. 77.55.211.77:8080
  635. 79.129.0.173:8080
  636. 79.143.182.254:8080
  637. 80.85.87.122:8080
  638. 81.169.140.14:443
  639. 82.196.15.205:8080
  640. 86.42.166.147:80
  641. 87.106.77.40:7080
  642. 88.250.223.190:8080
  643. 89.188.124.145:443
  644. 91.205.215.57:7080
  645. 91.83.93.124:7080
  646. 94.183.71.206:7080
  647. ```
  648. #### Epoch 1 - Spam C2s ####
  649. ```
  650. 37.187.5.82:8080
  651. 45.55.82.2:8080
  652. 185.94.252.27:8080
  653. ```
  654. #### Epoch 1 - Stealer C2s ####
  655. ```
  656. 190.115.18.139:8080
  657. 75.127.72.18:8080
  658. 173.214.174.107:443
  659. ```
  660. #### Current Epoch 1 RSA Public Key ####
  661. ```
  662. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
  663. KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
  664. h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB
  665. ```
  666. #### Epoch 2 C2s ####
  667. ```
  668. 101.187.237.217:20
  669. 104.131.11.150:8080
  670. 104.131.44.150:8080
  671. 104.236.246.93:8080
  672. 115.78.95.230:443
  673. 124.240.198.66:80
  674. 133.167.80.63:7080
  675. 136.243.177.26:8080
  676. 138.201.140.110:8080
  677. 144.139.247.220:80
  678. 149.202.153.252:8080
  679. 152.89.236.214:8080
  680. 159.65.25.128:8080
  681. 162.241.208.52:8080
  682. 167.71.10.37:8080
  683. 169.239.182.217:8080
  684. 173.212.203.26:8080
  685. 178.79.161.166:443
  686. 181.143.194.138:443
  687. 181.143.53.227:21
  688. 181.31.213.158:8080
  689. 182.176.106.43:995
  690. 182.176.132.213:8090
  691. 182.76.6.2:8080
  692. 185.187.198.15:80
  693. 185.94.252.13:443
  694. 186.4.172.5:443
  695. 186.4.172.5:8080
  696. 186.75.241.230:80
  697. 189.209.217.49:80
  698. 190.106.97.230:443
  699. 190.108.228.48:990
  700. 190.145.67.134:8090
  701. 190.211.207.11:443
  702. 190.226.44.20:21
  703. 190.228.72.244:53
  704. 190.53.135.159:21
  705. 192.81.213.192:8080
  706. 198.199.114.69:8080
  707. 199.255.156.210:8080
  708. 200.113.106.18:465
  709. 200.51.94.251:80
  710. 200.71.148.138:8080
  711. 201.184.105.242:443
  712. 201.251.43.69:8080
  713. 206.189.98.125:8080
  714. 211.63.71.72:8080
  715. 212.71.234.16:8080
  716. 217.160.182.191:8080
  717. 222.214.218.192:8080
  718. 24.45.195.162:7080
  719. 24.45.195.162:8443
  720. 27.147.163.188:8080
  721. 27.4.80.183:443
  722. 31.12.67.62:7080
  723. 31.172.240.91:8080
  724. 37.157.194.134:443
  725. 41.220.119.246:80
  726. 45.33.49.124:443
  727. 46.105.131.87:80
  728. 47.41.213.2:22
  729. 5.196.74.210:8080
  730. 59.103.164.174:80
  731. 62.75.187.192:8080
  732. 67.225.229.55:8080
  733. 69.164.201.54:8080
  734. 78.24.219.147:8080
  735. 80.11.163.139:21
  736. 80.11.163.139:443
  737. 85.104.59.244:20
  738. 85.54.169.141:8080
  739. 86.98.25.30:53
  740. 87.106.136.232:8080
  741. 87.106.139.101:8080
  742. 87.230.19.21:8080
  743. 91.205.215.66:8080
  744. 92.222.216.44:8080
  745. 92.233.128.13:143
  746. 94.192.225.46:80
  747. 94.205.247.10:80
  748. 95.128.43.213:8080
  749. ```
  750. #### Epoch 2 - Spam C2s ####
  751. ```
  752. 23.253.207.142:8080
  753. 185.187.198.4:8080
  754. 46.228.205.245:4143
  755. ```
  756. #### Epoch 2 - Stealer C2s ####
  757. ```
  758. 173.214.174.107:443
  759. 104.131.58.132:8080
  760. 176.31.200.130:8080
  761. 46.105.131.69:443
  762. 185.42.221.78:443
  763. 198.58.112.7:443
  764. 46.29.183.210:8080
  765. 209.141.41.136:8080
  766. ```
  767. #### Current Epoch 2 RSA Public Key ####
  768. ```
  769. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2
  770. PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C
  771. AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB
  772. ```
  773. #### Epoch 3 C2s ####
  774. ```
  775. 113.52.135.33:7080
  776. 138.197.140.163:8080
  777. 143.95.101.72:8080
  778. 144.76.62.10:8080
  779. 154.120.227.206:8080
  780. 157.7.164.178:8081
  781. 176.58.93.123:80
  782. 178.249.187.150:7080
  783. 181.113.229.139:990
  784. 181.47.235.26:993
  785. 186.10.16.244:53
  786. 190.117.206.153:443
  787. 190.13.146.47:443
  788. 192.241.220.183:8080
  789. 200.55.168.82:20
  790. 201.196.15.79:990
  791. 203.99.182.135:443
  792. 203.99.187.137:443
  793. 203.99.188.203:990
  794. 212.112.113.235:80
  795. 213.138.100.98:8080
  796. 216.70.88.55:8080
  797. 216.75.37.196:8080
  798. 5.189.148.98:8080
  799. 51.38.134.203:8080
  800. 70.32.94.58:8080
  801. 83.169.33.157:8080
  802. 91.109.5.28:8080
  803. 94.177.253.126:80
  804. 95.216.207.86:7080
  805.  
  806. ```
  807. #### Epoch 3 - Spam C2s ####
  808. ```
  809. 192.241.241.221:443
  810. 185.187.198.5:8080
  811. 41.185.29.128:8080
  812. ```
  813. #### Epoch 3 - Stealer C2s ####
  814. ```
  815. 178.32.255.133:443
  816. 198.46.150.196:7080
  817. ```
  818. #### Current Epoch 3 RSA Public Key ####
  819. ```
  820. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP
  821. 4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc
  822. iJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB
  823. ```
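The three "Current Epoch N RSA Public Key" blobs above are Base64-encoded DER SubjectPublicKeyInfo structures. As an added worked example (not part of the paste and not Cryptolaemus tooling), the Python below decodes them with a minimal standard-library DER reader so an analyst can confirm the modulus size and public exponent and derive a stable fingerprint for pivoting. Only the three Base64 keys are taken from the page; the reader, the function names and the SHA-256-over-DER fingerprint convention are this example's own choices.

```python
"""Added example: parse the Epoch 1/2/3 RSA public keys with a minimal DER reader.

Not part of the original paste. The Base64 blobs are the keys printed above;
der_tlv/parse_rsa_spki and the SHA-256 fingerprint are this example's own.
"""
import base64
import hashlib

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

EPOCH_KEYS = {
    "E1": ("MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB"
           "KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0"
           "h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB"),
    "E2": ("MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2"
           "PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C"
           "AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB"),
    "E3": ("MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP"
           "4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc"
           "iJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB"),
}


def der_tlv(buf, pos=0):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, end_offset)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(b64):
    """Decode a Base64 SubjectPublicKeyInfo; return modulus, exponent, size and fingerprint."""
    der = base64.b64decode(b64)
    tag, spki, _ = der_tlv(der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    alg_tag, alg, pos = der_tlv(spki)                 # AlgorithmIdentifier
    oid_tag, oid, _ = der_tlv(alg)
    if alg_tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    bs_tag, bitstr, _ = der_tlv(spki, pos)            # BIT STRING wrapping RSAPublicKey
    if bs_tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected BIT STRING")
    _, rsa, _ = der_tlv(bitstr, 1)                    # RSAPublicKey SEQUENCE { n, e }
    n_tag, n_bytes, pos = der_tlv(rsa)
    e_tag, e_bytes, _ = der_tlv(rsa, pos)
    if n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("modulus and exponent must be INTEGERs")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {
        "n": n,
        "e": e,
        "bits": n.bit_length(),
        # SHA-256 over the DER SPKI: a stable handle for pivoting on this key
        "spki_sha256": hashlib.sha256(der).hexdigest(),
    }


def summarize_epoch_keys(keys=EPOCH_KEYS):
    """Return {epoch: parsed key info} for every epoch in the table."""
    return {epoch: parse_rsa_spki(b64) for epoch, b64 in keys.items()}


if __name__ == "__main__":
    for epoch, info in summarize_epoch_keys().items():
        print(f"{epoch}: RSA-{info['bits']} e={info['e']} spki_sha256={info['spki_sha256'][:16]}...")
```

All three parse as 768-bit RSA keys with e = 65537. Since each epoch carries its own key, hashing the SPKI recovered from a loader sample is a quick way to tell which epoch it belongs to and whether the key has rotated since this post.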
  824. #### Credits and Notes Section ####
  825. ```
  826.  
  827. WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch
  828. because they rock and report everything to ISPs as it is confirmed to be malware. Additionally,
  829. this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
  830. https://pastebin.com/u/jroosen
  831.  
  832. NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
  833. I am providing them for your benefit in case you want to parse them to be sure.
  834.  
  835. ```
  836. #### What is Epoch 1, Epoch 2 and Epoch 3? ####
  837. ```
  838.  
  839. (09/17/19)
  840. With the discovery of Epoch 3, which split from Epoch 1, this section will be rewritten in time to reflect the change.
  841.  
  842. ```
  843. #### Community Lists/Samples ####
  844. ```
  845.  
  846. https://twitter.com/Paladin3161/status/1184089483395756033
  847. https://pastebin.com/WTWUJBZD
  848.  
  849. https://twitter.com/Paladin3161/status/1184089200410296322
  850. https://pastebin.com/pXwf1fen
  851.  
  852. https://twitter.com/Paladin3161/status/1184306042181545984
  853. https://pastebin.com/0NJ2kRXi
  854.  
  855. https://twitter.com/Paladin3161/status/1184306254396583936
  856. https://pastebin.com/56RnJ7w4
  857.  
  858. jp host
  859. https://twitter.com/tiketiketikeke/status/1184070345671577600
  860.  
  861. https://pastebin.com/K7wcB4rt - @executemalware
  862.  
  863. (sorry if we miss anybody, make sure to send it to @cryptolaemus1 in your tweet and we will try to include it!)
  864. ```
  865. #### Credits ####
  866. ```
  867. Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:
  868.  
  869. Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161
  870.  
  871. C2 info/RSA Keys - @CapeSandbox, @devnullnoop, @MalwareTechBlog, @lazyactivist192, @VK_Intel, @Paladin3161
  872.  
  873. Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @TheHack3r4chan, @p5yb34m, @malware_traffic, @Paladin3161, @ps66uk, Anonymous :)
  874.  
  875. Spam Templates - @devnullnoop, @lazyactivist192
  876.  
  877. Special thanks to @lazyactivist192, @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
  878. helping out with this!
  879.  
  880. Very special thanks to @Binary_Defense, @lazyactivist192, @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project
  881. https://github.com/decalage2/ViperMonkey, @digitalocean, @mploessel, @anyrun_app, @unixronin, @hurricanelabs, @MalwareTechBlog, @KryptosLogic,
  882. @0xtadavie, @MsftSecIntel, @abuse_ch/urlhaus.abuse.ch, @urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal for providing services/software
  883. at no charge to this cause!
  884.  
  885. ```
  886. ### Daily Log 10/15/19 ###
  887. ```
  888.  
  889. @jroosen here, @ps66uk and I worked on compiling this list from all of the group members today. :)
  890. Another day and another pile of Emotet docs. I can tell you the last two days I have seen spam numbers I have not seen in months. I hit about
  891. 50 generic malspams yesterday after hours and about 25 or so today. Most of them have been of the annoying generic attachment variety.
  892. Once again, if it has an Office macro, into the trash it goes. I don't understand how this type of attack is so prolific.
  893. Regardless, the botnets are gaining strength and bot counts now. I am sure we are going to see more and more links.
  894.  
  895. ```
  896. #### General News ####
  897. ```
  898.  
  899. Today E1 brought back the Amazon template from last year. We tweeted about that earlier here:
  900.  
  901. https://twitter.com/Cryptolaemus1/status/1184192833303044100
  902.  
  903. ```
  904. #### Drops Report ####
  905. ```
  906.  
  907. We saw a Gozi V3 variant being dropped this morning that was not using the Tor module. We also saw more Trickbot drops and of course
  908. gtag: mor22 now. How about gtag: les00 sometime? :)
  909. Per usual, @D00RT_RM was tweeting about drops:
  910. https://twitter.com/D00RT_RM/status/1184227358011809792
  911. Also, Brad (@malware_traffic) was showing the activity of the latest Trickbot gtag: mor22 with a new settings.ini renamed to TRRBlacklist.txt:
  912. https://twitter.com/malware_traffic/status/1184149648673402880
  913.  
  914. ```
  915. #### Email Template Report ####
  916. ```
  917.  
  918. We are noticing a lot of docs lately across all epochs at all times of the day. It seems the normal shutdown after 01:00-02:00 UTC is
  919. no longer happening and the botnets are continuing to spam throughout the night, particularly targeting JP, KR and HK but also the
  920. favorite punching bags of late, which include DE, PL and ES. Templates are being sent in the native language of the target.
  921. That means that in one hour of spam we saw JP, KR, DE, PL and ES all being sent at once. Strangely, we also saw RU being targeted
  922. in native Russian, which seems to indicate that not even Putin scares Ivan and the Emotet gang.
  923.  
  924. E1 Creation Time 2019:10:14 22:32:00 (Attachment Only - Doc based - Office 365 Light Blue) www.offmaxindia.com
  925.  
  926. E1 Creation Time 2019:10:15 06:30:00 (Attachment Only - Doc based - Office 365 Light Blue) luaviettours.com
  927. E2 Creation Time 2019:10:15 06:37:00 (Link Based - Doc based - Activation Wizard) drapart.org
  928. E3 Creation Time 2019:10:15 06:14:00 (Attachment Only - Doc based - Activation Wizard) medienparadies.com
  929.  
  930. E1 Creation Time 2019:10:15 10:59:00 (Attachment Only - Doc based - Protected View) gpmandiri.com
  931. E2 Creation Time 2019:10:15 12:30:00 (Link Based - Doc based - Activation Wizard) mokhoafacebookvn.com
  932. E3 Creation Time 2019:10:15 12:56:00 (Attachment Only - Doc based - Activation Wizard) billboardstoday.com
  933.  
  934. E1 Creation Time 2019:10:15 14:29:00 (Link Based - Doc based - Activation Wizard) nazmulchowdhury.xyz
  935. E2 Creation Time 2019:10:15 14:24:00 (Attachment Only - Doc based - Activation Wizard) alicellimports.com.br
  936. E3
  937.  
  938. E1 Creation Time 2019:10:15 18:46:00 (Link Based - Doc based - Protected View) yourgpshelper.com
  939. E2
  940. E3 Creation Time 2019:10:15 18:41:00 (Attachment Only - Doc based - Activation Wizard) www.vatro.cl
  941.  
  942. E1 Creation Time 2019:10:15 20:27:00 (Attachment Only - Doc based - Office 365 Light Blue) kenoryn.com
  943. E2 Creation Time 2019:10:15 20:22:00 (Attachment Only - Doc based - Activation Wizard) outletsmm.com
  944. E3 Creation Time 2019:10:15 20:31:00 (Attachment Only - Doc based - Office 365 Light Blue) showlize.com
  945.  
  946. E1
  947. E2 Creation Time 2019:10:15 23:01:00 (Attachment Only - Doc based - Activation Wizard) avizhgan.org
  948. E3
  949.  
  950. As the table above shows, we are over the normal churn of 4 sets of 5 payload URLs (quintets) a day; some epochs are now at 5+ sets.
  951.  
  952. ```
  953. #### Link Regex Report ####
  954. ```
  955. (These are experimental, use at your own risk.)
  956.  
  957. E1 brought back the same regex from last year with the Amazon template. This regex handles it just fine:
  958. https?:\/\/.+?\/(AMAZON|Amazon)\/.+?\/([0-9\-_]{5,7})\/
  959. E2 is still doing links (and E1 has them back too, see the Email Template Report above), and the paths look like some of the old regex. Here is what works lately:
  960.  
  961. Revived/updated:
  962. https?:\/\/.+?\/(AMAZON|Amazon)\/.+?\/([0-9\-_]{5,7})\/
  963.  
  964. Unchanged older patterns still in use:
  965. https?:\/\/.+?\/(administrator|academy|alphabet|App_Data|assets|backup|beta|blogs|cache|cgi-bin|checkformats|cfm|consultation|core|css|DANE|Dane|demo|discuss_lib|direc|Document|DOC|Dok|DOK|esp|FILE|function.cheese|gallery|GoogleSpeech|hino|homepage|images|INC|Inf|INF|js|lib|LLC|lm|menusa|paclm|Pages|parts_service|phpmyadmin|Plik|popup_index|public|Scan|sites|sitemap|sox62c|SOUBORY|test|trademark|themes|tmp|uploads|wc-logs|webalizer|wordpress|WP2|wp-admin|wp-content|wp-Enfold|wp-includes)\/([A-Za-z0-9|]{7,36})\/(\"|\n)
  966. https?:\/\/.+?\/([0-9a-z\-_]{3,11})\/([A-Z0-9\/]{7,32})?([A-Za-z]{7,32})\/(\"|\n)
  967. https?:\/\/.+?\/([A-Za-z0-9]{8,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
  968. https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{4,30})\/
  969.  
  970. Also keep in mind, your filter needs to look inside PDF files to find the URI to test against the patterns above; otherwise this does not help.
  971. Note too that several of the older patterns end in (\"|\n), so they only fire when the URL is followed by a quote or a newline in the scanned text.
  972.  
  973. ```
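As an added example (not code from the report), the Python below applies four of the patterns above to candidate URLs and to URIs pulled out of raw PDF bytes, which is where the note says a filter has to look. The PDF fragment and the sample URLs are constructed for this example (example.invalid hosts, made-up path tokens); the regexes are copied from the report, except the long directory-name alternation, which is left out for length and plugs in the same way.

```python
"""Added example: run the Link Regex Report patterns over URLs and over URIs
extracted from raw PDF bytes.  Not part of the original paste; the PDF bytes
and sample URLs are constructed here, the regexes are copied from the report
(the very long directory-name alternation is omitted for length).
"""
import re
import zlib

# Patterns copied from the Link Regex Report.  Several end in (\"|\n): they were
# written to run over dumped text where each URL is followed by a quote or a
# newline, so classify_url() appends "\n" before matching.
LINK_PATTERNS = {
    "amazon-template": re.compile(r'https?:\/\/.+?\/(AMAZON|Amazon)\/.+?\/([0-9\-_]{5,7})\/'),
    "generic-dir":     re.compile(r'https?:\/\/.+?\/([0-9a-z\-_]{3,11})\/([A-Z0-9\/]{7,32})?([A-Za-z]{7,32})\/(\"|\n)'),
    "underscore-dash": re.compile(r'https?:\/\/.+?\/([A-Za-z0-9]{8,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/'),
    "doc-dir":         re.compile(r'https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{4,30})\/'),
}

# /URI (literal string) and /URI <hex string> forms, plus stream bodies.
URI_LITERAL_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.DOTALL)


def extract_pdf_uris(pdf):
    """Return /URI targets found in raw PDF bytes, including inside FlateDecode streams."""
    blobs = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            blobs.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue            # not Flate-compressed (or damaged): only the raw bytes get scanned
    uris = []
    for blob in blobs:
        for m in URI_LITERAL_RE.finditer(blob):
            unescaped = re.sub(rb"\\(.)", rb"\1", m.group(1))   # \( \) \\ -> ( ) \
            uris.append(unescaped.decode("latin-1"))
        for m in URI_HEX_RE.finditer(blob):
            hexstr = re.sub(rb"\s", b"", m.group(1)).decode("ascii")
            if len(hexstr) % 2:
                hexstr += "0"   # PDF pads an odd final hex digit with 0
            uris.append(bytes.fromhex(hexstr).decode("latin-1"))
    return uris


def classify_url(url):
    """Names of the patterns that match; an empty list means the filter would miss it."""
    text = url + "\n"           # satisfy the (\"|\n) terminators of the older patterns
    return [name for name, pat in LINK_PATTERNS.items() if pat.search(text)]


def build_sample_pdf():
    """Constructed PDF fragment: a plain /Link annotation plus a FlateDecode
    object stream, each carrying one URI shaped like the link styles in this report."""
    plain = (b"1 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI "
             b"(http://example.invalid/wp-admin/Amazon/En/Orders_details/2019-10/) >> >>\nendobj\n")
    inner = b"2 0 obj\n<< /S /URI /URI (http://example.invalid/wp-content/KqzTbWn/) >>\nendobj\n"
    packed = zlib.compress(inner)
    stream = (b"3 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n" % len(packed)
              + packed + b"\nendstream\nendobj\n")
    return b"%PDF-1.4\n" + plain + stream + b"%%EOF\n"


if __name__ == "__main__":
    for uri in extract_pdf_uris(build_sample_pdf()):
        print(uri, "->", classify_url(uri) or "no pattern")
```

The stream handling only covers FlateDecode; a link annotation sitting behind another filter (LZW, ASCIIHex, ASCII85) would need the equivalent decoder before the same regexes apply.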
  974. #### Payloads Report ####
  975. ```
  976.  
  977. Binary loader updates on the C2s across all botnets are still in sync with distribution and still quite infrequent. We are not seeing much over 6 hash
  978. busts a day per botnet.
  979.  
  980. @ps66uk notes we missed an E1 EXE hash: 1ad0035a970f4babc4060839210c385bab09fac65651c8d15e1284b95feb7f35
  981.  
  982. ```
  983. #### C2 Report ####
  984. ```
  985.  
  986. E1: 84 C2s
  987. E2: 81 C2s
  988. E3: 30 C2s
  989.  
  990. ```
  991.  
  992. #### Closing ####
  993.  
  994. ```
  995.  
  996. As predicted, the botnets are gathering strength and spamming more. Also, it isn't going to get better anytime soon with more doc templates
  997. and payload sites per day being pushed out. Ivan and the Emotet gang have even brought links back to E1. The Emotet malware factory shows
  998. no signs of slowing down, quite the opposite! This is not going to end well for anyone when the actors go to cash in on their installs
  999. by dropping various ransomware. Use these IOCs and check for C2 traffic; if you find anything, it is time to clean your network like you would
  1000. clean your house if someone had MRSA! As many in the community like to say, if you have Emotet on your network, chances are you already have
  1001. another infection!
  1002.  
  1003. TT
  1004.  
  1005. ```
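The closing asks readers to check for C2 traffic with these IOCs. As an added example (not part of the paste), the Python below parses C2 lists written in the paste's own layout, pastebin line numbers and all, into an ip:port table and runs constructed firewall log lines against it. The IOC excerpt is a small subset of the Epoch 1 and Epoch 2 lists above; the log format and the source/destination addresses in it are hypothetical.

```python
"""Added example: build a lookup table from per-epoch C2 lists in the paste's
layout and run constructed firewall log lines against it.  Not part of the
original paste; the IOC excerpt is a subset of the lists above, the log
format and addresses are hypothetical.
"""
import re
from collections import defaultdict

# Excerpt in the paste's layout, pastebin line numbers included, so the same
# parser can be pointed at the raw paste (fences and prose are ignored).
IOC_TEXT = """\
  561. #### Epoch 1 C2s ####
  563. 104.131.58.132:8080
  571. 123.168.4.66:22
  603. 190.230.60.129:80
  604. 190.230.60.129:8080
  654. #### Epoch 1 - Stealer C2s ####
  656. 190.115.18.139:8080
  666. #### Epoch 2 C2s ####
  703. 190.228.72.244:53
  756. #### Epoch 2 - Stealer C2s ####
  759. 104.131.58.132:8080
"""

# Constructed log lines (key=value style); the matcher only needs dst=ip:port.
LOG_LINES = [
    "2019-10-15T13:02:11Z src=10.20.4.17:51234 dst=190.230.60.129:8080 proto=tcp action=allow",
    "2019-10-15T13:02:40Z src=10.20.4.17:51240 dst=123.168.4.66:22 proto=tcp action=allow",
    "2019-10-15T13:03:05Z src=10.20.4.31:49811 dst=104.131.58.132:443 proto=tcp action=allow",
    "2019-10-15T13:03:09Z src=10.20.4.31:49812 dst=198.51.100.7:443 proto=tcp action=allow",
]

PASTEBIN_NUM_RE = re.compile(r"^\d+\.\s+")                  # "  561. " prefix
HEADER_RE = re.compile(r"^####\s*(.+?)\s*####$")
ENTRY_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")


def parse_c2_lists(text):
    """Return {(ip, port): set(section names)}; one entry can sit in several lists."""
    table = defaultdict(set)
    section = None
    for raw in text.splitlines():
        line = PASTEBIN_NUM_RE.sub("", raw.strip())
        header = HEADER_RE.match(line)
        if header:
            section = header.group(1)
            continue
        entry = ENTRY_RE.match(line)
        if entry and section:
            table[(entry.group(1), int(entry.group(2)))].add(section)
    return dict(table)


def scan_logs(table, log_lines):
    """Return [(line, verdict, detail)] for lines whose destination is a known C2.

    An exact ip:port hit is high confidence.  An IP-only hit is reported in a
    separate bucket: many Emotet C2s are compromised hosts that also carry
    legitimate traffic on other ports, so the port is part of the indicator.
    """
    ports_by_ip = defaultdict(set)
    for (ip, port) in table:
        ports_by_ip[ip].add(port)
    findings = []
    for line in log_lines:
        m = DST_RE.search(line)
        if not m:
            continue
        ip, port = m.group(1), int(m.group(2))
        if (ip, port) in table:
            findings.append((line, "c2-exact", sorted(table[(ip, port)])))
        elif ip in ports_by_ip:
            findings.append((line, "c2-ip-only", sorted(ports_by_ip[ip])))
    return findings


if __name__ == "__main__":
    for line, verdict, detail in scan_logs(parse_c2_lists(IOC_TEXT), LOG_LINES):
        print(verdict, detail, "<-", line)
```

Exact ip:port hits are the actionable ones; IP-only hits stay in a lower-confidence bucket. The odd ports in the lists (20, 21, 22, 53, 143, 990) are worth keeping in mind as well: a connection to 123.168.4.66:22 that does not look like SSH is itself a reason to pull the host for a look.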
  1006. #### Sandbox 10/15/19 ####
  1007.  
  1008. ```
  1009.  
  1010. E1
  1011. https://capesandbox.com/analysis/3039/
  1012.  
  1013.  
  1014. E2
  1015. https://capesandbox.com/analysis/3040/
  1016.  
  1017.  
  1018. E3
  1019. https://capesandbox.com/analysis/3041/
  1020.  
  1021. ```