## Emotet Malware Document links/IOCs for 10/15/19 as of 10/16/19 01:00 EDT ##
*Notes and Credits at the bottom.* Follow us on Twitter @cryptolaemus1 for more updates.
### Document Downloader Links ###
#### Epoch 1 Document/Downloader links ####
#### Epoch 2 Document/Downloader links ####
#### Epoch 3 Document/Downloader links ####
```
<none>
```
### Payloads per Epoch by Document ###
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2019-10-15 20:27:00 (Attachment Only - Doc based - Office 365 Light Blue)
Creation Time 2019-10-15 18:46:00 (Link Based - Doc based - Protected View)
Creation Time 2019-10-15 14:29:00 (Link Based - Doc based - Activation Wizard)
Creation Time 2019-10-15 10:59:00 (Attachment Only - Doc based - Protected View)
Creation Time 2019-10-15 06:30:00 (Attachment Only - Doc based - Office 365 Light Blue)
Creation Time 2019-10-14 22:32:00 (Attachment Only - Doc based - Office 365 Light Blue)
```
#### SHA256s for Epoch 1 Payload EXEs ####
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2019-10-15 23:01:00 (Attachment Only - Doc based - Activation Wizard)
Creation Time 2019-10-15 20:22:00 (Attachment Only - Doc based - Activation Wizard)
Creation Time 2019-10-15 14:24:00 (Attachment Only - Doc based - Activation Wizard)
Creation Time 2019-10-15 12:30:00 (Link Based - Doc based - Activation Wizard)
Creation Time 2019-10-15 06:37:00 (Link Based - Doc based - Activation Wizard)
```
#### SHA256s for Epoch 2 Payload EXEs ####
#### Epoch 3 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2019-10-15 20:31:00 (Attachment Only - Doc based - Office 365 Light Blue)
Creation Time 2019-10-15 18:41:00 (Attachment Only - Doc based - Activation Wizard)
Creation Time 2019-10-15 12:56:00 (Attachment Only - Doc based - Activation Wizard)
Creation Time 2019-10-15 06:14:00 (Attachment Only - Doc based - Activation Wizard)
```
#### SHA256s for Epoch 3 Payload EXEs ####
### C2s Per Epoch ###
#### Epoch 1 C2s ####
- #### Epoch 1 - Spam C2s ####
- ```
- 37.187.5.82:8080
- 45.55.82.2:8080
- 185.94.252.27:8080
- ```
- #### Epoch 1 - Stealer C2s ####
- ```
- 190.115.18.139:8080
- 75.127.72.18:8080
- 173.214.174.107:443
- ```
- #### Current Epoch 1 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
- KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
- h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB
- ```
- #### Epoch 2 C2s ####
- ```
- 101.187.237.217:20
- 104.131.11.150:8080
- 104.131.44.150:8080
- 104.236.246.93:8080
- 115.78.95.230:443
- 124.240.198.66:80
- 133.167.80.63:7080
- 136.243.177.26:8080
- 138.201.140.110:8080
- 144.139.247.220:80
- 149.202.153.252:8080
- 152.89.236.214:8080
- 159.65.25.128:8080
- 162.241.208.52:8080
- 167.71.10.37:8080
- 169.239.182.217:8080
- 173.212.203.26:8080
- 178.79.161.166:443
- 181.143.194.138:443
- 181.143.53.227:21
- 181.31.213.158:8080
- 182.176.106.43:995
- 182.176.132.213:8090
- 182.76.6.2:8080
- 185.187.198.15:80
- 185.94.252.13:443
- 186.4.172.5:443
- 186.4.172.5:8080
- 186.75.241.230:80
- 189.209.217.49:80
- 190.106.97.230:443
- 190.108.228.48:990
- 190.145.67.134:8090
- 190.211.207.11:443
- 190.226.44.20:21
- 190.228.72.244:53
- 190.53.135.159:21
- 192.81.213.192:8080
- 198.199.114.69:8080
- 199.255.156.210:8080
- 200.113.106.18:465
- 200.51.94.251:80
- 200.71.148.138:8080
- 201.184.105.242:443
- 201.251.43.69:8080
- 206.189.98.125:8080
- 211.63.71.72:8080
- 212.71.234.16:8080
- 217.160.182.191:8080
- 222.214.218.192:8080
- 24.45.195.162:7080
- 24.45.195.162:8443
- 27.147.163.188:8080
- 27.4.80.183:443
- 31.12.67.62:7080
- 31.172.240.91:8080
- 37.157.194.134:443
- 41.220.119.246:80
- 45.33.49.124:443
- 46.105.131.87:80
- 47.41.213.2:22
- 5.196.74.210:8080
- 59.103.164.174:80
- 62.75.187.192:8080
- 67.225.229.55:8080
- 69.164.201.54:8080
- 78.24.219.147:8080
- 80.11.163.139:21
- 80.11.163.139:443
- 85.104.59.244:20
- 85.54.169.141:8080
- 86.98.25.30:53
- 87.106.136.232:8080
- 87.106.139.101:8080
- 87.230.19.21:8080
- 91.205.215.66:8080
- 92.222.216.44:8080
- 92.233.128.13:143
- 94.192.225.46:80
- 94.205.247.10:80
- 95.128.43.213:8080
- ```
- #### Epoch 2 - Spam C2s ####
- ```
- 23.253.207.142:8080
- 185.187.198.4:8080
- 46.228.205.245:4143
- ```
- #### Epoch 2 - Stealer C2s ####
- ```
- 173.214.174.107:443
- 104.131.58.132:8080
- 176.31.200.130:8080
- 46.105.131.69:443
- 185.42.221.78:443
- 198.58.112.7:443
- 46.29.183.210:8080
- 209.141.41.136:8080
- ```
- #### Current Epoch 2 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2
- PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C
- AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB
- ```
- #### Epoch 3 C2s ####
- ```
- 113.52.135.33:7080
- 138.197.140.163:8080
- 143.95.101.72:8080
- 144.76.62.10:8080
- 154.120.227.206:8080
- 157.7.164.178:8081
- 176.58.93.123:80
- 178.249.187.150:7080
- 181.113.229.139:990
- 181.47.235.26:993
- 186.10.16.244:53
- 190.117.206.153:443
- 190.13.146.47:443
- 192.241.220.183:8080
- 200.55.168.82:20
- 201.196.15.79:990
- 203.99.182.135:443
- 203.99.187.137:443
- 203.99.188.203:990
- 212.112.113.235:80
- 213.138.100.98:8080
- 216.70.88.55:8080
- 216.75.37.196:8080
- 5.189.148.98:8080
- 51.38.134.203:8080
- 70.32.94.58:8080
- 83.169.33.157:8080
- 91.109.5.28:8080
- 94.177.253.126:80
- 95.216.207.86:7080
- ```
- #### Epoch 3 - Spam C2s ####
- ```
- 192.241.241.221:443
- 185.187.198.5:8080
- 41.185.29.128:8080
- ```
- #### Epoch 3 - Stealer C2s ####
- ```
- 178.32.255.133:443
- 198.46.150.196:7080
- ```
- #### Current Epoch 3 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP
- 4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc
- iJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB
- ```
- #### Credits and Notes Section ####
- ```
- WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch
- because they rock and report everything to ISPs as it is confirmed to be malware. Additionally,
- this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
- https://pastebin.com/u/jroosen
- NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
- I am providing them for your benefit in case you want to parse them to be sure.
- ```
- #### What is Epoch 1, Epoch 2 and Epoch 3? ####
- ```
- (09/17/19)
- With the find of Epoch 3 that split from Epoch 1, this section will be rewritten to reflect these changes in time.
- ```
- #### Community Lists/Samples ####
- ```
- https://twitter.com/Paladin3161/status/1184089483395756033
- https://pastebin.com/WTWUJBZD
- https://twitter.com/Paladin3161/status/1184089200410296322
- https://pastebin.com/pXwf1fen
- https://twitter.com/Paladin3161/status/1184306042181545984
- https://pastebin.com/0NJ2kRXi
- https://twitter.com/Paladin3161/status/1184306254396583936
- https://pastebin.com/56RnJ7w4
- jp host
- https://twitter.com/tiketiketikeke/status/1184070345671577600
- https://pastebin.com/K7wcB4rt - @executemalware
- (sorry if we miss anybody, make sure to send it to @cryptolaemus1 in your tweet and we will try to include it!)
- ```
- #### Credits ####
- ```
- Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:
- Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161
- C2 info/RSA Keys - @CapeSandbox, @devnullnoop, @MalwareTechBlog, @lazyactivist192, @VK_Intel, @Paladin3161
- Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @TheHack3r4chan, @p5yb34m, @malware_traffic, @Paladin3161, @ps66uk, Anonymous :)
- Spam Templates - @devnullnoop, @lazyactivist192
- Special thanks to @lazyactivist192, @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
- helping out with this!
- Very special thanks to @Binary_Defense, @lazyactivist192, @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project
- https://github.com/decalage2/ViperMonkey, @digitalocean, @mploessel, @anyrun_app, @unixronin, @hurricanelabs, @MalwareTechBlog, @KryptosLogic,
- @0xtadavie, @MsftSecIntel, @abuse_ch/urlhaus.abuse.ch, @urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal for providing services/software
- at no charge to this cause!
- ```
- ### Daily Log 10/15/19 ###
- ```
- @jroosen here, @ps66uk and I worked on compiling this list from all of group members today. :)
- Another day and another pile of Emotet docs. I can tell you the last two days I have seen spam numbers I have not seen in months. I hit about
- 50 generic malspams yesterday after hours and about 25 or so today. All of them have been of the annoying generic attachment variety for the
- most part. Once again, if it has an Office macro, into the trash it goes. I don't understand how this type of attack is so prolific.
- Nevertheless, the botnets are gaining strength and bot counts now. I am sure we are going to see more and more links.
- ```
- #### General News ####
- ```
- Today E1 brought back the Amazon template from last year. We tweeted about that earlier here:
- https://twitter.com/Cryptolaemus1/status/1184192833303044100
- ```
- #### Drops Report ####
- ```
- We saw a Gozi V3 variant being dropped this morning that was not using the Tor module. We also saw more Trickbot drops and of course
- gtag: mor22 now. How about gtag: les00 sometime? :)
- Per Usual @D00RT_RM was tweeting about drops:
- https://twitter.com/D00RT_RM/status/1184227358011809792
- Also Brad @malware_traffic was showing the activity of the latest Trickbot gtag: mor22 with a new settings.ini renamed to TRRBlacklist.txt:
- https://twitter.com/malware_traffic/status/1184149648673402880
- ```
- #### Email Template Report ####
- ```
- We are noticing a lot of docs lately across all epochs at all times of the day. It seems like the normal shutdown time after 1-2 UTC is
- no longer being observed and the botnets are continuing to spam throughout the night, particularly targeting JP, KR and HK but also the
- favorite punching bags of late, which include DE, PL and ES. Templates are being sent in the native language of the target.
- That means that in a one-hour spam run we saw JP, KR, DE, PL and ES all being sent at once. Strangely, we also saw RU being targeted
- in native Russian, which seems to indicate that not even Putin scares Ivan and the Emotet gang.
- E1 Creation Time 2019:10:14 22:32:00 (Attachment Only - Doc based - Office 365 Light Blue) www.offmaxindia.com
- E1 Creation Time 2019:10:15 06:30:00 (Attachment Only - Doc based - Office 365 Light Blue) luaviettours.com
- E2 Creation Time 2019:10:15 06:37:00 (Link Based - Doc based - Activation Wizard) drapart.org
- E3 Creation Time 2019:10:15 06:14:00 (Attachment Only - Doc based - Activation Wizard) medienparadies.com
- E1 Creation Time 2019:10:15 10:59:00 (Attachment Only - Doc based - Protected View) gpmandiri.com
- E2 Creation Time 2019:10:15 12:30:00 (Link Based - Doc based - Activation Wizard) mokhoafacebookvn.com
- E3 Creation Time 2019:10:15 12:56:00 (Attachment Only - Doc based - Activation Wizard) billboardstoday.com
- E1 Creation Time 2019:10:15 14:29:00 (Link Based - Doc based - Activation Wizard) nazmulchowdhury.xyz
- E2 Creation Time 2019:10:15 14:24:00 (Attachment Only - Doc based - Activation Wizard) alicellimports.com.br
- E3
- E1 Creation Time 2019:10:15 18:46:00 (Link Based - Doc based - Protected View) yourgpshelper.com
- E2
- E3 Creation Time 2019:10:15 18:41:00 (Attachment Only - Doc based - Activation Wizard) www.vatro.cl
- E1 Creation Time 2019:10:15 20:27:00 (Attachment Only - Doc based - Office 365 Light Blue) kenoryn.com
- E2 Creation Time 2019:10:15 20:22:00 (Attachment Only - Doc based - Activation Wizard) outletsmm.com
- E3 Creation Time 2019:10:15 20:31:00 (Attachment Only - Doc based - Office 365 Light Blue) showlize.com
- E1
- E2 Creation Time 2019:10:15 23:01:00 (Attachment Only - Doc based - Activation Wizard) avizhgan.org
- E3
- As you can see above, we are over the normal churn of 4 sets of 5 payloads (quintets) a day; we are now seeing 5+ sets in some cases.
- ```
- #### Link Regex Report ####
- ```
- (These are experimental, use at your own risk.)
- E1 brought back the same regex from last year with the Amazon template. This regex handles it just fine:
- https?:\/\/.+?\/(AMAZON|Amazon)\/.+?\/([0-9\-_]{5,7})\/
- It looks like only E2 is doing links now, and those links still follow some of the old regex patterns. Here is what works lately:
- These were revived/updated:
- https?:\/\/.+?\/(AMAZON|Amazon)\/.+?\/([0-9\-_]{5,7})\/
- These were not:
- https?:\/\/.+?\/(administrator|academy|alphabet|App_Data|assets|backup|beta|blogs|cache|cgi-bin|checkformats|cfm|consultation|core|css|DANE|Dane|demo|discuss_lib|direc|Document|DOC|Dok|DOK|esp|FILE|function.cheese|gallery|GoogleSpeech|hino|homepage|images|INC|Inf|INF|js|lib|LLC|lm|menusa|paclm|Pages|parts_service|phpmyadmin|Plik|popup_index|public|Scan|sites|sitemap|sox62c|SOUBORY|test|trademark|themes|tmp|uploads|wc-logs|webalizer|wordpress|WP2|wp-admin|wp-content|wp-Enfold|wp-includes)\/([A-Za-z0-9|]{7,36})\/(\"|\n)
- https?:\/\/.+?\/([0-9a-z\-_]{3,11})\/([A-Z0-9\/]{7,32})?([A-Za-z]{7,32})\/(\"|\n)
- https?:\/\/.+?\/([A-Za-z0-9]{8,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
- https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{4,30})\/
- Also keep in mind that your filter needs to look inside PDF files to find the URI to test against the patterns above; otherwise
- this does not help.
- ```
- #### Payloads Report ####
- ```
- Binary loader updates across all botnets on C2 are still in sync with distro and still quite infrequent. We are not seeing much over 6 hash
- busts a day per botnet.
- @ps66uk notes we missed an E1 EXE hash 1ad0035a970f4babc4060839210c385bab09fac65651c8d15e1284b95feb7f35
- ```
- #### C2 Report ####
- ```
- E1 84
- E2 81
- E3 30
- ```
- #### Closing ####
- ```
- As predicted, the botnets are gathering strength and spamming more. Also, it isn't going to get better anytime soon with more doc templates
- and payload sites per day being pushed out. Ivan and the Emotet gang have even brought links back to E1. The Emotet malware factory shows
- no signs of slowing down, quite the opposite! This is not going to end well for anyone when the actors go to cash in on their installs
- by dropping various ransomware. Use these IOCs and check for C2 traffic; if you find anything, it is time to clean your network like you would
- clean your house if someone had MRSA! As many in the community like to say, if you have Emotet on your network, chances are you have another
- infection already!
- TT
- ```
- #### Sandbox 10/15/19 ####
- ```
- E1
- https://capesandbox.com/analysis/3039/
- E2
- https://capesandbox.com/analysis/3040/
- E3
- https://capesandbox.com/analysis/3041/
- ```