jroosen

Repost: Emotet Malware IoCs for 2019/04/25

Apr 30th, 2019
## Emotet Malware Document links/IOCs for 04/25/19 as of 04/26/19 00:45 EDT ##
*Notes and Credits now at the bottom* Follow us on Twitter @cryptolaemus1 for more updates.


#### Epoch 1 Document/Downloader links seen for 04/25/19 ####
```
http://199.com.vn/wp-includes/OtsMj-EpSzDLpVBLXiHD2_XvHClxKaT-FX/
http://35.193.25.17/wp-admin/EgvtD-XTXPEHmzSYb6Plv_hGQnENtH-KCQ/
http://aabad21.com/wp-admin/ofRO-thDjD1hTuAhAxN3_yLTlTbJN-8Q4/
http://aadityaindiawordpress.000webhostapp.com/wp-admin/Vehbn-eKgJDoeydCQ40to_jwlPupncx-SP/
http://academic.ie/error/Habd-NHMdLDOCKg9YOF_mzZaXhKU-H5/
http://adrenaline.ma/wp-admin/kZZf-dBjg6WWPODSvPA_pHRWHbtR-nq/
http://agadmin.ga/wp-content/SjwLA-MgMKCZGmdDwBxqo_bLlShwdka-xA/
http://ajmen.pl/wp-admin/TzYLE-SYmIiUQeKPdcP3f_erSSNjnY-NNj/
http://alaha.vn/wp-admin/goMy-UVra6Slyf4ZB4TK_TIAJvmFmS-aD/
http://alasisca.id/wp-includes/NRnd-mY6VwO7lh8oDTVw_KmuLTPpYx-ahH/
http://albitagri.biz/wp-admin/fFmb-y7aV7t8XS2DUNp4_zOnhbnfVb-Qg/
http://alnasseb.com/cgi-bin/IlFx-7334wHJqfF3pDc_mGUTRXtnY-Vq/
http://altituderh.ma/wp-admin/cahC-pYIBSFAKm39zUU6_vKbrFbwv-Aga/
http://ammaterra.com/wp-content/jELXC-2nMGZ4OUOBbsQeF_dlVxesCX-ni/
http://animevn-hd.000webhostapp.com/phim/UvDIS-wAKY8f7UDwjrkiV_OwCzjnxzp-u7/
http://annalikes.de/wp-admin/BIGc-2z3NxtMFknyP1t_mUizLmqVc-jzb/
http://antonieta.es/wp-includes/cqZh-wTWLnLv1TUc0JaG_mdfiAnFO-BpR/
http://aroimmo.mg/wp-includes/JuMs-eek97yBVkphQGpU_CwoaFajM-RQ/
http://art3d.org/wp-admin/NVjW-0UZNhlJI4OIHxvq_oIUDvxgs-eXk/
http://atervaxt.org/nordicdreamers/dXgL-uuJENNWDWjxVs33_mseVZYayO-ZF/
http://atomixx.com/wp-admin/qWgm-VUpt1SRKX6jzuMs_ACMdSbzY-suD/
http://azavtobus.az/cimbria.tk/Necy-GaXwsk8EYMPesX8_KuLicmrk-ySO/
http://bac.edu.my/wp-admin/tijNv-w6GM2qA7hkcpFDO_udnPnVoN-tI/
http://balecohost.nl/wp-admin/jTUZ-9GQrCoA7fzMdH5_mSDpLIFt-LSk/
http://bandycuper.se/wp-admin/mjvYL-EzctktjAYNK1qF_ELdaWOyqr-n44/
http://beopres.rs/beopres.rs/SQOLM-OTVH5wtSLljcAZ_oGWlJQrr-RC/
http://busing.cl/wp-includes/MltYP-iSp4uCgWqlCQpfT_RChsijin-4q/
http://ccc.ac.th/sym/nTGH-muusbW9bfRfDG3c_ERtGIHzBH-Xg/
http://chase.at/wp-content/uploads/jrBr-4ZZsa90dEvenwU_SCpHQUAhN-ars/
http://cheapesthost.com.ng/cgi-bin/Jgpl-AVVwPZO7UEfAVD_BsPxEfQNl-8K/
http://chiyababu.000webhostapp.com/wp-admin/rjULM-WCUeYl6m84tiWfS_YKhJlzFh-d2H/
http://dac-website.000webhostapp.com/wp-content/fMvW-i6YKm9az11t7el_FuonGHYhG-UmS/
http://darkparticle.com/MEhN-kZCXSNC8Gr55qr3_cBNaPojw-RN/
http://drmarins.com/wp-includes/XaJN-X6NN9wFEbi620J_uIBfXqYY-k4/
http://dsn.website/wp-content/anXr-ihwBymQa0H0QKAs_tkqkuNtaM-wU/
http://dynotestcenter.fi/wp-includes/jVrwU-cKsUyK3hggy1NN_cYQjBlBT-tZ/
http://ed-pharma.co/nbproject/yUFnb-l1M6LDFLDmP7XrV_lFPaUTrTH-5E/
http://elgoall.today/cgi-bin/KJOH-M31rksrM9JxzOz_oFsyxUwKT-tbX/
http://etmerc.com/12-22-2015/legale/vertrauen/04-2019/
http://fondation.itir.fr/wp-includes/lLrf-8kiRR7dGzfJajs_seJjfFJI-Uj/
http://frisa.com.br/frisa.com.br/QezM-IAMJR8FXBvmKJqM_xYPlrIBY-xB/
http://fteola.cf/wp-admin/uBlbH-L8L9450tN3llCO_NBGTdrkD-7tV/
http://hada-y.com/WWE/Bxlsd-CH5AggGXjmdFZBF_PMRbyfsN-LLd/
http://hcmobile.tk/wp-admin/jFxiY-GPWbvAggIENWC5_YPFasITfh-NXE/
http://ibot.live/wp-content/UtmFa-8W8UVLeLMjr5qN_rocXBnDgw-ZRP/
http://iimmpune.in/awstatsicons/dSRz-5jc3HNHB8dZ5yd_JzmYkGzGS-F0/
http://jsc.go.ke/wp-content/uploads/AbnO-ncKCS534ju0479p_ZcrakfVb-Wnq/
http://kihoku.or.jp/wp-admin/otBHf-IG0qC3NOH5uepmU_HfyHoprEv-sr/
http://kunstencultuurprijs.nl/wp-includes/ZOvy-JkdkIQpjT3dDr7_KgaDsZWWa-eGZ/
http://lejintian.cn/wp-admin/BRCh-dIJoxUYtRdoeJi4_yxEOTOvf-HMb/
http://lighthouse.kz/wp-admin/lEBV-pYuVKrKZPdC7Us_rxaTJnCWD-nzH/
http://mahyapoor.ir/wp-includes/ObhV-wL3faDe647Q0Jg_UNrxpcuBl-yW/
http://ma-masalikilhuda.sch.id/wp-content/EHBb-IjSlcEnGkje0aWZ_GCADoAeoK-sby/
http://mdmiraz.tk/wp-includes/gtJIZ-UwvXBwqoWrFwUJ_zoKHgDbP-Eu/
http://mekosoft.vn/wp-content/uploads/qTPj-Bf5Ia4IhX1FsNA_iDObjAow-7N/
http://missourisolarenergycontractors.info/qr7qxgl/LLmCl-TNNOn0MRbSr17j_skctkVyRb-kN/
http://mlx8.com/wvpb/RdanG-4NQboohZnD6gVw_MnlZNhKq-6RT/
http://mobila.tj/5z5ecjp/Welmf-yfLnmilJjfIi45o_AsqfsRSXt-JOf/
http://ndalima.co.za/ndalima/yptLy-RjIzzoSumFcchEw_bwIBkobxF-gu/
http://orientaltourism.com.ua/wp-includes/fnrg-It7PVDDfEq1ZAgU_HldtKRXc-vj/
http://pcccthudo.vn/wp-content/uploads/2019/03/TzXO-yL7QQxyHmwRVSBp_IsMVySrk-VFo/
http://pilingexperts.com/wp-admin/BPHG-3kq9W1i2mz8F5eS_JvOpzyVY-zdA/
http://portaljacui.com.br/wp-content/aETC-27SDAvilFWbpd4t_dhovwQLXQ-Vb/
http://progpconsultoria.com.br/wp-content/ZdvlV-XyrPQXYagyz4BiP_UaiGYlgvx-EM/
http://quantrixglobalservicesltd.com/wp-content/aOvG-oI0LwEEqvincM4_zuaDCtBA-u98/
http://racing-experiences.com/wp-admin/qQUwZ-vapvNQzp6ELKQc_uerxOtcWi-DYs/
http://rapolaswordpress.000webhostapp.com/wp-admin/NSRNZ-TjNrLmCd9ZXh42_YknYobnS-xv/
http://real-websolutions.nl/images/WGncK-rABrQ0KIvIHLJA_kbdUmaXZr-HS/
http://school118.uz/wp-admin/xPhx-oKfTE18pAi1pSo_QNgeoEeN-jot/
http://stca.tn/vxdfqpo/KfYo-YafR6hY10foSt98_ySDAjKqd-tbV/
http://stinehelles.dk/wp-content/ugmyJ-wFFZy98jAEh1lo_LxZpETGPD-7oO/
http://strijkert.nl/download/MFfN-mTYc6FX6EVjgFPa_qSTPQhjt-uI/
http://sumuktida.ru/certificate/VWDXh-ER5Rb8RtGNceYx8_bnbMIrIMJ-yr/
http://sunrisesupplies.com/random/zfVE-AsSKi0maP6hjRVM_JyJMuOsu-kvB/
http://teiamais.pt/wp-admin/alYnb-yhp8puPL8k0Mlhp_UiRMPgVD-5H/
http://tom11.com/tram/PqQD-tFasfSqwt5o2PS7_jrbgimmx-zL/
http://toools.es/bankinter_/sFCMF-FBajbcFUhDMNqS_lhbExTGLc-MFx/
http://toppprogramming.com/mail/hSdNs-GeFnyNZQXXFd4oI_xjGNCCulb-ZBK/
http://toshnet.com/cgi-bin/nMPI-3YuXswleUMOQrA_JOgQleDO-TA/
http://trier.dk/85312169/ugpjJ-zBxExOzbFbZcwU_dJFLXUmBu-PNM/
http://trwebwizard.com/blog/dgfHi-pLJKLxJfKOM8yGp_YzGqsRCiQ-Z0/
http://tryfull.jp/DISOR-phy5oaBjMelxx4C_aDUtzFmNZ-T3W/
http://try-kumagaya.net/4_19/hTiB-et3N45R7UJMV5R_clpybvoWX-R6y/
http://twinbox.biz/HlAGS-YbC7afvsnwR4ytu_xrhstgsY-Ai/
http://tys-yokohama.co.jp/FCKeditor/srKAG-JR3BAGiw1v9tfVr_mYprZajpL-p1K/
http://underthechristmastree.co.uk/wp-content/RWHbt-oOfsaube8rE6KK_pyHqsKeNX-CU/
http://unitedworks.info/test/YucXW-k7Irh9JXQJ7zXsM_sjEAsPsG-GB/
http://unixboxes.com/mixes/OxOUx-MpNNzPjknsm8tmN_UUXvhExu-VET/
http://upine.com/aju-daju/oTAut-5lYdesZgHlopXs_YHrwsvGOq-gr/
http://usmanbahmad.com/wp-admin/rPpU-Uu7txRiZCHA3ug_xGsnEQbVA-VLu/
http://valencia.mx/popi/deyr-aFrK3H0hVlTWz9_yxjPZPQg-d7/
http://vaness.nl/WwpwL-SU2IGPdtHFOMva_darAlOxCy-Vxi/
http://verter.ch/images/WddE-KjKqd2xz4cChaoc_ANzYVVftE-yP0/
http://vicentinos.com.br/wp-content/EDoV-LaR5H9tnr2Usdq_aZgShRNgU-qz/
http://viftrup.com/typo3/QmkIC-CeD0Tb210UDlER_QMdImnaar-hLU/
http://visafile.vn/wp-admin/qFmPi-Jhi4pjwyQ69Lm99_fROUQRAO-Qv/
http://visoport.com/demo/vZZC-WkBo4vGHLJ6ghC_pgJnBGto-gF4/
http://vorpalsilence.com/assets/images/KcIm-jyZkLePmgwXLpMC_dSmdJdROy-G7b/
http://walstan.com/sites/pages/css/DmVwE-E930rsBsCvfbTW_CLhOhinJ-8Ve/
http://wamjelly.com/css/wxHav-mshplN9ttrjKXm_yqBVxUrts-OWS/
http://webaphobia.com/images/XyhXB-uFPiHYwL2WQLUwc_XyEpPARU-F2/
http://welcometothefuture.com/CT/IJLAD-ELYwNZIV78VehOr_hJyNvjKXt-tb/
http://wickysplace.com/images/wUEdB-h29ywPz7N7PpJYM_NKwsCNWjN-GI/
http://wierceniaarten.pl/wp-includes/EYJpB-z5ApmDrs8tVHv2_rRGCRpWu-Na/
http://wishmanmovie.com/wp-includes/rQkuJ-SyKh8CQJMehgJ5t_xTOktWvf-SSE/
http://witka.net/cgi-bin/lUFm-7NaGxhRFZkkzLI_PMyzhTIy-Wm/
http://wolflan.com/OSDYO-WLdf9GImUbW9jvL_UuAiCRhJ-bM/
http://wrapmotors.com/wp-includes/OTKil-7DrQd4NpFvmSSs_LfsEcnrq-oX3/
http://www.1hpgaming.com/sitemaps/lfMa-7EjbmzpunMQHmt_ThcFnLZsf-Mt/
http://www.beimingye.com/wp-includes/WqnmQ-lX3u7FTdsiJEgP_ZLpruENGe-UQK/
http://xn--12c7bhah2cq4a0ba7c5ap6ryb8d.com/cgi-bin/MgSnA-seXszMumCv5FTC_RmWfNkFm-p2/
http://xn----8sbabmdgae0av6czacej5c.xn--90ais/test/GTip-a4xUh7avazzTrd_TDKbEWPu-zE/
http://yas-kala.ir/wp-content/RENyD-huH2iWIn9Nha7zL_YusxEJfvZ-Xz/
https://0day.ru/wp-content/PAFj-dfNaBD5k6Q1NHHj_rDEZqRIb-iBr/
https://2laughs.com/wp-includes/nuWtd-irBrliAxwZ70oD_KJnpafXK-IV/
https://8ps.com/vkwum/KeaU-jE73YWQJF1uzX5_VmqwuxHTx-1H/
https://adrani.gr/wp-content/aSOt-u9uxdklSC8zsKx_wSbxsQYrz-F6L/
https://agisco.it/e/yXNt-4VcTAa9raHYSRg_mQWfRNQm-HP/
https://ajuba.com.br/wp-admin/Egvq-vMzngoxsvu3BoW_YMrvwXokV-pj/
https://ani2watch.net/wp-admin/EOJh-8HN6odwUBEtO0Hk_lhRwFaNR-ix/
https://arielaspa.com/wp-includes/PWAY-ElZbztT4rt8NpXc_ZyLndnYk-Nc/
https://avicloan.com/wp-content/kOEie-irNuNwqlNc8Ry8_WZUTBhbzg-uLz/
https://b-agent.tokyo/wp-content/translate-accelerator/OgKFl-FZHb0XQbYfEdL9c_qIacjfmu-yq/
https://barometrs.com/wp-includes/PvhkM-ImkmvpR6Ugi2Q2H_VjtDvfivq-Yer/
https://diaocancu.vn/diaocancu.vn/BAYH-t5vHmQQUPvRTpF_iRJltJQY-OrO/
https://dj-tobeat.de/DOC/iUAo-V16kiaAvap6ZOco_uwpVtZeO-n2/
https://happyroad.vn/wp-admin/cQDit-tO6l5qkrVBRvUe_wOfNNCup-RN/
https://ideaware.pl/wp-content/HzXP-RbinbRoEdegSVb_zwDqwLnzC-fW/
https://inversioneslopezminaya.com/wp-includes/tPht-9V5ZiQQf0xChGE_sYsyGthli-el/
https://j22e.ga/wp-admin/qluE-Xt1Q0AilqaLLHMe_lIlrBGNlk-Q4/
https://lucky119.com/wzzeb/IYZyb-4ZqzbE4yOsL89QD_ECNcoVcdJ-q50/
https://materne.fr/contenu/tEmZ-R6gqwiS8dOSLEcR_YiMIAakt-Hr/
https://online-shirt.de/wp-content/HsLGB-cXCwJpTI3ygy2E1_VthDUbIr-vn6/
https://press.toteme-studio.com/wp-includes/WkRW-WAgzep1rMek9bc4_wMrrWhLf-OO/
https://richlo.tw/wp-admin/nTpD-NVkx2IIoA0TuUto_zXFnoVyHM-pL/
https://sherburnesculptures.com/wp-content/aEjz-R02CZIyzcFn1sGS_knHcezRVA-ddG/
https://solove.show/wp-content/PdQx-AvJYElBQrhK2R2_fQLKBlqJ-xBP/
https://stellan.nl/stellan/anUUa-oclMsAvlpWpRcjw_jlZWELPOo-mJ/
https://toprebajas.com/wp-admin/Ieusi-tZn2hXA7IdDNGZj_NxMkcSlc-aYQ/
https://trinizilla.com/wp-includes/VLyl-uog7bE3A5QAI5Z_osUUOdQUq-xwc/
https://www.moletta.hu/wp-content/LkHc-jTy6UmLwMZNo8v_NiCJEPsCN-t7/
https://www.versatilehairshop.com/m8gzo1y/ARKf-Gqbj63yPM0HsJzF_vTRnbeds-b6k/
```
#### Epoch 2 Document/Downloader links seen for 04/25/19 ####
```
http://0rdp.com/wp-content/INC/BFGTOC5X/
http://112sarj.com/wp-admin/LLC/93caQpouDS/
http://11vet.com/wp-admin/Scan/dEV0V7y6gD/
http://139.99.113.144/cgi-bin/DOC/oHFRrccxTyv/
http://159.65.47.211/wp-content/uploads/LLC/mJ3Jqlxs/
http://18.220.178.19/wp-content/DOC/dMSy97nt/
http://192.163.204.167/layout/Document/WS9K2WRl/
http://1nsr.com/ssd/DOC/p1XTSsnITtig/
http://203.157.182.14/apifile/mat_doc/Document/LPf16lKOLD3J/
http://247mediums.nl/wp-content/Document/O5DWQZDa1KA/
http://2aide.fr/phpmyadmin_/DOC/Mts41hwqGwic/
http://39.106.17.93/wp-includes/6vrko-5iv87v2-zidez/
http://47.104.205.183/wp-content/INC/ftYw7diB2Z/
http://60708090.xyz/wp-admin/9ozx8-c65se43-kgnyk/
http://67ms.top/wp-admin/INC/HMlDkw3FXi/
http://68.183.44.49/wp-includes/DOC/4DMwnXGd/
http://7orus.org/wp-content/LLC/c1O8i9pPoUOG/
http://8bdolce.co.kr/wp-content/uploads/DOC/PRT7htcSPUXL/
http://a2-trading.com/wp-admin/DOC/MUBBGU4h/
http://a2-trading.com:80/wp-admin/DOC/MUBBGU4h/
http://aadsons.in/wp-content/FILE/4XzSxFDNZol/
http://acqueon.com/partnernet/LLC/cZDHeNAN8/
http://adamsm.co.za/wp-includes/LLC/huhoy9WuI/
http://admiris.net/cgi-bin/FILE/eGhOQWEzd/
http://aerdtc.gov.mm/wp-content/uploads/FILE/hva0eHzv2ApB/
http://aesthetix.in/wp-admin/DOC/8te7eeww/
http://agafryz.pl/wp-admin/tffsv-yspib-iirp/
http://ageyoka.es/wp-includes/DOC/bT0UTholNU61/
http://agrifarm.pk/wp-content/Document/aWGdImf8s/
http://akeswari.org/wp-includes/FILE/GERhSILvT/
http://albatrip.com/wp-content/Document/8zgFe8QT0/
http://almourad.net/cgi-bin/DOC/D0ylSTWUlKRV/
http://aloes.wys.pl/wp-admin/FILE/2Z0M6bVZgi9/
http://alokdastk.000webhostapp.com/wp-admin/Document/fY0zM5V9/
http://alpreco.ro/wp-includes/INC/JNA9RgAo4NO/
http://altsouth.org/wp-content/LLC/1w1TsbbCfH/
http://alvamater.com/wp-admin/FILE/OVsM6ivBcb9/
http://amberley.in/onewebmedia/DOC/RuDnKVqr/
http://anaaj.pk/wp-content/LLC/pXjhm4Qd/
http://anb.intcom.kz/blogs/Document/lGpwkmnvwn12/
http://anchr.com.ng/cgi-bin/FILE/GAG5VOw3/
http://anphoto.tw/wp-content/uploads/DOC/QyGn5EmGqKx/
http://apicforme.com/wp-admin/Scan/jml6nKk4/
http://aptaus.org/wp-includes/INC/xqXK9tKWYJ4/
http://arcsim.ro/wp-content/FILE/7Iniu37V/
http://arefhasan.com/wp-admin/LLC/VGyKpJBn/
http://areka-cake.ru/wow-animation/Scan/xdkti9JGp/
http://arenaaydin.com/wp-admin/DOC/6WZpPXfW/
http://arsesled.ir/wp-admin/INC/6IP7kP0v/
http://arteza.co.id/wp-includes/FILE/uQwaacm2MQe/
http://artpizza.pl/wp-content/plugins/beaver-builder-lite-version/modules/idx_config/DOC/jVubEZUDCiR/
http://artspace.cf/wp-includes/Scan/hoDu0sA6/
http://asgrad.art/wp-includes/9gjw-wu5aez-ebjp/
http://asharqiya.com/ar/j4xb8s3-gnpo7eg-cvpglcq/
http://ashhalan.com/wp-includes/asain45-zc6gd-yscw/
http://asis.kz/wp-admin/Document/anzpdCgpOFGA/
http://asri-no.ir/wp-admin/INC/TWVHZJJl2MNU/
http://astroblu.win/0backup-media/b5l5-8ct912-mpzoksf/
http://aulamania.com/wp-admin/Scan/pdB3irhP/
http://aurora.nl/cgi-bin/FILE/hv3wkWXXO/
http://autmont.com/wp/fvqjjy6-9blw5yi-hmedqfl/
http://awasayblog.000webhostapp.com/wp-admin/LLC/Ym8hc9vn7/
http://babababy.ga/LLC/Scan/76UOKepnqbcp/
http://baggo.pt/wp-admin/INC/ppiXb8Pcw/
http://baires.online/cgi-bin/bhuc6z-6uw3c-meuxo/
http://bancotec.net/wp-content/LLC/PZdeR5OJK1rz/
http://baping.xyz/wp-includes/FILE/ooI3b3xWYQP/
http://baranlenz.com/wp-admin/LLC/MxexKGEx3Kla/
http://barbeq.ru/wp-includes/DOC/CtKt04dY/
http://bashak.com.ng/mgelq/FILE/x0ms11PAMPM/
http://bashia24.com/js/LLC/tAojFBsZ/
http://bastan.co/wp-content/FILE/GRpB23BU/
http://bastari.net/wp-includes/LLC/2sssCgOo/
http://bestflexiblesolarpanels.com/local/Document/1PvDX24wx/
http://bixbox.vn/wp-includes/FILE/jt1IpBI9fMy/
http://bizajans.com/engl/INC/nCLFmnsT/
http://bizertanet.tn/wp-content/Document/5w3YCTYsGJvK/
http://blog.sigma-solutions.vn/wp-content/FILE/bN93l7kZJx/
http://boyuji.cn/wp-includes/7tw7hx-coofhk2-bygj/
http://brotechvn.com/wp-includes/49emm-uw4xeol-gicx/
http://c919.ltd/wp-includes/js/tinymce/Document/SMIUjq59/
http://cafeplus.cf/wp-admin/DOC/NXzZGEd2sw00/
http://camperdiem.wroclaw.pl/wp-includes/Scan/HaQb7xSbls/
http://carsuperheros.com/wp-content/ty5p-cs2iys8-ffpk/
http://casalfama.pt/wp-includes/yubi3o-90n6z-nxpa/
http://cecav.utad.pt/cecav_prev/oulht-wevyqs0-otlp/
http://centersv.kz/wp-admin/nvfo54d-uvvgid3-uqri/
http://chapter42.be/wp-admin/Scan/OOuyBjGaUe/
http://coine2c.com/wp-admin/Document/N4TXNpkcnkP/
http://csnserver.com/blog/FILE/BH9ssw8xhb/
http://czcad.com/wp-admin/Document/CPXE8dFz/
http://danslestours.fr/calendar/o2bm-ze5648y-ybjfbby/
http://daoyee.com/daoyee.nt/elrbvp-l59j0x-nfdp/
http://dchkoidze97.000webhostapp.com/INC/DOC/JVdpeoOj/
http://decotek.org/orange/INC/dZfkQlTEOaaj/
http://dimatigutravelagency.co.za/dimatigu/qffkb3-tz897n5-ezyfx/
http://ecominser.cl/k2rojqs/INC/dbKZZ94C/
http://eiamheng.com/EES/LLC/q4uSkM44/
http://elenihotel.gr/wp-admin/Scan/mcYFvKAW/
http://emst.com.ua/wp-admin/LLC/gYyCLgL3bZ/
http://enseta.com/wp-admin/INC/VhRETdppE/
http://eturnera.com/wp-admin/INC/JXICRv88LPEU/
http://femalespk.com/amwgi/Document/RRvgvvxiRz4/
http://finessebs.com/cgi-bin/thgv32-khyziwe-mlcckef/
http://gce.com.vn/wp-admin/Document/EiX2b35YyXXA/
http://grasscutter.sakuraweb.com/wp-admin/Document/ZsUUTzYbqan3/
http://grimix.co.il/wp-admin/LLC/dyFfxviI/
http://grulacdc.org/wp-snapshots/LLC/F1vPTrtjk4y/
http://grumpymonkeydesigns.com/qCIbEPWO/LLC/NaQ9pM228n3/
http://grupohasar.com/filemanager/uploads/DOC/BbOL628FNWYQ/
http://halalonlines.000webhostapp.com/wp-admin/Scan/3jamtbrR/
http://haovok.com/wp-content/uploads/2019/LLC/daBm7oLYz/
http://hcgdrops.club/hcgdrops/FILE/ID682PXM58Y/
http://hotissue.xyz/wp-content/be5h-05qok-sqrydef/
http://hydtvshow.xyz/wp-content/DOC/pYNcc4SD/
http://iddeia.org.br/wp-admin/FILE/svemClVksz/
http://ikeba-fia.unkris.ac.id/wp-content/FILE/GbhcbLhUKQH/
http://impactclub.ml/wp-admin/Scan/HeoGINYg8M/
http://inandmusicgroup.com/wp-includes/Document/3TzvlUWsCHHM/
http://info-checkus.000webhostapp.com/wp-admin/LLC/lMDbFjgxrK/
http://isais.or.id/4wo96yq/Scan/MPFYxyNa2L/
http://itqan.qa/wp-includes/LLC/hedH9iUzracO/
http://jbint.org/wp-content/Scan/ysI1bcJZVmD/
http://jmd-be.com/wp-content/FILE/oHDIVDJOPz/
http://jurafonden.dk/wp-admin/FILE/xycmtjtrif/
http://jyothilabala.com/wp-content/9acu-vga9xwb-tgvdumy/
http://kimuyvu.com/wp-admin/Document/08BFbN4KSmr/
http://leesin.work/wp-admin/DOC/VokhIefIUL/
http://lequie.de/wp-includes/qim3-ah3024j-jcru/
http://likenow.tv/wp-admin/INC/6KZHVDkshuuf/
http://lorigamble.com/wp-admin/INC/hJH0y0so/
http://luxycode.com/wp-content/DOC/W2Ols88xG1/
http://mance.me/eroticartsagency.com/INC/3IdNdxts/
http://marcofama.it/tmp/INC/sk0Vd75U8/
http://millenoil.com/modules/smarty/sysplugins/FILE/hpkQXIc7u/
http://mindymusic.nl/US/Scan/COdwLdcr/
http://mmtsystem.net/wp-includes/Scan/yuu8uCqMT/
http://mobility-advice.org.uk/cache/FILE/JwPpi4XpGt0/
http://moolchi.com/wp-includes/LLC/umvy1iKh/
http://narayanhrservices.com/wp-admin/Document/wOjMKy5Cd/
http://nativis.at/wp-admin/FILE/pean3sr3R/
http://newgmp.000webhostapp.com/wp-admin/Scan/JG1vxgDirn/
http://newlaw.vn/wp-content/DOC/uTxh3tCdyyYw/
http://nhahuyenit.me/wp-admin/INC/YcjkRRDg/
http://ogdaily.com/wp-content/Document/aSYDuvDWDQ/
http://onlinemafia.co.za/cgi-bin/FILE/Us9LQVkRP/
http://ostaz.ml/wp-includes/Scan/K4ZWfhXg8/
http://oxenta.com/wp-admin/FILE/FfI0aODKuLP/
http://phanphoidongydungha.com/o4ci7l9/INC/UbxquS6Bi6z/
http://publiplast.tn/wp-admin/DOC/5AfyWL2h/
http://raorizwan.com/mail.nexitsystems.com/Document/5PLisWZZNO/
http://redlk.com/tqpjo/Scan/UftRuaEmi2h/
http://reismagos.org/wp-includes/DOC/Hr7cSKQA/
http://removeblackmold.info/wp-admin/LLC/fmkSSQQpEg/
http://rusticwood.ro/ww4w/FILE/IRIAFuBVc/
http://sahityiki.com/wp-content/Document/5sW2c36r/
http://sblegalpartners.com/wp-includes/Document/48MOBvTnTEO/
http://sbs-careers.viewsite.io/css/8pf7v-3zsgunt-zdcv/
http://scilijas.com.ba/componentsasd/FILE/xW5hUD7zTpWu/
http://sdilindia.com/wp-admin/INC/DdVCFNY59U/
http://sendestar.com/wp-includes/DOC/lFoREPbI/
http://shakhmed.com/css/FILE/yQP5rQql9jLD/
http://shopfreemart.com.tw/me4sdp9/DOC/rFTLNP6F3QPH/
http://shopfreemart.com.tw/me4sdp9/FILE/JxPR0BtnaOs/
http://signs-unique.com/tn3gallery_full/Scan/ueuak6Bxlu/
http://slmssdc.000webhostapp.com/wp-admin/DOC/Y9hS0j0lHw/
http://smits.by/application/DOC/COhyszYNSkoU/
http://sneezy.be/downloads/Scan/bbgS1EMMmo/
http://softica.dk/includes/FILE/zOgnlKzE/
http://solpro.com.co/wp-includes/DOC/gTb91Y6tAZ/
http://solpro.com.co/wp-includes/LLC/zEWrFzpS/
http://solpro.com.co/wp-includes/Scan/jQHM9PERSiA/
http://songdung.vn/4d4ixle/DOC/HYgBv8CFypi/
http://sonthuyit.com/assets/25drn1q-c218j-vctym/
http://sooq.tn/g435goi/LLC/Snq8H0Rs/
http://sotayvang.com/zydoe/FILE/OojF5GGWdcQz/
http://sparkcreativeworks.com/cgi-bin/INC/5ZKHsB36/
http://spitbraaihire.co.za/Scan/xCujoX3N/
http://spyguys.net/cgi-bin/LLC/jZoxe8Lzq/
http://stanica.ro/suspended.page/DOC/Pz4Ba9lCYB/
http://steelimage.ca/cgi-bin/Document/sIhh72ulT/
http://steensbjerg.dk/wp-content/LLC/MoJhaHI2/
http://steinoe.dk/random/LLC/mfUWqq2GjmpE/
http://stickzentrum.ch/informationen/Document/nmBzDOCEPz/
http://swiftender.com/api/sub/content/uvltjbka.1688.wdkcv/
http://tb-it.dk/dresscode/Scan/T4Smjvtt/
http://thedopplershift.co.uk/Information/LLC/w8hVYpn53es/
http://theothercentury.com/FILE/8WWR9Qet/
http://thunkablemain.000webhostapp.com/wp-admin/INC/83ptVEXfxAz/
http://titancctv.com/img/6rweiz0-c5y5s-rvbswyc/
http://tjr.dk/amsterdam/FILE/ft0F6LiwheI/
http://tony-berthold.de/_private/FILE/ghduTTrL3/
http://topgas.co.th/lthJk-9l1PUQnCptcE7D_OXJdrcYg-yCU/LLC/2xctcrJ0/
http://tpc.hu/arlista/Document/HwdRdSEOit/
http://tplsite.be/sleepandparty/Document/6aaqHSrDKBVM/
http://tradelam.com/fonts/LLC/hwXgo085dLt/
http://travelhealthconsultancy.co.uk/images/Document/5ZZNWLrbwUY/
http://try1stgolf.com/ebay/DOC/t6w0pulbA/
http://turkandtaylor.com/wvw/Document/vnyta9UE8IU/
http://turnbull.dk/GSSSite/DOC/NKXgmaJYma7W/
http://ukdn.com/TempHold/Document/fZRRfC4NREy/
http://undersun.jp/LLC/E0tlYP2t/
http://unioneconsultoria.com.br/a5n3run/Document/sggPdd9pbp/
http://urbanmad.com/wp-snapshots/Document/HkpZb4QCCg/
http://ursaminormedia.com/About_Me_files/LLC/BTJBTmw5u/
http://usgmsp.com/temp/FILE/XlSxIa6kVo8/
http://usmadetshirts.com/loges/DOC/hQngDZHB94/
http://uss.ac.th/cgi-bin/FILE/GDddX7MX/
http://vastralaya.shop/ynibgkd65jf/Scan/ToKGN8vSc/
http://vcontenidos.com/wp-admin/LLC/cvKYwKPk2J8/
http://velowear.dk/wp-content/FILE/zsoo1wv7S/
http://videografi.unsri.ac.id/wp-content/Scan/Bv8qn61Sue01/
http://vinik.com.br/ssl/w72wgkb-ieclx-cjys/
http://vipkon.com.tr/wp-includes/Scan/zyvGWnI9/
http://visciglia.com.ar/wp-includes/DOC/btsapXED/
http://vitalazu.com/wp-includes/Scan/SK6Bcdzd/
http://vitallita.com/wp-includes/Document/aJQetqNq/
http://vophone.com/portal/cache/LLC/Q1savIN7l/
http://voyage.co.ua/mailsend/DOC/eXyORgeGMU/
http://warah.com.ar/2PS/INC/U7NTNzbz/
http://watchesofswitzerland.eu/wp-content/LLC/MdIuHQ2yerR/
http://webbsmail.co.uk/Scan/VtoTwwH1XCST/
http://webdesign2010.hu/FILE/asihbMvM9/
http://willemvanleeuwen.nl/autos/Scan/Ko9DaN4t/
http://wirelessdatanet.net/2/INC/Jhm54nRMkFn/
http://wordcooper.com/wp-includes/Scan/p4oJcoyx/
http://worksonpaper.jp/about/Document/gyGj8cBz6VE8/
http://wuelser.com/dbox/FILE/zh3B7fSeB/
http://www.aeffchens.de/wp-includes/LLC/A7Ea2WV4nHS/
http://www.altriga.com/wp-content/ohac-98z0jh-nhdtmp/
http://www.glasspro.kz/wp-admin/Scan/kgU6KhFJsWxt/
http://www.kampolis.eu/test/hdqj8n-t4fk4-yaoaiii/
http://www.mahala.es/old-web/f1h8-1hikh-qubijcw/
http://www.nekudots.com/wp-content/Scan/uNandEWEsw/
http://www.nylag.org/wp-content/upgrade/4ret-1lcji8-bzqj/
http://www.remyshair.com/wp-includes/Scan/abIV8YQMXw/
http://www.veryplushhair.com/wp-content/FILE/RMkSgxCpCNbn/
http://xn--altnoran-vkb.com.tr/cgi-bin/Scan/lfFPjmSZfc/
http://ylla.com.pe/phpmailo/Scan/AOI5m3iTAmP/
http://yoyoplease.com/ebay/LLC/j0hJkr9Rl/
http://zaboty.net/DOC/beQY4ZN1oOm/
http://zahidahmedtk.000webhostapp.com/wp-admin/LLC/WPsHhpN3kXm/
https://113bola.com/cvtex/DOC/ddAIYbg4v/
https://18uproom.com/cgi-bin/Document/xLjquodgBV/
https://2drive.us/nb/LLC/TtanW1nrJUwA/
https://2tor.com.mx/wp-admin/Document/da4kvYva/
https://acewatch.vn/wp-content/t9ps3uf-vmbwbh-uohwi/
https://adsvive.com/wp-admin/em97r3c-1km2ni-usmcb/
https://aeginc.co/wp-includes/Scan/OyZ8E1Bt/
https://anhungland.vn/wp-admin/LLC/IKqtHzB0R/
https://antosipark.es/img/Document/GRrzIF6c/
https://beutify.com/wp-content/plugins/tm-woocommerce-compare-wishlist/go1u9rd-d4axfrw-ahqb/
https://blog.ozobot.com/wp-content/Document/wSoN4aeX/
https://chunbuzx.com/wp-includes/dr8bp-ld7i87-igjtfjb/
https://cssshk.com/wp-admin/q7r6-q2cdc7-rsgj/
https://denglu.net/wp-includes/tap7-243aihc-ipbg/
https://dosejuice.com/wp-content/uploads/FILE/oK0Qu6V4PCaO/
https://drews.com.co/wp-includes/DOC/a0K4kd0cNs/
https://fastrxtransfer.com/cgi-bin/Document/BWEX8Ci6QH/
https://finvestree.com/calendar/Scan/iOi6ORpgWEr/
https://flutters.cn/wp-includes/faonag-hxlvgnz-lnuvw/
https://gdai.co.il/Search-Replace-DB-master/4br3om-w7orviv-blzcy/
https://giovanigioiellieriditalia.it/wp-content/DOC/zcyfhOtdZ/
https://grimix.co.il/wp-admin/LLC/dyFfxviI/
https://infinitemediausa.com/wp-includes/Document/FuLIxBLNKKzi/
https://innomade.ch/upgrade/Scan/InWpS9ZJJZCt/
https://invu-sa.com/wp-includes/LLC/PPr2fCrNv/
https://jillysteaparty.com/wp-includes/DOC/ADfgCIQjz/
https://mansanz.es/banuelos.mansanz.es/Scan/Mdc7EZVyH0/
https://nutricioncorporativa.com/wp-content/FILE/sLXPRyYt/
https://ortusbeauty.com/error/ngxu1-tlsuxg1-mzgms/
https://shop.ziskejtelo.cz/9uhni6x/INC/5DMjVAvBZ5oy/
https://solpro.com.co/wp-includes/DOC/gTb91Y6tAZ/
https://solpro.com.co/wp-includes/LLC/zEWrFzpS/
https://solpro.com.co/wp-includes/Scan/jQHM9PERSiA/
https://sputnik-sarja.de/LLC/QfvDv9ddh/
https://suzukiquangbinh.com.vn/wp-admin/e3alzoq-cwzv8-mvgn/
https://vensys.es/blogs/Document/HH8n8fewY35E/
https://winfo.ro/_TO_DELETE/m/DOC/yUrwSrFogQDz/
https://www.admolex.com/sorf-test/DOC/7ZYdZsqDq/
https://www.apel-sjp.fr/wp-admin/Scan/xSmBK6lyLA/
https://www.bdmp-lvbw.de/wordpress/wp-content/uploads/DOC/3egahrSARjZ4/
https://www.cavus2.com/kurye/Scan/EnHOBQzcnbhc/
https://www.nylag.org/wp-content/upgrade/4ret-1lcji8-bzqj/
https://www.orthosystem.de/wp-admin/Document/4Yz4XS5tfTKN/
https://www.pinafore.club/wp-admin/0zg016-b2gn48c-elbg/
https://www.reupfam.com/ddeleteme/wp-content/pluginsold/wysija-newsletters/helpers/DOC/AAh15xnP6BPG/
https://www.thebermanlaw.group/wp-content/FILE/9GAhnKQW/
```
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2019-04-25 16:30 (JS Based - Fake Error)
SHA256:
f49b59f066266e3221f9a73108d13447ae21166858233d7c50c54ad6dd9d1fe0

http://agenlama.com/wp-admin/Sfh/
http://4gstartup.com/wp-content/Hdc94/
http://atakorpub.com/emailing2016/81311y/
http://aioplace.com/aio-set/H2xWQE/
http://5stmt.com/wp-content/Fn/

Creation Time 2019-04-25 09:15 (JS Based - Fake Error)
SHA256:
edab37a0304b9b8cb7c0140043b1c41de464928d5835545575e593b95f5f9295

https://dolanmbakboyo.com/wp-admin/Td5/
http://lotuspolymers.com/wp-includes/GacU/
http://kamsic.com/wp-includes/4U/
http://tierramilenaria.com/wordpress/uK0WFk/
http://brikee.com/contact/GndK/

Creation Time 2019-04-25 04:26:00 (AttOnly - DOC Based - ENG - Off-Center - Light Blue White)
SHA256:
16754818e4e071e1e913202fd189ed68e44b4167bff05e6f0772b7b97f0435dd
8a7a8547ddce9ccbbfff450b91bdb693ebd734e37cde35587468b2f30ff32a61
810b8248edda471909cf61ffea303590c7c63f8f26fbfb1807ed8c02e03a70cb
66b5b8b453c1cca49f2978e19042e8202c6c5e44edf84bb42d58d1cbcf18a980
e0b3c0f45c63de7c2eab57b3f920281bc6e44894b9391694bf78637e86dce359
91fbfc9c3a47336a026ff1557ea663e392a8551324dca352c64df10e97814d4c
391c2757da03c6b44ddab75a400dfddd4abcded2d75c13f34dcd628df9e369da
3198c65f66230c83a6b1f671d6c1ede9511f3136f4934c05c953dc8b4b76b7b1
60cf3c663017bd42f2c7d615022ff4c934f3dab850dbe3f720eaa06e56070395
574653eced1774698549b0242c867c09c070ec3e7f5d19c0c0ac936c9fafba84
35e8092b65707dd8ddee8f2c0434e7fadab538202b1ee51108c05f7fd7ee01f1
7d84f8c150b6bf1e53e7714e7bb8a91a18cbae5fc8a8104ecb361a46abfadcc0
99021e529ada964a33da6465dfc552326a261f3bc4078087123e4817ab3e0d1e
b2db4f689d5fecd8bcb1f69d8c07f3a3d8debfefe03a46b3efb0d43717d623de
ca3a669610d3e155eebf8bfbfa5c03cd26378092810b77445520875062f4f827
d92650da86cffbced2ee5a45c960cc5100130d8c4b02d9d49bbf077e5612cd4c
3ffe8867d7e849935403e9395bb2ef88dc7247dce6a388f1e7dbfb24f70a3ea7
04dc7e6778079604ea9a48ca704f3edf6f0df1f5461a80be9e14a09d41391a23
b03494d47b9271271a9a93dc23c0e224ae7699e5b7a530188732a834db2f4ac2
222e4c0033e888e7b28c914d77ba721798509b5e7ba521703d946b1c03c5e243
96437bc0e4bd30cb51019855e41983bf2d468eecfe82ed55c8e3c7367d77e193
e1d55600d650f9db1198ea73ce960bc1f8023cb15b05d986a97887a5d90c0d75
2b19ee7ac2c3ea407fe6143032ed6834c6ca1f1f24c5aabd25f58a732d021740
c464d2462aeb4ecc2bfc0a13aeb66afa506bba56e0446a7f5f4e06bd1c9c4dfb
162e4e6f76c3c481766a5a842e4e663b12fe6c99979b0dc18862248766c9f74c
1d063c9084dd5a6e5c71a0c2967511ce74f739296133586c282eeb024411d4a9

http://labersa.com/hotel/hn6B/
http://rogerfleck.com/heldt.adv.br/tt0Dgg/
http://sliceoflimedesigns.com/journal/tj4Y/
http://snits.com/5C5/
http://smejky.com/skola/Y36TUR/archive/M0m8J/

Creation Time 2019-04-24 17:00 (JS Based - Fake Error)
SHA256:
b7fd23feb71f19a87e0130334f8dcbc28479db18fbd6ba0a89e9a64dc525c919

http://al-awalcentre.com/wp-content/Q2sF/
http://thetechbycaseyard.com/wp-content/fGNyT/
http://ichikawa.net/wvvccw/CtwFb0/
http://naasgroup.com/cgi-bin/Zqoy/
http://paulklosterimages.com/cgi-bin/JKJJ/
```
#### SHA256s for Epoch 1 Payload EXEs seen on 04/25/19 ####
```
0e33d65259bd510273ed2410fc9498ff837ff17b735d68257a1196dc353c8b26
ca39cba6b05ae49873b70804dfd8ab9f535dd3b0e5b3297434df1214072bdafb
3bb7ac0388fc31d72abc3c78fb8c86f360e8e15de192aed274efead9dd570e7f
73118de8f59147aebf7c10194614e95de52e527902f7df7985649f906ccdc4da
af013886eeb2007f529fc382684cf467a4df62d9cc6e494c3f9d186ed2b1d565
65f641c306829d00beadb6c1a3cdc0d64ba5f0ff89cc9883c662287624d44198
37b8196ca3455a2c6e144481d44bef88add15c317d3fba58952121438159b2fc
dd5b5853a81893823d266f1db8122f9bf5272ca83e347cc8111fdb740d9c6174
4d41820d47ac50e151ded930977e398f2293f77a12033e5942719d6760342542
d705c3791f977e140d771f3805e2dd4e5cee69e8c28eb85256abbadbaf02f91d
0f3c17170fe7e9e01f27fadf5b3556b9102aede5801ebe00a2c51b27be54cdd7
d390912ef71b2d1c1fba1940b604983215d02da301eb1e6699f6c15809d0aec2
a5407bb05915505e97061521a27a6a895b87bfb84b6e796bea9da0fcd102a214
96d633b7d47202d73b8946a8194f2007f1347f74c1c5e7bcb293727468161684
cc859640783449e54f2a3fb0a2c4f981f59dabdf41f04f62c4fd93984f617717
c05aaa9feb92170a452eeb73861632963ec014366de203f4b01c56d67ef9c04e
eba0ee83ead32eb557d941eb2de76fdd9049f7d68d32d85c3aa3c5b7f6593fec
ab6456f37990927386a03b1e0e6c69ac3a16035069f4f421ac6d074f03e2c29b
3228416a3dcfda8a180c86af876fb81ba2829bf45cf460e5d0b0bcda0c6e93e6
53be6100f57e160bb4ea73c179f8786a8e2a772dec2deae3e34fda742eb0d575
3c0d62cfa2df4944ff7d4919c3c0e3129c38bab63b5e24d7179cb204e0a7e595
34244952fab971b6504507202a2703f20aa67af75a0ba910d406183e7347aa87
c10d72bbd365d00284aeeca6f32b08658928a8f1bc692966006deb34ad4c6699
aca300c25bf3abbac24087551a64862f5d12dddf17a3700ceb6fd39fc16baf0e
f3f315879d123ed6a38c3bfb5bb1a5703dbae81de450e9915b8e9c648d3e81f0
0c944a202ff6ac81acb2eec7bf8af8948ce223432cf7fce163315fc62b6f0dd6
a08309105ae6ceecce2e0713c53dbd2cb23bebbf58a33ffc1b68459fb6dae2e4
64a9ebc37b8efec983fdb9d97be074fa57b456cc2e59f05a413a4b99ea9bbffa
f4017043829fdd9039e6f7928e56df527e9699388c5370f301ef89712ec1f0dc
515eb76b5fc7a029132ee4a8b7cd4b234f268f96e4350ea75dd5c99a88237325
214ad946d41c6f04035df42be621fd5d76112d9e14aaf933dc765609d46b572b
ac3f16c8e8f2f5b1efd32465d40a593d162a30a26cb5ea9a2e934f989a5a9aba
73dbe0ed37f1e77ac87ee2a42cb74bdcf233d0a3cf5917434b099a59429fc702
f077718722fee051e7455876fbd070bb57e4972af559699ecbeeb5b5e35eec11
9c38b0b64eb091eb10521ee5a602940020afa164615cc93898e771dff24c97ce
358685bd63f4e40864316f226a77e67fa99da1329feba49a6e2d99dd7b6a7a63
323154c4cb75b02983bc4e076be06997644eb8852384aa8d92b48131bc085f00
```
  557. #### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
  558. ```
  559.  
  560. Creation Time 2019-04-25 13:36:00 (DOC Based - ENG - 365 Blue Box)
  561. SHA256:
  562. 8065d2137332893c6e189b09a0e6b480e2f2955e827e0b67e4418e6a268da467
  563. 22e222168d5dea3d7f837da60fca78acc3257915fda97c18ed7af63dfc7542cd
  564. 41040e62590fee09c32389db40112c48a8a985b407340e12cdd19965862c2c72
  565. 7a6a2c210aefa9f680207555c2b909616b54e3999945d22a47241c2987debd7b
  566. 00a73162489f59b1cc4fc07208676176c19eadbe5c4c0f16b0bd3f7c15a9a03a
  567. e0d1b4b5d7f6b432340d9483b96e4893637d0f897b59a00967ee2a0767888fa8
  568. 78439b66ed766396e16c865a6857de42d166f42227e728f1635a552e07918506
  569. 79aa4c12cd7acda388199e7e59ac3481b7e738ae2b3a43ac06bf08dd8f6b4419
  570. 3dbb4ca641797b6f3729fbd6512e83b47426b4a20d6b490d81100dcd6786d15e
  571. 1c8ce25de7c3e61223b74c0c25c390b08157c35ee523cd3ad13d0e5f04d72301
  572. b52455d11893e16aac2aa2451a747902bfd0d41454a58f4dd11a8a15c6aabf34
  573. 7b793df9dc306e78aec1741d9ef0f38a9e7b5677bac66779c18de85334ad953d
  574. 1581b1babbda10ae6971f0e9ff822a65aa8bd4d98ea920dbeb9261e6e5f3939f
  575. 85986ff033d06fc7f8b1eaff949a4ad970240c2a64bada0f041756bcbf184bb4
  576. 7b556613e2f814670e721619781c1327dc6982655beef492a03e8b5449b7782b
  577. af22c77a25d4738ab3550a2f7e89ff2bfbb76663615bd067a6901040a33f464f
  578. 023da94a6a1283b26662c3583780102af5205108cb647b2ef546a4a8e5b9aa9f
  579. 828b7e9914f932108e52249577fa80987f20ebda94b8654fdc2964baa4d929a4
  580. 8cf9f14b8d68b1b2305b8f1519e274ec4e74aa9338d046605c0e788b5e30f8a5
  581. 26ca73ee3cbc5062f47556b88c88609a17dda511375f29fe7271300cb82da360
  582. aff24983ac7001c5451dc2846b5a32b7344d81c4cd7d2840042995b3044d98e5
  583. 4f4e11330d4a08dc6efb1ea46d5a662e9f538b86664ffe3d721e5294ceb7d430
  584. 67d05dd367015c892e3f0f50e5737a5138f00f626a134a85f1c2a6496132e691
  585. db2e803c063b6a8d618aa3aa5ad2bb2ee303b496e647a5b82a79dbbbaabff95b
  586. 3a0f72ddd376610e76f1a2fcea2a6526284a7f2272714f06056d90a3edc8f4d6
  587. 2d4c029c63ed1ca1131a3ddda7fd4e66078676407a476a00ccd09d2a85c8079b
  588. 7218111a64d849c230b9d6d315953fd4eacad8211eaaf6f03c1fc25414fdb608
  589. 2be2d55078be5d7a6982c89413fe4039cd65fd64f0e786481d785d726c24560d
  590. d5a00860e9c659e68ccc5150d9d54d702862aeab67453e12195cebb432f9e3cf
  591. b63bf916331ae1dec728a79c4f885b668b1eca1c6abdaea630a1940e44b621e8
  592. df0fb247a70c89c6562901405d16cc4d36f5052d95ecedc5b9ed5185a0125f91
  593. 52f088094f6aadfb98436b684c094e0ce059684797339ef65058cce7ef3447f1
  594. fd090323d4df1a960754906db0d1e9748537f5f25661f7a4ca2773240b58bc40
  595. bce589ff607e5a60063fea9c3b4ad8ce6a89ef833e395500363fa9ed9246cee9
  596. a11052d85933b9ebe77b92056e6efbd89393fecb51e3f0fd80a4cfa946cdb7d5
  597. 23398b697fcbad05afffa161f6335010f558d4974e81bd7d32cc4f1e07b06e59
  598. ba1753410ac11859abc6237cefbfd0fc63b872fae35967326374353049918c55
  599. 7d44f7f2b544573813e89633ebba598d028528adc829baeb4c549423b2228698
  600. 863bef93f145d590c49616b371a74a51cca7eaddb9be7b6a55d1d1ffd5f15cbd
  601. c10e6f58b4c3cef4ec5fc1bdb39d5d879c7a9c62e261bb47a74dff8c0d20118d
  602. de56ff30c012fd1c2b28d5d9c9747afe58cc414e185d59ba81f0dcaeda44dee1
  603. a0ce6a165177d79d8675d732c0f22f018dcae73487b2c9227508b0cd2c02d2f4
  604. 3a5f13bd1236171391ad45bf7369996f14b24bfcda152cada9bd04abd6351e6e
  605. 4c1f0a189477f1330c20a8a8869317569be3d5d87d018263babf560c454bc7ef
  606. 64f50f8c4e9bd7b196aa3d88694280da4762e02157d0f53ac68ca37e86d9e6f2
  607. 4fe8c71a6ac9f1846e68c90bafbdb7afd8ecc21bb59fc46dc45a053935386d31
  608. 4fe8c71a6ac9f1846e68c90bafbdb7afd8ecc21bb59fc46dc45a053935386d31
  609. d95e756519e7a387c644faeee84ab2c90ad53339bde37605dcba4c23c323be1c
  610. 3018734c8e915925793a54bfe29457bf245d9a58f3077d74ec22e2b04dcf9972
  611. 6e63ea61f944615450899ffdd9a9444c1051c7a66f3e5a089c4a6ed2da6e6ff1
  612. 372935f96d1e807f4891ffdcf2319728d0247660c0d7fe44738f3b58571751ce
  613.  
  614. http://animzzz.net/wp-content/I_0f/
  615. http://apnaoasis.com/wp-content/Y3_iT/
  616. http://acsboda.com/wp-includes/yn_gp/
  617. http://congchung.isocial.vn/img/6S_yF/
  618. http://www.axasta.com/wp-content/T8_Fp/
  619.  
  620.  
  621. Creation Time 2019-04-25 14:30 (From ZIP - JS Based - Fake Error)
  622. SHA256:
  623. 582938eafb9954ac94a8c9c2769a82e7e029a82ee5695bb8c9bf22e7b0fe00cb
  624.  
  625. https://kristyskincare.com/wp-admin/s_P8/
  626. https://addlab.it/dev/riunite/wp-content/uploads/js_composer/w0_R/
  627. http://46.101.45.199/wp-content/Ue_oH/
  628. http://4freemovie.gq/wp-content/Aa_V/
  629. http://subiran.ir/wp-admin/xn_I/
  630.  
  631. Creation Time 2019-04-25 09:26:00 (DOC Based - ENG - 365 Blue Box)
  632. SHA256:
  633. 3d3d72d079ac4d6709a8fe663e2e3f3426e0d4e132615036c46b23038dc0cebf
  634. b3e6382f49c7cd0ca3321c6bfa1b08e7b3ec57ca9cad5c29e7e37f0eccd210fa
  635. 9e506b942c42727c6a4c007ae5473c50a71f58ad78e8873588c3fd451ecd7da5
  636. 7a32c78114368d7e0ff4a99ff1dab817060c58ad5e1c18cd2c1178255090c42c
  637. be6473351331956dc550f794617da15925785c04c3c8bb63f998ef08b032aa2a
  638. 87ab3e0ad7c910590c7b4d04a8e572906de0901846d696924351a7f79030497b
  639. 80e4962e2297df28f40fc5404c737e44c7a6f99dd3bc40c53952b9c989b56a97
  640. 47d15e14ae126a2a669ee71f409be3b80bb1127327933c8991b05ecd453cf656
  641. d3c085cb5444dd3bee1f04a36f095305000b3e22f59738a4cf3b370c1d203863
  642. b3eb13fb68b2dd06dc7ff59e33ab72db682a967d187a780318b91cd41748d263
  643. 4dcdf99c5887c75f537f1e0fb424246417848c992eafb905c73c8c93ac4aa5d1
  644. 3c77b75f825a5e26fe1e4876665eb7fb2854928e9f25e32abd3dea255027f387
  645. adb17498e7aef92a20608d0899bca2e9c61c730889b3105e8e56517bb54217bc
  646.  
  647. http://sectaway.com/wp-includes/E_xv/
  648. http://ikatan.org/wp-includes/Y_1/
  649. http://cauar.com/wp-admin/M_V/
  650. http://qarardad.com/wp-admin/eU_F/
  651. http://mcclur.es/wp-content/m_R/
  652.  
  653. Creation Time 2019-04-25 09:00:00 (DOC Based - ENG - 365 Blue Box)
  654. SHA256:
  655. ee65c61941b260403e66e0b141cd9ba307540f8bdc79375c8f4609148e5f6cef
  656.  
  657. http://tcmnow.com/cgi-bin/J4_5/
  658. http://teledis.fr/updates/O_6/
  659. http://obosonews.info/wp-content/H_IP/
  660. http://musicfacile.com/cgi-bin/zw_wX/
  661. http://teambored.co.uk/Invoice/U4_t/
  662.  
  663. Creation Time 2019-04-24 20:45 (From ZIP - JS Based - Fake Error)
  664. SHA256:
  665. 6f785ecc79f5ca6ac6410eed4fa59bbe13ca49cc2e1f3e2bee9412811a6e3036
  666.  
  667. http://jieyilashedu.com/cgi-bin/ul_H/
  668. http://www.whwzyy.cn/wp-includes/KV_R4/
  669. http://kathiacam.com/sitemaps/x_F/
  670. http://immigrant.ca/wp-content/D_em/
  671. http://elmedicodeldeportista.com/wp-includes/qY_3C/
  672.  
  673. ```
  674. #### SHA256s for Epoch 2 Payload EXEs seen on 04/25/19 ####
  675. ```
  676.  
  677. 89ad8630a68b508f373d798c888211d5246b1d8086b64a04cad510c2ce2e312c
  678. f7fcb9822c801db26abd77bf1f243878fdce87df2431230f329be543efe09bea
  679. 2b474a0af6d5b0659eb5948b1e27acb51ce24a329eb1783dcf87622f90ba8371
  680. 5438104f416bb8a85e3352871e0d05b137548134af616058ddb3f98bde0d1353
  681. 8c8e7a11ed3827b7643e0d453efb973e124d34fb16c031bcfed66ed1ef7277e1
  682. 9bba87cb6add739e1763cc7f8f97630e3761d640957495317c297ce8e7c6b1a3
  683. b6e1f873b74b44ff5a8a0844344c10041bc8c0cc74bb33ab0eeb07b060579d46
  684. 26d3b33686b7a4440a986d56200d53d680a2d2643adf30dfce629f6f5fd24af1
  685. 95d709d21907afca6c95b2e6599ebecc75cac82916b9a82ce89d811b948e3180
  686.  
  687. ```
  688. #### Epoch 1 C2s ####
  689. ```
  690.  
  691. 103.201.150.209:80
  692. 103.213.212.42:443
  693. 107.159.94.183:8080
  694. 109.104.79.48:8080
  695. 109.73.52.242:8080
  696. 139.59.19.157:80
  697. 144.76.117.247:8080
  698. 165.227.213.173:8080
  699. 175.107.200.27:443
  700. 176.58.93.123:8080
  701. 177.225.175.199:80
  702. 181.142.29.90:80
  703. 181.199.151.19:80
  704. 181.29.101.13:80
  705. 181.29.186.65:80
  706. 181.30.126.66:80
  707. 181.37.126.2:80
  708. 185.86.148.222:8080
  709. 185.94.252.249:443
  710. 185.94.252.27:443
  711. 186.139.160.193:8080
  712. 187.188.166.192:80
  713. 189.205.185.71:465
  714. 190.117.206.153:443
  715. 190.147.116.32:21
  716. 190.171.230.41:80
  717. 192.155.90.90:7080
  718. 192.163.199.254:8080
  719. 196.6.112.70:443
  720. 197.248.67.226:8080
  721. 197.91.152.93:80
  722. 200.107.105.16:465
  723. 200.114.142.40:8080
  724. 200.28.131.215:443
  725. 210.2.86.72:8080
  726. 213.172.88.13:80
  727. 219.94.254.93:8080
  728. 23.254.203.51:8080
  729. 24.150.44.53:80
  730. 37.59.1.74:8080
  731. 43.229.62.186:8080
  732. 45.118.216.70:80
  733. 45.33.35.103:8080
  734. 5.9.128.163:8080
  735. 51.255.50.164:8080
  736. 62.75.143.100:7080
  737. 66.209.69.165:443
  738. 66.228.45.129:8080
  739. 69.163.33.82:8080
  740. 72.47.248.48:8080
  741. 77.82.85.35:8080
  742. 81.3.6.78:7080
  743. 82.226.163.9:80
  744. 85.132.96.242:80
  745. 88.215.2.29:80
  746. 89.135.138.149:80
  747. 91.205.215.57:7080
  748.  
  749. ```
  750. #### Epoch 1 - Spam/Stealer C2s ####
  751. ```
  752.  
  753. 31.172.86.183:8080
  754. 104.236.185.25:8080
  755. 50.116.63.9:7080
  756.  
  757. ```
  758. #### Current Epoch 1 RSA Public Key ####
  759. ```
  760.  
  761.  
  762. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
  763.  
  764. ```
  765. #### Epoch 2 C2s ####
  766. ```
  767.  
  768. 106.51.37.192:80
  769. 119.155.153.14:21
  770. 119.93.243.2:50000
  771. 124.123.42.93:80
  772. 133.242.156.30:7080
  773. 136.243.117.85:8080
  774. 138.201.140.110:8080
  775. 144.202.9.18:8080
  776. 147.135.210.39:8080
  777. 149.255.56.242:8080
  778. 159.0.130.149:443
  779. 162.243.125.212:8080
  780. 167.114.210.191:8080
  781. 173.255.196.209:8080
  782. 173.255.250.241:443
  783. 174.93.130.148:8443
  784. 175.100.138.82:22
  785. 176.63.173.71:995
  786. 177.230.108.144:22
  787. 177.242.214.30:80
  788. 178.62.37.188:443
  789. 178.79.161.166:443
  790. 179.14.2.75:21
  791. 180.150.87.75:22
  792. 181.39.51.243:993
  793. 183.82.110.170:53
  794. 186.4.234.27:443
  795. 186.85.38.31:443
  796. 187.189.195.208:8443
  797. 190.112.228.47:443
  798. 190.180.106.137:53
  799. 190.193.18.37:20
  800. 191.92.69.115:80
  801. 195.99.230.208:80
  802. 2.50.52.255:20
  803. 201.220.152.101:80
  804. 208.78.100.202:8080
  805. 211.63.71.72:8080
  806. 213.14.166.152:990
  807. 216.98.148.156:8080
  808. 217.13.106.160:7080
  809. 45.123.3.54:443
  810. 45.249.156.10:8090
  811. 45.33.49.124:443
  812. 5.230.147.179:8080
  813. 50.101.180.172:7080
  814. 50.31.0.160:8080
  815. 58.65.211.99:50000
  816. 58.9.168.7:990
  817. 62.75.187.192:8080
  818. 64.13.225.150:8080
  819. 67.205.149.117:8080
  820. 69.198.17.7:8080
  821. 69.45.19.145:8080
  822. 77.111.149.55:80
  823. 77.56.253.112:80
  824. 78.100.187.118:80
  825. 78.186.5.109:443
  826. 83.110.155.238:8090
  827. 84.241.10.111:53
  828. 85.104.59.244:20
  829. 86.99.35.122:20
  830. 87.106.139.101:8080
  831. 91.205.215.66:8080
  832. 94.130.35.140:443
  833. 94.76.200.114:8080
  834. 95.128.43.213:8080
  835.  
  836. ```
  837. #### Epoch 2 - Spam/Stealer C2s ####
  838. ```
  839.  
  840. 198.58.114.91:4143
  841. 213.136.86.219:7080
  842. 91.205.215.10:7080
  843.  
  844. ```
  845. #### Current Epoch 2 RSA Public Key ####
  846. ```
  847.  
  848. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
  849.  
  850. ```
  851. #### Credits and Notes Section ####
  852. ```
  853.  
  854. WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch, because they rock and report everything to ISPs as it
  855. is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days' lists here to get the full picture:
  856. https://pastebin.com/u/jroosen
  857.  
  858. NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
  859. I am providing them for your benefit in case you want to parse them to be sure.
  860.  
  861. ```
  862. #### What is Epoch 1 and Epoch 2? ####
  863. ```
  864.  
  865. What is Epoch 1 and Epoch 2? (updated 03/07/2019)
  866.  
  867. I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed different timescales of
  868. payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures and separate RSA keys for communications.
  869. Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller, more
  870. rapidly changing version of Emotet at one point in the last half of 2018. Since then, Epoch 2 seems to have become the smaller of the two.
  871. This seems to change back and forth over a 6-month period. Despite having unique, unshared C2 infrastructures, these two botnets have been seen
  872. to move bots from one to the other and show similar behaviors, seemingly controlled by a single entity/group, e.g. going on breaks during the same
  873. time period.
  874. Here are some observations I have noted since I have been watching these botnets:
  875.  
  876. - Checking a document download site from Epoch 1 will deliver a document that is different from what is being delivered at the same time on an
  877. Epoch 2 document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those
  878. being delivered in maldocs on Epoch 2 at any one time.
  879. - Document hashes change every 10 minutes on both Epochs while distribution/spamming is active.
  880. - Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
  881. - Every Monday a new set of document download sites, usually with templates to accompany them, is generated early on
  882. Monday morning/Sunday night.
  883. - Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
  884. Epoch 2 may have a document hosted on host.tld/B.
  885. - The RSA keys used for C2 communications on each Epoch/botnet change every few months.
  886. - Binaries for Epoch 1 payload sites are different from the binaries for Epoch 2 payload sites.
  887. *- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
  888. - Each binary has a hard-coded list of C2 sites unique to the Epoch it was derived from.
  889. - C2s are never shared between Epochs/botnets.
  890. - Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
  891. via C2 to stay ahead of AV defs.
  892. - Spamming activity seems to cease on each botnet at around 00:00 UTC each day. It usually starts back up around 07:00-08:00 UTC each day.
  893. - Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
  894. - The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA key. HINT - CAPE Sandbox makes this
  895. easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
  896. - Changes in behavior are often deployed to one botnet and then to the other, as if the first was a test. This has been observed for obfuscation,
  897. spam template, word template, document type and even payload.
  898.  
  899. If I think of anything else to add or if anyone else has any suggestions, I will add them here.
  900.  
  901. ```
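The observation above that the RSA key identifies the botnet can be turned into a small check. The following is an added example (not code from this paste or from any of the tools credited here): it takes the two "Current Epoch N RSA Public Key" values published above, strips the line-wrapping whitespace, walks the DER SubjectPublicKeyInfo with the standard library only, and fingerprints the key so that a key pulled out of a sample's configuration (for example by a sandbox) can be matched to an Epoch. The only assumptions are that the keys are standard PKCS#1/X.509 `rsaEncryption` SPKI structures, which the shared `MHww…` prefix indicates, and the function and variable names, which are mine.

```python
import base64
import hashlib
import re

# Keys copied from the "Current Epoch N RSA Public Key" sections of this paste,
# including the spaces left over from line wrapping.
EPOCH_KEYS = {
    "Epoch 1": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ "
               "0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ "
               "Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB",
    "Epoch 2": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx "
               "S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc "
               "hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB",
}

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def normalize(b64):
    """Collapse whitespace (line wrapping, copy/paste) and return the raw DER bytes."""
    return base64.b64decode(re.sub(r"\s+", "", b64))


def _tlv(buf, pos):
    """Read one DER tag/length/value starting at pos; returns (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(b64):
    """Walk a DER SubjectPublicKeyInfo and return modulus size, exponent and a fingerprint."""
    der = normalize(b64)
    tag, spki, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)           # AlgorithmIdentifier ::= SEQUENCE { OID, NULL }
    _, oid, _ = _tlv(alg, 0)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not rsaEncryption")
    tag, bits, _ = _tlv(spki, pos)          # BIT STRING; first byte is the unused-bit count
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected BIT STRING")
    _, rsapub, _ = _tlv(bits, 1)            # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    _, n_bytes, pos = _tlv(rsapub, 0)
    _, e_bytes, _ = _tlv(rsapub, pos)
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {
        "bits": n.bit_length(),
        "exponent": e,
        "fingerprint": hashlib.sha256(der).hexdigest(),
    }


# Fingerprint -> Epoch table built once from the published keys.
KNOWN = {parse_rsa_spki(k)["fingerprint"]: name for name, k in EPOCH_KEYS.items()}


def identify_epoch(b64):
    """Map a key pulled from a sample's config to an Epoch, or None if it is unknown/unparseable."""
    try:
        fp = parse_rsa_spki(b64)["fingerprint"]
    except (ValueError, IndexError):
        return None
    return KNOWN.get(fp)


if __name__ == "__main__":
    for name, key in EPOCH_KEYS.items():
        info = parse_rsa_spki(key)
        print(name, info["bits"], "bit, e =", info["exponent"], "sha256:", info["fingerprint"][:16])
```

Both keys parse as 768-bit RSA with the usual exponent 65537; the fingerprint is the SHA-256 of the normalized DER, so the same key copied with different wrapping still matches. When the keys rotate (the list above says every few months), only the `EPOCH_KEYS` table needs updating.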
  902. #### Community Lists ####
  903. ```
  904.  
  905. https://pastebin.com/CXswHAtM - @ps66uk
  906. https://pastebin.com/VzSYSNTj - @pollo290987
  907. https://otx.alienvault.com/pulse/5cc20fa1589f09f1979d6336/ - @SecSome
  908. https://pastebin.com/3p98x9Cb - @lazyactivist192
  909. https://twitter.com/CapeSandbox/status/1121388436248772608 - @CapeSandbox
  910.  
  911. ```
  912. #### Credits ####
  913. ```
  914. (OC from @JRoosen and/or combination work of the following)
  915.  
  916. Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
  917. @0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
  918. @Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk
  919.  
  920. C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
  921. @devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192
  922.  
  923. Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
  924. @pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
  925. @papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192
  926.  
  927. Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
  928.  
  929. Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
  930. helping out with this!
  931.  
  932. Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
  933. @digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
  934. @urlscanio and @Virustotal for providing services/software no charge to this cause!
  935.  
  936. ```
  937. #### Daily Log 04-24-19 ####
  938. ```
  939.  
  940. General News:
  941.  
  942. I only received a couple of malspams today and it was not a heavy day. Still, there was more news and changes to report.
  943. Again we are seeing weirdness in the deployment of the EXE loader. It seems like we are really dealing with two types of binaries
  944. that are being switched out to see which one is more effective. James Quinn and I have been comparing notes over the past
  945. few days on this subject and he made an important discovery today. The Heaven's Gate usage was actually not coming from the
  946. loader itself but comes into the picture only after the loader contacts C2. He determined that the modules (for example the mail stealer)
  947. obtained from C2 were the ones being loaded via Heaven's Gate. If the loader is executed in an environment without Internet or C2
  948. access, this behavior is not seen. This was later further confirmed by Kevin O'Reilly of the CAPE project and @luca_nagy_.
  949. Here are the tweets and notes concerning this:
  950.  
  951. https://twitter.com/lazyactivist192/status/1121444278549516295
  952. https://twitter.com/CapeSandbox/status/1121388436248772608
  953. https://twitter.com/CapeSandbox/status/1121447780466221056
  954.  
  955. I must say that the amount of packages and yara rules built into CAPE are quite awesome! The CAPE Sandbox is an awesome project.
  956. I find it really cool that Kevin already had detection for this and an additional package already in the works!
  957.  
  958. In other news:
  959.  
  960. Trend Micro and Bleeping Computer are reporting some "new" trends for Emotet C2 behavior.
  961. https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers/
  962. https://twitter.com/BleepinComputer/status/1121446214564753408
  963.  
  964. I found this report to be a little bit of old news with some misinformation. Here is why:
  965.  
  966. The C2 protocol changed last month to a POST with 4 random directories added to the URL, versus the large-cookie GET method.
  967. This was already covered by a few organizations, so this report is about a month late. Example:
  968. https://cofense.com/emotet-update-new-c2-communication-followed-new-infection-chain/
  969.  
  970. In addition to this, the information regarding the compromised connected devices is very questionable. It is well known
  971. that Emotet has been deploying a UPnP module and many of the Tier 1 C2 IPs are actually SOHO gateways with an infected
  972. Windows box behind them that is using that port via UPnP. Just because you see other devices on that same IP does not
  973. rule out that they are separate PAT/port forwards on the same NAT IP/firewall. This report spawned the following
  974. rebuttals:
  975.  
  976. https://twitter.com/JayTHL/status/1121451004053131268
  977. https://twitter.com/raashidbhatt/status/1121464823940694018
  978. https://twitter.com/MalwareTechBlog/status/1121461070684573697
  979.  
  980. Email Template Report:
  981.  
  982. I only received 2 malspams today. One was an attachment based malspam in Spanish. The other was a generic link malspam.
  983. Other people such as @ps66uk mentioned they were also getting reply chain based malspams today and actually got quite
  984. a few malspams in general. I recommend checking out @ps66uk's report here:
  985. https://twitter.com/ps66uk/status/1121526438858035200
  986. https://twitter.com/ps66uk/status/1121361215446573056
  987.  
  988. Review:
  989. What we know about the threaded templates/reply chain:(changes are marked with *)
  990.  
  991. - Emails are sourced from once (or still) compromised users all over the world.
  992. - Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
  993. to the compromised party on or before Nov 2018 until at least January 2019 (may be up to the present). Emails going
  994. back as far as June 2018 have also been seen.
  995. - Now on E1 and E2.
  996. - Now seeing German based templates that are essentially the same thing but in German.
  997. *- The injected reply is usually prefaced with the following:
  998. "Attached is your confidential docs."
  999. "Attached please find the wire transfer form."
  1000. "Thank you for your help. Please see the attached."
  1001. *"Load instructions attached"
  1002. *"A printer friendly attachment is now included with each email."
  1003. *"Click on the attachment to open or save the printer friendly version of your report."
  1004. - Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
  1005. - Attachments seem to be in the filename format of *_April_DD_YYYY.doc/js so far.
  1006. - The link is customized for the display text of the link to show the real domain of the spoofed organization.
  1007. - These templates are pretty limited in run and not very numerous.
  1008.  
  1009. Link Regex Report:
  1010.  
  1011. Regex directory patterns - The following patterns were still seen active today, just like yesterday.
  1012.  
  1013. E1
  1014. \/(Frage|Nachprufung|nachpr|sich|sichern|vertrauen|([DdeEnN_]{2,5}))\/([0-49\-]){6,7}\/
  1015. https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
  1016.  
  1017. E2
  1018. https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/
  1019. https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{8,12})\/
  1020.  
  1021. Payloads Report:
  1022.  
  1023. E1 had 3 quintets today. E1 did one round of DOCs as attachments only this morning. There was no indication of this group
  1024. of documents on distro links. The last 2 quintets were once again ZIP/JS. It seemed like some of the German based URLs
  1025. \/(Frage|Nachprufung|nachpr|sich|sichern|vertrauen|([DdeEnN_]{2,5}))\/([0-49\-]){6,7}\/ were the ones doing the direct JS
  1026. and the other E1 format was doing the ZIP/JS files. Most were ZIP/JS via links today.
  1027. I saw both link based and direct DOC attachment stage 2.
  1028.  
  1029. E1 EXE loaders have been interesting lately and there is clearly active work being done. Slow updates were seen in Distro
  1030. all night and morning with spacing at a pace of about 5-10 hours. The new heavily obfuscated EXEs were seen until about 12:30 UTC.
  1031. At that point the old loader came back for a single update. At 20:00UTC the old method of 10-15 minute hash busting came back for
  1032. the E1 EXEs on distro and 2 hours on C2. All of the EXEs from this point until current time are the old loader still and still
  1033. actively hash busting.
  1034.  
  1035. E2 had 4 quintets today, which is a normal count, but the way they were deployed was not normal. It seemed like 2 sets of ZIP/JS
  1036. files were released with the hashbusting nonsense and then near the same time 2 sets of hash busting DOCs were released. One of
  1037. the DOCs is still hash busting now every 10 minutes or so. Normally they are released 1 after the other but these 4 kinda overlapped
  1038. each other. Maybe Ivan was getting lazy and just did it all at once. Interestingly, ZIP/JSes were coming from the pattern:
  1039. https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/ links and .DOCs were coming from the other regex:
  1040. https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{8,12})\/. It seems like there is duality for each botnet each day.
  1041. Almost as if there are really 4 campaigns going at once.
  1042.  
  1043. E2 EXE loaders were almost all the new loader style today with the exception of a release around 12:20 of the old style loader.
  1044. This was followed promptly with a new loader type EXE at 14:45UTC and there were a few sporadic hash busts every 5 hours since then.
  1045. E2 is still on the new loader now. C2 looks the same as Distro for the hashes available. James Quinn dumped the new loader
  1046. and extracted the C2s for us! :) Thanks James!
  1047.  
  1048. C2 Report:
  1049.  
  1050. C2s did NOT change for E1 and remained at 57 combos in total. - recorded above
  1051. C2s DID change for E2 and count remained at 67 combos in total. - recorded above
  1052.  
  1053. Closing:
  1054.  
  1055. I wanted to mention that Ivan is a fictional character I have made up that represents a random Russian name for the actor behind
  1056. this. In reality it is not known who is really behind Emotet but it is likely a team of criminals and not any one person. It is
  1057. a good thing we have a team of researchers/ISPs/Hosters/LEAs and Private Industry fighting that team. :)
  1058.  
  1059. TT
  1060.  
  1061. ```
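The four directory patterns from the Link Regex Report in the daily log above are the kind of thing a defender wants to run over proxy logs rather than read. The block below is an added example (not code from this paste or from the people credited here) that compiles those patterns exactly as published and tags each URL in a few constructed log lines with the pattern(s) it hits. The log lines, hostnames and paths are made up for the demonstration and are not IoCs; the pattern names and functions are mine. One caveat worth knowing before relying on the German E1 pattern: its character class `[0-49\-]` matches the digits 0 to 4, the digit 9 and a hyphen, not all digits, so it is kept here verbatim rather than "corrected".

```python
import re

# Directory patterns copied verbatim from the Link Regex Report (E1 = Epoch 1, E2 = Epoch 2).
PATTERNS = {
    "E1-german": r"\/(Frage|Nachprufung|nachpr|sich|sichern|vertrauen|([DdeEnN_]{2,5}))\/([0-49\-]){6,7}\/",
    "E1-generic": r"https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/",
    "E2-dashed": r"https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/",
    "E2-folder": r"https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{8,12})\/",
}
COMPILED = {name: re.compile(p) for name, p in PATTERNS.items()}


def classify_url(url):
    """Return the names of every published pattern the URL matches (possibly several, possibly none)."""
    return [name for name, rx in COMPILED.items() if rx.search(url)]


# Constructed proxy-log lines: "<timestamp> <client> <method> <url> <status>".
# Hosts use the reserved .invalid TLD and the paths are invented to fit (or miss) the patterns.
SAMPLE_LOG = """\
2019-04-25T09:31:02Z 10.0.0.15 GET http://example-a.invalid/wp-content/Abcd1-EfGhIjKlMnOpQrSt_UvWxYz123-Ab/ 200
2019-04-25T09:32:10Z 10.0.0.22 GET http://example-b.invalid/blog/Scan/a1B2c3D4e5F6/ 200
2019-04-25T09:33:45Z 10.0.0.22 GET http://example-c.invalid/site/abc12-defg3-hij45/ 200
2019-04-25T09:35:00Z 10.0.0.31 GET http://example-d.invalid/shop/sichern/012-349/ 200
2019-04-25T09:36:12Z 10.0.0.40 GET http://example-e.invalid/wp-content/uploads/2019/04/report.pdf 200
"""


def scan_log(text):
    """Return (client, url, matched_patterns) for every line whose URL hits at least one pattern."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash the scan
        client, url = parts[1], parts[3]
        matched = classify_url(url)
        if matched:
            hits.append((client, url, matched))
    return hits


if __name__ == "__main__":
    for client, url, matched in scan_log(SAMPLE_LOG):
        print(client, ",".join(matched), url)
```

Four of the five constructed lines match (one per pattern) and the ordinary `report.pdf` fetch does not. The patterns are directory-shape heuristics, so in practice a hit is a pivot to look at what the client did next (document download, then an EXE fetch from one of the payload paths listed above), not a verdict on its own.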
  1062. #### Sandbox 04/25/19 ####
  1063. (all with fakenet and MITM unless spam/secondary infection)
  1064. ```
  1065.  
  1066. Epoch 1 C2 run on 2019-04-26 at 03:30 UTC - https://cape.contextis.com/analysis/69497/
  1067.  
  1068. ```
  1069.  
  1070. ```
  1071.  
  1072. Epoch 2 C2 run on 2019-04-25 at 23:15 UTC - https://cape.contextis.com/analysis/69427/
  1073.  
  1074. ```