## Emotet Malware Document links/IOCs for 04/25/19 as of 04/26/19 00:45 EDT ##
*Notes and Credits now at the bottom* Follow us on twitter @cryptolaemus1 for more updates.
#### Epoch 1 Document/Downloader links seen for 04/25/19 ####
#### Epoch 2 Document/Downloader links seen for 04/25/19 ####
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2019-04-25 16:30 (JS Based - Fake Error)
Creation Time 2019-04-25 09:15 (JS Based - Fake Error)
Creation Time 2019-04-25 04:26:00 (AttOnly - DOC Based - ENG - Off-Center - Light Blue White)
Creation Time 2019-04-24 17:00 (JS Based - Fake Error)
```
#### SHA256s for Epoch 1 Payload EXEs seen on 04/25/19 ####
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2019-04-25 13:36:00 (DOC Based - ENG - 365 Blue Box)
```
- d95e756519e7a387c644faeee84ab2c90ad53339bde37605dcba4c23c323be1c
- 3018734c8e915925793a54bfe29457bf245d9a58f3077d74ec22e2b04dcf9972
- 6e63ea61f944615450899ffdd9a9444c1051c7a66f3e5a089c4a6ed2da6e6ff1
- 372935f96d1e807f4891ffdcf2319728d0247660c0d7fe44738f3b58571751ce
- http://animzzz.net/wp-content/I_0f/
- http://apnaoasis.com/wp-content/Y3_iT/
- http://acsboda.com/wp-includes/yn_gp/
- http://congchung.isocial.vn/img/6S_yF/
- http://www.axasta.com/wp-content/T8_Fp/
- Creation Time 2019-04-25 14:30 (From ZIP - JS Based - Fake Error)
- SHA256:
- 582938eafb9954ac94a8c9c2769a82e7e029a82ee5695bb8c9bf22e7b0fe00cb
- https://kristyskincare.com/wp-admin/s_P8/
- https://addlab.it/dev/riunite/wp-content/uploads/js_composer/w0_R/
- http://46.101.45.199/wp-content/Ue_oH/
- http://4freemovie.gq/wp-content/Aa_V/
- http://subiran.ir/wp-admin/xn_I/
- Creation Time 2019-04-25 09:26:00 (DOC Based - ENG - 365 Blue Box)
- SHA256:
- 3d3d72d079ac4d6709a8fe663e2e3f3426e0d4e132615036c46b23038dc0cebf
- b3e6382f49c7cd0ca3321c6bfa1b08e7b3ec57ca9cad5c29e7e37f0eccd210fa
- 9e506b942c42727c6a4c007ae5473c50a71f58ad78e8873588c3fd451ecd7da5
- 7a32c78114368d7e0ff4a99ff1dab817060c58ad5e1c18cd2c1178255090c42c
- be6473351331956dc550f794617da15925785c04c3c8bb63f998ef08b032aa2a
- 87ab3e0ad7c910590c7b4d04a8e572906de0901846d696924351a7f79030497b
- 80e4962e2297df28f40fc5404c737e44c7a6f99dd3bc40c53952b9c989b56a97
- 47d15e14ae126a2a669ee71f409be3b80bb1127327933c8991b05ecd453cf656
- d3c085cb5444dd3bee1f04a36f095305000b3e22f59738a4cf3b370c1d203863
- b3eb13fb68b2dd06dc7ff59e33ab72db682a967d187a780318b91cd41748d263
- 4dcdf99c5887c75f537f1e0fb424246417848c992eafb905c73c8c93ac4aa5d1
- 3c77b75f825a5e26fe1e4876665eb7fb2854928e9f25e32abd3dea255027f387
- adb17498e7aef92a20608d0899bca2e9c61c730889b3105e8e56517bb54217bc
- http://sectaway.com/wp-includes/E_xv/
- http://ikatan.org/wp-includes/Y_1/
- http://cauar.com/wp-admin/M_V/
- http://qarardad.com/wp-admin/eU_F/
- http://mcclur.es/wp-content/m_R/
- Creation Time 2019-04-25 09:00:00 (DOC Based - ENG - 365 Blue Box)
- SHA256:
- ee65c61941b260403e66e0b141cd9ba307540f8bdc79375c8f4609148e5f6cef
- http://tcmnow.com/cgi-bin/J4_5/
- http://teledis.fr/updates/O_6/
- http://obosonews.info/wp-content/H_IP/
- http://musicfacile.com/cgi-bin/zw_wX/
- http://teambored.co.uk/Invoice/U4_t/
- Creation Time 2019-04-24 20:45 (From ZIP - JS Based - Fake Error)
- SHA256:
- 6f785ecc79f5ca6ac6410eed4fa59bbe13ca49cc2e1f3e2bee9412811a6e3036
- http://jieyilashedu.com/cgi-bin/ul_H/
- http://www.whwzyy.cn/wp-includes/KV_R4/
- http://kathiacam.com/sitemaps/x_F/
- http://immigrant.ca/wp-content/D_em/
- http://elmedicodeldeportista.com/wp-includes/qY_3C/
- ```
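The payload blocks above follow a fixed layout (a `Creation Time` header, a `SHA256:` marker, one document hash per line, then the payload URLs for that quintet), which makes them easy to ingest into a TIP or blocklist without hand-copying. The parser below is an added example and is not part of the original paste or of Cryptolaemus tooling. Its sample input copies two of the quintets above verbatim, with one hash line deliberately repeated to show that duplicates are collapsed; the `- ` list prefix the paste view adds to every line is stripped, and any line that is neither a header, a hash nor a URL raises rather than being silently dropped.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the exact layout of the "Payloads by Document SHA256"
# blocks: a "Creation Time" header, a "SHA256:" marker, one document hash per
# line, then the payload URLs of that quintet. Hashes and URLs are copied from
# the page; the repeated hash line is deliberate, to exercise de-duplication.
SAMPLE_BLOCK = """\
Creation Time 2019-04-25 14:30 (From ZIP - JS Based - Fake Error)
SHA256:
582938eafb9954ac94a8c9c2769a82e7e029a82ee5695bb8c9bf22e7b0fe00cb
582938eafb9954ac94a8c9c2769a82e7e029a82ee5695bb8c9bf22e7b0fe00cb
https://kristyskincare.com/wp-admin/s_P8/
https://addlab.it/dev/riunite/wp-content/uploads/js_composer/w0_R/
http://46.101.45.199/wp-content/Ue_oH/
http://4freemovie.gq/wp-content/Aa_V/
http://subiran.ir/wp-admin/xn_I/
Creation Time 2019-04-25 09:00:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
ee65c61941b260403e66e0b141cd9ba307540f8bdc79375c8f4609148e5f6cef
http://tcmnow.com/cgi-bin/J4_5/
http://teledis.fr/updates/O_6/
http://obosonews.info/wp-content/H_IP/
http://musicfacile.com/cgi-bin/zw_wX/
http://teambored.co.uk/Invoice/U4_t/
"""

# Header time is printed either as HH:MM or HH:MM:SS; the parenthesised
# part is the template/type tag (e.g. "DOC Based - ENG - 365 Blue Box").
HEADER_RE = re.compile(
    r"^Creation Time (\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?) \((.+)\)$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
URL_RE = re.compile(r"^https?://\S+$")


@dataclass
class Quintet:
    created: str                                  # creation time as printed (UTC)
    kind: str                                     # template/type tag from the header
    sha256s: list = field(default_factory=list)   # document hashes, de-duplicated
    urls: list = field(default_factory=list)      # payload download URLs


def parse_payload_block(text):
    """Parse one payload block into Quintet records.

    Strips the '- ' list prefix the paste view adds, ignores blank lines,
    fences and the 'SHA256:' marker, records a repeated hash once, and
    raises on anything unrecognised so copy/paste damage is noticed.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- "):
            line = line[2:].strip()
        if not line or line == "```" or line == "SHA256:":
            continue
        header = HEADER_RE.match(line)
        if header:
            current = Quintet(created=header.group(1), kind=header.group(2))
            records.append(current)
        elif current is None:
            raise ValueError(f"data before first Creation Time header: {line!r}")
        elif SHA256_RE.match(line):
            if line not in current.sha256s:
                current.sha256s.append(line)
        elif URL_RE.match(line):
            current.urls.append(line)
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return records


def flatten(records):
    """One (created, kind, ioc_type, value) row per indicator, ready for CSV/TIP import."""
    rows = []
    for q in records:
        rows += [(q.created, q.kind, "sha256", h) for h in q.sha256s]
        rows += [(q.created, q.kind, "url", u) for u in q.urls]
    return rows


if __name__ == "__main__":
    for q in parse_payload_block(SAMPLE_BLOCK):
        print(f"{q.created}  {q.kind}: {len(q.sha256s)} doc hash(es), {len(q.urls)} payload URLs")
```

Feed `flatten()` straight into `csv.writer` or your TIP's bulk import; keeping the creation time and template tag on every row preserves the quintet grouping, which is what lets you later tell which payload URLs belong to which document wave.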
- #### SHA256s for Epoch 2 Payload EXEs seen on 04/25/19 ####
- ```
- 89ad8630a68b508f373d798c888211d5246b1d8086b64a04cad510c2ce2e312c
- f7fcb9822c801db26abd77bf1f243878fdce87df2431230f329be543efe09bea
- 2b474a0af6d5b0659eb5948b1e27acb51ce24a329eb1783dcf87622f90ba8371
- 5438104f416bb8a85e3352871e0d05b137548134af616058ddb3f98bde0d1353
- 8c8e7a11ed3827b7643e0d453efb973e124d34fb16c031bcfed66ed1ef7277e1
- 9bba87cb6add739e1763cc7f8f97630e3761d640957495317c297ce8e7c6b1a3
- b6e1f873b74b44ff5a8a0844344c10041bc8c0cc74bb33ab0eeb07b060579d46
- 26d3b33686b7a4440a986d56200d53d680a2d2643adf30dfce629f6f5fd24af1
- 95d709d21907afca6c95b2e6599ebecc75cac82916b9a82ce89d811b948e3180
- ```
- #### Epoch 1 C2s ####
- ```
- 103.201.150.209:80
- 103.213.212.42:443
- 107.159.94.183:8080
- 109.104.79.48:8080
- 109.73.52.242:8080
- 139.59.19.157:80
- 144.76.117.247:8080
- 165.227.213.173:8080
- 175.107.200.27:443
- 176.58.93.123:8080
- 177.225.175.199:80
- 181.142.29.90:80
- 181.199.151.19:80
- 181.29.101.13:80
- 181.29.186.65:80
- 181.30.126.66:80
- 181.37.126.2:80
- 185.86.148.222:8080
- 185.94.252.249:443
- 185.94.252.27:443
- 186.139.160.193:8080
- 187.188.166.192:80
- 189.205.185.71:465
- 190.117.206.153:443
- 190.147.116.32:21
- 190.171.230.41:80
- 192.155.90.90:7080
- 192.163.199.254:8080
- 196.6.112.70:443
- 197.248.67.226:8080
- 197.91.152.93:80
- 200.107.105.16:465
- 200.114.142.40:8080
- 200.28.131.215:443
- 210.2.86.72:8080
- 213.172.88.13:80
- 219.94.254.93:8080
- 23.254.203.51:8080
- 24.150.44.53:80
- 37.59.1.74:8080
- 43.229.62.186:8080
- 45.118.216.70:80
- 45.33.35.103:8080
- 5.9.128.163:8080
- 51.255.50.164:8080
- 62.75.143.100:7080
- 66.209.69.165:443
- 66.228.45.129:8080
- 69.163.33.82:8080
- 72.47.248.48:8080
- 77.82.85.35:8080
- 81.3.6.78:7080
- 82.226.163.9:80
- 85.132.96.242:80
- 88.215.2.29:80
- 89.135.138.149:80
- 91.205.215.57:7080
- ```
- #### Epoch 1 - Spam/Stealer C2s ####
- ```
- 31.172.86.183:8080
- 104.236.185.25:8080
- 50.116.63.9:7080
- ```
- #### Current Epoch 1 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+
- 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ
- Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
- ```
- #### Epoch 2 C2s ####
- ```
- 106.51.37.192:80
- 119.155.153.14:21
- 119.93.243.2:50000
- 124.123.42.93:80
- 133.242.156.30:7080
- 136.243.117.85:8080
- 138.201.140.110:8080
- 144.202.9.18:8080
- 147.135.210.39:8080
- 149.255.56.242:8080
- 159.0.130.149:443
- 162.243.125.212:8080
- 167.114.210.191:8080
- 173.255.196.209:8080
- 173.255.250.241:443
- 174.93.130.148:8443
- 175.100.138.82:22
- 176.63.173.71:995
- 177.230.108.144:22
- 177.242.214.30:80
- 178.62.37.188:443
- 178.79.161.166:443
- 179.14.2.75:21
- 180.150.87.75:22
- 181.39.51.243:993
- 183.82.110.170:53
- 186.4.234.27:443
- 186.85.38.31:443
- 187.189.195.208:8443
- 190.112.228.47:443
- 190.180.106.137:53
- 190.193.18.37:20
- 191.92.69.115:80
- 195.99.230.208:80
- 2.50.52.255:20
- 201.220.152.101:80
- 208.78.100.202:8080
- 211.63.71.72:8080
- 213.14.166.152:990
- 216.98.148.156:8080
- 217.13.106.160:7080
- 45.123.3.54:443
- 45.249.156.10:8090
- 45.33.49.124:443
- 5.230.147.179:8080
- 50.101.180.172:7080
- 50.31.0.160:8080
- 58.65.211.99:50000
- 58.9.168.7:990
- 62.75.187.192:8080
- 64.13.225.150:8080
- 67.205.149.117:8080
- 69.198.17.7:8080
- 69.45.19.145:8080
- 77.111.149.55:80
- 77.56.253.112:80
- 78.100.187.118:80
- 78.186.5.109:443
- 83.110.155.238:8090
- 84.241.10.111:53
- 85.104.59.244:20
- 86.99.35.122:20
- 87.106.139.101:8080
- 91.205.215.66:8080
- 94.130.35.140:443
- 94.76.200.114:8080
- 95.128.43.213:8080
- ```
- #### Epoch 2 - Spam/Stealer C2s ####
- ```
- 198.58.114.91:4143
- 213.136.86.219:7080
- 91.205.215.10:7080
- ```
- #### Current Epoch 2 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx
- S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc
- hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
- ```
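With both Epoch keys printed above, a key pulled out of a sample (for instance from a CAPE run) can be attributed to an Epoch by comparing fingerprints. The script below is an added example, not part of the original paste and not Cryptolaemus or CAPE code: it walks the DER of each base64 SubjectPublicKeyInfo by hand (no crypto library needed), reports modulus size and exponent, and fingerprints the DER with SHA-256. The only inputs are the two keys published above; `epoch_for_key` is an illustrative helper name.

```python
import base64
import hashlib

# The two keys published above (Epoch 1 and Epoch 2), joined back from their
# 64-character PEM line wrapping. These are the page's own values.
EPOCH_KEYS = {
    "Epoch 1": (
        "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+"
        "0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ"
        "Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB"
    ),
    "Epoch 2": (
        "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx"
        "S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc"
        "hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB"
    ),
}

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _expect(tag, wanted, what):
    if tag != wanted:
        raise ValueError(f"bad DER: expected {what} (0x{wanted:02x}), got 0x{tag:02x}")


def parse_rsa_spki(b64_text):
    """Parse a base64 X.509 SubjectPublicKeyInfo that carries an RSA key.

    Whitespace (PEM line wrapping) is ignored. Returns the modulus n, the
    public exponent e, the modulus size in bits and the SHA-256 of the DER,
    which serves as a stable fingerprint for the key.
    """
    der = base64.b64decode("".join(b64_text.split()))
    tag, spki, _ = _tlv(der, 0)
    _expect(tag, 0x30, "SubjectPublicKeyInfo SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)
    _expect(tag, 0x30, "AlgorithmIdentifier SEQUENCE")
    tag, oid, _ = _tlv(alg, 0)
    _expect(tag, 0x06, "algorithm OID")
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _tlv(spki, pos)
    _expect(tag, 0x03, "subjectPublicKey BIT STRING")
    if bits[0] != 0:
        raise ValueError("unexpected unused bits in BIT STRING")
    tag, rsa, _ = _tlv(bits, 1)               # skip the unused-bits byte
    _expect(tag, 0x30, "RSAPublicKey SEQUENCE")
    tag, n_bytes, pos = _tlv(rsa, 0)
    _expect(tag, 0x02, "modulus INTEGER")
    tag, e_bytes, _ = _tlv(rsa, pos)
    _expect(tag, 0x02, "publicExponent INTEGER")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {"n": n, "e": e, "bits": n.bit_length(),
            "sha256": hashlib.sha256(der).hexdigest()}


def epoch_for_key(b64_text):
    """Name the Epoch whose published key matches the given one, or None."""
    fp = parse_rsa_spki(b64_text)["sha256"]
    for name, known in EPOCH_KEYS.items():
        if parse_rsa_spki(known)["sha256"] == fp:
            return name
    return None


if __name__ == "__main__":
    for name, key in EPOCH_KEYS.items():
        info = parse_rsa_spki(key)
        print(f"{name}: RSA-{info['bits']}, e={info['e']}, sha256={info['sha256']}")
```

Both keys decode as 768-bit RSA with e = 65537, so size alone does not separate the Epochs; the attribution is by exact DER match. A key that parses cleanly but matches neither fingerprint is worth flagging, since the notes below say the keys rotate every few months.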
- #### Credits and Notes Section ####
- ```
- WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it
- is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
- https://pastebin.com/u/jroosen
- NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
- I am providing them for your benefit in case you want to parse them to be sure.
- ```
- #### What is Epoch 1 and Epoch 2? ####
- ```
- What is Epoch 1 and Epoch 2? (updated 03/07/2019)
- I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
- payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications.
- Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller, more
- rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
- This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen
- to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group. E.g. going on breaks at the same
- time period.
- Here are some observations I have noted since I have been watching these botnets:
- - Checking a document download site from Epoch 1 will deliver a document that is different from what is being delivered at the same time on an
- Epoch 2 document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those
- being delivered in maldocs on Epoch 2 at any one time.
- - Document hashes change every 10 minutes on both Epochs while distribution/spamming are active.
- - Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- - On Mondays of every week a new set of document download sites, and usually templates to accompany them, are generated early on
- Monday morning/Sunday night.
- - Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
- Epoch 2 may have a document hosted on host.tld/B.
- - The RSA keys will change every few months or so for C2 communications on each Epoch/Botnet.
- - Binaries for Epoch 1 payload sites are different from the binaries for Epoch 2 payload sites.
- *- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- - Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- - C2s are never shared between Epochs/Botnets.
- - Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
- via C2 to stay ahead of AV defs.
- - Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
- - Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- - The easiest way to tell what botnet a sample is from, is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this
- easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- - Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
- spam template, word template, document type and even payload.
- If I think of anything else to add or if anyone else has any suggestions, I will add them here.
- ```
- #### Community Lists ####
- ```
- https://pastebin.com/CXswHAtM - @ps66uk
- https://pastebin.com/VzSYSNTj - @pollo290987
- https://otx.alienvault.com/pulse/5cc20fa1589f09f1979d6336/ - @SecSome
- https://pastebin.com/3p98x9Cb - @lazyactivist192
- https://twitter.com/CapeSandbox/status/1121388436248772608 - @CapeSandbox
- ```
- #### Credits ####
- ```
- (OC from @JRoosen and/or combination work of the following)
- Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
- @0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
- @Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk
- C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
- @devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192
- Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
- @pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
- @papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192
- Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
- Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
- helping out with this!
- Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
- @digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
- @urlscanio and @Virustotal for providing services/software no charge to this cause!
- ```
- #### Daily Log 04-24-19 ####
- ```
- General News:
- I only received a couple of malspams today and it was not a heavy day. Still, there was more news and changes to report.
- Again we are seeing weirdness in the deployment of the exe loader. It seems like we are really dealing with two types of binaries
- that are being switched out to see which one is more effective or not. James Quinn and I have been comparing notes over the past
- few days on this subject and he made an important discovery today. The Heaven's Gate usage was actually not coming from the
- loader itself but is coming into the picture only after the loader contacts C2. He determined that the modules (for example the mail stealer)
- obtained from C2 were the ones being loaded via Heaven's Gate. If the loader is executed in an environment without Internet or C2
- access, this behavior is not seen. This was further confirmed by Kevin O'Reilly at the CAPE project later and @luca_nagy_.
- Here are the tweets and notes concerning this:
- https://twitter.com/lazyactivist192/status/1121444278549516295
- https://twitter.com/CapeSandbox/status/1121388436248772608
- https://twitter.com/CapeSandbox/status/1121447780466221056
- I must say that the number of packages and YARA rules built into CAPE is quite awesome! The CAPE Sandbox is an awesome project.
- I find it really cool that Kevin already had detection for this and an additional package already in the works!
- In other news:
- Trend Micro and Bleeping Computer are reporting some "new" trends for Emotet C2 behavior.
- https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers/
- https://twitter.com/BleepinComputer/status/1121446214564753408
- I found this report to be a little bit of old news with some misinformation. Here is why:
- The C2 protocol changed last month to a POST with 4 random directories added to the URL, vs. the large Cookie GET method.
- This was covered by a few organizations already and is about a month late. Example:
- https://cofense.com/emotet-update-new-c2-communication-followed-new-infection-chain/
- In addition to this, the information regarding the compromised connected devices is very questionable. It is well known
- that Emotet has been deploying a UPnP module and many of the Tier 1 C2 IPs are actually SOHO gateways with an infected
- Windows box behind them that is using that port via UPnP. Just because you see other devices on that same IP does not
- rule out that they are separate PAT/port forwards on the same NAT IP/firewall. This report spawned the following
- rebuttals regarding this:
- https://twitter.com/JayTHL/status/1121451004053131268
- https://twitter.com/raashidbhatt/status/1121464823940694018
- https://twitter.com/MalwareTechBlog/status/1121461070684573697
- Email Template Report:
- I only received 2 malspams today. One was an attachment based malspam in Spanish. The other was a generic link malspam.
- Other people such as @ps66uk mentioned they were also getting reply chain based malspams today and actually got quite
- a few malspams in general. I recommend checking out @ps66uk's report here:
- https://twitter.com/ps66uk/status/1121526438858035200
- https://twitter.com/ps66uk/status/1121361215446573056
- Review:
- What we know about the threaded templates/reply chain:(changes are marked with *)
- - Emails are sourced from once (or still) compromised users all over the world.
- - Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
- to the compromised party on or before Nov 2018 until at least January 2019. (may be up to present) Also have seen emails going
- back as far as June 2018.
- - Now on E1 and E2.
- - Now seeing German based templates that are essentially the same thing but in German.
- *- The injected reply is usually prefaced with the following:
- "Attached is your confidential docs."
- "Attached please find the wire transfer form."
- "Thank you for your help. Please see the attached."
- *"Load instructions attached"
- *"A printer friendly attachment is now included with each email."
- *"Click on the attachment to open or save the printer friendly version of your report."
- - Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
- - Attachments seem to be in the filename format of *_April_DD_YYYY.doc/js so far.
- - The link is customized for the display text of the link to show the real domain of the spoofed organization.
- - These templates are pretty limited in run and not very numerous.
- Link Regex Report:
- Regex directory patterns - The following patterns were seen active still today just like yesterday.
- E1
- \/(Frage|Nachprufung|nachpr|sich|sichern|vertrauen|([DdeEnN_]{2,5}))\/([0-49\-]){6,7}\/
- https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
- E2
- https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/
- https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{8,12})\/
- Payloads Report:
- E1 had 3 quintets today. E1 did one round of DOCs as attachments only this morning. There was no indication of this group
- of documents on distro links. The last 2 quintets were once again ZIP/JS. It seemed like some of the German based URLs
- \/(Frage|Nachprufung|nachpr|sich|sichern|vertrauen|([DdeEnN_]{2,5}))\/([0-49\-]){6,7}\/ were the ones doing the direct JS
- and the other E1 format was doing the ZIP/JS files. Most were ZIP/JS via links today.
- I saw both Link based and direct DOC attachment stage 2.
- E1 EXE loaders have been interesting lately and there is clearly active work being done. Slow updates were seen in Distro
- all night and morning with spacing at a pace of about 5-10 hours. The new heavily obfuscated EXEs were seen until about 12:30 UTC.
- At that point the old loader came back for a single update. At 20:00UTC the old method of 10-15 minute hash busting came back for
- the E1 EXEs on distro and 2 hours on C2. All of the EXEs from this point until current time are the old loader still and still
- actively hash busting.
- E2 had 4 quintets today which is a normal count but the way they were deployed was not normal. It seemed like 2 sets of ZIP/JS
- files were released with the hashbusting nonsense and then near the same time 2 sets of hash busting DOCs were released. One of
- the DOCs is still hash busting now every 10 minutes or so. Normally they are released 1 after the other but these 4 kind of overlapped
- each other. Maybe Ivan was getting lazy and just did it all at once. Interestingly, ZIP/JSes were coming from the pattern:
- https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/ links and .DOCs were coming from the other regex:
- https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{8,12})\/. It seems like there is duality for each botnet each day.
- Almost as if there are really 4 campaigns going at once.
- E2 EXE loaders were almost all the new loader style today with the exception of a release around 12:20 of the old style loader.
- This was followed promptly with a new loader type EXE at 14:45UTC and there were a few sporadic hash busts every 5 hours since then.
- E2 is still on the new loader now. C2 looks the same as Distro for the hashes available. James Quinn dumped the new loader
- and extracted the C2s for us! :) Thanks James!
- C2 Report:
- C2s did NOT change for E1 and remained at 57 combos in total. - recorded above
- C2s DID change for E2 and count remained at 67 combos in total. - recorded above
- Closing:
- I wanted to mention that Ivan is a fictional character I have made up that represents a random Russian name for the actor behind
- this. In reality it is not known who is really behind Emotet but it is likely a team of criminals and not any one person. It is
- a good thing we have a team of researchers/ISPs/Hosters/LEAs and Private Industry fighting that team. :)
- TT
- ```
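The four directory regexes in the Link Regex Report above are meant to be run over proxy or mail-gateway logs to spot document download URLs and tell the Epochs apart. The script below is an added example, not from the original paste or from Cryptolaemus tooling: it compiles the patterns exactly as printed and classifies every URL found in a few constructed log lines (the `example.test` hostnames are placeholders, not real IOCs) as E1, E2 or neither.

```python
import re

# The four directory regexes from the Link Regex Report above, copied as
# printed there (the \/ escapes are accepted by Python's re module).
PATTERNS = {
    "E1": [
        r"\/(Frage|Nachprufung|nachpr|sich|sichern|vertrauen|([DdeEnN_]{2,5}))\/([0-49\-]){6,7}\/",
        r"https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/",
    ],
    "E2": [
        r"https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/",
        r"https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{8,12})\/",
    ],
}
COMPILED = {epoch: [re.compile(p) for p in pats] for epoch, pats in PATTERNS.items()}

# Pulls candidate URLs out of free-form log text.
URL_IN_LINE = re.compile(r"https?://[^\s\"'<>]+")


def classify_url(url):
    """Return 'E1', 'E2', 'both' (if patterns from both Epochs hit) or None."""
    hits = [epoch for epoch, regs in COMPILED.items()
            if any(r.search(url) for r in regs)]
    if not hits:
        return None
    return hits[0] if len(hits) == 1 else "both"


def scan_log(lines):
    """Return (url, epoch) for every URL in the lines that matches an Epoch pattern."""
    found = []
    for line in lines:
        for url in URL_IN_LINE.findall(line):
            epoch = classify_url(url)
            if epoch is not None:
                found.append((url, epoch))
    return found


# Constructed proxy-log lines; example.test hostnames are placeholders, not IOCs.
SAMPLE_LOG = [
    "1556200000.123 192.0.2.10 GET http://example.test/Frage/123-49/ 200",
    "1556200001.456 192.0.2.11 GET http://example.test/wp-admin/AbCd1-EfGhIjKlMnOpQrS_TuVwXyZ1-ab/ 200",
    "1556200002.789 192.0.2.12 GET http://example.test/wp-content/abc123-defg45-hij6/ 200",
    "1556200003.000 192.0.2.13 GET https://example.test/Scan/AbCd12345678/ 200",
    "1556200004.111 192.0.2.14 GET http://example.test/wp-content/uploads/report.pdf 200",
]

if __name__ == "__main__":
    for url, epoch in scan_log(SAMPLE_LOG):
        print(f"{epoch}: {url}")
```

One caveat when deploying these as detection rules: the class `[0-49\-]` in the first E1 pattern, taken as printed, admits only the digits 0 to 4 and 9 plus the hyphen, not 0 to 9, and the patterns are unanchored, so test them against live URLs from the day's list before turning them into alerts.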
- #### Sandbox 04/25/19 ####
- (all with fakenet and MITM unless spam/secondary infection)
- ```
- Epoch 1 C2 run on 2019-04-26 at 03:30 UTC - https://cape.contextis.com/analysis/69497/
- ```
- ```
- Epoch 2 C2 run on 2019-04-25 at 23:15 UTC - https://cape.contextis.com/analysis/69427/
- ```