jroosen

Emotet Malware IoCs 12/11/18

Dec 11th, 2018
## Emotet Malware Document links/IOCs for 12/11/18 as of 12/11/18 21:30 EST ##
*Notes and Credits now at the bottom* Follow us on twitter @cryptolaemus1 for more updates.

#### Epoch 1 Document/Downloader links seen for 12/11/18 ####
#### Epoch 2 Document/Downloader links seen for 12/11/18 ####
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2018-12-11 16:43:00
SHA256:

Creation Time 2018-12-11 11:41:00
SHA256:

Creation Time 2018-12-11 10:13:00
SHA256:

Creation Time 2018-12-11 03:58:00 (GER LANG)
SHA256:

Creation Time 2018-12-10 21:00:00
SHA256:

Creation Time 2018-12-10 16:20:00 Attachment Only
SHA256:
```
#### SHA256s for Epoch 1 Payload EXEs seen on 12/11/18 ####
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2018-12-11 19:27:00
SHA256:

Creation Time 2018-12-11 15:12:00
SHA256:
  509. 39d3d511f63c4d7f1a96a2bf0ad57feeec5f9eb4eee05cef753cc857d62fcdc4
  510. 7fb81c6f3de34f1e1a797435bce186142f1c7cf88831d20a6d203c48ae54043a
  511. 8fa53179bfd6fac9e611d6188b0fe1c0680c1eb624486702c2344ac91dcff6e7
  512. 74b3f7f76bb6bfc061bc99f82cb78a3d72855b75552b667d6fe471a002552115
  513. c5b3f1116233d833fea4ec154856fdb0401b0226cbd553eff19673376f1fb56f
  514. 8ae58c0e07be5fa039546d44b762082132f977ce717e0544d9ab8927deb94f35
  515. defc383516ea5db2bb292ae1b55b72a577f05be6e22659db7bbd47bf53716df6
  516. 3f8dd40729bc6cf1f9f39596544c88e2d1f386f8baa1bf4988db79a90aa56924
  517.  
  518. http://bike-nomad.com/9CL7x
  519. http://ulco.tv/5niKlzn
  520. http://pioneerelectrical.co.uk/Rzz
  521. http://mobiledatechannel.com/TT
  522. http://identist.az/wp-content/qMb1nH
  523.  
  524. Creation Time 2018-12-11 11:28:00
  525. SHA256:
  526. 49ddfa0d7a671d2b38f58f2f8847e0e60b4a16ce19c174db9d5e6f65474c0e1e
  527. ab081a761c797658b5af4310f636364d9d0193aa13d4b026e90be8c2b8a240a8
  528. de4d61651a07f3f6b4be3ab8bd53cc9acd3e5e36b50aa736f79b928fa83d07f8
  529. e2e32ad11337b9d136fd17ece2a47ce4963a2da9cc48335f346af49741c6f12a
  530. 66055ec57096d4875bca296136902ad9f06b2affc050ba64e2358f6308178425
  531. af4ecd9c34fdbab679c352f8355ca1be3f849364de8f5528aa2053ef39113d54
  532. 22f27e1b46fe32a2f7cd24670f6d1c6d678968914e3b918ca2c78b3d0348d274
  533. 26e9c3b634762b28869936af0f09cc95e2272c5c25cf4c022cbfe98ff38b678c
  534. c3a6600646f886dd8552018f28e4169742b99255f383d62f61884e1cf04dc02a
  535. 54a07347185583bc7024fcccd9b7a7742c27ced8f020ecca60adb34dbccae4ea
  536. f86179fb8c8043a57c0df6ea54c799ed2dc8d1b9d659b648520b978b0c737c58
  537. 18af2ff24dd0757173893ed9c66f9f1946f6127c5e2bb4a5e44d5b37897b0555
  538. 11413a8e1f7845aaa25fdf16834eecc322830db9de56bc9a7cb606473a19fff9
  539. 4e37106fffe50787a13cc5402323f008da09ac8bed5f66cd89743a95a453c4b0
  540.  
  541. http://zoeticbuildingandsupply.com/Z
  542. http://jualthemewordpress.com/W4XzMg
  543. http://shariaexclusive.com/Qod6x
  544. http://animalovers.us/cRXX
  545. http://coinminingbtc.com/m
  546.  
  547. Creation Time 2018-12-11 09:49:00
  548. SHA256:
  549. 42934e5f92f9e05d492445c78a03062bf2533ba13a8fa0021c0345ad1f9ee205
  550. 1c61efeec0f6cb819e27271073dfedc65bdbf1b5351da727a1e061a2317a5f27
  551. 0a73c1ce094754d15fd60109125095723ca04e224617a3a5efb17aeb67526ac9
  552. 09c8e1e5739ef4cfd8dc8b033c1c7c023064f70a10859ca28a59833539ee2a0a
  553. 41cf5471ae393b1f68ad76871662e2b0a08c7f015be833f7ef6996b1198f15be
  554. 73aa2afabc1a40a8b6a3146c017a3984c6b548dd58912e058181cd2bd85e97ff
  555. fd12f0e3f949511f64ee729d4433a656444cfc3c709be67ea19154b05f5630b0
  556. 1a2246436af1c15467f2bb58e1e4d8007b14078ce7813becfd15fd27a1113119
  557. 7501fe0c9157bd20bb7ec81e441debeeec2c6849f200288531997709de06481d
  558.  
  559. http://shariaexclusive.com/Qod6x
  560. http://animalovers.us/cRXX
  561. http://creamistryfranchise.com/5vAfyDtA
  562. http://coinminingbtc.com/m
  563. http://nusantararental.com/Z4aZh
  564.  
  565. Creation Time 2018-12-11 09:22:00
  566. SHA256:
  567. d567010c93cb4f0b1100e00abd90e1e911ec246262cd0bec5716078ad4cbd843
  568. 2e39011c629390e0849cf84572dc0894ae390625fd928b5a993aac5d79944a5b
  569. 5b6870b815f0f1aadda7460634c77aa6b3378b2664878f8f23348873601ac3af
  570.  
  571. http://coinminingbtc.com/m
  572. http://nusantararental.com/Z4aZh
  573. http://www.phillipjohnson.co.uk/yP7gDa
  574. http://sileam.com/CGq
  575. http://www.vario-reducer.com/izriRd
  576.  
  577. Creation Time 2018-12-11 08:47:00
  578. SHA256:
  579. 7a25518007e3d077c43165b755697e0ab92e2153e72ed484602c59e899567aa8
  580. 71a03c2b1ac93bbd3f7e4d174508a0e2bda3558e2b44bb05c8c00615a82c6a71
  581.  
  582. http://nusantararental.com/Z4aZh
  583. http://www.phillipjohnson.co.uk/yP7gDa
  584. http://sileam.com/CGq
  585. http://simonsolutions.us/QyL
  586. http://www.vario-reducer.com/izriRd
  587.  
  588.  
  589. Creation Time 2018-12-10 21:10:00
  590. SHA256:
  591. cc2405f09c798ecc2766a908277a56e5255dd97a21757e293ad7104105982faf
  592. 4f9e90fdea5dffe26c45708e6ffb06fda9ece8db28f52282426826ea1f09c69b
  593. 5db8e82da29b84edcad955dd15ce35f22429a0d55ebbf7a4138130ca533dde0d
  594. ce930600f3276d5d60abd3ca5f5f3885493198e5f686c7fa817446f53f3eccb9
  595. 80e3911ae9f497ef95f294bbf0d23eec3b72c398f2ade4fc959cdaffd287d547
  596. aae99acef6c295567966311797e716cf7f929d872e35d5a66070eb5b31f0e687
  597. 88be98adbd949ec853acc153758beaf76b3a2264d874a726292c9348bb4356e9
  598. 73c9ac34cf377bec45c99076e8a8e1aea6370aa483f5eb26638fe14767aaf99c
  599. 4acb34a5ad58767decbe0a134a53198f8cbfb3902ed3c33170f4dd153a6ed1ec
  600. f90b4e2348300224409f6b24f046ad3e0e0fa5955919b9747582489fb6d7896f
  601. 6bc6ebc35bf3e324b586b5b609ca34f0e258686e1629816d560e6d0c41222501
  602. aa286272082cca85eac7c696fc5a1017a9bd966cc1385e0f2a5731da5732cb9a
  603. 39c6fb1616686f9215267abdb8bed605a92a2a61ce9a31aa224e5e7bf5cab38e
  604. 360035165ba00c544f7094ca9b266c6183fe8123d228b64bcc6a9da227818a6e
  605. 1e2655fab10ec9da57b5c40b5b21be8eb15f843099d6c0a97fc79de97f087e82
  606. c15e3d116467d0f50b20ef670b7bcbd74ca9f6aa5686b7932b2518f74cd6e888
  607. 1e81d8655afcc259bac31b1dbd8f3024f4a85e2e5e19f89aa487cd58f3fc4a8b
  608. 1ce82e779cb17501c0b2548e6e081a2ec7cae498f015f96afa550190b8a5e0ad
  609. 096714b94c2dd4e3a2f666b1d8598a2dd824109f946070b3139eb802ed20927e
  610. bd5c4b5bd4e8239b87cec01747c64d98db9202105fdeb01308535dc3356353c1
  611. 05fbf69ba94638a93443bc0b3cc97cf4b1e140133620db00bab3fef0529f8583
  612. d0db55784134fa5e3568ec7ec0d88d6665aa87f136dbe05807ec4d141ab354eb
  613. 122c756c88f5f94a39e1b107c1db7628613521b5d9c85402e252b87fb83c007b
  614. dce8e8ee3f6996c414afa1e92e527f9269df0e4205a596b00c5d9ece1f3cccb3
  615. c072adca0179a17c59bf53ad5428d2e4070ab55f2169d7a5704a8ca526ea9a10
  616. d3bac6d14e6586279dddb3c3e0f9ddb579a0e178a664953b69e98988123f2d39
  617. 84ed9cd3abfa4f6b84460ae0b747230fed7fc469e32b767395f7afe5dde247e9
  618. ffeac69d7a31cb513bd9fa83baa053ddb4adddd35c0d9c416933a9b83eabbcd1
  619. 14a74ba9d54a1f9b8de7846d46fcea94d15f5eba4f4c1361994721c6c2abb464
  620. 885194cc0fa0d5c3f75c2153fd17db324427b0a648c917d196b2341a1b8ede4d
  621. 58674aad9b17f181eb82a583bde0851e387b67569247829d3c1f0fed4022b00f
  622. 16552a612e691dc1d70d033ac4306e0047f0bb532a59fac53aa85f61adb09078
  623. 3ac17a9ba5176a35b11ae0cd448b697eccdf3928dffa981aa363fb8ede12caaf
  624. 565b69806dc552489e62facbb678883a9725f776f8e067ba2ab6319ce2176fad
  625. c65bc24db7d92869a677355342481fb74146b869515fb9bdd64812dde0f44b7f
  626. 16d1eb33627f995503e9bcef79bb799e72482b530c50ebd43f34ffe576bfc0a7
  627. 2676c3383f24a6c7de1bbb881192c53892cadf82c71b90e72e5147fdc39ccc3b
  628. 254c189fcab836ff9d69506217bf7c4662b057dda6ede51759c2b6f004a35a16
  629. dd07c09b322a4086eb1f8927c75d71702d27a395a2c5cb44e90585fb529b6861
  630. f44c4e4dfb7fea1efa2f19edbf542ad9805eab720a79d6551b1aec77511038ff
  631.  
  632. http://wpthemes.com/QdO/
  633. http://tom-steed.com/Qb/
  634. http://bobvr.com/9IRHSA/
  635. http://alexzstroy.ru/5oe/
  636. http://herbliebermancommunityleadershipaward.org/xjg6c8/
  637.  
  638. ```
  639. #### SHA256s for Epoch 2 Payload EXEs seen on 12/11/18 ####
  640. ```
  641.  
  642. 394ef2460cbe0e6acda5fed798c4ed03f0f56bad42bdb1246173f0fecfe897ed
  643. 0e09a3e2295d9bb4ec59482b0e76b0a9aa6c46343bbe38ff81bfc9d8a0688cdb
  644. 3db66c42a6628442217ec3ca7d6fd6c3a4fc3eb674553cb5c251c8dfe5173bc9
  645. bb1cbf550ce197e311ce879001734eee8737ba5db645e6e7fa950d76a8c136c5
  646. 1e52802cd86b2cde0eae7cf7dd01b66bcfbd83e95228f5efe7e492096e134e28
  647. c1d283d4a58f3946130325244ac4e995fcce846cdbf942a0731219b0f7e94997
  648. 096372be762c47497b94f93ab42538fcf1eac084c82cdd9c9e73dabe1a91200e
  649. bad78bd589ec811f14b2da9557452dac85385b41ff0a18dc59b2fdf64f8a7ff1
  650. 4a9c9adc0400e5f2088d3f4710890acda0cf16a7fca7b31e5681a097e2d9c272
  651.  
  652. ```
  653. #### Epoch 1 C2s ####
  654. ```
  655. (Port is 80 unless noted)
  656.  
  657. 109.104.79.48:8080
  658. 133.242.208.183:8080
  659. 138.68.139.199:443
  660. 144.76.117.247:8080
  661. 152.169.192.209:443
  662. 159.65.76.245:443
  663. 165.227.213.173:8080
  664. 179.33.30.194:7080
  665. 179.52.124.226:443
  666. 181.170.160.21:443
  667. 181.46.149.53
  668. 185.86.148.222:8080
  669. 186.66.93.242
  670. 186.96.193.55
  671. 189.134.34.13:50000
  672. 189.178.109.180:7080
  673. 189.225.119.5:8443
  674. 190.0.28.219:443
  675. 190.0.28.219:8080
  676. 190.85.8.157:8080
  677. 192.155.90.90:7080
  678. 198.199.185.25:443
  679. 198.61.196.18:8080
  680. 200.105.164.138
  681. 201.244.43.242:7080
  682. 210.2.86.72:8080
  683. 217.34.55.79:8443
  684. 219.94.254.93:8080
  685. 23.254.203.51:8080
  686. 49.212.135.76:443
  687. 5.9.128.163:8080
  688. 50.101.109.25:8443
  689. 60.240.221.183:443
  690. 69.198.17.20:8080
  691. 81.132.30.110:8080
  692. 92.48.118.27:8080
  693. 96.21.235.243:8080
  694.  
  695. ```
  696. #### Spam/Stealer C2s ####
  697. ```
  698.  
  699. 181.225.227.251
  700. 192.237.251.185
  701. 206.81.7.25
  702. 71.58.165.119
  703.  
  704. ```
  705. #### Epoch 2 C2s ####
  706. ```
  707. (Port is 80 unless noted)
  708.  
  709. 101.187.199.72:7080
  710. 103.53.44.26
  711. 115.71.233.127:443
  712. 137.59.227.184:443
  713. 142.163.208.70:8090
  714. 165.227.191.145:8080
  715. 185.20.104.238:8080
  716. 187.147.253.144:50000
  717. 188.122.51.199:990
  718. 191.102.109.158:443
  719. 197.89.216.173
  720. 198.74.58.47:443
  721. 200.25.160.121:990
  722. 201.171.3.20
  723. 211.115.111.19:443
  724. 217.13.106.160:7080
  725. 217.165.116.167:443
  726. 221.162.74.239
  727. 222.235.126.213:443
  728. 39.88.192.28:50000
  729. 45.123.3.54:443
  730. 45.227.225.46:8080
  731. 46.130.113.218
  732. 49.207.182.22
  733. 5.230.147.179:8080
  734. 5.35.242.34:7080
  735. 67.205.149.117:443
  736. 69.198.17.7:8080
  737. 70.52.138.10:50000
  738. 81.7.10.106:7080
  739. 83.222.124.62:8080
  740. 84.200.106.120:8080
  741. 87.191.170.153:443
  742. 88.174.131.38:7080
  743. 91.236.245.65:8080
  744. 95.141.175.240:443
  745. 98.142.208.27:443
  746.  
  747. ```
  748. #### Epoch 2 - Spam/Stealer C2s ####
  749. ```
  750.  
  751. 104.174.150.202
  752. 139.162.157.8
  753. 24.35.180.220
  754.  
  755. ```
  756. #### Credits and Notes Section ####
  757. ```
  758. Updated 7/13/18
  759. WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture: https://pastebin.com/u/jroosen
  760.  
  761. NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list. I am providing them for your benefit in case you want to parse them to be sure.
  762.  
  763. UPDATED (08/31/18): Epoch 1 is back! For several days in a row it has been on the scene!
  764.  
  765. What is Epoch 1 and Epoch 2?
  766. Epoch 1 and 2 are two distinct chains of payloads that I have been tracking for a couple of weeks now. Epoch 2 is currently the larger group of hosts and I think it is the main push of Emotet. Epoch 2 WAS a smaller, more rapidly changing version of Emotet that tended to change the hash of the document every 45-60 minutes and sometimes had new payloads that fast as well. Epoch 1 seems to change payloads every 3-6 hours now, and payload hashes change sometimes as fast as 1 hour. Epoch 1 may now be the development chain, but I am not 100% sure what they are up to. Checking either epoch host at a point in time will deliver a document that has payloads that are different from the other epoch. That means epoch 1 may have payloads of a,b,c,d,e and epoch 2 will then have z,y,x,w,v. Sites sometimes move from one epoch to the other, but I have never seen the same exact directory go from one epoch to the other. It is always a new directory for the change in epoch as far as I have seen.
  767.  
  768. ```
  769. #### Community Lists ####
  770. ```
  771.  
  772. https://pastebin.com/PWuRsPqh - @James_inthe_box
  773.  
  774.  
  775. ```
  776. #### Credits ####
  777. ```
  778. (OC from @JRoosen and/or combination work of the following)
  779. Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, @0xtadavie, @Bitterman59,
  780. @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @leunammejii, @jcarndt, @gorimpthon, @Racco42
  781. C2 info - @unixronin, @MalwareTechBlog, @ps66uk, @Techhelplistcom, @pollo290987, @malware_traffic, @0xtadavie, @devnullnoop, @gorimpthon, @Racco42
  782. Payloads - @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz, @pollo290987, @malware_traffic,
  783. @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42
  784. Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop
  785.  
  786. Special thanks to @2sec4u, @unixronin, @pollo290987/@ps66uk for creating scripts/servers/infrastructure and helping out with all of this!
  787.  
  788. Very special thanks to @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch and @Virustotal!
  789.  
  790. ```
  791. #### Daily Log ####
  792. ```
  793.  
  794. It seems like there are some select malspam runs every day that are not distributed to everyone equally or at all. This may be the reason we are seeing some long payload quintets that last 3-6 hours when they would normally change faster. During that time another quintet that is not being distributed by links will be sent out as attachments to people. Be on the lookout for these, such as the one that @pancak3lullz found today:
  795. https://twitter.com/pancak3lullz/status/1072616093922009088
  796.  
  797. I received low volumes of spam this morning, but it really picked up in the late afternoon and we finished with a total of 400+ today.
  798.  
  799.  
  800. ```
  801. #### Sandbox 12/11/18 ####
  802. (all with fakenet and MITM unless spam/secondary infection)
  803. ```
  804. Epoch 1 C2 run at 22:10 https://app.any.run/tasks/4c2366b0-de81-421f-bfde-bbd738569e22
  805. ```
  806.  
  807. ```
  808. Epoch 2 C2 run at 21:43 https://app.any.run/tasks/47fa044f-e627-4b87-b7c9-473e2808b275
  809. ```