- ---
- layout: post
- title: "Daily Emotet IoCs and Notes for 05/21/19"
- date: 2019-05-21 23:59 +0100
- categories: emotet
- ---
- ## Emotet Malware Document links/IOCs for 05/21/19 as of 05/22/19 01:00 BST ##
- *Notes and Credits now at the bottom* Follow us on twitter @cryptolaemus1 for more updates.
- #### Epoch 1 Document/Downloader links seen for 05/21/19 ####
- ```
- <none>
- ```
- #### Epoch 2 Document/Downloader links seen for 05/21/19 ####
- ```
- http://3glav.ru/css/lm/LElPNvTAyeCNgL/
- http://912graphics.com/cgi-bin/btqbghdo7eu6ykg0zzxjohdj7_j9gac5n-2948099525/
- http://9coderz.com/wp-admin/lm/lm/VtuGyUdGncbiGlUmipu/
- http://adil-darugar.fr/wp-admin/Scan/trrMBcbN/
- http://advokat-kov.ru/new/Document/dcm61tc0sudmm5n860qu1ra_ubwtq8m-5670754007/
- http://aio.sakura.ne.jp/forum3d/c9q8c85-7x79nvt-zefc/
- http://airconfidencebd.org/wp-content/hfrhybo35jocmt9rykxk92d9_ws2nvv-804221103844/
- http://akihi.net/BBS/omra-4vws5-ilkw/
- http://akoagro.com/wp-includes/FILE/fsrauTLdLBq/
- http://aktpl.com/wp-includes/f8kqjc4-rsaxk-cgivh/
- http://alageum.chook.kz/wp-content/uploads/Scan/04263hkou_u9q456yn8-3307251785606/
- http://alphalif.se/css/esp/vcpf5ck3gkufnd1tcz06m1dpe0wu_2kkhrv2r7-223819466498611/
- http://ambil-hadiahpb.cf/css/Document/zvv6pzemxix7bkqkxcdven37o7v7p8_w4gnn62w-746465135047600/
- http://anase.org/wp-content/Pages/iq89n0t5_yfxzp-070843819/
- http://an-premium.ru/wp-admin/7b6ech5-svgat05-fnyjvh/
- http://anpuchem.cn/wp-admin/2spx3-fd0s9jc-wxcnzqe/
- http://appsville.global/wp-includes/6m7d5hr-jolf92s-dxvkhvz/
- http://aradministracionintegral.com/wp-content/uploads/q4qzpxt57s_s90s0-562133435485/
- http://asatc.ovh/wp-admin/rctqjq-n5326-wzslqtb/
- http://atkt.markv.in/_notes/FILE/OCTbubxwjOUENnC/
- http://ayashige.sakura.ne.jp/FAQ/wp3mn-06n4afc-usedfbr/
- http://azbeton.ro/wp-content/Document/vtjHcnFgqglXQqzqEkohRLJd/
- http://b118group.com/wp/b0gk3v7xqs_8737y8-565189409480/
- http://batdongsanminhmanh.com/wp-content/uploads/Plik/VSHZLPQDixgGn/
- http://bcaa.gq/wp-includes/Pages/WoJUHWDOFhNKDkbe/
- http://bestit.biz/suspended.page/esp/ZrnXUqWtuAfQZQRQSBUrFxEDGWGwvk/
- http://biyoistatistikdoktoru.com/wp-content/0094ofi-io04bs-wgexsrj/
- http://blog.dmtours.lk/wp-content/FILE/ruaXvPMVnjujCTjeLLT/
- http://blog.laviajeria.com/wp-content/uploads/gsaujyf-ry06n-dssec/
- http://blog.tactfudosan.com/wordpress/Document/KAsyYWOZLfoEhvrJgr/
- http://blogs.ct.utfpr.edu.br/mansano/9nlp-wepue-agwyqrc/
- http://bmeinc.com/wp-content/t0wunqu-izvvlvm-cqxnq/
- http://boilerservice-cambridge.co.uk/muun/esp/IhCsETyWZrho/
- http://bonizz.com/DMC/parts_service/5eh2hsadldjems1kq3wlh403v_e39t3mz1ud-335687791589/
- http://buxton-inf.derbyshire.sch.uk/wp-content/d3q7i2h-uf2cg-etdwftf/
- http://caddish-seventies.000webhostapp.com/wp-admin/4ur9tmys2h_75g6pp-73387052/
- http://carlyarts.tk/cgi-bin/0hz63w-s3alcb-vjrm/
- http://chinmayacorp.com/COPYRIGHT/Plik/tjDkGOTPHOJ/
- http://chirurgien-ophtalmo-retine.fr/wp-admin/Scan/trrMBcbN/
- http://cielecka.pl/ilum.pl/Document/f7djienirh5otecveisehl6oi_tn22d-108070575/
- http://cmg.asia/wp-content/uploads/DOK/bkmrGzXzIEZODqVCVwBTcQiNn/
- http://congchunggiakhanh.vn/wp-content/lm/lmjQDFYXEANYNpuvmqbCJs/
- http://conjurosdelcorazon.info/wordpress/Inf/1hpu9k3q05djyl3gq5722_d7u08f-5929583887/
- http://consortiumgardois.eu/images/FILE/kzfYkwNCziLHPSLvhPexT/
- http://coronadobaptistchurch.org/wp-includes/paclm/nrzbbwc9xordu0f1pojvw03um0v42_ucm04gi-866893424118465/
- http://corporateipr.com/m9c/phutz63-w90emms-oukwmr/
- http://crsigns.co.uk/wp-includes/rncjoymd9s61_ahrbb-46845098052870/
- http://dag.gog.pk/wp-includes/PLIK/wndpifvajs/
- http://daizys.nl/BKP-06-05-019/sites/HxflDlFmdMdWWyqIrRZHCGWSE/
- http://data.iain-manado.ac.id/wp-content/jvqzpj-qqv5yn-iujro/
- http://dembo.bangkok.th.com/wp-content/uploads/ZJzsVKdzRzmVYxKMwQhxC/
- http://dembo.bangkok.th.com/wp-content/uploads/ZJzsVKdzRzmVYxKMwQhxC//
- http://demositem.cf/wp-admin/lm/gfjj522nshq21esba0bgt5_ig360-20814056176637/
- http://diarioprimeraplana.com.mx/wp-admin/04t8ju-5o1m33-exgwn/
- http://disperumkim.baliprov.go.id/wp-content/JAaJgGgshskUmKanMFIDcM/
- http://dnmartin.net/wp-includes/v62mbu6-bulqh0-mqvdot/
- http://dog-mdfc.sakura.ne.jp/img/5oxre-zuektz-igln/
- http://dronint.com/wp-admin/tt4up7x-989rvv-uykocm/
- http://ds-cocoa.com/form/mfcz-els553-gutvyak/
- http://duwon.net/wpp-app/co8s3b-3tkel3v-sgew/
- http://ecommercefajeza.web.id/wp/tbkh1v-qjzzn3-wvojp/
- http://economika.com.ve/email/paclm/dsbzhob4b8seeq_zl3zlxclc7-7223513679032/
- http://e-controlempresarial.com/wp/paclm/02oyix5wanbeegnxcnudm_m9wha6e-6640018143938/
- http://eeda.tn/wp-content/languages/qrx8t-enc1iw2-tlpfv/
- http://egplms.okmot.kg/wp-includes/mf75rsm-y1pndse-apjgbfv/
- http://emcimed.ml/wp-admin/INC/beCmcstHEcYWSdunsNpV/
- http://esquso.com/wp-includes/parts_service/zncgw5r30ehtff4w4_nvu506u-84590229280717/
- http://eticasolucoes.com.br/controle/FILE/urjm9ad0e20oke9_yys4j-1833857769/
- http://eurofutura.com/carloghio/parts_service/JYRByxVSfhNOpVVTASyyBhBR/
- http://exenture.net/mySHiT/mhv8eiw14_tj1q863agg-191035311473/
- http://exposicaoceramicaearte.com.br/cgi-bin/Scan/cuhgcn4fje3ftup_x82vkmk-064904430823956/
- http://faggioni.site/c/LLC/vyjd8e7lofux_y85bv-123015212024842/
- http://fearis.sakura.ne.jp/data/yrvn-jsbee-qckg/
- http://fills.info/d907-e9y5h-tahwufs/
- http://filosofiya.moscow/2vx0z2/m0jt45-5vk7cj-kzcs/
- http://fireprotectionservicespennsylvania.review/wp-content/k3nlc-jupmj-vxzwydm/
- http://fitnepali.com/wp-content/plugins/vtt3uru-k3dfd-rfeqkz/
- http://focuseducationcentre.cf/zayarlin/Document/bEjkgNhfyDTjBiljqJwhvIaDu/
- http://gamingproapps.com/wp-admin/05wvu0-b8bm2-mujg/
- http://garage-ucg.com/_mm/cshqzve-2wrp3b6-acmsyoc/
- http://gatewaymontessori.edu.gh/5r0x/INC/sor5jniomi1bw8se6reyjodziydt_dk6pdtw-885852414780/
- http://giangdinh.vn/wp-admin/LLC/AmMcutbAcsZgoLPpvSBSFJFL/
- http://giaoducvacongnghe.com/wp-admin/parts_service/s5nvqu5cu5xiavsm_tt4g6sg-9685915454/
- http://gilmatas.000webhostapp.com/wp-admin/yznvck5zdjh_m6ewq2-12021270394/
- http://gite-la-gerbiere.fr/lib/bf1vgc-kym3vl-moyonq/
- http://glumory.co.id/wp-admin/qlomqukhp4rm409zcqi35hdp_3ezcpjzr5-7274514462/
- http://graminea.or.id/cgi-bin/esp/dRfhYjIAqKiRZKZtpFcXvsFYUD/
- http://greencampus.uho.ac.id/wp-content/uploads/vyeow9-3fruh-vbno/
- http://grinq.com.ua/wp-content/qon3os-lg1iwjy-xwfjr/
- http://grupoxn.com/wp-content/h2uy3p-uanu36y-qpfbabc/
- http://guidafinanziamentieuropei.it/dup-installer/esp/whISpSbNpvwrdNdxBlTfEMDIUKOs/
- http://halcelemates.com.ng/cgi-bin/qspgn-miqx4yz-hudi/
- http://haovok.com/wp-content/uploads/2019/i6pygi1-skve9j1-upduf/
- http://haovok.com/wp-content/uploads/2019/vy24ysx-hdhlv8k-nyuqxqd/
- http://havistore.net/wp-includes/wt6adv7-xupjzl1-sidkes/
- http://hestoghundehuset.dk/wp-admin/mPKrLBEEMiHVhKYpHeEc/
- http://iamzb.com/aspnet_client/system_web/c0rft63-7sh4lwp-rskuhl/
- http://ibuying.pk/mvmbb6/ei43a-fw9o8-druj/
- http://ideenn.ml/wp-includes/esp/5et9jh3fkakhc0tqf6mf_36yoe7na2-28649149907/
- http://ipdesign.pt/wp-content/8j81y6r-r7axbj-coot/
- http://itcshop.com.ng/fasttrackcash/Inf/qrjYUODRuCg/
- http://jajiedgenet.name.ng/wp/DOK/x963ssn0_skxizz6j-099060478701887/
- http://javed.co.uk/wp-admin/f3pafo-bac855-vrgxw/
- http://kamasexstory.com/wp-content/y2o6h-vnm6vw-ehxybl/
- http://kauzar.com.br/wp-admin/9naj-wg0geu-jvhkq/
- http://kgdotcom.my/wp-content/e6k9v2v6m0_tfl09azf-288153120/
- http://kipsoft.vn/wp-admin/uXHCWQYIsUwy/
- http://kirakima.sakura.ne.jp/_yoru.oldcake/app/webroot/i23z-b91g84-kvrrlys/
- http://kleine-gruesse.de/wp-includes/Document/laWittBVpszALuZbTWOvWHRk/
- http://krasotatver.ru/wp-admin/n53x-uxotfh-dxkbol/
- http://ksicardo.com/travel/86xczz-ky8hi-fbwoyt/
- http://kujuaid.net/2006/9cs63i4-rbynm-zrnxuqw/
- http://kumakun.com/aikawa/2q13-86mdf3-hjxhhr/
- http://kuramodev.com/wp-admin/esp/2lcrz1uaq99jqg6x_btdci7az-5511668994948/
- http://lab-quality.com/wp-includes/549lfpr-f98te73-fkqna/
- http://lejintian.cn/wp-admin/bmyd-j0qwdr-gwyynxv/
- http://lencoltermicosonobom.com.br/wp-content/ina4-ows9b-vnirk/
- http://les.nyc/wp-content/uploads/zuxbjd6mgcbofmz_1lwfz-96882379608/
- http://lesantivirus.net/css/esp/LvxnSHShDjxTiArIvTtXhDOGX/
- http://liantrip.com/x6sm/INC/k9iovbtzedsa1ptk3j_9gqdpmgi-906696776/
- http://lizerubens.be/wp-admin/parts_service/IWuXVRHMja/
- http://lnemacs.com/updatecoreo/paclm/QOqcLyIDnqskRUPrQtAY/
- http://logicsoccer.vip/wp-includes/PLIK/DyyyskgffSivMY/
- http://longokura.com/wp-includes/Pages/RphdkFQwbj/
- http://lr12sp10.org/wp-admin/8nu0md8-38qsi0-iqme/
- http://luisromero.es/cafe/LLC/d02zuso2z3r0o07_uge4o-3011321187376/
- http://luxconstruction.mackmckie.me/cgi-bin/LLC/jbiat3az5san8nte6g_mhl1i2rv-47824935/
- http://luz.ch/fuurball/paclm/tayiwtdw9gvgb21rvi815umr4_l1k2tafz-916097634479/
- http://maloninc.com/archive/lienu7-gmeqaps-nrnqb/
- http://manorviews.co.nz/images/paclm/mcpf0o3f5me1zh2x2xarr5c_c2kog9qp6-11133861/
- http://marbellastreaming.com/admin/3b1zwi824hbk1pe2coubcbob_5nlp4bh-14804269498/
- http://markantic.com/wp-includes/LLC/oXitshkRMjCSa/
- http://markelliotson.com/sites/k47y5hwtw8h_aqzp3l-449059094/
- http://masana.cat/pix/parts_service/wBwhQtYEVIEpsMPtRsyl/
- http://masterchoicepizza.com/wp-content/uploads/i650-0aa2od7-pdxlvg/
- http://masters-catering.kz/star/Scan/4srrh6lm3eqgk7goazhnkodrbaio_eaxlbr-436287246/
- http://mattshortland.com/ozXYuMOiYlguFF/
- http://mayupan.com/css/Pages/jamcysmfx_d379k-789309688595/
- http://mazzglobal.com/51655165g/sites/zuutn9zkjzzsbhffa5d0fpvaw9z_jzv2j6b-263923452810966/
- http://megfigyel.hu/hirlevel/kj8ce-szyqbse-iinoje/
- http://melondisc.co.th/47bd/atyb-h8smk3-qvbbwsh/
- http://mic3412.ir/wp-includes/LLC/hsnp7lhg0fbqhj1dph7c4fmspwvz_r66ocyu3-858421356/
- http://mickreevesmodels.co.uk/micks_chat/INC/KfNJTKdmSYiueWhbqeYVzigbOaUj/
- http://misbragasusadas.com/wp-admin/paclm/okb30cee6xhg1cbi279ssznmewh88k_mimhl-536403870815322/
- http://mjc-arts-blagnac.com/wp-content/Document/qein18j18_d9y843jj7-3116175961/
- http://mjeas.seas.num.edu.mn/4jew/Pages/DddiRVHssfjb/
- http://mjeas.seas.num.edu.mn/4jew/Pages/DddiRVHssfjb//
- http://mmgbarbers.sk/wp-content/hmESzqKrW/
- http://monsterz.net/blog2/FILE/fCuLIWGTqBVwcPDfUQRVodcKJxEmI/
- http://m-ros.es/wp-admin/nfbyibe-l6cpr-wvgd/
- http://mtaconsulting.com/wp-content/Pages/ntq8h5pnhzsb_c98jimy0lh-77243452881/
- http://multicapmais.com/js/esp/jLOgrxpWZ/
- http://mwvisual.com/scfv/bYofxzLIBlDANzJQJhwNsOgzvfU/
- http://myofficeplus.com/Document/zJLRnsotorjEVuGxH/
- http://ndm-services.co.uk/DOC/gsnhdhup7vp8u3onxtqzbn_mso4v7e-4060977015/
- http://nforsdt.org.np/cgi-bin/LLC/rJhJsoFerEAbFVKOgJweNESInf/
- http://ninhodosanimais.com.br/wp-admin/2r5n-hqg5fh-riwe/
- http://noons.ru/wp-admin/DOK/mpmd1xmzhl8ijhcvdh2d40r249a_07m8onqzs-192022041933115/
- http://novaoptica.pt/wp-admin/rnsoyvw-8y64rg-ppgc/
- http://nucleomargarethferes.com.br/wp-includes/3lte794qnmo8qdk8p_cbdl68-46700341/
- http://osarofc.com/wp-content/0svg-ykzyl-eczxl/
- http://ovakast.com/wp-admin/zbb9q-if7z3-xncfy/
- http://paywhatyouwant.io/cgi-bin/INC/RycXLpkwbaXNzSdOQYrWlxXoi/
- http://placo.de/typo3_src-7.6.11/3jo2nmg-58mws-pospv/
- http://planetkram.com/cgi-bin/FILE/lydb59kvj94x2qxaf0lo_95s38g-70862676621395/
- http://pmalyshev.ru/wp-admin/FILE/x54foocsocq3hddk_c3e68-88316015852100/
- http://priatman.co.id/old/gmvor-qkevv-kmjsj/
- http://priatman.co.id/old/gmvor-qkevv-kmjsj//
- http://print-consult.be/ResponsiveImageGallery/61p114nlua4w2_8mcik3tixr-083144052/
- http://prom-alp.kz/wp-admin/1skay-qbj32qb-aoivyzz/
- http://qwelaproducts.co.za/wp/voo74gu-yc23wv6-eysshi/
- http://rabotkerk.be/cgi-bin/jt2ly-82r1t-uawc/
- http://ramun.ch/infa/FILE/lJvrIxQuUlhOCEvbCUdnSfzGi/
- http://rociton.com.bd/wp-content/parts_service/f40sb8gz9nnsppjgt7tclxs_gq8nvjogop-96874256/
- http://rzd-med.kz/wp-admin/parts_service/sw52j2qr0y_aaqn7hq5b-378256719777818/
- http://sanalkeyfi.com/wp-includes/Dok/qauowl45eharem4bo5i0_9vtspc-07835495394/
- http://sa-pient.com/wp-admin/uhiz5-waz5h1-oeokf/
- http://sawitandtravel.com/cgi-bin/4xaib1-5gzkqtk-ncyncpf/
- http://seabird.com.ph/html5lightbox/e49fc-v1zh9o-zrdsp/
- http://sexlustoys.com/app/heotbm4-5ea4e-qbhgzg/
- http://shadzisti.ir/wp-includes/bka7-9lmu27-vhofm/
- http://skilancein.000webhostapp.com/assets/INF/BztYZLgGvYARNnbzPsTRtTUGJy/
- http://slppoffice.lk/wp-admin/cjr9zzp-rf7yx2-rbvxv/
- http://smake.in/wp-admin/4ssh779-i04deq-vsarad/
- http://smartschools.co.zw/wp-content/f8sy-k74kuj-xsaidw/
- http://snowballnaturals.com/cgi-bin/gsai-g663ics-kgisfcn/
- http://songdung.vn/4d4ixle/zxkthq-p764b-mmzxllf/
- http://sreelabels.com/wp/x1zu-9l83g-fhhdw/
- http://srgranel.pt/blogs/LLC/yi2j7x85stn1at_4dvhbnr-47282747/
- http://sseg.ch/wp-content/ytn7-eh9d9a0-jphxofx/
- http://steventoddart.com/cgi-bin/78djj4-9rsc3m6-rwtqz/
- http://subkhonov.com/LLC/Document/qWrWCtrmDmBwslubhyvcaBfWhiQX/
- http://sulkanvariasimotor.com/cgi-bin/Dane/QdSsDaRPbt/
- http://supercopa.cl/assets/esp/zugnnetz0suvx017j01zwr3_x33y9-0543142109882/
- http://swansgateshoppingcentre.com/wp-includes/Scan/ok6ulsnds83m0s_6gz9lcuo8c-605978940826/
- http://tbwysx.cn/build/9631pb-3ndkdr6-ieae/
- http://teiamais.pt/wp-admin/ir05prk-vawjdhm-mwwvx/
- http://teknisi-it.id/COPYRIGHT/FILE/VppKShnPdkhRjUEXEeooCIIAhwbUDA/
- http://thegeekmind.pt/wp-admin/hyxd-4bsn17c-hfsreja/
- http://theoptimacreative.com/backer/DOC/lzdtnRntp/
- http://thethaoams.com/wp-admin/k8xc-vr0ue-ryktr/
- http://toorya.in/wp-content/csbluri-69vjyo-gvib/
- http://torneosnh.com/lucho/qgyr-kn326x-dxbtpa/
- http://trademarkloft.com/wp/LLC/MRWfXNPWcWfmIEtA/
- http://travel2njoy.com/wp-admin/30f8i-871i1f1-hcbtiyx/
- http://trendybirdie.it/wp-admin/l26xb-qw1gs-nbrr/
- http://usemycredit.ml/wp-includes/lm/qr0k1llf_9epghq0f-911869644204054/
- http://veresk-studio.ru/wp-admin/e032ur-7ivwl-evprfzy/
- http://vidalgesso.com.br/wp-content/parts_service/0dxp3gqybi_khdxx-76852614/
- http://vinyasayogaschool.co.in/wp-admin/Pages/srSdAHPKkqZbXQVsEkPcjTBAUxFM/
- http://voctech-resources.com/cgi-bin/Scan/yygznlklj5_donv8-334023278047356/
- http://warwickvalleyliving.com/images/classes/89ofu-pyt3kp6-ucnuue/
- http://www.912graphics.com/cgi-bin/btqbghdo7eu6ykg0zzxjohdj7_j9gac5n-2948099525/
- http://www.adil-darugar.fr/wp-admin/Scan/trrMBcbN/
- http://www.cmg.asia/wp-content/uploads/DOK/bkmrGzXzIEZODqVCVwBTcQiNn/
- http://www.maria-hilber.at/wordpress/y0og46-pud86sj-qmdnev/
- http://www.nucleomargarethferes.com.br/wp-includes/3lte794qnmo8qdk8p_cbdl68-46700341/
- http://www.rabotkerk.be/cgi-bin/jt2ly-82r1t-uawc/
- http://www.vidalgesso.com.br/wp-content/parts_service/0dxp3gqybi_khdxx-76852614/
- http://xpelair.com.ng/wp-admin/uwenu-wdun3-aurp/
- http://yaxiang1976.com.tw/wp-admin/01hx-6w7iiy-boqkmey/
- http://yk-style.net/weibo/erjm9-7dlg8an-zsldtn/
- http://zhas-daryn.kz/toreshim.kz/LLC/ndpZCyBJjxPtWoCjvwxzqByfXVQsuT/
- http://zmeyerz.com/homepage_files/paclm/ATMrNHzXJjfIFDTQmcCNmiPHPRUXO/
- https://akihi.net/BBS/omra-4vws5-ilkw/
- https://blog.laviajeria.com/wp-content/uploads/gsaujyf-ry06n-dssec/
- https://bmeinc.com/wp-content/t0wunqu-izvvlvm-cqxnq/
- https://buxton-inf.derbyshire.sch.uk/wp-content/d3q7i2h-uf2cg-etdwftf/
- https://centredentairedouville.com/wp-includes/Document/zw020kmf76b9mjrb_75xfiu-31033395686/
- https://conjurosdelcorazon.info/wordpress/Inf/1hpu9k3q05djyl3gq5722_d7u08f-5929583887/
- https://dnmartin.net/wp-includes/v62mbu6-bulqh0-mqvdot/
- https://eeda.tn/wp-content/languages/qrx8t-enc1iw2-tlpfv/
- https://euma.vn/yfbh/pvhwwa-xg74b4-bknrdh/
- https://exposicaoceramicaearte.com.br/cgi-bin/Scan/cuhgcn4fje3ftup_x82vkmk-064904430823956/
- https://fitnepali.com/wp-content/plugins/vtt3uru-k3dfd-rfeqkz/
- https://hlclighting.ca/wp/Scan/oylkuxb7d3zafh4_yyzho55c-730553405724/
- https://kamasexstory.com/wp-content/y2o6h-vnm6vw-ehxybl/
- https://katesemernya.ru/wp-content/parts_service/fl3u8puxwduomh55mrw44jisppz10r_nfmkflw-998458487096619/
- https://ksicardo.com/travel/86xczz-ky8hi-fbwoyt/
- https://liantrip.com/x6sm/INC/k9iovbtzedsa1ptk3j_9gqdpmgi-906696776/
- https://longokura.com/wp-includes/Pages/RphdkFQwbj/
- https://lr12sp10.org/wp-admin/8nu0md8-38qsi0-iqme/
- https://megfigyel.hu/hirlevel/kj8ce-szyqbse-iinoje/
- https://mjc-arts-blagnac.com/wp-content/Document/qein18j18_d9y843jj7-3116175961/
- https://placo.de/typo3_src-7.6.11/3jo2nmg-58mws-pospv/
- https://proxindo.id/wp-admin/FILE/vgsupeyhnlc8ka4tbdu72wde7khpa_1ganzrzry-05828045/
- https://ramun.ch/infa/FILE/lJvrIxQuUlhOCEvbCUdnSfzGi/
- https://rzd-med.kz/wp-admin/parts_service/sw52j2qr0y_aaqn7hq5b-378256719777818/
- https://srgranel.pt/blogs/LLC/yi2j7x85stn1at_4dvhbnr-47282747/
- https://thethaoams.com/wp-admin/k8xc-vr0ue-ryktr/
- https://topaqiqah.com/wp-admin/iwrivz-kuvph-szzyiic/
- https://www.kleine-gruesse.de/wp-includes/Document/laWittBVpszALuZbTWOvWHRk/
- https://www.sseg.ch/wp-content/ytn7-eh9d9a0-jphxofx/
- ```
- #### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
- ```
- Creation Time 2019:05:21 15:47:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
- SHA256:
- 3186aa73cfd05f2eb1377f4f2d4f1c1e92fcd17c16931a836685006c9e541d22
- b5b3b11a8102211cdc96d8c632632302c7581a2782188bba735064fc79a9dd92
- c3d9a7610c958cfb1e53f7f0347f039b7f886091b34e7b40c01b37b162966604
- f4222ea98ed930fc2bb5e61b8a6552c7e2d14068e1a8e4e5ca880d8ca7fb84de
- a2b9b0f88df424553ed318b9d60253acf17a87110ec122fd85b9d1eb48905c93
- 1f0ca6fb3208beccb72075ff4cb11d637bb78a28b008231f20cd559d23f54599
- 60687bd472c8e22c380001350f2211e246237ae722fc0bd6b0ad58d07630dc1c
- 54b34632fc88ff88fb0de3ea6861249c72c0606e379617189646ac1601f91a46
- cf5e0fbd285d9f04b16748729d7e284aa32224195016ef192626e6b6d8778825
- deaa8bd161e8f3e7c7b6fc6f698a83f2f8772529eb0d0b596c7be47b29b3d76e
- 7bb902370e4d515163f834fc59508529311503a60257ff22bfa17dc48c75950c
- http://lucy-jade.com/wp-includes/tbzu5/
- http://feti-navi.net/wp-admin/gfod2z3668/
- http://vinkagu.com/wp-admin/1mc0544/
- http://hashkorea.com/wp-includes/sp0d763/
- http://phigvelers.com/Library/7tak1867/
- Creation Time 2019:05:21 11:11:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
- SHA256:
- f9ab3d277291f373e3d2986e76401a707948eaef5d22cb884c278f962fd4d035
- 1b48a315a4e8c5a5b7095883e663dd0b43f40f9bb60d17bda594c37648371469
- b7c079f1f0580be195115872575caa40cd63137a5aaffdbd447708e1723dc4e3
- fa38aaec56c44bf5e2e151cfeaed8b47b19491e1fdec93c77baf5803c5f4d0d8
- 4cc271756b3556d783f24f14250e61f7ac3113dd3cccdf3ed91544b4e1254d21
- 04f15c494871ac098989011d3ea2d97fb75117407937a5bec50dfd87cdfdcdc4
- b408e06a045d97382580d5f1a7b1d5183368de3cb0cf3324647f1d802ba95bef
- d4813f30ddf8126ecbfff6875784ac8d0ed7396ed7f6fea7b48fc9d53a86c0ce
- 1a09ca29dffdc772442b2d5c3b5a5ba6aac16bb132b2f793e959f25bfd71d223
- 7bb6d38374d20b09092ee76894f5f10bfd4c18dfb75b1277e6a41f5b9bda0c31
- baf34bf1cc0f032834397222dd59c2557bf5f07cd0224e7f09e6195a35ca90bd
- e2b1de5edef455be4fc02f63386113d5f9388964c88a8b203f8c64b95dccfcf2
- 2d637c739528b1bb6ef74565459d1bba3879d812cdef35bef1db18502fc719b1
- ff032e980b8d7ace5618a79ffe8dc09a99d8b133de6d9adfee43690367475f37
- 4ff3858e96b9e76a27c8441347cfebb98dd1ccc58748f794b8c797aa19df75d3
- 7fbec185d4b8ea5ae64de6f2e47a48091582437d26f55c547eb62da373341431
- 98594d722c9887eccf2912c97c05c72c95d2cd03f795ae4752f307d28b8dfecb
- http://indahtour.com/test/xyswwg35509/
- http://bike-nomad.com/thumbnails/525v731481/
- http://esnconsultants.com/medals/oftqcsg954/
- http://heuveling.net/l3d74/
- http://leeger.net/joomla/c60/
- Creation Time 2019:05:21 06:34:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
- SHA256:
- 834731391b0defa34d6dd096260d88d3af4e1fe78eb152da8c75d95b80d3345e
- 0b5cec0a3865e2e0ba377217d7ff4496f9ed54659317318ffc5b8c58b3476afb
- ec362e5792698b74941f6f06159f2d713c1380f926756c267f6cf226306f3027
- b8492e02cf746690321944c8d37a32f8a4fbe6edf749f89b576eb6aff540c631
- 297d50491edaf2865e9a7373885527e50fc33c7deda6e964e3dc67bdc7ad4d9b
- e14b09b539e527769866b24ff31f22a977173876fe8eb0cd0c707ad61a2f57b6
- a02a597810a1af3c6c0ae138bc202ed4cb52b282c335ef4ff002386939442909
- 2bdb377ede44fad994ccf12a517461d5547ca0d3a5fd327599ac26100348ae07
- e5c395bb17baa9f804633f78c45f2af5b333e6b66a92a247018ee70d0d6d34e0
- 27911ae09f81e29840684c546276dd3e1401627c12f8097adc8a135dd4c1a3b4
- 55570679e088d70af551ec6fa946e413c40a333acdba4b089f4768780df18cc0
- d3f31e2cfc818d9a8deeada5caeb6354c3673021e0f396625cf42acf1452a08e
- 000f398424798d053f45b56c1326f3aae46357986172cb4434968564f7082340
- 4da31a497839d41fb1bad2694cebbcd58b05f3b900eb951539f7b68bf6064b1d
- f2882f50d8d76f576ae6ef158d018ea5cbd402742b2e72f61d448acc4433ba49
- bd27a9089dcf0492fe56ad777c70400668738cbc0661d6df0e448d5db3e6880d
- 942ac5d45abfb5aa4fabdaeb89ad88b3ac4a22a7619149b0d5745284f2d5f210
- 0939b437c0e22c3f99833a517bdaa2038f044a85f59e36bf4a358e72ac84ba30
- 51c7b0fb847932c47785886b721ce98dd2d6534b6904a65b1b73e4113a9647a2
- http://nemexis.com/v2/iogkxow886/
- http://giumaithanhxuan.com/bipq/1265/
- http://lifetransformersgroup.com/cgi-bin/0px3t7/
- http://mejalook.com/blog/46nq99/
- http://mejiadigital.net/4a30/
- also
- http://169.61.9.157/v2/iogkxow886/
- ```
- #### SHA256s for Epoch 1 Payload EXEs seen on 05/21/19 ####
- ```
- bbb17749e7d4493a06e557a500eefd2f3472439ca955d2b2f74367c431d39348
- 9281bed7f99d4dc0c5066c7437bf66ef884b22e3c64386b60ba120ee7600fd71
- 1da42da7db4625dc10cc670638d2ec0f214173b4e2feea0828236de9b6683e5b
- 4cdc642df81767d815fa348ad81f7804678ee15b47785f2056d5818b55700c7a
- ```
- #### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
- ```
- Creation Time 2019:05:21 15:38:00 (Attachment only - DOC Based - ENG - 365 Blue Box)
- SHA256:
- 0bc575f2877b8823c88e054f060f9615f107f667ad9b3ab7ef81342257f62ae0
- 7d90829f67ffeaa277c1f148853d1bc8029b50061fcb67f954794ae02da8e6d5
- 005031fa9bc41b117502d84a3bc07e4d0dcdefad19bceac8d55f982628b66497
- be426ab8a0fd5fa32dbd356f2cf9ffb1f470c11f521bde62bf1130c6b4824a93
- http://tataaquila.com/wp-content/VnZCUGsIx/
- http://quangcaobanghieu.vn/wp-admin/mnxcr_prcplofs-543418/
- http://entertech.pt/ftp_sat/pfd770s9cd_tv21zy-3/
- http://mentes.bolt.hu/zscf/ZnHNjKBqK/
- https://midnighthare.co.uk/joomla/qCwEdMNIU/
- Creation Time 2019:05:21 11:29:00 (DOC Based - ENG - 365 Blue Box)
- SHA256:
- 728d0def3186dc60e0b0ae365fe750930be37151b1a1e8165a25288026dd2b16
- 18cfb63256920dbdbfb323029eefefb87868d876d3a3e20374c78bcb36912222
- d3be1c51eb2242f7e9075192475a9c79797f2444ff427ae31ae7d98323cbe6aa
- 1fed16048c546058c202c2e4ac47e2724345734bc81e2ddd417470bbde6a458b
- 65c01a898852e52de112235be2f89cbbe01875ec22602fa5b8759d1a6a99e074
- 52478e946ce21f5575e44e8ca7eea3fa4bc19884766d780b4d1c86008968de59
- 4aed490385893bc87057809f30522a8bd1f5fbb1e98228eacdaea0c7b32db406
- b2d41d179fd265f8c043a1e1320dbd29da3cc2f969b0608843c3ec8461aea9c1
- 88972b986e79467a4922b16b7e8de50e325535a0f75e480fef2b4eb883fbe87d
- 5dc74367c0888088fb09a1a4528071ed03d5a911f49b77278c2768799494e42b
- 9e76fa48088b08ad51c00814310c9e18c11de27b79dd3655252c371c13d646d3
- ab56d467250815ce59a4e180f4a1fce5e5b3dca9765e3efb63f42fddc16ab441
- bc53b88dd6f5907e4d225bf3bdd87dd0446ca9801f23b4f723b40a01df00217d
- 43214f8a94c8b6ab6e615e19deee6da3f3f1492e090cbeea4c216ff17d3cec7c
- 3fd03f7835e04318c0d189ed5125ce9bc8e593513bdf47b25c86c2543a4e119c
- d3ac2a40b74f11795c013911171f27ae3cc66c23fb836105b3417e93c8d6530e
- 3107bec7fa6f9a0def69ab8138e924f921d8434e9e07b4aa0aed8e5473a34ced
- 07c5f5aa86e104945318cec323bf33c2b8f3075be7faa05c819c87c7b5d3d84d
- c3c972f236a7821a015c19783efee3001cab85beb0be4d321eecd6892b35f4dc
- fe0a4235cacb127cdd5a233de289afd77aaa9466beab667fe94277cd1b0d6dbc
- 5eddaa7d2cca79266cb9f5a6cddf70a70c9b4c970289f6956969453f10cd3d0d
- 47656e32b028df9497bce411005c7694d400656330c94071b4ac073928654378
- 751d2fb9c58cca3176b5a0052b76ed9943ca49fdfba93624162a2934ab79e070
- 9733c729501430b4d4df9ac843c4ee8e700fb9986e3e0084c450a8842f8dbc80
- 7df44517d6b3d9c8f96b5eee9ec19bdb9ef9a9fec10df254878a8d97c7acc590
- 8a1268300ed1420980b983cc13772eba3468ed2dbefb1da04fe86222bec651f6
- 789a0c9cdda263bb30fd3ef55ca52f8a13ae62e48e411777bc2d743ffe32c1ed
- 9f7521fc26126b288e5680cc9e5f4d5c48b2cb0f00330e1c967cc19b43544a5c
- 3cf84933b09c7ba41dc44c87d7d25ab09bb483e9a65c61419533ca390ceeedf7
- 82b442d216bf026aaab691c10d73e9728b018985ab8836458d8eb7c0717e8431
- 56c3ed80ab25a9d8f9be95a185904784cb4f3317ebeba195c74e411374cf38a9
- 9b5dabab677cc2e0ea7c151f246e4c9591d51a04ce590fc079eb1666cc44f1b7
- 884ce8c4a4f79ad45ee76097b8574455992f335d468d3dc39b2da7230800db54
- 1f9135d4728db1169f5b2c9ca06799ee283292f4ec89e1297f97a281dd72ed9f
- 7ab11f10f3e8c44689c783fa8a81a4cb8198c8c4c590ee3b8a7098cfab26926d
- 2eec2788ab92c6656545389dd8870c596083c10f9c7de05e410ed6cc88996f1b
- e37911f348a0646d43bbd18ca495938da81550e77bcce2fdf6825ad4983746d7
- 0c8195dc142129c79c44a0cfd36ad7e7107a54bdb3fda3dfce49ea4ef4ff7f15
- c7fc9b8dac0a223d3dc280f2a3b161b2592304a055a1f6c9dcb385e329d44a4b
- b7c866e1206e59ccc9331f6bc979987fc8d4039e986d05591ba8d1080a77bba2
- fd07b84f52ac3c5692366db8c7fd6f7915062e311a26192c079c39990e38eddf
- 4058c92ce66ee6c95a068c47aa7c881305e2e84ac60d8b8f52d0735b42605686
- b570f6b13a46f9cd00bfeb5898b0789778a1af9853838cf09a969794f0f271b4
- e3a0c9da4600559e06487c241e247cd54062c0dc80e05a5554229213494ec110
- 72306a55d75df63a03d274eba3eef0568b5882f0e84fbc9969e85dc5ebf81358
- 31191c4cb6466678da508d0481f4dff50402262c264047215850d74eaaa4ed7d
- c70342a18c7acb9fcee47653f65d5fa6adc363ae35c94db9092c85a3c5e049ad
- 76458b834de22f4dff0ef5087e8ce583339ff73fae4018094b371b281c3bb5c7
- 192150e5d5005d3650f182bea9365cbb4a6cc50b57f72f48705f5c905e228554
- f1d8695c5978de94a912c3951bb5529653bbfd2852a913264a8486e9620284fb
- http://mireiatorrent.com/wp-includes/bj07f0biw9_0sj91efi-0/
- http://msograteful.com/codImwUJbt/
- http://escoder.net/cgi-bin/OmrZcAEqS/
- http://priyainfosys.com/products/FSrnZTOgOA/
- http://llona.net/bqi776dm_agvux-6816533798/
- Creation Time 2019:05:21 07:46:00 (DOC Based - ENG - 365 Blue Box)
- SHA256:
- 739add20d743a8d00b6fc26c0e0985b6876748fe5fee82b81c62b49cb151f571
- f3a34ec584abd1dcdad7c65782cba7b633124e29a05649adb97b0e6492f37e4f
- 28b9a555d40cbe24c10a99bb5f18f99a26bac4d6ae19c80b7eb07cfa2c1466af
- a044a40de89da2345b2ebe7ba33c7cfd51693afc8e070bbb90158f4a21be57a6
- 6a1449aa4e7284a079bd98df27e9a86960108a897f0f7a785e769d94744a93c0
- d53204c2b76437fa76c196709795ca2a123dc8fda1815b38d95ddb98b274176d
- a6df8746b9d74d6fdd4109d3b81acce0399c6c3f8104a074d171eb8c4b09ffed
- 7c579c44bc0dfdbf7869860b97621b3a2da7d2e7a99f8c1faf944f76b0c9cc8f
- 31d241738b7f029d100af0d13b0822647caf41e507612398ce3c5017c67532e2
- 448747e9b705f47ab849ddf077736650b0e45ce63e7e42008a31d71228e3e793
- 5c0e8c8cb4b045e9683ca8f2e266b1fef7e1240fc1e3059e876c273745ea1592
- 0d916a1d131df981f5598d9f98538a2b637e8d924a40fa541c1bbe2852615df0
- 55da62fdf470a46c62d6189c5f83b709563510689c96b67136c15ca6411aa845
- c9d6408f645ddd2d73c96d56ed1a6ed7fa1be5d10062ee76bdb88da1b6db6056
- be4c3f33dfd43a0a47857c13cbab9d0fc05e10a94e1ab58553d8553de3634a0b
- 335a5fd3eca63f5a2fdd5496da37d5bd954bff56610be700434521b827ee1105
- https://mobilizr.com/slagmite/vfao_7pkco0lob-674967226/
- http://mmesupport.com/upload_docs/7qnxu0_on92iv5o8u-07294/
- https://miv-survey.com/ws/xz8yftcm6t_bdxduwga3w-3/
- http://moolo.pl/pub/NauVcJcbPH/
- http://mstation.jp/2004christmas/ybgiax_c3bk83e7-33621494/
- also
- https://www.slagmite.com/vfao_7pkco0lob-674967226/
- ```
- #### SHA256s for Epoch 2 Payload EXEs seen on 05/21/19 ####
- ```
- 5043fefebe7b86a1f6c9cce3851198c9e57ec13bb20a092def794eed67520648
- 51465a36762cd888020e933c9ecd34d8834b38cb424616b5ab155c50791bcf79
- e53bde18c9de202dfe978dfd02a456fae1d1db6188491841fedadc306b10d68e
- ```
- #### Epoch 1 C2s ####
- ```
- 103.201.150.209:80
- 105.224.171.102:80
- 109.104.79.48:8080
- 109.73.52.242:8080
- 110.93.196.197:80
- 111.67.12.221:8080
- 134.101.222.153:80
- 159.69.2.128:7080
- 163.18.23.242:80
- 175.107.200.27:443
- 181.110.239.26:80
- 181.143.101.18:8080
- 181.15.177.100:443
- 181.15.243.22:80
- 181.16.127.226:443
- 181.164.227.212:80
- 181.198.67.178:20
- 181.199.151.19:80
- 181.211.130.109:443
- 181.29.101.13:80
- 181.31.49.178:80
- 181.39.134.122:80
- 185.129.93.140:80
- 185.86.148.222:8080
- 185.94.252.27:443
- 186.71.75.2:80
- 186.86.177.193:80
- 187.178.9.19:20
- 187.188.166.192:80
- 187.190.237.104:8080
- 187.242.204.142:80
- 189.196.140.187:80
- 190.113.233.4:7080
- 190.117.206.153:443
- 190.123.35.82:50000
- 190.147.12.71:443
- 190.180.52.146:20
- 190.252.229.53:80
- 191.97.116.232:443
- 192.155.90.90:7080
- 196.6.112.70:443
- 200.107.105.16:465
- 200.127.0.8:80
- 200.28.131.215:443
- 200.32.61.210:8080
- 200.57.102.71:8443
- 200.58.171.51:80
- 200.80.198.34:80
- 201.251.229.37:80
- 203.25.159.3:8080
- 205.186.154.130:80
- 216.154.222.52:7080
- 216.98.148.136:4143
- 217.113.27.158:443
- 217.199.175.216:8080
- 217.92.171.167:53
- 218.161.88.253:8080
- 219.74.237.49:443
- 219.94.254.93:8080
- 23.254.203.51:8080
- 31.179.135.186:80
- 37.59.1.74:8080
- 43.229.62.186:8080
- 45.73.124.235:8080
- 46.21.105.59:8080
- 46.249.204.99:8080
- 51.255.50.164:8080
- 62.192.227.125:80
- 62.75.141.51:7080
- 62.75.143.100:7080
- 66.209.69.165:443
- 69.163.33.82:8080
- 71.244.60.231:8080
- 71.43.69.2:443
- 72.47.248.48:8080
- 79.143.182.254:8080
- 80.0.106.83:80
- 81.143.213.156:7080
- 81.183.213.36v
- 81.213.182.115:8443
- 81.3.6.78:7080
- 82.226.163.9:80
- 82.71.157.57:443
- 85.132.96.242:80
- 86.155.233.74:8080
- 87.246.58.59:80
- 89.134.144.41:8080
- 91.205.215.57:7080
- 91.83.93.124:7080
- ```
- #### Epoch 1 - Spam/Stealer C2s ####
- ```
- <not updated>
- 61.92.159.208:8080
- 104.236.185.25:8080
- 50.116.63.9:7080
- ```
- #### Current Epoch 1 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJWcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
- ```
- #### Epoch 2 C2s ####
- ```
- 103.11.83.52:443
- 103.53.44.20:80
- 104.236.206.44:8080
- 105.228.3.127:465
- 109.194.50.231:80
- 117.218.17.6:990
- 134.196.53.52:7080
- 134.209.14.155:8080
- 136.243.177.26:8080
- 138.201.140.110:8080
- 147.135.210.39:8080
- 162.243.125.212:8080
- 167.114.210.191:8080
- 169.239.182.217:8080
- 174.136.14.100:8080
- 174.96.5.251:465
- 175.100.138.82:22
- 177.230.108.144:22
- 177.242.202.30:8080
- 177.242.214.30:80
- 177.246.193.139:20
- 178.152.78.149:20
- 178.62.37.188:443
- 178.79.161.166:443
- 179.32.19.219:22
- 181.129.30.82:80
- 181.175.142.212:990
- 181.189.213.231:465
- 182.176.132.213:8090
- 182.176.94.236:20
- 182.188.47.206:990
- 183.82.100.135:80
- 183.82.110.170:53
- 186.113.19.171:80
- 186.4.167.166:80
- 186.4.234.27:443
- 187.177.154.167:990
- 187.189.195.208:8443
- 189.154.42.168:80
- 189.209.217.49:80
- 190.145.67.134:8090
- 190.147.53.122:990
- 190.25.255.98:443
- 190.25.255.98:80
- 190.72.136.214:465
- 191.92.69.115:80
- 2.50.4.159:443
- 200.21.90.6:80
- 200.85.46.122:80
- 201.199.89.223:8443
- 201.220.152.101:80
- 201.238.152.20:465
- 207.44.45.27:22
- 211.248.17.209:443
- 211.63.71.72:8080
- 216.98.148.156:8080
- 217.13.106.160:7080
- 222.214.218.136:4143
- 23.95.95.18:80
- 24.139.205.186:8080
- 41.220.119.246:80
- 45.123.3.54:443
- 45.33.49.124:443
- 45.55.201.204:7080
- 46.100.165.6:53
- 46.105.131.87:80
- 50.31.0.160:8080
- 50.99.132.7:465
- 58.9.168.7:443
- 58.9.168.7:990
- 59.103.164.174:80
- 62.75.187.192:8080
- 64.13.225.150:8080
- 66.84.11.168:8080
- 69.251.12.43:80
- 69.45.19.145:8080
- 71.244.60.230:8080
- 73.189.66.63:80
- 74.207.227.96:443
- 77.56.253.112:80
- 78.186.5.109:443
- 78.188.7.213:8090
- 84.241.10.111:53
- 85.104.59.244:20
- 86.151.202.16:20
- 87.106.136.232:8080
- 87.106.139.101:8080
- 91.205.215.66:8080
- 92.154.101.154:50000
- 94.76.200.114:8080
- 95.128.43.213:8080
- 98.142.208.27:443
- 98.144.73.193:80
- ```
- #### Epoch 2 - Spam/Stealer C2s ####
- ```
- <not updated>
- 198.58.114.91:4143
- 213.136.86.219:7080
- 91.205.215.10:7080
- ```
- #### Current Epoch 2 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
- ```
- #### Credits and Notes Section ####
- ```
- WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs as it
- is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
- https://pastebin.com/u/jroosen
- NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
- I am providing them for your benefit in case you want to parse them to be sure.
- ```
- #### What is Epoch 1 and Epoch 2? ####
- ```
- What is Epoch 1 and Epoch 2? (updated 03/07/2019)
- I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
- payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications.
- Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller, more
- rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
- This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen
- to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group. E.g. going on breaks at the same
- time period.
- Here are some observations I have noted since I have been watching these botnets:
- - Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
- Epoch 2 document download site. Specifically, Maldocs on Epoch 1 will have different document creation times and payload quintets than those
- being delivered in maldocs on Epoch 2 at any one time.
- - Document hashes change every 10 minutes on both Epochs while distribution/spamming are active.
- - Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- - On Mondays of every week a new set of document download sites and usually templates to accompany them are generated early on
- Monday morning/Sunday night.
- - Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
- Epoch 2 may have a document hosted on host.tld/B.
- - The RSA keys will change every few months or so for C2 communications on each Epoch/Botnet.
- - Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
- *- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- - Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- - C2s are never shared between Epochs/Botnets.
- - Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
- via C2 to stay ahead of AV defs.
- - Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
- - Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- - The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this
- easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- - Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
- spam template, word template, document type and even payload.
- If I think of anything else to add or if anyone else has any suggestions, I will add them here.
- ```
- #### Community Lists ####
- ```
- Alienvault
- https://twitter.com/SecSome/status/1130907545290383360?s=20
- @JayTHL analysis of domains
- https://twitter.com/JayTHL/status/1130705185691590656?s=20
- ```
- #### Credits ####
- ```
- (OC from @JRoosen and/or combination work of the following)
- Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
- @0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
- @Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk
- C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
- @devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192
- Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
- @pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
- @papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro
- Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
- Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
- helping out with this!
- Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
- @digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
- @urlscanio, @TrendMicro and @Virustotal for providing services/software no charge to this cause!
- ```
- #### Daily Log 05-21-19 ####
- ```
- Again no sign of emotet to me today in UK.
- E1 running as DOC attachment-only again; observed hashes drawn from anyrun and hybridanalysis.
- Given there were 87 observed hashes in E2 DOC, there are likely additional E1 hashes out there
- After 250 URLs delivering 87 DOC hashes, E2 snuck in a DOC attachment-only run at the end of the day; observed hashes for latter drawn from anyrun and hybridanalysis.
- Limited updates to both epoch EXE, 3 copies of 74k each.
- A big thank you to all those that report #emotet, via Twitter, URLhaus, URLscan and all the sandboxes
- General News:
- <>
- REVIEW:
- If you didn't already see it, there is a very simple way to defang these ZIP/JS attachments or links. Just change the Explorer association
- to open .JS files via Notepad.exe. You can follow my instructions here in this Any.Run:
- https://app.any.run/tasks/81503633-0f95-48d4-bd80-c83ec5c2b763
- or you can do this via GPO. Here is a nice writeup on this process: https://montour.co/2016/09/group-policy-force-js-files/
- I recommend you do this because .JS malware is very 2016 or even earlier and most users never need to run .JS or .JSE for that matter.
- You can likely throw other extensions into the same configuration and @JayTHL had a nice thread discussing this here:
- https://twitter.com/JayTHL/status/1126204098670411779
- Email Template Report:
- Generic templates for the most part, the usual body text listed below.
- Review:
- What we know about the threaded templates/reply chain:(changes are marked with *)
- - Emails are sourced from once (or still) compromised users all over the world.
- *- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
- to the compromised party on or before Nov 2018 until at least March 2019. (may be up to present) Also have seen emails going
- back as far as June 2018.
- - Now on E1 and E2.
- - Now seeing German based templates that are essentially the same thing but in German.
- - The injected reply is usually prefaced with the following:
- "Attached is your confidential docs."
- "Attached please find the wire transfer form."
- "Thank you for your help. Please see the attached."
- "Load instructions attached"
- "A printer friendly attachment is now included with each email."
- "Click on the attachment to open or save the printer friendly version of your report."
- - Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
- - Attachments seem to be in the filename format of *_Month_DD_YYYY.doc/js so far.
- - The link is customized for the display text of the link to show the real domain of the spoofed organization.
- - These templates are pretty limited in run and not very numerous.
- Link Regex Report:
- Regex directory patterns
- E1
- *https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)
- https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/
- https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
- https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/
- E2
- https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
- *https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)
- https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/
- NOTE: If you get a lot of false positives, try adding (\"|\n) at the end of some of these after the last \/
- These Regex patterns are to be used experimentally and at your own risk but they caught 95%+ of link malspam.
- Payloads Report:
- E1 emails would seem to be attachment-based only, no sign of active URLs.
- DOC hashes above were drawn from anyrun and hybridanalysis.
- E2 emails about 250 URLs, and that was just from two sets - the third E2 was attachment-only, no urls found. DOC finished updating ~20:20
- E1 EXE - only 4 hashes observed, three were ~74k, one was 14k (broken)
- E2 EXE - only 3 hashes observed, all ~74k
- This 74k EXE seems to be a V5
- C2 Report:
- Combining C2 from all E1 EXE gave 90 unique combos in total. - recorded above
- Combining C2 from all E2 EXE gave 93 unique combos in total. - recorded above
- Closing:
- I am out of office for the next couple of days but will get the key indicator lists together
- @ps66uk
- TT
- ```
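- The Link Regex Report above gives the E1 and E2 directory patterns as raw regexes; the following is an added example (not from the Cryptolaemus team or the paste's author) that runs those patterns, copied verbatim, over a constructed list of URLs under the reserved `.invalid` domain to label each one E1, E2 or no match. It also shows why the `(\"|\n)` anchor the NOTE mentions matters: a newline is appended to each URL so the second E2 pattern can only fire when the random directory is the last path element.

```python
import re
from typing import Optional

# Directory-pattern regexes copied from the paste's "Link Regex Report".
# The trailing (\"|\n) on the second E2 pattern is kept exactly as published.
E1_PATTERNS = [
    r"https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)",
    r"https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/",
    r"https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/",
    r"https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/",
]
E2_PATTERNS = [
    r"https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/",
    r"https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)",
    r"https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/",
]
COMPILED = {"E1": [re.compile(p) for p in E1_PATTERNS],
            "E2": [re.compile(p) for p in E2_PATTERNS]}

def classify_url(url: str) -> Optional[str]:
    """Label a URL "E1" or "E2" by its directory layout, or None if nothing hits.
    A newline is appended so the (\"|\n) anchor can match at the end of the URL."""
    text = url + "\n"
    for epoch, regexes in COMPILED.items():
        if any(r.search(text) for r in regexes):
            return epoch
    return None

def scan_lines(lines):
    """Group URLs (one per line, e.g. extracted from a mail-gateway log) by label."""
    hits = {"E1": [], "E2": [], None: []}
    for line in lines:
        url = line.strip()
        if url:
            hits[classify_url(url)].append(url)
    return hits

# Constructed sample URLs under .invalid; these are not indicators from the paste.
SAMPLE_LINES = [
    "http://example-blog.invalid/wp-content/Document/ab12CD34ef56/",    # E2, 2nd pattern
    "http://shop.example.invalid/cgi-bin/k3j9d2m1_z8x7q-4410093821775/",  # E2, 1st pattern
    "http://cdn.example.invalid/wp-admin/p7q2x-m9k4ln3-zz81/",           # E2, 3rd pattern
    "http://files.example.invalid/sec/DE_/accounts/",                     # E1, 1st pattern
    "http://www.example.invalid/images/gallery2019/thumbs.html",         # no match: anchor
    "https://www.example.invalid/blog/2019/05/21/weekly-update/",        # no match: benign
]

if __name__ == "__main__":
    for epoch, urls in scan_lines(SAMPLE_LINES).items():
        print(epoch or "no match", urls)
```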
- #### Sandbox 05/21/19 ####
- (all with fakenet and MITM unless spam/secondary infection)
- ```
- Epoch 1 C2 run on 2019-05-21
- https://app.any.run/tasks/a720cac8-b419-49d0-ade5-3e9a1c40f23a/
- https://app.any.run/tasks/5a3ad520-0643-4d7c-a616-762fd07f517e/
- https://app.any.run/tasks/caea02b7-8711-44f3-954b-8ec838862cf0/
- ```
- ```
- Epoch 2 C2 run on 2019-05-21
- https://app.any.run/tasks/221ca6b3-5303-4ee0-8d04-d09d72f2c813/
- https://app.any.run/tasks/0aae5596-2f41-4555-9447-9d085d186e8a/
- https://app.any.run/tasks/bca47fc4-5935-450b-97a3-a9cb7a84ead3/
- ```