- ## Emotet Malware Document links/IOCs for 10/14/19 as of 10/15/19 02:00 EDT ##
- *Notes and Credits at the bottom.* Follow us on Twitter @cryptolaemus1 for more updates.
- ### Document Downloader Links ###
- #### Epoch 1 Document/Downloader links ####
- ```
- <none>
- ```
- #### Epoch 2 Document/Downloader links ####
- ```
- http://6-milescoast.vn/wp-content/s7rfibr3s3jbyrl30/
- http://abelincolnplumbing.com/sitemap/lph4cp3uhcerg4eyyfuj8wshre/
- http://alplastkuchnie.pl/wp-admin/qAwZmwwdEVNlKHZaHKYRdof/
- http://amoozeshstore.ir/css/ju23ib8mkvwx9nfvywvhm9gfa3xvgsup/
- http://cbdagshai.org/sitebuok/UACPuLDcSixTBVcsnbBnxMjZgGO/
- http://decorstyle.ig.com.br/wp-content/languages/cAYciQWuiFGdqx/
- http://deepaktech.xyz/wp-admin/owv2o9utn5ybr2w021v42hr/
- http://doubscoton.fr/ghana-visa/FAPIgpcXAJZExV/
- http://eagleswingsbrasil.com.br/wp-content/cvftbl8h48wcvcxo8tqfi3i/
- http://fdni.ir/wp-admin/xcJOXZbVVOXkzXGywrHHPlDOcurfB/
- http://gotranslate.co/wp-admin/0qan9gc71sjc51hwn7/
- http://industrialautomation.vertscend.in/gbxhlu/RXXCNToKkSXunJagB/
- http://jeevandeepayurveda.com/wp-content/fjp09eio1v6fzk1uoc/
- http://kaihuai.xyz/wp-admin/b37vn6ao7zk7hw8/
- http://lalauwinoise.fr/wp-includes/OzmjVEceMTOYTwlEOevysMitLPPs/
- http://learnsleek.com/wp-content/ijUHATFHxEYqStdqqWYOzIgGMub/
- http://massivewebtech.com/sitemap/8ea4r1anrxfvdg4te/
- http://mododimarmi.co.uk/balloon_lib/5630dcudhqdpepof3hwh6nhwhq1qlkp222/
- http://mrig.ro/wp-includes/ufbvyk2mhgbmee6totfxv7vb6b93o/
- http://newregionalsmartschool.com/tgpm/kw2iifsv3rqdg4tb/
- http://nhuantienthanh.com/wp-admin/jdzl3tlek09vqu07oy4mlp6px7eqe/
- http://ntvlaw.vn/wp-admin/wjacatidryjun84ulq3d9dlt7cny/
- http://pandajj.jp/mobile/u7uo2wgjrrriurf2813wntl14t/
- http://pandasoftwares.com/wp-content/RQcjMMAXnOoYnCOiIOdFwhhRI/
- http://phukiennhabepgiare.com/asgypk/sklsdbzy202mcb/
- http://propase.de/bia/SdSLXJuUwuNru/
- http://raanjitshrestha.com.np/sitemaps/85zcxslcih6cva78kh7tclwt9okmb1o1josb9a/
- http://studology.com/zli/mpBanLFRPNom/
- http://thebloodhandmovie.com/4f1wvc8cql/aGVSsdeXvA/
- http://www.aventuras-picantes.com/wp-snapshots/FthxqcoxgzZWUqXGmYLgQJsIqlLQD/
- http://www.picogram.co.kr/fo/wp-content/6p50vmcpqc4rbmlx3axg7gbixvotx9v7h0/
- http://www.thebloodhandmovie.com/4f1wvc8cql/aGVSsdeXvA/
- https://6-milescoast.vn/wp-content/s7rfibr3s3jbyrl30/
- https://berryevent.es/test/aELPvIcOyjzNDQtIXgRlcJFg/
- https://doubscoton.fr/ghana-visa/FAPIgpcXAJZExV/
- https://eagleswingsbrasil.com.br/wp-content/cvftbl8h48wcvcxo8tqfi3i/
- https://gotranslate.co/wp-admin/0qan9gc71sjc51hwn7/
- https://iglogistics.in/sitemap/IWsGGmeNX/
- https://imtglobals.com/wp-includes/FaaMfPCN/
- https://infinite-help.org/blogs/uuw3a2dqi4y4e9lts/
- https://jeevandeepayurveda.com/wp-content/fjp09eio1v6fzk1uoc/
- https://kore.lk/wp-includes/EgvhkmnRVU/
- https://ksiazkitomojacodziennosc.pl/wp-includes/ktvTNpjKvNKIeFdg/
- https://merrylu.co.il/wp-includes/wvejvajn61tz9gui/
- https://mododimarmi.co.uk/balloon_lib/5630dcudhqdpepof3hwh6nhwhq1qlkp222/
- https://norbertwaszak.pl/tmp/NNzfYHoDAXOmfclUEtxocIEJoO/
- https://nucleitech.co/cgi-bin/hapllbfq4h2ow26z6pufhxtj/
- https://pandasoftwares.com/wp-content/RQcjMMAXnOoYnCOiIOdFwhhRI/
- https://primesoftwaresolutions.com/wp-admin/fyt6ycm7c8tz2oq3uzrazxuol30ifhe7/
- https://raanjitshrestha.com.np/sitemaps/85zcxslcih6cva78kh7tclwt9okmb1o1josb9a/
- https://sarkargar.com/blogs/vHuhpjaWEPVevmMUoLBfkeVyaS/
- https://sellkorbo.com/wp-includes/FywTzFQMebzaYU/
- https://waresky.com/wp-admin/tWrcMNyDzpAfwnqEGQDevraTE/
- https://wecanaccess.com/wp-includes/VtbByXZpxRiM/
- https://www.energie-service.fr/wp-includes/lzs1qc7ohyjh4fj7ns2oxgxrjmjr/
- https://www.paigeplacements.co.uk/wp-admin/fxZIEjGhIqiNFewKdta/
- https://www.talentscoutz.nl/exact_lib/aSUnhzOjlkARZUremYcWP/
- ```
- #### Epoch 3 Document/Downloader links ####
- ```
- <none>
- ```
- ### Payloads per Epoch by Document ###
- #### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
- ```
- Creation Time 2019:10:14 21:43:00 (Attachment Only - Doc based - Office 365 Light Blue)
- SHA256:
- 98e6e1fcfcdcd781dc6a6ee78308caebff2089564750ac7cdec363759f64069d
- 1aff9b8cd34eb9f94eb1d595f919826dd34484594b1347ed0df0fa4ee69ffded
- ea12af3ca9287acb75995ae2f3bd9f015208b73392e485129c7a73ec90cb0071
- 6562aec794ffea9ec4f8bddde4f20d67c20d04f73c3b8178a3a59a897d2cfb3c
- bc3af0beb53c90a6ae67319fa91676ab76a0b833149429c1c40b616610fa5c4b
- 115024d05c7208312469cb4bbae754d6e883c4ef6f1710a7ae3a2754f01335e5
- d69691f4567bd9f036fe6331e8e8823ad4914988c7df0fdc459d7236d0972548
- 6dcbaf2188565661608649c6ae0e0a5b274add5bd0c1ac2a7fafb3c9d286823f
- ef722fab41d2e7a9a3a9fb19840cfd21d4f995573852e12bc60102e0d0f8cf0b
- f71129f0c7868ac0ce98560b0ae66c2c7fc749aab2614babe5f1d854f89b10b3
- 06f1f3ab993e994fe2b14126c50f009854081f55e52e26d5f0e2a325c5c5280f
- c559ce796c179fc7eb3bd1b158ae13a49977fc5ba41f3b01fe9f0e74e3cd2816
- http://rastreon.com/wp-admin/901/
- http://www.offmaxindia.com/wp-includes/smu471/
- http://ahenkhaircenter.com/blogs/k8iuno285918/
- http://bluem-man.com/wp-content/uploads/2019/10/btrua567818/
- https://agusbatik.xyz/wp-includes/5e6252/
- Creation Time 2019:10:14 14:00:00 (Attachment Only - Doc based - Activation Wizard)
- SHA256:
- 01229fde004126ba6df17483f9b09d931d2cb8176d1e7ea93429060ad1acd953
- 821bbf19e0ecadb7bfca5653af68b7621f36056ffeab88439f3f8ded3d4d9e78
- 6344da18eb94a826503a8fdc8484c6e3d090d64e9b45af94dfb0815cbdf78832
- fef332a512d0c08388093254e894647cc0467180ccfed2f62d48935141203fb3
- e05140800d32b3a3bb25e4cb9965233eedbc26f3f7b245388e0ba3ff000a684e
- 9ae7f9cee0f7fe878d1202d43474a2c4b743e885d0cb6bb69fc3ae866c29d51a
- 833f5ead05a94b8b5a5caf92c435c84c9915353a7e66e82924c4684172cf6c55
- a4affe707d20a6ae831e018abf97987cf6cb17b032e137d548344265f7d61e20
- d1b64bb432f11c7fb3381db7b69f3e5ef807263fc50c26a5ddf51199b032881e
- 0dcc8eb548067469f061ed2c8530f0c1700b7269e00a10717f4b32ec07f23751
- 70740940b8e5ab3572f1e383c3d9471896da25889b8a411a751d7d7e6178b9bd
- 1c5e88478951954d44d7267b187e20097935571960244751f175dc59e51eabdd
- c03a2eca9f700c25e42a378b4858ea9e7f588265330f54499a5e858a6d2b3601
- b7ea6f2300ac885f1f5eb15ee6f6d483d836c6a0cb27c7d9e1424847022004aa
- 279f05b4d38cffa688fe7126a2852e01b5c39b9a992eed4c1f81ec3c22fc07c1
- 178c41b40d0ecfa10d5a5441b4a1ed1c440b6ba64f9042afb5b0c073cdcab8ec
- 066141f452bc59cbad7e80ca2de0d905f407a922c94aa22bc85e21977a394ae0
- 0424b0d25db89ef0323da9a4bbaeab6889efd33390e64f4fb4176653fae49ed3
- http://andrewsiceloff.com/wp-admin/cj2d0009/
- http://beansmedia.com/zeus16/wp-includes/tubaw5y35/
- http://abhidhammasociety.com/wp-snapshots/ih3vzdc9/
- http://pcf08.com/wp-content/02447/
- http://acquiring-talent.com/dpaj/05gd575/
- Creation Time 2019:10:14 06:26:00 (Attachment Only - Doc based - Office 365 Light Blue)
- SHA256:
- e0aad4bfa80b2319ccc82e57255980fcdf1b2ec97f226e164bece5c89292ac98
- 22658d77fd5039916ac02479db779439c25e0b522606521493bcb7bf05156efc
- 07a87371066aab8a4bbfe91b8902a7e7f105d6ac12e06bbec1c2166797257f02
- 2440413f7987ab520445c2e8c9ee31e727f032ad23d9e0af148727ccc226b492
- 4af96f2f51c9c90f3aba74d15ac64f03f128e63c21b167902ab123cf0470d396
- b22b335375bb18a4a410841873cb9dc67b7576ef6f36ce5401c3195d2a319606
- bb441f7bd6348033492fcecfb8134b1f083c9ce231c2b8e08fd66e15a3cac3c2
- c03f88ae1e5da27428ba3ea3be82fc837f901c0cdc7a795c2f9399802d773cc1
- e1b1419fa89dc0ac9f63ff134e8c3942399a0d9061ae68ba7e8fef7ac1620769
- f7434e1b582f41f5bf7ab94526165ca3fb75a28e9027858e89307130129d5cb4
- 51ed11c8c22dd61a87c19f4e18c926faf61f169083bd07b451370a59f25cca5e
- 7d0631daed8c62fa643d21a6fa7966829bbeae4fa24d8311f6745d20dddb87aa
- e4b94f3779381664253d1f0b536da20ea9b8c2c3d2f29c066b7c830ff9fbcd39
- 13ee328a94a3dccc2ebc3418fedf2feaba59dd58c5543ae3d35f7f5495e4852d
- 91c8914a73f4f9822a7764b63bb8aa4791534c8bbf24581dae431c75871a1887
- 74da0d14b6272caadda205ca00d01fc8b9c27f12a9ef296c38a848326e700eec
- 8a29a5e93475cbd533260056742186aacbff486a9ec602efe43225a3bef0bbb9
- 91b7731d0baea45c46e04d0ae90e40911c484a6833b71af1cabcf7dabebfccd9
- a19bd9ffd0774cfc6961c9bc12a7927f83880712a888d8c8f14166cacecb699a
- 5b6cd9d142d1490cfe1cbdb69b6ced76328762769a5dafcbc419486db3d2ef28
- fcf52143a611e85d6f76ac31d3574ebf4b0b9e6a65593cbf7bc3e6b273add324
- aacaffd95b11bc2adfa5c9ca23deadf0389369e8c0619ce251776f3aee38e249
- 750b8560c0ed92477d795d9765a816c4530b2facf801d9b270edecdcb5248ab0
- 7094ace73d2f97f7ddca29ffe4c64a2771d28dfcdedbaa3a6320afc86f80603a
- 278cd91b9d1b2631d22436891a8ddde52d0baf6f925a22e6f31e29697e9115fb
- cd094fc2717295f64cbe858dcaf1be806258d9ae24fc38b21bf51b656c8136f7
- 5d78217b0e599e1d53787f7ce8ac2fd639b0218819ef22e6a1f9fb66acb52974
- 8f07a60385a56e9fd6b1eae0da32a77b689a19ca167b481e0bd7af45dcade9d3
- 033d959d2b20ca148c5c2d492783092ee6ce9ba886a996b4ccfe7c8fb1e9c5c4
- http://coastaltherapy.com/wp-includes/chz0u9347/
- http://brandsofzambia.com/wp-includes/0qssg3841/
- https://buseacycle.com/cgi-bin/gk056/
- http://www.bokslink.com/wp-includes/pk97096/
- https://www.hollywoodclub.xyz/wp-includes/ua67v3288/
- ```
- #### SHA256s for Epoch 1 Payload EXEs ####
- ```
- 03150e8e65c02b6b7d8475ebf3c8f4bb79290fa56422a87614d236033ee2b48b
- bf1b7b86355d25582395bfcf29fbeee255735f1414295f2e762622a77992cfce
- 7101298b8c908a3df85eb5e911abd19df2577b0205e82d18a62cb159950420bb
- 90a311f70635ee979eb4d453d7433c25b00631e88e678fc0b25511531452423a
- 4b28154f980d8fec3b4a0367c107f3966f9358bd27ca20385d3e1422a61bcf67
- eba85bb06013b34ddcd137039de98f8839a16e7173cd530601fec1420b1c6f2b
- 7241c208a1068273eca2d48b01329dd24c028069ee6ba9a0682f340502fdac1b
- 19ba380dc6cd0bd5138b58bdcf436094783bb552450acf00f3e622c8abd3c037
- 803a45ac7528778b79aa8eb3121df53ace507a11ec237fc11789bc86b20e58e8
- 186124390f7320e38060af72b6370e20a6d8407b64f392c34d8e5708d06342e2
- 00dce1e20b8469aecc0938f2ddec66b813c12dedb50b0b67c3e6a3032c3ca0b0
- 2a274443136d602107f0572bd62ef67d0b056a7fd007d880e0a4f8277d94dd46
- ```
- #### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
- ```
- Creation Time 2019:10:14 22:53:00 (Attachment Only - Doc based - Activation Wizard)
- SHA256:
- 53620e1b75287e983e410de49de97d665037b3684d84ce040d4ba8a6481b8f58
- 36fb67228a8d4b9aa6722d8a8f935a6b98787dc11f436048ec67a9be5b5cbde2
- 9430e0cd15e3ddfe6566b33b0c52570affed58d1b859dfedcd39d3a76d5d168d
- b3d0e41cee035547d96aef38a7238087911795634a2183e561e76d1c1924db8e
- 1b9cec27e9674373d03393625901fe65ba9fff893327729d2b8a3e6198e2bac9
- 4c90b077a74cc32600d1979f423d132780919fe912341b0e8f7849eb8efcb96b
- 25f5c4b163d0c957f4d1a29c7067c5b3af65d849ac9941d482b21f8e0663ae56
- http://stn.methodist.org.hk/wp-includes/T8jR1an1/
- https://collectables.nojosh.com.au/wp-content/U/
- https://elemanbank.com/test/7/
- http://ndcgc.org/compview/CO7k5c/
- https://myboho.store/generalo/U3DnzUY/
- Creation Time 2019-10-14 21:55:00 (Attachment Only - Doc based - Activation Wizard)
- SHA256:
- 65465e0a3fe7e6e272964075299237890df38d972ce142681c8b8750e3f0c416
- 4dfaf2ee35f6a30e2336ba472d6bef789180ee3b2a334130a45341022e65d3e0
- https://voiceacademyusa.com/85rs/cfEfsshfH9/
- https://topinarabic.com/oht0878/bz/
- https://bestbusinesssoftware.net/img/8Xz/
- http://armmonya.com/landingpagemayo/5mth/
- http://www.southtrustlaw.com/wp-content/n0wghBtL/
- Creation Time 2019:10:14 14:06:00 (Attachment Only - Doc based - Activation Wizard)
- SHA256:
- e293ac4fd9ae3f24c026134f7e8916b8cd5dbd60052f9fc142b99fc26dff4a34
- 6806781932608a121e4ecbc70bdb5d52b6e7cf3a8ea7d04a6054564412a1507b
- 63e1801ee2c4b9fd49980188f100d78efb85c360a5772a4eeafce7eee56c3d9c
- 8027f994b15a87a2979b7bc3d2859fe870f4e48390f4111a8cb2a5bdec3ade87
- e2573050b86260f2cb314e404d4707a0e1c4a55ca6744be8ea208a4bd506b772
- fe03ad92a84a4921f451efe03720355bc824ff6ae8adef6db61df37d8f55fc02
- b9eace5099f9b21ed788af60fd9c3b3cf9509a3399b9b3544dad335a6db19f42
- 47743ded84b237578256ff3b47733a5f21a16e6e5e01a3343cfaef68d886012b
- e856662ba9743307b0729746e88844935cacc1f126cbd2709c5f10916676ebd5
- 3a1de6759fc0039067506c5ab0ebd5ad36c0173697eb7471a92ea7f86dc79cd3
- 2145862aba3d8cc8826acd44d477a75272b352ec7dbcdd8d9c97384a7859aff6
- 67f4da0d309df5ca4c0c471d66467216c8340344d46e6cb8e89f69b52f420da7
- 6c99037935694767f5e9184f14b22c663d21fe7ca5d285831443e03481aea304
- 6b325be6419e72c49b00c5ba558a209c71c6ff7d4eccadc3aeb2bbab0a8278f2
- 64b77f1692bb7c3b025efe878f74c2ad7b9f26122b5f6337ea9977dd14b17345
- 9b5efc2d114906c3a4aa5216a643f746e7567bfe68e0189c2c392825f2037245
- 30f719049a3c0ffa36ce6f8d3c16b59b45cc6b0d8819a7cff3c3f800e826477c
- 8edb637175120d1ea84fb7c7485289e37fa637b81f17842bfad637d01acc21df
- https://filegst.com/wp-admin/Kl/
- https://www.merceko.com/wp-content/1ek7/
- https://kampusmania.com/wp-content/4f2c8/
- https://vps333.com/07h31/1gjy9/
- http://nuttlefiberart.com/wp-admin/eIDCaO/
- Creation Time 2019:10:14 08:04:00 (Attachment Only - Doc based - Activation Wizard)
- SHA256:
- aaacb4245b5148a8aebac72aca353c26f6416244245f1133fc970eead5a09263
- 743cbe14b1ce2c36a33f6047b578814d0971914d4ea19528ccaa9f6587512041
- 98d55bf21166e777fd12058e82b8a8533516e0393bc76c8b7a5c3543b435d88e
- 9e1d7cd63b0edcb4b3c4b1c86ecf477245ba82b4291bf26484fe2dd6cd9d12a1
- beb93578e6fdbd88ee83913aab8d262d52171d49bb33e1595a675792bf14f7df
- b3a4b4a64add212bd94c23dec191bfb2f0d9f03bea4e30784a4b3a7418a75d15
- 47768d7b832e4b1a88f974b7feb09b8064ac6bc6b518ecf0a8a46170e9c9089b
- 9b10e585c2cd4b8437f2bb9f585d183ddfa0cf97eb52260a69d8ef470c6468c9
- 51d5ff4595dd43f58bfd451d1cebe4c70d839c5b378f5624cf8d6107fcd3138f
- 5313c089b467c74d15a3e25f3276e4bb54646e714b74b47346f95b3dfb05028d
- 47b62e5bf50472c44ecd7c55259fa5624b3919cd5b7df7ba141d4138de3697fd
- d4e4f73d81aee3a5fd62fa44adc8507c75702f34ba1765f37640b8f008ee83d4
- 88d5157106592f38933c47902588fd3291efd1fdd677cbd859991463f9231f90
- 62a736710fdeb5a0d6fe03346fc9e71fd9254c3f3e9c1ba3c5f07b43a39abdc9
- b874c8afd60d9e34fc10d5b2e99a1e4fc96fd7827e24c7479e9127a88ad30444
- http://deredia.com/cgi-bin/SSAnMNgWb8/
- http://chuaviemxoangyduc.com/q5jh8d/P/
- http://www.bompas.fr.mialias.net/wp/o/
- http://www.geoexpert.gr/wp-includes/k6m/
- http://rsudsuka.demakkab.go.id/error/av33/
- Creation Time 2019:10:14 05:52:00 (URLs - Doc based - Activation Wizard)
- SHA256:
- ece6cafc7d33ff5c5e1088557d6910bf1ca80076c9c7380f677179ae4c87fe91
- c73a32d51b8ff9bef3b5efbccef5c3299ef574c2792788579e3f6f489d197c85
- a2b091adb5da4474fce9323b1c130b1292bb2a5b19c8c599f6f29ee74f928e21
- ae3bbc6f6fca6185867937591db90f11e3a9c7e75842def8c0804f521057ddc4
- 7cfb222a4e97e5ec87f4d2c6d0a8913ed3ccae3a3861507c98e78269b724875c
- 90db1a86fc31835ddde90b668303a4ee1ac0235e0c118a0df7566c67bec85e8c
- 40bbb3fe88e19da7f1bb228cdac548be3e7cae38cbfdd4854a0c0f2a94de7a3c
- f2202d9be7f00d20a9d710d138c691924aa965e87c2760b6ce5b691edb47a0f5
- d71b3132e0f94efd3c496494f4d4d52a9617a5e2fe065c696a2df578b67efed7
- 1ed97850eda185c45b83ae3c95913540e6ce99843f08330ee53528022b489cbb
- 479b2d71bbc158ca3b6a4483234f031c63607d0a82bf47b6a9fda4ee09af8590
- 287851d55cc6e6edbc6699ddc667e03264012594d0cd8aa493b14f7f812ad353
- df97775b296bfb453612a0168eba8045f2e50f1a7f7ef2215d6c9351b5e988fa
- 92456f1a9db8890926fcd83f58c9f172ea97b0a01156d1e9a5899b6793ed71b2
- 48986c0d387f6ddfc7be16cf868ca579dd63640bb6181a93fae20f4ef0ccbcc0
- 42c71c3ca07f4957ffc521984c302d544ed3b977b67eecda2de6906229f55070
- c57c38061c7d2db913a18e151c2065fccb09250b6498f1e026bb0b4e0ce89315
- http://tendenciasv.com/wp-admin/1d972a/
- http://www.correlation.ca/fonts/FSKrYOc/
- http://www.moneyhairparty.com/class.local/parts_service/s4y0/
- http://www.divinedollzco.com/wp-content/upgrade/kcbg/
- http://dncvietnam.com/wp-includes/4bv4z7u/
- ```
- #### SHA256s for Epoch 2 Payload EXEs ####
- ```
- 18235ac8c4482d9c0ca96be91ed18cbc601fa793f03d1820d8ffe492d6ff42ec
- f80d1675a57f1bd13e2a39ea36614457cf67ba0dcd855f5eff60984f56db0c12
- a33353b8af41a2c8c526cf73db3a091e48056c4b5e4e0c1ec13f416bde627754
- 7bdd1409b080eb8510163cea3761d694be0eaec7e22bc44736cbfbc3025a310b
- 4a1d45b5fbe5029805fcd500f8c2f8ee68b04a2b376b5a2e92d665fb6abe421c
- 141bf6620706cf5c4ee1ceeed26f238399fb1a9e2e9276bdf163f8d4792f0f1f
- 078f898a197b903c5825119f4d6f47f12552a93f471d1ca9a203f9b313e8da04
- 6231c216cefa2b2a468ed366dc3c79dc6f0be1d28f2811f8a3ee7627e071b4a1
- a4532a333319600efa847ac6b63b58e855838df70063ceeb58d605f81d223922
- ```
- #### Epoch 3 Payloads by Document SHA256 - All Times UTC ####
- ```
- Creation Time 2019-10-14 21:18:00 (Attachment Only - Doc based - Protected View)
- SHA256:
- b736c4a412b303fd853a53f42b6e79efb4980b126731f1570f9c604bc7c8a76f
- efcb946a760e6a3d26b520206a6fb4e78f1be826525eedea234fa15564ac4eb4
- d4687b8be48f9149f0b47b86bf7a04b5bb3c3c537fe0f80bb719d2db8f27b618
- https://bulby.pl/wp-includes/qBzhlPwzp/
- https://radiokameleon.ba/wp-includes/cvsky29-prh8p1-157/
- http://cc14927-wordpress.tw1.ru/sitemap/p3oyypjxz-0a64sp-1997516/
- http://smilesanitations.com/calendar/ZmLeHr/
- http://greenseeblickhotel.com/wp-admin/ZuvFbm/
- Creation Time 2019-10-14 19:00:00 (Attachment Only - Doc based - Product Notice)
- SHA256:
- a0a3c98ab38bfa6e739ec9a7aea6e80c85df17e2185d4ab5656aea0b04ee56c4
- 5fd76eadfce3d67e09ae1d239565a7122398ce62d9f1eec700683b9b491594d8
- d941f0ef8f88684073db4c7c42d70e07b8cfcfbce4c6cb44dccf8d5770aba8c1
- f5115574fb3307957692fd9fa1c519b553f48e23a444b119b7316b6aa596903c
- http://tour.nicestore.co.kr/wp-content/kCEtESh/
- http://4carisma.com/emailblasttest/uOrzSi/
- https://staging.smsmagica.com/wp-content/fbzkgca-ax2qpb-051/
- http://www.alphadomus.co.nz/widgets/kv8sd5y/CVghpHSg/
- https://imm2h.my/cgi-bin/AwkVtxRys/
- Creation Time 2019:10:14 14:12:00 (Attachment Only - Doc based - Activation Wizard)
- SHA256:
- 1dee09b40f84fedce8227e251073f269971a16e39e75af46c3658f0802c828f3
- 02637a928a1357211f2aa024dea577c20facd413ab3fc38d63aff28a244f8942
- 9c737f17d9ac55e290f8c6166fec9ddd812eef3ff9e846fbaf9205dd93ff5570
- 4911743db8475a1f84e3433b32947f561bc6d9aa877357f753081e8b4adfd617
- 743839dc9bd260d177aa80127c1004b26b979c809ce86abf6fa40f2d41f6354c
- e8c7bb58ef823d08eb194fb1fedb0bfb208a2243f964187b2fd4605cdd473f9b
- 3b2fe8d9f982bb6ebb3daf8a0ee1025c70e739d2c81ee8c7166387ed5e495574
- 29a608717722de33cd8c30dbe63a278d9ddbee3a7d3d4683f66df5b469a45137
- e264ae6197e494f76996920dd014893569ce52b0c59b33c5b05ebe7ee56bb0aa
- https://shreeumiyagroup.com/cgi-bin/ib5et-43gf-415252037/
- https://electrokav.com/wp-content/JKJEKOXEZ/
- http://amitnawani.com/wp-content/xMGvEIgX/
- https://janekvaltin.com/ubpos/x4at35ypd3-ylzvfos-017391080/
- https://duperadz.com/wp-includes/YzdCIlU/
- Creation Time 2019:10:14 06:34:00 (Attachment Only - Doc based - Activation Wizard)
- SHA256:
- 0fd6a365a2d09c09849e41d21fc1cc9f6772fecb3e84d18ebe4bc27f4c17c4b9
- e3456221e5332e6179fccb616e43aae746a7754f8b2648722c6650cb0cf51e44
- a42446ed70bd4f68d6b40e0778dc63abf2c5a0990d16320c455e0663c0edf58d
- daf97cac595f41a4b47302c6fa18fd67ccecb5cb7bae4038f888e75600116353
- 32f63e43025bec0ab84d29606245f390e5540cfce5f7f419c07aea437143ec4b
- b87b20f4d500add0436edac27734ce0c609d10379beda7ffb02f705ab8ee13c2
- 2b749588aa3523e9644d17fe2bf784136c663d893186acb91cba6db46f76077f
- dc09e23329319098cdc638d024b525e1607a120794b0056ca55aefcd09498c96
- d950ccbe9ff2214b1d3c97b5f349a6aa1a0edb5223a5fb9a785ec95f0b505f44
- d39a6a1d0951def6197cfe68fefec82c9cb08e7cc0c24b8b30fd132c4e62c830
- 418ddce03eae7264ec5dbb8288fd6dcae6e0f655f30ad96147df6920d2d0337e
- bdeb9cfdc8fa093d0801cfd7dc03b3de8133c502e9c93e83917c7a4e79db10fb
- 39713c39c938ba2f28025c5e1d02826985e3967edf79cd8ca1bd989c816bd744
- 4f31de253eae084511f793b019fe32cea798953adf38e73c00de8ebcba78b113
- 609c04e060ff983b5ac38b03f2931629fa2af411a284503966fae46980dd31fd
- 6088fef0ba3079e5fe8a1fbb8f266de203a4ca065fc1ca3868536ccc37d69e4f
- 449c00a2fee32d17f30e14d0138f2b5e3cb7d269c0f5f200875ef7d6ab65e893
- bdefb45ba3f52e28044c332452111de6238fdf5bacfd02850a49b0b8cb1885c6
- 69fc66a5d03a564ad445bf91235d9134a1b9f61544f9373b2839af65dcb4d659
- 79c1ce11d724cde41d6003f7a70e296e781249d95ab34949b77d72f25eed0612
- 89fc4f5028d780923b7d20846ea8bff55c93bb68dccf1cc8b1f7cd87eec0726f
- bc332d26f3170ad635237b6c65cda8de6315f77ef68d32547267104d6d958ba6
- a9ab016ccaf853bde09b7ef4af37fdfe991d55924bb7762ac587e0789f2f586e
- 6b6ae5fa4e8db2885801ae4ba3c9e5f3af88f8bb8252e2c70fc8cb9caca59628
- 0aedb6ed1158d94c065e72b403d86d09fc4e701f86e6f25f599735241ee691a4
- http://sgnr.in/dietitiansakshi/a4deno3w-7ke7y2-706370412/
- http://pedrootavio.top/cgi-bin/9iale-ca6dtr6gk-56151762/
- https://j-cta.org/wp-admin/LgboYIm/
- https://thehomebenefitprogram.com/wp-includes/HrciCN/
- https://adanzyeyapi.com/wp-includes/4v0p-t1e6s6m6-098/
- Creation Time 2019:10:11 18:58:00 (Attachment Only - Doc based - Activation Wizard)
- SHA256:
- 8ad4219d6ad69b1f42d1be3af394cba0fd2f824c1a99e9e19ff19afb4fc1fbb6
- https://sabal.com/wp-admin/fQZAoTt/
- http://www.spectradubai.com/cgi-bin/SPYhlL/
- http://tendenciasv.com/wp-admin/tbj3o8-lrayg3nw48-6757766/
- http://institutobiodelta.com.br/wp-content/kg34rqzas-1esvd9avn-4822/
- http://echoxc.com/wp-content/dZPTRTmS/
- ```
- #### SHA256s for Epoch 3 Payload EXEs ####
- ```
- bd16d173440debec2eb2c8a056584edf4a7a32d2a42bf73b8e4a59f364ec6710
- 3eecb70a724f130e93f0d9e64b374864c4fadd76ba4b2977ad6dead44a6d2f53
- d26610e4560edbdcba6d4c93f9e9ded03103c036033838ef09c11daea9e305ca
- 10b43555bdddeba125afd25463be6ae1d30fd6b822f2cebc09fddd894f501744
- 48bcd0ae01752f80eb96c86850c837b19e68bfc72ac316a7c3378e2320f39022
- 507f386cda99a321f7c5c3b88e91532e154fc98d177904086710bdd73810c2c7
- ```
- ### C2s Per Epoch ###
- #### Epoch 1 C2s ####
- ```
- 109.104.79.48:8080
- 109.169.86.13:8080
- 110.36.234.146:80
- 114.79.134.129:443
- 119.159.150.176:443
- 119.59.124.163:8080
- 119.92.51.40:8080
- 123.168.4.66:22
- 125.99.61.162:7080
- 138.68.106.4:7080
- 139.5.237.27:443
- 142.93.82.57:8080
- 149.62.173.247:8080
- 151.80.142.33:80
- 159.203.204.126:8080
- 170.84.133.72:7080
- 170.84.133.72:8443
- 178.249.187.151:8080
- 178.79.163.131:8080
- 181.143.101.18:8080
- 181.188.149.134:80
- 181.29.101.13:8080
- 181.36.42.205:443
- 181.44.166.242:80
- 183.82.97.25:80
- 184.69.214.94:20
- 185.187.198.10:8080
- 185.86.148.222:8080
- 186.0.95.172:80
- 186.1.41.111:443
- 187.188.166.192:80
- 189.160.49.234:8443
- 189.166.68.89:443
- 189.180.243.255:8080
- 190.1.37.125:443
- 190.10.194.42:8080
- 190.104.253.234:990
- 190.158.19.141:80
- 190.221.50.210:8080
- 190.230.60.129:80
- 190.230.60.129:8080
- 190.38.14.52:80
- 190.85.152.186:8080
- 190.97.30.167:990
- 191.82.16.60:80
- 200.51.94.251:143
- 200.57.102.71:8443
- 200.58.171.51:80
- 201.163.74.202:443
- 201.199.93.30:443
- 203.25.159.3:8080
- 212.71.237.140:8080
- 216.98.148.181:8080
- 217.199.160.224:8080
- 46.101.212.195:8080
- 46.163.144.228:80
- 46.28.111.142:7080
- 46.29.183.211:8080
- 46.41.151.103:8080
- 5.1.86.195:8080
- 5.196.35.138:7080
- 5.77.13.70:80
- 50.28.51.143:8080
- 51.15.8.192:8080
- 62.75.143.100:7080
- 62.75.160.178:8080
- 68.183.170.114:8080
- 68.183.190.199:8080
- 71.244.60.230:7080
- 71.244.60.231:7080
- 76.69.29.42:80
- 77.245.101.134:8080
- 77.55.211.77:8080
- 79.129.0.173:8080
- 79.143.182.254:8080
- 80.85.87.122:8080
- 81.169.140.14:443
- 82.196.15.205:8080
- 86.42.166.147:80
- 87.106.77.40:7080
- 88.250.223.190:8080
- 89.188.124.145:443
- 91.205.215.57:7080
- 91.83.93.105:8080
- 91.83.93.124:7080
- 94.183.71.206:7080
- ```
- #### Epoch 1 - Spam C2s ####
- ```
- 37.187.5.82:8080
- 45.55.82.2:8080
- 185.94.252.27:8080
- ```
- #### Epoch 1 - Stealer C2s ####
- ```
- 75.127.72.18:8080
- 190.115.18.139:8080
- 66.228.32.31:443
- ```
- #### Current Epoch 1 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
- KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
- h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB
- ```
- #### Epoch 2 C2s ####
- ```
- 101.187.237.217:20
- 104.131.11.150:8080
- 104.131.44.150:8080
- 104.236.246.93:8080
- 115.78.95.230:443
- 124.240.198.66:80
- 133.167.80.63:7080
- 136.243.177.26:8080
- 138.201.140.110:8080
- 144.139.247.220:80
- 149.202.153.252:8080
- 152.89.236.214:8080
- 159.65.25.128:8080
- 167.71.10.37:8080
- 169.239.182.217:8080
- 173.212.203.26:8080
- 178.79.161.166:443
- 181.143.194.138:443
- 181.143.53.227:21
- 181.31.213.158:8080
- 182.176.106.43:995
- 182.176.132.213:8090
- 182.76.6.2:8080
- 185.187.198.15:80
- 185.94.252.13:443
- 186.75.241.230:80
- 189.209.217.49:80
- 190.106.97.230:443
- 190.108.228.48:990
- 190.145.67.134:8090
- 190.18.146.70:80
- 190.211.207.11:443
- 190.226.44.20:21
- 190.228.72.244:53
- 190.53.135.159:21
- 192.254.173.31:8080
- 192.81.213.192:8080
- 198.199.114.69:8080
- 199.255.156.210:8080
- 200.71.148.138:8080
- 201.184.105.242:443
- 201.251.43.69:8080
- 206.189.98.125:8080
- 211.63.71.72:8080
- 212.71.234.16:8080
- 217.160.182.191:8080
- 222.214.218.192:8080
- 24.45.195.162:7080
- 24.45.195.162:8443
- 27.147.163.188:8080
- 27.4.80.183:443
- 31.12.67.62:7080
- 31.172.240.91:8080
- 37.157.194.134:443
- 41.220.119.246:80
- 45.33.49.124:443
- 46.105.131.87:80
- 47.41.213.2:22
- 5.196.74.210:8080
- 59.103.164.174:80
- 62.75.187.192:8080
- 67.225.229.55:8080
- 78.24.219.147:8080
- 80.11.163.139:21
- 80.11.163.139:443
- 85.104.59.244:20
- 85.106.1.166:50000
- 85.54.169.141:8080
- 86.98.25.30:53
- 87.106.136.232:8080
- 87.106.139.101:8080
- 87.230.19.21:8080
- 91.205.215.66:8080
- 92.222.216.44:8080
- 92.233.128.13:143
- 94.192.225.46:80
- 94.205.247.10:80
- 95.128.43.213:8080
- ```
- #### Epoch 2 - Spam C2s ####
- ```
- 23.253.207.142:8080
- 185.187.198.4:8080
- 46.228.205.245:4143
- ```
- #### Epoch 2 - Stealer C2s ####
- ```
- 173.214.174.107:443
- 104.131.58.132:8080
- 176.31.200.130:8080
- 46.105.131.69:443
- 24.45.195.162:7080
- 24.45.195.162:8443
- 80.11.163.139:443
- 94.192.225.46:80
- 209.141.41.136:8080
- 46.29.183.210:8080
- 198.58.112.7:443
- 185.42.221.78:443
- ```
- #### Current Epoch 2 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2
- PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C
- AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB
- ```
- #### Epoch 3 C2s ####
- ```
- 113.52.135.33:7080
- 138.197.140.163:8080
- 143.95.101.72:8080
- 144.76.62.10:8080
- 157.7.164.178:8081
- 173.249.157.58:8080
- 176.58.93.123:80
- 178.249.187.150:7080
- 181.113.229.139:990
- 181.47.235.26:993
- 186.10.16.244:53
- 190.117.206.153:443
- 190.13.146.47:443
- 192.241.220.183:8080
- 200.55.168.82:20
- 201.196.15.79:990
- 203.99.182.135:443
- 203.99.187.137:443
- 203.99.188.203:990
- 212.112.113.235:80
- 213.138.100.98:8080
- 216.70.88.55:8080
- 216.75.37.196:8080
- 5.189.148.98:8080
- 51.38.134.203:8080
- 70.32.94.58:8080
- 78.109.34.178:443
- 83.169.33.157:8080
- 91.109.5.28:8080
- 93.78.205.196:443
- 94.177.253.126:80
- 95.216.207.86:7080
- ```
- #### Epoch 3 - Spam C2s ####
- ```
- 192.241.241.221:443
- 185.187.198.5:8080
- 41.185.29.128:8080
- ```
- #### Epoch 3 - Stealer C2s ####
- ```
- 178.32.255.133:443
- 198.46.150.196:7080
- ```
- #### Current Epoch 3 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP
- 4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc
- iJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB
- ```
- #### Credits and Notes Section ####
- ```
- WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch
- because they rock and report everything to ISPs as it is confirmed to be malware. Additionally,
- this list MAY include doc DL URLs from previous days, see the previous days here to get the full picture:
- https://pastebin.com/u/jroosen
- NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
- I am providing them for your benefit in case you want to parse them to be sure.
- ```
- #### What is Epoch 1, Epoch 2 and Epoch 3? ####
- ```
- (09/17/19)
- With the discovery of Epoch 3, which split from Epoch 1, this section will be rewritten in time to reflect these changes.
- ```
- #### Community Lists/Samples ####
- ```
- https://pastebin.com/NBrrVSpT - @excutemalware
- https://otx.alienvault.com/pulse/5da4cfc209cc7632c784efcc - @SecSome
- https://twitter.com/reecdeep/status/1183685203363090432
- https://pastebin.com/2xSMEALG
- https://twitter.com/Paladin3161/status/1183584219903053825
- https://pastebin.com/CMvn0vkB
- https://twitter.com/Paladin3161/status/1183584028751843328
- https://pastebin.com/xcp7ZWhb
- https://twitter.com/Paladin3161/status/1183723826787389441
- https://pastebin.com/5SVWPPpb
- (sorry if we miss anybody, make sure to send it to @cryptolaemus1 in your tweet and we will try to include it!)
- ```
- #### Credits ####
- ```
- Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:
- Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161
- C2 info/RSA Keys - @CapeSandbox, @devnullnoop, @MalwareTechBlog, @lazyactivist192, @VK_Intel, @Paladin3161
- Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @TheHack3r4chan, @p5yb34m, @malware_traffic, @Paladin3161, @ps66uk, Anonymous :)
- Spam Templates - @devnullnoop, @lazyactivist192
- Special thanks to @lazyactivist192, @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
- helping out with this!
- Very special thanks to @Binary_Defense, @lazyactivist192, @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project
- https://github.com/decalage2/ViperMonkey, @digitalocean, @mploessel, @anyrun_app, @unixronin, @hurricanelabs, @MalwareTechBlog, @KryptosLogic,
- @0xtadavie, @MsftSecIntel, @abuse_ch/urlhaus.abuse.ch, @urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal for providing services/software
- at no charge to this cause!
- ```
- ### Daily Log 10/14/19 ###
- ```
- @ps66uk and @jroosen here:
- Getting out some bugs in our processes to get more streamlined. I wanted to take a second to thank everyone that helps us make this happen.
- Thank you for your time, your effort and even just answering a simple question here and there. All of the work of the community goes together
- to solve a bigger puzzle!
- It is late tonight and I will fill more in tomorrow. - @jroosen
- ```
- #### General News ####
- ```
- Marco Ramilli found what seems to be highly targeted malspam against a business that happened to use a remote SOC. We are not
- sure this was more than a reply chain spam that happened to get lucky (or use some intelligence for once) in selecting the right
- email to use to reply. We have reached out to the author for more info though to be sure our suspicions are correct.
- Original Article:
- https://securityaffairs.co/wordpress/92501/malware/emotet-gang-targetes-external-soc.html
- Herbie Zimmerman shared a handy way to get out the payload URLs from the latest series of docs here in his tweet:
- https://twitter.com/HerbieZimmerman/status/1183853997846941698
- Brad over @malware_traffic tweeted about a Trickbot gtag: mor21 followup to an initial Emotet E1 Infection here:
- https://twitter.com/malware_traffic/status/1183773041177743360
- ```
- #### Drops Report ####
- ```
- D00RT was once again reporting on what was dropping where:
- emotet/trickbot - JP
- https://twitter.com/D00RT_RM/status/1183663002698027008
- Brad over @malware_traffic tweeted about a Trickbot gtag: mor21 followup to an initial Emotet E1 Infection here:
- https://twitter.com/malware_traffic/status/1183773041177743360
- We also observed Trickbot gtag: mor21 dropping all over the globe today.
- ```
- #### Email Template Report ####
- ```
- We are still seeing strong spamming globally in various languages. Reply chains and generic malspam. I am continuing to
- see a steady increase in attachment malspam as the botnets build in strength.
- I do not know what to make of the reasonably random distribution of templates. I am not sure why things vary like they do during the
- day, but this chart that @ps66uk put together is interesting for watching how things fall into place:
- E1 ModifyDate: 2019:10:14 06:26:00 CreateDate: 2019:10:14 06:26:00 coastaltherapy.com office 365 lt blue
- E2 ModifyDate: 2019:10:14 05:52:00 CreateDate: 2019:10:14 05:52:00 tendenciasv.com wizard
- E3 ModifyDate: 2019:10:14 06:34:00 CreateDate: 2019:10:14 06:34:00 sgnr.in wizard
- E1
- E2 ModifyDate: 2019:10:14 08:04:00 CreateDate: 2019:10:14 08:04:00 deredia.com wizard
- E3
- E1 ModifyDate: 2019:10:14 14:00:00 CreateDate: 2019:10:14 14:00:00 andrewsiceloff.com wizard
- E2 ModifyDate: 2019:10:14 14:06:00 CreateDate: 2019:10:14 14:06:00 filegst.com wizard
- E3 ModifyDate: 2019:10:14 14:12:00 CreateDate: 2019:10:14 14:12:00 shreeumiyagroup.com wizard
- E1 ModifyDate: 2019:10:14 21:43:00 CreateDate: 2019:10:14 21:43:00 rastreon.com office 365 lt blue
- E2 ModifyDate: 2019:10:14 21:55:00 CreateDate: 2019:10:14 21:55:00 voiceacademyusa.com wizard
- E3 ModifyDate: 2019:10:14 19:00:00 CreateDate: 2019:10:14 19:00:00 tour.nicestore.co.kr product notice
- E1
- E2 ModifyDate: 2019:10:14 22:53:00 CreateDate: 2019:10:14 22:53:00 stn.methodist.org.hk wizard
- E3 ModifyDate: 2019:10:14 21:18:00 CreateDate: 2019:10:14 21:18:00 bulby.pl activation
- ```
- #### Link Regex Report ####
- ```
- (These are experimental, use at your own risk.)
- Looks like only E2 is doing links now and it seems to be some of the old Regex. Here is what works lately:
- These were updated:
- https?:\/\/.+?\/(administrator|academy|alphabet|App_Data|assets|backup|beta|blogs|cache|cgi-bin|checkformats|cfm|consultation|core|css|DANE|Dane|demo|discuss_lib|direc|Document|DOC|Dok|DOK|esp|FILE|function.cheese|gallery|GoogleSpeech|hino|homepage|images|INC|Inf|INF|js|lib|LLC|lm|menusa|paclm|Pages|parts_service|phpmyadmin|Plik|popup_index|public|Scan|sites|sitemap|sox62c|SOUBORY|test|trademark|themes|tmp|uploads|wc-logs|webalizer|wordpress|WP2|wp-admin|wp-content|wp-Enfold|wp-includes)\/([A-Za-z0-9|]{7,36})\/(\"|\n)
- https?:\/\/.+?\/([0-9a-z\-_]{3,11})\/([A-Z0-9\/]{7,32})?([A-Za-z]{7,32})\/(\"|\n)
- These were not:
- https?:\/\/.+?\/([A-Za-z0-9]{8,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
- https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{4,30})\/
- Also keep in mind, your filter needs to look inside PDF files to find the URI to test against these above. Otherwise
- this does not help.
- ```
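The four expressions from the Link Regex Report, run over constructed sample text, as an added example (this is not code from the Cryptolaemus page). The regexes are copied verbatim from the report; the pattern labels, the `extract_doc_links` function and the sample lines are my own, and the three flagged URLs are taken from the Epoch 2 document/downloader list above. It shows which of the "updated" patterns fires on which URL shape, and that ordinary WordPress asset paths are not flagged.

```python
import re

# The four expressions from the Cryptolaemus "Link Regex Report", copied verbatim.
# Labels are mine; the report only groups them as "updated" and "not updated".
DOC_LINK_PATTERNS = [
    ("updated-1", re.compile(r'https?:\/\/.+?\/(administrator|academy|alphabet|App_Data|assets|backup|beta|blogs|cache|cgi-bin|checkformats|cfm|consultation|core|css|DANE|Dane|demo|discuss_lib|direc|Document|DOC|Dok|DOK|esp|FILE|function.cheese|gallery|GoogleSpeech|hino|homepage|images|INC|Inf|INF|js|lib|LLC|lm|menusa|paclm|Pages|parts_service|phpmyadmin|Plik|popup_index|public|Scan|sites|sitemap|sox62c|SOUBORY|test|trademark|themes|tmp|uploads|wc-logs|webalizer|wordpress|WP2|wp-admin|wp-content|wp-Enfold|wp-includes)\/([A-Za-z0-9|]{7,36})\/(\"|\n)')),
    ("updated-2", re.compile(r'https?:\/\/.+?\/([0-9a-z\-_]{3,11})\/([A-Z0-9\/]{7,32})?([A-Za-z]{7,32})\/(\"|\n)')),
    ("old-3", re.compile(r'https?:\/\/.+?\/([A-Za-z0-9]{8,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/')),
    ("old-4", re.compile(r'https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{4,30})\/')),
]


def extract_doc_links(text):
    """Scan extracted text and return {url: [labels of the patterns that matched]}.

    The two "updated" patterns anchor on a quote or a newline after the trailing
    slash, so the caller must hand over the text with its line breaks (or the
    quotes around a URI, e.g. one pulled out of a PDF) left intact.
    """
    hits = {}  # insertion-ordered, so results come out in pattern order
    for label, pattern in DOC_LINK_PATTERNS:
        for m in pattern.finditer(text):
            url = m.group(0).rstrip('"\n')   # drop the quote/newline anchor
            hits.setdefault(url, []).append(label)
    return hits


# Constructed sample (not a real capture): three downloader URLs taken from the
# Epoch 2 list above, plus two benign URLs that must not be flagged.
SAMPLE_TEXT = (
    "http://alplastkuchnie.pl/wp-admin/qAwZmwwdEVNlKHZaHKYRdof/\n"
    "https://berryevent.es/test/aELPvIcOyjzNDQtIXgRlcJFg/\n"
    "http://studology.com/zli/mpBanLFRPNom/\n"
    "https://example.com/wp-content/themes/style.css\n"
    "https://www.example.org/\n"
)

if __name__ == "__main__":
    for url, labels in extract_doc_links(SAMPLE_TEXT).items():
        print(f"{url}  <- {', '.join(labels)}")
```

Run stand-alone it lists the three flagged URLs with the pattern(s) that caught each; the `wp-admin` and `test` paths trip both updated patterns, while the short `zli` directory only satisfies the generic second one, which is why the report keeps both. The benign `themes/style.css` path fails every pattern because the final segment is too short and contains a dot.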
- #### Payloads Report ####
- ```
- Something seemed to stop up the pipeline today at the Emotet malware factory around 15:00 UTC. I am not sure exactly what
- happened but we only saw 5-8 hash busts on each epoch. Some of them had a lot of corrupted downloads of late. This may mean
- C2 issues.
- There was a newer loader released today around 21:00 UTC that is smaller than 200KB but I am not sure what the changes are yet.
- If @lazyactivist192 has time he may be able to see what he can find out tomorrow.
- ```
- #### C2 Report ####
- ```
- E1 86
- E2 78
- E3 32
- 110.36.234.146:80 moved from E3 to E1 - while this is quite rare, we have seen it happen before. Out of all the C2s, this
- happens maybe a handful of times a month for unknown reasons.
- ```
- #### Closing ####
- ```
- Looks like there may be some distro/C2 problems in Emotet land. It could also be a harbinger of change.
- Be on the lookout!
- TT
- ```
- #### Sandbox 10/14/19 ####
- ```
- E1
- https://capesandbox.com/analysis/2997/
- E2
- https://capesandbox.com/analysis/2995/
- E3
- https://capesandbox.com/analysis/2996/
- ```