jroosen

Emotet Malware IoCs 2019/02/26

Feb 26th, 2019
## Emotet Malware Document links/IOCs for 02/26/19 as of 02/26/19 23:59 EST ##
*Notes and Credits now at the bottom* Follow us on Twitter @cryptolaemus1 for more updates.

#### Epoch 1 Document/Downloader links seen for 02/26/19 ####
```

http://104.248.149.170/sendinc/messages/trust/EN_en/2019-02/
http://13.231.226.136/sendincencrypt/legal/verif/En/022019/
http://13.232.2.61/wp-content/uploads/sendincsecure/support/trust/EN/201902/
http://13.233.183.227/sendincencrypt/service/ios/En/02-2019/
http://13.234.1.52/sendincverif/legal/question/En_en/201902/
http://13.58.169.48/__MACOSX/sendincsecure/support/ios/EN_en/02-2019/
http://178.62.226.34/photosite2/sendincsecure/service/ios/EN_en/02-2019/
http://1sana1bana.estepeta.com.tr/sendincsec/service/question/EN/02-2019/
http://2ds.cl/sendincsec/service/trust/En_en/02-2019/
http://3.89.91.237/Apple/service/trust/de_DE/2019-02/
http://34.242.190.144/sendincsecure/messages/sec/En/2019-02/
http://35.200.238.170/sendincsecure/service/trust/En/201902/
http://35.224.158.246/apple.com/service/ios/DE_de/2019-02/
http://35.225.248.161/apple/legal/verif/DE_de/02-2019/
http://35.239.61.50/apple/support/question/De_de/2019-02/
http://35.244.2.82/Telekom/Transaktion/022019/
http://50.53.45.102/sendincsec/legal/secure/EN_en/022019/
http://alextip.com/sendincsecure/messages/ios/En/02-2019/
http://amazon-kala.com/sendincsecure/service/secure/en_EN/022019/
http://annual.fph.tu.ac.th/wp-content/uploads/sendincsecure/support/sec/EN_en/02-2019/
http://anpartsselskab.dk/sendincsec/messages/sec/EN_en/201902/
http://asfaltov.kz/sendincencrypt/legal/question/En_en/022019/
http://banglaixe.vn/sendincencrypt/legal/sec/EN/022019/
http://bangoair.com/sendincencrypt/messages/verif/en_EN/2019-02/
http://blog.aliatakay.com/sendincencrypt/support/ios/En/201902/
http://bornkickers.kounterdev.com/wp-content/uploads/sendincsecure/service/question/en_EN/201902/
http://byqkdy.com/sendincverif/service/ios/en_EN/2019-02/
http://cetcf.cn/sendincsec/messages/question/En_en/201902/
http://clavirox.ro/sendincverif/support/sec/EN/201902/
http://cmasempresa.com/sendincverif/support/verif/En/2019-02/
http://creativedistribuciones.com.co/sendincsecure/messages/question/en_EN/201902/
http://crmz.su/Telekom/Transaktion/022019/
http://dansavanh.in.th/wp-includes/sendincverif/service/trust/EN/2019-02/
http://demo.liuzhixiong.top/sendincsecure/service/secure/En/022019/
http://dverliga.ru/sendincencrypt/messages/sec/En/02-2019/
http://dztech.ind.br/wp-content/uploads/sendincverif/support/secure/En_en/022019/
http://eduapps.in/wp-content/uploads/sendincsecure/support/verif/EN_en/02-2019/
http://engenbras.com.br/sendincsecure/support/secure/En/022019/
http://eurobandusedtires.com/sendincsec/service/trust/en_EN/201902/
http://farshzagros.com/sendinc/service/sec/En_en/2019-02/
http://fashion-world.ga/sendinc/service/trust/En_en/02-2019/
http://gbconnection.vn/sendincsec/service/ios/en_EN/022019/
http://gk-innen-test.de/sendincsec/messages/secure/en_EN/201902/
http://halal-expo.my/sendincsecure/service/trust/En/2019-02/
http://hashtagvietnam.com/sendincverif/support/sec/En_en/022019/
http://hayalbu.com/sendincencrypt/service/trust/en_EN/2019-02/
http://hoanganhvunguyen.com/sendinc/support/trust/en_EN/02-2019/
http://icspi.ui.ac.id/sendincencrypt/messages/trust/En_en/022019/
http://kgwaduprimary.co.za/sendincsec/messages/ios/En/02-2019/
http://kn-paradise.net.vn/sendincencrypt/messages/secure/EN/2019-02/
http://lar.biz/sendincsec/service/verif/en_EN/022019/
http://legits.net/sendincencrypt/service/ios/en_EN/201902/
http://lightlycomeandfeel.com/sendincencrypt/legal/sec/EN_en/201902/
http://liketop.tk/sendincsecure/legal/question/EN/201902/
http://lionestateturkey.com/sendinc/legal/sec/en_EN/022019/
http://manisatan.com/sendincsec/service/verif/En_en/2019-02/
http://mantra4change.com/wp-content/uploads/sendincsec/support/question/En_en/02-2019/
http://miamibeachprivateinvestigators.com/sendincsec/messages/sec/EN/201902/
http://miamidadecountyprivateinvestigator.com/sendincencrypt/messages/secure/EN/022019/
http://midtjyskbogfoering.dk/sendincsec/support/trust/En_en/02-2019/
http://mikrotekkesicitakimlar.com/sendincencrypt/legal/ios/En_en/201902/
http://mpgestaodepessoas.com.br/sendinc/support/ios/En_en/2019-02/
http://musicatemporis.recordtogo.com/sendincencrypt/support/secure/EN_en/201902/
http://ngkidshop.com/sendincverif/support/ios/En/022019/
http://oesfomento.com.br/sendinc/service/ios/En/201902/
http://ogilvy.africa/wp-content/uploads/sendincsecure/messages/sec/en_EN/022019/
http://onisadieta.ru/sendinc/support/ios/En/022019/
http://oreonfoods.com.br/sendinc/messages/verif/en_EN/201902/
http://oticasvitoria.net/sendincencrypt/service/sec/En/201902/
http://otojack.co.id/wp-content/uploads/sendincsec/legal/ios/En_en/201902/
http://phy.mbstu.ac.bd/sendincverif/messages/ios/En/02-2019/
http://pierwsza1a.cba.pl/sendincsecure/support/verif/En_en/02-2019/
http://polibarral.pt/sendincverif/legal/question/En/022019/
http://punjabanmutyaar.com/sendincverif/legal/question/En/201902/
http://quranyar.ir/sendinc/legal/ios/En/2019-02/
http://research.fph.tu.ac.th/wp-content/uploads/sendincencrypt/service/verif/EN/02-2019/
http://rohrreinigung-wiener-neustadt.at/sendincverif/support/sec/En_en/201902/
http://sandycreative.sk/sendincencrypt/service/trust/EN_en/201902/
http://santuariodicasaluce.com/sendincencrypt/service/verif/En/02-2019/
http://satofood.net/sendincsecure/service/ios/En_en/201902/
http://seositesmm.ru/sendincsecure/legal/verif/en_EN/201902/
http://shentiya.com/sendinc/messages/trust/En_en/02-2019/
http://sijin-edu.com/sendincencrypt/legal/ios/En_en/022019/
http://snki.ekon.go.id/sendincsec/support/question/EN_en/02-2019/
http://spectra.com.ng/sendincencrypt/support/secure/en_EN/2019-02/
http://suamaygiatduchung.com/sendinc/legal/sec/en_EN/2019-02/
http://tanweb.site/sendinc/service/trust/En/022019/
http://td-electronic.net/sendincsecure/service/secure/en_EN/201902/
http://tellequelleblog.com/sendincverif/support/sec/En_en/201902/
http://test-oaa-community.torpedo7.com/wp-content/sendincsecure/legal/secure/en_EN/022019/
http://thammydiemquynh.com/sendincsecure/legal/ios/EN/02-2019/
http://theme.ruquiaali.com/sendinc/legal/ios/EN/201902/
http://tiendaflorencia.cl/sendincsecure/messages/secure/En/022019/
http://tinhdauhanoi.org/sendincsec/service/verif/EN_en/022019/
http://tmr.pe/sendincverif/service/verif/EN_en/2019-02/
http://tobiasdosdal.dk/sendincsecure/service/verif/En/022019/
http://tokyohousehunt.com/sendincverif/service/sec/En/201902/
http://tongdailyson.com/sendincverif/service/question/En/02-2019/
http://tony-shoes.com/sendincencrypt/support/verif/en_EN/2019-02/
http://tvbildirim.com/sendincverif/service/trust/En/201902/
http://umakara.com.ua/sendinc/legal/sec/En/02-2019/
http://uno.smartcommerce21.com/sendinc/service/verif/EN_en/02-2019/
http://upstartknox.com/sendincencrypt/messages/sec/En_en/02-2019/
http://viticomvietnam.com/sendincsec/legal/verif/EN/02-2019/
http://vvapor.top/sendincsecure/service/trust/En_en/022019/
http://www.adhiekavisitama.com/sendinc/service/question/EN/02-2019/
http://www.andrepitre.com/sendincverif/legal/verif/EN/2019-02/
http://www.anvd.ne/wp-content/sendinc/support/sec/en_EN/02-2019/
http://www.ccbaike.cn/sendinc/service/question/En/201902/
http://www.chatpetit.com/sendincencrypt/legal/ios/EN_en/022019/
http://www.erickdelarocha.com/sendincsec/service/question/EN_en/02-2019/
http://www.hoteldonjuan.com.br/sendincencrypt/messages/trust/EN_en/022019/
http://www.lccem.com/sendincsec/service/sec/EN_en/02-2019/
http://www.maxhotelsgroup.com/wp-content/sendincencrypt/legal/trust/En_en/2019-02/
http://www.santuariodicasaluce.com/sendincencrypt/service/verif/En/02-2019/
http://www.sweethusky.com/sendincencrypt/legal/trust/En_en/02-2019/
http://www.topreach.com.br/sendincsecure/service/ios/En/02-2019/
http://xn--80ajahcbcdpeycafhi6j5d.xn--p1ai/sendincencrypt/legal/verif/EN_en/201902/
http://xn--90achbqoo0ahef9czcb.xn--p1ai/sendincsecure/service/verif/EN_en/201902/
https://tobiasdosdal.dk/sendincsecure/service/verif/En/022019/

```
#### Epoch 2 Document/Downloader links seen for 02/26/19 ####
```

http://128.199.68.28/doc/HYxCP-33_E-RI8/
http://13.54.153.118/wp-content/download/ijxD-Ml_j-lLt/
http://130.211.205.139/En/xerox/eJLyP-8JgjD_UvuQdYSlA-38/
http://139.59.182.250/DE/JLXBNDPFIW9550938/
http://144.76.14.182/scan/Invoice/eBfdi-Y6CJ_ZYWvXdJ-4kS/
http://159.203.101.9/EN_en/Invoice_number/MMsZ-KvzY_LaORlG-Ws/
http://159.89.167.92/De_de/ZRPVEY6845781/
http://167.99.10.129/JZTFEY9597595/
http://3d.tdselectronics.com/info/Invoice_Notice/ydKPn-ViY_BO-vGl/
http://80smp4.xyz/De/IPZWFMKCWW6650138/
http://89nepeansea.com/document/QXgmH-rBn_kkJLiEIrg-lna/
http://9casino.net/En/document/Invoice/4310615934247/aDrn-Sj7_TZhEz-WjZ/
http://ameen-brothers.com/cgi-bin/fqhe-aQ8_xELqzU-k0b/
http://amthanhanhsangtheanh.com/EN_en/info/nYyx-oK_KpKfkY-Fg/
http://asabme.ir/US_us/company/Copy_Invoice/QSrI-sx74_NnjxMxFwG-UT/
http://asandarou.com/info/New_invoice/ArilW-fs_Rxce-8YM/
http://authenticity.id/En/llc/Invoice_number/ThTQK-C1_nJqCvj-ea/
http://barghgroup.com/En/company/Invoice_number/rpAw-Cb_KZyPard-mvO/
http://bbmary.it/TJTBGPLWL2317408/
http://bdmcash.tk/US_us/doc/Invoice_number/kFzy-vVhj_n-CN/
http://bietthunghiduong24h.info/FNdJ-KypLg_d-nb/
http://bondibackpackersnhatrang.com/doc/Invoice_number/SBvDQ-JYbY_zlRDc-MKW/
http://book.oop.vn/wp-content/uploads/De/ULNOVTYC2809760/
http://brandradiator.com/En/download/GDPiR-Tx5A_TUO-za/
http://brisson-taxidermiste.fr/info/Copy_Invoice/JBsPG-jcB_BEKdPF-zct/
http://buseguzellikmerkezi.com/corporation/Invoice_Notice/ZcyvM-Jxq_l-GI/
http://caroulepourtoit.com/EN_en/Inv/VKZSf-LvA_xJtebNcy-NR/
http://catslovingcats.com/corporation/603649716759445/sNkEP-1NZ_E-oQ/
http://ccbaike.cn/US_us/download/New_invoice/FJyC-eOX_EecI-L9/
http://congdonghuutri.com/info/Invoice_number/kVSw-lbg_iNMW-qkM/
http://destino.coaching.interactivaclic.com/Copy_Invoice/uuew-Ze_Bgo-4l/
http://deverlop.familyhospital.vn/uVpM-b6_cgrSxRH-Rr/
http://easysh.xyz/ONDVVATDMK5976187/
http://ellegantcredit.co.ke/EN_en/llc/44361141978579/ryved-iAI_NLLFGNJI-IL/
http://fisika.mipa.uns.ac.id/icopia/files/En_us/scan/TOUa-xW3w_OGqoeFXm-XZ8/
http://frog.cl/download/Copy_Invoice/PYQuX-stc_uCbxHT-FKp/
http://ftt.iainbengkulu.ac.id/wp-content/uploads/DE_de/FGTRSTSFC1715404/
http://fundacao-algarvia.pt/corporation/Invoice_Notice/mtnNO-wcS_UXuQ-9Ne/
http://gabama.hu/US/download/Invoice_Notice/gljg-3eIQ_rAURFM-AG/
http://garagemcustomfilm.com.br/En/hLPi-DKC2F_W-uJ/
http://gfe.co.th/file/925127892346264/Cpar-Ox5j_d-Cq/
http://h2o2.ir/corporation/51805900354176/HVnYn-pAeQ_RBSaSpQ-imr/
http://health.escascollege.com/De/WRQFTF0830983/
http://hellojakarta.guide/wp-content/uploads/de_DE/CDPNGC8611428/
http://heroupforchange.com/scan/81478418655/SDOrF-6W_IFy-Oc/
http://hiedbooks.vn/wp-includes/DE_de/TUQRLRIUKR3530125/
http://highavailable.ir/wp-admin/En_us/OjSbM-LK_LFKDw-Nai/
http://highframemedia.com/wp-content/Februar2019/BZTTANB7239632/
http://hipecard.yazdvip.ir/US_us/xerox/Invoice_number/rzZW-APP_xf-7R/
http://hitme.ga/de_DE/HBXCNG1081481/
http://hostdm.com.br/US_us/file/Invoice_number/ptpb-Eb0y_dvtCyI-2C/
http://hotelmeemure.com/download/New_invoice/MGqm-PpUHy_wr-WJN/
http://hourofcode.cn/De/EXYMYMMAP9834900/
http://huyhoanggia.vn/US_us/document/Invoice_number/ywDf-3HKt9_lkbfAtT-w9/
http://ibrahimalsharidah.com/DE_de/TFJBIZXI0422155/
http://ic-star.unila.ac.id/ZCVZBUZTC7697899/
http://idonisou.com/De/LOTJDVLTR9816864/
http://ifmcg.com/de_DE/OVNUYYGZL5918768/
http://imfaded.xyz/TGSWBMLPF2211091/
http://institutits.rs/En/doc/Inv/laBv-Imp_hlvXObn-nW/
http://intrinsicsp.com/web/DE_de/WOXXTKCWYU0168895/
http://irmao.pt/Inv/jlqj-iN_ca-PS/
http://iya.net.cn/US/corporation/bUiD-sba_crQYWnh-X1/
http://jamais.ovh/doc/Inv/TYbL-Pk_At-51/
http://jasminbet.me/de_DE/TGURRRELY9014932/
http://jayb.xyz/De_de/LWFHOXZTET7525393/
http://jcipenang.org/wp-content/uploads/US/document/Invoice_number/NoCmj-BJp_SuaYH-B2w/
http://jikelele.tech/DE/MVPQSHGL5509908/
http://jongondernemersgroep.nl/DMJZCQXKY4396734/
http://jugosdetoxveracruz.com/wp-content/De/SWXJKLVU7936688/
http://kamajankowska.com/En/document/New_invoice/47444967349/nsIyk-QJkXm_FKnAfqrNL-Ss/
http://kchina.org/file/New_invoice/8314239336/AwhXi-w15Z_fZtv-Hpq/
http://kebunrayabaturraden.id/US/Copy_Invoice/ToOB-IOGm_VdNCHgIFB-K4/
http://kgr.kirov.spb.ru/en_en/scan/copy_invoice/jxqa-mg_eyswi-ivk/
http://khaivankinhdoanh.com/En_us/llc/New_invoice/xlFZ-BTK_WQb-Uh/
http://korfezendustriyel.com/En_us/scan/Invoice_Notice/qcDu-A9HN_x-JU/
http://laaddress.com/US_us/info/093140361837483/pWVqV-GCpX_BYGLbBw-Csn/
http://labuzzance.com/De/VWBFIICC7342383/
http://lanco-flower.ir/EN_en/scan/Invoice/qOhsK-rRl_h-7C/
http://lesprivatzenith.com/EN_en/download/Invoice_number/ZjzJG-gT_fuhjFRVq-FR/
http://log1992.com/info/Copy_Invoice/fbLw-P0_PbhAU-uK/
http://low-host.com/company/PVgJ-f7wk_qMJDBlWDK-dJt/
http://lsaca-nigeria.org/US/info/063080000795/qVGQl-3oEC_G-zd/
http://madeinkano.com.ng/DE_de/LLHQTP2727512/
http://madridcoffeefestival.es/US/document/840925069497975/LDSE-Rbk5_MLrwaFuN-Ic6/
http://mahasiswa.uin-malang.ac.id/wp-content/uploads/En/scan/vAGBG-hTN5_PyIKZ-tyo/
http://marbellaholiday.es/EN_en/info/Invoice_Notice/wEbti-TZzQh_GbrB-pJv/
http://maxhotelsgroup.com/wp-content/doc/Inv/xxdi-pU_t-QS/
http://mindomata.com/Invoice/RZLx-m0heV_ip-vf4/
http://moldremoval.site/download/ghvs-Yf_iskPeJF-PBi/
http://msc-goehren.de/EN_en/scan/Invoice_Notice/GBLfl-Wwh_kWDi-1Q/
http://mulheresmaisfit.com.br/Februar2019/CCDLJH0865575/
http://municipalismovalenciano.es/US/Bavl-scIE_MHkrBon-unA/
http://myh-la.com/EN_en/document/Invoice/07756142614/jQXx-Jfyy_otc-S0E/
http://n3machining.com/company/Invoice/PMyT-a8_BQ-KW/
http://nastaranglam.com/EN_en/corporation/673893846555/ILogM-HtzP_fXqhSiRFb-Jj/
http://nhatnguvito.com/US_us/llc/Invoice/HimL-E4Pn_KGQbFGH-8g/
http://old.hello5.kr/wp-content/De_de/TGGHGDYR3081619/
http://omidsalamat.ir/download/Invoice_Notice/ZFQZv-oP7f_mBTAG-LU/
http://outdoorlivingandlandscapinginc.previewchanges.com/wp-content/uploads/EN_en/llc/Inv/LSZc-SI_j-l38/
http://p10.devtech-labs.com/En/document/Invoice_Notice/adYw-CVlEV_Kknj-fB/
http://pai.fai.umj.ac.id/DE_de/DDMXXHT6483094/
http://partnerlookup.superiorpropane.com/wp-content/uploads/DE/YBWVHKTR6570207/
http://pasca-ia.unri.ac.id/BXVPQB2769257/
http://pby.com.tr/borcsor_pby/info/euVh-njUlw_fUCVwM-Q1E/
http://petparents.com.br/En_us/Copy_Invoice/tHEZ-au0kE_TEkK-Z8n/
http://phimphot.tk/De/QWCPRUQBP8242457/
http://pisoradiantetop.com/EN_en/info/Inv/KiVbd-ph1_xhGSETlW-SFD/
http://privateinvestigatorhomestead.com/info/Invoice/SksG-XcMpm_qZPshpxaA-h1f/
http://privateinvestigatormiamibeach.com/US_us/ZVbJQ-VVAP_YtuMZao-gx/
http://profit.5v.pl/De_de/QZCKNQ6601822/
http://pronews.vn/xerox/yGWz-8C6b_uF-17m/
http://qnapoker.com/US_us/doc/Invoice_Notice/LpIl-giKF5_FXEWOTP-iO/
http://qsysi.com/EN_en/document/Invoice_number/GNmtc-c0NVt_HHEdea-CwU/
http://quangcaohuynhphong.com/download/Invoice_number/SDzM-SHNa_AR-FR8/
http://rednest.my/En/company/84696069014577/hXOpt-Qbm_XjbOgowbA-GaV/
http://reitsinvestor.com/En/Invoice/59450765666/eEcmC-kWJ_mwNdVfbl-47/
http://renbridal.vn/En/Copy_Invoice/55253955/yyPeo-C0A_sTAf-EdO/
http://riadioon.com/De_de/WUHHKG3135848/
http://rsiktechnicalservicesllc.com/xerox/153105368580468/VEiK-YP_dpIquGI-dHx/
http://sandbox.empyrion.co.uk/Februar2019/UTGBLLRZ3343023/
http://satishuppalphotography.com/DE/VCPIVTJA1225611/
http://sealonbd.com/En/xerox/Invoice_Notice/978546019/VayN-c0s_SpSmBFzY-ZYp/
http://securoworld.co.za/New_invoice/pZAZu-7MVw_USs-Vdd/
http://setimosacramento.com.br/llc/New_invoice/DSlDH-teuvx_TdoVresJy-ZtR/
http://sexivideo.sk/EN_en/file/89098361/ZVJby-17f_vvWYn-aF/
http://sexvip.sk/US/scan/Invoice_number/DJnc-6Ky1B_uoYLZBCX-2d/
http://shopniaz.com/Februar2019/UMCDOHDXQ6562700/
http://slot-tube.cn/US_us/download/tNBw-YZ1_WfKZjpFLN-st/
http://smartre.live/DE_de/JSVWOKM2488486/
http://students2019.com/En_us/scan/144400157/xJgdN-ZyU0i_eF-8U5/
http://tahatec.com/US/company/Copy_Invoice/YUXZ-XA_XwU-EDR/
http://tahrazin.com/196664050005/Zglk-MfW_S-cif/
http://tbilisiperforming.com/wp-content/EN_en/dbhz-wR5_Tbk-gC/
http://teste.3achieve.com.br/De_de/DDEKYRP3267329/
http://thietkewebwp.com/wp-content/uploads/corporation/Copy_Invoice/cGjw-GTw6H_e-Cc/
http://thinhlv.vn/En/Invoice_number/WGRlS-XFt0O_IGNHrlsW-CIY/
http://tisoft.vn/US/document/Inv/gaZj-jTcE_CNLgxEH-c8/
http://tjrtrainings.com/file/wmIE-U6x_vbxKMFA-dp/
http://toko.kojyou-project.com/EN_en/download/QLPUt-qZanw_JyZRYHp-a39/
http://tplstore.com.pk/wp-content/LWBNWSPRB3094173/
http://ucuzastropay.com.tr/De/HKFSGCWY2251299/
http://umquartodecena.com/EN_en/xerox/Inv/ziol-8kX_fO-S8/
http://vibur.com/Februar2019/XYLAYCBVPW9662653/
http://vivaldoramos.com.br/De_de/AJUOOKPYNC8309387/
http://wiselove.es/wp-includes/De/DBTIXVMY4156607/
http://woody.market/document/FvFnX-Ca_hK-vr6/
http://wp.10zan.com/wp-content/EN_en/scan/CsvlT-he7_GXt-RO9/
http://www.80smp4.xyz/De/IPZWFMKCWW6650138/
http://www.anjia8.net/DE_de/QBPGCKSMAL3786633/
http://www.armeriatower.it/de_DE/HXCVTBMUM8983853/
http://www.asesdeportivos.com/US/document/Invoice_Notice/MlMyJ-Waszp_AePXPosau-ee/
http://www.cbmagency.com/doc/New_invoice/RvFE-OP_Wbbcxey-pm/
http://www.ellebates.com/EN_en/xerox/Invoice_Notice/dUVU-FMF_OeCTKDEWS-VN6/
http://www.erun-tech.com/de_DE/YDQKRMXQE3092771/
http://www.fazartproducoes.com.br/En_us/llc/Inv/6141820416812/ahRn-TdQaZ_JWHFOMb-Un/
http://www.imaginarta.com.au/De_de/EFVLEV6554728/
http://xn--b3cfud2a8bbhes3dcy9ig0ce4k2g.com/document/Invoice_Notice/DbUK-m4RnW_rTzgmJu-DV/
http://yduocsonla.info/llc/Copy_Invoice/aRAN-BjrQk_yHcoDMCOx-x9E/
http://yfani.com/xerox/Copy_Invoice/uonTD-1fEpa_yKRlmf-T1/
http://ylgcelik.site/file/New_invoice/xAHku-M0u_s-3MJ/
http://zambiamarket.com/En/xerox/Invoice_Notice/3799330701061/PTJM-Iv2v_CcrsgMe-s3/
https://riadioon.com/De_de/WUHHKG3135848/index.php.suspected/
https://tischer.ro/EN_en/file/New_invoice/IZpt-TiJA_VjWADO-gn/
https://www.dkstudy.com/En_us/scan/Inv/ikrF-FUkQ_IRizKYwqC-22a/
https://www.verykool.net/vk_wp/wp-includes/US/Inv/6868969/IIct-A5u_Rf-4pU/

```
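The document-download URLs in the two Epoch lists above follow a small number of path shapes: Epoch 1 uses a `sendinc*` (or `apple`/`Telekom`) directory chain that ends in a language tag and a February-2019 date, while Epoch 2 ends in a random `xxxxx-xxx_xxxxxxx-xx` token, or an uppercase-letters-plus-seven-digits token for the German lures. The script below is an added example, not part of the original paste or of the Cryptolaemus tooling; it derives regexes from those shapes and runs them over a constructed proxy log excerpt (Squid native format, made up here; the two malicious URLs in it are taken from the lists above). The regexes are an assumption about this day's URL generator and must be re-derived as the wordlists rotate; the Epoch 2 English shape in particular is generic enough that a hit is a triage lead, not a blocking signature.

```python
import re

# Added example: URL-shape hunting patterns derived from the 02/26/19 Epoch 1
# and Epoch 2 document links above. These are assumptions about that day's
# URL generator, not a published signature.

# Epoch 1, English "sendinc" lure: /sendinc<variant>/<dir>/<word>/<lang>/<date>/
EPOCH1_EN = re.compile(
    r"/sendinc(?:sec|secure|encrypt|verif)?"
    r"/(?:messages|legal|service|support)"
    r"/(?:trust|verif|ios|question|sec|secure)"
    r"/(?:EN|En|EN_en|En_en|en_EN)"
    r"/(?:2019-02|201902|022019|02-2019)/$"
)
# Epoch 1, German lures: apple(.com) directory chain, or Telekom/Transaktion
EPOCH1_DE = re.compile(
    r"/(?:[Aa]pple(?:\.com)?/(?:legal|service|support)/(?:trust|verif|ios|question)"
    r"/(?:de_DE|DE_de|De_de)/(?:2019-02|201902|022019|02-2019)"
    r"|Telekom/Transaktion/022019)/$"
)
# Epoch 2, English: final token "xxxx(x)-xx(xxx)_x(xxxxxxxx)-xx(x)/" (generic: triage, don't block)
EPOCH2_EN = re.compile(
    r"/[A-Za-z0-9]{4,5}-[A-Za-z0-9]{2,5}_[A-Za-z0-9]{1,9}-[A-Za-z0-9]{2,3}/$"
)
# Epoch 2, German: final token of 6-10 uppercase letters followed by 7 digits
EPOCH2_DE = re.compile(r"/[A-Z]{6,10}[0-9]{7}/$")

PATTERNS = {
    "epoch1-en": EPOCH1_EN,
    "epoch1-de": EPOCH1_DE,
    "epoch2-en": EPOCH2_EN,
    "epoch2-de": EPOCH2_DE,
}


def classify_url(url):
    """Return the name of the first pattern the URL's path matches, or None."""
    rest = url.split("://", 1)[-1]          # drop scheme
    idx = rest.find("/")
    path = rest[idx:] if idx >= 0 else "/"  # everything from the first slash on
    for name, rx in PATTERNS.items():
        if rx.search(path):
            return name
    return None


# Constructed Squid native-format log lines (not real telemetry). Fields:
# timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1551222001.123    312 10.1.2.3 TCP_MISS/200 45112 GET http://2ds.cl/sendincsec/service/trust/En_en/02-2019/ - HIER_DIRECT/1.2.3.4 application/msword
1551222005.456     88 10.1.2.7 TCP_MISS/200 1024 GET http://example.com/support/trust/2019-02/ - HIER_DIRECT/5.6.7.8 text/html
1551222009.789    201 10.1.2.9 TCP_MISS/200 51234 GET http://bbmary.it/TJTBGPLWL2317408/ - HIER_DIRECT/9.9.9.9 application/msword
1551222012.000     50 10.1.2.3 TCP_MISS/200 2048 GET http://example.org/doc/ABCD-ef_ghijk-lm/ - HIER_DIRECT/1.1.1.1 text/html
"""


def scan_proxy_log(text):
    """Return [(client_ip, url, pattern_name)] for every request matching a pattern."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        label = classify_url(url)
        if label:
            hits.append((client, url, label))
    return hits


if __name__ == "__main__":
    # The last sample line is benign but has the Epoch 2 English shape: it
    # shows why that pattern is a hunting lead rather than a block rule.
    for client, url, label in scan_proxy_log(SAMPLE_LOG):
        print(f"{label:10} {client:10} {url}")
```

`classify_url` checks patterns in order of specificity, so an Epoch 1 hit is never mislabelled by the looser Epoch 2 shape. The hoster-renamed variant `.../index.php.suspected/` in the Epoch 2 list does not match because the patterns are anchored to the end of the path; drop the `$` if you want to catch that form too, at the cost of more false positives.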
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time 2019-02-26 18:49:00 (XML Based - ENG - 365 Blue Box)
SHA256:
aca06c8f7084de9ab72d8a361d327f4795a70e26296f196a5638fc6bb0641401
d6fba7cc6d1bf18162b4f93ae9edf531ac5e7c4a94f5ec2b66d2132fd6a3497d
852f31e672b297f2cda4a45b1be84db54f35f90a1fcd86acda0a727e7a6a679c
91c28ce218ea2714f34e1f1282713030db675cc1a349a766ebb2e1cbbcf07853
09f58a77538eb0e8244611cd718661f7e60172d370e6e1bcb2209b4034172469
4eb3ef8eb656b01bdc72e086d3f29ae3b9a2b0de38e350f764f408b3675b6bb5
38fa382996c415286f4d6dd5eef8a91120b190cce21b4805f0ca98f2d842ae17
f9ebb2d70e98c849f0f27ff3076d907a329309fffb7d85ad434f57e58cce108f
23621abfbfc0dd988d9c6348ce1d3f04f60786b5b5bb5fe81fa086c219710457
b66a1fdd95b1100a673947c3d858ac69fb5cc46fa72ba89a44222a9894c6c8ac
3e691d74b5dd13743471203c0fd337561c02a04d9a314164dc335ad0f75f36fd
fe83c159702930a78c43ff4befa164b315140c93b717d2a987742b7f9b56fb69
b65abe2bc70d26f3180215006a72adfb5565602bb696736af655a5b1d5488081
832a005ede634155c1d720c308bcf0779e9700fb8e3698f3b01c06ac23670436
1f95c1af1e74ca80e647791eb97e3b67072b473244e0fda65da5dfff9a75a8a2
15cc699a8f1d97892ea2875ccf093cfbab3df5376f6e6b84648f0367e2716ceb
72f1564103c5c69cab5221731c42bb6eea30a8ce8d4da8015d052f71b3849f5f
a7af93422d03617f5c577db58fe469937e831c79a7691406eb7b458e7f4715b6
192cd102c7fda37f2d7f0a6411ce9fb3a95a00bd6021280c466682d7850a94eb
1634cdef680710dd4cdad340e2e173d5804e2e8ceb15f7150fa84acf6d6aa450
2f37984c5d62da70df37fe6a990206053d5e6280e10425e4d27691278cf913c6
664e468efaeede7cacbfaf2b9cb325bd3604a138f67b3b7dffcf96942e7d6cd5
c65c750562832bb907c0a992cd6ec5ee68dd83c16a0859c8e0b2baafe504c297
da3b6dac8ad9b8b7c4d86fcbcf5b9af37b6b65714043d6f58e2237e47d870a92
5abb9539e39d237dc7205ab4459a0066273ed78eb95528b5cae3d7dfdaeb2027
b033b23434817a743849e2a2d060ed9cb0532220f533e5cf55360722b6ea17e0
88e9d770691f6761c415039a8a068b5c11ee3025386b60b6254f89fdc60e676f
eb65ed486e76055181a5fe9a616830adcade99b5525f582e7cd68435002aa04c
64856c155c23fd4314fe1abd7056d307e6572a084ae2c01a5781dd876f880b62
8278814ac97824ff9ef6c0681e3c16fe0bddd7c2b5809f3ae1e4a9b1aa3fb720
477c8c8851e7c2734d40d7edbc2ee3bb8b5b61f4e8312c9432122ae687d73e21
1029e48c442e39f8a765ff26b6fa8776aee70c7a1ce284ee505a2bd0f8840e8b
81648b4f2c4f298ffcb522debc9959974e865047bda75982ad318f245e2109ec
9abdc884ed6dc9bad81c048502b7f87c9b2ed0aefa90c2e3170de4477cdf22ec
a4bb873c6b291a1620ac1144b101a611ec8e0aa54f95c86a4a86783bbd39bbc2
56b1fac56be6b0999ce5e950ae19a66434d6cabc1fcada83104bedf21c4cf163
51a5321b13a728495d186452985568a696f32c647175486063391b061d098811
95a8aa1411f276844ac6779e6c23b766e5ec06073b710307884935e73411b1a2
c0661e6d4c86df3f68baba1cc3f90aef917d289feaa6910db1a2e61381694e98

http://senboutiquespa.com/l5oBTin/
http://tktool.net/13BDYWM/
http://icebox.hospedagemdesites.ws/NFUvcViiv5/
http://specialaccessengineering.com.my/eof86bw/82NbuvX/
http://siamsoil.co.th/S1st9g7E/

Creation Time 2019-02-26 16:40:00 (XML Based - ENG - 365 Blue Box)
SHA256:
92a0eda77aa6228243660d84c043c981078d61707e38c9c68f0b1a2b9a7944bb
86a014e9366e8b13f50bfd61c201ee744df857f0b849e56e4c27ad1ff79226ac
a2d2c7b4f09156c92ea83131c8b58c1365fb81c1067c71758ce79fd5cffae920
a73d3d09480982f39bcf85565f7c80ccf17ffccdc058575303aa60001d752fc1
54aef412bba04d649bc2e9e5d9573f2a836c60c2a7a7804dc8ef78f444c64948
b11f40fec5ecae5abd8049433a9e4d36c3f6b1f15e8711d2d9d1b20864089194
ad81ee9c88d6a3e602b5e1cceef48f9e66f93444c6d74ef992d6160f19bc2381
5a45681eac580e217bb158b36035a6723b4666f6d376221255e26eb67f22f22d
1fdff33d154b62db1a7e0d0fc4b8687af4235d3a0d5fd422aecb245d8b1d8f1b
985dcb0fbf31dd0683364d5f2b555642724e347f7674b8e2c12f1b1fdfd42bc5
ca6d880143d30760071288e3a8cb959689c1be759b1eea18d83acd1af87fb610
85629bc7580e5d06ab3c6b082229eaf27fb150c951c98b6da9f9b1627dba0f53

http://quizvn.com/hyzPAJLkO/
http://norwegiannomad.com/URjrVPkVZ2/
http://www.kugelx.online/a5x6zEw/
http://rage.by/xhcUpWF/
http://packconcern.com/eilRSaX2Ep/

Creation Time 2019-02-26 12:37:00 (XML Based - ENG - 365 Blue Box)
SHA256:
a48dff8b732c96e54b3ca60eb2f3a128659a3cbf1d12d82b9035f7248b34b4ae
82d5b1ebed577b2bd2b3b46bee0f2c9d5e85fa37275f79115a9a6d45941bbdfd
697ce88302476ef8476b9ab4d1e91383086673ee020b7095164a982bf3511b51
260c5a6e4f9e20d18710aaf1d3231c8ebb8bc26a28b30c1d8052882d422e8078
65df60f09ec60a2a5eb29a93eaac23197086d476b6cb04036a0ea6c4058dcd0f
4eecdeffd34da88de6c4ee6218c5d60d7d43951734abcd35213a83d6aa03cb58
3b801db4ce58af52b3e542b6d7752b0d54d0506b12e8385ff3b2f3af3fb7321a
6301fca8a05635508f38d751a86e1af6bb69c803b8b593de3d448c1043ea9c7d
49c5b4484081df6c62e6c6f25dca25a9f9dd54f386d53370f0f0128cef79a028
4cccad42c96af66f31d646c1730cf40a0b121518e74cf2c80223362623b28a45
1755567b90e8c0727b6bb514e2674152484057d8fe3b5c41a6fca89ade1b092e
ccbd1dc02645300cdae9bb85f1330444aa1a115650c53a74fc111c49be12ae69
52de6bdde7e63c0d644dd3920c2880ffc6654cc96a862a8e3a14b6278d93544b
2137c30e155c8ad7bde384578b09b8881543c5372a7e1ddc027b1a0eefe6c6b5
b59dac75308d218f51da9eccd45298b94d5a84d3653560fa74161b19a2c9e69a
9efb41a809aa868bd97643723f7cc91ed6bfd4b7ec88c38cd205ed354b32594c
7f69435329710b79389438c4a04c8e8af72ec639bcbf4dad77be2cb3ef4f361e
08638038aaa86b2615c846c16499ba8296b64666b57679fbea247e638708aa1c
9854c6b7a5f168ea81b316419b57dd6d9f105736dbcf6ba338288319c8c4691b
2486736d8cf9e4593073b72a09d911c2d6c639fdba0fb509e2b89664659e9d42
ad257b7c0d69b1e2bcb36864a724de8cf233300ce8eb284a712d89b12dd75bff
d00f5f6abe3ac315e029aab7f968301997f0f36f8798c54ea780a31738ed9a30
7d970a0c773c4f24a320d53495b28c236913d5f577e07d3d86a1d6d7fcc05519

http://novelindo.xyz/qplmIzzXzm/
http://neuedev.com/2GrtA9R5q/
http://hungdonkey.com/UkNdQZrk4w/
http://ile-olujiday.com/G872YxBFq3/
http://matex.biz//M4fi1TXb/

Creation Time 2019-02-26 07:31:00 (XML Based - ENG - 365 Blue Box)
SHA256:
0034b727feb3985b836da5a2aedbfea9e7fe279c3f8fdf4b79d119b0012a76e8
b4e439207b9fb3b3a41fe67ca3bc9271ff765b5008bdb4dfcdb7632be1878e89
518f4493c92b6af70b917587ec8d636613cb24274e01bac8fd922b0e8511d997
760945e41c190c24b71d879af74b7f67c21551a4f88c05d3c29d544e61e1b662
d789a6e411fbe96cd802a9247c6a1fa9f48a5842559cb1f06a51af22da4e8e17
203cec97d75b2173a998b553cc7cd0f8ef164e1892c7319d089ed57d75ec6221
ed14efaf4b2a5997163e7b019d938deeefea97f1cc381a8eb3695be1e3d2c093
34c1e789fbda0b8ae7619a12f72553c841655b9333e6c6ca27d2252fad36c79e
bcc686f4af7a8c0d347b642638b29ee19ead0841419080995fc745ff00e53ba0
0d4ee6523e47456d469b8beb7b251912f19c05b6bdfc207bc070ce72fc884d84
814a131867e606b84f959392dfe6d49f936b66a384d45a3dba6590c76499c0b9
6b3cd099d8da9ad0d94b272716644ed8f822e6b0b32523231c2ad7572893955a
724825a7b903a9c3cf3c205f61756a47b67dba4040577edf19732a1b635b4cb9
67dd92216d3371c20da3d25b1831a79bec712396f8791fbbd82545554a72cade
58697a84c64cf7899db47cc61745ad020d426946d4934a1072e8362b051e2aff
fdb289dbc8b05c2e6cb9ef52c693f93c888b10ffaf52116738e99ded73e7b673
41ec193a3edc068fbfdd078924530de3111f2a094f33212d6d76f75415bcc911
69565b4328b1ccc38732c20b67fba08153cdb397d0ed22c9c1d7fb77828f622d
4515d3162aab3040eae1ffe2e608fba2437f78a2b4229176566f9dcec049e6f3
4a0ce507d8cc017065e3b10fbe920f1e27cd291dd147876eabf815ddddef09d8
fae41f705ef728d03bd002a22c258f81ef71c03716722901d5447cee3ae24ee6
43df45560e819678f89a4d3a451e0a7fc883bd5de6ee1ea58dd0be1a4485d171
d332a6d0855c8a37b837066f15f8c382720ca1d69fff07f3a617f69b239d0c4a
804bffaeb6d442f030d6659752f3df9a28f22957514248c487d5cec25da5995d
8a64d687563bc20b79fee78415ccd2833ba2cecbebf5b58dab54c5d1b1fc2b89
88a7f930e6dab797a739c9e89a4349a9f87dec1916bcfe00b83d696dcffe9493
10ea1b7a1a6acc18b483e3d2a9e08376330ab25a446386a29865edea1194f9c0
91d756917830242c53bd16b116de67b31d87f26d7a7cb1d286d47c163167ad11

http://bellenoirluxury.com/80JTl9YooQ/
http://balohiji.com/3VxoN0UUc/
http://beveragetraining.com/ZNCSNa1d/
http://shop1.suptgniort.com/Sg9BnvE/
http://az-moga-angliiski.com/6P9tgRQY/

Creation Time 2019-02-25 18:08:00 (DOCX Based - ENG - 365 Blue Box)
SHA256:
27bfe27a4f0fe8da3fabaca074cb4d3982f3b117c4d402afc6ca148eceff80be

http://13.114.230.250/QV2skGqtTw/
http://13.52.104.41/Igfq6xv5xo/
http://13.127.212.245/3LwnZ1t8/
http://206.189.181.0/Xht8nvYWZg/
http://115.66.127.67/JS9zvxk1i/

```
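Each block above pairs a maldoc creation time and template ("XML Based - ENG - 365 Blue Box" and so on) with the SHA256s of the documents built from it and the payload URLs their macro fetched, while the EXE hashes that follow are listed loose under their own heading. The script below is an added example, not part of the paste or of the Cryptolaemus tooling: it parses that layout (assumed from this page; it may differ on other days) into records, so a document hash seen in mail or sandbox telemetry can be mapped to the payload URLs it would have fetched, and flattens everything into a CSV for a SIEM or blocklist import. The embedded sample is a short excerpt of the listing above, shortened to two hashes per block and two URLs each.

```python
import csv
import io
import re
from dataclasses import dataclass, field

# Added example: parse the "Creation Time / SHA256: / URLs" payload blocks of
# this listing. The layout (heading, header line, "SHA256:", hashes, blank
# line, URLs) is assumed from the page above.

HEADER_RX = re.compile(r"^Creation Time (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \((.+)\)$")
EPOCH_RX = re.compile(r"Epoch (\d)")
SHA256_RX = re.compile(r"^[0-9a-fA-F]{64}$")
URL_RX = re.compile(r"^https?://\S+$")


@dataclass
class PayloadBlock:
    epoch: int
    created_utc: str                      # document creation time, UTC
    template: str                         # e.g. "XML Based - ENG - 365 Blue Box"
    doc_sha256: list = field(default_factory=list)
    payload_urls: list = field(default_factory=list)


def parse_listing(text):
    """Return (payload_blocks, loose_exe_sha256s) for text in this paste's layout."""
    blocks, exe_hashes = [], []
    epoch, cur, in_exe_list = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):          # a heading closes any open block
            cur = None
            m = EPOCH_RX.search(line)
            epoch = int(m.group(1)) if m else epoch
            in_exe_list = "Payload EXEs" in line
            continue
        if not line or line.startswith("`") or line == "SHA256:":
            continue                      # blank lines, code fences, the label line
        m = HEADER_RX.match(line)
        if m:
            cur = PayloadBlock(epoch, m.group(1), m.group(2))
            blocks.append(cur)
        elif SHA256_RX.match(line):
            if cur is not None:
                cur.doc_sha256.append(line.lower())
            elif in_exe_list:             # hashes after the EXE heading are not maldocs
                exe_hashes.append(line.lower())
        elif URL_RX.match(line) and cur is not None:
            cur.payload_urls.append(line)
    return blocks, exe_hashes


def payload_urls_for(blocks, sha256):
    """Payload URLs embedded in the maldoc with this hash (empty list if unknown)."""
    sha = sha256.lower()
    return [u for b in blocks if sha in b.doc_sha256 for u in b.payload_urls]


def to_csv(blocks, exe_hashes):
    """Flatten blocks and loose EXE hashes into one indicator CSV."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["epoch", "created_utc", "template", "type", "indicator"])
    for b in blocks:
        for h in b.doc_sha256:
            w.writerow([b.epoch, b.created_utc, b.template, "doc_sha256", h])
        for u in b.payload_urls:
            w.writerow([b.epoch, b.created_utc, b.template, "payload_url", u])
    for h in exe_hashes:
        w.writerow(["", "", "", "exe_sha256", h])
    return out.getvalue()


# Excerpt of the listing above (real indicators from this page, cut down).
SAMPLE_LISTING = """\
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####

Creation Time 2019-02-26 16:40:00 (XML Based - ENG - 365 Blue Box)
SHA256:
92a0eda77aa6228243660d84c043c981078d61707e38c9c68f0b1a2b9a7944bb
86a014e9366e8b13f50bfd61c201ee744df857f0b849e56e4c27ad1ff79226ac

http://quizvn.com/hyzPAJLkO/
http://norwegiannomad.com/URjrVPkVZ2/

Creation Time 2019-02-25 18:08:00 (DOCX Based - ENG - 365 Blue Box)
SHA256:
27bfe27a4f0fe8da3fabaca074cb4d3982f3b117c4d402afc6ca148eceff80be

http://13.114.230.250/QV2skGqtTw/
http://13.52.104.41/Igfq6xv5xo/

#### SHA256s for Epoch 1 Payload EXEs seen on 02/26/19 ####

00683b6d0e708f056339a1c43b84dd10385c5a82caebc5e44cf2076f00938ac1
"""

if __name__ == "__main__":
    blocks, exes = parse_listing(SAMPLE_LISTING)
    print(to_csv(blocks, exes))
```

The heading check is what keeps the loose EXE hashes from being appended to the last maldoc block; without it every hash after the final "Creation Time" line would be attributed to the 2019-02-25 DOCX template. Feed the whole paste to `parse_listing` and the Epoch 2 blocks pick up `epoch = 2` from their heading.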
#### SHA256s for Epoch 1 Payload EXEs seen on 02/26/19 ####
```

00683b6d0e708f056339a1c43b84dd10385c5a82caebc5e44cf2076f00938ac1
f19c5156038ed054881d7585277b6aabcfac775167c1d829a90e74608c744f30
071cd7f1a66bdf9808cb25a9e61e6b63b37af74a4778f61fa291889b8772e6c9
38227bad5aec9e050765cd31d68d7c9b8b421daeecba388d3c4621237b3b7000
78860697c308ffa65e9565c30469d0b2ca2bd0144ef645d99576155bc67ef4d8
1ce22ca76a41d1184cf723767b19a79807b1ccbc605337f4d8e7b7cd10b015d7
e2678a61fdc8c7e104325ad0bdcecf9ab5e84ba51b67e6dcd4bbb56c62f79cc9
d43c50ba81c75e94a44ca9dfa309d3e035135e5a61c4ef0dc24a3d6fff83654e
295ea5762a77df603fa1567452bfef83b8a8aae8a8d704aca5916bb9f01ebb21
4f8f2f52c8b84b93e32594edde7876f6a2437071d63187d0a3cc2f6a46b8e13c
d4c18a0c38826d7c4167dafb990ad9fe7812e8770570ce7f5ab6e861f9ae1bc0
b37ae6d9a5fb82ff702d4369c3531969766b3c5b9b719378aab6d5582c7d4fe9
0bdde91d032d0cff79d75dd731cbd7f20dcb4a853a2c9390acc47347b19b5994
6bb7ac1576b822b65b41688a55562b330aff688e657f3b15272c3eccdc96bc6c
fa01b58a45fe79a2274f49cb95192adf5ee074246739ba7b218813d82ceb4fc2
1f79593cd05b1ffa5381a634ae35613a16c3f7203e4f8af9fc0eb4379804b7b9
4d490227e2f7e87589b30ae60305e1d236342e5e3782937a5b5d458bb9f11101
8853f59602034373614db6ad72f750a6b3ccc7d1c9afdfbe65682d52edcd5361
b69b483eadad02cce8755f40517b11356cc868658a6f8f7d1c9ed05359170e66
a36d85d5bcca49543bfa5dacc653f636c55f17fa904fcf905fa5b26ceb2d23cf
46e6f135cf86f9fa133a2805b7864eb9aa96240ce1363a063cdb2b726aa66e08
22abbfaeddc40a9655921ad9c18172b87578c72dba501305ecf9ee666c109529
db660cd99f21d116375121be061ccbfecade73858541ba04c9657fa790de497b
b06a74b22d43be32aa71a379773dacd3f6ca03405dd797e205a1cb91d865b7d6
0b21ec2e284789bda40e3722796c694f0603a9d9cf6d8bfbe99204b844d4b249
f73818d00fc14af6af90e67f2a44643b35103f02f4daaa7f15a5d2b1bbf40ff3
6245de6b80b5a7474243af486d0e82834366ab4f09f19fe83f3d5c65ba0e9992
98587f1e1ca48341357223377e10a7288b01a49440060759c39e0f5c90341296
3892dedd6545f8b446490c9b6e2a42f937830932269316dcf378dfdd20777b6a
4be54d5a733566de83ffe6a5bfb0657c31bb3ea765f5a98c8654b442a91238c9
dc87de4b298535ce64cc79aaa9c0a0f2593bc2ffc73f9eab21d161180fb5ec7e
0a039edc515214ac47767f7fc721d20fe725fe35418f8d658615f150b70ee591

```
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time 2019-02-26 17:22:00 (XML Based - ENG - 365 Blue Box)
SHA256:
5bfec51fa15407b97649e82ac75431c0396834a58f479c5867a2c6cb3dc79f16
2f4a8b985f604f98966c8b90f9e0eeb15faf9b946a74098e7e02e1daed32321f
b503f5345f1e2d0c94d3badad9dcb7e81693b7957dfdf678e7e38538c6ebe0e1
9da586512816c7ea64515606ddb2091b69ff2275dafa91e8e22cd35e3071e185
418fbb192d7dffd5566f8ae6103d6f4acd61617f8fa24ad798865cbffee8f316
39bdbe2bd134e87f809971d63830f3d7317573e648673a89ee7ee5db1dab6bd7
24ade1226ecf9646a624a0aae717841d1d95fcd73e6879f987976478b875feee
45cf732e41764f690bc76ffe3c102b22b46c0ee59276458e6d25c18cb8973c63
33c7c6dba2b9e22d96f5a15f9b9b2e5febc856c61e6db04bc6ad6402e14f6f69
1697aede6b63b12e4bd3c7fd5315f869bc03c8dcfe7ad124c68d2e2243baaf9b
4e18c01207fe70c74e7f683f04fbede2a2ac549d5705eff1e2957cfcc03b8171
9e431411937a9edea2200ee76b5c537c851e076a1c879321d7d8a3123aebe49d
c5d6ccfa326d2811f3c73232234da81f462f443e675cf2c66ce528ddf9e0c00f
064ec7577a0395a67d194ff45ecd8212cf190a7d490eeb3d91037b9f54e20735
1c5154672bb992fb8dfde30f46bed885230d6f59f06109064d6640bf78e15644
5087d318c84a0da1f4285d235349d7adb282dd22ed82b57f333482e2ce490762
d74a5240f866ba6fe1cd3191801478b52e1b6c6eb2d816071d7bc82857b2837c
fd4e8e8b9b9012e0f749cb4aa5674c51e5a59cf61a7c1e03bd824002cc388f7f
5de9907b9809bc4bbf7681bd234e2a1b4ed94ed1fcce3d65458e7b8e5c9273a8
d779789debf838e39c7b156c77d7608fe056cfdbe3912e310ac675c20e3b4366
6f3ea054beeae0724d4009af18e36320a13ea56caaea871e69650553bb0348c3
81145b2fb2844320be87e4a46c610e59bec1cd87927fee9ec27e030ea86cc277
66148dc14d4a2f6d80e3dbd5c7306d80b512cabef278730219ba8ff9a4cd9e77
e55d99ff1e0089f1be742791bb4063d80064af7453d632ea4a92201ab4a3e3aa
11cbcbc4275ecb231eda3d05ee36174c171df853002b630ead6ac48df6a3a352
4257c368698066d0d22875607b377c75382bbf633ad33e1920974ee9853eaf29
f64c4380f53448103e34059fc107f79cc9a3e3f30274b34e11c9e98e3f237a60
6b33974cf79a733076ed546329a0aa4c588594f6de2270114e003593d0d06098
  522. 689174eb7b2355558698cca49c0e9dee6ea2c80f67feff50d1d8adedc71d235e
  523. 9d6be45e1f04e6ccd2bf9eb63259037f9feca6afdbe115e391826b048f0ea6ef
  524. edae1160cf43fcea54b34250a4832d0be5393128bf5ed6e4c69029c70d9e50dd
  525. ca7ddb6228b5f173aee45abb7c6483c6bcd54fb089faa1a04a971b85b9d951db
  526. 77d6ec52d43bb8fc016e372a722e225f12fa2a13ccbdc044baf3227a7b5621f0
  527. 22cc274e9722677b5cbaa3bbb05f239d467eeaeb87914d7c6be602aaea19643b
  528. 0530a476eec6f9294ae9223e49787fe5046feac331f1ba645d70ca57932e791c
  529. 26151bade4306066274f3a6cbd3b822685802231cbdc2e011e20c6c86c696113
  530. 9b75ab63c39d355b22683608302b841dddd552fa78dacb9eb1afb87229f4bb57
  531. 4f658c3f7b071b9df4d99dfbe97d9b38ec634e96467ae7bf7c7e34ec84d8972e
  532. 1855a41ff3fa8bbdae33458f03070e2b89f3513b910d20bc7c14307949d23edc
  533.  
  534. http://www.bersamakacasepatan.com/XpYHO9Iss_YTI20Qvw/
  535. http://icon-stikepppni.org/zwPEso5VK4DW/
  536. http://nailart.cf/f81y3PKllFl8mU/
  537. http://moonyking.site/nIfkmaGIxu3_Ki/
  538. http://monikatex.ru/wp-admin/LBefv2g_2Wyik/
  539.  
  540. Creation Time 2019-02-26 12:07:00 (XML Based - ENG - 365 Blue Box)
  541. SHA256:
  542. e530faca252c14776053689a142bc6d4367ab75159b5e37c441cbe6d1e9588d7
  543. 92dae00e75ed95de371b4e2028aa0f9a7f79e30b65a8cc695ea3a318836a45c5
  544. 5699c66909d14b1b61f622ff42b922a46cb8ae8177cefa2a1391451ba34abe16
  545. b11d572f0e037e0997ab1965647f57d19a8cf73bc38e1ea2b691bfb41f0d1929
  546. b9215f1abcecfbe3b5cdcecf2a548b10daa6fdf24dc907962f6813d87b33b987
  547. 2e7c728cee11c7aa0d022637c131a5dad0a31b07593880b600bce5d3574fa4ef
  548. 6b805ec4cab6167125425f3a7086afddc0afe88a4cd3b3e7d17d0f16f9779723
  549. 5f7618f6c74e4e6f0e470a9e9f6eabd322ee4bcc58d351c37bb2e367f398ce8e
  550. 7b8c95c07d115482769f31b71c6fa495a02ed293842837354dab12109dd864ae
  551. 10e26c5f1f5ef588e8c0ee5067bf9685ebc93a0ca1157d7313c5e59de114977e
  552. b54dbc73a7539cf832ca4d2056e9011d5e131fc6889d6a2f59013f0d214d00c3
  553. 17a3379b97f7df970b3ab4d64cee53e71b4abe8884231af7d56a606d09eff199
  554. 698e4cc8e4287ccf34d8cec5b197c9c02df863a9c2d9932f33c0c06bd3640a3e
  555. e22e6713fbe474de97d83faedd935a18006339808f8c6be684fde400172daa96
  556. ac8aa87c17daa53d3b5ada4d90a47f0a047f0f0de54b010ed1425a63cd1f42b9
  557. 919aa3d407ae9806d655c496bb04d11c21a256fd72bab186aef4c1db7a5a6427
  558. ba558722343e777a6061fbc30ecb42b2a35e39b40993bede7eab7d77b27ea8bf
  559. ba1794f54d5f768c3981f784691cbea3de485dd59af3b808409755b130b49d65
  560. a69278e5fb9d6a23c0de928a03d7d5f6722f29918243a55b55171e0c03e9726b
  561. e319455c68a06927ecf2258202331d68a14c459a482195c91bccbf07186e106f
  562. 8aad1c889319dd45d7514be205d396623ced675d3b132410ac34a38dfcf7f2de
  563. f4b307d8ee916a9c8ea135319991aeb269152f95c8a4bb87374d91b5ff9afce3
  564. 28f1422531cc6c73d960c2c1bee3391f5cb0cb8e70d1b51348fddda10f4b3e6b
  565. f7932d3196dee5fa91a7e42b43dfb50a881dd0c3b1dec11e774702f1899d836f
  566. 5723ede9bab7eee9b4834c5a35b5393f8bde43c3233ee22e890f74759fa7db77
  567. 0c79a72910c8cde0a05340adb091ba3bcf526d322c744a278e6f0cfa7f3e67cc
  568. 038b324ef3263d79c1cce4c0c2f1ae2a8d43fefbff2dfbc86948a4c26c2d9fda
  569. 653366cccd0a0745aa418bf1f7a4a92c1df8153c3a38c5c75761771b8a833b84
  570. 2af817bdaacf5ac307a48c81abdf29693bcbab85038958578e84274eae5b282e
  571. 83c8fd0b1c45593ded0c978604949664da6cc52323265ae7e3431f24e185fbb0
  572. c3c6e347df9bfb158e92a4297e0fb461b1e72a35f450dd707ca1c7a7dbff3889
  573. 9c3510c5faf12594f0655dec13657219a80e95d6941d4a02d98b30ab4b2be897
  574. c3236848e23f8c63c9898a66a61a300621c02993c6f71206599957d0e9791a6f
  575. 22d1ee300eab08704579966a365cd4cee9e5df80f7773e218c59499739797490
  576. 14c89ca6a6df8c2f2a6b22e2e67b39a7645a0daa1bce8423b6533ae0352d1c20
  577. 328bee7e82485887c35ba8d3f77576a59f4b39fd6cbff65cfdbf085076391c03
  578. 8fd3157793582ae8889441860b90cf1b359af1b8e539b2570e49d04ba82ffbfc
  579. b7a2ab9883e92933c9aab4fbd6e826827bbb67fd59c046c2e1f8c2eeb99fde8c
  580.  
  581. http://m-driver.net/XzZ9cdayyT_v/
  582. http://sanabelksa.mazalat.net/i72OMNI4aEk_379eZ3bh8/
  583. http://mediaglass.com.br/yUxRqbdEI_sdqk/
  584. http://honorwave.com/Bhz6O4aiIS/
  585. http://www.deportetotal.mx/IvzeRlO3IbW9/
  586.  
  587. Creation Time 2019-02-26 07:46:00 (XML Based - ENG - 365 Blue Box)
  588. SHA256:
  589. 78033dabc197fcd86a27f237f4e559506bfeb569d287f54ff820438d87453a87
  590. b04e365ab3665da4518e5a58ef5c29f7bfd25b74408e148330eb2e95351ddcdd
  591. 4528859334fd3e072b87d5df523461406cd8a6c24819003640c423ad7d51ba07
  592. caf4e6d5e1bbcc0980d56540cfde7541d8926946bd2b213a988381ef58e6c902
  593. ec5629f01a79498082664a9ff708ad1a57591bd19c98db41769208036820c132
  594. 576a7ec105de76ce25878c2b0c6fa42c2a319f2bf68c6cdaa3ba1fd76a13fac5
  595. ac0c2ad9fd1a567a9280cf0f0f22bc99c60ed6b68fc66c63ec8db8acca74a206
  596. 29377dd7842ca3bb82732c8ef1e8d45c808365286c92dcc2058ea22bb0d7824e
  597. 67bb9baa946d3d7e8ca55aa9e4bffd1097b48f48024ac173a68945d4ad45d660
  598. e098ba90734a7b1f0571893b315b661cbfeaf13308a3e31671db6c4e9f1fba70
  599. 6726792ae8d1ac81cc12c6ce4cc7302521e47d86f1df14bbeca34d999e96081c
  600. 36f0b38b9917aa742b5fc5c246e68e0e17b5a6f41218709c358bbd1668e6ac08
  601. 837ed170f31c7cc9cd9c5f9cb1c39635b568c2d6fb67924730bfa945ad9fe074
  602. 68855811bdcb5c195a33aca732cafb88d67b8a47323b72366379f5db63d30510
  603. 84c4933b38896ec18c03894690e50bbc9e8c1e0c7656a55938c9512f26b94d54
  604. 60ae50043802304e6fbc4a4756d21168f1127cac6c6b4b78a7c0beb10993a4dd
  605. f1a7bc259dedaeb0bbbb8334fc4a8da86fbe171311121ef6014fc1638bb4de2e
  606. dd019409f7788f043f25b702d43a73d6ec0ccf7765f949bd35bb9b97380d0818
  607. c99cf8c4396927251f494cdd7f5e0997ea2986d8f82b3d52ce76fb8000402f0d
  608. 68da1ace44cabfca6dd26066170f235bb3c1befc7174d2a8b52ffa317ec5dd98
  609. 7c80d14674d7bea1701d69203d0c58b311a9c23c36452d860965e1cbca67b59a
  610. 581480a940294a33a276ead4c5c7242af77dfd8143782addfa328505529574c4
  611. 5793b6609d2d0a192d2aa823f1fb20f175fce90e514edd2a7bb6f4275992fb02
  612. d97ced47777998f3c38bd32ac881aed0d52437746e86c98ed9eb4872719045d0
  613. d849eb9eed97aad4c063dc6e2d6bd6220c6bc68291c5773b93fb98bd6d9d2099
  614. db28322725a491775fd5e21d50ae4976cde04b1fbc534f8c2ceead550895fbda
  615. 10639dfec1f37b6eedd6a8ea18f2893a896c34ceb5d766f4334b47ea0d83caea
  616. 02655ed234b7b790572b0de2370faecf2fcdc2dcd197c595a9c1977c31308fb7
  617. de013fbaf5acb3d3e3805102f70edea7c45767bd7a13a7830e573c71b655ed4a
  618. 8171ca6e97c4a9906ebba1c0d6148d99242e18bb395abd0adca0d882b37f68e3
  619. f67e3447a24bac417c9b568e474180f6a833620514f5f0eb3ba3dec3ade167f0
  620. 430c89e07f050a2363fffef490d17c45864a65f02f705983ad8794ea8faf69b8
  621.  
  622. http://ozon.misatheme.com/kAGBl08noF/
  623. http://18.136.103.27/vJa093y1h/
  624. http://haqtransportnetwork.com/dFh7OasoqGtFcLp5/
  625. http://havsanmuhendislik.com/t0fpYAonLLkj/
  626. http://hayattfs.com/wp-admin/css/w6vjRGuuGZW_XRXzogZ/
  627.  
  628. Creation Time 2019-02-25 20:05:00 (DOCX Based - ENG - 365 Blue Box)
  629. SHA256:
  630. 921c5e924e9c404e3aaa8bdae58c88dbd296963a1995a1877d9a597b5d1d9b73
  631.  
  632. http://18.130.198.164/PxWmqZmpu_Oa/
  633. http://35.237.142.66/IfII7733ADRH_3R/
  634. http://35.229.246.203/3KA7w6CWNqo_TT/
  635. http://13.127.80.82/ClvW8ZSqo0icX_OiB6Mv8/
  636. http://35.237.193.10/xr31jJmSGatoosb_afwin2J/
  637.  
  638. ```
  639. #### SHA256s for Epoch 2 Payload EXEs seen on 02/26/19 ####
  640. ```
  641.  
  642. 88f6f285e4223733943038cac220687d9eba3c067656d109be2e2e56efc649c2
  643. 1c5858044666f63c59465616034cce265ad0b35a492fa9988b5ca1e1002cd730
  644. ba37182248f817bc10862b9e5c36fa9a9056de6bf86a9ef815bae88a9e080cdc
  645. 0ad58a3864e58d1b8a2d18c45da6b9638fd2662703518a8f8e778832d7ba771c
  646. 08dd6cda25221612a3999d8cd624ef31c7dbd74eb1599452f3985d353e4c65c3
  647. 5f570013cefda51e717d1de35804b6aa87d5596ea29d606f360db9805a8e463e
  648. 77653eb825ee1133f212739a297cfdc7fd86e2a64fd0b7ef322f28fc597a89c8
  649. db2ac323cc2ca9e1e8e408902ed8a7aa94026e6217d8822a45aa68282dd47e36
  650. 1da62e9bbb7dcdd60fbe18ac339c6c0eddb9b00d885b6540d45f2b1af8c58229
  651. 06a3abdf76f5978eda6c2face7c14a90f88c15e50ad05597594ac1ec49d88475
  652. 8c49eb583ca33c119bbc488e2e9d56f16e85cb38206c9722dc791f60acfb68a0
  653. 7ce2e1ada0a90e52f177859eb45336ee65508dc4e31b4a0a5ef710232a6e7a99
  654. 245dbff7a2af6ca6c1644728ccd2d13e959ef684ff6fcecd52d23cb25de1de2d
  655. c13cf61d96bf0e74b6edb4fee05468a8b5b3857e09355644fdf581489a43b6b3
  656. 95656911004a28d9bd7fa40d2fca0fa69b6fd6dc068c1515115815c06a00aa6a
  657. d6d17cde1358f3226d6cacd2ec68403f2eb844c9c917c417adb166468667aca6
  658. 0d6fdf34dea7b0cde72b8a6b3d4ffe9c4af761ef57e96da2968deec116f097f6
  659. cce2d65c9f9364337a1a359c9c1fc6d2ac21b6d2c307ece6d1eb5a5f6c999616
  660. f7a4a26c10c86ce3c1e9b606ed3e59c4c12758c24de95bd68016200b28e6b06b
  661. 0c41caa3e19f68517fe621d8b827bf54af0d5661c77c9fa11536a4d7d01a50e2
  662. 481788a0ca18ce189a416dc3efd2f498d55915730a3af8b3fa4a86eb59e3a9e2
  663. a273f817c1e8852796ab7c9ab3f962b1e3789fd1e8f049486218b0f4f943da61
  664. 8447ded3d3b93e93a7fe0dbda7bb522a7544b1ca2c9831f43530e7fbfde5320f
  665. 2958329965565e9f47ebacafbbe9af34514167933a9676287f80e603a6f6c0db
  666. b12eb325cef695a2d008921076da99a72e792c0748d500ff5be322a38403cda4
  667. 1a0c38fd66cb28b8da75a61f265bc09ad3fad7cd8d26f0bf9ab8219f6be5e148
  668. 3ea426eb2fd9ee98b874ae6f1a8b9d89a4690223385eb7ce83d5e1a14be555c4
  669. 57cef90a2a882ffa5e1f7f3699d24fbfce441c614fa523d0506974a82a6e5012
  670. 6a040997df00c9cf8239b4a6c48c8ed65a09b83ab54c58e5b3d215e81f7aeb8c
  671. 64a7f5435dc9b22627acb00712af83ec946e879c575176f31d786a0422ee4966
  672. 8f5fa0819dea95ce9a5f2619ca5409c68f61cd4575d56053958288790d678313
  673. a1eb4a13bd8298ada4db1fcc5c00d5f96aa126b891d6198ba415a39ec02c0f9c
  674. 3f59c30e30e20ffd8132e13602543929e3ccc456a4ec2a3ffd685df894adf672
  675. 9d9b0f2c33fb032e5ba4aeffd11b2c01ac7867cfaa5f44cbbd44a3cb0287ee57
  676.  
  677. ```
  678. #### Epoch 1 C2s ####
  679. ```
  680.  
  681. 109.104.79.48:8080
  682. 123.168.4.66:465
  683. 138.68.139.199:443
  684. 144.76.117.247:8080
  685. 159.65.76.245:443
  686. 165.227.213.173:8080
  687. 168.226.35.218:80
  688. 173.94.53.3:8080
  689. 181.168.123.241:443
  690. 181.29.214.233:8080
  691. 181.56.165.97:53
  692. 183.87.87.73:80
  693. 185.86.148.222:8080
  694. 186.10.243.34:21
  695. 186.103.141.250:20
  696. 186.137.133.132:8080
  697. 186.176.27.230:8080
  698. 186.68.100.2:20
  699. 189.130.56.200:50000
  700. 189.166.103.82:143
  701. 190.191.218.44:80
  702. 192.155.90.90:7080
  703. 192.163.199.254:8080
  704. 194.154.80.106:443
  705. 200.27.55.100:443
  706. 201.212.113.14:50000
  707. 208.180.246.147:80
  708. 209.159.244.240:443
  709. 210.2.86.72:8080
  710. 219.94.254.93:8080
  711. 23.233.240.77:8443
  712. 23.254.203.51:8080
  713. 24.219.3.156:80
  714. 41.60.202.26:22
  715. 5.9.128.163:8080
  716. 51.255.50.164:8080
  717. 66.209.69.165:443
  718. 69.163.33.82:8080
  719. 70.114.194.228:80
  720. 70.177.115.200:20
  721. 70.50.87.59:8443
  722. 71.183.45.61:80
  723. 72.137.188.42:8080
  724. 72.47.248.48:8080
  725. 73.115.132.124:80
  726. 74.59.106.11:8080
  727. 92.48.118.27:8080
  728.  
  729. ```
  730. #### Spam/Stealer C2s ####
  731. ```
  732.  
  733. 104.236.185.25:8080
  734. 187.134.63.166:8080
  735. 189.180.186.235:8080
  736. 189.244.82.217:143
  737. 212.112.113.235:80
  738. 24.191.37.42:443
  739. 50.116.63.9:7080
  740. 73.185.42.52:8080
  741. 75.166.252.40:80
  742.  
  743. ```
  744. #### Current Epoch 1 RSA Public Key ####
  745. ```
  746.  
  747. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJWcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
  748.  
  749. ```
  750. #### Epoch 2 C2s ####
  751. ```
  752.  
  753. 107.10.49.252:80
  754. 110.36.217.66:53
  755. 12.154.104.17:80
  756. 133.242.164.31:7080
  757. 138.201.140.110:8080
  758. 147.135.210.39:8080
  759. 153.121.36.202:7080
  760. 167.114.210.191:8080
  761. 172.98.243.40:80
  762. 173.167.83.97:8080
  763. 173.21.116.239:80
  764. 173.255.196.209:8080
  765. 173.255.250.241:443
  766. 173.8.8.73:80
  767. 178.62.37.188:443
  768. 187.138.90.97:143
  769. 187.153.90.98:80
  770. 190.194.4.221:80
  771. 191.92.83.137:990
  772. 201.137.254.209:465
  773. 201.137.255.80:20
  774. 201.151.157.61:80
  775. 201.164.251.76:443
  776. 208.78.100.202:8080
  777. 208.82.45.8:8080
  778. 211.115.111.19:443
  779. 217.13.106.160:7080
  780. 24.151.31.150:465
  781. 24.185.185.187:443
  782. 24.201.132.122:7080
  783. 45.123.3.54:443
  784. 45.63.17.206:8080
  785. 47.204.55.229:8080
  786. 5.230.147.179:8080
  787. 50.31.0.160:8080
  788. 62.75.187.192:8080
  789. 62.75.191.231:8080
  790. 64.228.72.40:7080
  791. 65.29.214.70:80
  792. 66.193.130.13:80
  793. 67.205.149.117:443
  794. 69.198.17.7:8080
  795. 70.115.70.154:80
  796. 71.244.183.150:443
  797. 71.41.68.158:8080
  798. 72.214.54.39:443
  799. 75.91.3.133:443
  800. 75.99.239.150:995
  801. 79.75.233.224:21
  802. 83.222.124.62:8080
  803. 87.106.210.123:80
  804. 94.76.200.114:8080
  805.  
  806. ```
  807. #### Epoch 2 - Spam/Stealer C2s ####
  808. ```
  809.  
  810. 183.82.123.254:80
  811. 198.58.114.91:4143
  812. 213.136.86.219:7080
  813. 37.209.252.79:80
  814. 64.228.72.40:8090
  815. 67.202.178.142:443
  816. 78.149.210.211:22
  817.  
  818. ```
  819. #### Current Epoch 2 RSA Public Key ####
  820. ```
  821.  
  822. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCxS0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRchG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
  823.  
  824. ```
  825. #### Credits and Notes Section ####
  826. ```
  827. Updated 7/13/18
  828. WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it
  829. is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
  830. https://pastebin.com/u/jroosen
  831.  
  832. NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
  833. I am providing them for your benefit in case you want to parse them to be sure.
  834.  
  835. ```
  836. #### What is Epoch 1 and Epoch 2? ####
  837. ```
  838.  
  839. What is Epoch 1 and Epoch 2? (updated 01/29/2019) It has been a while since I refreshed this section, so I wanted to bring it up to date.
  840.  
  841. I have been tracking Epoch 1 and Epoch 2 since May of 2018. Epoch 1 and 2 are two botnets with distinct C2 infrastructures and separate RSA keys for
  842. communications. Epoch 2 is currently the larger of the two botnets and I think it is the main push of Emotet. Epoch 2 WAS a smaller, more rapidly changing
  843. version of Emotet at one point in May/June of 2018; since that period Epoch 1 has seemed to be the smaller of the two. Despite having unique, unshared
  844. C2 infrastructures, these two botnets have been seen to move bots from one to the other and show similar behaviors, seemingly controlled by a single
  845. entity/group. Here are some observations I have noted since I have been watching these botnets:
  846.  
  847. - Checking a document download site from Epoch 1 will deliver a document that is different from what is being delivered at the same time on an Epoch 2
  848. document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those being delivered
  849. in maldocs on Epoch 2 at any given time.
  850. - Document hashes change every 10 minutes on both Epochs while distribution/spamming is active.
  851. - Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
  852. - Every week a new set of document download sites, and usually templates to accompany them, is generated early on Monday morning/Sunday night.
  853. - Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and Epoch 2 may
  854. have a document hosted on host.tld/B.
  855. - The RSA keys used for C2 communications change every month or so on each Epoch/botnet.
  856. - Binaries on Epoch 1 payload sites are different from the binaries on Epoch 2 payload sites.
  857. - Each binary has a hard-coded list of C2s unique to the Epoch it was derived from.
  858. - C2s are never shared between Epochs/botnets.
  859. - Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours to stay ahead
  860. of AV definitions.
  861. - Spamming activity seems to cease on each botnet at around 00:00 UTC each day. It usually starts back up around 07:00-08:00 UTC.
  862. - Spamming usually does not occur on weekends; the Emotet team seems to take weekends off.
  863. - The easiest way to tell which botnet a sample is from is to find the payload and then check its C2s/RSA key.
  864.  
  865. If I think of anything else to add or if anyone else has any suggestions, I will add them here.
  866.  
  867. ```
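A small script that applies that last observation, added here as an example (it is not part of the paste or of any Cryptolaemus tooling): it attributes a sample to an Epoch by matching the C2 list and RSA key pulled from its config against the lists recorded on this page, and it decodes the SPKI key to show the modulus size and exponent. The C2 entries are a subset copied from the Epoch 1 and Epoch 2 C2 lists above; the keys are the two current keys above with the line-wrap spaces removed (the script also accepts them in wrapped form); the sample config in `main` and the `203.0.113.7` address are constructed.

```python
import base64
from typing import Dict, Iterable, List, Optional, Tuple

# Subset of host:port pairs copied from the Epoch 1 / Epoch 2 C2 lists above.
EPOCH_C2S: Dict[str, List[str]] = {
    "Epoch 1": ["109.104.79.48:8080", "138.68.139.199:443",
                "192.155.90.90:7080", "5.9.128.163:8080"],
    "Epoch 2": ["107.10.49.252:80", "133.242.164.31:7080",
                "178.62.37.188:443", "94.76.200.114:8080"],
}

# Current RSA public keys (base64 SubjectPublicKeyInfo) as listed above.
EPOCH_KEYS: Dict[str, str] = {
    "Epoch 1": ("MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+"
                "0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ"
                "Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB"),
    "Epoch 2": ("MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx"
                "S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc"
                "hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB"),
}


def normalize_key(key_b64: str) -> str:
    """Drop the whitespace that line-wrapped pastes insert into the base64."""
    return "".join(key_b64.split())


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_key_params(key_b64: str) -> Tuple[int, int]:
    """Return (modulus_bits, public_exponent) from a base64 SPKI RSA key."""
    der = base64.b64decode(normalize_key(key_b64))
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _alg, pos = _read_tlv(spki, 0)       # AlgorithmIdentifier (rsaEncryption)
    tag, bits, _ = _read_tlv(spki, pos)     # BIT STRING holding RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_seq, _ = _read_tlv(bits[1:], 0)  # skip the unused-bits octet
    _, n_bytes, pos = _read_tlv(rsa_seq, 0)
    _, e_bytes, _ = _read_tlv(rsa_seq, pos)
    return (int.from_bytes(n_bytes, "big").bit_length(),
            int.from_bytes(e_bytes, "big"))


def classify_sample(c2s: Iterable[str], key_b64: Optional[str] = None) -> str:
    """Attribute a sample by its hard-coded C2 list and, if extracted, its key.
    Returns the Epoch name, 'unknown' if nothing matched, or 'conflict' if the
    evidence points at both Epochs (C2s are never shared, so that means bad input)."""
    seen = set(c2s)
    hits = {name for name, lst in EPOCH_C2S.items() if seen & set(lst)}
    if key_b64:
        k = normalize_key(key_b64)
        hits |= {name for name, ref in EPOCH_KEYS.items() if ref == k}
    if len(hits) == 1:
        return hits.pop()
    return "conflict" if hits else "unknown"


if __name__ == "__main__":
    # Constructed sample: a config dump with two C2s and the key in wrapped form.
    sample_c2s = ["5.9.128.163:8080", "203.0.113.7:443"]
    wrapped_key = ("MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ "
                   "0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ "
                   "Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB")
    print(classify_sample(sample_c2s, wrapped_key))        # Epoch 1
    for name, key in EPOCH_KEYS.items():
        print(name, "RSA modulus bits / exponent:", rsa_key_params(key))
```

The DER walk is deliberately minimal (SPKI, AlgorithmIdentifier, BIT STRING, RSAPublicKey) so it needs no third-party library; both keys above decode to a 768-bit modulus with exponent 65537, and a key that does not parse raises rather than silently matching nothing.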
  868. #### Community Lists ####
  869. ```
  870.  
  871. https://pastebin.com/qhSYcf9p - @Jan0fficial E1
  872. https://pastebin.com/W36gmycx - @Jan0fficial E2
  873. https://pastebin.com/dXx2Sv1X - @pollo290987
  874. https://otx.alienvault.com/pulse/5c75ab7fd06aba2669006f4f/ - @SecSome
  875.  
  876. ```
  877. #### Credits ####
  878. ```
  879. (OC from @JRoosen and/or combination work of the following)
  880.  
  881. Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, @0xtadavie,
  882. @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @leunammejii, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey, @Jan0fficial
  883. @shotgunner101, @HerbieZimmerman, @Outkast_TI
  884.  
  885. C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie, @devnullnoop,
  886. @gorimpthon, @Racco42, @Jan0fficial
  887.  
  888. Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz, @pollo290987,
  889. @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey, @Jan0fficial,
  890. @OguzhanTopgul, @HerbieZimmerman
  891.  
  892. Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
  893.  
  894. Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and helping out with this!
  895.  
  896. Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project (https://github.com/decalage2/ViperMonkey),
  897. @digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch
  898. and @Virustotal for providing services/software at no charge to this cause!
  899.  
  900. ```
  901. #### Daily Log ####
  902. ```
  903.  
  904. Back in the crosshairs here today with a good 180 malspams getting to my domain.
  905.  
  906. Once again we saw a new tactic targeting Germany in the early morning. Today it was a Sparkasse banking ruse. This was covered by CERT-Bund:
  907.  
  908. https://twitter.com/certbund/status/1100378578276020224
  909.  
  910.  
  911. For me the malspam started at about 09:00 EST and was more of the Send Inc that was seen yesterday with the same type of subjects:
  912.  
  913. (Encryption Email) Re: Open Invoice from Full Spoofed Name
  914. [Encryption Email] Re: Week invoice from Full Spoofed Name
  915. [Encryption Message] Re: Last invoice RH334277
  916. (Encryption Message) Re: Invoice due
  917. [Secure Email] Re: Reminder : invoice from Full Spoofed Name
  918. [Secure Email] Re: Correct invoice G8535926
  919. (Secure Email) Re: Open Invoice from Full Spoofed Name A12345
  920. [Secure Email] Re: Last invoice from Full Spoofed Name G41282
  921. [Secure Email] Re: New Invoice U35126
  922. (Secure Message) Re: Correct invoice WO23579
  923. (Secure Message) Re: New Invoice
  924. [Secure Message] Re: Invoice from Full Spoofed Name
  925.  
  926.  
  927. Some of them were showing as being from:
  928.  
  929. secure [secure@sendinc.net]
  930. secure_message [secure_message@sendinc.net]
  931.  
  932. And others showing as being from the Spoofed Name used.
  933.  
  934. Most of the email was received from 09:00 to 09:45 EST and I saw nothing else until 18:00. The 18:00 run was your typical
  935. ACH Billing crap. Everything was done by 19:00 EST.
  936.  
  937. The docs went back to XMLs on both epochs today and E2 had only 3 quintets where it normally has 4 or more so this was odd.
  938.  
  939. E1 C2s did not change and stayed at 47 combos as it was yesterday. - Recorded above.
  940. E2 C2s changed and combos increased to 52 from 51 yesterday. - Recorded above.
  941.  
  942. The keys have not changed.
  943.  
  944. I am starting to run out of time to do this as I do have a day job and have stuff to do. This is why I made the poll up here:
  945. https://twitter.com/Cryptolaemus1/status/1100282263416258560
  946. If you have time vote on it and/or comment.
  947.  
  948. Time for sleep.
  949.  
  950. ```
  951. #### Sandbox 02/26/19 ####
  952. (all with fakenet and MITM unless spam/secondary infection)
  953. ```
  954.  
  955. Epoch 1 C2 run on 2019-02-27 at 04:00 UTC - https://cape.contextis.com/analysis/40469/
  956.  
  957. ```
  958.  
  959. ```
  960.  
  961. Epoch 2 C2 run on 2019-02-27 at 04:00 UTC - https://cape.contextis.com/analysis/40468/
  962.  
  963.  
  964. ```