jroosen

Emotet Malware IoCs 11/27/18

Nov 27th, 2018
## Emotet Malware Document links/IOCs for 11/27/18 as of 11/27/18 23:45 EST ##
*Notes and Credits now at the bottom* Follow us on twitter @cryptolaemus1 for more updates.

#### Epoch 1 Document/Downloader links seen for 11/27/18 ####
```

http://2015.howtoweb.co/EN/Clients_CyberMonday_Coupons/
http://221b.com.ua/En/Clients_CM_Coupons/
http://36scanniointeriors.com/En/CyberMonday/
http://abinbev.dosemortelle.com/En/Coupons/
http://acupuncturecanberra.com/EN/CyberMonday/
http://adrite.com/EN/CyberMonday2018/
http://afibclinicaltrial.heart-valve-surgery.com/EN/Coupons/
http://aglayalegal.com/EN/CM2018-COUPONS/
http://ajkerlist.com/EN/Coupons/
http://alexzstroy.ru/En/CyberMonday2018/
http://andishwaran.ir/EN/Clients_Coupons/
http://animalrescueis.us/En/CM2018/
http://antioch.riessgroup.com/En/Coupons/
http://apunte.com.do/EN/CyberMonday/
http://ard-drive.co.uk/En/CyberMonday2018/
http://arjundhingra.com/En/CyberMonday/
http://arteypartespa.cl/En/CM2018/
http://ascestas.com.br/EN/CyberMonday/
http://ashdodonline.info/EN/Clients_CM_Coupons/
http://atox.fr/EN/Clients_Coupons/
http://auladebajavision.com/En/Clients_CM_Coupons/
http://avpvegetables.com/En/Coupons/
http://az-serwer1817112.online.pro/En/Clients_Coupons/
http://bacsise.vn/En/CM2018-COUPONS/
http://ballroom22.ru/En/CM2018/
http://barenaturalhealthandbeauty.com/EN/Clients_Coupons/
http://bbscollege.org.in/EN/CyberMonday2018/
http://belcorpisl.com/En/CM2018/
http://bemsar.tevci.org/wp-content/EN/CM2018-COUPONS/
http://benchover.cn/wp-admin/images/EN/Clients_CM_Coupons/
http://binckom-ricoh-liege.be/En/Clients_CyberMonday_Coupons/
http://bjgsm.org.in/En/CyberMonday2018/
http://bladefitness.in/En/CM2018-COUPONS/
http://click.expertsmeetings.org/ylcfea/YzONI8cS/
http://c-on.dk/En/CM2018-COUPONS/
http://conceptsacademy.co.in/wp-content/uploads/gppune/2018/En/CyberMonday/
http://congresoce15.interlat.co/EN/Clients_CyberMonday_Coupons/
http://congtyherbalife.com/wp-admin/images/EN/CyberMonday/
http://cooprodusw.cluster005.ovh.net/EN/Coupons/
http://crossroadplus.edu.vn/EN/CM2018-COUPONS/
http://dannypodeus.de/En/CM2018/
http://dcmkb.ru/En/CM2018/
http://ddbuilding.com/En/CyberMonday/
http://delaimmobilier.com/En/CM2018/
http://draalexania.com.br/EN/CyberMonday2018/
http://drhingorani.in/EN/Clients_CyberMonday_Coupons/
http://eap.vn/En/Clients_CyberMonday_Coupons/
http://ebayaffiliatewoocommerce.templategaga.com/En/Coupons/
http://en.avtoprommarket.ru/EN/CyberMonday/
http://en.worthfind.com/En/CyberMonday2018/
http://ericleventhal.com/EN/CyberMonday2018/
http://fractaldreams.com/En/Clients_CM_Coupons/
http://gameclub.ut.ac.ir/En/CM2018/
http://gueben.es/EN/CM2018/
http://haganelectronics.rubickdesigns.com/En/CM2018-COUPONS/
http://harvest.kovec.space/En/Clients_CyberMonday_Coupons/
http://hdc.co.nz/EN/CyberMonday2018/
http://hubgeorgia.com/EN/CyberMonday2018/
http://iacp-od.org/EN/Clients_CyberMonday_Coupons/
http://imabrifilms.com/En/Clients_CyberMonday_Coupons/
http://ithubainternships.co.za/En/CyberMonday/
http://kientrucviet24h.com/wp-admin/EN/Clients_CM_Coupons/
http://leeericsmith.com/En/CM2018/
http://levifca.com/En/Clients_CyberMonday_Coupons/
http://lifestyle.peopleviewpoint.com/EN/Clients_CyberMonday_Coupons/
http://livebeingfit.com/wp-content/cache/EN/CyberMonday/
http://ludylegal.ru/EN/CyberMonday2018/
http://maipiu.com.ar/EN/Coupon/
http://maipiu.com.ar/EN/Coupons/
http://maquettes.site/EN/Clients_CM_Coupons/
http://mdc-chain.com/En/Coupons/
http://mediniskarkasas.lt/En/Clients_CM_Coupons/
http://mentoryourmind.org/EN/Coupons/
http://miamijouvert.com/En/CyberMonday2018/
http://mideacapitalholdings.com/En/Clients_Coupons/
http://mint05.ph/En/Clients_CM_Coupons/
http://munyonyowomenchidrensfoundation.org/EN/CM2018-COUPONS/
http://nagoya-travellers-hostel.com/EN/CM2018-COUPONS/
http://neilakessler.com/En/CyberMonday2018/
http://neilscatering.com/En/CyberMonday/
http://netsupmali.com/En/Clients_CM_Coupons/
http://nolife.antonov.ooo/En/CyberMonday2018/
http://onetouchbusiness.cl/En/Clients_CM_Coupons/
http://pacosupply.com/En/Clients_CyberMonday_Coupons/
http://paraisokids.com.mx/En/CM2018/
http://parallel.university/wp-includes/En/Clients_CM_Coupons/
http://peoplesfoundation.org.uk/EN/CM2018-COUPONS/
http://prakritibandhu.org/EN/CyberMonday/
http://pr-list.ru/EN/CyberMonday/
http://projectushindi.org/En/CM2018-COUPONS/
http://radio312.com/En/CyberMonday/
http://s18501.p519.sites.pressdns.com/EN/CM2018/
http://semasevin.com/EN/CM2018/
http://site1.cybertechpp.com/En/Coupons/
http://sotaynhadat.com.vn/En/CyberMonday/
http://spb-sexhome.ru/En/Clients_Coupons/
http://spectrapolis.com/En/CyberMonday/
http://stonestruestory.org/EN/Clients_CM_Coupons/
http://superpositionbooks.com/EN/Clients_Coupons/
http://systematicsarl.com/En/CyberMonday2018/
http://testlanguage.360designscubix.com/En/Clients_CM_Coupons/
http://tracking.cmicgto.com.mx/tracking/click?d=04Zimls_ZE8Qp4Ip-DAWSyLsNxAbgsh7RnGX9Mr5uQKWNvyoEHcOqpuDzRHxkbx5-HY_Ijl3tGvVcOuBymiVmb-kt65Uw1i11GqtZPYv1Yb_mN8Ei40fnD3oA2BRnlahiT5m8UKfEVFG4pSEihuE9sk1/
http://vaheracouncil.com/EN/Clients_Coupons/
http://villacitronella.com/En/CyberMonday/
http://vmphotograph.com/EN/CM2018/
http://westnilepress.org/En/Clients_CM_Coupons/
http://www.akt-ein.gr/EN/Coupons/
http://www.atox.fr/EN/Clients_Coupons/
http://www.binckom-ricoh-liege.be/En/Clients_CyberMonday_Coupons/
http://www.biswasnetai.com/EN/CyberMonday2018/
http://www.bomberospuertovaras.cl/En/CyberMonday/
http://www.btmdistribution.co.za/EN/CM2018/
http://www.conceptsacademy.co.in/wp-content/uploads/gppune/2018/En/CyberMonday/
http://www.getrich.cash/EN/CM2018-COUPONS/
http://www.hashaszade.com/EN/CyberMonday2018/
http://www.iacp-od.org/EN/Clients_CyberMonday_Coupons/
http://www.ithubainternships.co.za/En/CyberMonday/
http://www.mideacapitalholdings.com/En/Clients_Coupons/
http://www.peoplesfoundation.org.uk/EN/CM2018-COUPONS/
http://www.sorigaming.com/site/cache/EN/CM2018-COUPONS/
http://www.thietkewebwp.com/wp-content/uploads/EN/Coupons/
http://www.vaheracouncil.com/EN/Clients_Coupons/
http://www.weloveanimals.net/En/Clients_CM_Coupons/
http://xn---74-5cdy7cbipke.xn--p1ai/En/Clients_CM_Coupons/
http://zenatravelindo.com/En/Clients_Coupons/
https://support.volkerstevin.ca/servlet/HdFileDownloadServlet?module=Request&ID=42450&KEY=5B648741-90E0-4BCE-9C76-DB7E9C378CC4&delete=false/
https://u8363957.ct.sendgrid.net/wf/click?upn=dWZA44YigbY9-2F5JRbOFgkbjF7uDcUsR1ZIpOM1YeigalRTP-2F641AYSobVNRE-2FdvK_jnM7mWtP1mibjtTBvWAY6hi5ckdavKwIFAutFeZX4X6o4XM5xKsaTE60pR9Iay-2FNqvBgp4FKA0Gljv-2F2vry0Hd5qHW7iyC05yCHraUvo-2BKC8f-2BG1rtXjTqv7KGKF5Pc0ekHBlEhssIl6AsH-2FSV3fE3-2BEgQQF1H7Z-2F9fRfSuTJ-2FrS3yMDRZUa33z1TOigmOxSitVFCMTCM5fUhZdm-2F3TEEyFHMpJ-2BABykzNJgbEn6R7wkZcxyLoHUfwpq9lAetb4R/
https://wpengine.zendesk.com/attachments/token/QiGBj5OV2VIK5lcGBzKwa3wzH/?name=LY7995522-693.doc/

```
#### Epoch 2 Document/Downloader links seen for 11/27/18 ####
```

http://2.moulding.z8.ru/6RXU/SEP/Personal/
http://2d73.ru/wZfhpVBOos/SWIFT/IhreSparkasse/
http://abby.opt7dev.com/files/Rechnungs-docs/Rechnungsanschrift/Rechnungszahlung-GYM-92-34893/
http://abiaudio.ie/8422YVHOTAL/biz/US/
http://agoralbe.com/ULbBajzzvxj/de_DE/Privatkunden/
http://aigavicenza.it/8716923NSSJAZWK/WIRE/Commercial/
http://amritcollege.org/78137AIOAMD/BIZ/Commercial/
http://anora71.uz/38NIGPXOOF/SEP/Smallbusiness/
http://anthonykdesign.com/621161FEY/PAY/US/
http://aol.thewirawan.com/sites/Dokumente/FORM/Details-VKH-41-39728/
http://arbenin.tk-studio.ru/815329IQQVJT/biz/Smallbusiness/
http://arnor88.idv.tw/wp-admin/06OHLUKW/WIRE/Business/
http://arpid.ru/837C/BIZ/Commercial/
http://arsenal-rk.ru/846FNDC/PAY/US/
http://asesoriastepual.cl/931UW/SWIFT/Business/
http://auburnhomeinspectionohio.com/3734YEHMKLK/PAY/Business/
http://avtoflot.by/1136834ZPMVEZK/WIRE/Personal/
http://ayamgeprekidola.com/849191IK/biz/Business/
http://azanias.com/0ZMGqy/SEP/Firmenkunden/
http://azksg.ru/71D/BIZ/US/
http://birbillingbarot.com/Nov2018/Rechnung/RECHNUNG/Details-HH-32-64539/
http://blog.sefaireaider.com/rEYWh2qQ/SWIFT/Firmenkunden/
http://blogs.ekgost.ru/61798LOUX/SEP/US/
http://blueboxxinterior.com/75JT/identity/Commercial/
http://bookyogatrip.com/66OF/SWIFT/Commercial/
http://boxofgiggles.com/files/Scan/Zahlung/Rechnung-ZD-23-38364/
http://buki.nsk.hr/4339JDOH/oamo/Commercial/
http://cantorhotels.com/SgSXRZZXlOjvllJ673HZ/DE/200-Jahre/
http://catairdrones.com/3015SFBCRQCB/identity/Personal/
http://cbrbrokerage.com/UarfMuz/biz/Service-Center/
http://ceciliaegypttours.com/8426Z/biz/Business/
http://christmasatredeemer.org/70B/biz/US/
http://cllinenrentals.com/666947N/BIZ/Smallbusiness/
http://consumars.com/43251FTV/ACH/Commercial/
http://cosmoservicios.cl/7441HNIE/WIRE/Commercial/
http://crest.savestoo.com/8V/WIRE/Business/
http://dkv.fikom.budiluhur.ac.id/default/gescanntes-Dokument/RECH/Ihre-Rechnung-vom-26.11.2018-FX-82-13182/
http://dreamsfurnishers.com/ezJiLVAVxMGt84T/SEP/Service-Center/
http://egyptmotours.com/9258VKRXLM/SEP/Commercial/
http://expertessaywriting.co.uk/default/GER/DOC/Rechnung-MWQ-61-64013/
http://fikes.almaata.ac.id/files/Rechnungs/DETAILS/Rechnungskorrektur-IVK-24-00994/
http://firstclassflooring.ca/8253TM/com/Business/
http://fruteriascapellan.com/440CN/PAY/Personal/
http://ftk-toys.ru/2946FUICYO/WIRE/US/
http://galos.ekoyazilim.com/13W/biz/Personal/
http://gama-consulting.pl/72999GF/PAYMENT/Business/
http://gemarlegno.it/4DEYGRLH/identity/Smallbusiness/
http://hellodocumentary.com/hellosouthamerica.com/3HTMCKX/biz/Business/
http://herbliebermancommunityleadershipaward.org/9OQ/oamo/Business/
http://himachaldream.com/files/Rechnungskorrektur/FORM/Fakturierung-SD-32-93193/
http://hkafle.com.np/5RZKZUJ/PAYMENT/Commercial/
http://iforgiveyouanitabryant.com/tQuuM98QsFV5tABzA/biz/Privatkunden/
http://imetrade.com/Icd8V3p9fLvw3g9vrLuI/SWIFT/IhreSparkasse/
http://incrediblebirbilling.com/doc/gescanntes-Dokument/Zahlungserinnerung/Rech-VDA-62-10827/
http://ismandanismanlik.com/administrator/75UFGCV/BIZ/Commercial/
http://j9050082.bget.ru/qAiUjuPnU1ov4B4Fco2w/de/Firmenkunden/
http://josephsaadeh.me/0702051TKF/PAYROLL/Personal/
http://kevindcarr.com/0GXMPKI/BIZ/Personal/
http://kijijibeach.com/25BGGGNUN/SEP/US/
http://kvadrat-s.ru/4TFAWR/BIZ/Personal/
http://leonart.lviv.ua/mV9hTeBpkJGxn97Jz/SEPA/Firmenkunden/
http://lunixes.myjino.ru/41RUC/PAYMENT/US/
http://medpatchrx.com/245PPS/BIZ/Personal/
http://mfpvision.com/wp-admin/631NYBFN/SEP/Smallbusiness/
http://micronems.com/cHNalGL3/SWIFT/Privatkunden/
http://music-lingua.ru/VnKP53bitx/DE/IhreSparkasse/
http://musthomes.com/5746ITHIPIM/com/Personal/
http://naimalsadi.com/OOfWrXgcvsDGyfQ/DE/IhreSparkasse/
http://nfbio.com/img/upload_Image/edm/pic_2/2DOQRI/SEP/US/
http://nhakinh.net/11WME/oamo/Personal/
http://northeastpiperestoration.com/Nov2018/DE/DOC/in-Rechnung-gestellt-WTC-95-98130/
http://ogneuporzti.ru/759NA/PAY/Personal/
http://opendatacities.com/4065FPAWY/ACH/US/
http://parenting.ilmci.com/4809260UAEOGD/oamo/Commercial/
http://parsianshop.co.uk/cgi-bin/8883TKO/ACH/Personal/
http://pkptstkipnu.com/cpT8pC7U038Y4o/SWIFT/Service-Center/
http://portalmegazap.com.br/124847XK/identity/Smallbusiness/
http://portcdm.com/814610LEYAN/SWIFT/Smallbusiness/
http://potens.ru/Cz8bWvoRWt/SWIFT/PrivateBanking/
http://precisionmechanical.org/TxvUgBC3LySY3t3wn/de/200-Jahre/
http://prestigecarrentals.puntacanahub.com/3702OTY/BIZ/Smallbusiness/
http://proffice.com.pl/04UMSKW/PAYROLL/Smallbusiness/
http://progettopersianas.com.br/4891173RASHZ/SWIFT/US/
http://progettopersianas.com.br/7UTLgfQjQNdJKRj/biz/Service-Center/
http://pzw-siewierz.pl/95BBQRREN/com/Commercial/
http://rushdirect.net/0800FFF/biz/US/
http://salvibroker.it/files/gescanntes-Dokument/Zahlung/Rechnung-QY-84-75815/
http://sandbox.leadseven.com/default/Rechnungs/Rechnungszahlung/Zahlungserinnerung-vom-November-EL-72-66767/
http://sexshop-amoraplatanado.com/04BBBI/PAYMENT/US/
http://sharjahas.com/administrator/15RYDT/PAY/Commercial/
http://shreeconstructions.co.in/737ZDAS/SEP/Smallbusiness/
http://sindia.co.in/63c7Pol/SEP/PrivateBanking/
http://site2.cybertechpp.com/8996INME/PAYMENT/Personal/
http://societe-ui.com/67HNDXENE/com/Smallbusiness/
http://soverial.fr/SZOVILU/de/Firmenkunden/
http://stickerzone.eu/95143ZZDHLURQ/SWIFT/Business/
http://student.spsbv.cz/giricova.el15b/wordpress/4766ABTDB/PAYMENT/Personal/
http://studio2080.org/xTTXapGXGqX31WqCm/SEP/Service-Center/
http://taarefeahlalbaitam.com/5075HHLT/SWIFT/Commercial/
http://the-anchor-group.com/default/Rechnung/DOC-Dokument/RechnungScan-MXH-29-05546/
http://totalcommunicationinc.com/wp-content/uploads/2016/A5yFOuW/biz/PrivateBanking/
http://tyronestorm.com/default/GER/Rechnungszahlung/Erinnerung-an-die-Rechnungszahlung-LIL-27-42572/
http://unionartgallery.ru/5338341RR/oamo/US/
http://urbancityphotobooth.com/29CTTBYEEN/biz/Personal/
http://uxconfbb.labbs.com.br/doc/de/Rechnungszahlung/Rechnung-BOT-64-44242/
http://vendem.com.br/files/Rechnung/DOC-Dokument/Rechnungs-Details-KZ-92-43466/
http://vinaaxis.vn/doc/Scan/Zahlungserinnerung/Rech-MCD-22-88515/
http://visiontecph.com/WASXWQk/SEPA/Service-Center/
http://worldcommunitymuseum.org/977JDKU/WIRE/Commercial/
http://www.azksg.ru/71D/BIZ/US/
http://www.brgsabz.com/doc/Rechnung/DETAILS/Erinnerung-an-die-Rechnungszahlung-GH-85-47560/
http://www.doctortea.org/292634HYUCHR/com/Smallbusiness/
http://www.dreamsfurnishers.com/ezJiLVAVxMGt84T/SEP/Service-Center/
http://www.ematne.com.br/sites/Rech/DETAILS/Rechnung-scan-OB-54-50541/
http://www.farmasiteam.com/3299947UK/identity/Commercial/
http://www.iraflatow.com/files/DE/DETAILS/Fakturierung-PW-21-56018/
http://www.klikcargo.com/8705GT/PAYMENT/Business/
http://www.leadonstaffing.com/7MELDDDZ/oamo/Commercial/
http://www.lendomstroy.com/0561IDUEYE/PAYMENT/Smallbusiness/
http://www.mi2think.com/wp-admin/images/80ONFFQO/SWIFT/US/
http://www.nowley-rus.ru/administrator/cache/47241VFPPJKZ/WIRE/Commercial/
http://www.pigikappa.com/8668TPSK/SEP/Smallbusiness/
http://www.potens.ru/Cz8bWvoRWt/SWIFT/PrivateBanking/
http://www.progettopersianas.com.br/7UTLgfQjQNdJKRj/biz/Service-Center/
http://www.rushdirect.net/0800FFF/biz/US/
http://www.soverial.fr/SZOVILU/de/Firmenkunden/
http://www.sptrans.net/348031FGGBLX/ACH/Commercial/
http://xn--80aacosifc0adbrfcui8o1b.su/default/Rechnungs/Zahlungserinnerung/Rechnungskorrektur-DZ-20-56428/
http://xn--80akackgdchp7bcf0au.xn--p1ai/1JjUme7T9ZRSblTjbI8/SEP/200-Jahre/


```
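Both link lists above follow a handful of path templates rather than random URLs: Epoch 1 uses an `EN`/`En` directory plus a Cyber Monday or coupon theme, while Epoch 2 uses either a random alphanumeric token followed by a payment keyword and a customer segment, or a nested German invoice path whose last segment ends in `-XX-NN-NNNNN`. The Python below is an added example, not part of the Cryptolaemus paste, that turns those templates into regexes and runs them over a constructed proxy log so a hunter can surface compromised hosts that were not yet on the list. The patterns are derived only from the 11/27/18 URLs shown here and Emotet rotates its templates; a generic path such as `/EN/Coupons/` will also exist on legitimate sites, so treat a pattern hit as a lead to confirm against the exact-URL list and the document hashes, not as a verdict.

```python
"""Hunt proxy logs for URLs shaped like the Emotet downloader links in the
11/27/18 Cryptolaemus list. Added example, not part of the original paste;
the path regexes are derived from the URLs listed above, and the log lines
are constructed for the demonstration (hosts under example.* are not IoCs)."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Epoch 1, 11/27/18: an EN/En directory followed by a Cyber Monday / coupon theme,
# sometimes nested under wp-content/, wp-admin/images/ and similar CMS paths.
EPOCH1_PATH = re.compile(
    r"^/(?:.*/)?(?:EN|En)/"
    r"(?:CyberMonday(?:2018)?|Coupons?|CM2018(?:-COUPONS)?|"
    r"Clients_(?:Coupons|CM_Coupons|CyberMonday_Coupons))/?$"
)

# Epoch 2, banking theme: <random token>/<payment keyword>/<customer segment>.
EPOCH2_BANK_PATH = re.compile(
    r"^/(?:.*/)?[A-Za-z0-9]{1,32}/"
    r"(?:SEPA?|SWIFT|BIZ|biz|PAY(?:MENT|ROLL)?|WIRE|ACH|identity|oamo|com|DE|de|de_DE)/"
    r"(?:Personal|Business|Smallbusiness|Commercial|US|Privatkunden|Firmenkunden|"
    r"IhreSparkasse|PrivateBanking|Service-Center|200-Jahre)/?$"
)

# Epoch 2, German invoice theme: Rechnung/Scan/Dokument folders ending in
# <word>-<2-3 uppercase letters>-<2 digits>-<5 digits>.
EPOCH2_INVOICE_PATH = re.compile(
    r"^(?:/[^/]+){1,6}/[A-Za-z0-9.-]*(?:Rech|Fakturierung|Details|Zahlung)"
    r"[A-Za-z0-9.-]*-[A-Z]{2,3}-\d{2}-\d{5}/?$"
)

FAMILIES = (
    ("epoch1-cybermonday", EPOCH1_PATH),
    ("epoch2-banking", EPOCH2_BANK_PATH),
    ("epoch2-invoice", EPOCH2_INVOICE_PATH),
)


def classify_url(url: str) -> Optional[str]:
    """Name the link family whose path template the URL matches, or None."""
    path = urlsplit(url).path
    for name, pattern in FAMILIES:
        if pattern.match(path):
            return name
    return None


# Constructed proxy log (not real traffic): epoch_time client method url status.
SAMPLE_PROXY_LOG = """\
1543359600.101 192.0.2.10 GET http://2d73.ru/wZfhpVBOos/SWIFT/IhreSparkasse/ 200
1543359612.442 192.0.2.11 GET http://www.example.net/wp-content/En/CM2018-COUPONS/ 200
1543359630.005 192.0.2.12 GET http://www.example.org/wp-content/uploads/2018/11/report.pdf 200
1543359641.377 192.0.2.13 GET http://example.com/default/GER/DOC/Rechnung-MWQ-61-64013/ 404
1543359655.900 192.0.2.14 GET http://example.com/EN/Coupons/index.html 200
"""


def scan_proxy_log(log: str) -> List[Tuple[str, str, str]]:
    """Return (client, url, family) for each log line whose URL matches a family."""
    hits: List[Tuple[str, str, str]] = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip rather than guess
        client, url = fields[1], fields[3]
        family = classify_url(url)
        if family:
            hits.append((client, url, family))
    return hits


if __name__ == "__main__":
    for client, url, family in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{family:20} {client:12} {url}")
```

Run against the constructed log this reports the Epoch 2 banking hit on the listed host, the Epoch 1 template on a host that is not in the list (the case pattern hunting exists for), and the invoice template served with a 404 (the document was already pulled, which is still worth a look at the client). The PDF download and the `/EN/Coupons/index.html` request are ignored because the templates end at the theme directory. Note that the short random payload paths in the next section (for example `/LmHBvqEv`) are deliberately not patterned here: a one-segment alphanumeric path matches far too much legitimate traffic to be useful on its own.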
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time 2018-11-27 21:08:00
SHA256:
300fc2b61c49e0a32363aa74464f89d8c5636aa1cbbfa752b1cdec3c0cfeb816
e52c18ac1fd448dffddb696c170222097e65376ce6a7bb54e561f04c9b7c7eab
e8f48d2527f3dd6acef3a98fb1caf5b3146170a45677cfed21fd2d8431f57b09
d8a4df5af5d0cf845d793ef34a2c8ebd5f9ad7fdf417d77eaf1223444ce4969f
c41941d0dea00669a544d6c8d9b4b6d635162fb60f3f500b04062aa49379bcce
0da44be038d0321cf029dc1498af4b7c45ec709134ea83646f82c36b599febd1
177cd9593518d9a9c257bed944a382422b4084f54c3912232e5cff7540132de9
48a2e85819cadf1a9093587e2fa33aec6170a6525c5f69623aba71755a56f801
c441432b6cd2caa6abc45b2aa35362a87c9134d85a0e27b3587c02aa19be2e7e
74cab6e5378c3f19642bbc98a382c27f0c9696ff2ed70e9b64ddf0acdc2e48e9
0cbacc766bd3e23b359ba2195e7af8b60a35c75067eb81bb35a59da2ffda7c49
0626106e0fcbc70f58fbb07aa60cb96a72a66baeec53c9acf933a75a5cadae43
3fb842cee5cb57a7573ff9d2712a5a20778e88f920599ee3caef3fdc8d011924
05cc4476eb3ba9ce333ab8d21cd7a79114c62ea73a6f902cc41084df1a08de2b
339a4a66f7a5911e64cc390a5ae26c9537dfc40d78bdbe7dff37e92d4ffde4b7
7b24036b97cb461e830dc8fcb1320f8039814ef71de7c896c84275555d1cec5b
5a61784703f89a6d3b662e1403362e5373165f1be16c4c59e1cd2e2492742266
83be53619de46b5c04fe3f0a6c75f8e29b6909508d8470fd0b256e46a9a1d660
53a41deded3141259effcc25aaa546b0eea67e0b551a92da6ea347b75a8be9dc
a846f35f048ed28269b72cf0fb922d964599bfe05dba6c904517222fb2376046
290f717bb5f1fc7e777d8f7ec84d2783d06c5d3ef30d23d1715262db2af61fb2
272ddf34625066f8b27ac2de996c30b43223b9d83601337ce05b9ef703985fb8
29500fa224729900fdb264a63148b6b2a6723bebd3f333a38e60848df342815b
3273e36283f53d159a20ce1c0cb67733fb976fdf8fe1953130817c4fa9aa4323
adcf6ec0875d89b2243661b4a87983ff23450fe1c120a97ffde3aca0e913e83b
2e38421d9ca923e82a7538194ac16c1211be621291bb5cda68ceb501b9568f84
766b4d1dd71d55fc39fc418fa0f5123ee0b891aabf8aa1434e11617b05e96a19
8ac1610f45da93c1f18076ba500334e9bf7eca2a4e1638f5a4fcbb0312b636fc
24f7fb2e9b12a1586ae3e579f948b70a0014c31b273707e92754830dc9f2180e
a019afb388b3a48894b294960070f15e6db0fde2a3d2db94b4a0d3b2b3d7cade
b310ab2f07f18a081e7a48e89655c3d330933b598d6f72e4206f02ac611b9522

http://akleigh.com/LmHBvqEv
http://chakreerkhobor.com/zk82JspRS
http://aldia.com.uy/541Ft1KEi
http://abracosgratis.com.br/L69kgiz7sV
http://arcticblog.nl/sjlLkeBL

Creation Time 2018-11-27 17:08:00
SHA256:
6bc8ff6bc2a8bb47e9b714a16fd0bb50e54d0ca9b559aad67593ae22b6312bf4
d8877e45fdb6357b8f130035d2fab9e823e0c558338758505dbe342a9cd1efe3
91eec7ce8e788d48b0069ce7174ed1989670d0440be94566777b3f6cd60f8d90
d01e0c68f0e3c9733d45f9b29beace0c8c56f386f381282127110e20edf058dc
ac816d07c14a4975a79ae55877f233772b94b4038fafafcc422bce5edb2a1f87
fb3e6a1640aa96363d78cc7945cbf139dacf05dd11a2dce748dc7dcfe9702c48
3828685bd642c6c32f0751a071234e2dc7a0d18d76bef604eaa4a0e9cc5d89a4
33318fb24e9a0bd045103d44b31f72fbf39c00abe791e6d601ab62ae21da8814
f586c8a528dc44265f6f65a940d823d33a1227387d5700159fabc620bb7dfd70
dffaf92863b326b51f93ab31d534ee53bed9f28ada5da3ef444f19b06b45baba
fe660f915e77996184d93602b23c8f5e3976575937b2ee2a0ca39d5e96057ed2
8f0e94f24a7f69427cc695db20a165f4c4b70f51919ca5cc128e28769f32bbc3
0a55bab7943f47607982b48691f0affd7a9c6b4bfa19010eb6de001a10e96fcf
27b4e5089cefbe45cef63d522a04575fab94c13808768a8e75e63674dda083ed
b497788b01224a881d40f05b1a7ae94d3cc24fabe6be4faefa28d46c8c2adbb4
78db8c8f8daff7466ffc9c5e63984df421bf1d5519451fc24d198963414b9032
c400daa426b8a4de575e1917faeb59143908e739591a17c5ad4b73124fca918f
dcfaf56d1973d683b60b002626e4831c76852fb72316ad5fd9dd6f966ba5f7b9
031363d0da1eec1c5d3c62d067d7f2dfc58d9c73950b3ede8f2817549b621501
0536ab4c3baa84875beefec6bbe09a6ad1c17255c1de1ebfce37aed69de84a62
0e8980124f46e522e64cdd95d8da1c99151c095f67525e268ae5ce7bb17caba0
25541da7b13c7dd528d1c80cb3ba61d071f2b3d10754b776e7335e88b5a8089f
6614f15ae94a47f08b97b900ff4992627d26bdc48992c02fa76df90ba07bad22

http://ruslanberlin.com/m2tB9FDNej
http://info-daily.boilerhouse.digital/MxPVLAAX
http://andreaahumada.cl/sCEVt0F5z
http://ctgb-a.portalserver.nl/CN7E4iL
http://2reis.fr/wgkIDe1ax

Creation Time 2018-11-27 13:30:00
SHA256:
5f5683d1b5115a1da64884c74e08067af10846dffbaceb3679d0d1d56471b4a3
094e8af9cea15d08d7324759c89d9d803680bffcaad9114486cb5db5d9c42b07
e4f307c8fe2d776df216e35bb5f27edae2c8d4bd36a400d8698f3a3ad4f6c922
427c26f7cf39e9a159e37d65232b8fc8b5e588f138d35d52cd7a286d505a30c1
7d13b508b671f8ebdf515dff7781e7f567b0693ee659edff1324db90c4ed4cb0
a1bc3d616b3400e8fcacbfe16efc8435334ad51d772cd862e93b24276160498c
e18247caed44ec7fd8c298387caf16d3f253c11e3163d0d7d46920d85e5cd949
8484bbd101fb2025904dae575cdc636d4a44958bf1526eee80ee86edcb86ffa6
b4c935555f1fda2ca77b716cf4decdb59e7ac3f6b153300577017f1689d05a8b
ba76701fbd7fbd4fd52dc07d0a3bd11320332223c07667b79bd0d70842fcbc7e
895a3b6cc2799f681edde33cbbd1f0c7ba19010c89085030f6733771f75a7447
cb263bbb1bbe499950fbd55bd5f8935c654cc284c16511058ff63775f05310a7
be915b3f006feb84eb8cedc35b5fba2b390368380b6be135bb54c2cdf7ea8de4
d9e35a497de7fca01cec40cd8eb8a6c984dd42e1f850634bad034593b2a03f95
c6af8a3e1e5810ee815f17f9eb012401da611100643ff72435c00ecbac0473e7
6074ad8f9a52596aa42f2f27ffd0115e6fb03be4e7d6b11cac0a9fde5a11e211
e0766cc43cc9802729263dc0453c64cbb0c2d616c5ec9a0cc7c13501ea09f199
6ced06577c7f10685b4635d978b31f68bda96bdec6cf691d29d08ad0b49584ed

http://31noble.com/VN9EbhOIl
http://amdcspn.org/xnSTxdxjKT
http://bakunthnathcollege.org.in/oID7y2YP
http://aquarell.spb.ru/hsapPJPwc
http://tmassets.com.bd/jaMFb8Ro


Creation Time 2018-11-27 10:04:00
SHA256:
8d86b6e69e38135289cf2696b43f012a3b186d70fe7d0fb7c86b8a92e7bf8283
f56253a906074b2f40c32b182590049f4aa89644d9904f74021dc6a2333e17be
1c52db03729dfd87dd3204d07967f44d5f2451fe88d0ce91267bc199f99c2e24
8dd7a8e3c7c957c5b1f0fe3a358c46cdd930fba93ce68ba78e0300e6caa6fade
300fdf102f0bf1038b0ef68956e749d03f7dc808a4d8b8fe616ec11167651925
21c0938710b6876cd32cb3942a13824e5dfa2b6f69a991eaa561e7ff611a5fc4
1a2cbc33adc4b80318b8926e3e797d3eb4e227947bdc4dde311a39cc08dc447d
f13a29119aa5d5df1a6f0fedd369501e3ab492d8563567a2504de58588ee755e
3186dc2f65bafee9420752229e7449a30114b3da7a98c7c92f2169c62d11b112
ea2a97677ddba1c8128087676af16410119d74158bbf38be38fba62d9062f194
1450238a5480f613f1445131d738fec8232f92a180f6b3d998da5076730d3fa6
434857bf8af681807b98c6aa7e002b4c5ff43e25ab2e942abe92b0f2049503b8
23eb88fc57dc6f53be9a86c40e587061223147d9842861c2d8f8c231b54ed82c
a8ca8116fce6808cf923e846f351d5596edfcfa1214e400f95df45b604810d31
ec49ca7cc91f2bacab2b6f8121caf22e3099f50aca0007dd87388ba2c443d845
a11849054b1683b2b8fb4a501093284be11c9fb212089cfb89cdeb0990731bd6
9989417ee80149bcb4a16e43b98ba99202fcbc1daf7a0dace9f56a996176f32e
ddcadd519a969732fdefa5ffd470f7ba1eee02a92cd0fa80b13864406aaee0e7
c1ffce63daa5b616e32cd4d5aa4d3c0bbae09d8cca1f4a01189f0e8f5b5c17f0
e2a7f645f9f504ce7bcb57e14d3bcec4785f1f63ffd6c0053f1eb3d4f6812819
a9815ebbe2e6780830fe9622c1897cbf4c7fde512d3672bc77fccb958655da64
abf783b5546d7672cb471bd293bfb38e9972ab1cddf0c793938d8847bac68177

http://msconstruin.com/9JBTS8onb
http://www.veranorock.at/NLvsvsa4
http://stars-castle.ir/99qjLtBg
http://www.floramatic.com/hvpdpLg
http://myunlock.net/uAbaLX2r


Creation Time 2018-11-26 19:28:00
SHA256:
f4aa05a0dd91fd7c481f3d68643970e4e3f97150c212260caf26471641a038c4
6b2f8119637bc55f0bd2b5916218a85f87bcd9bf9e8f2bfde0f3d2c2fb4065d4
79a64d33535eb6e0bf9046dd193a0f0281a69fa676ef305401eafd99fec3b03c
67408a9f0bbc9b6958bc45e113642bd82b718afc61dfad50d39cf9e09db8ca85
be528e48e63a887906de49cb132133c90874d756d8ce6927fff9e6dced62c160
e647a81937cfcf729b0a658fa43440b5bec328cfb95542da09be4a53244c74e6
cfac87873ff1b24535fdbc933eee0440fb1e0d0e899169854deb827db4ad9bb8
5e07b03dc70a3d54e5df6af30f52efdc792948c0d7c43b894b357f001532e342
5f4800472342ee2ef2da4d44a30dd6088fb73ad8f92233e05792e77b0591e8a4
8e4010b829160deae7b2d1e92f19bf88ae1922f422de6a5c2fbf014e1b8f74b6
7a31fd6b9a2630c3397216fc20a74c21688bd159675b2648f782983bff8a22f9
0e72fa81d6bb20c557bb8c66d766a61d8c2ed10ba9a203223d00525321c51b78
547326fac93c3f94418b6b96a124ef35dfd58a3314ef7fc7a84047970ab2f30e
8bb8553a4d00fb609cc30bc1a8240d714e391fe1229e4cbb1e3887fbc1a099d8
13d326b36b1abde4400ccf7512333625139a4908ad180399290b18f928a62540
840cf46c664e06aa2fed80739269b8c0218a462ab981d71288c747670e5220ce
db8c7b734216e3e20447a477896629487edd88c0ff2382d3d3abd264848ad5ff
2033b001b6dde1d53086c3f1f439625a0e6a8294434fd79bc1e570c5272c1bf0
9cbb8f9f069f5929944cf747e9f818659b4595230cb163c8968ca8cf17f8923c
96de6141a9c82a882360e47d5c6ef6b807d26fc45113229afea63cbd034e904d
99dff1bb04e77cc8480333fe43c64778817146043d3689245d53804a2a330c77
c4a5b49953db7ea6ecea40fd8b9b274132c9a84837c27220d0305325bbf60236
676da3b2c5c1793c247c03d9af8fef41fb3e3f9a4fd6b3c434ff67a6b13f1a64
24ac352167bf496d5150bda1f38c24dca57caeb06840def6520a116518065c6f
15c30651671f5592ac0a3cef8556530094c9c7216d84aa72a12d915253936e6d
b35e53479e43c1ff6059ea201a35bca80a327cce160c7d56da5ab8f48af6ccab
cf0b19c0ff39058b6e8328ec5495258228feb654e5862636ad088699c7c16dfe
677cb9576c6e6e5b286ae5727a7afdd7518a79530eb44c9f757a1771545e7f3b
9ba785aed200e5be8ddc01cd7490cf77836dd3404e4804a510224f21e3345cbc
4fce0193f8c7fc25d57ea960a5471a3f35dbca44507b8f8d93020fb14ff94df9
c2a4b9ab0fad962a150c940c03cc7ead290afb866cfcb25b86d011e52a3ef7ab
6c114f1e1a6dfe20b000396d704bfc01d56b22817274eefca4fdafce149c0ccc
c0c7ce70fcacde9aaea7daa9cef72361c3c648c766ae65da3b4a480e26d4b339

http://borje.com/wordpress/LqrWxW6S
http://www.meer.com.pk/BNcHza7
http://forestbooks.cn/YanSDST0x
http://www.topcleanservice.ch/32H29R14
http://www.uwrouwdrukwerk.frl/kt9jsOBdj

```
#### SHA256s for Epoch 1 Payload EXEs seen on 11/27/18 ####
```

4ec1ad3c19992f329bc92469697f92b368d76ce48f0dc7a18da25045cdeb1025
ca4a35318e563422d1939d787f94af17e1d24e549cecf7ad20398ea44f64bc07
3dffc6fbd5f063f2fb4ad1c610d900ad92107f4832889b0fa413da470426a15e
b66e79babaa49fa58aae643943e97932206e0999effbc9b2a4b2104c817a543e
67e96fdecc97f540ffa5fa517b7b89af7b29e14865b6d2e9135c7e0309f5db5b
8f96c1607acacaf5d4be55fc2a1eb6017f15fd68799c28d790d8953668df5af2
856fa813ba9c27bfcf89b8c3a985b1896934591926fed2b3f4c2c26270d59422
dec86a68dd42493da4171a8f0e07621e51a5913a7329b1c9cc196d42094f5b32
bf7b5e5a7474700a6dba1a75a8205230e1d1ef9a2ef9133fa1f60c58dfe2fcce
d63a9cd4549922a29815c683def73c2daa1718aaed9c3c6cf9f17bea873051c9
4a1385a61deaac0a6f925609225fd4efc22c1331d41a43481f75f3b915e3025a
534f548ece76907c419b46606a295a0d5fa78d8af8ed223ab29559000ecb22aa
a1accaefee8dafa67459faaee0ee7a9a3275b11fecd91e8ccad7f67da2f80e5d
4f6832098f621b0ff8d5b3076b547691f88fc3bb23bce448e42539fa3acd5bf6
35c588b7186ccbef2daa4e95aa01d3f1ddb924c54b51b0634acfe1eeef88e7e6
1f23cba6c8ec6894979a7cc12966203d6a44363464313f3980616455ab232707
ad7e1c31d063a93f478f67b5e2545db43a3dc0b8b25eff74d2cba367f4c7e7a1
f92a3d85910abfd999e5835cf67e0995520e5ebba55549655de677bae269cf0b
b61235fc4eb69855412160a13b9cff5307527f094e7dd959965bb6bb751ad630
100fc87fbe2ed761c44a558148d19db28ac8a258ab8dcdb73c72091b35d0f249
2a0b41e0efa49625a9922bdb25a1525b271d3c72befcb175e3dffa4b7c0afcf7
9ead6c65681fc08d36019dc3f0564b0125695bfae66457381c708e1485ad53d4

```
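Consuming a list like this by hand does not scale, so here is an added example (my code, not Cryptolaemus's) that parses this paste format: the `####` section headings, the `Creation Time` batches of document SHA256s with the payload URLs that follow each batch, and the flat link and EXE-hash sections. It also folds the `www.` duplicates that recur through the link lists into one hostname set and defangs URLs for sharing in tickets. The embedded input is an abbreviated excerpt of the page above (with the fence lines left out, which the parser skips anyway). One assumption is built in: the document hashes under a `Creation Time` are paired with the payload URLs listed directly beneath them, which is how the list is laid out, not a claim that a specific document fetched a specific URL.

```python
"""Parse a Cryptolaemus-style Emotet IoC paste (the format of the page above)
into structured records. Added example, not code from the original paste or
from Cryptolaemus. The excerpt below is abbreviated from the 11/27/18 list."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Set, Tuple
from urllib.parse import urlsplit

HEADING = re.compile(r"^#{2,4}\s*(.+?)\s*#{2,4}$")
PASTEBIN_NUMBER = re.compile(r"^\d+\.\s+")          # tolerate "  12. http://..." prefixes
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
CREATION = re.compile(r"^Creation Time (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$")


@dataclass
class Batch:
    """One 'Creation Time' block: its document hashes and the payload URLs under it.
    Flat sections (link lists, EXE hashes) become a single Batch with created=None."""
    created: Optional[datetime]
    sha256: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)


def parse_paste(text: str) -> Dict[str, List[Batch]]:
    """Return {section heading: [Batch, ...]} for every '####'/'##' section."""
    sections: Dict[str, List[Batch]] = {}
    section: Optional[str] = None
    batch: Optional[Batch] = None
    for raw in text.splitlines():
        line = PASTEBIN_NUMBER.sub("", raw.strip())
        if not line or set(line) == {"`"}:       # blank or a ``` fence line
            continue
        heading = HEADING.match(line)
        if heading:
            section = heading.group(1)
            sections[section] = []
            batch = None
            continue
        if section is None:
            continue                              # preamble before the first heading
        created = CREATION.match(line)
        if created:
            # The heading states "All Times UTC", so attach that zone explicitly.
            stamp = datetime.strptime(created.group(1), "%Y-%m-%d %H:%M:%S")
            batch = Batch(created=stamp.replace(tzinfo=timezone.utc))
            sections[section].append(batch)
            continue
        is_hash = bool(SHA256_RE.match(line))
        is_url = line.startswith(("http://", "https://"))
        if not (is_hash or is_url):
            continue                              # "SHA256:" labels, notes, credits
        if batch is None:
            batch = Batch(created=None)
            sections[section].append(batch)
        (batch.sha256 if is_hash else batch.urls).append(line)
    return sections


def doc_to_payload_urls(batches: Iterable[Batch]) -> Dict[str, Tuple[str, ...]]:
    """Map each maldoc hash to the payload URLs listed under its Creation Time batch."""
    return {h: tuple(b.urls) for b in batches for h in b.sha256}


def canonical_hosts(urls: Iterable[str]) -> Set[str]:
    """Hostnames with a leading 'www.' folded away (the list carries both forms)."""
    hosts: Set[str] = set()
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        hosts.add(host[4:] if host.startswith("www.") else host)
    return hosts


def defang(url: str) -> str:
    """hxxp://host[.]tld/... form so the URL cannot be clicked by accident."""
    parts = urlsplit(url)
    host = (parts.hostname or "").replace(".", "[.]")
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme.replace('http', 'hxxp')}://{host}{parts.path}{query}"


# Abbreviated excerpt of the 11/27/18 paste; the hashes and URLs are copied
# from the page above, everything else about the list is left out.
SAMPLE_PASTE = """\
## Emotet Malware Document links/IOCs for 11/27/18 as of 11/27/18 23:45 EST ##
#### Epoch 1 Document/Downloader links seen for 11/27/18 ####
http://atox.fr/EN/Clients_Coupons/
http://www.atox.fr/EN/Clients_Coupons/
http://benchover.cn/wp-admin/images/EN/Clients_CM_Coupons/
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
Creation Time 2018-11-27 21:08:00
SHA256:
300fc2b61c49e0a32363aa74464f89d8c5636aa1cbbfa752b1cdec3c0cfeb816
e52c18ac1fd448dffddb696c170222097e65376ce6a7bb54e561f04c9b7c7eab

http://akleigh.com/LmHBvqEv
http://chakreerkhobor.com/zk82JspRS

Creation Time 2018-11-27 17:08:00
SHA256:
6bc8ff6bc2a8bb47e9b714a16fd0bb50e54d0ca9b559aad67593ae22b6312bf4

http://ruslanberlin.com/m2tB9FDNej
#### SHA256s for Epoch 1 Payload EXEs seen on 11/27/18 ####
4ec1ad3c19992f329bc92469697f92b368d76ce48f0dc7a18da25045cdeb1025
"""

if __name__ == "__main__":
    sections = parse_paste(SAMPLE_PASTE)
    links = sections["Epoch 1 Document/Downloader links seen for 11/27/18"][0].urls
    print("blocklist hosts:", sorted(canonical_hosts(links)))
    docs = sections["Epoch 1 Payloads by Document SHA256 - All Times UTC"]
    for sha, urls in doc_to_payload_urls(docs).items():
        print(sha[:16], "->", ", ".join(defang(u) for u in urls))
```

Feeding the whole paste (Pastebin numbering included) to `parse_paste` gives one `Batch` per creation-time block, so the document hashes can go to the mail gateway and endpoint tooling keyed by batch while the payload URLs and folded hostnames go to the proxy, without the `www.` duplicates doubling the blocklist.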
  477. #### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
  478. ```
  479.  
  480. Creation Time 2018-11-27 17:01:00
  481. SHA256:
  482. 42d32d84ee67794599b5cf1fa39864e314df1068a37386bf6e8b03fa5a4309d1
  483. 490f590638bc3abee52350cd9c999940decf7e8a9329a10435856a74727c89cd
  484. 1d6caaedec0eb936a0a0ca2ecccf60a833adf36c632efb5314085189bbda5758
  485. 4fae63fbd304ee9e722e1ae5be2bcd10fab5e89048bb4e9a2a019af668393873
  486. 2b37b5e47da706e053501d97c52f4cf020223a25aa148fc5f6ee9b209cea32a5
  487. c72fd091e8a1d736c019d67277f221e67c198a4975cb38fa42e11ed8f363c677
  488. 5e1a10e89feee4d0acae4d84bf56fa4dca4b08fb990be542f5e1a1b148992e0a
  489. 2842fec235767549d1df2c3e0c716f8a6371e222387031a609b947ab701d7ed4
  490. d9c70e24df190f78ad02138c6ec144f6b19dd88513faa740d74f9e9bee62251a
  491. 83b514488902700acd567af94312d743cee6c69630c780e5b735e5e5a80162ac
  492. 86cebf5db4489a7aac05eea5b2f299a4319405510f1006bd54c79a66e187b169
  493. b3f648cfa4736a5e273a8b11f322cf7f17fcd90421179cd07e40f4f334a1747a
  494. b2f5a37d4ea9638e1ad645d7a0a0936f383131a62ed76ea8fafbcaeea1c574da
  495. 25a0e684e7007a063c606dbb52dfc87e2243f4959fb7f96770b9b529e3902dce
  496. 13bf6e3f85e2457d15440ba3e739666f02cec124a43c292e2ac24d2cbe8c62df
  497. 86ed14cfabe23cfb9e160108e174ebc0107bbdfddc02ef46ac3739cc9b7c1e7f

Creation Time 2018-11-27 14:49:00
SHA256:

Creation Time 2018-11-27 11:59:00
SHA256:

Creation Time 2018-11-27 06:47:00
SHA256:

Creation Time 2018-11-26 19:43:00
SHA256:

```
#### SHA256s for Epoch 2 Payload EXEs seen on 11/27/18 ####
```

```
#### Epoch 1 C2s ####
```
(Port is 80 unless noted)


```
#### Spam/Stealer C2s ####
```

Pending

```
#### Epoch 2 C2s ####
```
(Port is 80 unless noted)


```
#### Epoch 2 - Spam/Stealer C2s ####
```

pending

```
#### Credits and Notes Section ####
```
Updated 7/13/18
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture: https://pastebin.com/u/jroosen

NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list. I am providing them for your benefit in case you want to parse them to be sure.

UPDATED (08/31/18): Epoch 1 is back! For several days in a row it has been on the scene!

What is Epoch 1 and Epoch 2?
Epoch 1 and 2 are two distinct chains of payloads that I have been tracking for a couple of weeks now. Epoch 2 is currently the larger group of hosts and I think it is the main push of Emotet. Epoch 2 WAS a smaller, more rapidly changing version of Emotet that tended to change the hash of the document every 45-60 minutes and sometimes had new payloads that fast also. Epoch 1 seems to change payloads every 3-6 hours now, and hashes sometimes change as fast as every 1 hour. Epoch 1 may now be the development chain, but I am not 100% sure what they are up to. Checking either epoch host at a point in time will deliver a document that has payloads that are different from the other epoch's. That means epoch 1 may have payloads a, b, c, d, e and epoch 2 will then have z, y, x, w, v. Sites sometimes move from one epoch to the other, but I have never seen the same exact directory go from one epoch to the other. It is always a new directory for the change in epoch as far as I have seen.

```
#### Community Lists ####
```

https://pastebin.com/xw1gq9ZA - @James_inthe_box
https://pastebin.com/qxkk4Zq2 - @pollo290987
https://pastebin.com/wPU4jPGE - @pollo290987
https://pastebin.com/rXmekHZt - @ps66uk
https://pastebin.com/j5VRFNHn - @executemalware

```
#### Credits ####
```
(OC and combination work)
Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, @0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2
C2 info - @unixronin, @MalwareTechBlog, @ps66uk, @Techhelplistcom, @pollo290987, @malware_traffic, @0xtadavie, @devnullnoop
Payloads - @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz, @pollo290987, @malware_traffic, @Bitterman59, @devnullnoop, @executemalware, @Bauldini
Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop

Special thanks to @2sec4u, @unixronin, @pollo290987/@ps66uk for creating scripts/servers/infrastructure and helping out with all of this!

Very special thanks to @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch and @Virustotal!

```
#### Daily Log ####
```

The old orange and white background template is back as of about midday. So long, blue and white tired junk. I am also seeing a lot of domains being used that begin with the letters A and B on Epoch 1. Also, they are still using CyberMonday as the ruse on Epoch 1. Dear Vladivostok, breaking news: that was yesterday and CyberMonday is over. :) Epoch 1 was also primarily distributed by links still. Epoch 2 is still focusing on banks and German-speaking users via attachments, with a few links here and there. Coincidentally, both botnets had about 130 new URLs today for doc downloads and a consistent update period for quintets of payloads.

Till tomorrow.

```
#### Sandbox 11/27/18 ####
(all with fakenet and MITM unless spam/secondary infection)
```
Epoch 1 C2 run at 23:30 https://app.any.run/tasks/d0c61c24-803b-4dd2-bd86-04e17451de96
```

```
Epoch 2 C2 run at 23:38 https://app.any.run/tasks/9ffb4f26-4b76-4b32-98de-3533c1034c11
```