jroosen

Emotet Malware RSA Key/Naming Change 2019/11/07

Nov 7th, 2019
#Emotet Malware RSA Key Change 2019/11/07 - Updated 1530 EST:

RSA keys changed on all 3 botnets at approximately 1930 UTC.
e1:
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOmlscqbEIhLjVsj9r3eYacKi6C+Qrua
j5TlU+pn3zc0k06qCoahFXBBGnYMotHQc6OwfBKwHWm831LIVg29kEjT8UYxnN5v
fzNGgqXTe25QARf78CsQqqN/ImKdXo+GFwIDAQAB
-----END PUBLIC KEY-----
e2:
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKl4M80uy0jcxUiFIaJJyxgHVVnFtCq6
bi6f2xXPh/XUZNyN8UXDe5HzhTc4kwon9MBZffNwFOIc61QfV3K3YzEI/ktcyNqK
LS67ONxsVep769QdiVQJXrIaFjMXKz6viwIDAQAB
-----END PUBLIC KEY-----
e3:
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMqZMACZDzcRXuSnj2OI8LeIYKrbUIXL
faUgIJPwYd305HnaBS2AfA0R+oPxT32r+3BbayI3KguqAn3E+rbwtLhqhOXOlTnY
7yvG4ufmwCCkRzc6Sq8baToxmd6y523AIQIDAQAB
-----END PUBLIC KEY-----

At this time we noticed the EXE naming convention changed too. The new names will be 2 of any of the following list of words:
"FileNames": "delete,band,ipsm,sspi,div,rdp,whole,dir,privacy,make,watched,pano,which,goto,wnd,rep,ceip,date,render,bag,vsc,vsa,mouse,counter,tech,wheel,ranker,iterate,store,sum,package,timeout,idebug,junos,site,trc,url,coffee,poller,remote,gapa,changes,duck,ppl,tlogcm,tlb,cube,hexa,vol,paint,star,nav,grp,avatar,center,cipher,brm,resize,markup,pausea,loan,emboss,vsperf,teal"
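
A triage check for the naming convention described above, added here as an example and not part of the original paste: it flags process image names built from two words of the list. It assumes the two words are joined with no separator and the file keeps an .exe extension, which the paste does not state; the function names and sample paths are constructed for illustration.

```python
import ntpath

# Word list copied from the "FileNames" entry in the paste above.
WORDS = frozenset(
    "delete,band,ipsm,sspi,div,rdp,whole,dir,privacy,make,watched,pano,which,goto,wnd,rep,ceip,date,render,bag,vsc,vsa,mouse,counter,tech,wheel,ranker,iterate,store,sum,package,timeout,idebug,junos,site,trc,url,coffee,poller,remote,gapa,changes,duck,ppl,tlogcm,tlb,cube,hexa,vol,paint,star,nav,grp,avatar,center,cipher,brm,resize,markup,pausea,loan,emboss,vsperf,teal".split(",")
)


def split_pair(stem):
    """Return every (first, second) split of stem where both halves are list words."""
    stem = stem.lower()
    return [(stem[:i], stem[i:]) for i in range(1, len(stem))
            if stem[:i] in WORDS and stem[i:] in WORDS]


def matches_convention(path):
    """True if the basename looks like <word><word>.exe built from the list.

    Assumption (not stated in the paste): no separator between the words,
    and an .exe extension. Matching is case-insensitive.
    """
    name = ntpath.basename(path)          # handles Windows paths on any OS
    stem, ext = ntpath.splitext(name)
    return ext.lower() == ".exe" and bool(split_pair(stem))


def triage(paths):
    """Return the subset of paths whose image name fits the convention."""
    return [p for p in paths if matches_convention(p)]


# Constructed sample of process image paths (not real telemetry).
SAMPLE = [
    r"C:\Users\alice\AppData\Local\bagwheel\bagwheel.exe",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\bob\AppData\Local\Temp\VSPERFTLB.EXE",
    r"C:\Program Files\App\mouse.exe",        # single list word only
    r"C:\Users\carol\Downloads\datestore.dll",  # two words, wrong extension
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print("review:", hit)
```

A hit is a triage lead rather than a verdict: the list is made of common words, so legitimate software can match by coincidence.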