jroosen

Emotet Malware IoCs 2019/05/01

May 1st, 2019
## Emotet Malware Document links/IOCs for 05/01/19 as of 05/02/19 00:45 EDT ##
*Notes and Credits now at the bottom* Follow us on Twitter @cryptolaemus1 for more updates.

#### Epoch 1 Document/Downloader links seen for 05/01/19 ####

#### Epoch 2 Document/Downloader links seen for 05/01/19 ####

#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time 2019-05-01 20:15 (From ZIP - JS Based - Fake Error)
SHA256:

Creation Time 2019-05-01 18:00 (From ZIP - JS Based - Fake Error)
SHA256:

Creation Time 2019-05-01 12:11:00 (From ZIP or Direct - DOC Based - ENG - 365 Blue Box)
SHA256:

Creation Time 2019-05-01 11:10 (From ZIP - JS Based - Fake Error)
SHA256:

Creation Time 2019-05-01 09:40 (From ZIP - JS Based - Fake Error)
SHA256:

Creation Time 2019-05-01 08:35 (From ZIP - JS Based - Fake Error)
SHA256:

Creation Time 2019-04-30 21:50 (From ZIP - JS Based - Fake Error)
SHA256:
```

#### SHA256s for Epoch 1 Payload EXEs seen on 05/01/19 ####
  544. #### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
  545. ```
  546.  
  547. Creation Time 2019-05-01 17:22:00 (DOC Based - ENG - 365 Blue Box)
  548. SHA256:
  549. 17f4ae8fba484e7fb87c16216ece4622556d70db4d807d8b0a4ac207eba7d015
  550. 1f7f4adf00079e629d57f4d60246bad091aaf746a26386323e414d5dfe9cf126
  551. 57f935a706180e4e617c73331cd0a57f8ae1fcaf0537e0fd11294aa0e20e0feb
  552. 8849cbdb89ef44865f23e8745eee176d529ca564c20c66da99aa5c04db555ec3
  553. d450310c315301ebd8307408f8a534d6fd108c8649bdf0557d2c375fd7feeac5
  554. e67b66b18eae119a39f810d45ea3987486699e4d7b83f2a43150fb4a865870e2
  555. 8c2940f2a0b9eeb17e9bbbb8c465085982bc20dbe2fd980c532eb87ca96f2090
  556. e5bdce92d2075dbb2d3f7601032665a77672b238c34b72edc5af8dbc0ecd7912
  557. e39ace0837155e85d59f5059bfe202ba3de02a88c848a6067c9965cadb79c5ae
  558. d0cfa6322bfd78d66cbe8513075fb57b181eb60560ed6558c707d38110fc9c95
  559. 22b56c3fff64cc6ccc21bcd5ac8a4ce68a75b19d7586475acbb445a45144e401
  560. 677e0cc93380965dc2a1f323cf07e84848fcd41950daf4158e244113536896ac
  561. a2fcae9f16ba8a88c03ba2fa986fa6f148dbaeac41f94546467a81b9846ae9df
  562. 4208aa9b2a8e40195be3444efc9bc9cd2accf732b249c921025207feb62a0970
  563. f65dddc5f054d91554fe20e60a06c22d0a8a6cdd6555ba5c7098e06150c66ec7
  564. 6a817c04b3ec3fb6f85801ecf4999db95505445ecbc8f741cf2985972f2d6f75
  565. 07ad82ee6f552024b89e9569759078672295762694af017f35f64bb7284b93c3
  567. 895e4424f07b9de1284d596c17b8e10dac11fade371885fb4e8d9c73bd2721ce
  568. 314285230457396f78090f46f2faeff452e0f80e97f1b8fcc3371298cad19557
  569. 438757f58f956c0bf3c4d88c3270f25c6bef6cc6c7599d01e2050871e1c7cced
  570. b4acd9d62915cecb1ba384e9ef86b7b9b26f38f0c0ee405ba3b4a396b44b56a9
  571. bb393d58b6809fff86d32f6a6b5f3af0de4ecdc371a6454ecd9fd2e47f55e59b
  572. af6b2d8591fc986c0fcb199d2526efc8e0089ace577fdbb925a7334ba5eab4ca
  573. c0d56c06f445e3284464894bb9855dac7036a7f5e0da7183ad31c6d0c2477db2
  574. 1f4a46bf19d090bee1282d5920e1ce502620c0a50cb4d5165d735d5b52e4a79e
  575. 51d6fab6ccf8fb3460ce156af02cfcbaf6098f74d37e5d323a3d9e2c07e4b8f4
  576. e12f25d5aacd3c073171d6f5613fcca942c7cf9cec4cedbed74acb9dbee513de
  577. f28f62f33ff6ea0d8d9708e54142e83603afe0bcdcf1206bca2f2dfa00e05b0c
  578. 8e56b9601576954a6830441430cdbf339831df28e8b6a4c29fa76471d83594ce
  579. fdafca6a40ef4527b1dae33e85b89efa3d854bf937e4cefe026518f191309470
  581. 899845fe4fe39f97c37bde716b7ba0b19169ea817e93cfae5d7e3cdeed7fc639
  582. 811f6ec9cc7105d1b81e5352a0b9f90df420a293afc43ba91507952e7cb49f72
  583. 571210656adbfe8cde574bb15f96232169cdfb487f4597ce1a4532c7a0258f46
  584. 64b75110604d920b41da5dedf56cabebac63da64a209a35cb664ba69764fb8a8
  585. f0f7cfb434c2a3922d011186c1bfeeebf9cf5444b33cf90104ae09407bb65e06
  586. f9aa8059e3a7418a2e686036ca8198cde4ba026f1d0b05ba2a32774825fb71a8
  587. 72f28f83d17f71068693f8f34ea40d09dc75d111635427f1b58fa9d4cad29558
  588. 404f20fabcaf9c4c086a38eb1cb139e49e2e08d6249ef41b88d7eb2c0e628bbc
  589. 394d047267664ca7feaa87df65b83ef559a4a97d7660e855fd84ad39ca15c17f
  590. f485bbf5f58215b48cf1d3435a75007749edb2a502238899c462b7f8b47c410e
  591. 3b338a2b75997eba6f9666aaea6f422da3e38754657f4be7f7e0e9967c479a63
  592. fa4963b59046a924250a2c0d7599ae98fec4d4d0ba1cdf8de575a7438c570563
  593. 897c6162e1f5089706797ca8cc5e75026d5bbc7707bac7271767e378815e514a
  594. 9af59ed0cd1f739a62f9e8f478b2d237913d0949d9ca7b0202a8d22115323f94
  595. 9c51bcdb82373007744c0dd18a11c06decaa000f48880f23f1bf9a335e5af053
  596. 60fef10a83e873748b44cf932f3e0fa0a0d891f414e591696daeefc00f0d01c9
  597. fef5c94f160ac594834251f184900922b8b802d3b8460c3dd75f74e895e7fee9
  598. fd0666be8043c1d58b39868e5236856bd32f80fdeb994081e9a1c59974fe101b
  599. dc49d2d7421719050d62368d665c84629bb08d6874ade0bb8940f133b619d9ae
  600. 854cdddb19feff91dc4b4fba1ec91452c996a460cd5bd9ea2ff6e88f8c20f66c
  601.  
  602. http://depobusa.com/foamorder/tObUfzBc/
  603. https://www.plvan.com/wp-content/vPTKWuAOUoglbXLQxJufgAVZbW/
  604. http://hsb.pw/e5t9/zbqlHAhTtRZd/
  605. http://mestand.com/wp-content/akMmnMBbAPswO/
  606. http://jobstud.ru/wp-includes/QIUEwMypGbuDbhAaEimcRofGNckbVn/
  607.  
  608. Creation Time 2019-05-01 12:06:00 (DOC Based - ENG - 365 Blue Box)
  609. SHA256:
  610. 3f832fc27ebcc0391c302aedbc3f8d3dfe7473679d5d9aa0176f9623d4306d68
  611. 910b14995ebda512edc5a456f5734c520e941fe385519c5683586a237e455321
  612. 930cace84e8704d5385df2db7557c7d3b2a183de3ffad0d3a51291745b4f9f39
  613. 2ade167cc02b318750feb789c0476581e4f2e0864c3a51fd65bd74c25534a74e
  614. 3f90bc319f969145e499fa90a32a81f0fed988320b255b0febc18befca735484
  615. bf1f3da22c4f30cc57b35533a010fccdb5e77ea6e8f4a5179004feeecbb55e57
  616. 1a6641086b78035d6c9ba38c7199aac02d37dafbadf96059a81b6f4c35e49f84
  617. 7416ebc5373fd8a3ec9ece1dff46c15699738491d703b47f20ae4de8c59bcef0
  618. e8c5d544a7c4f929fc3c3422dc0dfd03d2e3ab6ff8e4153f5ea104d35d1b82ce
  619. da7420285c3586a66c0bf6aaf85c928149799cbf9392ce8e0d1aaad2edf438ee
  620. ed12cccf232d6e24b35f114e6c8c3e2fa856a5bcc7ea2c64cd17774aedb83f7b
  621. 68e686c3f2b87d3169766ffe4bba021a8acd7648ca38c6c75be829a864558ecb
  622. 61e933a06b4a2af4239c378c84211b2ff1baab4effe6b5bf044ac4f2d3371c32
  623. 224d99639dbb488494e23f7fd8a60c75630ffc694a3114a6d4f596da2062fbe0
  624. 908ea859520fb4206c9b71577394d447dcb9794d42c86c98df0f0b8fa94f8547
  625. 42981d37b50801d5cdc23d5d9f0a1e0e20f3787e24c4d20f606d2250ce5bf804
  626. 49b5e70a242f984eadee49435aac4371ca3cb65b02b2f6fbcbfcbfbd9d985782
  627. 58c44d575aa6041c0d0e87372288f96804c1fa141ee903a67f668e73cb690dec
  628. 8622f027a26a79a5d3b23c82121b573150d9e10d2b2c7a0a0270df1e2e807cb4
  629. db1c99298b5e34e6f10a5e054febbbbb8ebf940b4cacdcd1b1f4bf542d7da41d
  630. 6f926261cf70832a6f3332c727eb674da29212109a968a25cab4cb92fced7694
  631.  
  632. https://protemin.com/wp-includes/Zx_S/
  633. https://moda-blog.com/wp-includes/PZ_BY/
  634. http://chenrenxu.com/wp-content/KH_z/
  635. http://globalent.pk/cgi-bin/5_ml/
  636. http://eismv.org/wp-content/2_A/
  637.  
  638.  
  639. Creation Time 2019-05-01 09:35 (From ZIP - JS Based - Fake Error)
  640. SHA256:
  641. 0920828ff5b7ceb1d38a80e3f89e8d5a3cce36bfec0d134df331abcd5acccd38
  642.  
  643. https://hatmem.com/wp-content/v_6h/
  644. http://icv.edu.au/wp-includes/RH_Xw/
  645. http://driveless.pt/wp-content/PB_D/
  646. http://egd.jp/wp-admin/e_H/
  647. http://gynet.com.ng/wp-content/Ch_BG/
  648.  
  649. Creation Time 2019-04-30 19:05 (From ZIP - JS Based - Fake Error)
  650. SHA256:
  651. ebd4f543086e069e533320c4c4793117a0684cc46315c929067483a56c8fc478
  652.  
  653. http://sanko1.co.jp/lp/cJ_du/
  654. http://sftereza.ro/administrator/Z_K/
  655. http://shot.co.kr/yupdduk717/g_3/
  656. http://shawktech.com/shawktech.com/p_Wz/
  657. http://nobibiusa.com/yxbd/Op_u/
  658.  
  659. ```
  660. #### SHA256s for Epoch 2 Payload EXEs seen on 05/01/19 ####
  661. ```
  662.  
  663. b2ee80cb05e8f2eeeeb74c34e2ec8f890280ec2c990ccf4eb7df93f078986be6
  664. cc7f943b05fa5d7d63caa25e9f7b4bd883d1f43759e5d085269d1c0b3e9f9969
  665. 1d693a22cc447fd8714588c01364959a21a5c587a5e2276ea583fdadf3e429c3
  666. 7629bd60ebf2d6c60e861c463c1eca3e4a3d9e719934010ea560028b304c47f9
  667. bb02369d86e4a2bce443593034a8b6a19ee3b6e8922dbadfb7cef932ccaa477e
  668. 5f821d407f467b41cb684f2c6c20720bccd018df9e2ade2bb28f7807604eb56d
  669. 1f6f2e26941bb8ff267e6cc416897e0a82e0ca51f7309fc1c270804affe7a184
  670. 70ceba71b954e7ff05486128f6c30cdc80d3bd5d0c2ce45b1e84e864058d445e
  671. 7b639b186ad249f6b15128cf690a03de01a5433a47a9b64741a34f91b41e69bc
  672. a4b95d1dc696609c60762117f6085c8e243d1df8c9c78288cb0243647b1c078b
  673. aa7d2395211f278a1c226f1065984709ccb59dcb8c52001ee48c5fb10a7487c5
  674. 3411468ee9eb35659adededab22c3326b1dd2b2b8f5e94ec15ac70c8ebafeac3
  675. badb29a24f2914acb6472775407ef2fd23ff8939b82d5f9461c48bd4a5cece96
  676. 3b30615e85c2da16535d622a1ec5b0d5ccd15b728337f12ab57a0515110396b4
  677. 150fdb67ea0e24a30555dde8040d7e649dc965a808e01c05761e79b0b50e1014
  678. b8ade66da207a86ec77cb5496f1b907d3efbe6ecca45eedc3f0a797336abe232
  679. 1fa3bf29fb4aa0ca4bafb0325bee60b916102e1dc41e8bbaad80b675d3ec546c
  680. 48c90a4b61691d91824d9a0b977e05feebb1e2c1ace4dbb53ed63475aeec34d0
  681. dc35e88bd93d9a45023ffdd08fe3b867db5a93088a857b155807c5849840f546
  682. a1e4576d8cfbafcf57aadec3c18b743b93df793fab989c13b159a5038f540f27
  683. 26d0b40e801745d4259f418ffcf1b07b80e1c25c3a85bb71b6602751076e1e4d
  684. 3e3f3da7ec1f70fa97caa86d56d1351cc1cfcfdb2ba75c68bf407a78e562462a
  685. 9aadce4f7de8584e42dad1058d8306c497fa997e7b33aecb738e193289c8983b
  686. 6624a70b16431f046db28a1f6092a89d4e510e9da6593da0b0ebdda57f72e6ab
  687. 1274fa7ec04ee16c4bae87828023b8b2aa26973371eeb7987e0dd1d82fe76faf
  688. 323967a0466216ba81afa736ebb34173f3d2a24e91e4d6d28a3cd53e234c21de
  689. 69ee6439a04af4c494d9c99dc5b0cc3b964e9af74f3211d4c3dd8272cc14162a
  690. 3d568c3db59c550db254d8780683acef2c1e0c5a8782f9f4c76215133bdc52dc
  691. 2e7eae369116761735414a466e45c1a2b255795e14c098fedeef2db04489c0cc
  692. 66252a0e2a416307c52eef926fd72627e2d627138be6656f6115e58dd145f062
  693. b9456e9046c5e008ea7394c7f8634fb38285a9a141775751f06adaa39b9f017e
  694. 3a8cc2406b25d9a14ca521a891fd6137a477c2ed72fcbcbae429b680965804cf
  695. b1a0043b475e725178ba4018775e793e1f45e079cf6cb6f22737cfe7fdcb0bb6
  696. 901085cc0ff46482fa0bf3df88dc4651391ea7b3daf301cb0b45048c637ac699
  697. 37d722e738120fc26676f78098e85e4436523eeb26ba6e166bb176d2947aafc7
  698. 55ef9ddff5ee938594dcd2f78498e9caa58c6fd7edd5087e81f7f80453f12fbf
  699. c54f985f6eeb405e038dd4c3d161b256f0209a9f63d7d83f14835363d5389838
  700. 474fd0ef330a98329ab5a77c454cd36e23ac1489feb59c7d1187c4fa5ad91d2f
  701. d150a9165a4b511f6b4b828f2a8c5cb1f3481740c8e25e8289ba9b117a0b225a
  702. 5f8a7c44a80bafbdebde42b34d51c2ce6aa2073ac2c55dfc92e559087695f18d
  703. 561b430a0e6fbecbf5a5ebdd9f955c10121312b702e92651d8c82f14e5c52017
  704. 94971eb9924fc4158e66d4a6ab16d190264a3ff45fdcad0f7694cc0cf6e30d22
  705. 939d1079b5e68046bc483b73ea2b607f183c356f1c4f8c0e97bc067678e656af
  706. 75a7f7dd8e45cb44abc7096d277f073b4652aeaf88c0aa6353b398195f3b0d8f
  707. 927e453cbdc34a64bb6ac5b2e307939883898cda0d08a5a2a618b61659a55e76
  708. 4c7ce5aa5ba12b2b6b8a2f0596657100170b4348b16a864ad300ec90f7f74349
  709. 34622e45aa0d4bc678df1429b180653c51e163de483064b15e5971b5aea8baba
  710. d53f72785f645c5029e8c9289fb4d6db549662ff2b9ea324a4b4004b7fca3f57
  711. 3e8d02c59d81342d13f69b0e0ae1e0972e49e3ae2f5fcd7c920f185db5b20a91
  712. adefe56cdbb830f3c1505cd6546fc59fdb285175d0a50dc8c742bb3924d1f27a
  713. c933e6a30d5951cb5943b5f2996f441bccdfacc4fd4a035b92a99b8202e1fc01
  714. dcec41043e9866580ae5d29a1ae7a992a29a8b06d6f552a414478d53007ebd6c
  715. 5005e73af04f7d1619f11ddc2b5657b20e6533a60f62df30256698b2b0b21c1a
  716. 04f7dabc8a78426db8b15ec93878bf1e1cf0bc5b25e00f06a64a08031d3a86fc
  717. e998cbbc21badc970c1c530e1841a2ba384dc59689b9abfff2ea033be99fae30
  718. 8b90a4fc2facead1c71323f5addce373cbb043985bdae943db55a330532f452c
  719. 3904137e130dee1e240244f78ce56df08194dd1c7c5384f4965897bad48a664d
  720. 87005ace32816cc97648700aff06385ce4eb7213e1524b5277243818786cdb4c
  721. bfd18dc8c489813c1d65485a5bced0eb03334d4e284dd01c7a06fb4c8b7c338d
  722. 8417fad607151b0c6899555076bef64a086ff93dffb0a2a5a85ecb9579740df0
  723. 73b68bbf952e6e281bc7798abccc508f01377dfb6c88356c771485c0b50d41d7
  724. 01a26c224df94b3d9cdcb4683c8ba6fead0ff47de748c6eb63fc14cb03744ad3
  725. 4e4d1b08a75e20afb13470b6db6149caa2bf617a7694645ff11f16aeaab19528
  726. d715092d0768706bbdf4e99cfe2c43fc50892ad0bca0bab3380a6843f29db959
  727. a038940c725ae65c713d61f36f9e939b2d407d0fa46d7f85e77003770a280263
  728. de2d9a0f156a070b9fa0c5b87166d936e2bcdb483bc8e289a1a3436218741a78
  729. d9532f0d8bbf03d6789cad84c7568d25066a6fedf3475df807b7539a098ba0ac
  730. 77218a0c66a00ab033d89060de3605b0fa309f01ed7038980494a249eb0b886f
  731. c46dbecadb62cdd7a3df99b4b77d1cde501cd074f09b9740e8752ad847296973
  732. 687f28d8fa2f0058f4e87f260a06ef84e983bca27efd12dd660dd3fcbf599eed
  733. cd1e9f21a53ca7eeacfd875aede685a78d4d0450cccad0bd85bfb7eb12a80a9f
  734. f1bb57ae0b13ad85dae1477415447ccc702e59fa8caa16be7e4a9dfa1476c68c
  735. 8fed4e6662af05d39b16376999c8f5f2c2bc802f2699e8a197adc89c64b6abe6
  736. cc343a4245c9d5c7bc8248a88ab529a2c6246bbc38a8f1d0c3c9c1e10dc14045
  737. 65db1126d8cadd61bb4b0e04a4d4b301781d3edf0d9df4283b6509507bb72ba9
  738. 793e5cca2f9bb94fd534b36b888d98659a8ec9237ba97536041e91ccc81cea52
  739. eb9a92a030262e20aa1ccdac98d01dd8a9c7a2cf570073e00d24e120d9d037ea
  740. b603a86b754527ed24c4618e9fc9459e42cc5ced95bad7b68d782e508477dcfb
  741. 7be28da7fa028d13c25b021a3276f3b27df00c856163f3656ae735f502543d7d
  742. 05a5a79ff1829ab1f06b328092f0ddc00463489f4773c2eacaca8b11e82f5d17
  743. b6c00ef0ff0574d348f8d819511c134057f7689c769e0868bf154a4510f12817
  744. 7d8b2427a737cd1a3c1b9489684bead8902b72f3a1fe614ce273a81b4fab7045
  745. a9b0aa162825c49747dd10f44e3acfa17e291b07621e3bfd85b37c448e426f2c
  746. ca4bddf038eb1f05e9ea9785260d344303408cdd33aa7b9ef69de1042aba8804
  747. beff581a3dcf2d2abbc92a9131251507036fc017dfdf3bc5d74b0f8b9e96570e
  748. 51e7fdc595507e24b9d0c460f5b6fab2f2ba6675db98d3bdecfe01ecc50a8e19
  749. 6482e697724413b307182474059c35354edb372f85939a4ae71b0b2c5e29147e
  750. 83cb93d45e6a690aa0ba8cfe27d269f3190e037d768686467b5cbde3c4e0654d
  751. 4dcfcd5e3f0da01f669dce29cd6e417703d939a55a5a14effc5f3302c78c2561
  752. a2af79374daca830e984ea59c1bf644e9c69708d7df839cb9103cfb6d15f7e1b
  753. 5a7d4f723baf896f9a517941554e08851ace8ded68c3677ab067ecc1d0caabbf
  754. fa0f2cfdecef9296c42861b4cba847147ff64b798b68beddc06d54e4567be1a2
  755. 043191a6bf7cfa30f330531426223cd83418c2a05bf16258d81e5d61db2427a0
  756. 04648a2348ba6ad6349572cf36bb5ee498a36e6c2fe5bcabc83dac8ec26c99a3
  757. 1870b386fc5b7bf2b89f407325806c9ededa3285aaf50bee1e17043577d780a3
  758. 697532eef1d5f157a16efcc5be206043919f3844c17c5f8d3a9ff990c6f153df
  759. 96594444dbada56b286e03448f33dede63bc5bedfa44221a45da811195e36fae
  760. e61b92dca757c1a8ddc2e585a236f8f0242fd1878f552fea59a8a2f1bec1df56
  761. 356a994530076924eda30e72ec8f2920dbd3789af889f4ade17cfc0f9bcd3e64
  762. 0d7b524b68de328b71bd4aaf264e7aa8758979fc4441f869bfbe0a600a100adb
  763. 7afb16e3da243d7f4343118d12ea0dec00ff6d9223462cbf464f36e34febd80b
  764. de107ca5e1e4d91ad2ef67ebabb6cb90564aa87727b99daf3d2ea8f5fa73d50c
  765. de41699ed2764b9ebcd051b8a47e433cf246af9103541a88ac2bbe704e1a8352
  766. ce9ac3c35886bc7fb2a10e66b5774796ccfbc9189b6c7b5b95c46c78d1af2eeb
  767. a6ccfff49a934bc1046e5e1ba7effb53abcfc355a67b78f76486d5b14d4a5df9
  768. 74bd4f139de8ca014c29d61380e6fcdc9949946fc97881a3812807c933476383
  769. 65ce9c180eeb4250f8d9b31fbc5920e41293885c4685e7b5b2fc156843daa4a4
  770. ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7
  771. 39339326e9dfdf25361dee2e855aaf59fb05924b77cdbacddbf054c9fa913974
  772. a1874895c2052945922bfc9a9adb17290046e03dbb47c2d5e10b9a59c0d58fe3
  773.  
  774.  
  775. ```
  776. #### Epoch 1 C2s ####
  777. ```
  778.  
  779. 103.201.150.209:80
  780. 103.213.212.42:443
  781. 107.159.94.183:8080
  782. 109.104.79.48:8080
  783. 109.73.52.242:8080
  784. 115.132.227.247:443
  785. 139.59.19.157:80
  786. 144.76.117.247:8080
  787. 159.69.211.211:8080
  788. 165.227.213.173:8080
  789. 175.107.200.27:443
  790. 176.58.93.123:8080
  791. 181.142.29.90:80
  792. 181.199.151.19:80
  793. 181.29.101.13:80
  794. 181.30.126.66:80
  795. 181.37.126.2:80
  796. 185.86.148.222:8080
  797. 185.94.252.249:443
  798. 185.94.252.27:443
  799. 186.139.160.193:8080
  800. 186.71.54.77:20
  801. 187.188.166.192:80
  802. 189.196.140.187:80
  803. 189.205.185.71:465
  804. 189.213.208.168:21
  805. 190.117.206.153:443
  806. 190.147.116.32:21
  807. 190.171.230.41:80
  808. 190.180.52.146:20
  809. 190.85.206.228:80
  810. 192.155.90.90:7080
  811. 192.163.199.254:8080
  812. 196.6.112.70:443
  813. 200.107.105.16:465
  814. 200.114.142.40:8080
  815. 200.28.131.215:443
  816. 200.45.57.96:143
  817. 200.58.171.51:80
  818. 201.203.99.129:8080
  819. 210.2.86.72:8080
  820. 213.172.88.13:80
  821. 219.94.254.93:8080
  822. 222.104.222.145:443
  823. 23.254.203.51:8080
  824. 24.150.44.53:80
  825. 37.59.1.74:8080
  826. 43.229.62.186:8080
  827. 45.33.35.103:8080
  828. 5.9.128.163:8080
  829. 51.255.50.164:8080
  830. 62.75.143.100:7080
  831. 66.209.69.165:443
  832. 66.228.45.129:8080
  833. 69.163.33.82:8080
  834. 72.47.248.48:8080
  835. 77.82.85.35:8080
  836. 81.3.6.78:7080
  837. 82.226.163.9:80
  838. 85.132.96.242:80
  839. 91.205.215.57:7080
  840.  
  841.  
  842. ```
  843. #### Epoch 1 - Spam/Stealer C2s ####
  844. ```
  845.  
  846. 31.172.86.183:8080
  847. 104.236.185.25:8080
  848. 50.116.63.9:7080
  849.  
  850. ```
  851. #### Current Epoch 1 RSA Public Key ####
  852. ```
  853.  
  854.  
  855. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJWcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
  856.  
  857. ```
  858. #### Epoch 2 C2s ####
  859. ```
  860.  
  861. 103.255.150.84:80
  862. 103.53.44.20:80
  863. 109.194.50.231:80
  864. 119.15.153.237:80
  865. 119.155.153.14:21
  866. 119.93.243.2:50000
  867. 124.123.42.93:80
  868. 133.242.156.30:7080
  869. 136.243.117.85:8080
  870. 138.201.140.110:8080
  871. 144.202.9.18:8080
  872. 147.135.210.39:8080
  873. 149.167.86.174:990
  874. 149.255.56.242:8080
  875. 162.243.125.212:8080
  876. 167.114.210.191:8080
  877. 173.255.196.209:8080
  878. 174.93.130.148:8443
  879. 175.100.138.82:22
  880. 176.63.173.71:995
  881. 177.230.108.144:22
  882. 177.242.214.30:80
  883. 178.152.78.149:20
  884. 178.62.37.188:443
  885. 178.79.161.166:443
  886. 179.14.2.75:21
  887. 180.150.87.75:22
  888. 181.39.51.243:993
  889. 182.176.132.213:8090
  890. 182.188.47.206:990
  891. 183.82.110.170:53
  892. 186.4.234.27:443
  893. 186.85.38.31:443
  894. 187.189.195.208:8443
  895. 189.134.78.42:50000
  896. 190.112.228.47:443
  897. 190.193.18.37:20
  898. 2.50.4.159:443
  899. 2.50.52.255:20
  900. 201.220.152.101:80
  901. 208.78.100.202:8080
  902. 211.63.71.72:8080
  903. 212.22.215.140:80
  904. 213.14.166.152:990
  905. 216.98.148.156:8080
  906. 217.13.106.160:7080
  907. 217.199.175.217:8080
  908. 37.211.38.50:80
  909. 41.169.20.147:143
  910. 41.220.119.246:80
  911. 45.123.3.54:443
  912. 45.33.49.124:443
  913. 5.230.147.179:8080
  914. 50.31.0.160:8080
  915. 50.99.132.7:465
  916. 58.65.211.99:50000
  917. 58.9.168.7:990
  918. 59.103.164.174:80
  919. 62.75.187.192:8080
  920. 64.13.225.150:8080
  921. 67.205.149.117:8080
  922. 69.198.17.7:8080
  923. 69.45.19.145:8080
  924. 69.45.19.252:8080
  925. 75.177.169.225:80
  926. 77.56.253.112:80
  927. 78.100.187.118:80
  928. 78.186.5.109:443
  929. 78.188.7.213:8090
  930. 83.110.155.238:8090
  931. 84.241.10.111:53
  932. 85.104.59.244:20
  933. 86.99.35.122:20
  934. 87.106.139.101:8080
  935. 91.205.215.66:8080
  936. 92.154.101.154:50000
  937. 94.130.35.140:443
  938. 94.76.200.114:8080
  939. 95.128.43.213:8080
  940.  
  941. ```
  942. #### Epoch 2 - Spam/Stealer C2s ####
  943. ```
  944.  
  945. 198.58.114.91:4143
  946. 213.136.86.219:7080
  947. 91.205.215.10:7080
  948.  
  949. ```
  950. #### Current Epoch 2 RSA Public Key ####
  951. ```
  952.  
  953. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCxS0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRchG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
  954.  
  955. ```
  956. #### Credits and Notes Section ####
  957. ```
  958.  
  959. WARNING - Some links may have been taken down shortly after I reported them to URLhaus, because they rock and report everything to ISPs as soon as it
  960. is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
  961. https://pastebin.com/u/jroosen
  962.  
  963. NOTE: The doc DL URLs are now in alphabetical order. The community lists below may contain content I do not have in my list.
  964. I am providing them for your benefit in case you want to parse them to be sure.
  965.  
  966. ```
  967. #### What is Epoch 1 and Epoch 2? ####
  968. ```
  969.  
  970. What is Epoch 1 and Epoch 2? (updated 03/07/2019)
  971.  
  972. I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
  973. payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures and separate RSA keys for communications.
  974. Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller, more
  975. rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
  976. This seems to change back and forth over a 6 month period. Despite having unique, unshared C2 infrastructures, these two botnets have been seen
  977. to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group, e.g. going on breaks at the same
  978. time period.
  979. Here are some observations I have noted since I have been watching these botnets:
  980.  
  981. - Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
  982. Epoch 2 document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those
  983. being delivered in maldocs on Epoch 2 at any one time.
  984. - Document hashes change every 10 minutes on both Epochs while distribution/spamming are active.
  985. - Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
  986. - On Monday of every week a new set of document download sites, and usually templates to accompany them, are generated early on
  987. Monday morning/Sunday night.
  988. - Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
  989. Epoch 2 may have a document hosted on host.tld/B.
  990. - The RSA keys used for C2 communications on each Epoch/Botnet change every few months.
  991. - Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
  992. *- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
  993. - Each binary has a hard-coded list of C2 sites unique to the Epoch it was derived from.
  994. - C2s are never shared between Epochs/Botnets.
  995. - Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
  996. via C2 to stay ahead of AV defs.
  997. - Spamming activity seems to cease on each botnet at around 00:00 UTC each day. It usually starts back up around 07:00-08:00 UTC each day.
  998. - Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
  999. - The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA key. HINT - CAPE Sandbox makes this
  1000. easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
  1001. - Changes in behavior are often deployed to one botnet and then to the other, as if the first was a test. This has been observed for obfuscation,
  1002. spam template, word template, document type and even payload.
  1003.  
  1004. If I think of anything else to add or if anyone else has any suggestions, I will add them here.
  1005.  
  1006. ```
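The attribution step in the bullets above (find the payload, then check its C2s/RSA key) worked through as an added example; this is not code from the report or from any of the projects it credits. It parses the two Epoch public keys published above with a minimal DER reader from the Python standard library (no third-party crypto dependency), reports their size and exponent, and fingerprints the DER so a key pulled out of a sample can be matched to an Epoch. The function names `parse_rsa_spki` and `attribute_key` are mine; the key strings are the page's, with the whitespace from the paste removed.

```python
import base64
import hashlib

# Added example, not part of the original report. The two strings are the Epoch 1
# and Epoch 2 public keys exactly as published above (whitespace removed); the
# parser and the function names are mine.
EPOCH_KEYS = {
    "Epoch 1": (
        "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+"
        "0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ"
        "Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB"
    ),
    "Epoch 2": (
        "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx"
        "S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc"
        "hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB"
    ),
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(b64):
    """Parse a base64 SubjectPublicKeyInfo holding an RSA key.

    Returns the modulus size in bits, the public exponent and the SHA-256 of the DER,
    which serves as a stable fingerprint for the key.
    """
    der = base64.b64decode("".join(b64.split()))  # tolerate pasted line breaks/spaces
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _alg, pos = _read_tlv(spki, 0)           # AlgorithmIdentifier (rsaEncryption)
    tag, bitstr, _ = _read_tlv(spki, pos)        # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected subjectPublicKey encoding")
    _, rsapub, _ = _read_tlv(bitstr, 1)          # RSAPublicKey SEQUENCE
    _, n_bytes, pos = _read_tlv(rsapub, 0)       # INTEGER modulus
    _, e_bytes, _ = _read_tlv(rsapub, pos)       # INTEGER publicExponent
    modulus = int.from_bytes(n_bytes, "big")
    return {
        "bits": modulus.bit_length(),
        "exponent": int.from_bytes(e_bytes, "big"),
        "sha256": hashlib.sha256(der).hexdigest(),
    }


def attribute_key(b64):
    """Return the Epoch whose published key has the same DER fingerprint, else None."""
    fp = parse_rsa_spki(b64)["sha256"]
    for name, key in EPOCH_KEYS.items():
        if parse_rsa_spki(key)["sha256"] == fp:
            return name
    return None


if __name__ == "__main__":
    for name, key in EPOCH_KEYS.items():
        info = parse_rsa_spki(key)
        print(f"{name}: RSA-{info['bits']} e={info['exponent']} sha256={info['sha256'][:16]}...")
```

Both published keys decode to 768-bit RSA moduli with exponent 65537; comparing a sandbox-extracted key by DER fingerprint rather than by eye avoids mistakes with the long base64 strings, and the whitespace stripping means a key copied straight out of a paste like this one still matches.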
  1007. #### Community Lists ####
  1008. ```
  1009.  
  1010. https://pastebin.com/nS6FBEDJ - @Jan0fficial
  1011. https://pastebin.com/Xd6M9J7G - @ps66uk
  1012. https://otx.alienvault.com/pulse/5cc9fa2541698480d8b9c914/ - @SecSome
  1013.  
  1014.  
  1015. ```
  1016. #### Credits ####
  1017. ```
  1018. (OC from @JRoosen and/or combination work of the following)
  1019.  
  1020. Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
  1021. @0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
  1022. @Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk
  1023.  
  1024. C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
  1025. @devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192
  1026.  
  1027. Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
  1028. @pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
  1029. @papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro
  1030.  
  1031. Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
  1032.  
  1033. Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
  1034. helping out with this!
  1035.  
  1036. Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
  1037. @digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
  1038. @urlscanio, @TrendMicro and @Virustotal for providing services/software no charge to this cause!
  1039.  
  1040. ```
  1041. #### Daily Log 05-01-19 ####
  1042. ```
  1043.  
  1044. General News:
  1045.  
  1046. New Regex patterns below for E1 and E2. Moderate amounts of spam for most people. Once again, very little malspam for me
  1047. with only 1 older generic template from E2. I am not complaining though and the less they spam me, the more I am winning
  1048. the battle. However, other people are getting decent volumes of spam and @ps66uk had 30 malspams. Quite a selection of
  1049. attachments/JS/DOC and ZIPs in relatively even amounts. It looks like attachments were pretty prevalent today which would
  1050. match what we see in the link counts. See @ps66uk's notes here:
  1051.  
  1052. In other news:
  1053.  
  1054. Brad @malware_traffic posted some pcaps of an infection with Emotet E1 that proceeded to Trickbot rather quickly. A few
  1055. other members of the community also mentioned seeing this pattern today.
  1056. Brad's notes are here:
  1057. https://twitter.com/malware_traffic/status/1123661316655276038
  1058. https://www.malware-traffic-analysis.net/2019/05/01/index2.html
  1059.  
  1060. I forgot to include the new document template in the notes yesterday but I did attach it here later for everyone to see:
  1061. https://twitter.com/JRoosen/status/1123457018558337024
  1062. I am calling it the Navy Blue/White Letter DOC template.
  1063.  
  1064. @JayTHL gave a nice summary of the URLs seen yesterday in our report:
  1065. https://twitter.com/JayTHL/status/1123581349066170369
  1066.  
  1067. Email Template Report:
  1068.  
  1069. I only received the one generic malspam as previously mentioned but @ps66uk had a good writeup of what he saw today
  1070. in his post here:
  1071.  
  1072. https://twitter.com/ps66uk/status/1123683670831898627
  1073. https://pastebin.com/Xd6M9J7G
  1074.  
  1075. Important to note that @ps66uk did see 3 more reply chain emails in the list of mostly attachment based messages.
  1076. From looking at the data I can tell he got messages from E1 and E2.
  1077.  
  1078. @HerbieZimmerman also saw attachments and posted here about it with a template:
  1079. https://twitter.com/HerbieZimmerman/status/1123604529319165952
  1080.  
  1081. @executemalware also saw attachments but as DOC files:
  1082. https://twitter.com/executemalware/status/1123584370634366976
  1083. https://pastebin.com/1NiyRDYk
  1084.  
  1085. Review:
  1086. What we know about the threaded templates/reply chain:(changes are marked with *)
  1087.  
  1088. - Emails are sourced from once (or still) compromised users all over the world.
  1089. - Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
  1090. to the compromised party on or before Nov 2018 until at least January 2019. (may be up to present) Also have seen emails going
  1091. back as far as June 2018.
  1092. - Now on E1 and E2.
  1093. - Now seeing German based templates that are essentially the same thing but in German.
  1094. *- The injected reply is usually prefaced with the following:
  1095. "Attached is your confidential docs."
  1096. "Attached please find the wire transfer form."
  1097. "Thank you for your help. Please see the attached."
  1098. *"Load instructions attached"
  1099. *"A printer friendly attachment is now included with each email."
  1100. *"Click on the attachment to open or save the printer friendly version of your report."
  1101. - Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
  1102. - Attachments seem to be in the filename format of *_April_DD_YYYY.doc/js so far.
  1103. - The link is customized for the display text of the link to show the real domain of the spoofed organization.
  1104. - These templates are pretty limited in run and not very numerous.
  1105.  
  1106. Link Regex Report:
  1107.  
  1108. Regex directory patterns - The following patterns were seen active today. Note the * next to the ones coming back
  1109. or that are new. Also note the new patterns showing up today on BOTH E1 and E2. It seemed to stick more to E2 though,
  1110. so I am not sure what that was about. This seems to cover them well:
  1111.  
  1112. E1
  1113. \/(Frage|Nachprufung|nachpr|sich|sichern|vertrauen|([DdeEnN_]{2,5}))\/([0-59\-]){6,7}\/
  1114. *https?:\/\/.+?\/(sec|secure|trust|verif).(accs|accounts|myacc|myaccount).(docs|resourses|send).(biz|com|net)\/
  1115. *https?:\/\/.+?\/(assets|esp|lm|paclm|Pages|parts_service|sites|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{9,27})\/
  1116.  
  1117. E2
  1118. *https?:\/\/.+?\/([A-Za-z0-9]{8,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
  1119. *https?:\/\/.+?\/(assets|esp|lm|paclm|Pages|parts_service|sites|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{9,27})\/
  1120. https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/
  1121. https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{8,12})\/
  1122.  
  1123. These Regex patterns are to be used experimentally and at your own risk but they caught 99%+ of what I saw in link malspam.
  1124.  
  1125. Payloads Report:
  1126.  
  1127. Still seeing E1 and E2 going back and forth between the new and old loader. The current state of things is:
  1128.  
  1129. E1 Distro: old loader.
  1130. E1 C2: old loader.
  1131. E2 Distro: old loader.
  1132. E2 C2: New loader.
  1133.  
  1134. Everything on E1 was ZIP/JS or ZIP/DOC today except for a small point in time in the middle of the day where it was straight
  1135. DOCs. They were the DOCs in ZIPs previously though. :) E1 seems to be testing ZIPs for attachments/links with the old loader
  1136. to see how effective it is. Seems like a lot of attachments came from E1 today.
  1137.  
  1138. E2 was basically straight DOCs all day with the new loader in C2. I assume they are testing the new loader on E2 and some
  1139. of the new Regexes above to see what infection rates are compared to E1.
  1140.  
  1141. C2 Report:
  1142.  
  1143. C2s DID change for E1 and increased from 57 to 61 combos in total. - recorded above
  1144. C2s DID change for E2 and increased from 74 to 79 combos in total. - recorded above
  1145.  
  1146. Closing:
  1147.  
  1148. The new Regex patterns were interesting today but I hardly noticed because of the lower spam volumes in my personal environment.
  1149. I was thinking that Ivan had some tricks up his sleeve but I think it was just another empty vodka bottle.
  1150.  
  1151. TT
  1152.  
  1153. ```
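The E1/E2 directory patterns from the Link Regex Report in the Daily Log above, applied to URLs pulled out of a message body, as an added example that is not code from the report. The seven regexes are copied verbatim (with the leading "*" new/returning markers dropped); the URL extractor, `classify_url`, `scan_text` and the sample message are mine, and the sample URLs are constructed on example.* domains to exercise the patterns, not real infrastructure.

```python
import re

# Added example: not part of the original report. The seven patterns below are the
# E1/E2 directory regexes published in the Link Regex Report, copied verbatim with
# the leading "*" (new/returning) markers dropped.
E1_PATTERNS = [
    r"\/(Frage|Nachprufung|nachpr|sich|sichern|vertrauen|([DdeEnN_]{2,5}))\/([0-59\-]){6,7}\/",
    r"https?:\/\/.+?\/(sec|secure|trust|verif).(accs|accounts|myacc|myaccount).(docs|resourses|send).(biz|com|net)\/",
    r"https?:\/\/.+?\/(assets|esp|lm|paclm|Pages|parts_service|sites|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{9,27})\/",
]
E2_PATTERNS = [
    r"https?:\/\/.+?\/([A-Za-z0-9]{8,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/",
    r"https?:\/\/.+?\/(assets|esp|lm|paclm|Pages|parts_service|sites|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{9,27})\/",
    r"https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/",
    r"https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{8,12})\/",
]
EPOCH_PATTERNS = {
    "E1": [re.compile(p) for p in E1_PATTERNS],
    "E2": [re.compile(p) for p in E2_PATTERNS],
}

# Crude URL extractor for free text (stops at whitespace and common delimiters).
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def classify_url(url):
    """Return the set of epoch labels ("E1", "E2") whose patterns match the URL.

    The result may be empty (nothing matched) or contain both labels, because the
    wp-admin/wp-content/wp-includes pattern appears in both lists.
    """
    return {label for label, pats in EPOCH_PATTERNS.items() if any(p.search(url) for p in pats)}


def scan_text(text):
    """Extract every URL from a message body and classify it.

    Returns a list of (url, sorted_labels) in order of appearance.
    """
    return [(url, sorted(classify_url(url))) for url in URL_RE.findall(text)]


# Constructed message body: the domains are example.* placeholders and the paths
# were written to exercise the patterns; none of these are URLs from the report.
SAMPLE_BODY = """Hi,
Please see the attached. If the attachment does not open, use the link:
http://example.com/wp-admin/trust.myaccount.docs.biz/
https://example.net/wp-content/abcdefghij_k1m2n3o4p5-201905010001/
http://example.org/wp-includes/AbCdEfGhIjKlMnOp/
https://example.com/Scan/x9Y8z7W6v5/
http://example.de/sichern/3-14-59/
To stop receiving these messages visit https://www.example.com/newsletter/unsubscribe/
"""

if __name__ == "__main__":
    for url, labels in scan_text(SAMPLE_BODY):
        print(f"{','.join(labels) or '-':6} {url}")
```

Two things a practitioner should keep in mind when deploying these: the wp-admin/wp-content/wp-includes pattern is listed under both Epochs, so a hit on it alone only says "looks like an Emotet doc link", not which botnet; and the dots in the second E1 pattern are unescaped, so it matches any character between the dotted words, which makes it slightly broader than the literal names shown. The patterns are used here exactly as the report publishes them.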
  1154. #### Sandbox 05/01/19 ####
  1155. (all with fakenet and MITM unless spam/secondary infection)
  1156. ```
  1157.  
  1158. Epoch 1 C2 run on 2019-05-02 at 01:00 UTC - https://cape.contextis.com/analysis/70865/
  1159.  
  1160. ```
  1161.  
  1162. ```
  1163.  
  1164. Epoch 2 C2 run on 2019-05-02 at 01:00 UTC - https://cape.contextis.com/analysis/70864/
  1165.  
  1166. ```