## Emotet Malware Document links/IOCs for 05/01/19 as of 05/02/19 00:45 EDT ##
*Notes and Credits now at the bottom* Follow us on twitter @cryptolaemus1 for more updates.
#### Epoch 1 Document/Downloader links seen for 05/01/19 ####
#### Epoch 2 Document/Downloader links seen for 05/01/19 ####
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
#### SHA256s for Epoch 1 Payload EXEs seen on 05/01/19 ####
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
- ```
- Creation Time 2019-05-01 17:22:00 (DOC Based - ENG - 365 Blue Box)
- SHA256:
- 17f4ae8fba484e7fb87c16216ece4622556d70db4d807d8b0a4ac207eba7d015
- 1f7f4adf00079e629d57f4d60246bad091aaf746a26386323e414d5dfe9cf126
- 57f935a706180e4e617c73331cd0a57f8ae1fcaf0537e0fd11294aa0e20e0feb
- 8849cbdb89ef44865f23e8745eee176d529ca564c20c66da99aa5c04db555ec3
- d450310c315301ebd8307408f8a534d6fd108c8649bdf0557d2c375fd7feeac5
- e67b66b18eae119a39f810d45ea3987486699e4d7b83f2a43150fb4a865870e2
- 8c2940f2a0b9eeb17e9bbbb8c465085982bc20dbe2fd980c532eb87ca96f2090
- e5bdce92d2075dbb2d3f7601032665a77672b238c34b72edc5af8dbc0ecd7912
- e39ace0837155e85d59f5059bfe202ba3de02a88c848a6067c9965cadb79c5ae
- d0cfa6322bfd78d66cbe8513075fb57b181eb60560ed6558c707d38110fc9c95
- 22b56c3fff64cc6ccc21bcd5ac8a4ce68a75b19d7586475acbb445a45144e401
- 677e0cc93380965dc2a1f323cf07e84848fcd41950daf4158e244113536896ac
- a2fcae9f16ba8a88c03ba2fa986fa6f148dbaeac41f94546467a81b9846ae9df
- 4208aa9b2a8e40195be3444efc9bc9cd2accf732b249c921025207feb62a0970
- f65dddc5f054d91554fe20e60a06c22d0a8a6cdd6555ba5c7098e06150c66ec7
- 6a817c04b3ec3fb6f85801ecf4999db95505445ecbc8f741cf2985972f2d6f75
- 07ad82ee6f552024b89e9569759078672295762694af017f35f64bb7284b93c3
- 07ad82ee6f552024b89e9569759078672295762694af017f35f64bb7284b93c3
- 895e4424f07b9de1284d596c17b8e10dac11fade371885fb4e8d9c73bd2721ce
- 314285230457396f78090f46f2faeff452e0f80e97f1b8fcc3371298cad19557
- 438757f58f956c0bf3c4d88c3270f25c6bef6cc6c7599d01e2050871e1c7cced
- b4acd9d62915cecb1ba384e9ef86b7b9b26f38f0c0ee405ba3b4a396b44b56a9
- bb393d58b6809fff86d32f6a6b5f3af0de4ecdc371a6454ecd9fd2e47f55e59b
- af6b2d8591fc986c0fcb199d2526efc8e0089ace577fdbb925a7334ba5eab4ca
- c0d56c06f445e3284464894bb9855dac7036a7f5e0da7183ad31c6d0c2477db2
- 1f4a46bf19d090bee1282d5920e1ce502620c0a50cb4d5165d735d5b52e4a79e
- 51d6fab6ccf8fb3460ce156af02cfcbaf6098f74d37e5d323a3d9e2c07e4b8f4
- e12f25d5aacd3c073171d6f5613fcca942c7cf9cec4cedbed74acb9dbee513de
- f28f62f33ff6ea0d8d9708e54142e83603afe0bcdcf1206bca2f2dfa00e05b0c
- 8e56b9601576954a6830441430cdbf339831df28e8b6a4c29fa76471d83594ce
- fdafca6a40ef4527b1dae33e85b89efa3d854bf937e4cefe026518f191309470
- 899845fe4fe39f97c37bde716b7ba0b19169ea817e93cfae5d7e3cdeed7fc639
- 811f6ec9cc7105d1b81e5352a0b9f90df420a293afc43ba91507952e7cb49f72
- 571210656adbfe8cde574bb15f96232169cdfb487f4597ce1a4532c7a0258f46
- 64b75110604d920b41da5dedf56cabebac63da64a209a35cb664ba69764fb8a8
- f0f7cfb434c2a3922d011186c1bfeeebf9cf5444b33cf90104ae09407bb65e06
- f9aa8059e3a7418a2e686036ca8198cde4ba026f1d0b05ba2a32774825fb71a8
- 72f28f83d17f71068693f8f34ea40d09dc75d111635427f1b58fa9d4cad29558
- 404f20fabcaf9c4c086a38eb1cb139e49e2e08d6249ef41b88d7eb2c0e628bbc
- 394d047267664ca7feaa87df65b83ef559a4a97d7660e855fd84ad39ca15c17f
- f485bbf5f58215b48cf1d3435a75007749edb2a502238899c462b7f8b47c410e
- 3b338a2b75997eba6f9666aaea6f422da3e38754657f4be7f7e0e9967c479a63
- fa4963b59046a924250a2c0d7599ae98fec4d4d0ba1cdf8de575a7438c570563
- 897c6162e1f5089706797ca8cc5e75026d5bbc7707bac7271767e378815e514a
- 9af59ed0cd1f739a62f9e8f478b2d237913d0949d9ca7b0202a8d22115323f94
- 9c51bcdb82373007744c0dd18a11c06decaa000f48880f23f1bf9a335e5af053
- 60fef10a83e873748b44cf932f3e0fa0a0d891f414e591696daeefc00f0d01c9
- fef5c94f160ac594834251f184900922b8b802d3b8460c3dd75f74e895e7fee9
- fd0666be8043c1d58b39868e5236856bd32f80fdeb994081e9a1c59974fe101b
- dc49d2d7421719050d62368d665c84629bb08d6874ade0bb8940f133b619d9ae
- 854cdddb19feff91dc4b4fba1ec91452c996a460cd5bd9ea2ff6e88f8c20f66c
- http://depobusa.com/foamorder/tObUfzBc/
- https://www.plvan.com/wp-content/vPTKWuAOUoglbXLQxJufgAVZbW/
- http://hsb.pw/e5t9/zbqlHAhTtRZd/
- http://mestand.com/wp-content/akMmnMBbAPswO/
- http://jobstud.ru/wp-includes/QIUEwMypGbuDbhAaEimcRofGNckbVn/
- Creation Time 2019-05-01 12:06:00 (DOC Based - ENG - 365 Blue Box)
- SHA256:
- 3f832fc27ebcc0391c302aedbc3f8d3dfe7473679d5d9aa0176f9623d4306d68
- 910b14995ebda512edc5a456f5734c520e941fe385519c5683586a237e455321
- 930cace84e8704d5385df2db7557c7d3b2a183de3ffad0d3a51291745b4f9f39
- 2ade167cc02b318750feb789c0476581e4f2e0864c3a51fd65bd74c25534a74e
- 3f90bc319f969145e499fa90a32a81f0fed988320b255b0febc18befca735484
- bf1f3da22c4f30cc57b35533a010fccdb5e77ea6e8f4a5179004feeecbb55e57
- 1a6641086b78035d6c9ba38c7199aac02d37dafbadf96059a81b6f4c35e49f84
- 7416ebc5373fd8a3ec9ece1dff46c15699738491d703b47f20ae4de8c59bcef0
- e8c5d544a7c4f929fc3c3422dc0dfd03d2e3ab6ff8e4153f5ea104d35d1b82ce
- da7420285c3586a66c0bf6aaf85c928149799cbf9392ce8e0d1aaad2edf438ee
- ed12cccf232d6e24b35f114e6c8c3e2fa856a5bcc7ea2c64cd17774aedb83f7b
- 68e686c3f2b87d3169766ffe4bba021a8acd7648ca38c6c75be829a864558ecb
- 61e933a06b4a2af4239c378c84211b2ff1baab4effe6b5bf044ac4f2d3371c32
- 224d99639dbb488494e23f7fd8a60c75630ffc694a3114a6d4f596da2062fbe0
- 908ea859520fb4206c9b71577394d447dcb9794d42c86c98df0f0b8fa94f8547
- 42981d37b50801d5cdc23d5d9f0a1e0e20f3787e24c4d20f606d2250ce5bf804
- 49b5e70a242f984eadee49435aac4371ca3cb65b02b2f6fbcbfcbfbd9d985782
- 58c44d575aa6041c0d0e87372288f96804c1fa141ee903a67f668e73cb690dec
- 8622f027a26a79a5d3b23c82121b573150d9e10d2b2c7a0a0270df1e2e807cb4
- db1c99298b5e34e6f10a5e054febbbbb8ebf940b4cacdcd1b1f4bf542d7da41d
- 6f926261cf70832a6f3332c727eb674da29212109a968a25cab4cb92fced7694
- https://protemin.com/wp-includes/Zx_S/
- https://moda-blog.com/wp-includes/PZ_BY/
- http://chenrenxu.com/wp-content/KH_z/
- http://globalent.pk/cgi-bin/5_ml/
- http://eismv.org/wp-content/2_A/
- Creation Time 2019-05-01 09:35 (From ZIP - JS Based - Fake Error)
- SHA256:
- 0920828ff5b7ceb1d38a80e3f89e8d5a3cce36bfec0d134df331abcd5acccd38
- https://hatmem.com/wp-content/v_6h/
- http://icv.edu.au/wp-includes/RH_Xw/
- http://driveless.pt/wp-content/PB_D/
- http://egd.jp/wp-admin/e_H/
- http://gynet.com.ng/wp-content/Ch_BG/
- Creation Time 2019-04-30 19:05 (From ZIP - JS Based - Fake Error)
- SHA256:
- ebd4f543086e069e533320c4c4793117a0684cc46315c929067483a56c8fc478
- http://sanko1.co.jp/lp/cJ_du/
- http://sftereza.ro/administrator/Z_K/
- http://shot.co.kr/yupdduk717/g_3/
- http://shawktech.com/shawktech.com/p_Wz/
- http://nobibiusa.com/yxbd/Op_u/
- ```
- #### SHA256s for Epoch 2 Payload EXEs seen on 05/01/19 ####
- ```
- b2ee80cb05e8f2eeeeb74c34e2ec8f890280ec2c990ccf4eb7df93f078986be6
- cc7f943b05fa5d7d63caa25e9f7b4bd883d1f43759e5d085269d1c0b3e9f9969
- 1d693a22cc447fd8714588c01364959a21a5c587a5e2276ea583fdadf3e429c3
- 7629bd60ebf2d6c60e861c463c1eca3e4a3d9e719934010ea560028b304c47f9
- bb02369d86e4a2bce443593034a8b6a19ee3b6e8922dbadfb7cef932ccaa477e
- 5f821d407f467b41cb684f2c6c20720bccd018df9e2ade2bb28f7807604eb56d
- 1f6f2e26941bb8ff267e6cc416897e0a82e0ca51f7309fc1c270804affe7a184
- 70ceba71b954e7ff05486128f6c30cdc80d3bd5d0c2ce45b1e84e864058d445e
- 7b639b186ad249f6b15128cf690a03de01a5433a47a9b64741a34f91b41e69bc
- a4b95d1dc696609c60762117f6085c8e243d1df8c9c78288cb0243647b1c078b
- aa7d2395211f278a1c226f1065984709ccb59dcb8c52001ee48c5fb10a7487c5
- 3411468ee9eb35659adededab22c3326b1dd2b2b8f5e94ec15ac70c8ebafeac3
- badb29a24f2914acb6472775407ef2fd23ff8939b82d5f9461c48bd4a5cece96
- 3b30615e85c2da16535d622a1ec5b0d5ccd15b728337f12ab57a0515110396b4
- 150fdb67ea0e24a30555dde8040d7e649dc965a808e01c05761e79b0b50e1014
- b8ade66da207a86ec77cb5496f1b907d3efbe6ecca45eedc3f0a797336abe232
- 1fa3bf29fb4aa0ca4bafb0325bee60b916102e1dc41e8bbaad80b675d3ec546c
- 48c90a4b61691d91824d9a0b977e05feebb1e2c1ace4dbb53ed63475aeec34d0
- dc35e88bd93d9a45023ffdd08fe3b867db5a93088a857b155807c5849840f546
- a1e4576d8cfbafcf57aadec3c18b743b93df793fab989c13b159a5038f540f27
- 26d0b40e801745d4259f418ffcf1b07b80e1c25c3a85bb71b6602751076e1e4d
- 3e3f3da7ec1f70fa97caa86d56d1351cc1cfcfdb2ba75c68bf407a78e562462a
- 9aadce4f7de8584e42dad1058d8306c497fa997e7b33aecb738e193289c8983b
- 6624a70b16431f046db28a1f6092a89d4e510e9da6593da0b0ebdda57f72e6ab
- 1274fa7ec04ee16c4bae87828023b8b2aa26973371eeb7987e0dd1d82fe76faf
- 323967a0466216ba81afa736ebb34173f3d2a24e91e4d6d28a3cd53e234c21de
- 69ee6439a04af4c494d9c99dc5b0cc3b964e9af74f3211d4c3dd8272cc14162a
- 3d568c3db59c550db254d8780683acef2c1e0c5a8782f9f4c76215133bdc52dc
- 2e7eae369116761735414a466e45c1a2b255795e14c098fedeef2db04489c0cc
- 66252a0e2a416307c52eef926fd72627e2d627138be6656f6115e58dd145f062
- b9456e9046c5e008ea7394c7f8634fb38285a9a141775751f06adaa39b9f017e
- 3a8cc2406b25d9a14ca521a891fd6137a477c2ed72fcbcbae429b680965804cf
- b1a0043b475e725178ba4018775e793e1f45e079cf6cb6f22737cfe7fdcb0bb6
- 901085cc0ff46482fa0bf3df88dc4651391ea7b3daf301cb0b45048c637ac699
- 37d722e738120fc26676f78098e85e4436523eeb26ba6e166bb176d2947aafc7
- 55ef9ddff5ee938594dcd2f78498e9caa58c6fd7edd5087e81f7f80453f12fbf
- c54f985f6eeb405e038dd4c3d161b256f0209a9f63d7d83f14835363d5389838
- 474fd0ef330a98329ab5a77c454cd36e23ac1489feb59c7d1187c4fa5ad91d2f
- d150a9165a4b511f6b4b828f2a8c5cb1f3481740c8e25e8289ba9b117a0b225a
- 5f8a7c44a80bafbdebde42b34d51c2ce6aa2073ac2c55dfc92e559087695f18d
- 561b430a0e6fbecbf5a5ebdd9f955c10121312b702e92651d8c82f14e5c52017
- 94971eb9924fc4158e66d4a6ab16d190264a3ff45fdcad0f7694cc0cf6e30d22
- 939d1079b5e68046bc483b73ea2b607f183c356f1c4f8c0e97bc067678e656af
- 75a7f7dd8e45cb44abc7096d277f073b4652aeaf88c0aa6353b398195f3b0d8f
- 927e453cbdc34a64bb6ac5b2e307939883898cda0d08a5a2a618b61659a55e76
- 4c7ce5aa5ba12b2b6b8a2f0596657100170b4348b16a864ad300ec90f7f74349
- 34622e45aa0d4bc678df1429b180653c51e163de483064b15e5971b5aea8baba
- d53f72785f645c5029e8c9289fb4d6db549662ff2b9ea324a4b4004b7fca3f57
- 3e8d02c59d81342d13f69b0e0ae1e0972e49e3ae2f5fcd7c920f185db5b20a91
- adefe56cdbb830f3c1505cd6546fc59fdb285175d0a50dc8c742bb3924d1f27a
- c933e6a30d5951cb5943b5f2996f441bccdfacc4fd4a035b92a99b8202e1fc01
- dcec41043e9866580ae5d29a1ae7a992a29a8b06d6f552a414478d53007ebd6c
- 5005e73af04f7d1619f11ddc2b5657b20e6533a60f62df30256698b2b0b21c1a
- 04f7dabc8a78426db8b15ec93878bf1e1cf0bc5b25e00f06a64a08031d3a86fc
- e998cbbc21badc970c1c530e1841a2ba384dc59689b9abfff2ea033be99fae30
- 8b90a4fc2facead1c71323f5addce373cbb043985bdae943db55a330532f452c
- 3904137e130dee1e240244f78ce56df08194dd1c7c5384f4965897bad48a664d
- 87005ace32816cc97648700aff06385ce4eb7213e1524b5277243818786cdb4c
- bfd18dc8c489813c1d65485a5bced0eb03334d4e284dd01c7a06fb4c8b7c338d
- 8417fad607151b0c6899555076bef64a086ff93dffb0a2a5a85ecb9579740df0
- 73b68bbf952e6e281bc7798abccc508f01377dfb6c88356c771485c0b50d41d7
- 01a26c224df94b3d9cdcb4683c8ba6fead0ff47de748c6eb63fc14cb03744ad3
- 4e4d1b08a75e20afb13470b6db6149caa2bf617a7694645ff11f16aeaab19528
- d715092d0768706bbdf4e99cfe2c43fc50892ad0bca0bab3380a6843f29db959
- a038940c725ae65c713d61f36f9e939b2d407d0fa46d7f85e77003770a280263
- de2d9a0f156a070b9fa0c5b87166d936e2bcdb483bc8e289a1a3436218741a78
- d9532f0d8bbf03d6789cad84c7568d25066a6fedf3475df807b7539a098ba0ac
- 77218a0c66a00ab033d89060de3605b0fa309f01ed7038980494a249eb0b886f
- c46dbecadb62cdd7a3df99b4b77d1cde501cd074f09b9740e8752ad847296973
- 687f28d8fa2f0058f4e87f260a06ef84e983bca27efd12dd660dd3fcbf599eed
- cd1e9f21a53ca7eeacfd875aede685a78d4d0450cccad0bd85bfb7eb12a80a9f
- f1bb57ae0b13ad85dae1477415447ccc702e59fa8caa16be7e4a9dfa1476c68c
- 8fed4e6662af05d39b16376999c8f5f2c2bc802f2699e8a197adc89c64b6abe6
- cc343a4245c9d5c7bc8248a88ab529a2c6246bbc38a8f1d0c3c9c1e10dc14045
- 65db1126d8cadd61bb4b0e04a4d4b301781d3edf0d9df4283b6509507bb72ba9
- 793e5cca2f9bb94fd534b36b888d98659a8ec9237ba97536041e91ccc81cea52
- eb9a92a030262e20aa1ccdac98d01dd8a9c7a2cf570073e00d24e120d9d037ea
- b603a86b754527ed24c4618e9fc9459e42cc5ced95bad7b68d782e508477dcfb
- 7be28da7fa028d13c25b021a3276f3b27df00c856163f3656ae735f502543d7d
- 05a5a79ff1829ab1f06b328092f0ddc00463489f4773c2eacaca8b11e82f5d17
- b6c00ef0ff0574d348f8d819511c134057f7689c769e0868bf154a4510f12817
- 7d8b2427a737cd1a3c1b9489684bead8902b72f3a1fe614ce273a81b4fab7045
- a9b0aa162825c49747dd10f44e3acfa17e291b07621e3bfd85b37c448e426f2c
- ca4bddf038eb1f05e9ea9785260d344303408cdd33aa7b9ef69de1042aba8804
- beff581a3dcf2d2abbc92a9131251507036fc017dfdf3bc5d74b0f8b9e96570e
- 51e7fdc595507e24b9d0c460f5b6fab2f2ba6675db98d3bdecfe01ecc50a8e19
- 6482e697724413b307182474059c35354edb372f85939a4ae71b0b2c5e29147e
- 83cb93d45e6a690aa0ba8cfe27d269f3190e037d768686467b5cbde3c4e0654d
- 4dcfcd5e3f0da01f669dce29cd6e417703d939a55a5a14effc5f3302c78c2561
- a2af79374daca830e984ea59c1bf644e9c69708d7df839cb9103cfb6d15f7e1b
- 5a7d4f723baf896f9a517941554e08851ace8ded68c3677ab067ecc1d0caabbf
- fa0f2cfdecef9296c42861b4cba847147ff64b798b68beddc06d54e4567be1a2
- 043191a6bf7cfa30f330531426223cd83418c2a05bf16258d81e5d61db2427a0
- 04648a2348ba6ad6349572cf36bb5ee498a36e6c2fe5bcabc83dac8ec26c99a3
- 1870b386fc5b7bf2b89f407325806c9ededa3285aaf50bee1e17043577d780a3
- 697532eef1d5f157a16efcc5be206043919f3844c17c5f8d3a9ff990c6f153df
- 96594444dbada56b286e03448f33dede63bc5bedfa44221a45da811195e36fae
- e61b92dca757c1a8ddc2e585a236f8f0242fd1878f552fea59a8a2f1bec1df56
- 356a994530076924eda30e72ec8f2920dbd3789af889f4ade17cfc0f9bcd3e64
- 0d7b524b68de328b71bd4aaf264e7aa8758979fc4441f869bfbe0a600a100adb
- 7afb16e3da243d7f4343118d12ea0dec00ff6d9223462cbf464f36e34febd80b
- de107ca5e1e4d91ad2ef67ebabb6cb90564aa87727b99daf3d2ea8f5fa73d50c
- de41699ed2764b9ebcd051b8a47e433cf246af9103541a88ac2bbe704e1a8352
- ce9ac3c35886bc7fb2a10e66b5774796ccfbc9189b6c7b5b95c46c78d1af2eeb
- a6ccfff49a934bc1046e5e1ba7effb53abcfc355a67b78f76486d5b14d4a5df9
- 74bd4f139de8ca014c29d61380e6fcdc9949946fc97881a3812807c933476383
- 65ce9c180eeb4250f8d9b31fbc5920e41293885c4685e7b5b2fc156843daa4a4
- ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7
- 39339326e9dfdf25361dee2e855aaf59fb05924b77cdbacddbf054c9fa913974
- a1874895c2052945922bfc9a9adb17290046e03dbb47c2d5e10b9a59c0d58fe3
- ```
- #### Epoch 1 C2s ####
- ```
- 103.201.150.209:80
- 103.213.212.42:443
- 107.159.94.183:8080
- 109.104.79.48:8080
- 109.73.52.242:8080
- 115.132.227.247:443
- 139.59.19.157:80
- 144.76.117.247:8080
- 159.69.211.211:8080
- 165.227.213.173:8080
- 175.107.200.27:443
- 176.58.93.123:8080
- 181.142.29.90:80
- 181.199.151.19:80
- 181.29.101.13:80
- 181.30.126.66:80
- 181.37.126.2:80
- 185.86.148.222:8080
- 185.94.252.249:443
- 185.94.252.27:443
- 186.139.160.193:8080
- 186.71.54.77:20
- 187.188.166.192:80
- 189.196.140.187:80
- 189.205.185.71:465
- 189.213.208.168:21
- 190.117.206.153:443
- 190.147.116.32:21
- 190.171.230.41:80
- 190.180.52.146:20
- 190.85.206.228:80
- 192.155.90.90:7080
- 192.163.199.254:8080
- 196.6.112.70:443
- 200.107.105.16:465
- 200.114.142.40:8080
- 200.28.131.215:443
- 200.45.57.96:143
- 200.58.171.51:80
- 201.203.99.129:8080
- 210.2.86.72:8080
- 213.172.88.13:80
- 219.94.254.93:8080
- 222.104.222.145:443
- 23.254.203.51:8080
- 24.150.44.53:80
- 37.59.1.74:8080
- 43.229.62.186:8080
- 45.33.35.103:8080
- 5.9.128.163:8080
- 51.255.50.164:8080
- 62.75.143.100:7080
- 66.209.69.165:443
- 66.228.45.129:8080
- 69.163.33.82:8080
- 72.47.248.48:8080
- 77.82.85.35:8080
- 81.3.6.78:7080
- 82.226.163.9:80
- 85.132.96.242:80
- 91.205.215.57:7080
- ```
- #### Epoch 1 - Spam/Stealer C2s ####
- ```
- 31.172.86.183:8080
- 104.236.185.25:8080
- 50.116.63.9:7080
- ```
- #### Current Epoch 1 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+
- 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ
- Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
- ```
- #### Epoch 2 C2s ####
- ```
- 103.255.150.84:80
- 103.53.44.20:80
- 109.194.50.231:80
- 119.15.153.237:80
- 119.155.153.14:21
- 119.93.243.2:50000
- 124.123.42.93:80
- 133.242.156.30:7080
- 136.243.117.85:8080
- 138.201.140.110:8080
- 144.202.9.18:8080
- 147.135.210.39:8080
- 149.167.86.174:990
- 149.255.56.242:8080
- 162.243.125.212:8080
- 167.114.210.191:8080
- 173.255.196.209:8080
- 174.93.130.148:8443
- 175.100.138.82:22
- 176.63.173.71:995
- 177.230.108.144:22
- 177.242.214.30:80
- 178.152.78.149:20
- 178.62.37.188:443
- 178.79.161.166:443
- 179.14.2.75:21
- 180.150.87.75:22
- 181.39.51.243:993
- 182.176.132.213:8090
- 182.188.47.206:990
- 183.82.110.170:53
- 186.4.234.27:443
- 186.85.38.31:443
- 187.189.195.208:8443
- 189.134.78.42:50000
- 190.112.228.47:443
- 190.193.18.37:20
- 2.50.4.159:443
- 2.50.52.255:20
- 201.220.152.101:80
- 208.78.100.202:8080
- 211.63.71.72:8080
- 212.22.215.140:80
- 213.14.166.152:990
- 216.98.148.156:8080
- 217.13.106.160:7080
- 217.199.175.217:8080
- 37.211.38.50:80
- 41.169.20.147:143
- 41.220.119.246:80
- 45.123.3.54:443
- 45.33.49.124:443
- 5.230.147.179:8080
- 50.31.0.160:8080
- 50.99.132.7:465
- 58.65.211.99:50000
- 58.9.168.7:990
- 59.103.164.174:80
- 62.75.187.192:8080
- 64.13.225.150:8080
- 67.205.149.117:8080
- 69.198.17.7:8080
- 69.45.19.145:8080
- 69.45.19.252:8080
- 75.177.169.225:80
- 77.56.253.112:80
- 78.100.187.118:80
- 78.186.5.109:443
- 78.188.7.213:8090
- 83.110.155.238:8090
- 84.241.10.111:53
- 85.104.59.244:20
- 86.99.35.122:20
- 87.106.139.101:8080
- 91.205.215.66:8080
- 92.154.101.154:50000
- 94.130.35.140:443
- 94.76.200.114:8080
- 95.128.43.213:8080
- ```
- #### Epoch 2 - Spam/Stealer C2s ####
- ```
- 198.58.114.91:4143
- 213.136.86.219:7080
- 91.205.215.10:7080
- ```
- #### Current Epoch 2 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx
- S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc
- hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
- ```
- #### Credits and Notes Section ####
- ```
- WARNING - Some links may have been taken down shortly after I reported them to URLhaus (urlhaus.abuse.ch), because they rock and report everything
- to ISPs as soon as it is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here
- to get the full picture:
- https://pastebin.com/u/jroosen
- NOTE: The doc DL URLs are now in alphabetical order. The community lists below may contain content I do not have in my list.
- I am providing them for your benefit in case you want to parse them to be sure.
- ```
- #### What is Epoch 1 and Epoch 2? ####
- ```
- What is Epoch 1 and Epoch 2? (updated 03/07/2019)
- I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed different timescales of
- payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures and separate RSA keys for C2 communications.
- Epoch 1 is currently the larger of the two botnets (Mar 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller, more
- rapidly changing version of Emotet at one point in the last half of 2018; since then, Epoch 2 seems to be the smaller of the two.
- This seems to change back and forth over roughly a 6 month period. Despite having unique, unshared C2 infrastructures, these two botnets have been seen
- to move bots from one to the other and show similar behaviors, seemingly controlled by a single entity/group, e.g. going on breaks in the same
- time period.
- Here are some observations I have noted since I have been watching these botnets:
- - Checking a document download site from Epoch 1 will deliver a document that is different from what is being delivered at the same time on an
- Epoch 2 document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets (the five payload
- URLs per document, as listed above) than those being delivered in maldocs on Epoch 2 at any one time.
- - Document hashes change every 10 minutes on both Epochs while distribution/spamming are active.
- - Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- - On Mondays of every week a new set of document download sites, and usually templates to accompany them, are generated early on
- Monday morning/Sunday night.
- - Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
- Epoch 2 may have a document hosted on host.tld/B.
- - The RSA keys used for C2 communications on each Epoch/botnet change every few months.
- - Binaries for Epoch 1 payload sites are different from the binaries for Epoch 2 payload sites.
- *- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- - Each binary has a hard-coded list of C2 sites unique to the Epoch it was derived from.
- - C2s are never shared between Epochs/botnets.
- - Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
- via C2 to stay ahead of AV defs.
- - Spamming activity seems to cease on each botnet at around 00:00 UTC each day. It usually starts back up around 07:00-08:00 UTC each day.
- - Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- - The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA key. HINT - CAPE Sandbox makes this
- easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- - Changes in behavior are often deployed to one botnet and then to the other, as if the first was a test. This has been observed for obfuscation,
- spam template, word template, document type and even payload.
- If I think of anything else to add or if anyone else has any suggestions, I will add them here.
- ```
- #### Community Lists ####
- ```
- https://pastebin.com/nS6FBEDJ - @Jan0fficial
- https://pastebin.com/Xd6M9J7G - @ps66uk
- https://otx.alienvault.com/pulse/5cc9fa2541698480d8b9c914/ - @SecSome
- ```
- #### Credits ####
- ```
- (OC from @JRoosen and/or combination work of the following)
- Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
- @0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
- @Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk
- C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
- @devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192
- Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
- @pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
- @papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro
- Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
- Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
- helping out with this!
- Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
- @digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
- @urlscanio, @TrendMicro and @Virustotal for providing services/software no charge to this cause!
- ```
- #### Daily Log 05-01-19 ####
- ```
- General News:
- New Regex patterns below for E1 and E2. Moderate amounts of spam for most people. Once again, very little malspam for me
- with only 1 older generic template from E2. I am not complaining though and the less they spam me, the more I am winning
- the battle. However, other people are getting decent volumes of spam and @ps66uk had 30 malspams. Quite a selection of
- attachments/JS/DOC and ZIPs in relatively even amounts. It looks like attachments were pretty prevalent today which would
- match what we see in the link counts. See @ps66uk's notes here:
- In other news:
- Brad @malware_traffic had posted some pcaps of infection with Emotet E1 that proceed to Trickbot rather quickly. A few
- other members of the community also mentioned seeing this pattern today.
- Brad's notes are here:
- https://twitter.com/malware_traffic/status/1123661316655276038
- https://www.malware-traffic-analysis.net/2019/05/01/index2.html
- I forgot to include the new document template in the notes yesterday but I did attach it here later for everyone to see:
- https://twitter.com/JRoosen/status/1123457018558337024
- I am calling it the Navy Blue/White Letter DOC template.
- @JayTHL gave a nice summary of the URLs seen yesterday in our report:
- https://twitter.com/JayTHL/status/1123581349066170369
- Email Template Report:
- I only received the one generic malspam as previously mentioned but @ps66uk had a good writeup of what he saw today
- in his post here:
- https://twitter.com/ps66uk/status/1123683670831898627
- https://pastebin.com/Xd6M9J7G
- Important to note that @ps66uk did see 3 more reply chain emails in the list of mostly attachment-based messages.
- From looking at the data I can tell he got messages from E1 and E2.
- @HerbieZimmerman also saw attachments and posted here about it with a template:
- https://twitter.com/HerbieZimmerman/status/1123604529319165952
- @executemalware also saw attachments but as DOC files:
- https://twitter.com/executemalware/status/1123584370634366976
- https://pastebin.com/1NiyRDYk
- Review:
- What we know about the threaded templates/reply chain:(changes are marked with *)
- - Emails are sourced from once (or still) compromised users all over the world.
- - Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
- to the compromised party on or before Nov 2018 until at least January 2019 (may be up to present). I have also seen emails going
- back as far as June 2018.
- - Now on E1 and E2.
- - Now seeing German-based templates that are essentially the same thing but in German.
- *- The injected reply is usually prefaced with one of the following:
- "Attached is your confidential docs."
- "Attached please find the wire transfer form."
- "Thank you for your help. Please see the attached."
- *"Load instructions attached"
- *"A printer friendly attachment is now included with each email."
- *"Click on the attachment to open or save the printer friendly version of your report."
- - Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
- - Attachments seem to be in the filename format of *_April_DD_YYYY.doc/js so far.
- - The link's display text is customized to show the real domain of the spoofed organization.
- - These templates are pretty limited in run and not very numerous.
- Link Regex Report:
- Regex directory patterns - The following patterns were seen active today. Note the * next to the ones coming back
- or that are new. Also note the new patterns showing up today on BOTH E1 and E2. They seemed to stick more to E2 though,
- so I am not sure what that was about. This seems to cover them well:
- E1
- \/(Frage|Nachprufung|nachpr|sich|sichern|vertrauen|([DdeEnN_]{2,5}))\/([0-59\-]){6,7}\/
- *https?:\/\/.+?\/(sec|secure|trust|verif)\.(accs|accounts|myacc|myaccount)\.(docs|resourses|send)\.(biz|com|net)\/
- *https?:\/\/.+?\/(assets|esp|lm|paclm|Pages|parts_service|sites|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{9,27})\/
- E2
- *https?:\/\/.+?\/([A-Za-z0-9]{8,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
- *https?:\/\/.+?\/(assets|esp|lm|paclm|Pages|parts_service|sites|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{9,27})\/
- https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/
- https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{8,12})\/
- These Regex patterns are to be used experimentally and at your own risk but they caught 99%+ of what I saw in link malspam.
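To turn the patterns above into something you can run over a URL feed, here is an added example in Python (not part of the original report). It compiles the E1 and E2 lists as published, except that the three separator dots in the second E1 pattern are escaped so they match a literal dot rather than any character, and classifies constructed URLs (the `.example.invalid` hostnames and paths are made up to follow the pattern shapes; none are real IOCs). One detail worth seeing in code: the wp-admin/wp-content/wp-includes pattern is listed under both epochs, so a URL that only hits that pattern cannot be attributed to an epoch from the URL alone, which is exactly the case where the notes below tell you to fall back on the payload's C2s or RSA key.

```python
"""Classify document-download URLs with the E1/E2 directory regexes above.
Added example, not part of the original report. Sample URLs are constructed
(.example.invalid hostnames); the patterns are the report's, except that the
separator dots in the second E1 pattern are escaped to match a literal dot."""
import re

E1_PATTERNS = [
    r"\/(Frage|Nachprufung|nachpr|sich|sichern|vertrauen|([DdeEnN_]{2,5}))\/([0-59\-]){6,7}\/",
    r"https?:\/\/.+?\/(sec|secure|trust|verif)\.(accs|accounts|myacc|myaccount)\.(docs|resourses|send)\.(biz|com|net)\/",
    r"https?:\/\/.+?\/(assets|esp|lm|paclm|Pages|parts_service|sites|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{9,27})\/",
]
E2_PATTERNS = [
    r"https?:\/\/.+?\/([A-Za-z0-9]{8,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/",
    r"https?:\/\/.+?\/(assets|esp|lm|paclm|Pages|parts_service|sites|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{9,27})\/",
    r"https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/",
    r"https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{8,12})\/",
]
COMPILED = {"E1": [re.compile(p) for p in E1_PATTERNS],
            "E2": [re.compile(p) for p in E2_PATTERNS]}


def classify(url):
    """Return the set of epochs with at least one matching pattern (empty = no hit)."""
    return {epoch for epoch, pats in COMPILED.items() if any(p.search(url) for p in pats)}


def label(url):
    """Human-readable verdict; the wp-admin/wp-content/wp-includes pattern is
    listed under both epochs, so a hit on both is flagged as unattributable."""
    hits = classify(url)
    if hits == {"E1", "E2"}:
        return "E1/E2 (shared directory pattern; attribute via payload C2s or RSA key)"
    return ",".join(sorted(hits)) if hits else "no match"


# Constructed URLs following the shapes of the patterns; none are real IOCs.
SAMPLE_URLS = [
    "http://e1a.example.invalid/wp-admin/trust.myaccount.docs.biz/",
    "http://e1b.example.invalid/Nachprufung/1-23-59/",
    "http://e2a.example.invalid/wp-includes/abcdefgh_12345x-123456789/",
    "http://e2b.example.invalid/Scan/Ab12Cd34Ef/",
    "http://e2c.example.invalid/abcd-efghi-jklm/",
    "http://shared.example.invalid/wp-content/AbCdEfGhIjKl/",
    "http://benign.example.invalid/wp-content/uploads/2019/05/report.pdf",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{label(url):<72} {url}")
```

Run it over a proxy log's URL column and treat "no match" as exactly that: the report's own caveat is that these patterns are experimental and catch link malspam, not attachments.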
- Payloads Report:
- Still seeing E1 and E2 going back and forth between the new and old loader. The current state of things is:
- E1 Distro: old loader.
- E1 C2: old loader.
- E2 Distro: old loader.
- E2 C2: New loader.
- Everything on E1 was ZIP/JS or ZIP/DOC today except for a small point in time in the middle of the day where it was straight
- DOCs. They were the same DOCs that had been in the ZIPs previously though. :) E1 seems to be testing ZIPs for attachments/links with the old loader
- to see how effective it is. Seems like a lot of attachments came from E1 today.
- E2 was basically straight DOCs all day with the new loader in C2. I assume they are testing the new loader on E2 and some
- of the new Regexes above to see what infection rates are compared to E1.
- C2 Report:
- C2s DID change for E1 and increased from 57 to 61 combos in total. - recorded above
- C2s DID change for E2 and increased from 74 to 79 combos in total. - recorded above
- Closing:
- The new Regex patterns were interesting today but I hardly noticed because of the lower spam volumes in my personal environment.
- I was thinking that Ivan had some tricks up his sleeve but I think it was just another empty vodka bottle.
- TT
- ```
- #### Sandbox 05/01/19 ####
- (all with fakenet and MITM unless spam/secondary infection)
- ```
- Epoch 1 C2 run on 2019-05-02 at 01:00 UTC - https://cape.contextis.com/analysis/70865/
- ```
- ```
- Epoch 2 C2 run on 2019-05-02 at 01:00 UTC - https://cape.contextis.com/analysis/70864/
- ```