jroosen

Emotet Malware IoCs 11/09/18

Nov 9th, 2018
## Emotet Malware Document links/IOCs for 11/09/18 as of 11/09/18 20:30 EST ##
*Notes and Credits now at the bottom* Follow me on twitter @jroosen for more updates.

#### Epoch 1 Document/Downloader links seen for 11/09/18 ####
```
http://184.154.53.181/porto_demo_new/var/session/En_us/Clients_transactions/11_18/
http://agentlinkapp.com/wp-content/uploads/EN_US/Transactions-details/112018/
http://akuda.cl/En_us/Clients_Messages/2018-11/
http://apcngassociation.com/EN_US/Messages/2018-11/
http://aspcindia.com/EN_US/Transactions-details/112018/
http://automotive.bg/wp-content/EN_US/Clients_Messages/2018-11/
http://azatamartik.org/En_us/Transaction_details/2018-11/
http://bahiacreativa.com/En_us/Messages/11_18/
http://bemakeup.ru/EN_US/Clients/2018-11/
http://bengal.pt/En_us/Clients_transactions/11_18/
http://bizimbag.com/EN_US/Transactions-details/11_18/
http://bnb95.co.nz/US/ACH/11_18/
http://bo2.co.id/US/Transaction_details/11_18/
http://bolumutluturizm.com/US/Clients_information/2018-11/
http://casashavana.com/En_us/Attachments/112018/
http://casinogiftsdirect.com/En_us/Attachments/2018-11/
http://c-dole.com/En_us/Clients_Messages/112018/
http://cet-agro.com.br/En_us/Attachments/11_18/
http://cevahirogludoner.com/566LRATUVMZ/EN_US/Clients/2018-11/
http://chstarkeco.com/En_us/Clients/11_18/
http://cidadeempreendedora.org.br/wp-content/upgrade/US/Payments/11_18/
http://cohencreates.com/En_us/Details/112018/
http://colexpresscargo.com/US/Messages/112018/
http://conceptsacademy.co.in/wp-content/uploads/2018/US/Clients_transactions/2018-11/
http://conci.pt/EN_US/Clients_transactions/112018/
http://craniofacialhealth.com/En_us/Transaction_details/112018/
http://cuberdonbooks.com/US/Clients_information/11_18/
http://custommedia-wp.nl/En_us/Transactions/112018/
http://dattiec.net/3832X/US/Transactions-details/2018-11/
http://deliyiz.net/wp-admin/images/US/Transactions/11_18/
http://demo.wearemedia.us/asc/EN_US/Details/2018-11/
http://destinosdelsol.com/EN_US/ACH/11_18/
http://dingesgang.com/En_us/Clients_information/112018/
http://einfach-text.de/En_us/ACH/11_18/
http://ethiccert.com/8004784PXIUFAZ/EN_US/Clients/112018/
http://fenlabenergy.com/En_us/Transaction_details/112018/
http://fglab.com.br/US/Details/112018/
http://fleetwoodrvpark.com/US/Attachments/11_18/
http://forzavoila.net/En_us/Clients_information/11_18/
http://friv10friv100.com/En_us/Clients_information/112018/
http://girltalkza.co.za/US/Clients_Messages/112018/
http://gi-site.com/En_us/Clients_transactions/2018-11/
http://glcdevelopersapp-env.kanjpmbfka.us-east-2.elasticbeanstalk.com/US/Documents/112018/
http://golroom.ir/EN_US/Clients_information/112018/
http://gomus.com.br/sonsdobrasil/US/Clients_Messages/11_18/
http://grandtour.com.ge/EN_US/Clients_information/112018/
http://gsverwelius.nl/En_us/Transactions/11_18/
http://hdc.co.nz/EN_US/Messages/112018/
http://hectorcordova.com/US/Clients_Messages/2018-11/
http://helpingblogger.com/En_us/Clients_information/11_18/
http://inhoanchinh.com/EN_US/Clients_Messages/2018-11/
http://inpiniti.com/backup/xe/US/Information/2018-11/
http://iphonelock.ir/US/ACH/2018-11/
http://irparnian.ir/administrator/En_us/Attachments/2018-11/
http://jovive.es/US/Documents/112018/
http://karyailmiah.stks.ac.id/wp-admin/EN_US/Clients_Messages/2018-11/
http://keymailuk.com/US/Clients_Messages/2018-11/
http://klausnerlaw.com/EN_US/Payments/2018-11/
http://komedhold.com/wp-content/En_us/Payments/11_18/
http://korczak.wielun.pl/US/ACH/112018/
http://lasnaro.com/US/Clients/2018-11/
http://learn.jerryxu.cn/En_us/ACH/2018-11/
http://librafans.com/US/Transaction_details/2018-11/
http://madadgarparivaar.com/En_us/Transactions-details/11_18/
http://madonnadellaneveonline.com/US/Documents/2018-11/
http://mangos.ir/wp-content/En_us/Documents/2018-11/
http://masterdireccionyliderazgo.webs.uvigo.es/EN_US/Documents/112018/
http://microsoft-in-tune.co.uk/En_us/Information/11_18/
http://miltosmakridis.com/US/Payments/11_18/
http://muschelsaal-bielefeld.com/US/Transactions/2018-11/
http://nabta.live/EN_US/Transactions-details/112018/
http://natuhemp.net/En_us/Transactions-details/2018-11/
http://nirkz.com/connectors/system/US/Documents/2018-11/
http://notehashtom.ir/wp-admin/En_us/Attachments/2018-11/
http://nutdelden.nl/EN_US/Attachments/2018-11/
http://nutrilatina.com.br/En_us/Transactions/11_18/
http://omnigroupcapital.com/EN_US/Documents/112018/
http://oviajante.pt/US/Attachments/11_18/
http://parquetman.ge/wp-admin/En_us/Clients_Messages/11_18/
http://peconashville.com/En_us/Documents/11_18/
http://pornbeam.com/En_us/Clients_transactions/2018-11/
http://raidking.com/EN_US/Payments/112018/
http://restaurant-intim-brasov.ro/EN_US/Transaction_details/2018-11/
http://shevruh.com.ua/En_us/Transaction_details/112018/
http://skygoji.evicxixi.com/En_us/Clients/11_18/
http://smartcare.com.tr/smartcarecoaching/En_us/Transactions/112018/
http://souqchatbot.com/En_us/Messages/112018/
http://starbrightautodetail.com/En_us/Clients_information/112018/
http://techdux.xyz/rlbkj2kd/En_us/Transaction_details/11_18/
http://techstarpetro.com/US/ACH/112018/
http://test1.nitrashop.com/EN_US/Clients_Messages/112018/
http://touchandlearn.pt/wp-content/uploads/US/Details/11_18/
http://trailblazersuganda.org/En_us/Details/112018/
http://vivanatal.com.br/En_us/Transactions/2018-11/
http://waraboo.com/US/Documents/2018-11/
http://www.agentlinkapp.com/wp-content/uploads/EN_US/Transactions-details/112018/
http://www.ammey.in/En_us/ACH/11_18/
http://www.angelhealingspa.com/US/Clients_transactions/2018-11/
http://www.brownfields.fr/US/Messages/112018/
http://www.bullet-time.su/video/En_us/Information/112018/
http://www.casinogiftsdirect.com/En_us/Attachments/2018-11/
http://www.conceptsacademy.co.in/wp-content/uploads/2018/US/Clients_transactions/2018-11/
http://www.coolxengineering.com/EN_US/Payments/11_18/
http://www.helpingblogger.com/En_us/Clients_information/11_18/
http://www.iclikoftesiparisalinir.com/US/Details/11_18/
http://www.jovive.es/US/Documents/112018/
http://www.madonnadellaneveonline.com/US/Documents/2018-11/
http://www.maim.at/En_us/Clients/112018/
http://www.norraphotographer.com/En_us/Clients/11_18/
http://www.oviajante.pt/US/Attachments/11_18/
http://www.setembroamarelo.org.br/En_us/Information/112018/
http://www.thestorageshoppe-hongkong.com/En_us/Documents/2018-11/
http://www.tudosobreseguros.org.br/wp-content/_uploads/EN_US/Attachments/11_18/
http://xn----0tbgbflc.xn--p1ai/EN_US/Transactions-details/11_18/
https://u6826365.ct.sendgrid.net/wf/click?upn=o2KzEYxFaEgOi2ecSkFWgvzXgmkNmkeyjO0SvMcDUvknTi-2FJmZKaz5v4p6NaW4rTLgDBjn4q4rnjAQwD9-2BXh5w-3D-3D_DBq1DHZH8ABB7Um1RBEksxABnDaeYCRKYqOCdw5X-2F-2FHGpWOZGh7JDp0JntE6sNr3iNzD4Wvc4B8Z5ccc-2FEUCPII6I8bqOUVsdpTh0t3KpSiwqF5cU-2B25Kjkxzsm-2FvAqrvPLBWAD1lryNzvsicPGviTeJj76wSavlGu2hOFIxJHm4d-2BwfNpUCMf9bUi9ukJCFGnvOOTd9taXFNeqpgG8PkUoW6nIozE4JHGpAuE48mK8-3D/
https://waraboo.com/US/Documents/2018-11/
```
#### Epoch 2 Document/Downloader links seen for 11/09/18 ####
```
http://18.188.218.228/upload/319PnZk7GutdSz5xxT/de_DE/Firmenkunden/
http://18.219.13.62/G4yDVqR4TTLI/biz/200-Jahre/
http://35.167.6.44/71578FPC/com/Commercial/
http://afan.xin/2610121O/HvqD0Tg0pfDIx6EjC/SEP/200-Jahre/
http://altaredlife.com/6564E/BIZ/Commercial/
http://ardakankala.com/738598DIIIFO/ACH/Business/
http://astro-icsa.ru/FILE/US_us/Invoice/
http://ballparkbroadcasting.com/261R/BIZ/Smallbusiness/
http://bawalisharif.com/doc/En/Invoices-Overdue/
http://bebechas.com/INFO/US/Paid-Invoice-Credit-Card-Receipt/
http://berger.aero/assets/components/gallery/cache/658047FALMJ/biz/Personal/
http://besttravels.live/4223683Y/oamo/Smallbusiness/
http://bezrukfamily.ru/upload/VriQHkgdl/07TAEN/PAY/Business/
http://bihanirealty.com/wp-content/uploads/0171349CNEP/SWIFT/US/
http://bobfeick.com/8090961CZUSVO/PAYMENT/Commercial/
http://bolumutluturizm.com/INFO/US_us/566-47-624093-213-566-47-624093-619/
http://camdentownunlimited.demo.uxloft.com/DOC/En_us/Overdue-payment/
http://canetafixa.com.br/newsletter/EN_en/Invoice-for-you/
http://canguakho.net/Download/En_us/Invoice-for-l/k-11/07/2018/
http://cemul.com.br/30695Z/WIRE/Business/
http://chandrima.webhibe.com/517671JU/ACH/Personal/
http://cidadeempreendedora.org.br/wp-content/upgrade/11MGJM/SWIFT/US/
http://djwesz.nl/wp-admin/3NG/PAYROLL/US/
http://dshshare.ca/24784AH/biz/Commercial/
http://easterbrookhauling.com/91BOYI/oamo/US/
http://emilyxu.com/5AFBW/BIZ/Smallbusiness/
http://esinseyrek.com/Corporation/US_us/Outstanding-Invoices/
http://fantastika.in.ua/BR14GfgUp/SEPA/Service-Center/
http://fenicerosa.com/xerox/En/Inv-35516-PO-9O377749/
http://forestbooks.cn/68839QM/ACH/Commercial/
http://futuregarage.com.br/files/US_us/Invoice/
http://ghiendocbao.com/Nov2018/US/Summit-Companies-Invoice-04850651/
http://grille-tech.com/irTZxa/DE/Privatkunden/
http://hakimpasatour.com/wp-admin/533EY/oamo/Smallbusiness/
http://hellodocumentary.com/doc/EN_en/Invoices-Overdue/
http://hotelpleasantstay.com/4061GXJ/oamo/Commercial/
http://iepedacitodecielo.edu.co/2ZWQWL/PAY/Personal/
http://imish.ru/973815XWDCVEXE/PAYROLL/Smallbusiness/
http://investicon.in/wp-content/plugins/workfence/5ORQLVCLX/biz/US/
http://itmt.edu.ng/42767LSXMF/SEP/US/
http://juegosaleo.com/sites/EN_en/Open-Past-Due-Orders/
http://marathon-boats.com/Corporation/EN_en/Summit-Companies-Invoice-00186995/
http://meleyrodri.com/5YKRKE/com/Commercial/
http://microsoft-intune2016.co.uk/1Q/PAYROLL/Smallbusiness/
http://mint05.ph/5VCIFIJ/WIRE/Personal/
http://mironovka-school.ru/doc/US/Outstanding-Invoices)/
http://mironovka-school.ru/doc/US/Outstanding-Invoices/
http://nikbox.ru/Reke5kkZjha/de_DE/Privatkunden/
http://plco.my/v1/wp-content/uploads/2015/5938KNLMO/ACH/Business/
http://prekesbiurui.lt/DOC/En_us/Invoice-for-y/u-11/08/2018/
http://prva-gradanska-posmrtna-pripomoc.hr/54LURWM/oamo/Personal/
http://raeesp.com/4827GWQCGH/com/Commercial/
http://robshop.lt/5QGOXCWXK/biz/US/
http://samdog.ru/6SVN/identity/US/
http://seadi2.hospedagemdesites.ws/Document/En_us/186-11-789737-486-186-11-789737-929/
http://seegeesolutions.com/Document/EN_en/Invoice-for-you/
http://sharpdeanne.com/newsletter/En/Past-Due-Invoices/
http://shop.irpointcenter.com/23289HBKXSWO/com/Commercial/
http://stefanobaldini.net/components/DOC/EN_en/Past-Due-Invoices/
http://swiftsgroup.com/LLC/En/Outstanding-Invoices/
http://test.vic-pro.com/xerox/US_us/Sales-Invoice/
http://timlinger.com/4095658F/biz/Personal/
http://tntnation.com/2530719EPPNL/SWIFT/US/
http://toronto.rogersupfront.com/kyJzuMtkAWLT9/biz/PrivateBanking/
http://visiontomotion.com/LMS/question/engine/upgrade/HEu6VwUOv/biz/Firmenkunden/
http://willbcn.com/Corporation/En/Invoice/
http://www.247computersale.com/872RLSFNQ/oamo/US/
http://www.aforttablecleaning.com/403ASBTKWS/WIRE/Smallbusiness/
http://www.andradevdp.com/9267VHDJQUB/PAYMENT/Smallbusiness/
http://www.blubrezzahotel.com/xflri3kf/6STFQLADP/SWIFT/US/
http://www.bzdvip.com/yRewI1wbu/DE/Service-Center/
http://www.cursosmedicos.com.br/7385PJNZUAKB/PAYROLL/Personal/
http://www.ddyatirim.com/9168FDQFA/ACH/Smallbusiness/
http://www.emark4sudan.com/DOC/EN_en/Paid-Invoice/
http://www.espaceurbain.com/2700838EOGU/PAY/Business/
http://www.fire42.com/777MQ/SWIFT/Business/
http://www.haraldweinbrecht.com/newsletter/EN_en/Invoices-Overdue/
http://www.hotelpleasantstay.com/4061GXJ/oamo/Commercial/
http://www.nga.no/hqFjqeyKW/SWIFT/200-Jahre/
http://www.spiritexecutive.com/0X/oamo/Smallbusiness/
http://www.transimperial.ru/671VJSAK/oamo/Business/
http://yogahuongthaogovap.com/DOC/En_us/Open-Past-Due-Orders/
http://youtabart.com/038FLZCCUO/ACH/Smallbusiness/
```
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2018-11-09 18:07:00
SHA256:
e575e7efe1f1c2189b0025724cd0c80a8acddf8ad3ee04f164b70d10ef83d775
c60a396da8a15b041b850f54e80cf4432664406c6cb918f1511e81cbf5f45b55
2a6f5b16270c746dc621181648f046351cd4bd530619aa1a7d22d87b31690f1a
f3ab41e8eebf32bb1b014c11c6b71a64c82b59913f212a1bef752876cbb6cd8d
61ac14386e8fb3fba567170423b6e4158cba55c9f8b707a3a0e0b94b8faf5c5f
092a4d2638cd50d4290e30875dc0769fa1219573be4f615b3c4b5305baf8b589
09e1282c6be3bcbff501ab61fafd5b2781f3466cbdda64e286e411524bbbe6c0
e87652f1eeaf4496ff576ae06ec66feb42e1d8c3cba5cf5175ac04f4ca54862c
411eccdac0a23ed022ec8d9206efccac918d6596a2c7bd421a9dfa4da6c602de
a7784acee6777868e3d3555385efd6878a8a974ab3bdd1796cb4a4da328ef603
ed88d61390f8b51cda145e7f36802456f297e1df16a7803e933fbbcdf08ec630
d47ba3cea7d409cd559a3cb23fb0983f07038de80f962a524b2ee8ca4039e335
3bb1ebde30c0794930024aa5b71e2d4337673286bda99ee255dd893895a813b6
aebe05677da5435e100109e49957ec683928dcae691967674f0abf7bae621198
e4dc7c3d436b7322c5fc187309e00c88ec489634d7c0b6a46076bf9a18943f38
c5341933a665c348d38b9c9ebec287c91415b3e394cfdafa0b225caf246acad0
78dabb6827653439c6834f24802c396712b4c1288d409d909a897c69b466c0cd
754d508c6b6734a9816b7a65b65c85de9749353f92507edb7565c2d74a9891c0
8df14e82f725030a9f600a52590e785dadac72a798370ce97cdb9ae797f245b9
f0610a8edcb9b5c65adc14a5dd599cec787300de7f0f32f88018ebbc8f13dea5
bacd0feab2312a783f219045ef46024d70574472d1c889f15fce0cbf770cea3c

http://cine80.co.kr/wvw/qhKE5rlkR
http://listyourhomes.ca/o5qDsWBe
http://hire-van.com/6dusyh9w3
http://icxturkey.com/nE2YMAjUK
http://spolarich.com/vlJ2o3k2h7


Creation Time 2018-11-09 13:06:00
SHA256:
02ed455630207e7d6f6fcd205d5f041f7721d474e39ae6c95194952b23e63cdf
dd394aa94d9cf38ae05b4dd7692a1af655958a33b5ac55e5fbd10bdb85a709a5
552ce2c560d03c20f4cb71f8ab7ddfb86c2847e8129e8a09e885b1f0b51080cb
206f1c4fee4c4c4fb1344234c7723a95525c10be2f225072b39c9663975c1fae
fd2d35545bd7e6d6bbd51b742fc7f71baa16cb2aefd56a90da6b912199ea10f9
50c676adf299edbde321c0096e99083e08e1ae91df7366335ee39bcdfe0b3eb6
41a904f0fbccb3384f0cac45c44dd11428abb34f6c3280ec24b8c9cdc180c2b9
a369090e792f8e13b096f4d461c1b6407d8de0fa5d088f45fb24db38a8f72767
d207d1043348768094e636fdb28bf8b4e1e49cff3196360d5317aa168fa396f9
b71815756b88a2e0c9c7b004e107b895ead2eff1d73e3a4b5d7d4b1eb12c7225
f07be30c7f7158311ebad7481f2a5cc2e3f2a97a80b68882f727a0ece5356668
6bd4b3f2072f67bb90832835c91a977dead10682a2a5f76b17993c73782179c0
7f52604743302a60f667bbcaddc4dc372a602862f41bf7a741f3676ebb3cbc6b
6e7475b559f466986e6b33ff0c54896e3d85b3e6f7c04b75ca719433672eb1a4
39942a00f9a77d75652b1c3911efdad8d8ff9f7c4f2b645418c54c5bb5074e32
9c1468cf0ec8794f7a75fb8537e1a42e24436bcf63298792eb62ff55ee517f38
9f874949de45411ab799b437564babfb14560b13383b8feb6dfad4944cf0a79d
18d8a6f6bd307d67250eaccc4cc7b82f660a1923f6163c58666b969a5be18cd3
a2c5e9d10bb33c41a6fe675a5bda1be2f36b28e89f0af1cbaba6dce14f1d9dee

http://uc-olimp.ru/r7nv7Do
http://kpg.ru/EjsaGtbK
http://mitimingiecocamp.com/Nl249zmBbv
http://acryplast.ru/9FezrVftG
http://lomtic.com/PIjYc2I


Creation Time 2018-11-09 09:56:00
SHA256:
51e118fd8891ab90a1160c03cf71bdd93e1bcc724f3e8ee119ad78642d943799
d928ccae074c7691e2c754f0202504660ceb9476fb1be784080c85d7555407b3
d2b20efd72668025b8e1cf8e744bbcfca24921417df3e324b97bf5e968e849a0
07a7c52ca6ea5eef6bb39239c98e8100b4694d140b2283e25b48e786c24f2e0f
d327d338bfa8d2f01b7a0ea5da8ebc629b805f213373e77b992d22ac035ad986
b5f735f88844bb08c0d60606240e261544c5a538255b6cbab0896b37a0ae4d3f
ba582d3578f14646617e19847cd2f2cb340f24d210131ad60048b4f15548a16b
2f5d608a178096f68016d48328e4621e98d16611509d4b7ca31b65f0e70ab42f
bee74b8a216dc1c57af4c7f50b12a8ce33d0c05c64c8057d7f7999f298cadefc
0b15a15c61725f6f8f8981dc8ae068752de11018877c161bc578669fbdf65a61
4a455e0a53007d2bc3092d2ed1ba66ca53993255f154100d6e4675822aeff947
a4d420b57a6a78d801ec6dc6418c12b85035c500462766e14d3f53da1e0a0158

http://localbusinesspromotion.co.uk/wAxxlqBS5
http://westchestersewerrepair.com/JhF95qhnEp
http://tecnoelectrica.cl/F0A8dKNXfi
http://easteregghunt.ca/IYe49SyS
http://mackandthird.com/mydFt4OV


Creation Time 2018-11-08 23:11:00
SHA256:
dc5ec3b2cd77da307738fe6d7b128b18a907c6fdd1eaeaff37e82533bf1b9e06
ad43b5f73a5e60aa96c9d8751a74e6ec534ef84393e6e3200111c6615db7af2e
4d6927b417a8efaf2cb713ed67d524318991a3d7a2b8ce7010c7558c5c701ded
637b72725d419a1afec9619d03cd15e424a29d737b1226c7c7935ed71f878924
434295c8f871093b5eef62b3cc3fc3df2a2752c847b423eb214526268ede2c41
5df034d742c3765221858a12fa99009ce4121b0cb3f3275afe628e7c0943b528
b4be38fc534ef4fb7ede3956026e8e68545202132c18452088c40e738240ecfd
ebe18d6eff9cb1f094f0ceb23fba370f2c0dfbfee2909c64f61a4b267d0f2cf1
1c5da1e4809ff8083068b5495aae2c0c8fe2cf4b85ee7b18fa7ba06579509e21
af2b3dd1afe2b337ea192b9443f4368cc8c6e488d9913fe1ac64ac55e9bb49c8
fec120e1fbd22ff09cffbf55b472fe5d7e3712117070bfca62f785cad97b8fc1
741a12b3a2bc48ae7b429ea0bd15addea3580700b4402707cafe7dcab5d10b8b
cdc79aef87d547d7797c8f1950754c7943dc6da4d91604a1e43cb7f32346be73
9c334e42e759c5ca54e8e3dd100002e6373c5f1c46e2abbe5f8b3d5294e9df5f
b1a7833aa54186a9830358bbaabf16337021cc40a3c8e11625ab6e31dc8fbb9a
12e9b711e546c9c1d12719740e48e599fd299db60f21126abbcf1b0495cb80cb
82b1abd7e5004000bba19ae59e34eecae7ffc4b81c8d5db5695d3709ed97aa51
39999a843ca14921a44574da6e583ac796b4ecc132ae849a8ec08ece13aaeb6a
44bcdc56cd842e5375efc46de3024992c8b06cfb0cfaa661d898f2ee869b821b
003591243133d77d308b2aeabaa396dbb8287c60fecf6a7645771e10317d9e5f
59da97b68f8450c3e6bd14d0bdeaecfa32d61f4bcab48ad90565f94014d49527
77e3a5bc43e8f7337819165120eaaf4c01a63184f206e61a897e5a5330f6a035
10c1f5f9baabc6450aec3bcf979ac18a8cc16f9bb1b3eaa56bb7138714497130
2c1a1c2c47668064bafc2a37db3a60527068813f5865dffce44d80858d32a3e4
647421be22e4d004dedb97dddc6408ebd475d102963c7f40992fab3b5e56dd9d
6eb5a3263f2a962c9fc10e8fe64b5cea55f625e0fc72fcbe3077315e95cd2ac3
c9f588732f8250f3640df3a5b1dd41aba6847c56718f425856a289b0680bd10c
cad49daaa3ca3d7bd46b472723c5cb9b19006dd13303e2aaad0231295ec5a650
eee7617113d4a7d6efd12c71027618c908f47aa4e4e96b19f4c1805c166fe876
68e5cf10c297a7862c047d35228f9121d32a9d7012c9df0aa015e496e3fa434c
c994b1ee2952fcf4c11a83a3031b16ef939ef2b6ff8d002ab9dd8174e43d7b6f
8481620269d137b8bd05d6808d7f84072fff396f4acb2f445b2685d4ea1c20cd
12e9a9a645d810f2e198087ce972da09caa2cb228e0f7032593aac587127cac2
9f6882af874f9b46d28a1b37955a42ac69e5b74bb5f4e3a7af85db7397a0a504
ae4df3f30e27acd583ddd6a02daccb1d807212f369007de06dfecbadb35dd064

http://gbsbrows.com/JZLqJd4
http://www.sastudio.co/GgGV3mOVlN
http://xn----etbgbwdhbuf3am6n.xn--p1ai/OYRECjhJU
http://evelin.ru/fgARtN6g
http://priscawrites.com/tS6M2ffhC
```
#### SHA256s for Epoch 1 Payload EXEs seen on 11/09/18 ####
```
c0568df972d8f1190b87e964653a7c91d1c43cc0a458542b2222b2b06c4ad1e7
2a5926fb2c08e0180e74c4e0df617a9bc9a39d2a9d6e6f91201125423e5ab9f5
3589850c8d3dc8c51102b96afa51ec5785bfd879fa41b19e5ca6d08f93b861a9
d07965433e1bfe9502b2d392a8bccfbb15b3f62744a40453865f364b0737820e
0319cf516cbb4cad107a89e2cb4871af94644c6c7a3dc6ffbe0dc272c50ed20e
401e27c0cbff5a170bfcbb60aa0b1e9485430b3b6ba21cdaa79da6c426babed6
015cfdf52a615127558f9c8b95d7b0b32f26bf621adcfe624be04b1020e7e46a
5158fee23282da7ebf0d536ce9ad6ad71d4357d0d3751cd07dac206a365d66b4
db04c89d578d8796007591e2f9c5c0b306fdbf13351232bad8c9fa2acd08e050
bf7ca367cdb98a785e232d93580c79d79f8e09ab61dc3e61e87f9bd9b4026038
9ff551c66e520652a8f1e1ea832a1e361b9a4d877acf1c4fb6001366fbc2ef3d
487434c91a40357b2b9e8b8888f6523e77e6dcdd108a4eed89cadce8de0b123a
```
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2018-11-09 18:52:00
SHA256:
7e2d23d535b635620e24f4abf1017c536413f77ca8546493a2b9ae25f11f86eb
c7b873f47121ae24b337de9306be4c80d2a6fbac23b14e6a695d0b50edba0cb7
af161af031a1e5984bea359097dc06aaa0b8fc335b7451ec2dda60ad3e3f2f3d
01e850c472afd03b8855f4b8a44715df7fd402284a620e89056ace9ccaf89317
32fa3beb69c70126e8b45276e8e7e13194d1b7e6407958bbb560ac0be3a94e1e
d749daf6d0ed6d955787d059ae1d580a0e8975d8dea0bd666635cb3b4b859d49
c3868b64ecf539e28b8804e2faa4f91756d3d1d9ec46695253422fefa346a924
7fd8c48fbd029f40fb5b536d24d059fc37788aa2f2b93b5b5a7b49221d61f5ae
148a38244907c004618b5a212ef9a21f10ecb68ea8ae3c30a2bcd4a33f83eca7
9803d459845d0c4968e8b717cf9345da56ba8c15d16eada35701d43a9134d89d
9988c4bbb8322e6e7371a313ee3940a396588381022f75344d02b78edbd5a331
4e142e3a6aadf1564f3ab92fccbe5ef3055f48f6dc0946fa5f67acc4d696b7fc
41b799e51f36ec8737f53173e27c0ff5ba9b167df0fc1e474956373808bfa72f
4b6c410f19b0aaf157167476564aa47d55f0503428ecc53f4229781a36d82737
99c52c18e6812d56b4766477e7d228a9005f4c20ab4336ac297f3c267f35a3d2
613e1d5d00c2a221ff43d4a6599736275c7b70bbd8046fa3c8674a47952bf0ba
98b203a052aa0e7d018ea8cf5936d0c82fb7bfc759b97fb49f085232db5b996c
8fc87d3eca17358f80bceada2227d139aad685ad0874af2beb5ea897cec61d45
eded1980695bbcbbfb137a944752dfd7f3c89311e8b2b748abde96b4c28c240f
f1d0a88d3502a917ad8dd9fb365438681cb25b67a1f4570d924a1a927504175f
e734827369a818fecf638043f51a21f7825160213983b90561db2222ccbcdb8b
caf792cb34bef4fffe1cbb21f7cdd268772c6174f1a84507a60858e8bd32a07e
f6db8b732e8ec59b1ea982878f9ac9671c82ec6c224f973f299cdfba4f058af3
005dd718153018dc308c9ddf9e8b539dda41db1b07be284bad5adda272bebc9c
18d275e6a111d57526605000b1f370ee3e6bc22ef1cb2c9622c565e81c60a9d2
eb0f200eee9ea5371278ed9a03d9b3ff643dc9d046531f8fcf1c7c53233c8051
24db39195a2185eb8f504fc8d2c445b9219c041c2285b2c2e13ec20258300acf
f998d64130c771c729dddb768306109547298ae7268b2155a7b2f528fe773374
848ff9c6222e3252ccab94e45a93361572224ea3a4139fd647518c1185fdf2bf

http://www.coronatec.com.br/wp-content/W
http://inpolitics.ro/66e
http://trackprint.ru/zxNBPM
http://moscowvorota.ru/7
http://dkv.fikom.budiluhur.ac.id/TSFMf


Creation Time 2018-11-09 16:27:00
SHA256:
1aebfb780136439c31d8ae0cfd38945c7d66665a65b7b7aad5e4926ed5827c73
9a277530f9772af8103792b4eae0607d6403b03f87e7effc0d0c797edfba2162
7fce4b5faacc3b91b85751701283657bb9482de41f53cd2342ec727865d748b6
9c0bf5617ef6a3ee5f9a753fbaa7e270ab1aa6f35fd3f2ba5d6dc8fe9b7fc586
2af0c7f15b2f0626648b4331c1d0925f1959b5d58d83076b115ab3a0148aecc4
bafe1dd3161a8ef8c0a25ded70336cc6108c26030590a01b38e61c2f7abdd95b
c283616a96516c69b09172597a7c6add79e8c9e7db87f7cf524a6493126642d9
184d154b7350b9bb470d8b1119d2f92720d6b9f735f3f7aaeb601661927cd956
3d956e3909a691e52d29b9369bc4556013c9997b4dccbc237cfcc36272f76ba6
776818d152d0535b8f78f5d5d44be8cf5e69b641182761e7c3009c1c466e0add
60c17dc600c05fc34a7ac198d6ae84f56c45f10dbddbb2f03420e7b0201d40f1
7db80a0daf75d9f25b0488cbf9684071c7fa55b9f526d05ca16c4139591b0000
5f01d5ce28cd0f4d4daf8cc1748e3597d1f09c239194223f5226df7bafe472e7
b8648bd7f07ca294a6b1813598125b4da904b08dd6915920708c31a5db6a65d9

http://ers-technologies.com/NVJRl
http://www.rockwalljobs.com/OQQmLbNv
http://brownboxbooks.cz/CutIlUfT
http://breezetrvl.com/iMi
http://luxusnysperk.sk/gCyuKy


Creation Time 2018-11-09 11:37:00
SHA256:
676610f32bdae1726f6f244ca4e0bc2bbcb421e3404ac2e4fc0ece009a590f07
6775d1adeb6e369cce722e0adf240f2fa55cfa04c04bf338eb705e9fb9bbda91
350ec37cc10ca6e5a97015ffff87506403c27f2149c9fcddb3e35982aa5f6372
1f65add65f744000d740459d977f11a50e7b97a3ac28ca17042d60f1d1efc514
4199c2898fbd362f1a2137db0cad1e9567fbf129c886ee7d5371c3ffa18ec564
ee7d3da4db52476053d779ac2767579b6c1daafb3c79a617a5a5f108fd7243fd
9c6289f4437632097d9f07991437e8a31569dcc612077084b261f954a4314a4e
54b3c60f7fc303d4422d6c76eaf4502fa9d69d0f12d34e18620ffb03e50c2699
c0cdad652c8a20af3c2cfe9448967fae0a5d693a5a95eda42762c0009fa171a6
72a7075b8decd17a1b4780ea442f5df6804f4a28ba3eecd1087b496387f57ed3
aedb3c16d7b8ab40802b0bad03df904b6d05279996e75f364487bf96ad48a64c
8c48eb91c6f32db18c3462b7f39ed376dbd93694933ab68b83407701316dec49
93f5190961d11b48824ad0564f5a21ce4cbe1e1237d2a71348ffcc51ccd57f77
5c5d2e17e36020eb14b1c952c31f71186fbd8372ed32765e20d2f7c0df36faf1
a8d0a54d290ed4edddcc377b76ef243b13852889d9cf9f07d2f827d22649d3a1
82c1ec61a9a238f49238d8977023ee1bf9b811fd9e3b107ec71595ba060f9d33
58b8ae91f730220ede1021f834a47133ab50aad2dce470b82d9bf9e3b67d1b14
7bb9b2d3805dc91dc61ecd79ebaf09eed53ae5b5e909c2db1d30c078ab6d235c
2f675c31e758a9611d680399380c9c3e052aee1b3c4a045627ea4ae072850dc6
69e6cc1cc28dffd3eafe4815b3bda851aabec3209fbc64602d46abc39336eff1
5e9cb93cb3e284b20d72aa87c29e64b48a285e0e58762899e36f992bab6d15cf
fb546088ad6eb07ea65e647b9da823e217d6b6b03e1138124a403ac386179ac9
1d199cb4bfd090a6a39b8720a55c70d332ef70c0f705d41323283d579d6f8ebd
c3fd234cb3ebfc5ee8dcddc4782064146094a0aa5e406a58c6f7daaba9e46f5a
2d45ae872e98ecc6252dccb8523b5d596adf079e6c99d4fd4ae434f559e80d7b
1c784cc70cdae9ffe5836773b61e1d674e21c2427d288bf68654d2816b701d39

http://weplayacademia.com.br/yvVz8k
http://aulbros.com/6
http://mgc.org.au/jx
http://gtalarm.hu/r7u
http://www.sphm.co.in/K6Rz


Creation Time 2018-11-08 20:38:00
SHA256:
b2132ab94f9caa8d2a9a78d8bd70ecda3d2918d60f275f0c6008e2bf5273e372
7a7a96dea01318105b9ca22bb0e951f9475c1d0573fcbeabc33e10fd1ab56c41
3677d37591f1a59159148433597d62de74c57d7705efd49dc0d6b6eb479f0e79
6bd4f428ceef7432754a8eafe29818dedb0368e80b69c51ad6d05b06c3836830
4c51155d3a2f690a4ea359c7cebe8dc24fd45d489031ae7f8ff6f5249fa5d888
4dabe4dc761d6059e45192eb921df2985d074e745f10a458fe00748b6b4c9626
2603874b99d565b0fd36e308ee2c1d8de9ada18b33885f4f432d5fff4e79a5a9
9e6b715349a99e708f06bd5b5d0a765742e28f489717fda7290a1c6672d9895d
ce2cbaf245772ffd96d1f26f1100a47191ec6465c31649189888f55be406b3ca
974bb04266ebb7d31802ff9ac60d5428899a7baddaab4bcca4c29e55f1791b07
a5ebce2fa96c3fe9c6a34697dbbe25ed83a21550478d77660994d759e2c77c98
e478be33954e73025e22a39ddfafabcd38f20d95b52e601d0d2156d2328e3e59
0fe82daf5749199f74f3f6085a6749fa2e91d0ba1323d33c59fa4ab0bc82c23a
3329277ebc13bc45cd40c28b51e83c382eb36598a931f9861d7b1ecf402a8a2d
a02b1b73c586228031f394dee8e4fe338f2c1a08ed57e16168d095903d3b8e64
638490afb37f15f79dc33a1ff2f5b81026ccc021d61cbc585aeef5df54175d75
ace08d522b61d893ee9bbfbb1a8477b66042de77c8ec82061993972054670004
4d6da5e8af73d60e45a0bdb8484eb0d241dad34207104c868d5e7b153d591661
826061b8c0ceac3eeb5124e019fedf53f55ecef351736b82a6930137b4b74bab
ae81a753323c0f9879a3f01a81fd3d1a5cf034241327430b999d99b55373f678
788f2664d8d90cc23b7b0f987112fdd80c54de4ba9566a5714392b7fe0208fe9
55424d3137121477ae8e4b62fc854986e55e79c1560691cf27a2f9a42163d6b3
b4da28a1621ea5876ecc11ece53f9ff98547b8869a6c9ee7d067d5f9e40050ef
ed4e49dfa9693a493270dc8c7e43e74764a4b8d73e5784ac84644d983d97dcf1
644a3adea5693680ca5d217ceac61a9362cb1dc851c3c1a121c886bf777bf97b
ff75dbd9b1ca0614fa39637d69651e9397605569bc30d243e8a417df8fbe4573
4abdb5fd9bed9c55ed62f4364d3f98217fddbed8ff5a5f0a5952068c8dec0392
65dd0a961c79c34ce6bbd6a9433a44f3a44550de1d3f53af91c06b45918e090a
6977d4ede9f6b977fc508bbe6ba2c8c016041e85df7b6344394685cfa99fec87
f450368e25cb33035db9b9f53b6616876a3cbba23b2ffed79db86a53e9d0f7d9
703f619bb48b60b91ac18d8ba1c1f3f420c12da675a24c012913573ed4825235
501eed07ad571ab363ec2f2a8db1cfde8ce5e76eef5e0ea9691c139fc73d4073
16d47699c91fc66ad6350f03502f7c9b15dba5874ce8b441b1a5322f82a4033d
2f555628139a56bb01e32db231776cc6b9491d4c06b71b8e8f9ab1fbe7c673f1
30231749d01e4d16fb6f17e1c183cc84e935d3333240ce72d77745b38d5df307
bb907b5c67f138a7ead1754218d4b61eccf3101d9b7a609b83bbb945303047ac
8779752ac01fa0d3b348b00da3bf361911b99a2838f960226e84f260acefb599
97b006e48fc5f35ec402eccd38df13fff9f9ed20818f94659534066ed793a272
c731aead9936d12073ef929d67a653e5c59fdcc8f309d8b0db4e5b93ebf9f7a6
c34f4ec745ba8d3db5f00f7b08df0406c50e69d7aaf3fa61f197e54207ba4ea9
9ab9f92ab6ba6aad05e39eed466cda84b56c209df92805f4b3ad823228390739
d9425a1610eb04f4ba2d32411720a55ed8320512ecf5fe22a018c070c036b21c
afb0c782a106e9f6f765ba8e9ac9de942fe5a02a2eebb686764552024c8c8e66
de297da302bc78c159b7b3567718274dff764e3754a9be3722832548868a942b
29e6629b29e8bb933b7bea30c8a822514d6ecf0e319011f7f994de1e7213ff9a

http://ipuclascolinas.com/8x6SFxw7
http://spurpromo.com/b9eYIWM
http://www.secretariaextension.unt.edu.ar/wp-content/bK
http://tellytadka.net/waOaTDz
http://elom.su/v
```
  519. #### SHA256s for Epoch 2 Payload EXEs seen on 11/09/18 ####
  520. ```
  521.  
  522. be2031651fe7d2b573cd5f083f3b661ce28346e9c078a8497574f96307739263
  523. fc1bd3d6c8ff54898faf957b3da7959e7fc9c17d5d19047ce59cd886aa86c9a2
  524. 62b9ce5605454260773d1dc35f57886658b7fde7f75a0229c63de0c3518a68ce
  525. c99753ddfcba80ec89bab83c59f074322cecdea193fdd3adeebcbd4e21d3d4e6
  526. a921fd5974bfcc9b7133e30ef3ba72bb85f1eb02ded26f52a7d1bed576a6de93
  527. 43ef00b152c732b21f2a9014c1eaf79dbfe371ef02b131b757b8e8f3539f1b33
  528. 045c113512d10564863cb217785d6ca4a81e42f7e4b5dc925d15c18065ea47ee
  529. a616b6993de830c16c15d2e41744b0b70b91a812e79259d4e01d11ba03de0d9c
  530. c65ba197bd4af6cf717a92e2c50ae9b84538232604fd9b5c18a5c32d9651ba74
  531. a7a4bec0a3c9b6539ea826c03eea01d4dc41300ec798b43e5ae08da7f2c12d7f
  532. 2806d454cd5c4565ddf2c2de001121c6dcd99fb56c2a4f0a663abc20c436ea74
  533. a67915345f7a32e7c40c51469a983ae18b731a658c04e370f2674ce8246c32dd

```
#### Epoch 1 C2s ####
```
(Port is 80 unless noted)


```
#### Spam/Stealer C2s ####
```

Pending

```
#### Epoch 2 C2s ####
```
(Port is 80 unless noted)


```
#### Epoch 2 - Spam/Stealer C2s ####
```

Pending

```
#### Credits and Notes Section ####
```
Updated 7/13/18
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture: https://pastebin.com/u/jroosen

NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list. I am providing them for your benefit in case you want to parse them to be sure.

UPDATED (08/31/18): Epoch 1 is back! For several days in a row it has been on the scene!

What is Epoch 1 and Epoch 2?
Epoch 1 and 2 are two distinct chains of payloads that I have been tracking for a couple of weeks now. Epoch 2 is currently the larger group of hosts and I think it is the main push of Emotet. Epoch 2 WAS a smaller, more rapidly changing version of Emotet that tended to change the hash of the document every 45-60 minutes and sometimes had new payloads that fast also. Epoch 1 seems to change payloads every 3-6 hours now and hashes change sometimes as fast as 1 hour. Epoch 1 may now be the development chain but I am not 100% sure what they are up to. Checking either epoch host at a point in time will deliver a document that has payloads that are different from the other epoch. That means epoch 1 may have payloads of a, b, c, d, e and epoch 2 will then have z, y, x, w, v. Sites sometimes move from one epoch to the other but I have never seen the same exact directory go from one epoch to the other. It is always a new directory for the change in epoch as far as I have seen.

```
#### Community Lists ####
```

https://pastebin.com/YXqGDFsR - @James_inthe_box
- @ps66uk
- @pollo290987

https://pastebin.com/XeX8P4Cp - @SaurabhSha15 Spam templates
https://pastebin.com/DDXm3CTK - @SaurabhSha15 Spam templates
https://pastebin.com/m57e0mHf - @SaurabhSha15 Spam templates
https://pastebin.com/8GbWqcL7 - @SaurabhSha15 Spam templates
https://pastebin.com/TqSkGD66 - @SaurabhSha15 Spam templates
https://pastebin.com/8MwuJXzk - @SaurabhSha15 Spam templates

```
#### Credits ####
```
(OC and combination work)
Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, @0xtadavie, @Bitterman59
C2 info - @unixronin, @MalwareTechBlog, @ps66uk, @Techhelplistcom, @pollo290987, @malware_traffic, @0xtadavie
Payloads - @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz, @pollo290987, @malware_traffic, @Bitterman59
Spam Templates - @0xtadavie, @SaurabhSha15

Special thanks to @2sec4u, @unixronin, @pollo290987/@ps66uk for creating scripts/servers/infrastructure and helping out with all of this!

Very special thanks to @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch and @Virustotal!

```
#### Daily Log ####
```

They keep changing the macro and trying to throw people off in the maldocs. Spamming really slowed down today and I got fewer than 24 malspams delivered. E2 is now sending PDFs with links inside when it was primarily E1 doing it earlier in the week.

```
#### Sandbox 11/09/18 ####
(all with fakenet and MITM unless spam/secondary infection)
```

Epoch 1 C2 Run at 19:47 EST https://app.any.run/tasks/250bde99-0091-4f5b-9106-45591029013a

Epoch 2 C2 Run at 19:57 EST https://app.any.run/tasks/d62dbe16-fdd9-40c4-af85-e40d9b33c95b

```