jroosen

Emotet Malware IoCs 2019/04/04

Apr 5th, 2019
## Emotet Malware Document links/IOCs for 04/04/19 as of 04/05/19 03:00 EDT ##
*Notes and Credits now at the bottom* Follow us on Twitter @cryptolaemus1 for more updates.


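The sections below follow a fixed layout: a `#### ... ####` heading per section, then either one lure URL per line, or blocks headed by `Creation Time <UTC> (<variant>)` listing the maldoc SHA256s followed by the five payload download URLs embedded in those documents, or a flat list of payload EXE SHA256s (with a `= QBot` tag where the dropped binary was not Emotet). The following parser is an added example for this page, not Cryptolaemus tooling; it turns a paste in this format into structured records so the hashes can feed a blocklist and the lure links a proxy rule. The `EPOCH1_LURE_RE` pattern is an assumption derived from the Epoch 1 document links on this page (every one ends in a fake path such as `secure.myaccount.send.com/`), and the sample excerpt is constructed from a few lines of this paste.

```python
"""Parse a Cryptolaemus-style daily Emotet IoC paste into structured records.

Added example for this page; not Cryptolaemus tooling. It relies only on the
layout visible in the paste: '#### ... ####' section headings, optional
'Creation Time ... (variant)' groups, SHA256 lines (optionally tagged with
'= Name'), and one URL per line.
"""
import re
from dataclasses import dataclass, field

HEADING_RE = re.compile(r"^#{4}\s*(.+?)\s*#{4}$")
CREATION_RE = re.compile(r"^Creation Time (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \((.+)\)$")
SHA256_RE = re.compile(r"^([0-9a-f]{64})(?:\s*=\s*(\S+))?$")
URL_RE = re.compile(r"^https?://\S+$")
# Pastebin prefixes copied lines with "  12. "; strip that if present.
LINENO_RE = re.compile(r"^\s*\d+\.\s?")
# Assumption for a proxy-log rule: every Epoch 1 document link on this page
# ends in the same fake-path shape, e.g. ".../secure.myaccount.send.com/".
EPOCH1_LURE_RE = re.compile(
    r"/(?:sec|secure|trust|verif)\.(?:myacc|myaccount|accs|accounts)"
    r"\.(?:resourses|docs|send)\.(?:biz|com|net)/$"
)


@dataclass
class PayloadGroup:
    created_utc: str          # maldoc creation time as given in the paste
    variant: str              # e.g. "DOC Based - ENG - Upgrade Blue Box"
    doc_sha256: list = field(default_factory=list)
    payload_urls: list = field(default_factory=list)


@dataclass
class Section:
    urls: list = field(default_factory=list)    # ungrouped URLs (lure links)
    sha256: list = field(default_factory=list)  # ungrouped hashes (payload EXEs)
    tags: dict = field(default_factory=dict)    # hash -> "QBot" etc.
    groups: list = field(default_factory=list)  # PayloadGroup entries


def parse_paste(text):
    """Return {section title: Section} for one paste."""
    sections, section, group = {}, None, None
    for raw in text.splitlines():
        line = LINENO_RE.sub("", raw).strip()
        if not line or line.startswith("`"):   # blank lines and code fences
            continue
        m = HEADING_RE.match(line)
        if m:
            section = sections.setdefault(m.group(1), Section())
            group = None
            continue
        if section is None:
            continue                            # intro text before the first section
        m = CREATION_RE.match(line)
        if m:
            group = PayloadGroup(m.group(1), m.group(2))
            section.groups.append(group)
            continue
        m = SHA256_RE.match(line)
        if m:
            digest, tag = m.groups()
            if group is not None:
                group.doc_sha256.append(digest)
            else:
                section.sha256.append(digest)
                if tag:
                    section.tags[digest] = tag
            continue
        if URL_RE.match(line):
            (group.payload_urls if group is not None else section.urls).append(line)
        # anything else ("SHA256:", "Seen only in attachments", notes) is ignored
    return sections


def all_sha256(sections):
    """Every document and EXE hash in the paste, as one set for a hash blocklist."""
    out = set()
    for s in sections.values():
        out.update(s.sha256)
        for g in s.groups:
            out.update(g.doc_sha256)
    return out


def lure_urls(sections):
    """Ungrouped URLs whose path matches the Epoch 1 lure shape."""
    return [u for s in sections.values() for u in s.urls if EPOCH1_LURE_RE.search(u)]


# Constructed excerpt of this paste (a few lines per section, with Pastebin's
# copied line numbers kept on purpose); "~~~" stands in for the code fences.
SAMPLE = """\
  1. ## Emotet Malware Document links/IOCs for 04/04/19 as of 04/05/19 03:00 EDT ##
  2. #### Epoch 1 Document/Downloader links seen for 04/04/19 ####
  3. ~~~
  4. http://140.143.20.115/hgnxlto/verif.myacc.resourses.biz/
  5. http://allgraf.cl/external/verif.myaccount.send.biz/
  6. https://bitmyjob.gr/css/sec.myaccount.send.com/
  7. ~~~
  8. #### Epoch 2 Document/Downloader links seen for 04/04/19 ####
  9. Seen only in attachments
  10. #### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
  11. Creation Time 2019-04-05 05:46:00 (DOC Based - ENG - Upgrade Blue Box)
  12. SHA256:
  13. dda9dc159876d3ee1d46041fd8ee1582a650d3ff723180b8d5381d830a589cd5
  14. d95f4752f660891ce00a4f5321e8c251fda9a6f382b0fdf0fde184fe185d3d1d
  15. http://monodoze.com/wp-content/SSlWN/
  16. http://smartelecttronix.com/wp-includes/pHtVW/
  17. #### SHA256s for Epoch 1 Payload EXEs seen on 04/04/19 ####
  18. f09976afaabc6be141b6d1652a54770f946f532811544ab96825e305fc0cdc9f
  19. 902af4d2161c131f278d3fa32a5d428184ee7cba2e4cc72709cc7778f4b98356 = QBot
""".replace("~~~", "`" * 3)

if __name__ == "__main__":
    parsed = parse_paste(SAMPLE)
    print(len(all_sha256(parsed)), "hashes;", len(lure_urls(parsed)), "lure URLs")
```

Run it against the full paste text rather than `SAMPLE` to get every hash and URL; the `tags` map is what separates the QBot binary from the Emotet ones when building the blocklist, and `lure_urls` only covers the Epoch 1 document links (Epoch 2 documents were seen only as attachments on this date, so there are no lure links to match).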
#### Epoch 1 Document/Downloader links seen for 04/04/19 ####
```

http://140.143.20.115/hgnxlto/verif.myacc.resourses.biz/
http://174.138.92.136/wp-content/uploads/sec.accounts.docs.biz/
http://242annonces.com/apps/secure.myaccount.resourses.net/
http://35.185.96.190/wordpress/secure.myaccount.docs.com/
http://45.32.230.13/khabwwo/secure.accounts.resourses.biz/
http://47.75.114.21:83/wp-includes/secure.accs.resourses.com/
http://94.191.48.164/hf9tasw/secure.accs.resourses.net/
http://adultsikishikayeleri.com/tp9oayq/trust.accounts.resourses.biz/
http://africanmango.info/wp-includes/verif.myacc.resourses.com/
http://allgraf.cl/external/verif.myaccount.send.biz/
http://altop10.com/wp-includes/trust.accs.docs.biz/
http://am3web.com.br/verif.myacc.resourses.biz/
http://arse.co.uk/yeti12/trust.myacc.send.biz/
http://aspiringfilms.com/cgi-bin/sec.myacc.docs.biz/
http://aupa.xyz/wp-includes/trust.accounts.resourses.net/
http://belamater.com.br/wp-includes/verif.accounts.docs.net/
http://berith.nl/wp-content/secure.myacc.send.com/
http://bf2.kreatywnet.pl/owa/sec.myaccount.resourses.biz/
http://bkarakas.ztml.k12.tr/animasyon/trust.myacc.send.biz/
http://bobvr.com/sendinc/verif.accs.resourses.biz/
http://cddvd.kz/cgi-bin/sec.myaccount.resourses.net/
http://chanoki.co.jp/Library/secure.myaccount.send.com/
http://chemicalvalues.com/styleso/trust.myaccount.resourses.net/
http://cigan.sk/fm/trust.accs.docs.net/
http://creativaperu.com/sistemas/bodas/images/empresas/banners/secure.myaccount.send.net/
http://csnserver.com/blog/trust.accs.docs.biz/
http://ctm-catalogo.it/cgi-bin/secure.accounts.resourses.net/
http://cyborginformatica.com.ar/_notes/secure.accounts.docs.net/
http://cyzic.co.kr/widgets/trust.myacc.docs.com/
http://datagambar.club/xerox/secure.accs.resourses.net/
http://diaocngaynay.vn/diaocngaynay/secure.myaccount.send.net/
http://dorsetsubmariners.org.uk/admin/gallery/gall_images/sec.accs.docs.net/
http://dracos.fr/Scripts/secure.myaccount.send.com/
http://dragonsknot.com/cgi-bin/trust.accs.docs.net/
http://dramitinos.gr/images/verif.myaccount.resourses.com/
http://easternmobility.com/js/secure.myacc.docs.biz/
http://eiamheng.com/aspnet_client/system_web/sec.accs.docs.net/
http://eiamheng.com/aspnet_client/verif.accounts.docs.net/
http://elgrande.com.hk/xxx_zip/verif.myacc.send.net/
http://erica.id.au/scripts_index/verif.accounts.send.biz/
http://feryalalbastaki.com/kukuvno/verif.accounts.docs.com/
http://fishingcan.com/wp-admin/verif.accs.docs.biz/
http://frtirerecycle.com/images/sec.myaccount.resourses.biz/
http://gabbargarage.com/lakw7z7/secure.myaccount.resourses.com/
http://gadgetglob.com/wp-content/secure.myacc.send.com/
http://gamemechanics.com/dbtest/trust.myacc.send.net/
http://g-and-f.co.jp/photobox15/sec.accs.resourses.biz/
http://ghostdesigners.com.br/bin/verif.myaccount.resourses.net/
http://gifftekstil.com/wp-admin/verif.myaccount.docs.biz/
http://gkpaarl.org.za/language/secure.myacc.send.biz/
http://golfer.de/advertpro/secure.myaccount.send.com/
http://gosmi.net/download/sec.accounts.send.net/
http://healthwiseonline.com.au/wp-admin/secure.accs.send.biz/
http://iais.ac.id/wp-content/trust.myaccount.send.net/
http://ispel.com.pl/cgi-bin/trust.accounts.docs.net/
http://jenthornton.co.uk/wp-includes/sec.accounts.send.com/
http://joanna.joehajjar.com/5zkrg31/secure.accounts.send.net/
http://legalservicesplc.org/qinvf6a/secure.myaccount.send.biz/
http://legalservicesplc.org/qinvf6a/secure.myaccount.send.com/
http://li-jones.co.uk/css/secure.myacc.docs.net/
http://lswssoftware.co.uk/Accounts/secure.accounts.docs.net/trust.myaccount.resourses.biz/
http://madhava.co.id/wp-admin/verif.myacc.docs.biz/
http://madonnaball.com/wp-content/secure.accounts.docs.biz/
http://media-crew.net/bao/verif.myacc.docs.com/
http://mmtt.co.nz/wp-includes/sec.accounts.docs.net/
http://mouaysha.com/cgi-bin/verif.myaccount.resourses.com/
http://myphamsachnhatban.vn/wp-snapshots/trust.accs.send.biz/
http://namellus.com/wp-admin/trust.accounts.send.com/
http://netimoveis.me/wp-content/sec.accs.send.biz/
http://newsmafia.in/fj2xlpr/sec.myaccount.send.com/
http://nexusinfor.com/img/sec.accounts.docs.net/
http://nhatrangtropicana.com/wp-content/sec.accs.resourses.com/
http://noithattunglam.com/wp-admin/sec.accs.resourses.net/
http://nownowsales.com/wp-admin/secure.accounts.resourses.biz/
http://obelsvej.dk/forum/sec.myacc.docs.com/
http://pathwaymbs.com/wp-includes/sec.accs.send.biz/
http://pennasliotar.com/wp-content/secure.accounts.send.biz/
http://pepper.builders/wp-content/secure.accounts.docs.biz/
http://potterspots.com/cgi-bin/sec.myacc.docs.biz/
http://readnow.ml/wp-includes/trust.accs.docs.com/
http://revistadaybynight.com.br/sac/trust.accs.resourses.com/
http://sandovalgraphics.com/webalizer/sec.myacc.docs.com/
http://shahedrahman.com/Backup/trust.accs.send.biz/
http://sriretail.com/api.Asia/verif.accs.send.biz/
http://stegwee.eu/aanbieding/secure.accounts.docs.net/
http://streamsfilms.com/wp-content/secure.accounts.send.biz/
http://studiopryzmat.pl/cgi-bin/trust.myaccount.docs.com/
http://symbiflo.com/PJ2015/sec.myacc.send.net/
http://taxiinspector.com.au/poker-platform.com/trust.myaccount.resourses.biz/
http://teamincbenefits.com/wp-content/sec.accounts.docs.com/
http://tengu.cf/wp-includes/secure.accs.docs.biz/
http://terminalsystems.eu/css/verif.accounts.docs.com/
http://thepropertystore.co.nz/cgi-bin/sec.myaccount.resourses.biz/
http://thinking.co.th/styles/verif.myacc.send.com/
http://timehalik.tk/ofp/trust.myacc.docs.net/
http://tomiauto.com/sec.myaccount.resourses.com/secure.myacc.resourses.net/
http://tongdaigroup.com/bill/sec.myacc.resourses.biz/
http://tripaxi.com/All/secure.myacc.send.biz/
http://tristanrineer.com/sec.accs.docs.biz/verif.myaccount.docs.net/
http://tsk-winery.com/wp-includes/trust.myacc.send.net/
http://unifreiospecas.com.br/mi8umll/sec.myaccount.docs.net/
http://urbaniak.waw.pl/wp-includes/trust.accounts.resourses.com/
http://urcmyk.com/eeg/trust.accs.resourses.biz/
http://valentindiehl.de/writers/sec.accounts.send.com/
http://vanspronsen.com/test/trust.accs.docs.net/
http://vcube-vvp.com/cgi-bin/sec.myaccount.send.biz/
http://web-feel.fr/wp-content/sec.myacc.docs.net/
http://woocommerce-19591-66491-179337.cloudwaysapps.com/khabwwo/secure.accounts.resourses.biz/
http://worldclasstrans.com/doc/sec.myacc.docs.biz/
http://www.ambleaction.my/cgi-bin/trust.accounts.send.com/
http://www.arse.co.uk/yeti12/trust.myacc.send.biz/
http://www.chanoki.co.jp/Library/secure.myaccount.send.com/
http://www.gifftekstil.com/VsJz/trust.myaccount.docs.com/
http://www.gifftekstil.com/wp-admin/verif.myaccount.docs.biz/
http://www.janelanyon.com/flpuekj/secure.myaccount.resourses.com/
http://www.madonnaball.com/wp-content/secure.accounts.docs.biz/
http://www.promo-snap.com/wp-content/sec.myacc.send.com/
http://www.sriretail.com/api.Asia/verif.accs.send.biz/
http://www.urcmyk.com/eeg/trust.accs.resourses.biz/
http://www.web-feel.fr/wp-content/sec.myacc.docs.net/
http://xn--dammkrret-z2a.se/wp-admin/trust.accounts.resourses.biz/
http://yourcreative.co.uk/img/verif.myacc.docs.com/
https://abi.com.vn/BaoMat/verif.accs.resourses.net/
https://altop10.com/wp-includes/trust.accs.docs.biz/
https://bitmyjob.gr/css/sec.myaccount.send.com/
https://datagambar.club/xerox/secure.accs.resourses.net/
https://gadgetglob.com/wp-content/secure.myacc.send.com/
https://legalservicesplc.org/qinvf6a/secure.myaccount.send.biz/
https://legalservicesplc.org/qinvf6a/secure.myaccount.send.com/
https://mmtt.co.nz/wp-includes/sec.accounts.docs.net/
https://netimoveis.me/wp-content/sec.accs.send.biz/
https://stelliers.cn/demo/trust.accounts.send.com/
https://streamsfilms.com/wp-content/secure.accounts.send.biz/
https://teamincbenefits.com/wp-content/sec.accounts.docs.com/
https://www.madonnaball.com/wp-content/secure.accounts.docs.biz/
https://www.netimoveis.me/wp-content/sec.accs.send.biz/
https://www.promo-snap.com/wp-content/sec.myacc.send.com/

```
#### Epoch 2 Document/Downloader links seen for 04/04/19 ####
```

Seen only in attachments

```
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time 2019-04-05 05:46:00 (DOC Based - ENG - Upgrade Blue Box)
SHA256:
dda9dc159876d3ee1d46041fd8ee1582a650d3ff723180b8d5381d830a589cd5
d95f4752f660891ce00a4f5321e8c251fda9a6f382b0fdf0fde184fe185d3d1d
8bc92f88c849b501857e48ccde5749456072e5b1eda4c5b29c9979f6841b8152

http://monodoze.com/wp-content/SSlWN/
http://smartelecttronix.com/wp-includes/pHtVW/
http://puntoprecisoapp.com/ypb/C3p/
http://tomsnyder.net/Factures/ed/
http://themauritiustour.com/9fuc5ls/oPkA/


Creation Time 2019-04-04 20:04:00 (DOC Based - ENG - Upgrade Blue Box)
SHA256:
e154f0206b4a58a057bafe70d360b2c69236761050765845e497c40767ff76e1
d4fead67c10dee90c6c469d07f875d4d8dbb8e8f90ddb5ec9262a2dca9ec7df6
0408becd58f7df5ea7d13fd4246c49c5776ec8cb415fb611356fba8b0f33beb5
b66e8427fdb72abea4cd4ac9ab9d3cf814970e15c721e32b73c5998c8c352153
2686901e81c268f00d8212d1d2dfcdaf9f4761767056c243e1dd525ae427ecee
0f316e8e353fbc53222c2f30f5c3af6d3ef24496e8f97f4f750560f427ea8bb9
4daf94d52448f6f8750f7c5f6c853546fcbc947a320ce844c8cc5395b0a6835d
172d8215589e5d609adbe463c149f938c493cac93b5824a5e5d681dc36a627d5
b1b87e67ff24610924d66b7d4c8c10a84bef9458bf50114370f8c0933fff1721
3268b77e1605974dfce5c0b1ed9d6e9c471d4f9dab21d7b93302d18c7e5bbdeb
a541c80bbd73e2922b6afe87809adb05976a42d40f24c6186f4f3297cb9e3dc8
1a02fecf5439f8e71000a649e670d1e7370a0bf0ff7947d41de8d8e9186ba93d
4695c3b7bda90eadcc0c9a285ce30ba363cd908f4f7638b973b36e5936fbaf4d
c259bc61a1fe6dce817115f146d16f34dd0cbeab4b41c7ae77f4eefd0164793b
66a571ce0de4e6169da0fd8bcab922312798fff3c9632c090b8ab12b64767325
99d28e01bf8c73ce748f3145fffa31df32bc1706265d73b57aaa2cc37feeb691
373810f03a6c34a616a7e97c7d68b11376b82e703ea9508e7dd66a09663ffca8
6647d213c52d26299195575ecde00002e5420b89ddfb390bf3bcdcdeb2c8921f
717a84434e391b96e54406e72719cd23c08839a444946febb73630e14d2f8197
f82ca7479aa1b3b8d7f744d6dbf053bbe4c916ff2fdae3d44bcae0c03eae5a10
5ba16d607842d55eb43437b39d143058b27c26a20400b5f58e894e015331c04d
a4501780843530ae416386da60acddf20be6c9e3276ec452e92585d128147a3e
56fd0b2da378faf7fe3ce2d3e70b89faf910be25dda006c62f5f4545e7385282
d1ac2f200f28c35a6f1b145a38186d22f9e1f63fd3d46d624bdb9d7f13feb5d7
5bc40b231da1ccc4039a1cb427dc7aadf4446d860662b9287eef8c4779a11541
23cdf06a9c77129459ab6c648a8e7f4e06a62ffc240c5ef0ffd4947ce64e09e7
4f05c308b154285f28e75dd62e09e17a1946dab106137e9f233ffa0a7832326e
0e213917e0ce85655eedb2e145c4391bd7cfa9ef6e7562cc2d50687d252615c5
9adfcc92b47bdf671b1c05af952f9ee9c169b6f25a89a4f796921e2a3e6f39ed
16bbf35a00abf1139083fb20b112177a359d3bd2c9140cbd76bc33201ce29773
e4410d509dc8f2c5e77a52c6a70b1bcab8407c3875f92b2ba63088c1d71b70d5
3d03ee4a0675e72f81d44ec0033ae7bf2928dce83d528c1d7d32bf41b801761b
414a49304d83f6ffa9e6eed39db9a9045f697c2a330214acb5021cd6a77057be
12aceb6275694181738acfe2044c38996c149474b04a32a3f847d3ad4042e635
10efd7a5a2b53095bea62651d7717ddc8b2cf0ebacc4020e6a55409dc0f64940
064e6b92bb7710607cc2d4b2c3efe92537d536d644eef234e045f8625b5d3852
75f89ffea271c5702e1bda705877e46caa521d963673da41971e0dcfe29189a2
b333704153bff91625f2552600acb5821138cabc33e62f64c371d26cb59a00d4
6d06f562e239ce17e693d1be04d7877cc0b571c3e437904f4d016dc03dc82f09
0d0a14bd0570f163554d320a4045dc572f93d46eeaed181524a230a333a4e8e0

http://www.urcmyk.com/eeg/Gmbx/
http://vidaepicaoficial.com/tn8fcp5/qRCX/
http://bellemaisonvintage.com/js/qPL/
http://akashicinsights.com/aspnet_client/XqZM/
http://antoninferla.com/OLD_SITE_BACKUP/progress/e5yW/

Creation Time 2019-04-04 13:07:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
710ac9aeeb51422cbff394e3630abab3e8ad85e6d1d0e932cb10130db6e79075
59adbd6240171bba20471e539c3a2e91120dd97b9edd217a9fdb7053b886ba7e
9b9651dc0112e2ba7cc5288eed3f4bdbe71fb0105381f80435ef368a9ad3a59f
ad7d34784a3b96adabb54b0642b459ecd4a6ab84fd9ade2d0dca372ed9a29d85
54b418582326d31054cfbe536da6b62c2ed7cfce390a68e0c5d98c3c40f22feb
399aa38b9110c77b6f3feb6a89b2cdd8677981b3947fa2934f74bb4e8b456a7e
01a2dd504ac511be692a10e944b19cc4a81448bbbb8c2bc69c6b591f8776b9b6
e172516cf582875c1dee8636b2f87411840b9109ea616bd4e5c47bbfdd941587
23cdf606be8187d45aa9d20a057ce87db9d4242ff90b37c002d5cb2043f0d52a
de34a7ceed9e8fb38488de2668943f9d919136078e1f50e8e725a5b08e4ded79
cef1428d3b11dbf2ac83f5790a4baa05adb992e6861fa412ec493b3d14e870c0
ee710f17d15928642589af60d8549aadf07bb2f176c424e1e30637c89eec8118
b905c8f16693b4853b49389f3d8fb026ecccc762a8826b928126c076fc5ded54
2316d39ff29dd1387ea963301f06a8cc3922ab3a2fc95a97a06ba75d9c2d5f91
43ac704feb7b367512a66ea5df784848e67dfb1446fa157a78248961f32384a9
0864739f3ac20ca9b3b09451f1a3e3ffcce5a2a198b8d3dd74f0811ee67db617
90a4e610c6609297a82973d3720d5799a5be401f6c5d7bc9315834681d0fe5b0
a7da8032e8085979621886b18b941f4443d09229ac72ebbf9e88206c976efd0d
89e04b5ea53e135d734ac7824e2e299adbd1b0b11504ab3ff927807dc494ba4a
d870af41e629caa5a054e1f1fc2cdbc99a95f4e546aa88d8e670d8321680ddbb
6ccfba1b4a5671c0163d84bbcb4820bfa78f90f3fcacd5d3f928655e9f70ba14
776891210280d5f26643d98b198283cac87ea90b5d96994fe98573e6a7cad3f2
091464224063def0964b715743baf881119b0a56f01191242325dd58950e7dec
965d23ba8ac8ce5d651495fcfff3152bc26eef2e541fb5be55f32ccc6f881634
585378dffc9633aae783b387cb1beb885b6ecf5e889c7d1846223139271ac134
10ac09044801a9316e13af7ca607df4f4928083da7bc55177681159a1f2c8eb6
3369aed4f4033a34058dec164b892af1587e09834abcdf3ff1de143ec07ec9b6
6a7e164d5ebcffe81798e83978fcbed312ab51e604c09c50b234064ab16b84f7
6a3f65d0592861c995ddcdd479a5d7c43e747316b68b1655b2c9b945c270172e
66f581ee8196dcf34d1f17598b887573ba0a7365e8236836d170c6efe06b8cb0
14343b02a60cf70dd987db3756a2100f0d6d26e752796ee7f0b70440ba5a4732
9fd0151a31095758eb8da235dd66397571260801ae7a220efb1565603a60633a

http://adilabtech.com/newweb/O8T/
http://ersanenglish.com/backup/un/
http://doshirisington.com/newsletter/JtZ/
http://eurocasinolive.com/test/cb9G/
http://bayboratek.com/28032019yedek/Kk6Y/


Creation Time 2019-04-04 07:41:00 (DOC Based - ENG - Upgrade Blue Box)
SHA256:
8161dda3e7eb088ba152dba2b0e4e33a6d1d75e6cd051ef6608d6dc587b78d1e
b9209e841f4124e6a5e29ab955457848464f08d8d04af1d36e3849811e8d6fee
9a3e51b14a878a308168971957ddcd027caf98c12290da547c7a3c795cff39ba
75cb4cc9720cfd86d33de6a4853736d5cc207229d67921a529b312ddc27136a3
1557dd396a25760c32897f0b46b8334b68e47ae096def9ef04c0a2c94c8fc4a1
608f1e7a163ee4bfcfe72e001bc92a6b81acd898349e58af508ffd67d016cb6e
bcbf20bcc6a5b272023cb6de504cf163df4c841b9de4bb84a321ea000691d8f2
372337f06774c48340ddb041c6a0415235049648109d3d88a57c2f74b7605511
7a02d355dbcd7187fcbca30930da1b6e06f840cae706c8a58fb2f8dfdb9364a4
a400e7d21ac337cb3314ae4b915a4fead38c24110d38d39402b5221f33c51aa9
244393ee78dd9b2d61e380d2c3cbf423dd8fd3cdacaacf166b3ff0fc73c42e7d
f7987d2e74fb5a1dd20e477e1853c2f800cb9df89a99dc172ad8b03b3da020c3
cf6b69ce9cd6ac009d4aca31bad22c41de159d0461e713845233fa2cafac55b1
70205a997c7f45f73a739e3bca30eeb77fee3e34c4fdf6d550c628be87493a68
8aab3e6aacd1ed85655e4fdc54dfb28210d8dd5920e51bd9a6edb89291eb06a9
f47cf655028e2d8b1b1c693023bda4d52ae45719cde3a8da27732e53fca40ec6
1b502141c82b1a198aace955961f47c51017f5c1da46e2a72f6f73eba47fecbb
846de79ac0303f0d112488d628f7ab3a7dafaf485b48fa2e86f227b72d6a3b1f
20f91ba72b23055af90dbe56a8ce1d856e9f7a5747861f7dce96401daaa08027
bbded6b759d5a858193bb0f20491f4ee28adb6391b0385acd6209e3d69cb695a
2bc85560bf9dd14e7013cee1de0d62c8c505005b81fdd4531a0233e60cc4719a
9a0357e8be12e8ff1c62d5aa997a3b980fca09804ffe50adba85143f700ba4e6
600b2bfd26922e12966211534999376b74538716e713233197b686d726f395f6
16c43b195a311de923fea3c767c1ab05731621ce1a8b7d67dc68896a13ff56a6
d1e1020f26ddc8c35f4b8c38e71b1a1d4a07c8a5092c0d2a88196bc12cd40ce1
dd77d24c9cefdd14af00800085d62270027c341319fac07ed9571565be959d86

http://hadiyaacoub.com/wp-content/uploads/2019/6AP0/
http://grillitrestaurant.com/wp-content/uploads/aSdX/
http://cabinet-lgp.com/wp-content/d0yv/
http://fcbarcelonasocks.com/maps/aumT/
http://designkoktail.com/wp-includes/ZT/

Creation Time 2019-04-03 21:02:00 (DOC Based - ENG - Upgrade Blue Box)
SHA256:
e28a3f7f664601b483134a91e119bb156ed20942b2d24a075a427fa21f183000
a677aa9b7510a52a28d0e03a40e2ce79666477621c7d858b718cfa65be4d29d4
82946b88ca5ac3f8550ac34847d53dcdffba0c8a34ff62d3dea2afc182fe2440
8f9df0ebee05361cfa1215427e7c0ec9320293d2045b5d5e1f4ce2476256484b
13ffc59fa86288c408cec9b7834fce147cdfd462064e3bc605df8d42ed398e1e
7af8906e615fa16dbc9068ceab0bf4633d9b957c851f62b3d7c82c95fd68ca20
cf486ca9e28ebbcf38709886c240ba203c3ca596d8c86e92efd1ad9b1c47d025
72c1db1cb5edccebd0b4145f49357ad68e5f570843ecaf001dec81bbfd8ff178
6bb130e2a4ba1eb216e26f22ee0fadd247da2e64b6e11848362a7f5747e16237
506463901ec3d2b35c46d3440da8d3e1f87a42abf077bbd9b1b95a18225c8f71
da7ea362dcfaa616cf2a12ecb73daa9f6087f5a135a0ac13a2d5119a86d780e2
50f394e9b9ca8ab7439bc459b21ef08a5c3654ca49b459d113b10e05785dddc5
f47cf466eea61b2d0283056f22060a4646012146f6b29a5c76cdb67df36cfcad
7bf4a8381c111375255df214d14d009db98caa63201a82637d1a32c352681b09
91afcbd38278ce562d89502a7e3e2daa8c90bf13ff2d490ee70bac8f24233bd5
5abbce43733a9d23195776eae8ec8a27233ed72ebf8bcda12a384b38053e585e
3b27c9a4b443660f21426d9a1430a068c210f6fc757ba017f0db5143f7239dcb
9ff4c1dd44b1b9325305b092d494a3ae2ea0382b039aeb3d9ef12da894212556
23066135096bd5c5ad5e2cd13981b2091379c2df73679b465a108eb92c99cffc
38edd270739223f96a36cc1d218b873758b1ad41f9f528e753aa79acd64fdff6
62f22bcc833a5cbc03ab078a2f67c782087f2fec344502b8b4261218fc898ace
f1b1dbb226dec92d179a1e42170a630f04adcb82c199437a5172a41a86ee7e62
5fe724058139a4f7805c6887d489e15b0800f6b64d676a88531deee736457aa5
02a856b38e7c32e7387f663af577ca0e854e1f2d8d8363697a7b9ce410b3a0ba
0cd2dc09ea71e8051659ed0499960124d9fd6a0ec00699d74b0b94acf30a08b8
1232e66429c4b02677cc0839b9bb8011f3643b53d904641a2c5d14dade5e1f71
db9deefe8f744ebab340c76e7a86ed02660977fcf176bb99d50e672561ff2dfa
8793144bd36b01ff56228ab7714f0b66d8d99c60b009fa5740a21828efd2b38e
c546488c5f0a56ea6063a375ef7ea194df3020e92b724ac5f1bc14e7ea4ed9a5
5c98ef277b22eea991a7d7cf2f1e98213949247e6d451c6c8a7bb4467fe69869
0effc9bcdae3a1f1eb8f1d08f2b01645ffd8874837e2dce3673b0201eb04b840
b83fcebd64496356242238dc45665aa3f96373f3514ec29c72facc5d140edb5d
084cbedb8279ae7de89ec5aad45dac178d988ef2a95ca66c1d4ca01f4e878123
e02539b1a6600b2f408ed5987c9440f63e8508e0a27cfd27c398dc05720974db
fa2ee431e53cc46b3df21d065d45f13009d9be52a92c4bed4d011bf55304eaec
b5f6d5e337fea754bedd12a8eaaf39413cf39a65e406d21406d5606ae8142f2f
b931fc4b2118df5f33d9ccfe4c89555c15a8b53693b0b3728edb8cc1758ffe07
05f0bb601080ba05a5f5023e3c35ee49d4bfe40a09924c4fca3e0ce0c58dc075
c57f69a1a40c66d76e6a858e0077c93fc2f7524e200889a71ddef057918f05b0
66fae3eb56aa085c40dcf7654478c3aad5920549570ea215759f478698e6efe8

http://thaddeusarmstrong.com/wp-content/wRx/
http://122.180.29.167/landx-test/wp-content/aj/
http://47.104.205.183/wp-content/i7J7/
http://fumicolcali.com/wblev-6pox5-vpckk/kWFS/
http://johnstranovsky.com/96t8b-z2ns7-galcijo/wF53m/

```
#### SHA256s for Epoch 1 Payload EXEs seen on 04/04/19 ####
```

f09976afaabc6be141b6d1652a54770f946f532811544ab96825e305fc0cdc9f
d1ed72b37746595d81df3f92f2d1787ca92f7d8b17204fd7be43b4dc4e065667
40c35ebfb55d50563add462d56f4f52947ef0368e60087b79515acf9aae96e95
8a39355987dfe1be463b4a816f977b308bd86d9739963beccecf939a85289117
c21ffd9ce84244dd691f1e8badf480c62e0811be6c9ae32ade297fb56d9d0df7
0cd63331a62cd57fb91451dc2f737035489ed64cd2407cbc11f5beab49410683
1a805c50d3172a766063f6a4178803c3bd612c61f1100a0bb743f95f7e1de787
0429ed95ae28838e034e4797fe88bc6d95f3cdfd795f5297c7f1eb96b9491af2
2d607c7147dc4e12e47a9e27e8424861da22841124796a48be9ac1539c4e98aa
dc7652e5e8303ae4895391f7299b1c2f335ce0bdeb611066a6f02e6d8b55518c
631276864254605f8e472b7e75c5a257dddecfbc63aceb089bc2fe360355737d
902af4d2161c131f278d3fa32a5d428184ee7cba2e4cc72709cc7778f4b98356 = QBot
0b85c21b65aa51875a29db7a20a32f6245dd3a5fb345202698fd7e36d8d43262
f9667c6704f86b61e57ebc597885a8bcbec44d0ca3ec7b8df8b7d23497ab51b6
04dac31530b210c07b0fcf9dbaf2366ab2fe628761ac852c49ba24f3a0b12917
ed80647cd025f1a7245e039ea60f72315c8f0e2aa55eb9831c6b86bf4e711ab5
7da50faea0f60b730dc0a998a0a58f6f8579981e3d6b8f402dbb514e87d6247c
4dd971afea2515689da1fc23198f63006c8434ae4fe943dea4160b29f85112cd
f2ca53583565132a83f37ca757db244dffd15521551e1ae6dbd7293d2fd96e0a
b773636d26c80b1685357b9cefdb72f24d285ae2da1de8abd4cb2a00f4cb3dd3
df5ca11af2ebc6cef9e939c388bd5b938087deea0b1fcb9eb05a3b9d95365919
e0273528010e70f38bcc1d05bfc36b0e6565b461589b5f218d649620dad98fb0
5df61d59e75accc83e92243e2699af9d02cda9237f119f2eceaa2e4c8ddb134a
aaa07a98ed955810acb919f5090df5b386dbd3db9fd722c480f4db1a69a87c00
74d6a65999caac543df55e16fa8a12c2578c30128668950b5e4f250b2fd184a8
604ccb18532e1f3ad4c8b0b673f71dbd7d001930fb331e3c3783b025793159ac
e31cb99aa41e8e2683476111d72e43e6cdcdfcdf1c5132f3bed4ea2c10372ea2
a4603b558766e9f23e0d9941222073f14364aac6881a73aee489bf9c04a907f7
7ea23731155a9f66e10b233e4507e757c76fc9347e41f196d8d5b80a9d0331e8
dda4ec82989c2319377385f8a77add77a7f71bfe4d5074fe12dd336e3de2d71c
4226d9ee342abf6acc6e1adda00de5bb88d02fb8138253963f0a3b500df359ed
5ed3669d67bacd3646447575533b33a971e37cafac5b3b2ea5082e1d1b9aca13
12fa4a4f8b5e86dd5afb56cb95a2af080a1ec15e213d7e3de2f1069303b2c650
48e1cca7c810a7f89f2620893034f4463be35f72df4f93e97a200beed3aa651c
f87fd0f5daffcaa42471e6f25d18575ac7dd2179ba43cb82a551a20de258cef8
fdba69dc509def784dcb62044f130b63d309c3eff2e50dc5d621d95af2f2ef29
1e333e041f2f8102ea460716aa65939f624dcb9afb6c87d3a326deae0e3fed18
367bffaec62a8b1e1c5098e755530fdc57ba6034a895fb41b55e2fc8053ea5b5
68ed1eec3ac645bae311d999be61628b6f28bfcca05dcf91560893fe9a0870e4
eed20eeb3f4e4725baa74fb7c4f3f3149dad133ff1fdf91c068b0e04670df7f3
052f89bf63eb31f2d234b18c68d27ff8fa5c19d890434bb05a5cc89801a7c71b
acaaf9ef32403470568df9a9bcfc4ad250934e0cb624cbe443ecd7ca2f20a4de
a647bf1be2dc884e4af50bbc172f85551c2d2f3aefd85d706f8bd582c140d8e4
4f7a763700840d2a028813adca179628cb71e1727e367aa9abcc4bc09a316aa0
92c14bf6f5ac875385022c55113e854f4212b346c77ca72cc429db64cda27b09
edae93a836e53a629dd98066d86b0f661d354c8f32d1403ac68bdca8c278225b
9e5cb45b9ad212ce928ff0d2f213797685c0eb6c9f631a1cfe8067a5da6ef394
2771122d17286fdf7e13cc9839b11857986db3b9c90b4456781da059945f7788
2f68679814e1941dd42dc8c0d49621e202bf745aa897e973c10f1ce41128ef1e
6ab831b81903b7b424e7f79cc6ba4ea01d624acbb5d9799c49433bdbdddbda9c
f757d73f8c0011d3fe837a33ef391c6dc3bfbc46e496e50f383f7de739035ed7
6003db8d577c9190ccf9964b54b1abb316fd70ed4dc907ff94ec78ef783f12fc
51028601906ca5dc05d734587de2d08736b0980561dfe0d57015e9fad8629b2f
986120a7015b4eca58b1a5cf5d7eb54207a7d15b673d7a4d0953a0ae912c2cb6
c03407e47d3087c6703c85e7b6404db367590b09e3958359dd945ebc84ad1dda
e020e84fdb3bbb3867ee34fa8bb74d695407fed6a51c931edf3aa901865b343d
5e6750fc44a680a85049ee4ad42ead4880c476fc2a4d41e35614633f19bf01e9
5c49d9c647a15ce82fb54140353561d1408148facfab93bf60029634ff2ae18c
1d8a22c0aa9df050120a081feca36070441aa8ec9a128372287f2cc22847cf03
a42f796441d3649c66b24ff19dedc94b41a7c2f053bbf0db474e244f37915d1d
9f786b89210e01fb088da6b935624b170e38005fde0f14b54d387d3ae0afef79
ca0f1d428b3bdb63a52ebcb6160ce267b0225399684dc8f3d7c3dc51063cbb62
1e797be1adfa66dd738ac024c48153803e2cfe49d60741dd916b646ab7966264
281e68ba5dc3d6f665266e9f0247c593a3a0dcce6ba3f2b943c166580acc49a4
6f129989e02b7c64206d4bd34c60c7df940a2261d4318884eb33427e234430da
934e8ceab25d0081c7b7b0ef5cea3499e0c7bc4d25f963c0a0d38293618e0440
d02f31795d1b62ec15b14da09b1097ef23c3b4ece08476d517d035106cc46232
1e8df97fef108cafdb8f0b6e777de34ae9279a86c8f8b674446ad1352f042f5a
87c6c12c6917c14c169bbc2f366fa66cfd48d1c74770e412d56fe5f6f40af97e
d77276b14ab55dac7f588c8d5c7a3ab86f51fae0aca5e786f70b03530fe75bea
b8148717c3d31a7f92d6fe03636937224489bd462ff2696821ded729dec10321
bed9f2f83be42ddb7117215b9f5b7792b707b5316bcbbb9ccbc2efeda0ea8fee
8c07b1387141962b5d1e4d28801258d15555ce5807e865b9e3eac82a74b0fc56
210a510618d9e82307e3296e71ad0ee4d33ea3688563d442544b8d21c1c62425
5a4844d30f726e9212096b175c40e161260e6afa6c0518057d73afc7860bd263
43904e9813222bed8584c2c002996c54b78884fb49d866fd899557aa59da7386
8530271b5f711acd025bcbb41a8ee9d8f06b44e9965fcaef0afe928af3b53648
9e90d7b7182326bf086d43071a9bf1a67e1673dd7ce1433f201266608d9beb51
656b2e50100a9d729d959df457b0b7dbd91dabd32ae055f28ecf73953ad5e84e
a504ea29b7b574223e3d022bf87c69d9b07057135a9e692f363e9eb6578282df
2fe9c4262f6b79d4c2edcc2092d559e328b9867864068609b07bb686c0d02b7a
52f7b419b87454a43714539d51db93d9e0a6133f90a8051dba646d0a2187d091
ea48a0f6b82ab57c7fa84d217c8b28924d4001ceacf728f35ffc42e625734803
07709734f4f0e119f199d766cb8f29bb1be9952f4ebb61970785aae8c86f2ae8
586baa468d69d51fc1285db51e74d8474e7170eaf1564eed5099464cf09d027f
57e8dd14d8655fe64360e108f555717e9b2eb0a40a21f5fbad7ce145d2e9ec78
756ae521f7403e3b03657874fa6ebef51d3a3b3cf27382ea7829a28e0f40adac
ae88937976f2ddd171e5a69269625d18135563ca405672333ea0f652bc4c4858
12bc6429e6894090e17bd84339e50cbe00e224ba8d1d975974d2c38d95ad61b3
8df50962faa9f4cc582b7029c391977c94888da61d67b25ac2613828f6994165
4a246b13f50b0bafc9678e7b43403096c591e1e43fe8c5538405d3b567e435dd
00b560cfca86cde2d56a2f90ecb24c60b31771170cc49c46caea47ff9a398256
ffe024bb24545e970ec93446b0fc06591554e4d14d7f19599819747d5c759c75
26c30ecbd6dc914fa8d0c484bbcbcd724a02b73fd3ebf7ac612fd43e67da7d8b
fbce45bf8161ec905c87607ba1126c93d55c728d3ec1a321b3c339520ea5cc48
de0a95aafc6e4ab915ce61be7f8a7c883644c9d8be0c1a8b1406da8747875f86
965ecdb93658964e0e986206a4b22caf5dc00e45029321fa27a1ba2b5dc19f27
5ec9700598a686a7e82a03e9b4a1c79741f8552cdbbfe1ee97604dbb3a827bdc
b9b9b84e4d2d6eeef48cb78137f3edbc926716c26445277b3bee921a68bcf0bc
62371a6dd6bc450cc8912617b1bbbd4d343615b69a9790f0eb78c1ef35c9dd02
2865fc219f74741efa9ba29cf0a291189c15837069be875eecf9dc85fe503f86
1d8754f013dae30dda787083100a8ca751f3776a827f5f1349160e8aa9798296
00614ec3544d89753b77a3a25d8876022730f46f3c69b98d45bea9cffd20fdda
5cbfdb8880c4ff0a81049816ce2815cd26cfe8741ec4abb207df9f112c2c2edd
d7c88afb406a8816ffc49aa4cd70bc1f9c9cf3da3c4818d3b875bb255d55d94c
1e94aae6c4a484402b1cc49b261864132b9a8429089975851f22a8b536cb4c02
e72db44ddb5de6e6d51d12db942afa68423f8aa28a08dc30bcde4566369156ee
cab8262908300dabfde4f71e4b18b81cb9e4f3bc7d32c47844c3c2a8ed02eaf4
01f0dd46bb0eaa08c2e7b45ecc12a850c15345a7cfd860477c49503cd60b09b7
3b02149f5678c56bf4ab98b27f5ab9b85a9301bcd1b14b95e5505e8271a4765b
eab1cfaab63dd2eba4856bd4bd34f15526e3da5841092a84877b721d0d78fae9
60777e87fa3c6b961f02964a54d9cf8ae6904dfe5329c97614ad5d04a74d43ee
a97a4e0b8a1da8c8ae5391c9f6a2ad941602b5cf168c3f7adbdbc8a721d1e610
1c8d998c525c70adae1d5abe60c84fbd688f703731793c3d3a4e736dba919029
435800170bc792e45714a5ac946daea0dd8784629023fad811f2a10400af7742
418076336f4af6b32efe73bedd4b7025ca9bbbed20d8ca9d4e6f2d67f05b8450
b04aaa6d8143093bd86fddd36edf79ab21b5475f2592a84064fda9ff8b51fc8d
b0db4a645bd103828392525fd140907161d34bce3aa8f059edb3d1b171e1778e
6a07042724bb2dcfbf8751ff346826230887a41d39fcadff2074c087903f1237
3e8195d276998585c06c5973c487f58f12273e58c509f2d4ca6c2499dea2dec4
17f295c3d196c1e407826c39db2bb37a92e776877a1cd5137aa509da564e78ce
a0442947008c37e919ef17c6b043d52a21641117afe7164eac782ddc937760ed
fc69773d67a80f1ebaef6573258a6a0fe25644fb0f44d50a50407b6f85454ad0

```
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```

Started to see EXE loaders directly inside .ZIPs from this point forward.

Creation Time 2019-04-04 13:14:00 (From Password Zip - DOC Based - ENG - 365 Blue Box)
SHA256:
216cd2f680417fdffacbbb7a04c850d87456e4638d7c315f3079412fc2e5817b
901eed6819ff66cde8d4cc4e540aea48ef54bc707c9f2e18da49ef39e87a7b00
fae5609b321853388a0aabe3dd1921232bf820c1cebaa3fa4ac114f6f8f52ee3
6f4dc36afe08484b4ce1eb8385dc0627cca0bd224684248ecb9a281324822dcf
50733431389bdf5bd603f6d3fe19915d4b87d0dad4a9713ab77d18e6d2f82a94
aee52f8220f174a1d64eddf3b6ff56ef1fa810c5aa7e456a036c31ee1307cea8
6bdb7d21e696113693c4ce67db14986aee1b697c1cba125f2d573138b497edd6
a7dff18a924c5092fa9a74fbc8929be8051ea9ad4cacafabdd68f0a66cf3b46b
1b1ca632993e5b0bb4d96c0a5511ecd8e2ff5fede9acfd9078dcee2ec658114c
fdf5ae819c2ea1ddaebce884e2839e459fbd80ec980915669e6e8b9f54cc2602
08dc9029749f9d252a50212c9807b7550953710abf7946afd3b10ee4c12686e6
84d925b776924586029835071a95ce6e90ef445275baf4e0a544fcba7787ce73
648297432fb71397cac690912ba0d8eef9f41714b353d6db310e640af90daadb
0e4964f24857dad46bf4205e081ed0ebb26ff8ce8b3cb0a1bf0b32a4a09ebdd2
515eaaa1f7b9c4ecbb1b8caa937fd31dbf04be890470f17ab17ddcd93f1a5d24
9348810d21bee6d2627eb5e47da74bd3b52c92cb3c10b3afe36c57dad3c8d45b
b9865f689cefa9d6076c2f38a76b48b7e83ce3c5975a8c06e189f99d2441dc54
89947bb408d60f4b3d7c0615cedacfbf1fe9ae194f852002f9a541cf9332a9a2
2c8661dea0cfc0f37bdbb6537bc1c9a6b1c4451a38187ebb90f4d2b7e45d0b48

https://dochoichobe.vn/vr3i44x/0_z/
https://t-bot.io/0tqhfq9/vs_kD/
http://acebbogota.org/wp-content/9_8x/
http://blog.almeidaboer.adv.br/wp-admin/Wi_pR/
http://lartetlamatiere.be/wp-content/Tt_L/

Creation Time 2019-04-04 08:03:00 (From Password Zip - DOC Based - ENG - 365 Blue Box)
SHA256:
e96c5349e91f27793185eb69a40692f710a755a8f8f5385f773a0916e21354f7
6fb21d001466b3c102fffcece20a9d29bf6c467bdbc1b6bca157036e0efe86bc
5aab075cd226dff5bda656b2b9823b5d5817ec980f1f455888b0f4727fadf1bb
e8920688eca76f3d4b3a8f9c090f080c0e998cfa430884cfdc48438ebc64d3d6

https://inovatips.com/9yorcan/wb_fk/
https://thetrendgift.com/dubf/m_Z/
http://property-in-vietnam.com/cgi-bin/N_3s/
http://quazar.sk/wp-includes/o_g9/
http://hahawaii.org/wp-admin/qw_6/

Creation Time 2019-04-03 16:11:00 (From Password Zip - DOC Based - ENG - 365 Blue Box)
SHA256:
1944959136488452820501c3a94c1d92103918ddf730900f10ee799abade7f1c
b2c60886c2357e26e5102cd4b96d9232310254df13f9bcf573a8d3d9de7b0745

http://sapelelive.com/pure.api/P_zZ/
https://zomorodluxury.ir/wp-admin/sV_c/
https://codbility.com/dgitalcomposer.codbility.com/k6_M/
http://love2wedmatrimonial.com/webfonts/mE_R/
http://canacofactura.com.mx/factura_admin/z_u/

```
  531. #### SHA256s for Epoch 2 Payload EXEs seen on 04/04/19 ####
  532. ```
  533.  
  534. 61d35071519c66923542e0906df6da7ed2adba21dbb1f65551277d428af2b65e
  535. f948d930d2b6482cc3d78f43155d46c06a5591bb8df3576c12c4f725c9eaac85
  536. 9cf98f8c1dc7c09f596a5db43c2ccd48a4524b52abc8556747a94cc6b71361ce
  537. 1bae2acdd6d0cf490d913575251cf3a899e5a75ede6a55d21dba1bf98e332fc7
  538. 9cd260095bdd10ff5d4601e5668f112dfe975ac9b456597a35d8d9968707c5cf
  539. f5af48ab407a755fafb39831228fb12432873ea73a1841323d8a1fc680c8b04f
  540. 902af4d2161c131f278d3fa32a5d428184ee7cba2e4cc72709cc7778f4b98356 = QBot
  541. ed9a15316827b19acf55249f746896bf55e50490b31d1c550c5a160feb645811
  542. 99886496b52cde3c1f3654f91a38bd9b1daf0181c329e9e1a31eb86b2fe0c957
  543. 1c9b0c1884af697afbaf94219fa96db7507a5f2e227c761d429bf6e93e054997
  544. b181b94c1951f6ba95776905d89348032eba2c2bdab5d297fd6e572ae847a1b3
  545. 611f9b0a7d2f0daa3243241efcbcbe85639c7ec8763c225c53f3d67d03b1403a
  546. 498706ac7aaf4d4cfdbccdbfa53768d4467b7c02e766fcc374453b13cb26b720
  547. 436f5ee6870710c9406265f931f2b948fb15b46c0f3c1a924a16879ac11224a7
  548. 5012f55baf856d15329c09c144238c7d772a5a256f5af75725b2de6227720029
  549. 6b41d4813ce24b736777aa4b9988f008e79c3f0fb1530d4e7016efff36a62a1a
  550. c6865d48006130d43e1c47f579d95280394d08edd8ae6355dfe5401c2662dbdf
  551. a2a2dc685f6aa012ec8367fee485e59a101c11b09d5cf8b357d50b45f44c37bd
  552. c1ceab5aea76ff37fb1838492b0487ff1a8b244755bc635584c02c59942935e9
  553. 594a78833017f3dbe4e57d791395b9132829b4aa22cdfa20cbb4c3b5f83d6d26
  554. def81b5bb8bffa9d5d8420ce94fb5fa0de750bda2ad9a1a6119a09cb3d4b5f95
  555. 01daabac2a7e0a60bf369a4ef3ea5e4649b1f5e54c78cc3aab2db4562cc84343
  556. 91fce066e2a4a050ae370666e358fa37b77e6331a8135bc40d824ade13223998
  557. b08ace3095fdfe677f3d537153a0897ce156d14765a524ccdf07cff3a5708bac
  558. 9b087a837c2d2c6ef6959d29f7f641c9151efebe7e1a2ce64a21fb98948f0217
  559. 24d2fded992d87c59b2a96bbc1d56eaeb9ff362c960bc05713b4e82d6684f8be
  560. 683f55dc2e3b20cd13ae0bd5ac2ca623d8ff71476cf7049b0ccb37e06e8c4546
  561. e9a3829fd333d13627ffdf7e3b8a3dc04cc2a82ea4b9ec620c4e22f32acad712
  562. 9f4ad6e810e719cf3177e26493b76a149b21dedcac71a558f85a3e203a1b2e4c
  563. 648ad62ccc1c1caac96cfed3e54689b5f2a48216ffcec0e22f323b83c2536173
  564. 901d7110765b8ae0abd91632b618c8d054b163fb191eb5c7f883fe472a25b963
  565. c8bc9290cd2e696aa951eb5aca15f25488965ca810345a1e61ce9389b14fde4b
  566. c94c434daec9c98165ac62b785c48291e832bb76b936682fd70ae39cd095e6a8
  567. fb22f709fba709dee40052f691ad88a80969d2eeea03257c9b7f00e21bbdcaab
  568. 4da372e079270387af9226ca5e3225e9bfe7bb25924332cfadf4f5a3be9d5b95
  569. 5ee284375c931c932c7fefbea521318659937347ae5a4b73719a5a5212a155a5
  570. 6b08cad33ae6b1a1b4aa0bacece4705b4a0d85a02f2c4c289de1e22a6e5d7d30
  571. 7ebc5946d1d873b4bcafe680501f4161ff15226dbdae6ece2878d456b15854d5
  572. 11d261a3b133368bf4b9ed58563670ea3c0f166a2763444d4d89eaa9c4248fe6
  573. cbd93f1a42118cba2cf56b31d899b2b59a0a95d07d3eb6f58b78047767ddb1d5
  574. 2be593ed614b6ca439ef6116c4f56cad3cb5c244735eb3f2acd389ea3f4c96d5
  575. 515f04cc1edf2125752032263efb6317065bc2a34d3ec030246e26b17e5cd1d0
  576. 0fdfd0fbddfbf3cf7beccba9629f79af9312d4f8d53a019c82d81f1093c2c0f4
  577. b6984654365ee238bb4900c30f87fda2ef39bde3f53064d95efcaea8a81b38a7
  578. 0313710b233c385c62b4720bdd4bb4cf1fe2ba5148545b7ec66c6ad419e898a7
  579. 0ba6132102baac6aeb27f6f52c94bfb37131e8b0628f28afc8318c8dbe28eadd
  580. b52f21f8b0dda2b7ab0366d90fd62e1c67dc674e45edc719b0b32814afe32427
  581. 60f1d7287d5d911de3e4042bf9c2d0f9d417b801fdfdb792955016c13cd95288
  582. ea37d83eb080d649ab384069a2e19f3476f202894ba25e994e724a22f7b9f571
  583. 955e31b5aa2c8f194b3ba490180db722adde321aa0351a3dd937a6ce52be6211
  584. 2c8b031fc13cf88042f17b8c1c5473a8f88c6b68dff6d7b10221c9d7d5ecbe17
  585. 025fe4adf4ea6571286201c2ce432e158957afa74bc9fc129c5e9f1e027f070d
  586. 60e0b23454d1f072d2ce80a5994109302f1dd5b0b412459c9fe915e80cf315e2
  587. 2c4b999b12c05864b4693714e28bda17960fdc19805b975cdd87fb4c27b6f52a
  588. b05bb73a8c2ddfb50852adc9b1c965f3d93e4b1fd7f953d7d69c6d5ff76c5dcc
  589. a378c5263740f270511ac19a42ee69a24363b19041a49574444e78cffb9579b5
  590. 3adf0d836eeaa60d68adfe8089970f57e7896d87fbee453aa7b56c977fbb6fe8
  591. 125116d6cb64c040fb7bc3d324ca9d64c1e54edc66f4a06ec4521115ac031c52
  592. 4cfe7c745ef0f1be479aebaf0da6014adbb37bebfa315818cf47ea025fd38644
  593. 859ad94a9315c179b545058422260cae3e76377f7c1b5b83d75da1e6a56b8679
  594. 0d8f1304a0aa063722b8b7f0b6efecebdaf78e40e001ceaf4049e065e41b063c
  595. 6a4317473ec9c2a2e4e4e13597807664f10f1add84e639e866374f0c1700a4e0
  596. 75af0bea9c9e47eb19a64097682184b9bd5178ae29265c8b37dea68c1e3e0749
  597. 4ccc528d3b534589ed7e3c5b90a7390583a04d04a0763bc464ea9d24169e2667
  598. f3145425b6885063d9dbdf3ecba3d432b58519d4e88a538314a7010591ac1116
  599. d9c013b53cbe010d383b3d8c9b0f158eca9356040de30f2a2586d3bbf4c134bb
  600. 0a023479b3a7cda20083bc9bd8951f88218ec0cd61b46438e7c2196867928602
  601. cd3a7bfa9781c54444314c43157ba443f520e2217fde01b83017dd0baddfc79a
  602. 13481df6d8cb89c15ccfc117942760d2208fddf15045f65625b0858d29087a3f
  603. 0da45c86148f71274952df06f4881f10fba9c9630dc51aae039cc92f6aa574e2
  604. 967384d0b2554b418ac5448ddc59f089c2f17d46e7d763c67ab041b26655594b
  605. 4babe0ec41e15cf5cfd5c2adc45b542a83b3f1684eac5dae7a30c86f19fe1936
  606. 3b814ee9dff852254fc893941f687292208ba9e6107ee56c79f89c5f625bf74e
  607. 668354bf878e5282b86546a6c525e69c5380c0df9cf307668c2b919186599141
  608. 3d8dbbb95fc8475b82f22d6cc8f8dd36ad1e4eea999848114fac124ad97dde3b
  609. 8dea12dd4b5eed5c996f666ff35764173571b05cbd2d24d289d85a5c777f9afa
  610. d0adf8403599eb908a8cc259225a2c7fba53ab00b2a2218c57fd11f18954c087
  611. d11531feda0cc3bfa659fc72b3b0a0766316615fc2e20018d740772b02a65cd3
  612. 9e17ac6638b451f5c24f131f1e253fb5f151d354f3aca7d459bce773d6246a6b
  613. d3a88b5addaa2096450c2eaf1290bf6d4029210390465f1580e4fff911ab9b5f
  614. bc6f1142c469ae5ba62e2066e62ff4b1f3e651ecc74f76a5a3ffce387b533cf2
  615. 5768d8294c09ed6661a7cb5d26ab2e78e35bbcdcdb17b2f7506019015d3b0391
  616. 8aff52c8eb376f1f791f1060ad946a640e4e51867c80bee33966c3c749050140
  617. 89a00ae3cc5d0c750e19008844efa659691a72e758d694a45bb69da701ad33dc
  618. d01907025b4481f6cd71a27bcc585b5f0678a6bcda98a003a419ac07a050cb59
  619. eb49ef9667148c56973caaf47c2ef8aa16d5d7737887e1a5d1d2bc6ae7d0e724
  620. de951eb9a1da75163a848a7f69d3144e105c6fa85a69735d07b9805bdfb7b213
  621. ed0026a6157a1504b93f22611d58bea1e37824bb0f3b0ef114184cb5d8b4996f
  622. fc8a074e481491f046a1134afc8e399af414bf9db9512859f248a7527dcc1a90
  623. f9a4e140929c7b723869f0e5657f2028987df0ecc27598ab6622cde13dcde798
  624. aab35b8ff3519b4bddda9fbe49c68a5a7e87ec854c2a7fdc87308b0ffcf838f5
  625. c3e57bc1739d629b3f7b16edb090ffa9ab14820ab78b3d804431499da9041244
  626. ed65d71d08873fe36408735993e06b5fbbfd4d520fccd77bff33c32c7e82059d
  627. 37697722c861b56ae460e89d0c533d35f46661e749b734ae49dc03fd8e268e64
  628. 02bc1975a9e97fb55a1dea100d954150ec9a1963d86f041e6ebcd3b79945c6dc
  629. bdf300cb6a8efe083b2367cfbb24cac20bc85b92b7beac5c486bb3cb0cb31442
  630. 91cf6cf1831463490d54c523df139fc7df190a3fb689704aa767714037133be3
  631. d431e0237ff42b807b5187e0d8a1b9797732fc4f9fb4e32b23f5b4aa38b61c54
  632. c96b36a0908d7dbe2296f8d2fff3038b6e511f3b37680d57b1ed64b2b66ed054
  633. 6742a0c7bd590dc11e7ca48f4b32492edcbfeea3c0669020262462209298151b
  634. 4507afcca4074055f58d51ea6c49dd648664d8f5fc53df7d13950db2767d4569
  635. c0e4d96edf5013225d42003f0eae80824a04fcda997d9a8fc2d0343f79f9abd5
  636. e8939c6929d74f0d3a51544675a0fe2f3fbf35fcd497d39faf918f6383b9ac3c
  637. c9fdddc5121451efd90faee0e372bf16cd3bb458eee59de25de74447d0832fcb
  638. 0d434c99a5c683be54d1e8bc9efa31f66d913445b101ec2c1085661bf13b5951
  639. 4e4954b42b1a2a530360fde1d82146ed6409b71911d41a5c8fbf3d6f5e10d6e2
  640. 003a6b51e1438f5795eb9e624531ff78db93c518c4d561d39486d7c1d2fa9016
  641. 1d938bee70738f6849f41c5d6eaea7b7c54d62497ec46c76b29a1cd2f992a54a
  642. 465bc11b62acf0932c1dff5d8b12c2dd046efaaf0165f7715b1032e0721ed793
  643. 65d0c6474fef3fd36f16f85c757093d8a08e43f88651f1910b310a2a16a93a4f
  644. 187948e1a03492307fb158c4c25de8fe207188db8c7d8630b7c9dfc3f39d5b65
  645. 22169c9ace9e9bd7570638a8fd8d17cdcea6d21a4160f3a7810eeb28f1fa56f2
  646. 5140074b7ae8158014567699e0f2ee3d147fd50c6c093a8a83a1b2f8fdb0cd1b
  647. f21705e27c28cfbe1f280e4074128551294425d6577d6fd911d65072b92d8a72
  648. c1df61dea2953d75304191baf998edcfe0474c2deec49506ab3136a537a49fbd
  649. bc794ccc47669a1a0975c62ec1bb649de4ef096c51700f4e8e85dd63505c9b19
  650. efb204b05817183a30862eef9e3959226eeac3867de36ee687bc0c60667bfe6f
  651. c6e06f438312482f53e6212dda7549a5e63fe4e626c3b64bb7350bb8bad673fb
  652. 80c687d0e3f029e35facd9b9da473941892ff170bcf4c8a15463d3bca0cbe221
  653. 961bb30eee6e0a127ac184d7d91c77f49fa5bd41267549794acabac0228dc028
  654. 6b8d502b790e71ff974aae509859bfc31ebeca1a10f42d0d956e40b0f47152fe
  655. 5e95d8293474d755412544937ffae5c99e7d2073fc6f3504912a454f2840fe7a
  656. 7ec12a7c83a537abc193cf5e27fa26f113cad5a76ead1fd14f1fecc3588f8026
  657. 5480fe9f29ce01a1bb909b45c77991e16b958aca71166a965f036dff4abaef1c
  658. b59036d31c14b835fbe20e0c409479a08ab605e25cfe9865fccbd132fd5936a9
  659. aa4ae06286b7932529389721446012ec1a68a3ed83c13ebe197d91e60b1a59f4
  660. 22ec144811c416721052ada148f69a2f2ce8eaf5b41bb8f1dfd881410747b68c
  661. c88c1fe476a34b0ca1eccaee913165754591de1f43170315fff4d11b90ee25fb
  662. dcaa2130e68e12a620db6930e78c2d213d8a429006bdedc9aff0816ad033a8d4
  663.  
  664. ```
  665. #### Epoch 1 C2s ####
  666. ```
  667.  
  668. 104.2.2.153:8080
  669. 109.104.79.48:8080
  670. 109.73.52.242:8080
  671. 110.169.107.239:443
  672. 115.74.214.134:443
  673. 136.49.87.106:80
  674. 138.68.139.199:443
  675. 139.59.19.157:80
  676. 144.76.117.247:8080
  677. 154.120.228.126:8080
  678. 165.227.213.173:8080
  679. 176.58.93.123:8080
  680. 181.16.4.180:80
  681. 181.170.93.38:8080
  682. 181.44.231.127:443
  683. 184.160.113.4:993
  684. 185.86.148.222:8080
  685. 186.139.160.193:8080
  686. 187.153.103.175:443
  687. 187.189.210.143:80
  688. 190.0.32.206:8080
  689. 190.104.229.114:8090
  690. 190.117.206.153:443
  691. 190.117.82.103:443
  692. 192.155.90.90:7080
  693. 192.163.199.254:8080
  694. 197.248.67.226:8080
  695. 200.114.142.40:8080
  696. 200.125.190.126:8080
  697. 201.165.102.49:443
  698. 208.180.246.147:80
  699. 209.159.244.240:443
  700. 210.2.86.72:8080
  701. 219.94.254.93:8080
  702. 23.254.203.51:8080
  703. 43.229.62.186:8080
  704. 5.9.128.163:8080
  705. 51.255.50.164:8080
  706. 62.75.143.100:7080
  707. 66.209.69.165:443
  708. 67.241.81.253:8443
  709. 68.191.37.107:80
  710. 69.163.33.82:8080
  711. 71.11.157.249:80
  712. 72.47.248.48:8080
  713. 74.36.4.206:80
  714. 82.226.163.9:80
  715. 89.188.124.145:443
  716. 89.211.193.18:80
  717. 91.205.215.57:7080
  718. 92.48.118.27:8080
  719. 99.243.127.236:80
  720.  
  721. ```
  722. #### Spam/Stealer C2s ####
  723. ```
  724.  
  725. 31.172.86.183:8080
  726. 104.236.185.25:8080
  727. 50.116.63.9:7080
  728.  
  729. ```
  730. #### Current Epoch 1 RSA Public Key ####
  731. ```
  732.  
  733. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
  734.  
  735. ```
  736. #### Epoch 2 C2s ####
  737. ```
  738.  
  739. 104.236.135.119:8080
  740. 105.225.191.133:80
  741. 133.242.156.30:7080
  742. 138.201.140.110:8080
  743. 147.135.210.39:8080
  744. 162.243.125.212:8080
  745. 167.114.210.191:8080
  746. 173.255.196.209:8080
  747. 173.255.250.241:443
  748. 174.93.130.148:8443
  749. 175.100.138.82:22
  750. 178.62.37.188:443
  751. 179.8.124.11:443
  752. 181.39.51.243:993
  753. 186.4.234.27:443
  754. 187.189.195.208:8443
  755. 187.198.57.250:7080
  756. 187.228.144.250:143
  757. 188.51.153.187:993
  758. 189.156.223.10:20
  759. 189.186.208.24:8443
  760. 190.161.186.116:80
  761. 190.230.219.95:20
  762. 192.186.96.125:8080
  763. 197.88.12.80:53
  764. 200.126.225.56:8080
  765. 201.110.165.146:8443
  766. 201.138.11.223:8080
  767. 201.220.152.101:80
  768. 203.210.237.200:993
  769. 208.78.100.202:8080
  770. 211.63.71.72:8080
  771. 212.122.71.196:995
  772. 217.13.106.160:7080
  773. 217.165.84.16:7080
  774. 24.63.218.229:80
  775. 45.123.3.54:443
  776. 45.33.49.124:443
  777. 5.230.147.179:8080
  778. 50.31.0.160:8080
  779. 60.49.36.149:50000
  780. 61.2.56.167:80
  781. 62.75.187.192:8080
  782. 63.77.201.245:443
  783. 64.13.225.150:8080
  784. 67.205.149.117:443
  785. 69.198.17.7:8080
  786. 70.57.82.196:80
  787. 73.217.113.111:80
  788. 78.186.5.109:443
  789. 83.110.216.26:8443
  790. 83.222.124.62:8080
  791. 85.104.184.242:8080
  792. 85.104.59.244:20
  793. 87.106.139.101:8080
  794. 87.106.210.123:80
  795. 88.254.240.194:80
  796. 91.92.191.134:8080
  797. 94.76.200.114:8080
  798. 95.128.43.213:8080
  799.  
  800. ```
  801. #### Epoch 2 - Spam/Stealer C2s ####
  802. ```
  803.  
  804. 198.58.114.91:4143
  805. 213.136.86.219:7080
  806. 91.205.215.10:7080
  807.  
  808. ```
  809. #### Current Epoch 2 RSA Public Key ####
  810. ```
  811.  
  812. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
  813.  
  814. ```
  815. #### Credits and Notes Section ####
  816. ```
  817. Updated 7/13/18
  818. WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it
  819. is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
  820. https://pastebin.com/u/jroosen
  821.  
  822. NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
  823. I am providing them for your benefit in case you want to parse them to be sure.
  824.  
  825. ```
  826. #### What is Epoch 1 and Epoch 2? ####
  827. ```
  828.  
What is Epoch 1 and Epoch 2? (updated 03/07/2019)

I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures and separate RSA keys for communications.
Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller, more
rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
This seems to change back and forth over a 6 month period. Despite having unique, unshared C2 infrastructures, these two botnets have been seen
to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group, e.g. going on breaks at the same
time period.
Here are some observations I have noted since I have been watching these botnets:

- Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
Epoch 2 document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those
being delivered in maldocs on Epoch 2 at any one time.
- Document hashes change every 10 minutes on both Epochs while distribution/spamming are active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Mondays of every week a new set of document download sites, and usually templates to accompany them, are generated early on
Monday morning/Sunday night.
- Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
Epoch 2 may have a document hosted on host.tld/B.
- The RSA keys for C2 communications on each Epoch/Botnet change every few months or so.
- Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
*- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
via C2 to stay ahead of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00 UTC each day. It usually starts back up around 07:00-08:00 UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA key. HINT - CAPE Sandbox makes this
easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
spam template, word template, document type and even payload.

If I think of anything else to add or if anyone else has any suggestions, I will add them here.

```
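The observations that each binary carries a hard-coded C2 list unique to its Epoch, that C2s are never shared, and that the C2s/RSA key identify the botnet can be turned into a small attribution check. The Python below is an added example, not part of this paste or of any tracker's tooling: the C2 endpoints and the two public keys it embeds are copied from the lists above, the DER reader is a minimal hand-written parser (assumption: the keys are the plain base64 SubjectPublicKeyInfo blobs shown above, with the line-wrap spaces), and the sample inputs in the demo are constructed.

```python
"""Attribute an Emotet sample to Epoch 1 or Epoch 2 from its C2 list and RSA key.

Added example (not part of the original paste). C2s and keys are copied from
this page; the demo inputs are constructed.
"""
import base64

# Subset of the Epoch 1 / Epoch 2 C2 lists from this page (ip:port).
EPOCH1_C2 = {
    "104.2.2.153:8080", "109.104.79.48:8080", "110.169.107.239:443",
    "144.76.117.247:8080", "184.160.113.4:993", "192.155.90.90:7080",
}
EPOCH2_C2 = {
    "104.236.135.119:8080", "133.242.156.30:7080", "175.100.138.82:22",
    "181.39.51.243:993", "197.88.12.80:53", "60.49.36.149:50000",
}

# Current RSA public keys from this page (base64 SubjectPublicKeyInfo, line-wrapped).
EPOCH1_KEY = ("MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ "
              "0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ "
              "Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB")
EPOCH2_KEY = ("MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx "
              "S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc "
              "hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB")

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(b64):
    """Return (modulus_bits, public_exponent) from a base64 SubjectPublicKeyInfo."""
    der = base64.b64decode("".join(b64.split()))   # drop the line-wrap spaces
    tag, spki, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)                  # AlgorithmIdentifier
    oid_tag, oid, _ = _tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _tlv(spki, pos)                 # BIT STRING; bits[0] = unused bit count
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected BIT STRING")
    _, rsapub, _ = _tlv(bits, 1)                   # RSAPublicKey ::= SEQUENCE { n, e }
    _, n_raw, pos = _tlv(rsapub, 0)
    _, e_raw, _ = _tlv(rsapub, pos)
    n = int.from_bytes(n_raw, "big")
    e = int.from_bytes(e_raw, "big")
    return n.bit_length(), e


def _norm_key(b64):
    return "".join(b64.split())


def attribute_sample(observed_c2s, rsa_key_b64=None):
    """Return "Epoch 1", "Epoch 2" or "unknown" for a sample's extracted C2s/key.

    Per the notes above C2s are never shared between the two botnets, so an
    overlap with both lists is treated as a bad extraction, not a verdict.
    """
    c2s = set(observed_c2s)
    hit1, hit2 = c2s & EPOCH1_C2, c2s & EPOCH2_C2
    if hit1 and hit2:
        raise ValueError(f"C2s overlap both epochs: {sorted(hit1 | hit2)}")
    c2_epoch = "Epoch 1" if hit1 else "Epoch 2" if hit2 else None
    if rsa_key_b64 is not None:
        known = {_norm_key(EPOCH1_KEY): "Epoch 1", _norm_key(EPOCH2_KEY): "Epoch 2"}
        key_epoch = known.get(_norm_key(rsa_key_b64))
        if key_epoch is not None:
            if c2_epoch is not None and c2_epoch != key_epoch:
                raise ValueError(f"RSA key says {key_epoch} but C2s say {c2_epoch}")
            return key_epoch
    return c2_epoch or "unknown"


if __name__ == "__main__":
    for label, key in (("Epoch 1", EPOCH1_KEY), ("Epoch 2", EPOCH2_KEY)):
        print(label, "key: %d-bit modulus, e=%d" % parse_rsa_spki(key))
    # Constructed extraction result: two real Epoch 2 C2s plus an unrelated host.
    print(attribute_sample(["197.88.12.80:53", "175.100.138.82:22", "192.0.2.10:80"], EPOCH2_KEY))
```

Both keys parse as 768-bit RSA moduli with exponent 65537, which is why comparing the whole base64 blob is enough to tell the Epochs apart; the C2 check is the fallback when a sandbox run yields only the config's endpoint list.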
#### Community Lists ####
```

https://pastebin.com/8vzRxU8a - @pollo290987
https://pastebin.com/Xec3Ap5d - @malware_traffic
https://otx.alienvault.com/pulse/5ca667449e861d095c554699/ - @SecSome

```
#### Credits ####
```
(OC from @JRoosen and/or combination work of the following)

Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
@0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @leunammejii, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk

C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
@devnullnoop, @gorimpthon, @Racco42, @Jan0fficial

Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
@pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman

Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
@urlscanio and @Virustotal for providing services/software at no charge to this cause!

```
#### Daily Log ####
```

Today was interesting for multiple reasons. I am now getting Operation Zip Lock spam on both botnets. That is to say I am getting
password protected ZIP files with .doc files in them. I even started to see password protected .ZIP files that had EXEs in them
at the end of the day from E2. The distro on E2 seems to have shut down and document directories are not updating. However, the
document evolution was traceable until about 16:00 when I started to see the EXEs directly in the ZIPs. The EXEs seemed to be
previously used E2 droppers that were once on the distro directories for payloads from macros. Clearly E2 is a testbed right now
and E1 is doing the same crap it always had with pass protected (ZipLocked) .ZIP/DOCs added in for fun. However, there still was a
clear chain of DOCs on E1 and on the distro directories.

The return of QBot Direct Load:

At 18:45 UTC, I noticed that there was a common hash dropped in the distro dirs on both botnets.

902af4d2161c131f278d3fa32a5d428184ee7cba2e4cc72709cc7778f4b98356

https://www.virustotal.com/#/file/902af4d2161c131f278d3fa32a5d428184ee7cba2e4cc72709cc7778f4b98356/detection

At 548KB, this was larger than the other executables that were showing up lately and seemed very much like it was a
direct load. Running it in Any.Run, it quickly became clear this was Qakbot again and we were experiencing a direct load
from the payload directories from the VBA macros. This happened on the 30th of January this year also. To be honest I am not
sure if this was an accident and the operator screwed up loading the wrong package or if it was deliberate.

This hash stayed live on both botnets' distro for maybe 35-40 minutes and then we went back to Emotet main EXEs. By 19:25 UTC
everything was back to "normal" or as normal as it can be of late. Hashes stopped updating on payload distro directories around
20:30 UTC.

More notes and info I posted about this here:

https://twitter.com/JRoosen/status/1113912634162728966

To me, the interesting thing is that the ZIPLocked EXEs came just after Qakbot was taken down in about 1 hour.
"Nyet, wrong package Ivan!!"

Reminder about Operation ZIP Lock:
It seems like they are only attempting to use the password ruse on direct attachment .zip files in the spam templates.
I am not sure how you could do anything else honestly, because the link based spam templates would need to lock
URLs to specific passworded .zip files or the .zips risk changing later on when the message is read.

All in all, Operation Zip Lock is a bit underwhelming and easily blocked at the mail gateway by just blocking passworded
.zip attachments. You are doing that, aren't you?? :)

I also posted more about Operation Zip Lock on Twitter in response to Brad:
https://twitter.com/malware_traffic/status/1113805807433474050

C2s did NOT change for E1 and remained at 52 combos in total. - recorded above
C2s DID change for E2 and increased to 62 from 56 combos in total. - recorded above

At least tomorrow is Friday. TT

```
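The gateway rule the log refers to (block password-protected .zip attachments) comes down to one bit: an encrypted ZIP entry has bit 0 of its general-purpose flag set in the central directory, which can be read without any password and without extracting anything. The Python below is an added example, not part of this paste: the archive bytes are constructed in memory to stand in for a captured attachment (the flag is patched in by hand, since the standard library cannot write encrypted archives), and `should_block` is an illustrative rule, not anyone's production gateway policy.

```python
"""Flag mail attachments that are password-protected (encrypted) ZIP archives.

Added example, not part of the original paste. Sample archives are constructed.
"""
import io
import zipfile

ENCRYPTED_FLAG = 0x0001   # general-purpose flag bit 0: entry is encrypted


def encrypted_entries(zip_bytes):
    """Return names of entries whose encryption flag is set.

    Only the central directory is read, so no password is needed and no entry
    data is touched. Returns an empty list when nothing is encrypted.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & ENCRYPTED_FLAG]


def should_block(zip_bytes, risky_suffixes=(".doc", ".exe")):
    """Illustrative gateway rule: (blocked: bool, reason: str).

    Blocks anything that is not a parseable ZIP, any archive with an encrypted
    entry, and (as a secondary check) unencrypted archives carrying Office
    documents or executables, the two payload types noted in the log above.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return True, "not a valid ZIP container"
    enc = [zi.filename for zi in infos if zi.flag_bits & ENCRYPTED_FLAG]
    if enc:
        return True, f"password-protected entries: {enc}"
    risky = [zi.filename for zi in infos if zi.filename.lower().endswith(risky_suffixes)]
    if risky:
        return True, f"document/executable entries: {risky}"
    return False, "clean"


def build_sample_zip(name, payload, encrypted):
    """Construct a test archive. If encrypted is True, set the encryption flag in
    both the local file header (flags at offset 6) and the central directory
    header (flags at offset 8), as a password-protected archive would have.
    The entry data is left as-is; the gateway check never reads it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        local = data.find(b"PK\x03\x04")
        central = data.find(b"PK\x01\x02")
        data[local + 6] |= ENCRYPTED_FLAG
        data[central + 8] |= ENCRYPTED_FLAG
    return bytes(data)


if __name__ == "__main__":
    locked = build_sample_zip("invoice.doc", b"constructed placeholder, not a document", True)
    plain = build_sample_zip("notes.txt", b"constructed placeholder", False)
    print(should_block(locked))   # blocked: password-protected entries
    print(should_block(plain))    # clean
```

A real gateway would apply this to every attachment part (and to archives nested in archives); the point of the example is that the decision needs only the flag bits from the central directory, so it costs nothing and does not depend on guessing the password from the message body.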
#### Sandbox 04/04/19 ####
(all with fakenet and MITM unless spam/secondary infection)
```

Epoch 1 C2 run on 2019-04-05 at 04:00 UTC - https://cape.contextis.com/analysis/61660/

```

```

Epoch 2 C2 run on 2019-04-05 at 04:00 UTC - https://cape.contextis.com/analysis/61665/

```