## Emotet Malware Document links/IOCs for 01/21/21 as of 01/22/21 01:00 EST ##
*Notes and Credits at the bottom.* Follow us on Twitter @cryptolaemus1 for more updates.
### Document Downloader Links ###
#### Epoch 1 Document/Downloader links ####
```
None Observed
```
#### Epoch 2 Document/Downloader links ####
```
```
#### Epoch 3 Document/Downloader links ####
```
None Observed
```
### Payloads per Epoch by Document ###
### Epoch 1 Payloads by Document SHA256 - All Times UTC/UTC+3Z ###
```
Creation Time 2021:01:20 20:48:04/23:47:00Z (Attachment/Operation Zip Lock - Doc based - Red Dawn)
```
### Epoch 2 Payloads by Document SHA256 - All Times UTC/UTC+3Z ###
```
Creation Time 2021:01:20 20:40:15/23:40:00Z (Attachment/URL - Doc based - Red Dawn)
```
### Epoch 3 Payloads by Document SHA256 - All Times UTC/UTC+3Z ###
```
Creation Time 2021:01:21 07:44:00 (Attachment only - Doc based - MSWord DE)
Creation Time 2021:01:21 07:19:00 (Attachment only - Doc based - iOS Enable Editing)
Creation Time 2021:01:20 23:50:00/02:50:00Z (Attachment/Operation Zip Lock - Doc based - Microsoft Office JP)
Creation Time 2021:01:20 23:40:33/02:40:00Z (Attachment/Operation Zip Lock - Doc based - Red Dawn)
```
## C2's Per Epoch ##
### Epoch 1 C2s ###
```
- #### Epoch 1 - Spam C2s ####
- ```
- 165.22.93.5:8080
- 128.199.220.70:8080
- 54.38.143.246:7080
- 5.56.132.177:8080
- 54.36.185.63:80
- ```
- #### Epoch 1 - Stealer C2s ####
- ```
- 37.187.195.209:443
- 167.71.4.0:8080
- 165.22.246.219:8080
- 45.55.82.2:8080
- 88.217.172.165:8080
- 162.144.212.120:8080
- ```
- #### Current Epoch 1 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6
- uS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz
- 6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB
- ```
- ### Epoch 2 C2s ###
- ```
- 12.175.220.98:80
- 162.241.204.233:8080
- 50.116.111.59:8080
- 172.86.188.251:8080
- 139.99.158.11:443
- 66.57.108.14:443
- 75.177.207.146:80
- 194.190.67.75:80
- 50.245.107.73:443
- 173.70.61.180:80
- 85.105.205.77:8080
- 104.131.11.150:443
- 62.75.141.82:80
- 70.92.118.112:80
- 194.4.58.192:7080
- 120.150.60.189:80
- 24.231.88.85:80
- 78.24.219.147:8080
- 110.142.236.207:80
- 119.59.116.21:8080
- 144.217.7.207:7080
- 95.213.236.64:8080
- 46.105.131.79:8080
- 176.111.60.55:8080
- 174.118.202.24:443
- 94.23.237.171:443
- 138.68.87.218:443
- 110.145.101.66:443
- 134.209.144.106:443
- 74.208.45.104:8080
- 24.178.90.49:80
- 172.125.40.123:80
- 157.245.99.39:8080
- 118.83.154.64:443
- 202.134.4.211:8080
- 121.124.124.40:7080
- 172.104.97.173:8080
- 110.145.11.73:80
- 172.105.13.66:443
- 168.235.67.138:7080
- 78.188.225.105:80
- 59.21.235.119:80
- 185.94.252.104:443
- 24.179.13.119:80
- 49.205.182.134:80
- 51.89.36.180:443
- 115.21.224.117:80
- 202.134.4.216:8080
- 190.251.200.206:80
- 78.189.148.42:80
- 220.245.198.194:80
- 85.105.111.166:80
- 5.39.91.110:7080
- 203.153.216.189:7080
- 93.146.48.84:80
- 181.165.68.127:80
- 70.183.211.3:80
- 47.144.21.37:80
- 167.114.153.111:8080
- 75.109.111.18:80
- 24.69.65.8:8080
- 188.165.214.98:8080
- 187.161.206.24:80
- 74.58.215.226:80
- 74.128.121.17:80
- 24.164.79.147:8080
- 139.59.60.244:8080
- 136.244.110.184:8080
- 2.58.16.89:8080
- 79.137.83.50:443
- 139.162.60.124:8080
- 89.216.122.92:80
- 188.219.31.12:80
- 190.103.228.24:80
- 109.74.5.95:8080
- 87.106.139.101:8080
- 78.182.254.231:80
- 74.40.205.197:443
- 89.106.251.163:80
- 69.49.88.46:80
- 62.171.142.179:8080
- 217.20.166.178:7080
- 161.0.153.60:80
- 37.187.72.193:8080
- 190.240.194.77:443
- 5.2.212.254:80
- 200.116.145.225:443
- 98.109.133.80:80
- 75.113.193.72:80
- 115.94.207.99:443
- 109.116.245.80:80
- 123.176.25.234:80
- 120.150.218.241:443
- 50.91.114.38:80
- 180.222.161.85:80
- 186.74.215.34:80
- 95.9.5.93:80
- 64.207.182.168:8080
- 197.211.245.21:80
- 61.19.246.238:443
- 37.139.21.175:8080
- 181.171.209.241:443
- 185.201.9.197:8080
- 71.72.196.159:80
- 41.185.28.84:8080
- ```
- #### Epoch 2 - Spam C2s ####
- ```
- 165.227.170.254:7080
- 195.181.215.65:8080
- 167.114.122.37:80
- 137.74.119.116:8080
- 51.38.237.230:8080
- 219.94.242.134:8080
- 217.160.19.232:8080
- 95.215.46.191:8080
- ```
- #### Epoch 2 - Stealer C2s ####
- ```
- 167.99.105.11:8080
- 51.255.40.241:443
- 78.47.87.196:8080
- 159.65.222.75:8080
- 195.14.0.12:8080
- 87.106.225.180:8080
- 198.144.158.120:443
- 151.236.60.57:8080
- ```
- #### Current Epoch 2 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS
- Q0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS
- fkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB
- ```
- ### Epoch 3 C2s ###
- ```
- 132.248.38.158:80
- 203.157.152.9:7080
- 157.245.145.87:443
- 110.37.224.243:80
- 70.32.89.105:8080
- 185.142.236.163:443
- 192.241.220.183:8080
- 91.83.93.103:443
- 54.38.143.245:8080
- 192.210.217.94:8080
- 37.205.9.252:7080
- 78.90.78.210:80
- 182.73.7.59:8080
- 163.53.204.180:443
- 91.75.75.46:80
- 172.104.46.84:8080
- 161.49.84.2:80
- 27.78.27.110:443
- 203.160.167.243:80
- 109.99.146.210:8080
- 120.51.34.254:80
- 203.56.191.129:8080
- 183.91.3.63:80
- 37.46.129.215:8080
- 188.226.165.170:8080
- 116.202.10.123:8080
- 223.17.215.76:80
- 198.20.228.9:8080
- 185.208.226.142:8080
- 68.133.75.203:8080
- 192.163.221.191:8080
- 46.105.131.68:8080
- 8.4.9.137:8080
- 2.82.75.215:80
- 178.62.254.156:8080
- 110.172.180.180:8080
- 175.103.38.146:80
- 201.212.61.66:80
- 190.19.169.69:443
- 143.95.101.72:8080
- 91.93.3.85:8080
- 139.59.12.63:8080
- 46.32.229.152:8080
- 195.159.28.244:8080
- 58.27.215.3:8080
- 202.29.237.113:8080
- 5.79.70.250:8080
- 103.93.220.182:80
- 75.127.14.170:8080
- 201.193.160.196:80
- 139.5.101.203:80
- 186.96.170.61:80
- 49.206.16.156:80
- 178.254.36.182:8080
- 157.7.164.178:8081
- 172.96.190.154:8080
- 172.193.14.201:80
- 203.153.216.178:7080
- 2.58.16.86:8080
- 186.146.229.172:80
- 117.2.139.117:443
- 113.161.176.235:80
- 190.85.46.52:7080
- 180.148.4.130:8080
- 50.116.78.109:8080
- 152.32.75.74:443
- 162.144.145.58:8080
- 74.208.173.91:8080
- 122.116.104.238:8443
- 178.33.167.120:8080
- 103.80.51.61:8080
- 65.32.168.171:80
- 190.18.184.113:80
- 24.230.124.78:80
- 103.229.73.17:8080
- 179.233.3.89:80
- 88.58.209.2:80
- 82.78.179.117:443
- 115.79.195.246:80
- 190.107.118.125:80
- 188.166.220.180:7080
- 79.133.6.236:8080
- 139.59.61.215:443
- 195.201.56.70:8080
- 201.163.74.204:80
- ```
- #### Epoch 3 - Spam C2s ####
- ```
- 162.214.68.171:8080
- 159.65.140.182:80
- 118.163.97.19:8080
- 37.48.84.223:8080
- 82.118.225.196:7080
- ```
- #### Epoch 3 - Stealer C2s ####
- ```
- 45.230.228.26:443
- 82.145.43.153:8080
- 195.159.28.229:7080
- 104.236.52.89:8080
- ```
- #### Current Epoch 3 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ
- cMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j
- l32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB
- ```
- ## Credits and Notes Section ##
- ```
- WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch
- because they rock and report everything to ISPs as it is confirmed to be malware. Additionally,
- this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
- https://pastebin.com/u/jroosen
- NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
- I am providing them for your benefit in case you want to parse them to be sure.
- ```
- ### What is Epoch 1, Epoch 2 and Epoch 3? ###
- ```
- (Updated 10/25/20)
- We get a lot of questions about Epoch 1-3 and what they really mean. These are different botnets of Emotet with different
- infrastructure supporting them. I called them Epochs because they seemed to follow a different timeline and timescale of releases
- for updates. They do not share C2 infrastructure and they can behave independently. In general these are
- the rules governing Emotet's Botnets/Epochs:
- 1. All C2 combos are hard coded in a list of up to 127 C2 combos in a given Epoch's loader. These Tier 1 C2s are never shared
- between Epochs. E1-E2-E3 will all have a unique list of IPs/Ports(Combos) per Epoch. (Usually updated once per day)
- 2. Module C2s are also unique per Epoch and usually are former C2 Combos that were published in the loader but now are used for
- the special purpose of the module for that Epoch. (Usually updated once per week)
- 3. All Epochs have a unique RSA Public key that is used to communicate and decode messages from the C2 infrastructure. These are
- listed in the daily reports. Using CAPE's excellent Emotet Extraction module you can easily find what Epoch a sample is from.
- 4. All Epochs will use a unique location for distribution downloads. You will never see the same directory on the same compromised
- distro tier 1 host used for a different botnet. e.g. host A may be used for distributing Emotet E1 loaders in directory /wp-fail/X/
- and you may also see E2 documents hosted out of /wp-sucks/Y/. You will never see E1-E3 use the root of X or Y again for another
- distro job to host loaders or docs for another botnet. (Note: a given distro directory will usually become abandoned and stop
- hashbusting after 48-72 hours from inception.)
- 5. Spam from each Epoch will be used to add new bots to that Epoch. While there have been very rare exceptions or maybe even mistakes
- on the distro side, Epoch 1 spam will be used to create more Epoch 1 bots, Epoch 2 spam will be used to create more Epoch 2 bots and Epoch
- 3 spam will be used to create more Epoch 3 bots.
- 6. Macro Documents from a given Epoch will always contain 5-8 URLs (Quintet, Sextet, Septet, Octet) as of 10/25/20 that download the loader for
- that same Epoch.(There have been very rare exceptions to this rule but in general this is the TTP.)
- 7. Macro Documents from a given Epoch will have the same Creation Time for a given Quintet of URLs. This allows for quick identification
- of the origin of the document per Epoch. When the Creation Time metadata changes for a document, there is almost always a new quintet
- of loader URLs.
- 8. Malspam Templates are usually unique to a given Botnet/Epoch. They may later be shared to the other Botnet/Epoch but at the time of
- the run, they are usually run on a single botnet. Example would be the Ransomware one from Friday 1/17/20 that was only on E3.
- 9. Bots can be transferred from Epoch to Epoch and we have seen this over time. Normally it is done by deliberately dropping an EXE from another
- Epoch for the C2 update.
- 10. Macro Document Creation times usually change on Epoch 2 first and then shortly thereafter change on E1 and E3. We believe E2 is
- really the primary botnet for Ivan/Emotet and they put changes on this botnet first.
- ```
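Rule 3 above is the one that is mechanically checkable: each epoch's RSA public key is published as a base64 DER SubjectPublicKeyInfo blob, so a key pulled out of a sample by an extractor can be matched against the published keys without any crypto library. The Python below is an added example, not Cryptolaemus tooling and not part of the original report: the three key strings are copied from this report, while the minimal DER reader, the fingerprint helper and the epoch lookup are mine and use only the standard library.

```python
"""Identify the Emotet epoch of an extracted RSA public key (added example).

Parses the base64 SubjectPublicKeyInfo blobs published per epoch with a minimal
DER TLV reader, returns (modulus, exponent), and matches a key taken from a
sample against the known per-epoch keys.
"""
import base64
import hashlib

# The three keys exactly as listed in this report (line breaks removed).
EPOCH_KEYS = {
    1: ("MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6"
        "uS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz"
        "6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"),
    2: ("MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS"
        "Q0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS"
        "fkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB"),
    3: ("MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ"
        "cMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j"
        "l32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB"),
}


def _read_tlv(buf, pos, want_tag):
    """Read one DER TLV at buf[pos], check its tag, return (value_bytes, next_pos)."""
    if pos >= len(buf) or buf[pos] != want_tag:
        raise ValueError(f"expected DER tag {want_tag:#x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length overruns buffer")
    return buf[pos:end], end


def parse_spki(b64):
    """Return (modulus, exponent) from a base64 SubjectPublicKeyInfo; whitespace is ignored."""
    der = base64.b64decode("".join(b64.split()))
    spki, _ = _read_tlv(der, 0, 0x30)        # SubjectPublicKeyInfo SEQUENCE
    _alg, pos = _read_tlv(spki, 0, 0x30)     # AlgorithmIdentifier (rsaEncryption, NULL)
    bits, _ = _read_tlv(spki, pos, 0x03)     # BIT STRING; first byte = unused-bit count
    if bits[0] != 0:
        raise ValueError("unexpected unused-bit count in BIT STRING")
    rsa, _ = _read_tlv(bits, 1, 0x30)        # RSAPublicKey SEQUENCE
    n_bytes, pos = _read_tlv(rsa, 0, 0x02)   # modulus INTEGER (leading 0x00 if high bit set)
    e_bytes, _ = _read_tlv(rsa, pos, 0x02)   # publicExponent INTEGER
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def fingerprint(b64):
    """SHA-256 over the DER bytes, a convenient handle for a key in a tracking sheet."""
    return hashlib.sha256(base64.b64decode("".join(b64.split()))).hexdigest()


def identify_epoch(b64):
    """Map a key extracted from a sample to an epoch number, or None if it is unknown."""
    n, e = parse_spki(b64)
    for epoch, known in EPOCH_KEYS.items():
        if parse_spki(known) == (n, e):
            return epoch
    return None


if __name__ == "__main__":
    for epoch, key in EPOCH_KEYS.items():
        n, e = parse_spki(key)
        print(f"E{epoch}: {n.bit_length()}-bit modulus, e={e}, sha256={fingerprint(key)[:16]}...")
```

The keys are 768-bit RSA with e=65537; because the loader's key is a fixed per-epoch constant, an extractor that dumps the key gives a definitive epoch attribution even when the C2 list has been trimmed or the sample is from an older day.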
- ### Community Lists/Samples ###
- ```
- (sorry if we miss anybody, make sure to send it to @cryptolaemus1 in your tweet and we will try to include it!)
- ```
- ### Credits ###
- ```
- Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:
- Doc DL URLs - @devnullnoop, @executemalware, @zbetcheckin, Anonymous
- C2 info/RSA Keys - @hatching_io, @CapeSandbox, @unixronin, @devnullnoop, @MalwareTechBlog, @lazyactivist192, @executemalware, Anonymous
- Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @malware_traffic, @executemalware, @Paladin3161, @bomccss, Anonymous, @JAMESWT_MHT
- @reecdeep, @waga_tw
- Spam Templates - @devnullnoop, @lazyactivist192, @proofpoint, Anonymous :)
- We would like to thank the parts of the community that explicitly request to NOT be listed here. You know who you are! :)
- Special thanks to @lazyactivist192, @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk, @dms1899, @myrtus0x0 for creating scripts/servers/
- infrastructure and helping out with this!
- Very special thanks to @hatching_io, @proofpoint, @unpacme, @herrcore, @seanmw, @Binary_Defense, @lazyactivist192, @capesandbox,
- @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey, @digitalocean, @mploessel,
- @anyrun_app, @unixronin, @hurricanelabs, @MalwareTechBlog, @KryptosLogic, @0xtadavie, @MsftSecIntel, @abuse_ch/urlhaus.abuse.ch,
- @urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal for providing services/software at no charge to this cause!
- ```
- ### Daily Log ###
- ```
- This report was gathered by @JRoosen and @ps66uk:
- @JRoosen here - Well something broke on the backend for Ivan it looks like and while things looked good on E3 in the morning UTC time, it quickly
- unraveled for the tools over at EmotetHQ. Whatever happened, we saw hashbusting break on all 3 botnets and the next binary they probably were
- going to hashbust did not come down. Also, it seemed like Ivan had issues getting the spam cannons to fire after this point also or maybe felt
- it was just not worth it to try since distro for the DLLs was not hashbusting. Whatever the case, it was a short day for us with little to cover. We saw E1
- stop spamming around 05:00UTC and E2 was even earlier near 03:00UTC. E3 was more robust and had even 2 more docs with a special DE German
- based office template being used again as it was run in tandem with the iOS based template in English. All of this stopped around 08:30UTC.
- We saw activity today which seemed like maybe the botnet was still trying to spam but it was primarily on E2. Even at the time of this
- report, still nothing is spamming.
- ```
- #### Emotet Domain Bucket ####
- ```
- Created a pastebin of all domains used from 08/14/20+: This is sorta like the Emotet Hashbucket but it is all domains used
- for distro by Emotet either Doc or Exe downloads. They are piled together and deduped for your blocking on your DNS platform of
- choice. CAUTION - Use at your own risk! While every effort is made to make this data valid, there is always a chance for a mistake,
- or one of these compromised sites actually being legitimately used.
- 171 recorded domains today used in Emotet distro. 141 of those were determined to be unique.
- The previous total was 10,630 unique domains and this brings us up to 10,771 domains used since 8/14/20.
- UPDATE (2021/01/20): For some silly reason, pastebin won't let me update the previous post here anymore so this is now frozen in time:
- https://pastebin.com/raw/u8avFVD6
- Therefore the new home of this content is here:
- https://paste.cryptolaemus.com/dbucket/
- Note: They started to use enough IPs that I figured I would just keep them in the list here because they are being used in URLs directly
- versus the FQDN (if one even exists).
- Over time you can see a lot of reuse with these domains at a rate of at least 1/2 per day. New domains seem to slow down by Thursday
- and Friday there is a lot of reuse! If you need a reason to justify blocking these domains once they are used for Emotet, here it is.
- ```
- #### Emotet Hash Bucket ####
- ```
- Updated bucket today for 2021/01/12+ until the end of 2021/01/20 which includes loader hashes from the 14th/15th. Total hashes are now
- 24,734 and this means we added another 12,489 hashes today.
- Bucket for 2021/01/12+:
- https://pastebin.com/raw/0w79H0B5
- Note - Every time it gets close to 64k hashes, pastebin seems to have issues dealing with it.
- We are also looking for a better solution to this rather than Pastebin. Stay tuned.
- ```
- ### General News ###
- ```
- News in general and by region:
- Basically we have a few reports from early in the morning of some spamming and then subsequent reports of the lack of spam all day. :)
- Update on the Sekoia.FR incident with an Emotet Infection:
- https://twitter.com/sekoia_fr/status/1352245726697414656
- @ffforward once again had one of the earliest reports this morning and we concur that E3 was heavy until it went tits up.
- https://twitter.com/ffforward/status/1352161123206909953
- CL:
- https://twitter.com/CSIRTGOB/status/1352378186273701889
- DE:
- https://twitter.com/neoxmorpheus1/status/1352387173128036352
- DK:
- https://twitter.com/ffforward/status/1352216560493096962
- ES:
- This one is interesting because it is #Mekotio but is similar to Emotet:
- https://twitter.com/dgarcianet/status/1352235429160955904
- IT:
- https://twitter.com/VirITeXplorer/status/1352169065046040576
- https://twitter.com/nicolaferrini/status/1352327110262546433
- JP:
- https://twitter.com/abel1ma/status/1352123122363768834
- https://twitter.com/abel1ma/status/1352144654418939905
- https://twitter.com/bomccss/status/1352282113605660673
- https://twitter.com/bomccss/status/1352398894018088960
- https://twitter.com/gorimpthon/status/1352213861449957379
- https://twitter.com/satontonton/status/1352200872483201025
- NZ:
- https://twitter.com/phage_nz/status/1352486750011023364
- US:
- https://twitter.com/malware_traffic/status/1352252367929008128
- https://twitter.com/ScarletSharkSec/status/1352264786747281412
- https://twitter.com/ScarletSharkSec/status/1352271976769986562
- ```
- ### Drops Report ###
- ```
- IQTZ (IcedID/Qakbot/Trickbot/Zloader)
- IcedID/BokBot - Not heard of any dropping yet from Emotet.
- Qakbot - Not heard of any dropping yet from Emotet.
- Trickbot - We only heard of reports of gtag mor1 being dropped. Once again Brad over at @malware_traffic posted his excellent notes:
- https://twitter.com/malware_traffic/status/1352312552601038850
- Zloader - Not heard of any dropping yet from Emotet.
- ```
- ### Email Template Report ###
- ```
- E3 was basically attachments only and a little bit of operation ZipLock before it died around 08:30UTC.
- Update on Operation Zip Lock 2021/01/12
- I am sure by now you have all seen the captcha based Emotet Operation Zip Lock (password protected ZIP). We broke that story yesterday
- concerning this new tactic but it seems to have been used with only a few templates for reply chain type emails and wasn't very dynamic.
- Most of the samples I saw actually had the same password of "28ivw" or "k4ez". This behavior was only seen on E3 but
- was a significant portion of the spam on E3 for both the 12th and the 13th. We believe this was an attempt to throw another curveball
- at our automation to break open these files and report the payloads ASAP. Also as noted in the news, it seemed to be a curveball for
- other detection/defense systems for mail scanning. This was likely a test run before Ivan changes over the code to be more dynamic.
- Well played Ivan but in this way you also made them easier to identify with the crappy captcha. We will watch for new versions
- of this behavior and advise appropriately.
- Update on Operation Zip Lock 2021/01/05:
- All three of the botnets saw some Operation Zip Lock action too but E1 was all password protected ZIPs all day. We also started to see
- some new wording in the spam templates and @Slayelele reported this to us also. Usually the Italian version of the Emotet malspam would
- give the password with the phrase "Password archivio: [0-9]{3,5}" but we started to see today a different format of the following:
- ___________
- File di archivio allegato all'email:
- Parola d'ordine: 82999
- ___________
- File di archivio allegato all'email:
- Parola d'ordine: NCPUCAXTVB
- ___________
- Indeed even the English type of these Operation Zip Lock types of malspam were showing up with newer passwords and wording:
- Examples:
- ___________
- Archive file attached to email: Invoice Oc09269510.zip
- Password: AOLNYE
- ___________
- Zip file attached to email: Report J279304187/05-01-2021.zip
- Password: 821YR1VALX
- ___________
- These new variants were seen on E3. I will work on more REGEX for these and publish later.
- As promised here are some facts we have gathered on Operation Zip Lock: (Most of this was the same today 12/21/20+)
- Operation Zip Lock is essentially password protected zips being attached to Emotet Malspam in some of the templates that are
- used to spam Emotet. This tactic has evolved over time but was seen starting in at least the first half of 2019. In general,
- these are usually only some of the attachment based malspams at any given time. Here are some general facts about this template:
- 1. By far, this tactic is used to target Japan and most often on E3. (at least until mid this Sept)
- 2. We are seeing templates in at least Dutch/English/French/German/Italian/Japanese
- 3. The passwords in the Japanese templates are usually enclosed in brackets and are alphanumeric via the following regex: [0-9a-zA-Z]{6,10}
- 4. The passwords in the English Templates are usually just numeric from what we have seen with the following regex [0-9]{3,5}
- 5. The passwords are in the body of the emails and have been seen with the following phrasing before it:
- Japanese Examples:
- "=E3=83=91=E3=82=B9=E3=83=AF=E3=83=BC=E3=83=89=EF=BC=9A[GGE60fmI]" - This is the more complex series with [0-9a-zA-Z]{5,10}
- "=E3=83=91=E3=82=B9=E3=83=AF=E3=83=BC=E3=83=89=EF=BC=9AUIzBZxV5v" - seeing some now without brackets [0-9a-zA-Z]{5,10}
- "=E3=83=91=E3=82=B9=E3=83=AF=E3=83=BC=E3=83=89: 13948" - This series has a regex that is pure numbers [0-9]{3,5}
- Italian Example: - From @JAMESWT_MHT https://twitter.com/JAMESWT_MHT/status/1308725036606533637
- "Password Archivo: 0231" - This series has a regex that is pure numbers [0-9]{3,5}
- Another Italian example from @jcgarciagamero https://twitter.com/jcgarciagamero/status/1309406482467901443
- "Password Archivo: 5375"
- German Example: - From @neoxmorpheus1 https://twitter.com/neoxmorpheus1/status/1308881983511109633
- "Passwort: aLybP7nqNb" - This is the more complex series with [0-9a-zA-Z]{5,10}
- French Examples:
- "Mot de passe: 4397809869" - This is the more complex series with [0-9a-zA-Z]{5,10}
- "Mot de passe: 7447"
- English Examples:
- "Archive pass: 8578" - This series has a regex that is pure numbers [0-9]{3,5}
- Encrypted zip file attached to email:
- "The password for the document is LQWMFXu" -This is the more complex series with [0-9a-zA-Z]{5,10}
- "The file is password protected - p6z88n0K" -This is the more complex series with [0-9a-zA-Z]{5,10}
- "Password: th5cs3rHf"
- "Password for ZIP:"
- "Zip file attached to email: Very urgent information from 24-09-2020.zip"
- 6. The password is reused for many users and is static in groups.
- 7. These are seen on E1-E3 as of last week but this has primarily been used on E3 and E2.
- 8. One other thing to note is that the documents that are inside of the ZIP are not different (other than hashbusted) for the same ones on
- that epoch's spam at a given time. That is to say they will be the same creation/modification time in the metadata and also the same septet of
- payloads in the macro.
- 9. On 09/23/20 - ~9%-12% of total emails sent on E1/E2/E3 had attachments that were .zip.
- 10. The file names vary widely and I would not be confident to block just on this alone. I have seen just form.zip to GER-2984537-DOCUMENT-09
- -23-20.zip and everything in between.
- 11. We have heard of and seen numerous incidents where the password was wrong and just didn't work.
- ___________
- Paul's Boutique of Documents:
- includes distro and urlhaus report time
- E* Created Primary_Domain Distro Urlhaus Template
- E1
- E2
- E3 2021:01:21 07:19:00 amojo.org 07:36 ios_enable_editing
- E3 2021:01:21 07:44:00 deshbangla71news.com 08:54 msword_de
- ---
- notes
- See tweets for examples, we almost always provide samples in those tweets.
- ```
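The phrasings and password shapes catalogued above are enough to automate the first step of handling a Zip Lock attachment. The Python below is an added example, not Cryptolaemus's automation and not part of the original report: it decodes the quoted-printable form in which the Japanese phrase arrives, extracts password candidates with one regex built from the listed phrasings, and tries them against the attachment using the standard library's ZipCrypto support, reporting the "password just didn't work" case instead of guessing. The sample bodies are constructed from the phrasings above and are not real spam.

```python
"""Pull Operation Zip Lock passwords out of Emotet malspam bodies (added example).

The phrase list and password shapes come from the template notes above; the
sample bodies are constructed from them.
"""
import io
import quopri
import re
import zipfile

# Phrases that precede the password in the templates listed above (JP/IT/DE/FR/EN).
PASSWORD_PHRASES = [
    r"パスワード[:：]",                      # what =E3=83=91=E3=82=B9...=EF=BC=9A decodes to
    r"Password (?:archivio|Archivo):",
    r"Parola d'ordine:",
    r"Passwort:",
    r"Mot de passe:",
    r"Archive pass:",
    r"The password for the document is",
    r"The file is password protected -",
    r"Password(?: for ZIP)?:",
]
# Shapes seen: [0-9]{3,5} and [0-9a-zA-Z]{5,10}, sometimes wrapped in [brackets].
PASSWORD_RE = re.compile(
    r"(?:" + "|".join(PASSWORD_PHRASES) + r")\s*\[?([0-9A-Za-z]{3,10})\]?",
    re.IGNORECASE,
)

# Constructed sample bodies using the phrasings above (not real spam).
SAMPLE_BODIES = {
    "it": "File di archivio allegato all'email:\nParola d'ordine: 82999\n",
    "en": "Zip file attached to email: Report J279304187/05-01-2021.zip\nPassword: 821YR1VALX\n",
    "de": "Passwort: aLybP7nqNb",
    "jp_qp": "=E3=83=91=E3=82=B9=E3=83=AF=E3=83=BC=E3=83=89=EF=BC=9A[GGE60fmI]",
    "no_pw": "Please see the attached archive.",
}


def decode_qp_body(raw):
    """Decode a quoted-printable UTF-8 body (the on-the-wire form of the Japanese templates)."""
    return quopri.decodestring(raw.encode("ascii")).decode("utf-8")


def extract_passwords(body):
    """Candidate ZIP passwords in order of appearance; empty list if none found."""
    return PASSWORD_RE.findall(body)


def open_with_candidates(zip_bytes, candidates):
    """Try each candidate on the attachment.

    Returns (password, member names): password "" if the ZIP is not encrypted at all,
    and (None, []) if no candidate opens it (the 'password was wrong' case noted above).
    """
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    members = [i for i in zf.infolist() if not i.is_dir()]
    if not members:
        return None, []
    if not members[0].flag_bits & 0x1:       # general-purpose bit 0 = encrypted
        return "", zf.namelist()
    for pwd in candidates:
        try:
            with zf.open(members[0], pwd=pwd.encode()) as f:
                f.read()                     # full read: the CRC catches wrong keys the 1-byte header check misses
            return pwd, zf.namelist()
        except (RuntimeError, zipfile.BadZipFile):
            continue
    return None, []


if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        text = decode_qp_body(body) if name.endswith("_qp") else body
        print(name, extract_passwords(text))
```

Because the same static password is reused across a whole run (fact 6 above), a handful of candidates harvested from the day's spam is usually enough to open every attachment from that template, and any body that yields no candidate is worth a human look for a new phrasing.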
- ### Link Regex Report ###
- ```
- (These are experimental, use at your own risk.)
- (Also keep in mind, your filter needs to look inside PDF files to find the URI to test against these above. Otherwise
- this does not help.)
- Update(2021-01-20)- I am going to refresh this once we get more URLs and cut it down some to cover the new E2 URLs.
- Update(2020/10/27)- New stuff today and I tried to take a stab at it but it is ugly. They work but have not been tested for problems and FP. Use
- at your own risk! I have this in a large rule with a layered allowed list exceptions so I recommend it deployed with something like that.
- IMPORTANT: Make sure to make these one line because carriage returns were added to break them up so it doesn't break RSS. Also you may or may
- not want to use (\"|\n) at the end depending on what you see.
- ```
- #### E1 New ####
- ```
- https?:\/\/.+?\/(([0-9]{1,2})|acanthite|addons|admin|.+\_ANTIGO|app(s?|\-krog)|arq|aspnet_client|assets|attachments?|avisos|blockman|.+\-button|carchi|
- categoryl|.+\_chat|cgi-bin|codepay|complainingness|.+\.com|.+\-connection|content|COPYRIGHT|css|cuim|customerl|.+-data|Document(ation)?|(docs?|DOCS?)|
- .+\-designs|engl|eleicao|.+codeofethics|esp|eTrac|example|extensionl|fal|feedback|(FILE|file)|fill|filterl|fonts?|framework|.+\-forms?|generationman|
- gennew|.+\-handle|hotelinfo|images|.+\-images|img|INC|index(ing)?|.+_files|install-package|invoice|js|.+\.link|.+login|LLC|lm|logo|mas|military|music|
- network|.+\.net|novy|OCT|Overview|Pages|paclm|parts_service|piwigo|plugins|.+\-power|powershell-get|processing|property|.+Proxy|public|public_html
- |(R|r)eport(s|ing)?|Sandbox|Scan|securityl|sites?|sitepages?|sys-cache|teachers?|test|uploads?|.+\-unblocked|unpredictable|vendor|wordpress|wp.*
- |.+\-z71)\/([A-Za-z0-9]{4,18}\/)?(([A-Za-z0-9]{1,70})\/)(\"|\n)
- New from @aristoteles42 - (http(s)?:\/\/.+?\/(.+?\/)?){2}
- #1 aggressive - http(s)?\:\/\/[^\s]+\/http
- #2 less aggressive - \/http(s)?\:\/\/(attachments|browse|Documentation|docs|esp|eTrac|lm|paclm|Pages|parts_service|parts_service|public|
- Overview|Pages|Reporting|Scan|sites|[0-9A-Z]{3,13})\/
- ```
- #### E1 OLD ####
- ```
- @aristoteles42 E1 Regex #1:
- http(s)?:\/\/.+?\/((en|public|default|gallery|upgrade|uploads|download)|(((available|closed|common|individual|multifunctional|open|personal|
- private|protected|test|verifiable)|([a-zA-Z0-9]{3,16}[-_][a-zA-Z0-9]{3,16}))[-_]((area|array|box|disk|module|resource|section|sector|zone)|
- ([a-zA-Z0-9]{3,16}[-_][a-zA-Z0-9]{3,16}))))\/(.+\/)?\s
- @aristoteles42 E1 Regex #2:
- http(s)?:\/\/.+\/(([a-zA-Z0-9]{3,16}[-_][a-zA-Z0-9]{3,16})|(((additional|close|corporate|external|guarded|individual|interior|
- multifunctional|open|security|special|test|verifiable|verified)|([a-zA-Z0-9]{3,16}[-_][a-zA-Z0-9]{3,16}))[-_]((area|box|cloud|forum|module|
- portal|profile|sector|space|warehouse)|([a-zA-Z0-9]{3,16}[-_][a-zA-Z0-9]{3,16}))))\/.+?\/\s
- Karttoon's E1:
- (?:http(s)?:\/\/)?(?:[^\x2F]+\/)+(((available|open|closed?|common|multifunctional|personale?|speciali?|privat(e|a)|test|additional|security|
- inter(ior|nal|ni)|individuale?|verifi(ed|able|cabile)|guarded|external|protected|disponibile|corporate|multifunzionale|contestee|aggiuntiva|
- chiusi|disponibile|sicurezza|custodito|aperto|comune|verificato)[_-]([a-zA-Z0-9]{3,16}[_-][a-zA-Z0-9]{4,15})\/)|(([a-zA-Z0-9]{2,16}[_-][a-zA-
- Z0-9]{4,16})[_-](resource|content|box|disk|sector|modul(e|o)|array|cloud|warehouse|forum|space|portale?|profil(e|o)|zon(e|a)|area|marketing|
- spazio|allineamento|module|disco|settore|sezione|risorsa)\/)|((available|open|closed?|common|multifunctional|personale?|speciali?|privat(e|
- a)|test|additional|security|inter(ior|nal|ni)|individuale?|verifi(ed|able|cabile)|guarded|external|protected|disponibile|corporate|
- multifunzionale|contestee|aggiuntiva|chiusi|disponibile|sicurezza|custodito|aperto|comune|verificato)[_-](resource|content|box|disk|sector|
- modul(e|o)|array|cloud|warehouse|forum|space|portale?|profil(e|o)|zon(e|a)|area|marketing|spazio|allineamento|module|disco|settore|sezione|
- risorsa)\/)|([a-zA-Z0-9]{4,14}[_-][a-zA-Z0-9]{5,16}[_-][a-zA-Z0-9]{3,13}[_-][a-zA-Z0-9]{2,16}\/)){2}([a-zA-Z0-9]{3,16}[_-][a-zA-Z0-9]{3,14}|
- [a-zA-Z0-9]{9})(\/)$
- ```
- #### E2 New ####
- ```
- This is just a pared down E1 ver:
- https?:\/\/.+?\/(([0-9]{1,2})|acanthite|addons|admin|.+\_ANTIGO|app(s?|\-krog)|arq|aspnet_client|assets|avisos|.+\-button|carchi|categoryl|.+\_chat|
- cgi-bin|codepay|complainingness|.+\.com|.+\-connection|content|css|cuim|customerl|.+-data|.+\-designs|engl|eleicao|.+codeofethics|example|extensionl|
- fal|feedback|fill|filterl|fonts?|framework|.+\-forms?|generationman|gennew|.+\-handle|hotelinfo|.+\-images|img|index(ing)?|.+_files|install-package|
- invoice|js|.+\.link|.+login|logo|mas|military|music|network|.+\.net|novy|piwigo|plugins|.+\-power|powershell-get|processing|property|.+Proxy|
- public_html|reports?|Sandbox|sitepages?|sys-cache|teachers?|test|uploads?|.+\-unblocked|unpredictable|vendor|wordpress|wp.*|.+\-z71)\/
- ([a-z0-9]{4,18}\/)?(([A-Za-z0-9]{1,70})\/)(\"|\n)
- ```
- #### E2 OLD ####
- ```
- OLD:
- https?:\/\/.+?\/(addons|admin|attachments|balance|browse|calendar|Document|Documentation|DOC|docs|esp|eTrac|FILE|INC|invoice|index_files|LLC|
- lm|network|parts_service|payment|OCT|Overview|Pages|paclm|public|public_html|report|Reporting|Scan|sites|
- statement|swift|system|test|uploads|vendor|wp|wp-(admin|content|includes))\/([a-z0-9]{4,18}\/)?(([a-z0-9]{19,56})\/)?(\"|\n)
- https?:\/\/.+?\/(addons|attachments|balance|browse|calendar|Document|Documentation|DOC|docs|esp|eTrac|FILE|INC|invoice|index_files|LLC|lm|
- network|parts_service|payment|OCT|Overview|Pages|paclm|public|public_html|report|Reporting|Scan|sites|statement|swift|system|test|uploads|
- vendor|wp-(admin|content|includes))\/([a-z0-9]{4,18}\/)?(([a-z0-9]{5,15})\-([0-9]{2,9})\-([a-zA-Z0-9]{8,20})\/)?(\"|\n)
- https?:\/\/.+?\/(addons|attachments|balance|browse|calendar|Document|Documentation|DOC|docs|esp|eTrac|FILE|INC|invoice|index_files|LLC|lm|
- network|parts_service|OCT|Overview|Pages|paclm|public|public_html|report|Reporting|Scan|sites|statement|swift|system|test|uploads|wp-(admin|
- content|includes))\/([a-zA-Z0-9]{4,18}\/){0,2}?(([a-zA-Z0-9]{1,12})\-([0-9]{3,10})\-([0-9]{2,10})\-([a-zA-Z0-9]{4,12})\-([a-zA-Z0-9]
- {4,12})\/)?(\"|\n)
- TwpJ8d5vVZeLJM8u9K1ztUOVsR1Waxkk1Fp73jxGIo3HP3ndrB3pfg1pdtLW2LEEIhiWfN
- ```
- #### E3 New ####
- ```
- https?:\/\/.+?\/((.+\.com)|addons|admin|attachments|balance|bin|(_)?borders|browse|calendar|cgi-bin|css|dev|Document|Documentation|DOC|docs|
- dup-installer(\-)?|esp|eTrac|FILE|form|(inc|INC)|images|_installation|intro|invoice|index_files|journal|LLC|lm|momo|network|(oct|OCT)|open_zone|
- Overview|Pages|payment|paclm|photos|parts_service|photo|public|public_html|report|Reporting|Sales|Scan|sendlogin|sites|statement|swift|sys-cache|
- system|temp|test|turismo|uploads|WordPress(_02)?|wp|wp-(admin|content|includes))\/([0-9]{4,17}\/){0,2}?(([a-zA-Z]{2,12})|
- (([a-z0-9]{1,13})\-([0-9]{2,12})))\/(\"|\n)
- ```
- #### E3 OLD ####
- ```
- https?:\/\/.+?\/((.+\.com)|addons|admin|attachments|balance|bin|(_)?borders|browse|calendar|cgi-bin|css|dev|Document|Documentation|DOC|docs|
- dup-installer(\-)?|esp|eTrac|FILE|form|INC|images|_installation|intro|invoice|index_files|journal|LLC|lm|network|OCT|open_zone|Overview|
- Pages|paclm|photos|parts_service|public|public_html|report|Reporting|Sales|Scan|sites|statement|swift|sys-cache|system|temp|test|turismo|
- uploads|WordPress(_02)?|wp|wp-(admin|content|includes))\/([0-9]{4,17}\/){0,2}?(([a-zA-Z]{2,10})|(([a-z0-9]{1,13})\-([0-9]{2,12})))\/(\"|\n)
- https?:\/\/.+?\/(_old|ABOUT|AdminPanel|backup|calendar|captchacache|cgi-bin|cloud|cpnl|css|Documentation|engl?|fancybox|fonts|images|media|
- oauth|pub|report|Register|scripts|setup|sys-cache|test|tmp|tr|us|web|wp(scripts)?|wp-(admin|content|includes))\/([A-Za-z0-9\-]{2,7})\/(\"|\n)
- https?:\/\/.+?\/([A-Za-z0-9\-\_]{2,13})\/(([0-9a-z]{2,7}\-[0-9a-z]{2,7}\-[0-9a-z]{2,7}\/){1,2})(\"|\n)
- ```
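As the note at the top of this section says, the patterns are printed with line breaks that have to be removed before use, and the (\"|\n) tail assumes the URL is followed by a quote or a newline. The Python below is an added example, not part of the original report, that does exactly that for the E3 New pattern reproduced verbatim from above: it re-joins the lines, compiles the result with Python's re module (which accepts the escaped slashes as literals), and runs it over a constructed E3-shaped URL, a constructed URL using the numeric-directory variant, and one of the E2-style URLs listed earlier on this page, which should not match an E3 pattern.

```python
"""Re-join and test a multi-line regex from the Link Regex Report (added example)."""
import re

# E3 New, copied verbatim from the report, including the line breaks added for RSS.
E3_NEW_AS_PUBLISHED = r"""
https?:\/\/.+?\/((.+\.com)|addons|admin|attachments|balance|bin|(_)?borders|browse|calendar|cgi-bin|css|dev|Document|Documentation|DOC|docs|
dup-installer(\-)?|esp|eTrac|FILE|form|(inc|INC)|images|_installation|intro|invoice|index_files|journal|LLC|lm|momo|network|(oct|OCT)|open_zone|
Overview|Pages|payment|paclm|photos|parts_service|photo|public|public_html|report|Reporting|Sales|Scan|sendlogin|sites|statement|swift|sys-cache|
system|temp|test|turismo|uploads|WordPress(_02)?|wp|wp-(admin|content|includes))\/([0-9]{4,17}\/){0,2}?(([a-zA-Z]{2,12})|
(([a-z0-9]{1,13})\-([0-9]{2,12})))\/(\"|\n)
"""


def join_report_regex(text):
    """Undo the report's line wrapping: strip each line and concatenate into one pattern."""
    return "".join(line.strip() for line in text.splitlines())


def compile_report_regex(text):
    """Compile a report pattern as published (the escaped slashes are plain literals to re)."""
    return re.compile(join_report_regex(text))


def url_matches(pattern, url):
    """Test a bare URL.

    The published tail (\"|\n) expects a quote or newline after the final slash, i.e. the
    URL as it sits inside a PDF/HTML object or a one-per-line feed, so append a newline.
    """
    return pattern.search(url + "\n") is not None


E3_NEW = compile_report_regex(E3_NEW_AS_PUBLISHED)

# Constructed test URLs (not IOCs) plus one E2-style URL from this report's own list.
TEST_URLS = {
    "http://example.com/wp-content/abcd/": True,            # constructed, E3 shape
    "http://example.com/cgi-bin/12345/ab-123/": True,       # constructed, numeric dir + name-digits
    "http://qingniatouzi.com/wp-includes/Z4TFME0/": False,  # E2-style path from this report
}

if __name__ == "__main__":
    for url, expected in TEST_URLS.items():
        print(f"{url_matches(E3_NEW, url)!s:5} (expected {expected}) {url}")
```

Keep the allow-list layering the author mentions in front of this: the pattern's first alternative (.+\.com) and the bare wp entry are broad, and a join error (a dropped character at a line boundary) fails silently as a pattern that simply never matches, which is why the constructed positive cases are worth running after every refresh.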
- ### Loader Report ###
- ```
- The Payloads and C2 reports have been combined into this section, which is now known as the Loader Report.
- _____________
- E1
- Distro_UTC Bytes Compile SHA256 CAPE Triage IP_1 hashes
- E2
- Distro_UTC Bytes Compile SHA256 CAPE Triage IP_1 hashes
- E3
- Distro_UTC Bytes Compile SHA256 CAPE Triage IP_1 hashes
- ---
- notes
- no new binaries :|
- bundle of exe: https://tria.ge/
- ---
- Notes:
- no change from yesterday.
- C2 Deltas:
- E1 now 93 combos, nil.
- E2 now 105 combos, nil.
- E3 now 85 combos, nil.
- ---
- ```
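The C2 Deltas line above is a count of the per-epoch loader lists earlier on this page, and rule 1 of the Epoch notes says those tier-1 combos are never shared between epochs; both are cheap to verify when consuming the report. The Python below is an added example, not Cryptolaemus tooling and not part of the original report. It parses the report's own layout (the "Epoch N C2s" and "Epoch N - Spam/Stealer C2s" headings with one ip:port per line inside a code fence), tolerates the "- " prefix pastebin adds when it renders a paste as a list, counts combos per section, flags any loader combo that appears under more than one epoch, and emits a deduplicated blocklist. The report snippet it runs on is constructed with documentation-range addresses (and one deliberately duplicated combo) rather than the real IOCs.

```python
"""Parse per-epoch C2 lists out of a Cryptolaemus-style daily report (added example)."""
import re

FENCE = "`" * 3   # each list in the report sits inside a three-backtick fence
HEADING_RE = re.compile(r"^#+\s*Epoch (\d)\s*(?:-\s*(Spam|Stealer))?\s*C2s\s*#*$")
C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")

# Constructed report snippet in the page's format. Documentation-range IPs, not IOCs;
# 203.0.113.10:8080 is deliberately listed under both E1 and E2 to exercise the check,
# and the E2 block carries the "- " prefix pastebin adds when rendering as a list.
SAMPLE_REPORT = "\n".join([
    "### Epoch 1 C2s ###", FENCE, "203.0.113.10:8080", "203.0.113.11:443", FENCE,
    "#### Epoch 1 - Spam C2s ####", FENCE, "203.0.113.12:7080", FENCE,
    "#### Current Epoch 1 RSA Public Key ####", FENCE, "base64keydata", FENCE,
    "### Epoch 2 C2s ###", FENCE, "- 203.0.113.20:80", "- 203.0.113.10:8080", FENCE,
])


def _clean(raw):
    """Strip whitespace and the optional '- ' list prefix added by pastebin's renderer."""
    line = raw.strip()
    return line[2:] if line.startswith("- ") else line


def parse_c2_sections(text):
    """Return {section: [ip:port, ...]}, e.g. {"E1": [...], "E1-Spam": [...], "E2": [...]}."""
    sections, current, in_fence = {}, None, False
    for raw in text.splitlines():
        line = _clean(raw)
        if line.startswith(FENCE):
            in_fence = not in_fence
            continue
        m = HEADING_RE.match(line)
        if m:
            current = f"E{m.group(1)}" + (f"-{m.group(2)}" if m.group(2) else "")
            sections[current] = []
        elif line.startswith("#"):
            current = None                 # any other heading (RSA key etc.) ends the C2 context
        elif in_fence and current and C2_RE.match(line) and int(C2_RE.match(line).group(2)) <= 65535:
            sections[current].append(line)
    return sections


def combo_counts(sections):
    """Per-section combo counts, comparable to the report's 'C2 Deltas' line."""
    return {name: len(combos) for name, combos in sections.items()}


def tier1_overlaps(sections):
    """Loader (tier-1) combos listed under more than one epoch, keyed combo -> epochs.

    Module lists (E1-Spam, E1-Stealer, ...) are excluded. Per rule 1 of the Epoch notes
    this should be empty; anything here points at a parsing or attribution error.
    """
    seen = {}
    for name, combos in sections.items():
        if "-" in name:
            continue
        for combo in combos:
            seen.setdefault(combo, []).append(name)
    return {c: eps for c, eps in seen.items() if len(eps) > 1}


def blocklist(sections):
    """Deduplicated, sorted ip:port list across every section, for a firewall or IDS list."""
    return sorted({c for combos in sections.values() for c in combos})


if __name__ == "__main__":
    parsed = parse_c2_sections(SAMPLE_REPORT)
    print("counts:", combo_counts(parsed))
    print("overlaps:", tier1_overlaps(parsed))
    print("blocklist:", blocklist(parsed))
```

Run against the real page (with the "- " prefixes left in, or stripped) the counts should come out at the 93/105/85 the C2 Deltas line states, and the overlap check should be empty; a non-empty overlap on a real day is the first sign that two epochs' lists were mixed up while assembling the report.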
- #### E1 ####
- ```
- none
- ---
- ```
- #### E2 ####
- ```
- none
- ---
- ```
- #### E3 ####
- ```
- none
- ---
- ```
- ### Closing ###
- ```
- Will Ivan be able to get the botnet spamming again tomorrow? Will hashes be busted even though SSDEEP detects them all anyway?
- Will the Emotet tools change the crypter again because it doesn't work with the stupid hashbusting? Will the same silly 2 static
- craptcha images be used again for passwords? Inquiring minds want to know. Tune in tomorrow for the latest episode of
- "As the Vodka Bottle Empties"
- -TT
- ```
- #### SHA256s for Epoch 1 Loader EXEs ####
- ```
- none seen
- ```
- #### SHA256s for Epoch 2 Loader EXEs ####
- ```
- none seen
- ```
- #### SHA256s for Epoch 3 Loader EXEs ####
- ```
- none seen
- ```
- ### END ###