jroosen

Emotet Malware Document links/IOCs for 01/21/21

Jan 21st, 2021
## Emotet Malware Document links/IOCs for 01/21/21 as of 01/22/21 01:00 EST ##
*Notes and Credits at the bottom.* Follow us on Twitter @cryptolaemus1 for more updates.

### Document Downloader Links ###

#### Epoch 1 Document/Downloader links ####
```
None Observed
```
#### Epoch 2 Document/Downloader links ####
```
http://2586097-2.web-hosting.es/images/qrXM9Zow0yfZPofu/
http://ajath.ae/forum-ias/assets/global/plugins/bootbox/Q9ateaow97q3WNDWCtb7bivXaoRtTHZJUI6VujTsDiA2g/
http://bielert.de/wp-content_old/8gSTXI4pZOATaDLWEVSuKq4bDiA8FRIu4VVnRsy9Ssl1uaBnMXWCrEE8DpEtaUGeJUMD/
http://comotocarviolaorapido.com/unquality/kEX5pzsmEFr/
http://confirm.bisiakintayo.com/wp-content/5jpofmmozacUKDbLEKzD6S6nQLKeEo1tdJ/
http://digitize.aravind.global/cgi-bin/e3QCCn/
http://dryaquelingrdo.softdesigns.org/wp-content/Rm7yv3assVd1HOEKNMMqX6i3IxWweXtvdDcoA5/
http://ec2-15-206-128-255.ap-south-1.compute.amazonaws.com/wp-includes/dt8TFJqvvShcT0pSLkqLumSDPavZ9zKzEfz77d/
http://flipamas.com/shio-hk-gkr1f/j7y9Xe4PkIn0joRDeZ0DcYy2q9bSsr7pXo9FF1xNccBPl6PxmS/
http://gaurance.com/peppery/fKdi/
http://goodnesspharmacy.in/blogs/fihqvgjr43nmp5mt6bd32aj7ymimuspne/
http://grupofloridablanca.es/anterior/TVBCsBdXirh0kZ57VInarzVVmGRDDgzGSLLK9kdLGwBSYWvQLJVmnIEM/
http://hcldindia.com/php/a1WAJk41PdQTM32aBZNT8yzcwL91x55fKgZHbsHTNEiv4FzAZLDyZLDtb/
http://hqdecig.com/cgi-bin/sNI8w3FSSB44IaVmzSS2nv0oD6EiIXLq6/
http://junoboat.be/cgi-bin/jpxPEE95T1VbBn/
http://jzsubao.com/application/UXltCk58c1XrrCu4Xj7eqJLdCpnNln/
http://mmsnegocios.com.br/wp-includes/xfhyzEyLilyhjG7YqyIzNza3vK2TaKi8AOSU5gLzaN/
http://movartemusic.com/wp-admin/KxPuFj09V77nrVkj6S7VS/
http://mvm368.com/wp-admin/w3ujGAnMFlitMY4ky0ccDmecu359zOzPWkZ6pad0G/
http://mywonderfulpregnancy.com/blog/yT6uSk8X0/
http://nafis24.com/wp-content/zJ3QQDV84IXAhPVyPx638DLfgrOhbZmJlYMn5CVzdMZ2JBsaElbHKEjTXOxt/
http://nhipcauytevietnhat.com/efficiency-all-iuehb/BJug3jyhuyilWhCQs3YksSaqQW7tpyvmYpb91wTZdbluIo1EKoPE5VrBbcx8zHDAR9YT/
http://photolinguist.com/wp-admin/hY1hDtbdpHRYygChX8RxFuyd1u03H9gqdGaKN4ehikaozqe/
http://prodescsaude.com.br/wp-admin/brTy5dQqoWSZuiqboYW93gcxEkQAKW4HWqN0wKGxXrnyXF9I/
http://propertybrokers.cl/cgi-bin/j4BdkyULiYCiswVfZwkJlYaH9L/
http://qmh333.com/i/QWoxGKEAxpMOdFlrmQGtb1vXp2HyuiqQcatAdBXaZLJI1PwjmuseKJBGTGOCXaRJt8/
http://shifa.sa/wp-admin/NbtxKRENMNlV3FEKqxJWawuks/
http://solitaireclubs.com/frayedness/M3rZPu123OeKCdOa97cQB4l4Clf9qTIhP9iNZFegOwMrul2eQm9xUmaOOfREpXOfq2p/
http://sspbrand.com/sdrangel-install-qdm2q/FynTewQiDCX6XxbXVjRojqMEU3yS/
http://sub-g.com/wp-admin/pk7VSCtRc4vNosujpbaaCCfCeVcLGQwuR70h6jzsiEP6uWmfwwP4GftKRh8vVA/
http://ucmasmauritius.com/admin/xdekfyevy1f3ffze8bz45oxbhzxp61o6eielyyyj5gjp/
http://vocalriyaz.com/typically/2lY44b5ijlK5q06XNNk8xYxmzpIA2tJEtU/
http://www.angelobruzzese.com/administrator/oy3o2YByTlpah8M/
http://www.lohanamatching.com/archive/xhQHNgFb197ALjQrnmONpW0lnG6QKEs7lgNmvGp7FCIfffx3ubweAd0UAGFJNbPXg/
http://www.photolinguist.com/wp-admin/hY1hDtbdpHRYygChX8RxFuyd1u03H9gqdGaKN4ehikaozqe/
http://www.qmh333.com/i/QWoxGKEAxpMOdFlrmQGtb1vXp2HyuiqQcatAdBXaZLJI1PwjmuseKJBGTGOCXaRJt8/
http://www.serviciomore.com/Sistema/XUL2/
http://www.weinsteincounseling.com/wp-includes/NgTJ/
https://benessereperfetto.com/i/fQE2T7bneVp8bdWxUYN5TFt64nPbU6sA4dFmsJdHpkNGnYO4T1vjASsdzUT3NFd9lnU/
https://comotocarviolaorapido.com/unquality/kEX5pzsmEFr/
https://digitize.aravind.global/cgi-bin/e3QCCn/
https://grupofloridablanca.es/anterior/TVBCsBdXirh0kZ57VInarzVVmGRDDgzGSLLK9kdLGwBSYWvQLJVmnIEM/
https://vocalriyaz.com/typically/2lY44b5ijlK5q06XNNk8xYxmzpIA2tJEtU/
https://weinsteincounseling.com/wp-includes/NgTJ/
https://www.bdshuang.cn/wp-includes/NotWCrKVIB2WFn4Rp62Ki34Op814y7gOBb0OSu8hC/
https://www.weinsteincounseling.com/wp-includes/NgTJ/
```
#### Epoch 3 Document/Downloader links ####
```
None Observed
```
### Payloads per Epoch by Document ###

### Epoch 1 Payloads by Document SHA256 - All Times UTC/UTC+3Z ###
```
Creation Time 2021:01:20 20:48:04/23:47:00Z (Attachment/Operation Zip Lock - Doc based - Red Dawn)
SHA256:
01371fa05cb9655cead451fbcd5002105a22f5ba56d69a14c2dfd5f6339e78b3
0d14edfef37ad84ca2c67851dbec4ed2f2c5bee1e50afdc9f0e3e7a253b485e8
12499f3ab4a86ef07f3e35512eec9e0cca775d4908863187834e130ba2370845
1cd0d2aeadd9d8eb83bd1a08b3f4c7c8af47425837e8f3da57ee9e79f3642b4b
1fc8009811a2b02343fc0dbe659fe578a0f42454eb9ebd2b6f108f1f537304d6
221316fd4ecf32dcb06af77dae3f9fccf26a88829e77acf6d3f96a3225f12fa4
39dd0637ec1a0e409bde3f7d5564bc4b2fca354147f9c7ad32ae6304a95643d1
4483f0e59565160c5edb87f7eef7b2de70ac43d406bd63485778e07ef0d59f7f
51fd64693470a9ad150328ef0a2b5845ed94fe9a15b5c74577dd7731275dbb1f
56fd1a038ca3544d5ed57bd46884fc10539338fd3981f26aaf5e1aad10002b95
57b4115dd50b258da36a842c5e277f6bfb40144e3e37d73ba3dda4e2a063e2e6
5e934e888f338f5109382452f0426d23422308a72f1ea29804fe39bf06680d42
631aeb62d21a575e8ca4b680dad85ea7adaf5582a05046a7d7d2f3dbbf9ad356
66bbf866b922d161d54fd4fae2d2f449407523723c870b14dfb3ea0f916c8818
8b0237a5c474d5f1b1023f2ef86af7bb471dfa11f5c1a96df41ce76dc9cbf006
a2e337f860a9c3a1fe061c742838959408e1c559ebd6ca136fb9b6c883f5c586
aed16d598bfac0757f5a97e7a0df35bf36d4bfc35ffb199a8374cc71d6a774c7
b145199e3358a054ec1977f07a4be7a2644db93f46dbc0bc4fda594bc7f90f74
b5b02e6f73fe5942b8bc64a62c74fc988d2e0c931b1227becf463c33069ba041
c316997b40dd3840f3da94dbd543898beccccf19961252d73f72550b4bf3e198
ca7a197a4aa3ca00397dd2e74a494ca30e0c21b90d9489a3713a01ac80c72a12
d301b119d7e8f10a43809a30ac6c9c218d74b78bf84d84fa7c0bacbbc8ca3b7f
dcd040470964c4963ccb4169a795c1f7eb02f22ad21bdec128a0f12ffd37aa58
ef057bd5ad2a5de868373ed48432b29bf7e72ca25067d8c1e420d9b60e196967

http://yahyalisayam.com/sys-cache/tAsw/
http://casinos-hub.com/s/ZQhDyLF/
http://deoditas.com/n/FUEyoG/
http://mts2019-002-site9.gtempurl.com/wp-content/E/
https://ocean4gamers.com/wp-content/GAuYf/
http://academiaprogreso.com/cgi-bin/Z5/
https://newtop.one/responsives/z/
```
### Epoch 2 Payloads by Document SHA256 - All Times UTC/UTC+3Z ###
```
Creation Time 2021:01:20 20:40:15/23:40:00Z (Attachment/URL - Doc based - Red Dawn)
SHA256:
019f04b6b435d65725a7fea600c318e96d64c945fbf8ad3ee2f67d05900a27cb
0852348c68997bc5f4ee1ad2fce794f15198b36f41818a23b69e787f4cece095
0f0061b80732fc11150a67c1807a75989ce897eb2be6e22d425c4b41f88f98ee
101b256c68bda370bc6e6d2bb174494911b42079e76fcc63b34f0900288c3f26
11e1780e215a952185315253632033b1e42e269f59252e80ccc002e7ed15c086
141fff422c09e0667d14fb353c2b716e5942f8e592bf7e4c8627c33cca4deac9
1599e10bc74eeb7b67c71bbfc12008d0f8bc8c3457297d017e2c633457a5800f
17130511b6b91858676f6df0392ecb7db5aa7d5782038832dfdb68cdfb6717e2
17420055c7c1b85137e8f5e78a7eab811ae1b4f00b33ce05590e19399286fe2f
1849ce13b6b8587273a6ba9558bd63b59ccef9a7c8b25c01c14253a34da481c6
1ade51b62019cdf1df087f2ebf35d2d5fe4aa1bc5a03d76324ff346bfe5d7953
1b2b0f6f229f819f49cefa1af565aa4e83bf8b1f9df047bebfa9143dbebbb349
1c781faa1f4f2e3a4757766943a18d7b1c16ce4e695382b723a36dc9a52d8331
1df953e34823f8351e1702bcda5b4b75887620f2ce403968f4cb0524e89bfa65
1fa18e851ad74226caf71eaca19ccba3ba2b1457521c4a4fbe6ba07fb3008333
22daf06e652ce12909ea87e481c5c12a9ce86142fd53aa1e375b79263dbc45a9
25de934bcde3cc43d82f74d2bda58507044de10d1fb36d7b1fe4ed52fa26ac52
2a4e442727def25a8ce8ddc73ffa52be640dd1f1016dbc26e3157f361936aa88
2b74e583a0148f1e5f2c91424947740e520cd67c66c78bc6a20c22fbc34b83d6
2d75bc655ee87200243a8c0f383323e49eb31a7b0cc6f86e4376c41f83e0f542
2f36085ea2e5a9e6a5d22b533c206be9bb1d3c71ee4c910ae165e54b053c0ec3
32167ecf841806dea1958fe7d8c1fb145323fd98c3412b55fce4e0680f3f8ae8
34f009842068cfd83b7b0048deb0698f8647a41889d562c9314a7b4665c073be
3602f8e737829acb355fceaf51908fe8a199a2ae44099cedd08d3cb298fc8b53
38dd4edef2de2088eb63ab88c4213512a1b0bc748d115d2ed16ac1c5c2cf27b7
3a0235b5137c1d8dffa67e97c6dbe13cfc7117e3c62dfee05d8897acdea83b5c
3c51fccc79c2f87f8d8d80b1aaadf991da9bbc425797a5c252e4bb779b3e55f7
3d27524fc5a80d20ae3567440ebdea86883b5cd1cf599ca8afc8ae80c41ae31b
3f5a613e83e83e91a8b9a8f676535284c8e0f817019b55845e157d8b436ac03a
4121d45c89baa331a26e0dd4c638c04a81fd89a98b09675d3e1cb3c0a57c80df
4142cfc2bb8a067a21c0439bef1d08e1742025b00b3cb1c9619ff7bf0a2b42d6
45c2215141817c9d7e320947f1f94ef7ec92d3351de8ac3798a7e306b34f5de5
462f5d61dfa9c9938d8d78f06e90df29e4037d7a20edbb20da7d9ed0d69a4b02
46512d0921fb5626d9080c7f3930e3b4ffb9cd15bf20c8554f150e7ff47b951e
465766cf4d4152c6b11a68b68646dfb8266ab7cdf4b9ce2660feab1aacd32294
4994c3de88be1e554fa1b922de43a5f18a5f007c949399d53aa6a8e9687659d9
4ba19977d7051012b6f22a72868e1c909438f6eca3e725dde0816c11f5d7f262
4cadad6fe9f001e7d45a39b6a54af137aa2cc08f465010ecb7539156ed88d384
4fbc5117af26fd60f03e2660f74b6b18cfb88d2badad4394939838a779bec2d7
50b410f2af280b1a288a0f94bae66b4db4278e307b1461a93a231a2ca715cb53
5194a406cd4f741d308341f531f690bf966b451f01de1fbfbb604dbefee7c8ef
51d0ab773047ebaac512a5d397e79534ac5b266afd4ee691d6356a8bd7fe4b11
51fae18ca6515a9154913bc82e245a72308b832eb47b5785a21beb0f0a34b07e
54385e84d22e522ecf660abd63e8cdc132b0ad766af8d7c589b13f7be5371c2d
57c0a7e0c8c758419617cbb0493789572ffd9bad491e5e98ecb0754de052efe3
58087e36eb939fe42f9ecafa00c3ba4002c238182b406a45db0ffa7ae6e83398
5a17dee61b79152ce451f560a17603b291bd0934b4c0bdb69a3328fca8b36771
5a43f6cf21f15f541f3c485ea237f724e3c72ea59d91e44092103cae63a01bf6
5eb0bd0ee37f979306d609872b652c8d2ab52e48f95b37ec05fad18504277dbe
5f73dcc09f5d4ac5219b105e1083dda4baca6637aaaaee7ffb27691684f4968e
64a17440d41fd8eae4685249c345b5022f4e690183200645ff1e6f7f804159be
6666bd131bccf0a6bf3973a274445780cd1216aa9260c08d10a079c9ea58cd44
66840e0ecc45de6d60dfd40a9a510bc1664f4121d4e66b498fa33e3b1cf2ae31
6696dcee2f90b0c3f0614d8197a15ce194e31f0940e923dd5f9bb95fb42fa479
69c319f6ceb4941cc2152d633b509323f22dc33994ebf516db8304e2c5409a62
734760f1587fe2caa03e721fc7f70c74e90517fae7f02f75ca4cf60cfa2c947c
75d4b326ca471055fba9d3e4dfbb994e191135130d15f7f1e75fa6a8346bf89d
7a20adc14eedee96591f3f10da2623860f3adfb5c70d6603bad7802045e11c81
7b84f2501e9b8aaa56422e3bbd5742f0e1ef38d318c28d689ed5662e85a65cfd
80f688c0b9fb7d3277bddc7d43c06d13ddb6a1658247870d0287de8c157e0bec
8529a3bea5066aa6c825c3e7f27e7c014eccc2f265ac844787e13aa77048fc38
885bec24ff3ff31176e787f7b53f03563bd32498a8dbe78cf0f8c7e933abe619
8ab4622f9baca8db727f2fbf8f473144938729d286d1a320633fff3fc0897ae7
8c51b7b434f7213aa019ae0600d85e225e98502f1971bda3990bbdd16e3b897c
8c9e3c8b6589995ae77125707441a518cd80dcf62a2c59e0d4b53a2bbef0576b
8d7efeeb6526c1ce01dd7d5a75a5f9c22d9ef5dec9e19d6504cc1d073cf8c864
9005833203499e17fc8dc75a6082bd9762dc6acd404ae5dc6b0fba27fa9e1c7a
90512c0b5b5ffe54f12e39016dd9e8673631e0eecee9a8c44b2f3f9a90cc9b18
920fac5b7032800366dc97b32e8ecde37c1432a99f3e2eac1d3d36ff62ad85f1
92479f2f51bca6692c4c3d53b3f9a49bf1d5aeab01a98e9a2feb0d6d68ef6343
943f25050a280f1b3fc1154ce8740d31f30935391a7f7e9cd1cb0152f46ff099
9567a3e4acbb781baa119cbbd1863def630fd858a58d6658e360d30614b82082
9675b2f426b45cf771be7405a1b50bb1f2625f5be481848e4df2fa7419fc36ac
96c0946b5c6a8d77fa253d70c944ac5e78a5a0cfc0e22ebbc27b44a8550cec6d
a1adbad4bcb1cff2e45b7b7e7be4838dbf2133df86b768c9a1d9fa056b5b5d39
a1da083793734c0f30c084d2576c41c2c1eddedfa5adcc5b7f86ebdd2765aa2c
a27a067570f7050895722c7148589fd30eb44e4d77e2dab8d884271e0235664a
a58be0e3ba5abd6441bef2a7efcdffa251f5f396685642160a2508363b75395f
aa07564ad9fe421b07c24a624f3fbf68f5f4080fd16a61bbbdccef53d89e138e
b0b540ad237698caeabe4f0eb6faa0869a39484393d922cd298e23b304562845
b5b3fb90ae6803eaf1c36f587b978d687b19cc72399a51128388be7d421599b5
b77758a7936af2b7c6b3df9fc45475ca411a9cfaae447bd97a2ab3b8d60aa160
ba3aa81154976cc9bdd719ecce4a925b513892f51cf40a1f511d77d1c180f1de
c01ace5e5093f9c57d7a89fecdcec19a4c90762c99e748b4956b17a8e8f272cc
c08b3f7c06d7b77801575fd05c9242aa9c5f8ad17788390c0f15fceead07002f
c4f94c6960792fe6e062b42c6c149482152a96588a9a5b9c3f7c4a35c974ac50
c817fecaa0572cdffb222f4e40d2d2f64fed46d86c042e8cfd9cc3b597489912
c81d0f1555b356115f9478fb3e1a082fe834f56fa4361077081cc7c399d5bdea
c84de615620cd1a69411f262b2f431ac07909b7705e43c1a97d80f5bfdc3ea33
cc9a98243c5e282cbde25cdda1b4510e22afc3a444e07d97c8c9ffef7ff45463
cfeb8617b6934ecd6b5a4bbdfa12bb62a323bedd9f43b8e11352618ecfa75b43
ddca7d6d22b741be7ae7ed5e884bf7bdf3e0a17ba7cc4093ca1744bdcece2fbc
e020a38883c31af6494ccd2106bfb598dff9865f94994ae3bc9a3e40d1aea2bd
e4cb0eb0b65af11f26a5b0a66600e1ea942175dbac4014967d689880158e2a0b
edf31b7e2675b612cb3930814615f228a9fff1dc8613ed5e47d9e98418ee99ff
efefc84243ccc08a0c004247847a2e7c55dc7559eaf302919c40085ff83f5c4c
f19f01987b42d9be03048f6897f0ae6dd4265c93cf2b1e055b28e5354113a2d2
f1b16a95d60e942f2ca4724096a5a078f74d16d045da8ebf4cbd11d1fcb25322
f582def432e13ece8b95e4ef399332f18cc093c85db59f4f4f0ce822447b465a
fe4636a4066b3525d7bc3a58f2a3ac8c430e3bb88f0e975869c95e7cdc91aa5c
fef516c40db60794e220e323bd96e2a26f5808d97ac911e2bd4afc4b0cd756bc

http://trendmoversdubai.com/cgi-bin/B73/
http://dryaquelingrdo.com/wp-content/SI/
http://bardiastore.com/wp-admin/A1283/
http://oxycode.net/wp-admin/x/
http://fabulousstylz.net/248152296/TpI/
http://abdo-alyemeni.com/wp-admin/seG6/
http://giteslacolombiere.com/wp-admin/FV/
```
### Epoch 3 Payloads by Document SHA256 - All Times UTC/UTC+3Z ###
```
Creation Time 2021:01:21 07:44:00 (Attachment only - Doc based - MSWord DE)
SHA256:
2e35f527f530f946ff80f1e983383e4efb0f6ac4db9ee86afd62ab2c4c8d0bc3
30d2821cdf2bf71b2cbebeeea62050b671fe2d2053c676ca0c179ac76ea0897a
3d46b079f5238c90674ec0a6cb9f7db058654d925a84b221953a1c4df66be2fc
3ec6cd2e078f8bc684bf9291c9c3a94121c8dafbde12613fcd4d31a79b20896c
40b1f6d11c783c7b956cf5c25c4e0ec814cacf3b6bf274629ccb3dda1eea4e38
6104a677cd91068a59589c7b7a22b124ad53c9a32d59fac2f5691b54c5edf76b
67682838e0745ae535a83f9b7cf159acd72b214b3f75504be7f039f1497cf3a5
69078beff40f7e13c4f71385d4039a64a3b3a485471a9d66964598187a18f4ee
6f661eac8a44521833b364bd90572b21e7f1f98f0e3dce76f39109344cd52781
8c437fe63f766f9e3fc81515a78f55caf53d1701ba1f3b1191978a51dcfc659d
8c585397f372deb0c609b0acf6fe42452987214ad519df1b254c5c666df4afaa
90c294bc4b8267cdc9bc44d0fed58ea36be306dbd259c2d17fd419cebb63b988
9d3c537b888df0dbb49acc5106f05dca2abe82347b16d881cf27cebfbe4a24aa
a85ad93c17e5f0ce36ec448853a63cb83ee0ee976603ac159ce5e96cd8e67e13
aaf1f1f2174b0f98e67a51c9cde1021a6a7b39bef0558e6bfa17ac3b6cc1a788
ba9c99e45d906de7f03eea1788b4b034cda29476bb44e4cb24aacb37cdfd75c7
bbbdfca7dbe699780b0c92e88758f189c2aba0619c985872f0b74fb9dd332db4
c0e87e1eaacac3b758604d6729c480f75d14530a617ddb22c5fac6bbd456022d
c643452b495218e12d0d7a502b386741511c531aef89de79febe1b9265d079d5
d7336746eecdc0562c91122e680344012a3759caebf0995117083bf712d0e75d
ef287a1865d74b80b3e9129f49c81b8d975b05d1d2c872f16cada5757a8ff71b
f219b5744489e2e5b9255c15976bf1c5971d1581f29be8524ede0536ca95b982
f6817a1e79d2b8d13c6aa3308b265f8c18e6c331e04273898957c38acefab001

http://deshbangla71news.com/wp-content/5M/
https://bookkeepingdoctor.co.uk/s/1EU/
http://www.peritidiparte.org/administrator/XSboAD33/
https://lubdeco.com/rocketlike/1IqoSgDG/
https://vallerconstrutora.com.br/wp-content/uploads/vDIi0eYzz/
http://www.bikemyday.se/wp-includes/FdM/

Creation Time 2021:01:21 07:19:00 (Attachment only - Doc based - iOS Enable Editing)
SHA256:
0af5e4550ed0d07e9620819827203ca4a29afc43478e9074bdaa38e589a376f7
0b06de02de18d7db163a215d2be87483e43d545698e9e200b311d06571e97ad0
134736b98536f6f81da8506f38c313a05012896efe558942fa20863e21d88512
1a0f24545657f749035796c8407b580d9172fa60a6faea7c22faef8069d6aee2
1b13bccb232b6912206990f6e6d9edefed8c700881036157d63bdec10c185072
1bab1464c3e8f00b40b4b57b0ea79569d451f1e22c42bd630426d02fbda163bb
1e3065dffd5f002516433e4b581bcdc393b1a6c7a55adb4bc342909d555daec9
21a8e60bc2a6c47e608d46360cefda71e3a573dd1153a72bf06f7b2f9e464db9
225afa90ab5bba24458f97714b131bf842e5b3c8b094f35c1903b07ca4247651
28b7f1e4319f06e850021dcdb710af17c990eb18d356d295f28c7a49962a4194
2c63fff7b74ac7cfe1cfce171597a813816d90303db17c4e35d412bd11b10d12
2f2d38359888c33e6281957c9c695658ff2a21ccbd4deb1a64c4b45e948403c3
3ad299664e07b6aa08b944e6fb9f251c63def0fb05c017fc2136752c08572c8e
41b919b6cdbbddf1a3736c6f7a778f34532049ed44d623021a7fe3a62bb27b5d
41f0460f8a8e8219b3c9ac1deea29dff53d8b8f47ef9482a22760a9f37021e19
434b04fbceafd7baec4fc16d5322b9178337ecef64e8faa1c7d7a7eb2c813e39
464e228e72bfc9069edea2955b05063322b9516c46c9ad791f04cbac403c23a6
5698dc134f384956b2b7a990a7ff5496f80f42544156ef63e8cff61d7ceb3672
5b03d5fd4cb9b6b892b0aa131b8ffa0867b2113ab898fc5a6a47ffc876f884dd
5f63e101eb1c98af52149bedd0ffab1054e633dd0ffd6abefb0ad182c039d08c
6275898c718a79e422a08d5da48d560cf39d6e32b91646872420f9f89f5575d9
662906ec7c3d0f4ceb68de2216b2a03287b325f5c8d83724425aede6686cb8b1
706505b21fa17afbce6600e7c3310f017d6638e39664afc2262caad5ea251dcf
71263a5644afd276319429a472a59a7c404c1c3b479b7271612ed313a7ae56eb
74343a001171626962a999b1ebc2459791e6201f8575b041385aca073d46e187
78ef9bebe5b116baba76e5e3c00e335f910aae60c4ba7c5e44accbdfd7d97296
7997dc297f9c7f2d47c512632eb6df6b7e4cbb7774fae3dce66b7308d735ddbb
7a64eb019fea594521934f69102ce58f7b624a29138c0c86a1ca59f7f7f439d2
7f48d8712e04dfae0411d4563e6b817a9429ca151c71169b54d1a55fc49d289c
80d98ff256d38ba20e2d70f04c287d7adf58d069253ed30d68bbf1329e1e173e
81eab559ab78c380c94f071e82a5ebfb858c52a64767305ab185151136f356af
81f2ba7fd695aeccb81089e2eef8feb88e6dd460a95bdffb4c43ec226e4ffbdc
825941622149533a9bc0cfbcc6ddd1f4ac0e4277eacd318026b69d3d8a07a1cd
896881860d73c4e57f15cb7a022eece87ffcfea2d3b3461fcb50ad2ac26fdcbe
8ef02c1c0bc8471a6a38e18c5bf500758c3ef4e9620d2a17ba74368d6d4a9663
8fe63ab9654b72a4c55b3f06dcdd730da8682db8344ad0573511f784ca74af39
917ed80030b193ca95cc7a2218becdbbf9e158e94af47022d03d0877c7274327
935f0ece155c156660b1d165cb311a37af8740d7107fa9b9d2d61da00f407237
941d2dc007e614f0830e1584c83077f2b6fe394d0d92e4eb47fdb29813646529
a146c432463710e2a1d26e89beb818797c3f530e9e138e13f43ae94c5d94a47e
a37e48736b39e8b39dcaa0384df8eb2864f9f9801119609b200f5022a3521f5b
a62a6abf3a03ed16093f50945dd98fa4d93fb8d9c5a63194ac552eff23d3f806
af03373bd3a06747f1486f247881d21782ec84cf7a5125c650c8f089edf280ef
b1bfffa19f20994eb06b7be3216bd7f9b0ed7df2a7ff305b037df356b0aeea3c
b28b852286ecaa470a365c799492b65cde4ea7cf0fdd47964a3ab67b3d99d29d
b58b67e34d79622087f8d980c1e2dcbaf19fbbad264a236e2ec3af5ccc351a1d
b89ea255c1499ba1d5f75219d7fff2fdd00ce9ab61ce36ba4498f59461c1c1bd
c801cfb380a7740a1fe7a2601a40f3a4fe78814ff4a27ac14b5d5fc22951c398
c9e142202bfdefe0dc3901dd9133e4723a5109914aedda93e4b1f01db20c318c
c9f449c178b91a5423d5bb9343b220293fd18eb4f10bc3e024349e8c5aeec531
d12582ce53e9e687237bf288e5ac6085e9d4059c0103b82bc6993cca5122706d
d14751bd579250a629a94a873857d557724a26dee8af6acb53f466402d98a0ec
d2eaa9bed0a34fb09e3e100269d6adc98f380e7aae68de4978926ddfaeb7177a
d4060d6c007d54ba0b2dc8ec8ea755ecb9adde6e6606ef0e90b347a1755a95c9
d4654bc9163aba681c6f8b4a4038e8aa312369dc3b027cd50dd104077029a233
dacb9722a67ae684a2d4df3ed97d79892c842e0bb9648bc012fefa64613287cd
ef5d46380da37e1c4b4c2666d3252391e3c67cb04d1cf3a5163516a840635768
ef5dfc99729e1117bf153c9f3eb19cfd49ff042ccec9942e44ba067d43fc78b7
f188af4cc381f08181f38fcef77fccad9de49698b8f1bdf42e0a5719bad82101
f78841380bd3349588f17fb4efe705fe4ff5d93e035f45cbc660fa167486618f

http://amojo.org/p/Mx/
https://topflighttrading.org/wp-includes/WbDnukw/
http://www.exerzitien.jetzt/nfs-heat-n0ght/MsQfotaKfq/
http://www.yugan.cool/v/vSFJCCG9oV/
http://ook7.com/b/pbd1/
http://www.caglayansrc.com/content/tPGhhnTHa/
https://senturketicaret.com/wp-admin/KAFiShfSh/

Creation Time 2021:01:20 23:50:00/02:50:00Z (Attachment/Operation Zip Lock - Doc based - Microsoft Office JP)
SHA256:
01f788b5f7bb3bbad3ce0a03b00cf8a2f0f52d772b98747d8aa4d9651da96802
0221652be4ffefd65aa23ce9d452c4597283a51954657958ee9c6bd842edf28b
06e1ea9e70155d62272aced093ee2e86c8aed2eef991b939bcd2425099715d6b
070ec276cbd81dc85e351d4c8d20a5ac5584cb294455df59ecc70061df8b83bf
0df1c21cca1994d79eeb014e76fdc83811cbe9895596db8d18872299fffbd9e6
153308b87fb8e24ae2092592382578744ac78a7b9ffb8dc14733e8ddc5d681b8
155f1f398a98882fe53838090b9ceab79d25d500a296f3705e1ee6d751f8233c
1c765ce586c08b7b2da1292d8237338d85549aefb35560f70d4eac26385251eb
1d5f5373532659a5361731578ae5b4a16fa9559a7f5ccde01d97f3cb992c1264
226a31dfb999386b11034c6d0e2624c950a049bcd0118d1dad7e4b88868daf68
254c650c17112b2e21abfebe397308e23fb6e75ff4618a7ba787d33a542efd9e
27dcce2620a7e2feda1b81c316fd6174c0cfbb8c222816bfe02ae0c090843909
288101f4ce6b3fa92d96b3b649c29ca68d1bb4779cb94507eca45517fc45f253
2d316065dc5c2921494e0683006ccffa2d71d670df05abdffbaded9cf5f34dce
37b42fba700f3848c57dfddd793c1cd069cd0677db573dfa31e31d907138527f
37b6b75459a5bd8fac35859a743678b573544dab4efc68365462272a10b6a3e0
3b5bace71c0eb73e46b8dcd34fde14bd558469d86f29a0c9c11cac97754ea42f
3d0f6d79f1a745bdb2b3b15bc177a764cabd05e437932d1670804e8dab6b0717
41d77a556f7aa55c918d2cd1faabdc88b3531d06ee91927a89690ea468fc6651
5376daf10aa7b453a39509112f587f1cacf15046fc4e8c8608512d30c63e5b5c
5f338e4a44cd65f14ba106cbfbcc34915c98b0bb5be2f6cf25d4ca1890902d2f
624ce1e4f0484a475e0de892dd9c05099a611c68d96b4ec8d8c4b19d317b447b
63889be761623f8452fbf9b80a3039e1e3c6ae5fa183a567630a41f9d6fa3bec
63c22b2dae6959bb93457cc3c7b7c49d60935de2882ef5bf18701815ac58c27d
6c67f327340649ddc6fc4595802dd1d76e0e72a7674b2fbcf1605f41e3172a25
70c6542380105f986b6fbe8db06240d10784ae0dec933b8c96c2d4345bd3332f
720cdc8ce45e358827737ba652d843ddaa309f149fc55412424fa7c227687d84
77e12c6b12db756a2433500373c71cc72517e9aadbff8ee4acafe0700799bd27
7c830942161821207b4250db9bd850f821c0f4c649f30b2c86cd9cc1620024b3
802a3e51440f59664a59f8d2eeabf0e22eabba16b37588b852194afee647d893
8a8b0db6174bb381555b705408741c10c6673661a1cac67b6013a3b53d858175
925b2a07ad4954cced1982221d6066371f1eccff393778322606cf4da2e67cc7
94529038458de6a51b9778a21b4ec80e2976d46eb9875a779cd322de468f3784
9acdc53bd80e3f0e66ec216a360a9a84b6ee857d6150bcfa3a8b32ce47889a42
a00f1ae9cdb86a862e6b5e31a9724996debf25cbb79d959b18c2b7e99e7f538a
a825fb1bb5b131aa31a2b39422a630bc203144ae2013629db9aee3237e72a675
acf2fedc39b894109ec8632295d882f67232e8ebec9f039cd0ebc9ba6ef9d694
b3bf0aeadf5d0b5b1c4005b38fb94ec07bc8304c1db76b96ac7c557b3d3bd150
b5ebb1e24ed5627bda15d9b12be3a48b2eb0782adf1abfbf37f409b8cada11b2
b6ca26bea7d16858d73e4bdd15be6853132b15d689acf10cc56b3e7af901898d
ba9a95912003dde054b0ce0083eb3d70458b137c42f000c8c15f286b6399696e
bc0a70ef61527afd12a3231b6013399e4f85f61a438473a5c21b38eaa91c1a4d
c33e6c2f2e76179450b1b7dc2d7103f55545ec3222e2d5478e45274c6ed484c4
c4b193e8409f40d5b266eaee5bcf3527f7b8285508db2fc2cb4fdf35ac721ccb
c87e8a8570312a7177112ee5e498343640207f7426e389f530f07c2a881f3f0b
cdc529a15f3b60d0337d6e509d4d10bf0f209ab336b615afed44d5a14e810a11
dd74817150db2cf6293c896dedc81736eaa7306ebda9f057540946bacb213a6e
dfee4c079343a53a64ab1de25ab1619734de94350c5685822a2d5cefbc25e021
e17df6f325bb2324c8b567200cd06d09e5a1dde458da8465fe59b8c5f2e548f5
e752958330a230d8d4d0ea7a0c6f779fd2ac3a93247b2403af7eb9857b8b0be4

http://gethumvee.com/improvisate/HVTtdmsZ/
http://arch.nqu.edu.tw/wordpress/w7F/
http://hindumedia.in/microsporous/P7m/
http://pageshare.net/sales/tzV/
http://bgmtechnologies.com/4131325866/sg/
http://popperandshow.com/248152296/ccXqKYPqQ/

Creation Time 2021:01:20 23:40:33/02:40:00Z (Attachment/Operation Zip Lock - Doc based - Red Dawn)
SHA256:
0b5a4e3fe03c6d0e941a31efc0cf48c347032dcaf71b46c33fc5c69165f40101
0bf5d964aab27c296140eea991dc2930edfc2413ba2dd9f234c8f013582cbea5
0d792a683c8b846f5c861021cd747f350ca05e0347636c846030fd32059264d6
0eea618cc82378132a9c3b442c9ef1abe28161d76c105bb0a70032cb9f6aa234
11bbce75a57404dd69e8757724c49bc93aafbb68168ef9c45a80e4fa9426ed20
1634c3e101b529b09e48ae97fe5890304ad26522b72a1d18d740e34de0f9236d
173ab076156893e04b600ad7717cf82b92c426e43ef21efbab61f7dc672ff99c
17964f3ea8a48faf47c8b9b8b74c0cbdbfeb1a93a6f44ea0fae2f17ce2387f56
21b866f28bd630880920b98b2c4d3e3308e8d9e2a3c9a06f2509c6f037b65f4a
2234119eb693616638348e5227cd7f2749dc861206049951f51a6dcaaa8e81be
228c96ee31273a1f3656655cb2ed0a8dd2d41be771c378e7527eac902482d893
2503046433a325a10ab20bd59e9a4efcf1b12b82d778c32d847edd42ad51efd8
26c099532d94a77e26f83f5531204787aa910da4368e39ffed47fa7302dc29b1
2f5c32d4c3ac7a74ba64d628accfbdff8199d13afd0c28a9f73e586a8a6d3f19
339afdb81c2bc095fea4514a348ba4eeea95bf936abb03f8cbb63376bcb94791
36a43991d2172741277048f9f5d34381153295c83b4067220108c4a258b06cc0
396897e88e4d4b7263d3be2fe1a69a6920127a12de4d92d38f16bc0ea8c942a1
397d1920702dd054071f9b2aafcb06751e6ae2153a83de4d9bcdd68db3f9ec7e
3d0ac48d0d054760fc6e63d8bfd8fb0bbb38092ecb36b62044b78929cbcface2
3eb9e176a4f055c0df53d13c27f11ebc9563171e9993ffe8fd7cad685e5504f5
402e298e853baaa3933de1b42c78d70504edafb4ca25dd8d6cd8b9683da6cd2d
44bd3c8be142f523fcaa91f034431c593819e0e9384679bfbe1a6f843a6c1a60
45c9a1eb8278ac3abb6a031de3d4f5bd5e0d990fc2d49375cba8f3bddf6435b8
477535eb02d4958493d023461957325e6dd12a8c4f4305342e6564af7d3b9b4f
4cd44cdbff23dcd7616ffb0b668e46216e45dc7d0eda11c48f7b8a146adaa996
54d6dff4339f776f5b6bad0fc8a168928b7336ce638dd1576d61d1dffbc86474
55c2cb88518688af417b377e71590d01044d2acfe570d2e0d3ec56632c0e24a0
582bc06c8f0edc48a05bb272eb4aff78f511c3e179ac97bab1e6331306e26e69
595d25e6d68a830df2d8e93737429f4fad819c3f906a6a1824ed5f9da09607ce
59a4555653af5f498b93c9ee4b1debd859669b230290dad030ee179f9e77746c
5ca0613874c16033d0ec39679423d9d157dee9d9e0bd4be7f6941ee9f919c2a6
65dc2002fb0f91d9be4feb1bcbfeec6697b22189d2d91cbd7558835997d7c2b1
69dd5fb75dc2610d98248e0c38d9fc339e48d0691aad4cef4fbb7684092da986
6d0d0a45fc31ed64566835adae108fa95913191f93daa9821b51e5cd6f5881de
6e34d369a82d743a15a4f65cdf3c9e52baa3e9738e10f648a9079d7263b7cd5f
6f121a9b20b7853f629ee11fc5da2a482ca049fc77ba017d6ba544dc265108b4
71498601ff85399ad3676388fa572d327e5b1c48a609b9e83d2d6b413d13fb21
73158cb5e2de266e93c79c9095d763cc352f7069e841addef99216aa22a148a8
743b0489a94f04569f1dd9ea1c62d1d5d6ce22b642369e87f974b3635990edb8
749dcc8969bfc2bb81e42b172a8b147784f164d36bbc9092584fe7f6b8f0ad6a
7a5736b415f46ff15a4dd28f0bf5b4bd599232459a61730fd76c991929d2df1e
7c9b081ddbfa4fd10614034d47af6bef513730323cf1706a948b6d9a0e15e9d3
7ceb64138d0aed2bd2d577f86deaa4ac356aca9970cb30f3d63e0e6a71a3bc91
7dfa4920e28f7fb29741d69a81451679a71d986b167f9236227390b0cdd2b5ad
8aab700f77b2535f70f37e401c9895070b235d4cd42ef9a3b7ce80c66f1f9df9
8bcf096341e3fafd83472907abcfde3d88952d8a0d5f87e00ec0dfeafadb4ffb
8be7196a87ea469d76b41a2d4047a6d0bc089bad47e8488d065a5ad0a78e93e0
8c92b3a13f8b1ca9a86662a862e16609a8fac26b945e5edc9ecbf3e95f617fa6
8d580f6dc4db54cdb9c6816494ee1435f832d2ce7273844c492a60110692fdd5
903a62541cf48024d80e35f88118eb69c094a036d189f44a4e3f63bb74c30fa8
90d77719d08d3ad70381ec1e2e7f0cd71ea4c97e6db43cbdc89d2e70ae5a0495
93d9b9ef3a764961ccdc9c1d2b547146936be2836dafc32b6b8b933379fa6ff4
9b9fc831d6ff86208f1d89415441ce857893b263e8e81a0eb32dc48cac7df18e
9d015227e01c755ff0ab2461f2545a868347142db7c800b1c2f3be6058ca7476
9d4526097c1ee1f09a4686716b6004b29507650b094fd964d60a8c74c154f814
9e2508b307de65723b5b85ef3be57580986adf811282f20647f34cff0d57e6b6
a206fc0992fb50ce750f2c5158639df993cfcfe914cf54b0068874cc167a00f3
a369f5566b8d0e89c2dea529ca8f61a1d364f058565ae4f0ef4e2d7220ef47fd
a399368d46277cd5ee3d27f8c3e8af36a446f0f27877bea4730eb242ad4e236e
a6e39f77401a5a7542e70c81ea61ad215ef32902c003895a8c4688dbbb788e01
a74f258d610a8eb129daa86330adea4287acfaa282513cedcc4ead68110e873f
ab31abf2f9189ccd5f942bc1c1c574581a5194f1d1c443b685be54b43fcf5fcc
abc83c82a8f40cc71284039e4dcef87dcd5b119a82e25a7c33c05aa632d3e63d
ad0b6dd421685f909f16be33bf5816f2ebe17522645afc8e0a4552137155a433
ae9c3309618d3e90593705b88cae07e77e1fef98c2c7e52b1d6aaa99adc5a8f2
aed21df8594d6189cd7cba747b4b09e4ff7a5acc14db197fdff7f4be64723504
aff01b9b3ef4f05717dc522b57d09e2ba5c263bdef45d02b06f7454b7cf5f580
b2de95f9cba002fd980b4edb6ca033c5c200f4f1cea9d7a7315cfa4801e514e0
b5506683cb1e1d55e47e35fbdbeb8760bb3ca0f73719c26ed2cbbab0cedcc873
b6dd4c6240e649cd7bdc5c0cfdf9bfccb77cecaebfbe8f8f94ce158c3e8c1e2b
b806e0a8b6db012fe95669ee9aa7257ecd92286bc461a4a97b343ae1e3d46b09
bdc24af2bece5e111721e5863451be2cd91bd4c418ec654aa4b5bfbbc7cd0012
bf2ba280c87637a042f03203f1e286a5e7ab2421b9977c97fbc7c63e9f081917
c6ecd16d5625c4d2c4a76e38386b35c25833cd1501f12a0e384ca2880fa5dd31
c887c92f3a9860134acceafb0b30e0b9186c21499eece549958dc14bc4b8ada6
ce3fb07ff799753b81a24cd7128a000edd1c5f20e62d6c51f62500680659ff6f
cee84c7d8a3e80a93cc950b4b7e6d38c7fb20b6fa961745b505b14594ff893a9
d17647b8781a30c19a7018292f2270312b78c8d4a71f939a81d76057508472dd
d8380eb41d8a88b493035b22488f78e0ce891121ac954ee3993fa83f0cc86757
dc2484f36eb1e42d80b73178c8fa8e2a04b43c3aa20610d72f6985473ae455f2
df4557c199a3a85466d9b3957b9784a91945cfa72dbf0d9b93498d8deda59b99
e0b6b52aed804d6e8c0bf1b5385151b5ce683342f11e2c5346a7e76cf66b61c0
e4367e25641d14d72513444bdf356bed3afae2627987392a3f0c911a502e56b0
e7e446a291cff824fa8b33d5902fe15a5a68388438c99d65593429611354059e
e7e63d0f315c142b17c8dc7c000ced73a6c85f9e3dcbea7e57a8d3c43d57b5f4
e9f14eed2a55488aa606e538b81e095a45f1f9ad203a778d1c1161884b2516d7
ed7c9be895128fa9f7df701cc90e46000a3a731247d3c85b74a9383512df79d3
f0cdfe8360aabb3a67dc793229564bda06d0e551a652b4293e598b725a6ed173
f3526e4ecf20be32573b9abb752ca2bb1f7d5d4b0e84a66ee06fa387193821bd
f46d48e4d16c808d66222aa8aa5a80fd9e256e4cb5318422c2380291cd4fc1b6
f4e29eda3caaafeae6d1a3a5d0be1aa3d4e023ff9547ad0676a278b1c1ae8c85
f992e81daf8901402de20ced8f8625d868cc4fdbb5b8e6ef6257c358a98afa7c
fd899674a12cacc2530a3908c104fba671523317b2f551ad6dc4b1137ca5a79a
fe370014a10684e3777bf31f22eb0ef6f119876dd1cf034e5016b7cde382e240
feabea18b0a534e69bbfeeb89d77289c4439745343a79c2301abb6ddd4188f35
ff411679d332cc200a80a0cc3d8690853e797890ef26136bcae90a6b574ccc38

http://qingniatouzi.com/wp-includes/Z4TFME0/
http://chenqiaorong007.com/wp-content/inh1Q4eFMT/
http://bestcartdeal.com/wp-content/U12BbGPx2v/
https://hredoybangladesh.com/3948708181/l7/
https://washcolsc.com/wp-admin/gRIWZ/
https://aqnym.top/wp-login/9ZvtYaLyhg/
```
  488. ## C2's Per Epoch ##
  489.  
  490. ### Epoch 1 C2s ###
  491. ```
  492. 181.10.46.92:80
  493. 2.58.16.88:8080
  494. 206.189.232.2:8080
  495. 178.250.54.208:8080
  496. 167.71.148.58:443
  497. 202.134.4.210:7080
  498. 187.162.248.237:80
  499. 78.206.229.130:80
  500. 85.214.26.7:8080
  501. 5.196.35.138:7080
  502. 1.226.84.243:8080
  503. 110.39.162.2:443
  504. 185.183.16.47:80
  505. 152.231.89.226:80
  506. 138.97.60.141:7080
  507. 94.176.234.118:443
  508. 46.101.58.37:8080
  509. 93.146.143.191:80
  510. 70.32.84.74:8080
  511. 137.74.106.111:7080
  512. 80.15.100.37:80
  513. 68.183.190.199:8080
  514. 154.127.113.242:80
  515. 70.32.115.157:8080
  516. 12.163.208.58:80
  517. 31.27.59.105:80
  518. 110.39.160.38:443
  519. 68.183.170.114:8080
  520. 87.106.46.107:8080
  521. 105.209.235.113:8080
  522. 185.94.252.27:443
  523. 209.236.123.42:8080
  524. 60.93.23.51:80
  525. 186.177.174.163:80
  526. 177.85.167.10:80
  527. 111.67.12.221:8080
  528. 191.241.233.198:80
  529. 149.202.72.142:7080
  530. 12.162.84.2:8080
  531. 217.13.106.14:8080
  532. 197.232.36.108:80
  533. 192.232.229.53:4143
  534. 143.0.85.206:7080
  535. 177.23.7.151:80
  536. 213.52.74.198:80
  537. 51.255.165.160:8080
  538. 181.30.61.163:443
  539. 93.149.120.214:80
  540. 212.71.237.140:8080
  541. 51.15.7.145:80
  542. 190.247.139.101:80
  543. 188.135.15.49:80
  544. 155.186.9.160:80
  545. 91.233.197.70:80
  546. 95.76.153.115:80
  547. 46.43.2.95:8080
  548. 152.169.22.67:80
  549. 138.197.99.250:8080
  550. 104.131.41.185:8080
  551. 211.215.18.93:8080
  552. 81.215.230.173:443
  553. 152.170.79.100:80
  554. 190.114.254.163:8080
  555. 190.251.216.100:80
  556. 201.241.127.190:80
  557. 82.208.146.142:7080
  558. 172.245.248.239:8080
  559. 190.64.88.186:443
  560. 192.175.111.212:7080
  561. 50.28.51.143:8080
  562. 81.17.93.134:80
  563. 202.79.24.136:443
  564. 190.24.243.186:80
  565. 190.162.232.138:80
  566. 62.84.75.50:80
  567. 190.210.246.253:80
  568. 190.45.24.210:80
  569. 172.104.169.32:8080
  570. 82.48.39.246:80
  571. 188.225.32.231:7080
  572. 45.16.226.117:443
  573. 178.211.45.66:8080
  574. 138.97.60.140:8080
  575. 122.201.23.45:443
  576. 170.81.48.2:80
  577. 81.214.253.80:443
  578. 80.249.176.206:80
  579. 83.169.21.32:7080
  580. 46.105.114.137:8080
  581. 83.144.109.70:80
  582. 191.223.36.170:80
  583. 200.75.39.254:80
  584. 201.185.69.28:443
  585. ```
  586. #### Epoch 1 - Spam C2s ####
  587. ```
  588. 165.22.93.5:8080
  589. 128.199.220.70:8080
  590. 54.38.143.246:7080
  591. 5.56.132.177:8080
  592. 54.36.185.63:80
  593. ```
  594. #### Epoch 1 - Stealer C2s ####
  595. ```
  596. 37.187.195.209:443
  597. 167.71.4.0:8080
  598. 165.22.246.219:8080
  599. 45.55.82.2:8080
  600. 88.217.172.165:8080
  601. 162.144.212.120:8080
  602. ```
  603. #### Current Epoch 1 RSA Public Key ####
  604. ```
  605. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6
  606. uS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz
  607. 6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB
  608. ```
  609. ### Epoch 2 C2s ###
  610. ```
  611. 12.175.220.98:80
  612. 162.241.204.233:8080
  613. 50.116.111.59:8080
  614. 172.86.188.251:8080
  615. 139.99.158.11:443
  616. 66.57.108.14:443
  617. 75.177.207.146:80
  618. 194.190.67.75:80
  619. 50.245.107.73:443
  620. 173.70.61.180:80
  621. 85.105.205.77:8080
  622. 104.131.11.150:443
  623. 62.75.141.82:80
  624. 70.92.118.112:80
  625. 194.4.58.192:7080
  626. 120.150.60.189:80
  627. 24.231.88.85:80
  628. 78.24.219.147:8080
  629. 110.142.236.207:80
  630. 119.59.116.21:8080
  631. 144.217.7.207:7080
  632. 95.213.236.64:8080
  633. 46.105.131.79:8080
  634. 176.111.60.55:8080
  635. 174.118.202.24:443
  636. 94.23.237.171:443
  637. 138.68.87.218:443
  638. 110.145.101.66:443
  639. 134.209.144.106:443
  640. 74.208.45.104:8080
  641. 24.178.90.49:80
  642. 172.125.40.123:80
  643. 157.245.99.39:8080
  644. 118.83.154.64:443
  645. 202.134.4.211:8080
  646. 121.124.124.40:7080
  647. 172.104.97.173:8080
  648. 110.145.11.73:80
  649. 172.105.13.66:443
  650. 168.235.67.138:7080
  651. 78.188.225.105:80
  652. 59.21.235.119:80
  653. 185.94.252.104:443
  654. 24.179.13.119:80
  655. 49.205.182.134:80
  656. 51.89.36.180:443
  657. 115.21.224.117:80
  658. 202.134.4.216:8080
  659. 190.251.200.206:80
  660. 78.189.148.42:80
  661. 220.245.198.194:80
  662. 85.105.111.166:80
  663. 5.39.91.110:7080
  664. 203.153.216.189:7080
  665. 93.146.48.84:80
  666. 181.165.68.127:80
  667. 70.183.211.3:80
  668. 47.144.21.37:80
  669. 167.114.153.111:8080
  670. 75.109.111.18:80
  671. 24.69.65.8:8080
  672. 188.165.214.98:8080
  673. 187.161.206.24:80
  674. 74.58.215.226:80
  675. 74.128.121.17:80
  676. 24.164.79.147:8080
  677. 139.59.60.244:8080
  678. 136.244.110.184:8080
  679. 2.58.16.89:8080
  680. 79.137.83.50:443
  681. 139.162.60.124:8080
  682. 89.216.122.92:80
  683. 188.219.31.12:80
  684. 190.103.228.24:80
  685. 109.74.5.95:8080
  686. 87.106.139.101:8080
  687. 78.182.254.231:80
  688. 74.40.205.197:443
  689. 89.106.251.163:80
  690. 69.49.88.46:80
  691. 62.171.142.179:8080
  692. 217.20.166.178:7080
  693. 161.0.153.60:80
  694. 37.187.72.193:8080
  695. 190.240.194.77:443
  696. 5.2.212.254:80
  697. 200.116.145.225:443
  698. 98.109.133.80:80
  699. 75.113.193.72:80
  700. 115.94.207.99:443
  701. 109.116.245.80:80
  702. 123.176.25.234:80
  703. 120.150.218.241:443
  704. 50.91.114.38:80
  705. 180.222.161.85:80
  706. 186.74.215.34:80
  707. 95.9.5.93:80
  708. 64.207.182.168:8080
  709. 197.211.245.21:80
  710. 61.19.246.238:443
  711. 37.139.21.175:8080
  712. 181.171.209.241:443
  713. 185.201.9.197:8080
  714. 71.72.196.159:80
  715. 41.185.28.84:8080
  716. ```
  717. #### Epoch 2 - Spam C2s ####
  718. ```
  719. 165.227.170.254:7080
  720. 195.181.215.65:8080
  721. 167.114.122.37:80
  722. 137.74.119.116:8080
  723. 51.38.237.230:8080
  724. 219.94.242.134:8080
  725. 217.160.19.232:8080
  726. 95.215.46.191:8080
  727. ```
  728. #### Epoch 2 - Stealer C2s ####
  729. ```
  730. 167.99.105.11:8080
  731. 51.255.40.241:443
  732. 78.47.87.196:8080
  733. 159.65.222.75:8080
  734. 195.14.0.12:8080
  735. 87.106.225.180:8080
  736. 198.144.158.120:443
  737. 151.236.60.57:8080
  738. ```
  739. #### Current Epoch 2 RSA Public Key ####
  740. ```
  741. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS
  742. Q0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS
  743. fkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB
  744. ```
  745. ### Epoch 3 C2s ###
  746. ```
  747. 132.248.38.158:80
  748. 203.157.152.9:7080
  749. 157.245.145.87:443
  750. 110.37.224.243:80
  751. 70.32.89.105:8080
  752. 185.142.236.163:443
  753. 192.241.220.183:8080
  754. 91.83.93.103:443
  755. 54.38.143.245:8080
  756. 192.210.217.94:8080
  757. 37.205.9.252:7080
  758. 78.90.78.210:80
  759. 182.73.7.59:8080
  760. 163.53.204.180:443
  761. 91.75.75.46:80
  762. 172.104.46.84:8080
  763. 161.49.84.2:80
  764. 27.78.27.110:443
  765. 203.160.167.243:80
  766. 109.99.146.210:8080
  767. 120.51.34.254:80
  768. 203.56.191.129:8080
  769. 183.91.3.63:80
  770. 37.46.129.215:8080
  771. 188.226.165.170:8080
  772. 116.202.10.123:8080
  773. 223.17.215.76:80
  774. 198.20.228.9:8080
  775. 185.208.226.142:8080
  776. 68.133.75.203:8080
  777. 192.163.221.191:8080
  778. 46.105.131.68:8080
  779. 8.4.9.137:8080
  780. 2.82.75.215:80
  781. 178.62.254.156:8080
  782. 110.172.180.180:8080
  783. 175.103.38.146:80
  784. 201.212.61.66:80
  785. 190.19.169.69:443
  786. 143.95.101.72:8080
  787. 91.93.3.85:8080
  788. 139.59.12.63:8080
  789. 46.32.229.152:8080
  790. 195.159.28.244:8080
  791. 58.27.215.3:8080
  792. 202.29.237.113:8080
  793. 5.79.70.250:8080
  794. 103.93.220.182:80
  795. 75.127.14.170:8080
  796. 201.193.160.196:80
  797. 139.5.101.203:80
  798. 186.96.170.61:80
  799. 49.206.16.156:80
  800. 178.254.36.182:8080
  801. 157.7.164.178:8081
  802. 172.96.190.154:8080
  803. 172.193.14.201:80
  804. 203.153.216.178:7080
  805. 2.58.16.86:8080
  806. 186.146.229.172:80
  807. 117.2.139.117:443
  808. 113.161.176.235:80
  809. 190.85.46.52:7080
  810. 180.148.4.130:8080
  811. 50.116.78.109:8080
  812. 152.32.75.74:443
  813. 162.144.145.58:8080
  814. 74.208.173.91:8080
  815. 122.116.104.238:8443
  816. 178.33.167.120:8080
  817. 103.80.51.61:8080
  818. 65.32.168.171:80
  819. 190.18.184.113:80
  820. 24.230.124.78:80
  821. 103.229.73.17:8080
  822. 179.233.3.89:80
  823. 88.58.209.2:80
  824. 82.78.179.117:443
  825. 115.79.195.246:80
  826. 190.107.118.125:80
  827. 188.166.220.180:7080
  828. 79.133.6.236:8080
  829. 139.59.61.215:443
  830. 195.201.56.70:8080
  831. 201.163.74.204:80
  832. ```
  833. #### Epoch 3 - Spam C2s ####
  834. ```
  835. 162.214.68.171:8080
  836. 159.65.140.182:80
  837. 118.163.97.19:8080
  838. 37.48.84.223:8080
  839. 82.118.225.196:7080
  840. ```
  841. #### Epoch 3 - Stealer C2s ####
  842. ```
  843. 45.230.228.26:443
  844. 82.145.43.153:8080
  845. 195.159.28.229:7080
  846. 104.236.52.89:8080
  847. ```
  848. #### Current Epoch 3 RSA Public Key ####
  849. ```
  850. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ
  851. cMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j
  852. l32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB
  853. ```
  854. ## Credits and Notes Section ##
  855. ```
  856. WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch
  857. because they rock and report everything to ISPs as it is confirmed to be malware. Additionally,
  858. this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
  859. https://pastebin.com/u/jroosen
  860.  
  861. NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
  862. I am providing them for your benefit in case you want to parse them to be sure.
  863. ```
  864. ### What is Epoch 1, Epoch 2 and Epoch 3? ###
  865. ```
  866. (Updated 10/25/20)
  867.  
  868. We get a lot of questions about Epoch 1-3 and what they really mean. These are different botnets of Emotet with different
  869. infrastructure supporting them. I called them Epochs because they seemed to follow a different timeline and timescale of releases
  870. for updates. They do not share C2 infrastructure and they can behave independently. In general these are
  871. the rules governing Emotet's Botnets/Epochs:
  872.  
  873. 1. Each Epoch's loader carries a hard-coded list of up to 127 C2 combos (IP:port pairs). These Tier 1 C2s are never shared
  874. between Epochs: E1, E2 and E3 each have their own unique list of combos. (Usually updated once per day.)
  875.  
  876. 2. Module C2s are also unique per Epoch and are usually former C2 combos that were once published in the loader and are now dedicated
  877. to that Epoch's module (the spam and stealer C2s listed above). (Usually updated once per week.)
  878.  
  879. 3. Each Epoch embeds its own RSA public key, used to encrypt its C2 traffic and to decode/validate replies from that Epoch's C2 infrastructure.
  880. These keys are listed in the daily reports, so a key extracted with CAPE's excellent Emotet extraction module tells you which Epoch a sample is from.
  881.  
  882. 4. All Epochs will use a unique location for distribution downloads. You will never see the same directory on the same compromised
  883. distro tier 1 host used for a different botnet. e.g. host A may be used for distributing Emotet E1 loaders in directory /wp-fail/X/
  884. and you may also see E2 documents hosted out of /wp-sucks/Y/. You will never see E1-E3 use the root of X or Y again for another
  885. distro job to host loaders or docs for another botnet. (Note: a given distro directory will usually become abandoned and stop
  886. hashbusting after 48-72 hours from inception.)
  887.  
  888. 5. Spam from each Epoch will be used to add new bots to that Epoch. While there have been very rare exceptions or maybe even mistakes
  889. on the distro side, Epoch 1 spam will be used to create more Epoch 1 bots, Epoch 2 spam will be used to create more Epoch 2 bots and Epoch
  890. 3 spam will be used to create more Epoch 3 bots.
  891.  
  892. 6. Macro Documents from a given Epoch will always contain 5-8 URLs (Quintet, Sextet, Septet, Octet) as of 10/25/20 that download the loader for
  893. that same Epoch. (There have been very rare exceptions to this rule but in general this is the TTP.)
  894.  
  895. 7. Macro Documents from a given Epoch will have the same Creation Time for a given Quintet of URLs. This allows for quick identification
  896. of the origin of the document per Epoch. When the Creation Time metadata changes for a document, there is almost always a new quintet
  897. of loader URLs.
  898.  
  899. 8. Malspam Templates are usually unique to a given Botnet/Epoch. They may later be shared to the other Botnet/Epoch but at the time of
  900. the run, they are usually run on a single botnet. Example would be the Ransomware one from Friday 1/17/20 that was only on E3.
  901.  
  902. 9. Bots can be transferred from Epoch to Epoch and we have seen this over time. Normally it is done by deliberately dropping an EXE from another
  903. Epoch as the C2 update.
  904.  
  905. 10. Macro Document creation times usually change on Epoch 2 first and then shortly thereafter on E1 and E3. We believe E2 is
  906. really the primary botnet for Ivan/Emotet and they put changes on this botnet first.
  907.  
  908. ```
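Rule 3 is the one you can act on directly from this report: the public key is in the loader, so a key pulled from a sample is enough to attribute it to an Epoch. The following is an added example (not part of the original report and not CAPE's code) that parses the three keys listed in the RSA key sections above as DER SubjectPublicKeyInfo, reports modulus size and exponent, and maps an extracted key to E1/E2/E3 by fingerprint. The keys are copied from this report; the function and variable names are this example's own.

```python
import base64
import hashlib

# The three "Current Epoch N RSA Public Key" values from this report (base64 DER, wrapping removed).
EPOCH_KEYS = {
    "E1": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6"
          "uS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz"
          "6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB",
    "E2": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS"
          "Q0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS"
          "fkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB",
    "E3": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ"
          "cMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j"
          "l32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB",
}
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _tlv(buf, pos=0):
    """Read one DER tag-length-value starting at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(b64_key):
    """Parse a base64 SubjectPublicKeyInfo blob (the shape Emotet embeds) into modulus/exponent facts."""
    der = base64.b64decode("".join(b64_key.split()))  # tolerate the line wrapping used in the report
    tag, spki, end = _tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    _, alg_id, pos = _tlv(spki)                   # AlgorithmIdentifier { OID, NULL }
    oid_tag, oid, _ = _tlv(alg_id)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    bs_tag, bitstr, _ = _tlv(spki, pos)           # BIT STRING wrapping RSAPublicKey { n, e }
    if bs_tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa_pub, _ = _tlv(bitstr, 1)
    _, n_bytes, pos = _tlv(rsa_pub)
    _, e_bytes, _ = _tlv(rsa_pub, pos)
    modulus = int.from_bytes(n_bytes, "big")
    return {
        "bits": modulus.bit_length(),
        "exponent": int.from_bytes(e_bytes, "big"),
        "sha256": hashlib.sha256(der).hexdigest(),  # fingerprint of the raw DER, used for matching
    }


# Fingerprint -> Epoch, built once from the report's keys.
_FINGERPRINTS = {parse_rsa_spki(k)["sha256"]: epoch for epoch, k in EPOCH_KEYS.items()}


def epoch_for_key(b64_key):
    """Attribute a key extracted from a sample (for example by CAPE's Emotet module) to E1/E2/E3.

    Returns None for an unknown fingerprint: either that Epoch rotated its key since this
    report, or the sample is not Emotet from one of these three botnets.
    """
    return _FINGERPRINTS.get(parse_rsa_spki(b64_key)["sha256"])


if __name__ == "__main__":
    for epoch, key in EPOCH_KEYS.items():
        info = parse_rsa_spki(key)
        print(epoch, info["bits"], "bit modulus, e =", info["exponent"], "sha256:", info["sha256"][:16])
```

The keys are labelled "Current" in the report for a reason: refresh the table from the day's paste before attributing, and treat an unknown fingerprint as "new key or not Emotet" rather than as a parsing error.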
  909. ### Community Lists/Samples ###
  910. ```
  911.  
  912. (sorry if we miss anybody, make sure to send it to @cryptolaemus1 in your tweet and we will try to include it!)
  913. ```
  914. ### Credits ###
  915. ```
  916. Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:
  917.  
  918. Doc DL URLs - @devnullnoop, @executemalware, @zbetcheckin, Anonymous
  919.  
  920. C2 info/RSA Keys - @hatching_io, @CapeSandbox, @unixronin, @devnullnoop, @MalwareTechBlog, @lazyactivist192, @executemalware, Anonymous
  921.  
  922. Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @malware_traffic, @executemalware, @Paladin3161, @bomccss, Anonymous, @JAMESWT_MHT
  923. @reecdeep, @waga_tw
  924.  
  925. Spam Templates - @devnullnoop, @lazyactivist192, @proofpoint, Anonymous :)
  926.  
  927. We would like to thank the parts of the community that explicitly request to NOT be listed here. You know who you are! :)
  928. Special thanks to @lazyactivist192, @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk, @dms1899, @myrtus0x0 for creating scripts/servers/
  929. infrastructure and helping out with this!
  930.  
  931. Very special thanks to @hatching_io, @proofpoint, @unpacme, @herrcore, @seanmw, @Binary_Defense, @lazyactivist192, @capesandbox,
  932. @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey, @digitalocean, @mploessel,
  933. @anyrun_app, @unixronin, @hurricanelabs, @MalwareTechBlog, @KryptosLogic, @0xtadavie, @MsftSecIntel, @abuse_ch/urlhaus.abuse.ch,
  934. @urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal for providing services/software at no charge to this cause!
  935. ```
  936. ### Daily Log ###
  937. ```
  938. This report was gathered by @JRoosen and @ps66uk:
  939.  
  940. @JRoosen here - Well, it looks like something broke on the backend for Ivan, and while things looked good on E3 in the morning UTC time, it quickly
  941. unraveled for the tools over at EmotetHQ. Whatever happened, we saw hashbusting break on all 3 botnets and the next binary they probably were
  942. going to hashbust did not come down. Also, it seemed like Ivan had issues getting the spam cannons to fire after this point, or maybe felt
  943. it was just not worth it to try since distro for the DLLs was not hashbusting. Whatever the case, it was a short day for us with little to cover.
  944. We saw E1 stop spamming around 05:00 UTC and E2 even earlier, near 03:00 UTC. E3 was more robust and even had 2 more docs, with a special
  945. German (DE) Office template being used again as it was run in tandem with the iOS-based template in English. All of this stopped around 08:30 UTC.
  946. We saw activity today which seemed like maybe the botnet was still trying to spam, but it was primarily on E2. Even at the time of this
  947. report, still nothing is spamming.
  948.  
  949. ```
  950. #### Emotet Domain Bucket ####
  951. ```
  952. Created a pastebin of all domains used from 08/14/20+: This is sort of like the Emotet Hash Bucket, but it is all domains used
  953. for distro by Emotet, either Doc or Exe downloads. They are piled together and deduped for blocking on the DNS platform of
  954. your choice. CAUTION - Use at your own risk! While every effort is made to make this data valid, there is always a chance of a mistake,
  955. or of one of these compromised sites actually being used legitimately.
  956.  
  957. 171 recorded domains today used in Emotet distro. 141 of those were determined to be unique.
  958. The previous total was 10,630 unique domains and this brings us up to 10,771 domains used since 8/14/20.
  959.  
  960. UPDATE (2021/01/20): For some silly reason, pastebin won't let me update the previous post here anymore so this is now frozen in time:
  961. https://pastebin.com/raw/u8avFVD6
  962.  
  963. Therefore the new home of this content is here:
  964. https://paste.cryptolaemus.com/dbucket/
  965.  
  966. Note: They started to use enough IPs that I figured I would just keep them in the list here because they are being used in URLs directly
  967. versus the FQDN (if one even exists).
  968. Over time you can see a lot of reuse with these domains at a rate of at least 1/2 per day. New domains seem to slow down by Thursday
  969. and Friday there is a lot of reuse! If you need a reason to justify blocking these domains once they are used for Emotet, here it is.
  970. ```
  971. #### Emotet Hash Bucket ####
  972. ```
  973. Updated bucket today for 2021/01/12+ until the end of 2021/01/20 which includes loader hashes from the 14th/15th. Total hashes are now
  974. 24,734 and this means we added another 12,489 hashes today.
  975.  
  976. Bucket for 2021/01/12+:
  977. https://pastebin.com/raw/0w79H0B5
  978.  
  979. Note - Every time it gets close to 64k hashes, pastebin seems to have issues dealing with it.
  980. We are also looking for a better solution to this rather than Pastebin. Stay tuned.
  981. ```
  982. ### General News ###
  983. ```
  984. News in general and by region:
  985.  
  986. Basically we have a few reports from early in the morning of some spamming and then subsequent reports of the lack of spam all day. :)
  987.  
  988. Update on the Sekoia.FR incident with an Emotet Infection:
  989. https://twitter.com/sekoia_fr/status/1352245726697414656
  990.  
  991. @ffforward once again had one of the earliest reports this morning and we concur that E3 was heavy until it went tits up.
  992. https://twitter.com/ffforward/status/1352161123206909953
  993.  
  994. CL:
  995. https://twitter.com/CSIRTGOB/status/1352378186273701889
  996.  
  997. DE:
  998. https://twitter.com/neoxmorpheus1/status/1352387173128036352
  999.  
  1000. DK:
  1001. https://twitter.com/ffforward/status/1352216560493096962
  1002.  
  1003. ES:
  1004. This one is interesting because it is #Mekotio but is similar to Emotet:
  1005. https://twitter.com/dgarcianet/status/1352235429160955904
  1006.  
  1007. IT:
  1008. https://twitter.com/VirITeXplorer/status/1352169065046040576
  1009. https://twitter.com/nicolaferrini/status/1352327110262546433
  1010.  
  1011. JP:
  1012. https://twitter.com/abel1ma/status/1352123122363768834
  1013. https://twitter.com/abel1ma/status/1352144654418939905
  1014. https://twitter.com/bomccss/status/1352282113605660673
  1015. https://twitter.com/bomccss/status/1352398894018088960
  1016. https://twitter.com/gorimpthon/status/1352213861449957379
  1017. https://twitter.com/satontonton/status/1352200872483201025
  1018.  
  1019. NZ:
  1020. https://twitter.com/phage_nz/status/1352486750011023364
  1021.  
  1022. US:
  1023. https://twitter.com/malware_traffic/status/1352252367929008128
  1024. https://twitter.com/ScarletSharkSec/status/1352264786747281412
  1025. https://twitter.com/ScarletSharkSec/status/1352271976769986562
  1026. ```
  1027. ### Drops Report ###
  1028. ```
  1029. IQTZ (IcedID/Qakbot/Trickbot/Zloader)
  1030.  
  1031. IcedID/BokBot - Not heard of any dropping yet from Emotet.
  1032.  
  1033. Qakbot - Not heard of any dropping yet from Emotet.
  1034.  
  1035. Trickbot - We only heard of reports of gtag mor1 being dropped. Once again Brad over at @malware_traffic posted his excellent notes:
  1036. https://twitter.com/malware_traffic/status/1352312552601038850
  1037.  
  1038. Zloader - Not heard of any dropping yet from Emotet.
  1039. ```
  1040. ### Email Template Report ###
  1041. ```
 1042. E3 was basically attachments only and a little bit of Operation Zip Lock before it died around 08:30 UTC.
  1043.  
  1044. Update on Operation Zip Lock 2021/01/12
  1045.  
 1046. I am sure by now you have all seen the captcha-based Emotet Operation Zip Lock (password-protected ZIP). We broke that story yesterday
 1047. concerning this new tactic, but it seems to have been used with only a few templates for reply-chain type emails and wasn't very dynamic.
 1048. Most of the samples I saw actually had the same password of "28ivw" or "k4ez". This behavior was only seen on E3 but
  1049. was a significant portion of the spam on E3 for both the 12th and the 13th. We believe this was an attempt to throw another curveball
  1050. at our automation to break open these files and report the payloads ASAP. Also as noted in the news, it seemed to be a curveball for
  1051. other detection/defense systems for mail scanning. This was likely a test run before Ivan changes over the code to be more dynamic.
  1052. Well played Ivan but in this way you also made them easier to identify with the crappy captcha. We will watch for new versions
  1053. of this behavior and advise appropriately.
  1054.  
  1055. Update on Operation Zip Lock 2021/01/05:
  1056.  
  1057. All three of the botnets saw some Operation Zip Lock action too but E1 was all password protected ZIPs all day. We also started to see
  1058. some new wording in the spam templates and @Slayelele reported this to us also. Usually the Italian version of the Emotet malspam would
  1059. give the password with the phrase "Password archivio: [0-9]{3,5}" but we started to see today a different format of the following:
  1060. ___________
  1061. File di archivio allegato all'email:
  1062. Parola d'ordine: 82999
  1063. ___________
  1064. File di archivio allegato all'email:
  1065. Parola d'ordine: NCPUCAXTVB
  1066. ___________
  1067.  
 1068. Indeed, even the English variants of the Operation Zip Lock malspam were showing up with new passwords and wording:
  1069.  
  1070. Examples:
  1071. ___________
  1072. Archive file attached to email: Invoice Oc09269510.zip
  1073. Password: AOLNYE
  1074. ___________
  1075. Zip file attached to email: Report J279304187/05-01-2021.zip
  1076. Password: 821YR1VALX
  1077. ___________
  1078. These new variants were seen on E3. I will work on more REGEX for these and publish later.
  1079.  
  1080.  
  1081. As promised here are some facts we have gathered on Operation Zip Lock: (Most of this was the same today 12/21/20+)
  1082.  
  1083. Operation Zip Lock is essentially password protected zips being attached to Emotet Malspam in some of the templates that are
  1084. used to spam Emotet. This tactic has evolved over time but was seen starting in at least the first half of 2019. In general,
  1085. these are usually only some of the attachment based malspams at any given time. Here are some general facts about this template:
  1086.  
 1087. 1. By far, this tactic is used most to target Japan, and most often on E3 (at least until mid-September).
  1088.  
  1089. 2. We are seeing templates in at least Dutch/English/French/German/Italian/Japanese
  1090.  
 1091. 3. The passwords in the Japanese templates are usually enclosed in brackets and are alphanumeric, matching the regex [0-9a-zA-Z]{6,10} (the examples below use the slightly looser [0-9a-zA-Z]{5,10})
  1092.  
 1093. 4. The passwords in the English templates are usually just numeric from what we have seen, matching the regex [0-9]{3,5} (though the English examples below also include alphanumeric ones)
  1094.  
  1095. 5. The passwords are in the body of the emails and have been seen with the following phrasing before it:
  1096.  
 1097. Japanese Examples (quoted-printable as seen in the raw mail; =E3=83=91=E3=82=B9=E3=83=AF=E3=83=BC=E3=83=89 decodes to パスワード and =EF=BC=9A to a full-width colon):
  1098. "=E3=83=91=E3=82=B9=E3=83=AF=E3=83=BC=E3=83=89=EF=BC=9A[GGE60fmI]" - This is the more complex series with [0-9a-zA-Z]{5,10}
  1099. "=E3=83=91=E3=82=B9=E3=83=AF=E3=83=BC=E3=83=89=EF=BC=9AUIzBZxV5v" - seeing some now without brackets [0-9a-zA-Z]{5,10}
  1100. "=E3=83=91=E3=82=B9=E3=83=AF=E3=83=BC=E3=83=89: 13948" - This series has a regex that is pure numbers [0-9]{3,5}
  1101.  
  1102. Italian Example: - From @JAMESWT_MHT https://twitter.com/JAMESWT_MHT/status/1308725036606533637
  1103. "Password Archivo: 0231" - This series has a regex that is pure numbers [0-9]{3,5}
  1104. Another Italian example from @jcgarciagamero https://twitter.com/jcgarciagamero/status/1309406482467901443
  1105. "Password Archivo: 5375"
  1106.  
  1107. German Example: - From @neoxmorpheus1 https://twitter.com/neoxmorpheus1/status/1308881983511109633
  1108. "Passwort: aLybP7nqNb" - This is the more complex series with [0-9a-zA-Z]{5,10}
  1109.  
  1110. French Examples:
  1111. "Mot de passe: 4397809869" - This is the more complex series with [0-9a-zA-Z]{5,10}
  1112. "Mot de passe: 7447"
  1113.  
  1114. English Examples:
  1115. "Archive pass: 8578" - This series has a regex that is pure numbers [0-9]{3,5}
  1116. Encrypted zip file attached to email:
  1117. "The password for the document is LQWMFXu" -This is the more complex series with [0-9a-zA-Z]{5,10}
  1118. "The file is password protected - p6z88n0K" -This is the more complex series with [0-9a-zA-Z]{5,10}
  1119. "Password: th5cs3rHf"
  1120. "Password for ZIP:"
  1121. "Zip file attached to email: Very urgent information from 24-09-2020.zip"
  1122.  
  1123. 6. The password is reused for many users and is static in groups.
  1124.  
  1125. 7. These are seen on E1-E3 as of last week but this has primarily been used on E3 and E2.
  1126.  
 1127. 8. One other thing to note is that the documents inside the ZIP are no different (other than being hashbusted) from the ones in
 1128. that Epoch's unzipped spam at the same time. That is to say, they will have the same creation/modification time in the metadata and the same
 1129. septet of payload URLs in the macro.
  1130.  
  1131. 9. On 09/23/20 - ~9%-12% of total emails sent on E1/E2/E3 had attachments that were .zip.
  1132.  
 1133. 10. The file names vary widely and I would not be confident blocking on this alone. I have seen everything from just form.zip to
 1134. GER-2984537-DOCUMENT-09-23-20.zip and everything in between.
  1135.  
 1136. 11. We have heard of and seen numerous incidents where the password was wrong and just didn't work.
  1137. ___________
  1138.  
  1139. Paul's Boutique of Documents:
  1140. includes distro and urlhaus report time
  1141.  
  1142. E* Created Primary_Domain Distro Urlhaus Template
  1143.  
  1144. E1
  1145. E2
  1146. E3 2021:01:21 07:19:00 amojo.org 07:36 ios_enable_editing
  1147. E3 2021:01:21 07:44:00 deshbangla71news.com 08:54 msword_de
  1148.  
  1149. ---
  1150. notes
  1151.  
  1152. See tweets for examples, we almost always provide samples in those tweets.
  1153.  
  1154. ```
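The Operation Zip Lock facts above (the phrases that sit in front of the password, the [0-9]{3,5} and [0-9a-zA-Z]{5,10} shapes, the quoted-printable Japanese header, and the note that the password is sometimes simply wrong) are enough to automate what the report calls breaking open these files. The following is an added example, not code from the Cryptolaemus team: it pulls password candidates out of a mail body and tries each one against the attached ZIP with Python's zipfile. Because zipfile can read ZipCrypto archives but cannot write them, the block also hand-builds one encrypted archive as a constructed test fixture; the sample body text is constructed from the examples above, and every name in the block is this example's own.

```python
import io
import quopri
import re
import struct
import zipfile
import zlib

# Phrases this report lists in front of the password. "パスワード" is what the quoted-printable
# "=E3=83=91=E3=82=B9=E3=83=AF=E3=83=BC=E3=83=89" in the Japanese examples decodes to.
_COLON_PHRASES = ["Password Archivo", "Password archivio", "Password for ZIP", "Parola d'ordine",
                  "Archive pass", "Mot de passe", "Passwort", "Password", "パスワード"]
_BARE_PHRASES = ["The password for the document is", "The file is password protected -"]
# The two shapes from the report: alphanumeric [0-9a-zA-Z]{5,10} or digits only [0-9]{3,5},
# optionally wrapped in [] as the Japanese templates do; ':' or full-width '：' (U+FF1A) separates.
_PW_RE = re.compile(
    r"(?:(?:" + "|".join(map(re.escape, _COLON_PHRASES)) + r")\s*[:\uff1a]|"
    + "|".join(map(re.escape, _BARE_PHRASES)) + r")"
    r"\s*\[?([0-9a-zA-Z]{5,10}|[0-9]{3,5})\]?(?![0-9a-zA-Z])")


def extract_candidates(raw_body):
    """Password candidates from a mail body, in order of appearance; quoted-printable is decoded first."""
    text = quopri.decodestring(raw_body.encode("utf-8")).decode("utf-8", "replace")
    found = []
    for m in _PW_RE.finditer(text):
        if m.group(1) not in found:
            found.append(m.group(1))
    return found


def try_passwords(zip_bytes, candidates):
    """Try each candidate against every entry; return (password, {name: data}) or None.

    A wrong password almost always fails zipfile's 12-byte header check (RuntimeError); the rare
    one that slips past it fails the CRC check instead (BadZipFile). Both just mean "next".
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        for pw in candidates:
            try:
                contents = {n: zf.read(n, pwd=pw.encode()) for n in names}
            except (RuntimeError, zipfile.BadZipFile):
                continue
            return pw, contents
    return None


# Constructed fixture: zipfile reads ZipCrypto but cannot write it, so build one entry by hand.
def _crc_table():
    table = []
    for n in range(256):
        for _ in range(8):
            n = (n >> 1) ^ 0xEDB88320 if n & 1 else n >> 1
        table.append(n)
    return table


_CRCTAB = _crc_table()


def _zipcrypto_encrypt(data, password):
    """PKWARE traditional encryption; the inverse of what zipfile's decrypter does."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890

    def update(ch):
        nonlocal k0, k1, k2
        k0 = _CRCTAB[(k0 ^ ch) & 0xFF] ^ (k0 >> 8)
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = _CRCTAB[(k2 ^ (k1 >> 24)) & 0xFF] ^ (k2 >> 8)

    for ch in password:
        update(ch)
    out = bytearray()
    for ch in data:
        t = (k2 | 2) & 0xFFFF
        out.append(ch ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(ch)  # the key stream is driven by the plaintext byte
    return bytes(out)


def build_zipcrypto_zip(name, data, password):
    """One stored, ZipCrypto-encrypted entry; local/central/EOCD headers written by hand (flag bit 0 = encrypted)."""
    crc = zlib.crc32(data)
    # 12-byte encryption header; its last byte must be the CRC's high byte or the password check fails.
    body = _zipcrypto_encrypt(bytes(range(11)) + bytes([crc >> 24]) + data, password.encode())
    fname = name.encode()
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0x21,
                        crc, len(body), len(data), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 0x21,
                          crc, len(body), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd


if __name__ == "__main__":
    body = "Zip file attached to email: Report J279304187/05-01-2021.zip\nPassword: 821YR1VALX\n"
    archive = build_zipcrypto_zip("form.doc", b"constructed stand-in for a macro document", "821YR1VALX")
    print(try_passwords(archive, extract_candidates(body)))
```

Feed the opened document straight into the same pipeline that handles the unzipped attachments, since fact 8 above says it carries the same metadata and the same payload URLs. A None result is worth keeping too: fact 11 says broken passwords happen, and those mails are still Emotet.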
  1155. ### Link Regex Report ###
  1156. ```
  1157. (These are experimental, use at your own risk.)
 1158. (Also keep in mind, your filter needs to look inside PDF files to find the URI to test against these regexes. Otherwise
 1159. this does not help.)
  1160.  
 1161. Update (2021-01-20): I am going to refresh this once we get more URLs and cut it down some to cover the new E2 URLs.
  1162.  
 1163. New (2020/10/27): new stuff today and I tried to take a stab at it, but it is ugly. They work but have not been tested for problems and false positives. Use
 1164. at your own risk! I have this in a large rule with layered allow-list exceptions, so I recommend deploying it with something like that.
  1165.  
 1166. IMPORTANT: Make sure to make these one line, because carriage returns were added to break them up so they don't break RSS. Also you may or may
 1167. not want to use (\"|\n) at the end depending on what you see.
  1168.  
  1169. ```
  1170. #### E1 New ####
  1171. ```
  1172. https?:\/\/.+?\/(([0-9]{1,2})|acanthite|addons|admin|.+\_ANTIGO|app(s?|\-krog)|arq|aspnet_client|assets|attachments?|avisos|blockman|.+\-button|carchi|
  1173. categoryl|.+\_chat|cgi-bin|codepay|complainingness|.+\.com|.+\-connection|content|COPYRIGHT|css|cuim|customerl|.+-data|Document(ation)?|(docs?|DOCS?)|
  1174. .+\-designs|engl|eleicao|.+codeofethics|esp|eTrac|example|extensionl|fal|feedback|(FILE|file)|fill|filterl|fonts?|framework|.+\-forms?|generationman|
  1175. gennew|.+\-handle|hotelinfo|images|.+\-images|img|INC|index(ing)?|.+_files|install-package|invoice|js|.+\.link|.+login|LLC|lm|logo|mas|military|music|
  1176. network|.+\.net|novy|OCT|Overview|Pages|paclm|parts_service|piwigo|plugins|.+\-power|powershell-get|processing|property|.+Proxy|public|public_html
  1177. |(R|r)eport(s|ing)?|Sandbox|Scan|securityl|sites?|sitepages?|sys-cache|teachers?|test|uploads?|.+\-unblocked|unpredictable|vendor|wordpress|wp.*
  1178. |.+\-z71)\/([A-Za-z0-9]{4,18}\/)?(([A-Za-z0-9]{1,70})\/)(\"|\n)
  1179.  
  1180. New from @aristoteles42 - (http(s)?:\/\/.+?\/(.+?\/)?){2}
  1181. #1 aggressive - http(s)?\:\/\/[^\s]+\/http
  1182. #2 less aggressive - \/http(s)?\:\/\/(attachments|browse|Documentation|docs|esp|eTrac|lm|paclm|Pages|parts_service|parts_service|public|
  1183. Overview|Pages|Reporting|Scan|sites|[0-9A-Z]{3,13})\/
  1184.  
  1185. ```
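To use the E1 New rule the way the IMPORTANT note above says, the wrapped lines have to be rejoined into one expression and the (\"|\n) tail has to be satisfied by whatever terminates your extracted URIs. The following is an added example, not the author's own deployment: it rebuilds the rule from the wrapped text as it appears above, layers an allow list in front of it as the note recommends, and runs it over a few constructed URLs (example.* hosts, not IOCs from this report). The allow-list semantics (exact host or a subdomain of it) and all names are this example's own.

```python
import re
from urllib.parse import urlparse

# The "E1 New" rule exactly as wrapped above. The author broke it across lines to keep RSS
# working; splitlines()/strip() below puts it back together into one expression.
_E1_NEW_WRAPPED = r"""
https?:\/\/.+?\/(([0-9]{1,2})|acanthite|addons|admin|.+\_ANTIGO|app(s?|\-krog)|arq|aspnet_client|assets|attachments?|avisos|blockman|.+\-button|carchi|
categoryl|.+\_chat|cgi-bin|codepay|complainingness|.+\.com|.+\-connection|content|COPYRIGHT|css|cuim|customerl|.+-data|Document(ation)?|(docs?|DOCS?)|
.+\-designs|engl|eleicao|.+codeofethics|esp|eTrac|example|extensionl|fal|feedback|(FILE|file)|fill|filterl|fonts?|framework|.+\-forms?|generationman|
gennew|.+\-handle|hotelinfo|images|.+\-images|img|INC|index(ing)?|.+_files|install-package|invoice|js|.+\.link|.+login|LLC|lm|logo|mas|military|music|
network|.+\.net|novy|OCT|Overview|Pages|paclm|parts_service|piwigo|plugins|.+\-power|powershell-get|processing|property|.+Proxy|public|public_html
|(R|r)eport(s|ing)?|Sandbox|Scan|securityl|sites?|sitepages?|sys-cache|teachers?|test|uploads?|.+\-unblocked|unpredictable|vendor|wordpress|wp.*
|.+\-z71)\/([A-Za-z0-9]{4,18}\/)?(([A-Za-z0-9]{1,70})\/)(\"|\n)
"""
E1_NEW = re.compile("".join(line.strip() for line in _E1_NEW_WRAPPED.splitlines()))

# Constructed sample input (example.* hosts, not IOCs): one extracted URI per line.
SAMPLE_URIS = """\
http://example.com/wp-content/AbCd1234/
http://example.org/cgi-bin/e3QCCn/
https://intranet.example.com/wp-admin/KxPuFj09V77nrVkj6S7VS/
http://example.net/index.html
https://example.net/docs/
"""


def flag_urls(text, allowlist=()):
    """Return the URIs in text (one per line) that match E1_NEW and are not allow-listed.

    The allow list is checked first, as the author recommends layering exceptions in front of
    the rule; a host is excepted if it equals an entry or is a subdomain of one.
    """
    hits = []
    for line in text.splitlines():
        url = line.strip()
        if not url:
            continue
        host = (urlparse(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in allowlist):
            continue
        # The rule ends in (\"|\n); feeding the newline form means a bare URI still qualifies.
        if E1_NEW.search(url + "\n"):
            hits.append(url)
    return hits


if __name__ == "__main__":
    for url in flag_urls(SAMPLE_URIS, allowlist=("example.com",)):
        print("E1 New hit:", url)
```

Note what the rule does and does not require: a recognised first path component (or one of the .+ wildcards) followed by at least one more slash-terminated component, so https://example.net/docs/ is not enough to fire, while any wp.* directory with a second component is. That breadth is why the author keeps it behind allow-list exceptions.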
#### E1 OLD ####
```
@aristoteles42 E1 Regex #1:
http(s)?:\/\/.+?\/((en|public|default|gallery|upgrade|uploads|download)|(((available|closed|common|individual|multifunctional|open|personal|
private|protected|test|verifiable)|([a-zA-Z0-9]{3,16}[-_][a-zA-Z0-9]{3,16}))[-_]((area|array|box|disk|module|resource|section|sector|zone)|
([a-zA-Z0-9]{3,16}[-_][a-zA-Z0-9]{3,16}))))\/(.+\/)?\s

@aristoteles42 E1 Regex #2:
http(s)?:\/\/.+\/(([a-zA-Z0-9]{3,16}[-_][a-zA-Z0-9]{3,16})|(((additional|close|corporate|external|guarded|individual|interior|
multifunctional|open|security|special|test|verifiable|verified)|([a-zA-Z0-9]{3,16}[-_][a-zA-Z0-9]{3,16}))[-_]((area|box|cloud|forum|module|
portal|profile|sector|space|warehouse)|([a-zA-Z0-9]{3,16}[-_][a-zA-Z0-9]{3,16}))))\/.+?\/\s

Karttoon's E1:
(?:http(s)?:\/\/)?(?:[^\x2F]+\/)+(((available|open|closed?|common|multifunctional|personale?|speciali?|privat(e|a)|test|additional|security|
inter(ior|nal|ni)|individuale?|verifi(ed|able|cabile)|guarded|external|protected|disponibile|corporate|multifunzionale|contestee|aggiuntiva|
chiusi|disponibile|sicurezza|custodito|aperto|comune|verificato)[_-]([a-zA-Z0-9]{3,16}[_-][a-zA-Z0-9]{4,15})\/)|(([a-zA-Z0-9]{2,16}[_-]
[a-zA-Z0-9]{4,16})[_-](resource|content|box|disk|sector|modul(e|o)|array|cloud|warehouse|forum|space|portale?|profil(e|o)|zon(e|a)|area|marketing|
spazio|allineamento|module|disco|settore|sezione|risorsa)\/)|((available|open|closed?|common|multifunctional|personale?|speciali?|
privat(e|a)|test|additional|security|inter(ior|nal|ni)|individuale?|verifi(ed|able|cabile)|guarded|external|protected|disponibile|corporate|
multifunzionale|contestee|aggiuntiva|chiusi|disponibile|sicurezza|custodito|aperto|comune|verificato)[_-](resource|content|box|disk|sector|
modul(e|o)|array|cloud|warehouse|forum|space|portale?|profil(e|o)|zon(e|a)|area|marketing|spazio|allineamento|module|disco|settore|sezione|
risorsa)\/)|([a-zA-Z0-9]{4,14}[_-][a-zA-Z0-9]{5,16}[_-][a-zA-Z0-9]{3,13}[_-][a-zA-Z0-9]{2,16}\/)){2}([a-zA-Z0-9]{3,16}[_-][a-zA-Z0-9]{3,14}|
[a-zA-Z0-9]{9})(\/)$
```
#### E2 New ####
```
This is just a pared-down E1 version:

https?:\/\/.+?\/(([0-9]{1,2})|acanthite|addons|admin|.+\_ANTIGO|app(s?|\-krog)|arq|aspnet_client|assets|avisos|.+\-button|carchi|categoryl|.+\_chat|
cgi-bin|codepay|complainingness|.+\.com|.+\-connection|content|css|cuim|customerl|.+-data|.+\-designs|engl|eleicao|.+codeofethics|example|extensionl|
fal|feedback|fill|filterl|fonts?|framework|.+\-forms?|generationman|gennew|.+\-handle|hotelinfo|.+\-images|img|index(ing)?|.+_files|install-package|
invoice|js|.+\.link|.+login|logo|mas|military|music|network|.+\.net|novy|piwigo|plugins|.+\-power|powershell-get|processing|property|.+Proxy|
public_html|reports?|Sandbox|sitepages?|sys-cache|teachers?|test|uploads?|.+\-unblocked|unpredictable|vendor|wordpress|wp.*|.+\-z71)\/
([a-z0-9]{4,18}\/)?(([A-Za-z0-9]{1,70})\/)(\"|\n)

```
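The E2 New regex above, joined back into one line and run in Python, together with @aristoteles42's "#1 aggressive" nested-URL rule from the E2 section. This is an added example, not part of the Cryptolaemus paste and not one of their tools. The hostnames and path tokens in `SAMPLE` are constructed, and `normalise`, `find_downloader_urls` and `find_nested_urls` are names chosen here. One caveat the pattern itself imposes: it ends in `(\"|\n)`, so the input has to be one URL per line with LF line endings and a trailing newline, or a quoted string; the helper enforces the newline form.

```python
import re

# Epoch 2 "New" downloader-URL regex from the paste above, joined back into one
# line (the paste wraps it for readability only). Copied verbatim; the raw-string
# pieces are just line continuations.
E2_NEW = re.compile(
    r'https?:\/\/.+?\/(([0-9]{1,2})|acanthite|addons|admin|.+\_ANTIGO|app(s?|\-krog)|arq|'
    r'aspnet_client|assets|avisos|.+\-button|carchi|categoryl|.+\_chat|cgi-bin|codepay|'
    r'complainingness|.+\.com|.+\-connection|content|css|cuim|customerl|.+-data|.+\-designs|'
    r'engl|eleicao|.+codeofethics|example|extensionl|fal|feedback|fill|filterl|fonts?|'
    r'framework|.+\-forms?|generationman|gennew|.+\-handle|hotelinfo|.+\-images|img|'
    r'index(ing)?|.+_files|install-package|invoice|js|.+\.link|.+login|logo|mas|military|'
    r'music|network|.+\.net|novy|piwigo|plugins|.+\-power|powershell-get|processing|'
    r'property|.+Proxy|public_html|reports?|Sandbox|sitepages?|sys-cache|teachers?|test|'
    r'uploads?|.+\-unblocked|unpredictable|vendor|wordpress|wp.*|.+\-z71)\/'
    r'([a-z0-9]{4,18}\/)?(([A-Za-z0-9]{1,70})\/)(\"|\n)'
)

# @aristoteles42's "#1 aggressive" rule: a URL whose path carries a second URL.
NESTED_URL = re.compile(r'http(s)?\:\/\/[^\s]+\/http')


def normalise(text: str) -> str:
    """The paste's regexes terminate on a double quote or a newline, so a URL on
    the last line with no trailing newline, or CRLF-terminated input, is
    silently missed. Rewrite both into the LF-terminated form the regex expects."""
    text = text.replace("\r\n", "\n")
    return text if text.endswith("\n") else text + "\n"


def find_downloader_urls(text: str) -> list:
    """Every URL in text that matches the E2 New pattern, terminator stripped."""
    return [m.group(0).rstrip('"\n') for m in E2_NEW.finditer(normalise(text))]


def find_nested_urls(text: str) -> list:
    """Every line of text that embeds a second URL (the aggressive rule)."""
    return [line for line in normalise(text).splitlines() if NESTED_URL.search(line)]


# Constructed sample input (not from the paste): hostnames and path tokens are
# made up. The last line deliberately has no trailing newline.
SAMPLE = (
    "https://corp.invalid/images/logo.png\n"                   # benign: a file, not a directory
    "http://corp.invalid/wp-content/Rm7Aq3xZ/\n"               # hits via the wp.* alternative
    "https://corp.invalid/js/app.js\n"                         # benign: js/ but no directory token
    "http://corp.invalid/redirect/https://other.invalid/x/\n"  # only the nested-URL rule fires
    "http://shop.corp.invalid/cgi-bin/k9pwqz/"                 # hits via cgi-bin, no newline
)

if __name__ == "__main__":
    for url in find_downloader_urls(SAMPLE):
        print("E2 downloader:", url)
    for line in find_nested_urls(SAMPLE):
        print("nested URL:   ", line)
```

The `wp.*` and `.+\.com` alternatives cast a wide net, and every `.+` alternative rescans the rest of the line, so this is meant for extracted URL lists (maldoc strings, the day's downloader list), not raw proxy logs; hits still need triage against the list above. Note also that the nested-URL sample is not caught by E2 New at all, which is why the two rules are kept side by side.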
#### E2 OLD ####
```

OLD:
https?:\/\/.+?\/(addons|admin|attachments|balance|browse|calendar|Document|Documentation|DOC|docs|esp|eTrac|FILE|INC|invoice|index_files|LLC|
lm|network|parts_service|payment|OCT|Overview|Pages|paclm|public|public_html|report|Reporting|Scan|sites|
statement|swift|system|test|uploads|vendor|wp|wp-(admin|content|includes))\/([a-z0-9]{4,18}\/)?(([a-z0-9]{19,56})\/)?(\"|\n)

https?:\/\/.+?\/(addons|attachments|balance|browse|calendar|Document|Documentation|DOC|docs|esp|eTrac|FILE|INC|invoice|index_files|LLC|lm|
network|parts_service|payment|OCT|Overview|Pages|paclm|public|public_html|report|Reporting|Scan|sites|statement|swift|system|test|uploads|
vendor|wp-(admin|content|includes))\/([a-z0-9]{4,18}\/)?(([a-z0-9]{5,15})\-([0-9]{2,9})\-([a-zA-Z0-9]{8,20})\/)?(\"|\n)

https?:\/\/.+?\/(addons|attachments|balance|browse|calendar|Document|Documentation|DOC|docs|esp|eTrac|FILE|INC|invoice|index_files|LLC|lm|
network|parts_service|OCT|Overview|Pages|paclm|public|public_html|report|Reporting|Scan|sites|statement|swift|system|test|uploads|wp-(admin|
content|includes))\/([a-zA-Z0-9]{4,18}\/){0,2}?(([a-zA-Z0-9]{1,12})\-([0-9]{3,10})\-([0-9]{2,10})\-([a-zA-Z0-9]{4,12})\-
([a-zA-Z0-9]{4,12})\/)?(\"|\n)
TwpJ8d5vVZeLJM8u9K1ztUOVsR1Waxkk1Fp73jxGIo3HP3ndrB3pfg1pdtLW2LEEIhiWfN
```
#### E3 New ####
```

https?:\/\/.+?\/((.+\.com)|addons|admin|attachments|balance|bin|(_)?borders|browse|calendar|cgi-bin|css|dev|Document|Documentation|DOC|docs|
dup-installer(\-)?|esp|eTrac|FILE|form|(inc|INC)|images|_installation|intro|invoice|index_files|journal|LLC|lm|momo|network|(oct|OCT)|open_zone|
Overview|Pages|payment|paclm|photos|parts_service|photo|public|public_html|report|Reporting|Sales|Scan|sendlogin|sites|statement|swift|sys-cache|
system|temp|test|turismo|uploads|WordPress(_02)?|wp|wp-(admin|content|includes))\/([0-9]{4,17}\/){0,2}?(([a-zA-Z]{2,12})|
(([a-z0-9]{1,13})\-([0-9]{2,12})))\/(\"|\n)

```
#### E3 OLD ####
```

https?:\/\/.+?\/((.+\.com)|addons|admin|attachments|balance|bin|(_)?borders|browse|calendar|cgi-bin|css|dev|Document|Documentation|DOC|docs|
dup-installer(\-)?|esp|eTrac|FILE|form|INC|images|_installation|intro|invoice|index_files|journal|LLC|lm|network|OCT|open_zone|Overview|
Pages|paclm|photos|parts_service|public|public_html|report|Reporting|Sales|Scan|sites|statement|swift|sys-cache|system|temp|test|turismo|
uploads|WordPress(_02)?|wp|wp-(admin|content|includes))\/([0-9]{4,17}\/){0,2}?(([a-zA-Z]{2,10})|(([a-z0-9]{1,13})\-([0-9]{2,12})))\/(\"|\n)

https?:\/\/.+?\/(_old|ABOUT|AdminPanel|backup|calendar|captchacache|cgi-bin|cloud|cpnl|css|Documentation|engl?|fancybox|fonts|images|media|
oauth|pub|report|Register|scripts|setup|sys-cache|test|tmp|tr|us|web|wp(scripts)?|wp-(admin|content|includes))\/([A-Za-z0-9\-]{2,7})\/(\"|\n)

https?:\/\/.+?\/([A-Za-z0-9\-\_]{2,13})\/(([0-9a-z]{2,7}\-[0-9a-z]{2,7}\-[0-9a-z]{2,7}\/){1,2})(\"|\n)

```
### Loader Report ###
```
The Payloads and C2 reports have been combined into this section, which is now known as the Loader Report.
_____________
E1
Distro_UTC Bytes Compile SHA256 CAPE Triage IP_1 hashes


E2
Distro_UTC Bytes Compile SHA256 CAPE Triage IP_1 hashes


E3
Distro_UTC Bytes Compile SHA256 CAPE Triage IP_1 hashes


---
notes
no new binaries :|

bundle of exe: https://tria.ge/

---
Notes:

no change from yesterday.

C2 Deltas:
E1 now 93 combos, nil.
E2 now 105 combos, nil.
E3 now 85 combos, nil.

---
```
#### E1 ####
```
none
---
```
#### E2 ####
```
none
---
```
#### E3 ####
```
none
---
```
### Closing ###
```
Will Ivan be able to get the botnet spamming again tomorrow? Will hashes be busted even though SSDEEP detects them all anyway?
Will the Emotet tools change the crypter again because it doesn't work with the stupid hashbusting? Will the same silly 2 static
craptcha images be used again for passwords? Inquiring minds want to know. Tune in tomorrow for the latest episode of
"As the Vodka Bottle Empties"

-TT
```
#### SHA256s for Epoch 1 Loader EXEs ####
```
none seen
```
#### SHA256s for Epoch 2 Loader EXEs ####
```
none seen
```
#### SHA256s for Epoch 3 Loader EXEs ####
```
none seen
```
### END ###