Emotet Malware IoCs 2019/04/19-22
jroosen
Apr 22nd, 2019
## Emotet Malware Document links/IOCs for 04/19-22/19 as of 04/22/19 23:45 EDT ##
*Notes and Credits now at the bottom* Follow us on Twitter @cryptolaemus1 for more updates.

#### Epoch 1 Document/Downloader links seen for 04/19-22/19 ####
#### Epoch 2 Document/Downloader links seen for 04/19-22/19 ####
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2019-04-22 19:25 (JS Based - Fake Error)
Creation Time 2019-04-22 10:25:00 (DOC Based - ENG - 365 Blue Box)
Creation Time 2019-04-19 19:35 (JS Based - Fake Error)
Creation Time 2019-04-18 19:35 (JS Based - Fake Error)
```
#### SHA256s for Epoch 1 Payload EXEs seen on 04/19-22/19 ####
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2019-04-22 23:20 (From ZIP - JS Based - Fake Error)
Creation Time 2019-04-22 18:10 (From ZIP - JS Based - Fake Error)
Creation Time 2019-04-22 12:12:00
Creation Time 2019-04-18 21:25 (From ZIP - JS Based - Fake Error)
```
#### SHA256s for Epoch 2 Payload EXEs seen on 04/19-22/19 ####
```
  537. c6749dacedb9dc9393f26fe74f4d18cfd71433cc505096379fb9597e9dfa3347
  538. 761f94b6ceafc071d9e742c612313f5b6a4ecdbe6fa01e17e275b9dc746067f5
  539. 304191edc268051a196a820a737d7bb35829426a426a2779e321f7b02495fb0b
  540. 7f89758ffbea53eacfc5a1c338d595395e185ea3c93b0fe7262c0dc11be83aa6
  541. 9c914ff662028e8cf4ff824144c6b6ef212e2ec3efc35be8533580d0ba6daa51
  542. 0ddaef3262be12b8a36e95706a5cbf31419d0058db554b347978e88cb5811be3
  543. f0bf3ba9f46f6e738dce18de893f8e687f7fab5447072bd63b62bb5a66f9c084
  544. 9a9f0b5aa735964dcb7f7c3c6ef5ae7ce545b7ee65e6f660c1cf1ec881d777fb
  545. 663a7678d0cf04a2bb69414500c6a80bea0a85760d6b7c931a10f52c9c39efd6
  546. 04b191d0b23629057b6ffedc2e5608d07104716fb0e7235ad1b646c9ede0f09d
  547. 0a80a8276761f0956665dec55e87d0078cc0a1b8c95e649b2b2ecd05160f1257
  548. a3f7446c7138afa2383e2ffbecaf3d0d190ad6c3bb11cd87c01d3ce3fdc5e6cd
  549. c623eb052df6e6698f31beb30aef0f8989ee612dd05b3e49291ba369b12266bf
  550. 9509c9cf8e02a2398549d657888b44d88f1b9c94ba01f990101a9fed6cb4c354
  551. fecec4e44330029a2a0cee215e44771cb179c1f4305f1e987cd5ea013e340c25
  552. 65455dc2e6d95c0d93543935313e988d7a02613f4426cfca37c91148c1705cbe
  553. 97f6c90580897a23b4d315f55dc5d7842e2363e4dfc98d85c461ca3889b1bd7f
  554. 20f184c1a49a7b6a87b6402952f17e919c07c846a1508bf4115d58aa4847ab38
  555. e4afb21699a788e67bdec51ac87942742bfe4c1099dded0e00808c3b6bcfbf36
  556. 075992599bd0776fa362c559c9ea4d2a1b338e1650e665e7102098ff3b9a67ed
  557. fee718b3c08e2a756864a0575745ae05a228e33fba71b5137d25e4cd636faae2
  558. f6c505c3108a547ecf087fbf050b45981b02beb2889615970b016f138ebec194
  559. 23fc353f4d9b1d628a397cd263babec5a0ba533452be8f2f18843d1ae1eef72a
  560. 2c1ef80f4d904dae20e0889a098f9cd56719aafa769768f51041114249f4bebd
  561. df64894f9c5abf1b1b3694b52500a2ec36b6d2849909f761d8f75657d2d23e6b
  562. e199374f49128d066e7dbc80c9f0d2ac2be2395dbd40585578b41d816ae8790b
  563. 27cd0608fd184d133b6601b2813b87a34ce5c53763c030abafd5f639b443da7b
  564. d6798b62cef08c4f61a30dfa346faf5aa29f9d03e4599ebe5ae910a193087b86
  565. 9cf320071b2c2a718575e5eca7ece66ec3a85b84a8b7e932656cac98265f6902
  566. 235af927ceeb13aa994e49fdfe97c8a651513aa148130db304daf73fe5fed45a
  567. d74c0fe80929c0b42a753633723e0fd96a3758f12591eb54f2a73a858054d657
  568. 4aa0d416787264f62a642e716f6497fd12d05b7aab09f6c048185af4bb8835b2
  569. 01825a40ea12894c4d72bcf168d38e329a06e5a6a798911e08ab07580238814a
  570. afcc001a8a38614d62612b68a8fa28422e34556ffe94ffe1f0ff573e22f1be2d
  571. 8c4bd825e22ef7598734daad0d6c99607b44981987b276e32911d9116ab173fb
  572. af9d20112fe0c70fd621badc3a9d5947cdc2892f044bb928854d47447bd2338b
  573. 0b5a6070bc9af148b1446a94778eb25decb4651859fc5dac12812f79d41064ae
  574. 29857970c804f328e8b48cf93860dc2746f47351f3386afda61d0e57d9e67090
  575. cd21efc97e094dd0e03191056e571d600bdaf6c9c750560c1f0934dd2cf30b3b
  576. a3f7664451fba95ff734f75331eba03e45f12ff2f7c079cd8301585ae5baf507
  577. 5876dcb625dfad76c439af6801789e6e6e178443956177a8915a9d0158ec5ef1
  578. f2899955a9b359550a71ce73036feb4d909e36a4d75690f8710c8beb67cdc4b0
  579. 65cf3943adaaca669e5fffbbdab59d010f2c38296879ac38030f06d9e3d06e97
  580. b65a6db447d4242e1d84f74625e8354ea95cec85f7c9b410747dc31d00370b57
  581. f011eab57fb84846940f90d2757480f2d9d20505be4f4398cc889fa10b48a1ff
  582. f80e92e1672ccb1dcf58236b2f4c6ecd20d0f5835025675d3bd858e44e69cf42
  583. 4ce83e1fb95652f713d6b61d10d206b5196775bd74eeda04653d76e2e9f59f29
  584. 24790f6f166c701006ba9af4274fab72aa724cf3fab3238af33d49a72ecd7d78
  585. 026a8a9ee9b2d5b373544a0d8d73e3a5a437436d27c4883d19e1eed808c3d370

```
#### Epoch 1 C2s ####
```

107.159.94.183:8080
109.104.79.48:8080
109.73.52.242:8080
138.68.139.199:443
139.59.19.157:80
144.76.117.247:8080
152.168.82.167:80
154.120.228.126:8080
165.227.213.173:8080
175.107.200.27:443
176.58.93.123:8080
181.29.101.13:80
181.29.186.65:80
181.30.126.66:80
181.37.126.2:80
185.86.148.222:8080
186.139.160.193:8080
187.188.166.192:80
189.205.185.71:465
189.225.119.52:990
190.117.206.153:443
190.16.29.63:443
190.171.230.41:80
192.155.90.90:7080
192.163.199.254:8080
196.6.112.70:443
197.248.67.226:8080
197.91.152.93:80
200.107.105.16:465
200.114.142.40:8080
200.28.131.215:443
210.2.86.72:8080
213.172.88.13:80
219.94.254.93:8080
23.254.203.51:8080
43.229.62.186:8080
45.118.216.70:80
45.33.35.103:8080
5.9.128.163:8080
51.255.50.164:8080
62.75.143.100:7080
65.49.60.163:443
66.209.69.165:443
66.228.45.129:8080
69.163.33.82:8080
72.47.248.48:8080
77.44.16.54:465
77.82.85.35:8080
82.226.163.9:80
88.215.2.29:80
89.211.193.18:80
91.205.215.57:7080
92.48.118.27:8080
99.243.127.236:80


```
#### Epoch 1 - Spam/Stealer C2s ####
```

31.172.86.183:8080
104.236.185.25:8080
50.116.63.9:7080

```
#### Current Epoch 1 RSA Public Key ####
```

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+
0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ
Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB

```
#### Epoch 2 C2s ####
```

106.51.37.192:80
119.93.243.2:50000
124.123.42.93:80
133.242.156.30:7080
136.243.117.85:8080
138.201.140.110:8080
139.216.191.234:20
144.202.9.18:8080
147.135.210.39:8080
149.255.56.242:8080
162.243.125.212:8080
167.114.210.191:8080
173.255.196.209:8080
173.255.250.241:443
174.93.130.148:8443
175.100.138.82:22
177.230.108.144:22
177.231.157.189:53
177.242.214.30:80
178.62.37.188:443
178.79.161.166:443
180.150.87.75:22
186.4.234.27:443
187.189.195.208:8443
190.112.228.47:443
195.99.230.208:80
2.50.52.255:20
201.220.152.101:80
208.78.100.202:8080
211.63.71.72:8080
212.22.215.140:80
213.14.166.152:990
216.98.148.156:8080
217.13.106.160:7080
31.163.99.231:80
45.123.3.54:443
45.249.156.10:8090
45.33.49.124:443
5.230.147.179:8080
50.101.180.172:7080
50.31.0.160:8080
58.65.211.99:50000
58.9.168.7:990
62.75.187.192:8080
64.13.225.150:8080
67.205.149.117:8080
68.229.130.39:80
69.198.17.7:8080
69.45.19.145:8080
70.116.68.186:80
71.78.158.190:80
77.56.253.112:80
78.100.187.118:80
78.149.210.116:22
78.186.5.109:443
82.0.19.40:80
83.110.155.238:8090
84.241.10.111:53
85.104.59.244:20
86.136.28.152:8080
87.106.139.101:8080
91.205.215.66:8080
94.130.35.140:443
94.76.200.114:8080
95.128.43.213:8080


```
#### Epoch 2 - Spam/Stealer C2s ####
```

198.58.114.91:4143
213.136.86.219:7080
91.205.215.10:7080

```
#### Current Epoch 2 RSA Public Key ####
```

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx
S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc
hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB

```
#### Credits and Notes Section ####
```

WARNING - Some links may have been taken down shortly after I reported them to URLhaus (urlhaus.abuse.ch) because they rock and report
everything to ISPs once it is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous
days here to get the full picture:
https://pastebin.com/u/jroosen

NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

```
#### What is Epoch 1 and Epoch 2? ####
```

What is Epoch 1 and Epoch 2? (updated 03/07/2019)

I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed different timescales of
payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures and separate RSA keys for communications.
Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller, more
rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
This seems to change back and forth over a 6 month period. Despite having unique, unshared C2 infrastructures, these two botnets have been seen
to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group, e.g. going on break during the
same time period.
Here are some observations I have noted since I have been watching these botnets:

- Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
Epoch 2 document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those
being delivered in maldocs on Epoch 2 at any one time.
- Document hashes change every 10 minutes on both Epochs while distribution/spamming is active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Mondays of every week a new set of document download sites, and usually templates to accompany them, are generated early on
Monday morning/Sunday night.
- Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
Epoch 2 may have a document hosted on host.tld/B.
- The RSA keys used for C2 communications on each Epoch/botnet change every few months.
- Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
*- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
via C2 to stay ahead of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00 UTC each day. It usually starts back up around 07:00-08:00 UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA key. HINT - CAPE Sandbox makes this
easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
spam template, word template, document type and even payload.

If I think of anything else to add or if anyone else has any suggestions, I will add them here.

```
#### Community Lists ####
```


https://otx.alienvault.com/pulse/5cbe1dc2c41a2b04db2a6c52/ - @SecSome
https://pastebin.com/mtzCAvrX - @pollo290987


```
#### Credits ####
```
(OC from @JRoosen and/or combination work of the following)

Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL, @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
@0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
@Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk

C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
@devnullnoop, @gorimpthon, @Racco42, @Jan0fficial

Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
@pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman

Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
@urlscanio and @Virustotal for providing services/software at no charge to this cause!

```
#### Daily Log 04-19-22-19 ####
```

General News:

Friday and this weekend were very quiet in Emotet land. It looked like they were going for a break on Friday when nothing really
showed up on either E1 or E2. E1 had a single quintet Friday and E2 had basically no activity. Distro and C2 EXE updates were down
on Friday and essentially all weekend. They only came up today around 08:00 UTC. I wonder how many bots were cleaned because of
that outage. Marcus also saw this happen over the weekend and commented on it here:

https://twitter.com/MalwareTechBlog/status/1120397548550787074

In other news:

@raashidbhatt released a nice writeup on the C2 protocol for Emotet:
https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol

Email Template Report:

I received about 3 malspams today and 0 on Friday and the weekend. Two of today's were generic and one was a reply-chain message
to a previous inquiry chain from October 19th 2018.

The generic messages were the following:

____________________________________
EXAMPLE #1
From: "SpoofedOrgName - Commercial Account Manager" <pablo.chavez@camplastics.com>
To: "Victim" <Victim@victims.tld>
Subject: Past Due Invoices

<html>
<body>
=0DPayroll reports are attached to this e-mail.

<br>
<a href=3D"http://tancini.pizza/wp-admin/FILE/drxTUMEcsV/">http://spoofedorg.=
tld/files/95073516206/SpoofedOrgName_568009619743_Apr_22_2019.doc</a>
<br>
<br>
<br>
<b>Spoofed Org</b>
<br>commercial@spoofedorg.tld
</body></html>
____________________________________
EXAMPLE #2

From: "SpoofedOrg" <hackedaccount@some.tld>
To: "Victims Full Name" <victim@victims.tld>
Subject: Fwd: ACH form

<html>
<body>
=0DPlease see attached for SpoofedOrg.
<br>A printer friendly attachment is now included with each email.<br>Click=
on the attachment to open or save the printer friendly version of your rep=
ort.
<br>
<a href=3D"http://elsiah.com/cgi-bin/INC/9826nLiKPUx/">http://SpoofedOrg.tld=
/doc/16332818642/spoofedorg_695094687455_Apr_22_2019.doc</a>
<br>
<br>
<br>
<b>SpoofedOrg</b>
<br>billing@spoofedorg.tld
</body></html>
____________________________________

The first example seems to confuse Invoices and Payroll... *Shrug*

The reply chain had a new introduction phrase of the following:

"Thank you for your help. Please see the attached." Pretty innocuous but worth noting.

Review:
What we know about the threaded templates: (changes are marked with *)

- Emails are sourced from once (or still) compromised users all over the world.
- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
to the compromised party, with threads dating from around Nov 2018 until at least January 2019 (possibly up to the present). Threads going
back as far as June 2018 have also been seen.
- Now on E1 and E2.
- Now seeing German based templates that are essentially the same thing but in German.
*- The injected reply is usually prefaced with one of the following:
"Attached is your confidential docs."
"Attached please find the wire transfer form."
*"Thank you for your help. Please see the attached."
- Both attached and link-based delivery of the maldocs/ZIP/JS have been observed.
- Attachments seem to be in the filename format of *_April_DD_YYYY.doc/js so far.
- The display text of the link is customized to show the real domain of the spoofed organization, while the href itself points at the
actual document download site (compare the two examples above).
- These templates are pretty limited in run and not very numerous.

Link Regex Report:

Regex directory patterns - the new regex for E2, marked with *, was seen again today.

E1 - \/(Frage|Nachprufung|nachpr|sich|sichern|vertrauen|([DdeEnN_]{2,5}))\/([0-49\-]){6,7}\/
E1 and E2 - https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
E2 - https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/
*E2 - https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{8,12})\/

Payloads Report:

E1 had 2 quintets today and 1 Friday. This is a pretty weak showing and demonstrates the problems they have been having. 1 lonely JS
direct download on Friday. This morning was all DOCs and links starting around 09:00 UTC. At about 19:25 it switched to direct download
JS files from a link.
Entirely link-based stage 2 downloads seen.

E1 binaries are now updating in distro and C2 again as of 08:00 UTC today. E1 is only hash busting at a rate of 1 per 30-35 minutes.
C2 is updating every 2 hours.

E2 had 3 quintets today and nothing on Friday or over the weekend. E2 started the morning with documents just like E1 but then moved to
hash busted ZIP/JS files. It is currently still doing hash busted ZIP/JS files.
Reminder -
The JS files themselves have constant hashes, though, with typical names like the following:
Document_50421214155US_Apr_19_2019.js
DOC_868171038199US_Apr_19_2019.js
FILE_22488234010US_Apr_19_2019.js
INC_6077246262US_Apr_19_2019.js
LLC_28795416000US_Apr_19_2019.js
Scan_7472621182US_Apr_19_2019.js
The first part of the name is always the same as the directory name from the new E2 regex above.

E2 binaries have started updating every 10 minutes or so again.

C2 Report:

C2s DID change for E1 but decreased from 55 to 54 combos in total. - recorded above
C2s DID change for E2 and increased from 62 to 65 combos in total. - recorded above

Closing:


Unfortunately, we did not get a break and Ivan is being stubborn with wanting to fight back despite Orthodox Easter being this coming
weekend. We will see what he has in his sack of tricks for the rest of this week. I am sure tomorrow will be interesting after a
weaker showing today. TT

```
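The two email examples and the Link Regex Report in the daily log above together describe a check a mail gateway or triage script can run: decode the quoted-printable body, pull out every anchor, compare the host the victim is shown in the link text with the host the href really points at, and tag the target with the E1/E2 directory pattern it matches. The Python below is an added example (not the author's tooling) that does exactly that. The four regexes are the author's, verbatim; the sample body is Example #1 from the log with its headers dropped and still in its wire encoding; JS_NAME is my own generalisation of the six JS filenames in the Payloads Report and is not from the page.

```python
import quopri
import re
from urllib.parse import urlparse

# The author's directory regexes from the Link Regex Report, verbatim.
LINK_PATTERNS = {
    "E1":        r"\/(Frage|Nachprufung|nachpr|sich|sichern|vertrauen|([DdeEnN_]{2,5}))\/([0-49\-]){6,7}\/",
    "E1 and E2": r"https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/",
    "E2":        r"https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/",
    "E2 new":    r"https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{8,12})\/",
}

# Shape of the hash-busted JS names listed in the Payloads Report (e.g. Document_50421214155US_Apr_19_2019.js).
# This regex is my generalisation of those six names; it is not something the page states.
JS_NAME = re.compile(r"^(Document|DOC|FILE|INC|LLC|Scan)_\d+US_[A-Z][a-z]{2}_\d{2}_\d{4}\.js$")

ANCHOR = re.compile(r'<a\s+href="([^"]+)"\s*>(.*?)</a>', re.S)


def classify_url(url):
    """Names of the Epoch directory patterns that match url (normally zero or one)."""
    return [name for name, pat in LINK_PATTERNS.items() if re.search(pat, url)]


def decode_body(raw_qp):
    """Undo the quoted-printable transfer encoding (=3D, =0D, soft '=' line breaks)."""
    return quopri.decodestring(raw_qp.encode()).decode("utf-8", "replace")


def extract_links(raw_qp):
    """For every anchor in a malspam body, compare the real target with the host shown
    to the victim in the link text and tag the target with the Epoch pattern it matches."""
    out = []
    for href, text in ANCHOR.findall(decode_body(raw_qp)):
        shown = text.strip()
        shown_host = urlparse(shown).hostname if shown.startswith("http") else None
        target_host = urlparse(href).hostname
        out.append({
            "href": href,
            "target_host": target_host,
            "shown_host": shown_host,
            "lure_mismatch": shown_host is not None and shown_host != target_host,
            "epoch": classify_url(href),
        })
    return out


# Constructed sample: the HTML body of Example #1 from the daily log, still quoted-printable
# encoded as it arrived (the soft line break inside the display URL is part of the real message).
EXAMPLE1_RAW = """<html>
<body>
=0DPayroll reports are attached to this e-mail.

<br>
<a href=3D"http://tancini.pizza/wp-admin/FILE/drxTUMEcsV/">http://spoofedorg.=
tld/files/95073516206/SpoofedOrgName_568009619743_Apr_22_2019.doc</a>
<br>
<b>Spoofed Org</b>
</body></html>
"""

if __name__ == "__main__":
    for link in extract_links(EXAMPLE1_RAW):
        print(link)
    # A document-download URL of the other shape, taken from the Epoch 1 list at the top of the page.
    print(classify_url("http://68.183.44.49/wp-includes/lSEuC-XSliN2NFFs1LuD1_JFNHgoVIj-vW4/"))
    print(bool(JS_NAME.match("Document_50421214155US_Apr_19_2019.js")))
```

The lure_mismatch flag is the cheap, template-independent signal here: the display text always carries the spoofed organization's real domain, so any anchor whose visible host differs from its href host is worth pulling regardless of which directory regex is current that week.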
#### Sandbox 04/19-22/19 ####
(all with fakenet and MITM unless spam/secondary infection)
```

Epoch 1 C2 run on 2019-04-23 at 02:30 UTC - https://app.any.run/tasks/6291782e-59f1-4b1d-a1d8-7ddaeb67f670

Epoch 2 C2 run on 2019-04-23 at 02:30 UTC - https://app.any.run/tasks/282892eb-c2b9-47d7-8cfe-800c5a87f42c

```