ps66uk

# Emotet Malware IoCs 2019/05/27

May 27th, 2019

## Emotet Malware Document links/IOCs for 05/27/19 as of 05/28/19 01:00 BST ##
*Notes and Credits now at the bottom* Follow us on Twitter @cryptolaemus1 for more updates.


#### Epoch 1 Document/Downloader links seen for 05/27/19 ####
```

<none>

```
#### Epoch 2 Document/Downloader links seen for 05/27/19 ####
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time 2019:05:27 19:49:00 (Attachment Only - DOC Based - ENG - 365 Blue Background)

Creation Time 2019:05:27 15:47:00 (Attachment Only - DOC Based - ENG - 365 Blue Background)

Creation Time 2019:05:27 06:41:00 (Attachment Only - DOC Based - ENG - 365 Blue Background)

```
#### SHA256s for Epoch 1 Payload EXEs seen on 05/27/19 ####
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```

(may be one more to find)

Creation Time 2019:05:27 15:38:00 (DOC Based - ENG - 365 Blue Box)

Creation Time 2019:05:27 10:29:00 (DOC Based - ENG - 365 Blue Box)

```
#### SHA256s for Epoch 2 Payload EXEs seen on 05/27/19 ####
#### Epoch 1 C2s ####
#### Epoch 1 - Spam/Stealer C2s ####
```

61.92.159.208:8080
104.236.185.25:8080
50.116.63.9:7080

```
#### Current Epoch 1 RSA Public Key ####
```

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB

```
#### Epoch 2 C2s ####
#### Epoch 2 - Spam/Stealer C2s ####
```

<not updated>
198.58.114.91:4143
213.136.86.219:7080
91.205.215.10:7080

```
#### Current Epoch 2 RSA Public Key ####
```

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB

```
#### Credits and Notes Section ####
```

WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs as it
is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
https://paste.cryptolaemus.com

NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

```
#### What is Epoch 1 and Epoch 2? ####
```

What is Epoch 1 and Epoch 2? (updated 03/07/2019)

I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications.
Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller, more
rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen
to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group, e.g. going on breaks at the same
time period.
Here are some observations I have noted since I have been watching these botnets:

- Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
Epoch 2 document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those
being delivered in maldocs on Epoch 2 at any one time.
- Document hashes change every 10 minutes on both Epochs while distribution/spamming is active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Mondays of every week a new set of document download sites, and usually templates to accompany them, are generated early on
Monday morning/Sunday night.
- Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
Epoch 2 may have a document hosted on host.tld/B.
- The RSA keys for C2 communications on each Epoch/Botnet will change every few months.
- Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
*- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- Each binary has a hard-coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
via C2 to stay ahead of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00 UTC each day. It usually starts back up around 07:00-08:00 UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA key. HINT - CAPE Sandbox makes this
easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
spam template, word template, document type and even payload.

If I think of anything else to add or if anyone else has any suggestions, I will add them here.

```
#### Community Lists ####
```



```
#### Credits ####
```
(OC from @JRoosen and/or combination work of the following)

Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL, @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
@0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
@Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk

C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
@devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192

Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
@pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro

Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey,
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
@urlscanio, @TrendMicro and @Virustotal for providing services/software at no charge to this cause!

```
#### Daily Log 05-27-19 ####
```

No emails for me today :| - late start to distribution, and a new executable naming convention

A big thank you to all those that report #emotet, via Twitter, URLhaus, URLscan and all the sandboxes


General News:

https://twitter.com/decalage2/status/1132900273175891968


REVIEW:
If you didn't already see it, there is a very simple way to defang these ZIP/JS attachments or links. Just change the Explorer association
to open .JS files via Notepad.exe. You can follow my instructions here in this Any.Run:
https://app.any.run/tasks/81503633-0f95-48d4-bd80-c83ec5c2b763
or you can do this via GPO. Here is a nice writeup on this process: https://montour.co/2016/09/group-policy-force-js-files/
I recommend you do this because .JS malware is very 2016 or even earlier and most users never need to run .JS or .JSE for that matter.
You can likely throw other extensions into the same configuration and @JayTHL had a nice thread discussing this here:
https://twitter.com/JayTHL/status/1126204098670411779

Email Template Report:

Generic templates for the most part, the usual body text listed below.

Review:
What we know about the threaded templates/reply chain: (changes are marked with *)

- Emails are sourced from once (or still) compromised users all over the world.
*- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
to the compromised party on or before Nov 2018 until at least March 2019 (may be up to present). Also have seen emails going
back as far as June 2018.
- Now on E1 and E2.
- Now seeing German based templates that are essentially the same thing but in German.
- The injected reply is usually prefaced with the following:
"Attached is your confidential docs."
"Attached please find the wire transfer form."
"Thank you for your help. Please see the attached."
"Load instructions attached"
"A printer friendly attachment is now included with each email."
"Click on the attachment to open or save the printer friendly version of your report."
- Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
- Attachments seem to be in the filename format of *_Month_DD_YYYY.doc/js so far.
- The link is customized so that the display text of the link shows the real domain of the spoofed organization.
- These templates are pretty limited in run and not very numerous.

Link Regex Report:

Regex directory patterns

E1
*https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)
https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/
https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/

E2
https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
*https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)
https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/

NOTE: If you get a lot of false positives, try adding (\"|\n) at the end of some of these after the last \/

These regex patterns are to be used experimentally and at your own risk, but they caught 95%+ of link malspam.


Payloads Report:

Late start, ~10:30
E1 - attachment only, no URLs found; observed DOC hashes (12) drawn from anyrun and hybridanalysis. Additional French DOC names in afternoon.

E2 - 167 URLs in two EXE sets; the final set may be attachment only. Additional German DOC names in morning.

There is a new EXE naming convention. Possible parts:
ideu,free,capture,tenant,watson,peekat,english,asptlb,shim,netserv,ait,camera,alaska,begin,magnify,cpp,dmrc,intl,enable,vcr,violet,reviews,number,loopa,tcg,ratings,resize,sitka,prime,namesof,dso,summary,routing,alabama,loan,manual,chapp,cvt,wfd,proc,mdmmct,iptb,unmute,gdi,draw,wnv,fnc,show,contact,spc,wlansvc,classic,msra,sharp,align,diff,lev,dist,ias,edit,black,jpn,svcguid,cntl

RSA keys unchanged

New module with as yet unknown functionality observed.


C2 Report:

C2 from E1 EXE gave 90 unique combos in total. - recorded above
C2 from E2 EXE gave 86 unique combos in total. - recorded above


Closing:

<>

TT

```
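As an added example (not part of this paste or of the Cryptolaemus tooling), here is the Link Regex Report applied in Python: the E1/E2 directory patterns are copied verbatim from the log above, the `classify`/`triage` helpers and the `example.com` sample lines are my own constructions, and `strict=True` shows what the `(\"|\n)` suffix from the NOTE does to a URL that merely contains a matching directory.

```python
import re

# E1/E2 directory-pattern regexes from the Link Regex Report above, copied verbatim
# (Python's re accepts the \/ and \" escapes as the literal characters).
E1_PATTERNS = [
    r"https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)",
    r"https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/",
    r"https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/",
    r"https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/",
]
E2_PATTERNS = [
    r"https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/",
    r"https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)",
    r"https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/",
]
TERMINATOR = r'(\"|\n)'  # the suffix the NOTE recommends adding after the last \/

def classify(line, strict=False):
    """Return 'E1', 'E2' or None for one line holding a URL. strict=True applies the
    NOTE: a pattern ending in a slash must also be followed by a quote or line break."""
    subject = line + "\n"  # newline-terminated, as a line read from a file would be
    for label, patterns in (("E1", E1_PATTERNS), ("E2", E2_PATTERNS)):
        for pat in patterns:
            if strict and pat.endswith(r"\/"):
                pat += TERMINATOR
            if re.search(pat, subject):
                return label
    return None

def triage(lines, strict=False):
    """Map each line to its Epoch label (or None) so a mail/proxy log can be bulk-checked."""
    return {line: classify(line, strict) for line in lines}

# Constructed sample lines, not real Emotet URLs: three E1 shapes, three E2 shapes,
# an E2-like URL with an extra trailing path, and one benign link.
SAMPLE_LINES = [
    "http://example.com/sec_zone/en_US/sign",
    "http://example.com/US_/Attachments/12345-6/",
    "http://example.com/secure.en.logged.docs.com/",
    "http://example.org/uploads/AbCdEf12_xyz789-123456789/",
    "http://example.com/wp-content/AbCdEfGhIjKlMnOp/",
    "http://example.net/cgi-bin/abcd1-efgh23-ijkl/",
    "http://example.net/cgi-bin/abcd1-efgh23-ijkl/more/stuff.html",
    "https://www.example.com/blog/2019/05/post.html",
]

if __name__ == "__main__":
    for line, label in triage(SAMPLE_LINES).items():
        print(f"{label!s:<4} strict={classify(line, strict=True)!s:<4} {line}")
```

The seventh sample line is flagged E2 by the loose patterns but not by the strict ones, which is the false-positive class the NOTE is about.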
#### Sandbox 05/27/19 ####
(all with fakenet and MITM unless spam/secondary infection)
```

E1
https://app.any.run/tasks/fe5706c1-37f3-40a0-85e7-687f0cb3e560

```

E2
https://app.any.run/tasks/4971e1b6-b33a-4674-88ea-e285d614d558

```



```