## Emotet Malware Document links/IOCs for 05/27/19 as of 05/28/19 01:00 BST ##
*Notes and Credits now at the bottom* Follow us on twitter @cryptolaemus1 for more updates.
#### Epoch 1 Document/Downloader links seen for 05/27/19 ####
```
<none>
```
#### Epoch 2 Document/Downloader links seen for 05/27/19 ####
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
#### SHA256s for Epoch 1 Payload EXEs seen on 05/27/19 ####
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
#### SHA256s for Epoch 2 Payload EXEs seen on 05/27/19 ####
#### Epoch 1 C2s ####
#### Epoch 1 - Spam/Stealer C2s ####
```
61.92.159.208:8080
104.236.185.25:8080
50.116.63.9:7080
```
#### Current Epoch 1 RSA Public Key ####
```
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
```
#### Epoch 2 C2s ####
#### Epoch 2 - Spam/Stealer C2s ####
```
<not updated>
198.58.114.91:4143
213.136.86.219:7080
91.205.215.10:7080
```
#### Current Epoch 2 RSA Public Key ####
```
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
```
#### Credits and Notes Section ####
```
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs as it
is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
https://paste.cryptolaemus.com
NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.
```
- #### What is Epoch 1 and Epoch 2? ####
- ```
- What is Epoch 1 and Epoch 2? (updated 03/07/2019)
- I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
- payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications.
- Epoch 1 is currently the larger of the two botnets(MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller more
- rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
- This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen
- to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group. E.g. going on breaks at the same
- time period.
- Here are some observations I have noted since I have been watching these botnets:
- - Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
- Epoch 2 document download site. Specifically, Maldocs on Epoch 1 will have a different document creation times and payload quintets than those
- being delivered in maldocs on Epoch 2 at any one time.
- - Document hashes change very 10 minutes on both Epochs while distribution/spamming are active.
- - Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- - On Monday's of every week a new set of document download sites and usually templates to accompany them are generated early on
- Monday morning/Sunday night.
- - Both Epoch's may share a host for binaries or documents but NEVER the same directory. Eg. Epoch 1 may have an EXE in directory host.tld/A and
- Epoch 2 may have a document hosted on host.tld/B.
- - The RSA keys will change every few months so for C2 communications on each Epoch/Botnet.
- - Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
- *- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- - Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- - C2s are never shared between Epochs/Botnets.
- - Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
- via C2 to stay ahead of AV defs.
- - Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
- - Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- - The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this
- easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- - Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
- spam template, word template, document type and even payload.
- If I think of anything else to add or if anyone else has any suggestions, I will add them here.
- ```
- #### Community Lists ####
- ```
- ```
- #### Credits ####
- ```
- (OC from @JRoosen and/or combination work of the following)
- Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
- @0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
- @Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk
- C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
- @devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192
- Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
- @pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
- @papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro
- Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
- Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
- helping out with this!
- Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
- @digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
- @urlscanio, @TrendMicro and @Virustotal for providing services/software no charge to this cause!
- ```
- #### Daily Log 05-27-19 ####
- ```
- No emails for me today :| - late start to distribution, and a new executable naming convention
- A big thank you to all those that report #emotet, via Twitter, URLhaus, URLscan and all the sandboxes
- General News:
- https://twitter.com/decalage2/status/1132900273175891968
- REVIEW:
- If you didn't already see it, there is a very simple way to defang these ZIP/JS attachments or links. Just change the Explorer association
- to open .JS files via Notepad.exe. You can follow my instruction here in this Any.Run:
- https://app.any.run/tasks/81503633-0f95-48d4-bd80-c83ec5c2b763
- or you can do this via GPO. Here is a nice writeup on this process: https://montour.co/2016/09/group-policy-force-js-files/
- I recommend you do this because .JS malware is very 2016 or even earlier and most users never need to run .JS or .JSE for that matter.
- You can likely throw other extensions into the same configuration and @JayTHL had a nice thread discussing this here:
- https://twitter.com/JayTHL/status/1126204098670411779
- Email Template Report:
- Generic templates for the most part, the usual body text listed below.
- Review:
- What we know about the threaded templates/reply chain:(changes are marked with *)
- - Emails are sourced from once (or still) compromised users all over the world.
- *- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
- to the compromised party on or before Nov 2018 until at least March 2019. (may be up to present) Also have seen emails going
- back as far as June 2018.
- - Now on E1 and E2.
- - Now seeing German based templates that are essentially the same thing but in German.
- - The injected reply is usually prefaced with the following:
- "Attached is your confidential docs."
- "Attached please find the wire transfer form."
- "Thank you for your help. Please see the attached."
- "Load instructions attached"
- "A printer friendly attachment is now included with each email."
- "Click on the attachment to open or save the printer friendly version of your report."
- - Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
- - Attachments seem to be in the filename format of *_Month_DD_YYYY.doc/js so far.
- - The link's display text is customized to show the real domain of the spoofed organization.
- - These templates are pretty limited in run and not very numerous.
- Link Regex Report:
- Regex directory patterns
- E1
- *https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)
- https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/
- https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
- https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/
- E2
- https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
- *https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)
- https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/
- NOTE: If you get a lot of false positives, try adding (\"|\n) at the end of some of these after the last \/
- These Regex patterns are to be used experimentally and at your own risk but they caught 95%+ of link malspam.
- Payloads Report:
- Late start, ~10:30
- E1 - attachment only, no URLs found; observed DOC hashes (12) drawn from anyrun and hybridanalysis. Additional French DOC names in afternoon.
- E2 - 167 URLs in two EXE sets, the final set may be attachment only. Additional German DOC names in morning.
- There is a new EXE naming convention. Possible parts:
- ideu,free,capture,tenant,watson,peekat,english,asptlb,shim,netserv,ait,camera,alaska,begin,magnify,cpp,dmrc,intl,enable,vcr,violet,reviews,number,loopa,tcg,ratings,resize,sitka,prime,namesof,dso,summary,routing,alabama,loan,manual,chapp,cvt,wfd,proc,mdmmct,iptb,unmute,gdi,draw,wnv,fnc,show,contact,spc,wlansvc,classic,msra,sharp,align,diff,lev,dist,ias,edit,black,jpn,svcguid,cntl
- RSA keys unchanged
- New module with as yet unknown functionality observed.
- C2 Report:
- C2 from E1 EXE gave 90 unique combos in total. - recorded above
- C2 from E2 EXE gave 86 unique combos in total. - recorded above
- Closing:
- <>
- TT
- ```
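The three E2 directory regexes from the Link Regex Report above, run over a few constructed URL lines. This is an added example and not part of the Cryptolaemus report; the host `example.invalid` and the sample paths are made up. It also shows what the NOTE about `(\"|\n)` means in practice: the second pattern carries that terminator, and stripping it makes ordinary WordPress asset paths under `wp-content/` match as well.

```python
import re

# The three E2 directory regexes from the Link Regex Report, copied as-is.
# The second (starred) one ends in (\"|\n): it expects a quote or a line
# break right after the directory, as in a raw mail body or a CSV/JSON log.
E2_DIR_PATTERNS = [
    r"https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/",
    r"https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)",
    r"https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/",
]

TERMINATOR = r"(\"|\n)"


def relax(pattern):
    r"""Return the pattern without its trailing (\"|\n) terminator.

    This is the looser form the NOTE warns about: without the terminator,
    any deeper path under a listed directory will also match.
    """
    return pattern[:-len(TERMINATOR)] if pattern.endswith(TERMINATOR) else pattern


def flag_lines(text, patterns):
    """Return (line_no, line, pattern_index) for each line hit by a pattern.

    Each line is tested with a trailing newline appended so that the
    terminator can match exactly as it would when scanning a whole file.
    A line is reported once, for the first pattern that matches it.
    """
    compiled = [re.compile(p) for p in patterns]
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for idx, rx in enumerate(compiled):
            if rx.search(line + "\n"):
                hits.append((line_no, line, idx))
                break
    return hits


# Constructed sample (not observed URLs): lines 1-3 follow the three E2
# directory shapes, lines 4-5 are ordinary WordPress asset paths that a
# defender would not want flagged.
SAMPLE_TEXT = """\
http://example.invalid/wp-includes/Scan/AbCdEfGhIjKlMnOpQrSt/
http://example.invalid/7f3k/ab12cd-efgh3-ijk4lmn/
http://example.invalid/wp-content/uploads/MyProjectFiles_2019b-0123456789/
http://example.invalid/wp-content/plugins/contact-form-7/readme.txt
http://example.invalid/wp-content/themes/twentynineteen/style.css
"""

if __name__ == "__main__":
    strict = flag_lines(SAMPLE_TEXT, E2_DIR_PATTERNS)
    loose = flag_lines(SAMPLE_TEXT, [relax(p) for p in E2_DIR_PATTERNS])
    print("with terminator:   ", [h[0] for h in strict])  # [1, 2, 3]
    print("without terminator:", [h[0] for h in loose])   # [1, 2, 3, 4, 5]
```

Feeding `line + "\n"` to `search` is what makes the terminator usable on a list of bare URLs; when the input is a mail body or a log where each URL is already quoted or newline-terminated, the patterns can be applied to the whole text directly.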
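A small triage helper for the new EXE naming convention described in the Payloads Report above, added here as an example and not part of the Cryptolaemus report or its tooling. The report lists the possible name parts but not how they are combined; this code assumes a name is the concatenation of two or more of those parts (an assumption, marked in the code) and uses word-break dynamic programming to test whether a file stem can be split entirely into listed parts. The sample file names are constructed.

```python
# Possible name parts listed in the Payloads Report above, copied as-is.
NAME_PARTS = frozenset(
    "ideu,free,capture,tenant,watson,peekat,english,asptlb,shim,netserv,ait,"
    "camera,alaska,begin,magnify,cpp,dmrc,intl,enable,vcr,violet,reviews,"
    "number,loopa,tcg,ratings,resize,sitka,prime,namesof,dso,summary,routing,"
    "alabama,loan,manual,chapp,cvt,wfd,proc,mdmmct,iptb,unmute,gdi,draw,wnv,"
    "fnc,show,contact,spc,wlansvc,classic,msra,sharp,align,diff,lev,dist,ias,"
    "edit,black,jpn,svcguid,cntl".split(",")
)


def segment(stem, parts=NAME_PARTS):
    """Split stem into a sequence of known parts, or return None.

    Classic word-break dynamic programming: best[i] holds one valid
    segmentation of stem[:i]. Any segmentation is fine for triage, so the
    first one found is kept.
    """
    best = [None] * (len(stem) + 1)
    best[0] = []
    for i in range(1, len(stem) + 1):
        for j in range(i):
            if best[j] is not None and stem[j:i] in parts:
                best[i] = best[j] + [stem[j:i]]
                break
    return best[len(stem)]


def looks_like_convention(filename, min_parts=2):
    """True if the file stem is built entirely from listed parts.

    ASSUMPTION (not stated in the report): a name is the concatenation of
    two or more parts. Single-part names are ignored because several parts
    (show, edit, contact, ...) are ordinary words that turn up in benign
    file names.
    """
    stem = filename.lower().rsplit(".", 1)[0]
    seg = segment(stem)
    return seg is not None and len(seg) >= min_parts


def triage(filenames):
    """Return the subset of filenames that fit the naming convention."""
    return [f for f in filenames if looks_like_convention(f)]


# Constructed sample file names (made up for this example, not observed).
SAMPLE_NAMES = [
    "peekatenglish.exe", "WatsonCamera.exe", "freeshimdraw.exe",
    "notepad.exe", "capture.exe", "svchost.exe",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(name, segment(name.lower().rsplit(".", 1)[0]))
    print(triage(SAMPLE_NAMES))
    # ['peekatenglish.exe', 'WatsonCamera.exe', 'freeshimdraw.exe']
```

A match is a hunting lead, not a verdict: the part list is short and shared with legitimate words, so anything this flags still needs the payload's C2 list or RSA key checked, as the notes above recommend.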
- #### Sandbox 05/27/19 ####
- (all with fakenet and MITM unless spam/secondary infection)
- ```
- E1
- https://app.any.run/tasks/fe5706c1-37f3-40a0-85e7-687f0cb3e560
- E2
- https://app.any.run/tasks/4971e1b6-b33a-4674-88ea-e285d614d558
- ```