jroosen

Emotet Malware IoCs 2019/10/08

Oct 8th, 2019
## Emotet Malware Document links/IOCs for 10/08/19 as of 10/09/19 00:00 EDT ##
*Notes and Credits at the bottom.* Follow us on Twitter @cryptolaemus1 for more updates.

### Document Downloader Links ###

#### Epoch 1 Document/Downloader links ####
```
<none>
```
#### Epoch 2 Document/Downloader links ####
```
http://awgpf.org/wp-admin/LLC/dUDBARshweY/
http://blog.safary.ma/fwl503/INC/vEVxmeCyUmCQtogaMolBfygoR/
http://clients.siquiero.es/hizv5v9/paclm/afcse9eba1qsn_owbo6-69170965/
http://ctni.co.uk/wp-admin/esp/bBItbZBcBQOoEwafxb/
http://decorstyle.ig.com.br/wp-content/languages/Scan/za7w63pg79e_f4ia5-01669369/
http://disdostum.com/blogs/lm/khtnAGvipOpDnzbCFMC/
http://earthpillars360.org/vgok990sf/cavTByhbMbs/
http://emilrozewski.pl/emilrozewski.pl/INC/o2i1pmac2kkr5bo5mx2nl2at4_6dc3fvvq-66548834332/
http://gonouniversity.edu.bd/sociology/lm/InNCDfrRIDqnLjHrOFEhBGhRGFQsX/
http://hurtowniatapet.pl/wp-admin/zqVHnvSXXoiFCasKkuFaUg/
http://infraturkey.com/deletecomment/parts_service/daaMnHeDzR/
http://ismashednc.com/cgi-bin/z551rm1hmrv373_e8hs2-7538061518636/
http://kbkevolve.com/wp-admin/zjmxgadhuv4pnbzp7ynpdoik56795_gwb8z-673046389663526/
http://nuevocorporativo.canal22.org.mx/wp-includes/s0r6nqec8g68xjnbfnttar7_t805e-24701676/
http://ostadtarah.ir/wp-content/paclm/MpIiyqCdWrsLPjbMjiDqBhrZOq/
http://overwatchboostpro.com/ynibgkd65jf/sites/2bmfkc0j7qe8_58yyhd4-3344823406/
http://parscalc.ir/academy/RKWgiuSOZGpFVpIf/
http://peruphone.com.pe/5hdf7b2/DOC/XGxZhPXkNKqiiGFnKeIH/
http://taskforce1.net/wp-admin/paclm/b33w806gu34ln6s_o75jzedoh-7204931873/
http://wizard.erabia.io/cl67i3t/Document/HcRzSepVgfWLviFFzMVzUFePbuvUH/
http://www.bresbundles.com/hunwdgi/esp/vml11lb8y0nqu244jmd1ulfcj_533mn-795717924/
http://www.earthpillars360.org/vgok990sf/cavTByhbMbs/
http://www.elibdesign.co.il/wp-content/yKiXqyQZcygxYAAKT/
http://www.endeavouronline.in/cgi-bin/3ag3ls9kvd4ot6j1njug1nq8k_2v9rsq9-5699212626798/
http://www.goaribhs.edu.bd/wp-content/A3F9NVJS9BB3F/NMCmgnzScSetktYTdGLDfyPsqZEleA/
http://www.lavinotecaonline.it/wc-logs/yHlKCeOlqUfc/
http://www.omniaevents.co/wp-includes/LLC/im4r213qj3jgqq04kcp722irmm_n7331-313199097437/
http://www.saleemibookdepot.com/hpkikf/LLC/fqj2uihuh9te8_bculdpib-726470310041/
http://www.salviasorganic.com/license/INC/0fbsvvw1uzkhc8nf4x8hiqoa7obf_8flumf39v-3657734246364/
http://www.sweetpeahaircollection.com/sssu/FILE/lnnet2pb1tnl5rl0onl4gy_8vehv5y-920842041/
https://ctni.co.uk/wp-admin/esp/bBItbZBcBQOoEwafxb/
https://ecklund.no/pdf/NS89IQMMUCSS/jFcOZtnMxKGeacejiwMwAlDzKeQNGa/
https://iglogistics.in/sitemap/sites/ycfxuqsv_ay7m3lcrv-140179245879158/
https://medias.chavassieux.fr/ithemes-security/63jgcgvb8jr68pcwazhl5h1smav79t_yyckjzwlc-316327566722032/
https://milwaukeechinesetime.com/function.cheese/vHmHUDKXBfcgYtvnXicxWt/
https://norbertwaszak.pl/tmp/LLC/BQpvwHGKCQDvKNpfIGhqse/
https://parscalc.ir/academy/RKWgiuSOZGpFVpIf/
https://roshanbhattarai.com.np/audio/LLC/0yxb1xel1ydl_nve0nvqu2-4052856905/
https://www.bresbundles.com/hunwdgi/esp/vml11lb8y0nqu244jmd1ulfcj_533mn-795717924/
https://www.earthpillars360.org/vgok990sf/cavTByhbMbs/
https://www.elibdesign.co.il/wp-content/yKiXqyQZcygxYAAKT/
https://www.kairod.com/wp-admin/2mnbyvwluikqcptooc6zgqi5x_n0iovu4-89107313/
https://www.nxn.one/u3pgsx/lm/ja4cwgjfnn3d1pay5s2ltjk8_qije8-44560606469579/
https://www.sweetpeahaircollection.com/sssu/FILE/lnnet2pb1tnl5rl0onl4gy_8vehv5y-920842041/
https://www.zhycron.com.br/admin_ldown/paclm/TrZdUfcnfIvF/
```
#### Epoch 3 Document/Downloader links ####
```
<none>
```

### Payloads per Epoch by Document ###

#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2019-10-08 21:38:00 (Attachment Only - Doc based - Product Notice)
SHA256
c84664a344e771be41969912556336d2c897a4dd251d26eeacac6bc5fc319e65
2bb1527ada1ac7fce2025798130e3ac21a83e0ebb27e85d281d89a07f87e48ef

https://www.skullbali.com/bk.wp-content/311/
https://aceontheroof.com/i0oni/gzx5550/
https://aaplindia.com/harder.inc/odw8xth96/
http://cheematransxpressinc.com/wp-includes/shm5djl4638/
http://www.dgxbydamonique.com/fr4jt/cache/init.upper/h8914/

Creation Time 2019:10:08 18:28:00 (Attachment Only - Doc based - Product Notice)
SHA256
76ef4c5e6b2d96ff9992ab0d9dd1c8d6c0e48c2f48e8ab5337244d7e4e398d59
4ba60a908543cc1f480f87434465c287ac01aa59fb8ee0624bb7afc95b40976c
4606cded1cd857878be98306ae150c475140628faf97043dad10b55109dae430
22786a80be851c33176da8bdcb875dba920504e746ab613b72e8d19df3b49207
f77a7fc2633d5ce15948a5bd43728d4d81ee760683e04c0dabd853fccbe4064e
5a64821814566d26f15e3e0fd920cfc693f14c0d173ec9317365d9198a40b789
5f6d4bd72bb15c1a031d7222594711e4d5eeebd4a61fae15d2cbeb57bd60f42c
e6dd9f9f3fde62281e294f157e382eb3ed5f991c011ec01f81d5b2a845d4a101

http://www.denedolls.com/wp-content/upgrade/oghujlu568/
http://www.divinedollzco.com/wp-content/upgrade/sl3d205/
http://www.exquisiteextensions.net/5kjc/cache/8so9319/
http://www.reviewchamp.net/wp-admin/4394/
https://fayedoudak.com/cgi-bin/2iz3/

Creation Time 2019:10:08 13:47:00 (Attachment Only - Doc based - Activation Wizard)
SHA256
09e3f1ff1ec66936904a806cf06813299f6c384b992a602cacb705685f75a8ff
dfb1e346662ac3ae6cb9e65f2f1a0fc1e5e3aa3a0ff21192f397da5a3b728546
d1ef500a7b1aff742788631513009ca71d0906eb08727d97147d4c96008960b1
5117c58f361b830d502545c2077b8a29278338beedc2efc16ba4edb4523a4a0e
96e7ce575a722ebc6cf285358a0005416b9f505bd600d5379eb49a8df6e99cfc
8f9be82007620f3680a644ca679aa300ea74f521291ae234a64538b8cd2e3040
6ff109f90f476cdeffcfa71dd381b88e3185ebe748e780e73445927884c48c54
e53f55229f9aee823651551b00003a8c59848c34f58b1280245bb5db39e9826a
9ff35a3741e7fb9f0474f526ef078b4ff15f99573e048750e7a9870925d2892c
004903745336e5147226d46758defdb972f22e307160a0196915b7b013c24e58
e51373435a0f464a47bf3a4de14dfdaf827e226074bc20eac97f911be073b0a2
58d5550f324f0d5463564ccff185f054c30f0ab66942f7e7e3cdddde7faf1b82
aaf885e5ed3829808e0835936ad42368ed03a628283650d1d72fa5151fecbf5e
c12361239e6ff1a51e08bbf75e348de338134646a3a19ac3df69bd9a581578af
55e848d4e413c3d55c37d40bed6a313dbe5d7297f11f6104518de94a3295b021

http://suse-tietjen.com/wp-admin/u442/
http://www.vanilla-extensions.com/wp-content/0hb3292/
https://sahajanandmart.com/Android-RecyclerView-code-generator-master/hba97650/
http://arabiasystems.bubaglobal.com/crm/f8i6/
http://maolo.net/8qv20/73z86/

Creation Time 2019:10:08 09:55:00 (Attachment Only - Doc based - Product Notice)
SHA256
e61d2fe49874eb995cb47c51e4cb2ece281694a6fb721d7eefdd0d7732902b83
9f5bf3feba0b44c527e234b18589d307c224ce14b37633a3609e7eb02a20dd33
8933c0e6c9faa660545f4d5e100cb9fee10aa168f9421f3351709b593f2fe63d
387741d6c128b8f9d84a3590e0442d534632e52f5536999e15fe5a55422a9112
264f266fbaabca45472e491ae814d60fb580b10a9c88c9c15745913b50004c1e
9c7b267f9c013cefaefbaeea7fa1ea3303d605791dbe48d12f06b000ca6a491a
a3144c9b86feaf93ac583c933262ba0bf0c8dc59b5bc09ac897d4bb57170bcf2
3539d8f2e173735561a612028e02612232317a7cdcce78b4677a6e4a3ba976c5
7e38ca829889fbf67f57d37930a2ae34b469c1c1464d3a865129f3b0242bac9e
042e0cf3fb053e052c8b7adfb2be6b96a313e006ed08a23eaf8ed1e80baec29f

https://retos-enformaherbal.com/wp-admin/ty8c0/
https://georgereports.com/wp-includes/slus46762/
http://scribo-cameroon.com/css/2f3142/
http://junengmoju.xyz/wp-includes/m50168/
http://anjietiyu.com/wp-content/d5256/

Creation Time 2019:10:08 06:22:00 (Attachment Only - Doc based - Protected View)
SHA256
b1b08b80e5eb2f08375f0c7a6cc814e2b500f1110f4a3ab6aa5ee859ff384271
e9d96541c874cad22dcdb71431b313c386ec45672d54354a412b7d65c334b353
6c9b3ccaa6f5d490eb0e602cb85b6a1059bfa18118ad53031a279961480a9b10
93522f9d5dd7e4488ab0797c1d83f3aef283daecd2479ca2f66a88e40a43abf7
355044d564d0ec88045a81feda619cd7d76ceee25bb4ce1b13a1117fb6416d50
3ddb7a79bed76211b93491519a3473c8b84e6fb21777080f5f8c04c68c217078
101c4a5a34a58c6b7186893a04de32f8dd0165510889fa873ea3287c5ba72e9c
97dbd71dc62d6acbd0d1e41d9c82066dd0650e902e7d8fdf5626b9495847daae
86b3be02e700fddaf207643893e364f52a7619bc72e3c0a04df2ba1dbac6122f
4cc2c2c09d03571a111d7e1643eb4ec6540495ba83c738d0f9a1507bf0626597
b9b2e4954a7904934d27d5792292a3f00694faa16494d3efc1062ffd0a532779
979223117d4ce4eacdc30a4e87c519b9a87a7507a307dcdcef2d0da5448325e5
091856924e5c1c3c2503b1560dc0255ef1d2c4fb17095225a6184d00525437ac
238f3102d47c8744f86edcd268c1c9fe260c9b5ff547872b2ce6d376f5ba8d88
9b87c9414666aeb43933db2208588bd8a3853a969a08b38e03f2674366be0af4
2ae0f71b14bdda233b42e00879c88c419c466002f634e576648053c63ed388f2
8012b3c9b6f181878b569add8cd98257486487eaca0f6cc92f4433ec73b61f12
4ab4140a716dd5553bd084ea24062d14948ed200ce794b58e886492e8aed43db

https://halloweendayquotess.com/wp-content/5o40y5w7760/
https://pentechplumbing.com/wp-content/ovp35378/
https://joangorchs.com/5tvk/gy6154/
https://physicaltrainernearme.com/yabu/9xnjf4183/
http://yensaogianguyen.com/wp-includes/rp802oi00/

Creation Time 2019:10:07 21:38:00 (Attachment Only - Doc based - Product Notice)
SHA256
565accdaa30ecd3ee09cf5ffcfb28a941a35ad8b85b8a174478caf9fa02fca13
13c6abc718f08b6fa59813fc62dcc3c8eae62d89c430b5e8b80a2683da93e4ca
706d6c8d6a1c6a5a4b48f373fcf08b42900e0d19ec558a59778e7d7998ffaaec
55004ce3122e1c50902978e57a9ac04c211e1ac9ac5391daeccabc2a453817f2
67e4943ef8826325d01d6e076ab404f82769ebac651265087619b844803c7234
c4898b54830c2fc8f6d19b1030f545826de52927dc0636e525a95ecf74c0ecf8
b7d0a0a3e852bc0f35c3808ee61bb38e953a95bc599f1e8e9d99e6f54b078561
08d5cea1dae8c4c59758c50afd5bb3a15bf855bec29c3c9ba0c3818551306bb9
6a34d6c923698fb5d00d62cfc6278a5a8d5184b62c4d43bbb095f1d120982d92
2670be25f7b3dbd3412cf41188e844fb7eba1a12c472fd1b47c780c6b1801500
869e03adb7f76845e98af484c5ebea2977ae220b629d031d4bdd737c515d2f2d
902441cb72c2fe170c7d7e15b4357ffc7124245354272d4b9a33be1f63f26578
7b9df8530c0d7af5ba382179a31269ef2df7fbed52aa5ffe1321b9c869a3eda7
6ac7095c3d3064078e4a49f85da7ecb39cf358e4c3ebdcf257820caf883868f7
64d6c044ec17d331d20257ca8bafd35919ddce3e868c6feaf66a26c8724357a7
6cff812d845f1514d0827c1f4fd49524f668d362f5d94c23c15ca835a80016fa
78812d6432bfcadff5b05498870aaa3682aee7e7d6c094c8c4f7adcf67b1b676
9b6073ac8279fcbfdca106cfd26c07fbfa2b099d2ad20aa13b7b29d2bb51c99b
84c1559f749859f3ed107b45bbcfc30766721f2d9f8b60c2b89bf244800d30a5
4d04802476cc425554b3b058e96e9ae75e96837c0b54df54e9fdd4432aeb85fa
fa8e0da0177dd895d75ff09dc95a5d607258bc18f29116d78beb3081c96cbbfb
5ac269a21b049768d69ba079d88ae0eb1aa2e21802a4f1c3194ef4fb1cd54c98
e0ce302f51797ec57a1e7ffaa10989a92eb6578a75b572aa8c2f2dc4ddb6d798
4fa9fb02c767f4b548ad305e01fee44b837edc5d7a795048ad08baf3cc688697
1a2e298202890a73aa5296cf2889a2894faf4abfe73bde35c7bc0d46b7c22d73
7fec8a34bd9f20a430d7fb58239ff02c74d17f10020f1dbb7c818e86eb225d10
ef8e90b64bc9e22c1867ca2f083c5f60eab18ca78af85895e2144260e9cda564

https://milanoplaces.com/wp-content/g50845/
https://wolfoxcorp.com/wp-admin/fu942q6290/
http://mbaplus.tabuzzco.com/wp-content/3v04/
https://www.juriscoing.com/wp-includes/debv8rb82/
https://childsupportattorneydirectory.com/wp-includes/5yg88/
```
#### SHA256s for Epoch 1 Payload EXEs ####
```
6808bb2428b7b02a97ed9cbf170e1bf1e8e8202200354bb696da4a1f241b5d8f
e0500e097c7d93b3f0d3d57bc239ef376f73e872f1d2971f2054ab36735439fe
5b65d3f6a6930d275e27e073896d642b7de3e4974d43b9086dcba15d11831bb7
666ce592dfd6f4265c7d5c56c48d44ad24f0aa5861b785a39ec63dedf97e716d
9811a33a497366e62bb30d5b08a2e755ac8b25e0a891412717b18c5a09e55bdd
c8edebe8678c48c5fd79479f8db37557c755e0a456a351cf9479d1ff79079991
424d6e0da1f00ddc0bd604692e0a5e7d103f1276e11061bebdbbc046edd5846b
d8c56552e6e122050cadb07cb9b62a61a21c69429462af3709bd78c5d6ab02d2
c0960cf6d1496d13836548bd28c0e8fc05f2779cef4aa8de55afd735ab61e4d3
adb5e93a390f70dd1b4d2cab64b5987e4698e9e11bd4fd03fdc5858ca82e3c9d
87cfbcb7d1bcc3936785ce717649c4de58e058b2626bc882610e74babb051a13
e64d3e2fbc8e3f359a694973381e239e638a69e9dfe00f63eb62ff1c3d07d622
369ff8804c1fafc3bbbc80f030779d99f9d10719d0d0cf02d3eeb42c2d16ffcf
82ed33b3b862b93f1dc880fb4bc655ba24e36dcd59e20e508a077f5346d03d97
```
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2019:10:08 22:16:00 (URLs - Doc based - Activation Wizard)
SHA256
e87bb68914c0ef7b9f18211e433f91bc4a6c4d82eba8436d98dce32167ffc1f9
50d4d9c884c8c505660b74aea5b4b05dcaa370e2dc270d1b9f3dc59c899f297a
45a37122a13d5b02f5bd64ab60e1f9421381738c19fb4a13cb19b51b41a1f88b
bf5d456a15fbe96b05e8feb12b535a70214f5bac3e56e96a20dfcac60b29d006
8b60b7de0518d45996047862812f6641abe43a34cc8c561668bb6259c45ca712
28abf284985f77c70b387fa760ed8854a0114b05f7de24a8fa97920808af0234
5885b3c1fec0db76b168afaa9338cfbf9a7f546adac07d2dec3dac0f8684b6af
d1d4f66f4e00f1a78b7d3738cb268067cbb40d7cbb0f710c9f68596fe3dbaa6d
51583c7646007e7491706c652f15feb0219febdba42ff614beb0cb98a3ba3204
e40f3ef25f436b682659426c4a0090784fba521b368fe0591f88e5bf65c4dba6
751c3b522de8f2045d9ce84096455e30ef73985f618e33e79a39f12284363f88
56b71d9545a14b080ab7eb2036a9b004d693f6190e4b616a2b2bee977152c24e
936259c6c919bd5f3271486b487fd320c443e047af82335b84bc6f533647efeb
8b9f82b44c7fec0426c9adddd0719466f867ac98a21fc5648d87d5df5e0bdb83
0665e059a85f577a38ca57b3328ffcfdd591eda4421aa857a5b9535e7710bc50
541db291479f192cd190e996437b706ee472b08871e4a89bf425a5f77e757054
e428c1e1cacb0cca50c1eec571d89176ce6b4a630cc49e9adfb04e12eb45d31e
d492595de7a67e6c46ff5ae335725a0553ad904a0534ed20bf29b67ece4e873a
4dcae0fae1cbb18f9c0b6c044f79a8d1b86b4343bed077c2c94a8896f7bf4bd8
b66a93c6f054c3dd576b518846ea162c3b490b0214368b9530e4a0e4ac2f5867
b64a15991bce0d746e47a8c7fd6cfca5dc81b323990801076870096762e1ed7d
3740c5c3a725f093c7895d056f6e09e817911f7d0a43f1ee67ed3d06f0a8ce6e
08c30c1f4782ddd30911fae1e23a29f115386454df794dd1ffdde226bacc3aaf
53b342834f0b0477b3cf000d45cb4363814e572a741c8f004377a5c88b8a9a41
bb016b2097482bd176b2f7da455d474f5d9b791e3b8671e4a9c539b25aee45e5
7b0b8d45e3d779abc31f490bd2d955810bc6e10c057206ef0326e97057f84dad
9ac6f2c48c6b6c14edb941ee27e7ffdf436054f2d5351bb6b4285c0857259e85
bc6df43e2f78abf8acae5e072b9dc69411ac1a0147b2b8730863d6f0ed3b9102
29c97acc2777eb6d00e02923cdb120fdaffd0f1f4adf2e58961b5034889d34be
ee53338e4f0083d901a4f16494c53161604654842ef71caf59a7db986ac54d92
b808bc7ca3d26aa8bb213695326842a4b5d26dfa9a8f3a46dfcc283a381c7b04
8bcb2e800ab8e95556dacc816bd7a0d59050b29b5cdc913a54bc8167d84abdb1
d65945fb4473439916daee8b9a277aa3473b8183eecdd37da76b17b8aba61c64
6866dabfb8c2596e95a4b36b70b2d097a618810291c4f7c9faac83a9f5624bb2
23dcead775f62f66bc7033cbb68e30329e5fb095504d7d3a42a1b71453988308
f10e99aae65c36b2a922124f399a2df8800ee000f723007633f809a0b98aa72d
9f8475b622b49ceaa4da6f78c4bf3722ffa560f251b3897af9931ac7a085fb2b
47e2c63ed46a89cf1e49c2e734d47761e31794629a6a60e9f3642590320c49a4
918ea7f950d3688dfcccf3e98140537aa69862f794caa147866381ff41290d3a
2246910bd51fa53ddad6f2e71b323c1223010656a848293539028cee0b738433

http://www.bundlesbyb.com/tracker/wem3_yldu7bdho-3397265/
http://www.crookedchristicraddick.com/b6lco8b/fjJlPxAE/
http://flyadriatic.co.nz/wp-content/upgrade/kNNrBpkb/
http://boomenergyng.com/ejtvcw8t/nnqryau_eicqc-2236624/
https://flowerbodysports.com/wp-admin/LyKaednUE/

Creation Time 2019-10-08 19:09:00 (Attachment Only - Doc based - Activation Wizard)
SHA256
5aaaa80d5d41587dd1f10f00fe87284a2dafb4e223a4b938d8798ae46b762f8c
2246910bd51fa53ddad6f2e71b323c1223010656a848293539028cee0b738433
dc1327d8f801351e82553ff8b6b62d0f5b3da21290a9351fb82d758636ba4f52
a97f0bbbc6396be92690461a19325e3910635ecad17e7392de525cd7ba9e3fc4
5860d6611e227a16a33bc88ceca0b0229f8589b2529494c20b37c662fbbf5616

https://1greatrealestatesales.com/therobinhoodfoundation/5f3tn_ty5y3o-150740682/
http://www.medyumsuleymansikayet.com/yhofles/UUEakcVW/
https://www.stonergirldiary.com/wp-content/t2ukj28t_6v9999efvl-0/
https://abcconcreteinc.com/delete_assoc/fuedRytyy/
https://sandbox.iamrobertv.com/ynibgkd65jf/STaOjpfGj/
```
#### SHA256s for Epoch 2 Payload EXEs ####
```
0819a3cd3245e1348b0044b9fbc03d7a63449b0454a10baa8dd83c604adf718d
108dc570ca53f3c58723bd9ccc4a9ea521e2f160d658c5ce09fa6ddc4e87afda
e3f941f1ac56fd58b6a11081aa33e46d27e7795438511f71a92e73b96f464ae6
308b8072ffc142d8aeb9e53d05f7c0a77da0ccc9cefbcf306794afaf70775fe8
daf460173fb28788aff06ec8e766d4d58f39819b870ecfc7c9061c8a4cd3504d
ae694cb80da86747b4cd4209dfea162635679c00fe6bf81c5d4a9ea15df18fdb
```
#### Epoch 3 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2019:10:08 21:22:00 (Attachment Only - Doc based - Activation Wizard)
SHA256
47e9b5a0b1186463980089bc086fa67a825ec11f6f59c9f41c3e7baab4f3d59f
16e1a596042ee81b42006b1198e32c03506e8f803cf9faa576f8c2c128a63587

https://quantumneurology.com/c9wpulh/jzb28h8-nb0rnw46-3014549325/
https://www.xuperweb.com/og6pj/nekIilY/
https://www.openwaterswimli.com/roawk/9qjxjxwea-lruswyx-465183521/
http://www.evextensions.com/wp-content/upgrade/ruyjko/
http://www.diamondegy.com/wp-includes/wuksdgxg9n-pcm-6870/

Creation Time 2019:10:08 16:53:00 (Attachment Only - Doc based - Activation Wizard)
SHA256
cbb1c0fe8eb8c62315dbb98a8928337ac2a0fbd7b5a8fe34276c495c7b4e3bac
4bd47a3fe4b9ed8dd19eefa7e7c2e6f35dc48cb004f8cffd17469185dc63538b

https://www.noblesproperties.com/calendar/FmjmLwf/
http://astrametals.com/wp-content/ewhsu4nj-kxd9cd4z-2535853371/
https://skilmu.com/wp-admin/qQWxrLq/
http://ladariusgreen.com/eb2hb/qx7nvp-cba-24081725/
http://www.virtuoushairline.org/h7vz/NRUGvE/

Creation Time 2019:10:07 16:32:00 (Attachment Only - unknown)
SHA256
a09c02fe7eac9a93e0b67d403ffdf0ce39d24e5f1aeaced29d7c0030035d95e5
a624f2d4a130fab943d60aea67fa267a4002f7eba584513c3f17fbf6145e799e
e805ac98059d49d8e928cc242e38e6d75ab1d2f658d8670a547abec4af1b8563
37c8e34625de1e16090384e7a2aefe70a5c72228b5526388e988a7eda062af79
564ea749c21d8184f1273c13da96ac855ef4d34ee9b4c4c10b03498df5b4a47e
7ef172a6242c7d49f2f013f9b118876e6aab08ea3043fb4d8cce78d9c7e40f97
7c99358a9100df75f9bab44700b907a5d04a1040814d15a221b0490ab5e55eb0
c6faeaaecc0caef3d1e70a88ee3390db1d6992d80676be1266856848f9c746a1

http://maisvisitados.com.br/pedido-online/arm-pn8-90/
http://www.anhjenda.net/rocw8hy/adxa51-5l50l7tfl-923/
http://hometownflooringwf.com/birthday_popup/14sm2euha-9ynnd7-0791/
http://lapakmanis.com/wp-content/KnjtZj/
https://www.copiermatica.com/sox62c/ZTGZhF/

Creation Time 2019:10:08 11:03:00 (Attachment Only - Doc based - Product Notice)
SHA256
d092ea1ded448999687361e02a30cd8060cc8970871302d3ae27aa33a5d1aafc
72702e08e450ec04669ce011a8c94c5dda6690029f6a9e0f4bda95eb30b523ef
caacfce1118ab1d01e3e2b27470d478d7cb24f11ee440da096345e8649bcb9b0
5cd30545f2fe2c32715a66f53e53ec4e9eab131ef0a5510ec03baca0bc113897
8f5dec209c1b35ac62146d7461cf603933d354baa0e337a9a8ed991664fb3648
34beea5d8ab46644a7002cbcb2e4dd9292d9048472c8769b517c306b6bd7eee1
f159fe22161c6ce50576ef49507f950d73d68af8e5dd5d6b1b287e695fe5ec4a

http://toofancom.com.np/wp-admin/UniRvomr/
http://goldindustry.tech/wp-includes/ram2ul0he-5p8w-3956122/
https://rotaract3131.org/wp-admin/kHOUYts/
https://gogogo.id/wwsli/l09zna98-0mcw5s-684431/
https://www.petrousortho.com/wp-content/kixdl16gj-hx62-31/

Creation Time 2019:10:08 06:25:00 (Attachment Only - Doc based - Protected View)
SHA256
5b830f40fa91c4a5d758b1e4ac3ac1f53e52030e6f87cb41b240855bf8d1a0de
e0281d0e78469cb6bc4cb7aa65e2d03270e647a1d31000ad4f0f38ddeeee56ae
ad7d49202a57894b8722f40ab8d1f08cfe1319dae9d25d291ebf12847207e5b8
66d6e4e702bad99756ee00f70b15f0d5d8a48e4e84da55f1536def122afc4a06
5bdc00a98cad2ce7a716d23541c0032f5504398205f68627787d523b68094943
9601ff9783e82b35c9d1270c85a3ea40de9c6094bfc8d40772776bf64b5da62e
659edeee1cf29107bc0fcb9f74c86902fb1f29035f4f2f72f78f661f043e9cbe
0063bc99652c2bebd67f84fd38d1ef31336ede37464a5a00e6f062114a1ad0e8
f734575992b721dd2628a8df8912373ca0fe17e72b698e5f3c1a2e2a735736d6
306689d97a54a67570f2ff225172bfcde4cc3b232bde6ef6f8714607e1917846

https://norbertwaszak.pl/tmp/4atc-8hp2m48nye-47/
https://nguoibeo.info/wp-admin/fr6zuhw8-c7x3edchvw-939375125/
http://www.farmersmarket.qa/eshop/22q8-4cqz7itsj-313/
https://www.myparacord.at/wp-admin/hoqrn61-ivix-8688459/
http://immiagents.co.uk/wp-admin/fib8h7vpqm-3pv2nc-22895734/

Creation Time 2019:10:07 21:56:00 (Attachment Only - Doc based - Product Notice)
SHA256
b8cd4285febf2be2ba385bbcf69b629299aa5a97606edaaaa929c3fd0f30b44f
b2d00e681b29e78f2ec7387bb77040c78109b55ff475b9a0883bb39001bdb822
844f41933b244a53013c52575b5dd1b29f40df434d15ff26c3830eafc2c575aa
369e2614a5288d1af155340d92ac95c8bc42405af0da861b7d7413a0f1451515
15c992538dc03d9d02bac40bc85cf65f2fb3dca2fbb95779f38d83ae1f687877
ca36a62c69a7b65545db0fddd1c5a98ea4c43dd8baba14f8f4166482221f6cb6
70d090bbf43b17e1e34ebdb7e1a6ec08021a1fc56fc2dc755bdeb3ea0472e77a
4ad5049359b145a16d869330f03987655181cbcdbcef0a81618e2f9591c6b788
ac83cc5243edcdd36d11019eddd643da5232be08b5d87a98bbd85a6c1d4e7fb8
e062443063649ca2d9f377843e89448a1f927e7f46e3331cdb5d6a4f58ca3498
c8b915fdc5b9e9a3151f68c0d017de6dea06207c1918af54eafa5f75abb841e7

https://roskillhairandbeauty.co.nz/cgi-bin/DuTLRwv/
https://amiworld.co/wp-admin/yISGyosZ/
https://pharmonline.space/fulnfkk89/phGDtDK/
http://embalagemparadoce.com.br/wp-content/YILCbSs/
http://www.fernandaeberhardt.com.br/cgi-bin/0dt5i43uo-09jzhg9-196884589/
```
#### SHA256s for Epoch 3 Payload EXEs ####
```
694a164eb59921f83961b5ce41a706ac730d912210eb4c2e1fc77edd2744c175
fb6bba0d6f9cf2158f770451f1fbda37d1b48b5e999f930c4be0184d9d3b35ac
995e6803e886ed5ec0affcf26803bb6cb4157953a2f3f9d43768b7a3430a414d
a7d4e5a49d72ebfe3970d430a9dbeb51e548b8b25dfb8132af6dd2fe33ab36e2
ef69021e812d47672a5e4d551b0f601102c4c5d5b470e3ca875c82fd0f02bb0f
130ab31bff278089bef2ca2b4d45c2f25dc34f564a2e64ce95f2dd040f83a508
```
### C2's Per Epoch ###

#### Epoch 1 C2s ####
```
103.31.232.93:443
109.104.79.48:8080
109.169.86.13:8080
113.170.129.113:443
114.79.134.129:443
119.159.150.176:443
119.59.124.163:8080
119.92.51.40:8080
123.168.4.66:22
138.68.106.4:7080
139.5.237.27:443
142.93.82.57:8080
149.62.173.247:8080
151.80.142.33:80
159.203.204.126:8080
170.84.133.72:7080
170.84.133.72:8443
178.249.187.151:8080
178.79.163.131:8080
181.188.149.134:80
181.29.101.13:8080
181.36.42.205:443
182.188.39.68:80
183.82.97.25:80
184.69.214.94:20
185.187.198.10:8080
185.86.148.222:8080
186.0.95.172:80
186.1.41.111:443
186.83.133.253:8080
187.188.166.192:80
189.160.49.234:8443
189.166.68.89:443
190.1.37.125:443
190.10.194.42:8080
190.104.253.234:990
190.158.19.141:80
190.221.50.210:8080
190.230.60.129:80
190.230.60.129:8080
190.38.14.52:80
190.85.152.186:8080
200.51.94.251:143
200.57.102.71:8443
200.58.171.51:80
201.163.74.202:443
201.183.247.58:443
201.184.65.229:80
201.199.93.30:443
203.25.159.3:8080
212.71.237.140:8080
217.199.160.224:8080
46.101.212.195:8080
46.163.144.228:80
46.28.111.142:7080
46.29.183.211:8080
46.41.151.103:8080
5.1.86.195:8080
5.196.35.138:7080
5.77.13.70:80
50.28.51.143:8080
51.15.8.192:8080
62.75.143.100:7080
62.75.160.178:8080
68.169.49.14:7080
68.183.170.114:8080
68.183.190.199:8080
69.162.169.173:8080
71.244.60.230:7080
71.244.60.231:7080
76.69.29.42:80
77.245.101.134:8080
77.55.211.77:8080
78.189.76.2:50000
79.129.0.173:8080
79.143.182.254:8080
80.240.141.141:7080
80.85.87.122:8080
81.169.140.14:443
81.213.215.216:50000
86.42.166.147:80
87.106.77.40:7080
88.250.223.190:8080
89.188.124.145:443
91.205.215.57:7080
91.83.93.124:7080
```
#### Epoch 1 - Spam C2s ####
```
37.187.5.82:8080
45.55.82.2:8080
185.94.252.27:8080
```
#### Epoch 1 - Stealer C2s ####
```
75.127.72.18:8080
190.115.18.139:8080
66.228.32.31:443
```
#### Current Epoch 1 RSA Public Key ####
```
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB
```
#### Epoch 2 C2s ####
```
101.187.237.217:20
103.255.150.84:80
103.97.95.218:143
104.131.11.150:8080
104.236.246.93:8080
115.78.95.230:443
124.240.198.66:80
136.243.177.26:8080
138.201.140.110:8080
142.44.162.209:8080
144.139.247.220:80
149.167.86.174:990
149.202.153.252:8080
152.89.236.214:8080
159.65.25.128:8080
169.239.182.217:8080
173.212.203.26:8080
178.254.6.27:7080
178.79.161.166:443
179.32.19.219:22
181.143.194.138:443
181.143.53.227:21
181.31.213.158:8080
182.176.106.43:995
182.176.132.213:8090
182.76.6.2:8080
185.94.252.13:443
186.4.172.5:20
186.4.172.5:443
186.4.172.5:8080
186.75.241.230:80
188.166.253.46:8080
189.209.217.49:80
190.106.97.230:443
190.108.228.48:990
190.145.67.134:8090
190.18.146.70:80
190.186.203.55:80
190.211.207.11:443
190.226.44.20:21
190.228.72.244:53
190.53.135.159:21
192.254.173.31:8080
199.19.237.192:80
200.71.148.138:8080
201.251.43.69:8080
206.189.98.125:8080
211.63.71.72:8080
212.71.234.16:8080
217.145.83.44:80
217.160.182.191:8080
222.214.218.192:8080
24.51.106.145:21
27.147.163.188:8080
27.4.80.183:443
31.12.67.62:7080
31.172.240.91:8080
37.157.194.134:443
41.220.119.246:80
45.123.3.54:443
45.33.49.124:443
45.79.188.67:8080
46.105.131.87:80
47.41.213.2:22
5.196.74.210:8080
62.75.187.192:8080
63.142.253.122:8080
67.225.229.55:8080
78.24.219.147:8080
80.11.163.139:21
80.11.163.139:443
80.79.23.144:443
83.136.245.190:8080
85.104.59.244:20
85.106.1.166:50000
85.54.169.141:8080
86.98.25.30:53
87.106.136.232:8080
87.106.139.101:8080
87.230.19.21:8080
88.156.97.210:80
91.121.116.137:443
91.205.215.66:8080
92.222.216.44:8080
92.233.128.13:143
94.192.225.46:80
94.205.247.10:80
95.128.43.213:8080
```
#### Epoch 2 - Spam C2s ####
```
46.105.131.69:443
185.187.198.4:8080
46.228.205.245:4143
```
#### Epoch 2 - Stealer C2s ####
```
209.141.41.136:8080
46.29.183.210:8080
198.58.112.7:443
185.42.221.78:443
```
#### Current Epoch 2 RSA Public Key ####
```
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2
PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C
AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB
```
#### Epoch 3 C2s ####
```
101.187.237.217:20
103.255.150.84:80
103.97.95.218:143
104.131.11.150:8080
104.236.246.93:8080
115.78.95.230:443
124.240.198.66:80
136.243.177.26:8080
138.201.140.110:8080
142.44.162.209:8080
144.139.247.220:80
149.167.86.174:990
149.202.153.252:8080
152.89.236.214:8080
159.65.25.128:8080
169.239.182.217:8080
173.212.203.26:8080
178.254.6.27:7080
178.79.161.166:443
179.32.19.219:22
181.143.194.138:443
181.143.53.227:21
181.31.213.158:8080
182.176.106.43:995
182.176.132.213:8090
182.76.6.2:8080
185.94.252.13:443
186.4.172.5:20
186.4.172.5:443
186.4.172.5:8080
186.75.241.230:80
188.166.253.46:8080
189.209.217.49:80
190.106.97.230:443
190.108.228.48:990
190.145.67.134:8090
190.18.146.70:80
190.186.203.55:80
190.211.207.11:443
```
#### Epoch 3 - Spam C2s ####
```
185.187.198.5
41.185.29.128:8080
```
#### Epoch 3 - Stealer C2s ####
```
198.46.150.196:7080
178.32.255.133:443
```
#### Current Epoch 3 RSA Public Key ####
```
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP
4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc
iJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB
```
  674. #### Credits and Notes Section ####
  675. ```
  676.  
  677. WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch
  678. because they rock and report everything to ISPs as it is confirmed to be malware. Additionally,
  679. this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
  680. https://pastebin.com/u/jroosen
  681.  
  682. NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
  683. I am providing them for your benefit in case you want to parse them to be sure.
  684.  
  685. ```
#### What is Epoch 1, Epoch 2 and Epoch 3? ####
```

(09/17/19)
With the discovery of Epoch 3, which split off from Epoch 1, this section will be rewritten in time to reflect these changes.

```
#### Community Lists/Samples ####
```

https://twitter.com/dms1899/status/1181415428779847680
https://twitter.com/P3pperP0tts/status/1181489101406691329

https://pastebin.com/YRFuXAYZ - @Paladin3161

Feed of module hashes:
https://twitter.com/EmotetIndian

(sorry if we miss anybody, make sure to send it to @cryptolaemus1 in your tweet and we will try to include it!)
```
#### Credits ####
```
Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:

Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161

C2 info/RSA Keys - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @VK_Intel, @Paladin3161

Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @TheHack3r4chan, @p5yb34m, @malware_traffic, @Paladin3161, @ps66uk, @abuse_ch, Anonymous :)

Spam Templates - @devnullnoop, @lazyactivist192

Special thanks to @lazyactivist192, @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
helping out with this!

Very special thanks to @Binary_Defense, @lazyactivist192, @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project
https://github.com/decalage2/ViperMonkey, @digitalocean, @mploessel, @anyrun_app, @unixronin, @hurricanelabs, @MalwareTechBlog, @KryptosLogic,
@0xtadavie, @MsftSecIntel, @abuse_ch/urlhaus.abuse.ch, @urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal for providing services/software
at no charge to this cause!

```
### Daily Log 10/08/19 ###
```

@jroosen here and I am back and struggling to get back up to speed with all that has changed since I left. @ps66uk and the rest of the
team did a great job filling in and we will hopefully make this more of a tag-team effort going forward. Here are some notes from @ps66uk
from earlier: "E2 C2 were not responding this morning (since ~2019/10/07 19:00 UTC) but kicked in around 19:00 today. After an initial DOC-only
run, URLs were seen again." In fact, I noticed that there was a transition to links on E2 even before the 19:09 series switched to the
22:16 version. @ps66uk did most of this post and the work on it, so thank him. :)

```
#### General News ####
```

@luca-nagy released the slides from her Emotet presentation at VB2019:
https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Nagy.pdf

```
#### Drops Report ####
```

Not a lot out there today on this. I assume Trickbot of the gtag: mor* variety but unknown. The amount of Dreambot has been interesting
also. Hope to see more on what people share soon now that I am back in the office.

```
#### Email Template Report ####
```

I noticed that in the past few weeks it has been almost entirely attachment malspam and rarely any links. When we do see links,
we see them on E2 and no other botnets. It is curious why they feel this is a better tactic, as anything with a macro attachment is likely
getting blocked in the filter by default. Oh well. Also, I noticed I have been getting malspam finally again, but most of it was German-based
the past few weeks while I was out. Additionally, I saw some reply-chain-type emails constantly using the same base subject with different
senders. Once you see the reply-chain-type email, you may as well block that subject if you can, because I literally got a dozen emails based on
that subject. Again, I don't understand this method, but there must be some reason behind it or a bug that is causing it to mainly stick to one
chain of emails. I did get a few other reply-chain ones, but they were usually only a single attempt in contrast.

DOC releases (exiftool ModifyDate/CreateDate of the maldoc and the hosting domain it was pulled from):
E1 ModifyDate: 2019:10:07 21:38:00 CreateDate: 2019:10:07 21:38:00 milanoplaces.com
E2
E3 ModifyDate: 2019:10:07 21:56:00 CreateDate: 2019:10:07 21:56:00 roskillhairandbeauty.co.nz

E1 ModifyDate: 2019:10:08 06:22:00 CreateDate: 2019:10:08 06:22:00 halloweendayquotess.com
E2
E3 ModifyDate: 2019:10:08 06:25:00 CreateDate: 2019:10:08 06:25:00 norbertwaszak.pl

E1 ModifyDate: 2019:10:08 09:55:00 CreateDate: 2019:10:08 09:55:00 retos-enformaherbal.com
E2
E3 ModifyDate: 2019:10:08 11:03:00 CreateDate: 2019:10:08 11:03:00 toofancom.com.np

E1 ModifyDate: 2019:10:08 13:47:00 CreateDate: 2019:10:08 13:47:00 suse-tietjen.com
E2
E3

E1 ModifyDate: 2019:10:08 18:28:00 CreateDate: 2019:10:08 18:28:00 www.denedolls.com
E2 ModifyDate: 2019:10:08 19:09:00 CreateDate: 2019:10:08 19:09:00 1greatrealestatesales.com
E3 ModifyDate: 2019:10:08 16:53:00 CreateDate: 2019:10:08 16:53:00 www.noblesproperties.com

E1 ModifyDate: 2019:10:08 21:38:00 CreateDate: 2019:10:08 21:38:00 www.skullbali.com
E2 ModifyDate: 2019:10:08 22:16:00 CreateDate: 2019:10:08 22:16:00 www.bundlesbyb.com
E3 ModifyDate: 2019:10:08 21:22:00 CreateDate: 2019:10:08 21:22:00 quantumneurology.com

```
#### Link Regex Report ####
```

Seems like only E2 is doing links. I am going to make some regex tomorrow, as it seems like some of the old patterns are there again.

```
#### Payloads Report ####
```
Process list - executable names are built from these words based on client characteristics:
engine,finish,magnify,resapi,query,skip,wubi,svcs,router,crypto,backup,hans,xcl,con,edition,
wide,loada,themes,syc,pink,tran,khmer,chx,excel,foot,wce,allow,play,publish,fwdr,prep,mspterm,
nop,define,chore,shlp,maker,proc,cap,top,tablet,sizes,without,pen,dasmrc,move,cmp,rebrand,
pixel,after,sms,minimum,umx,cpls,tangent,resw,class,colors,generic,license,mferror,kds,keydef,cable

EXE releases:
E1 - 9 drops between 06:00 and 07:30, 4 drops between 08:30 and 20:15
E2 - 5 drops between 06:00 and 20:15
E3 - 5 drops between 06:00 and 20:15
```
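Because the dropped executable's name is assembled from the word list above rather than fixed, a plain filename blocklist does not work; what you can do is test whether a process name decomposes into words from the list. Below is an added example (not Cryptolaemus tooling) that does exactly that with a small memoised string-segmentation routine over the posted list. It assumes, as a labelled assumption rather than something this post states, that a name is two list words concatenated (e.g. cryptorouter.exe); a name that is a single list word is reported as a weak match because many of the words (backup, query, license) are plausible on their own. The paths and names in the usage section are constructed.

```python
# The process word list exactly as posted above.
EMOTET_NAME_WORDS = (
    "engine,finish,magnify,resapi,query,skip,wubi,svcs,router,crypto,backup,hans,xcl,con,edition,"
    "wide,loada,themes,syc,pink,tran,khmer,chx,excel,foot,wce,allow,play,publish,fwdr,prep,mspterm,"
    "nop,define,chore,shlp,maker,proc,cap,top,tablet,sizes,without,pen,dasmrc,move,cmp,rebrand,"
    "pixel,after,sms,minimum,umx,cpls,tangent,resw,class,colors,generic,license,mferror,kds,keydef,cable"
)
WORDS = frozenset(w for w in EMOTET_NAME_WORDS.split(",") if w)


def word_splits(stem, words=WORDS):
    """Return every way to write `stem` as a concatenation of list words.

    Plain recursive segmentation with memoisation; the list is short and the
    names are short, so this is instant even for names that do not segment.
    """
    memo = {}

    def rec(i):
        if i == len(stem):
            return [[]]
        if i in memo:
            return memo[i]
        out = []
        for j in range(i + 1, len(stem) + 1):
            w = stem[i:j]
            if w in words:
                for rest in rec(j):
                    out.append([w] + rest)
        memo[i] = out
        return out

    return rec(0)


def classify_process_name(path):
    """Classify a process path/name against the Emotet word list.

    Returns (confidence, splits) where confidence is:
      'high' - the stem is two list words glued together (assumed Emotet scheme),
      'low'  - the stem is exactly one list word (often a legitimate name),
      'none' - it does not decompose into list words at all.
    Accepts Windows or POSIX paths; only the final component is examined.
    """
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    stem = name[:-4] if name.endswith(".exe") else name
    two_word = [s for s in word_splits(stem) if len(s) == 2]
    if two_word:
        return "high", two_word
    if stem in WORDS:
        return "low", [[stem]]
    return "none", []


if __name__ == "__main__":
    # Constructed samples; the AppData path shape is an assumption for the example.
    for sample in (
        r"C:\Users\bob\AppData\Local\cryptorouter\cryptorouter.exe",
        r"C:\Windows\System32\svchost.exe",
        r"C:\Tools\backup.exe",
    ):
        print(sample, "->", classify_process_name(sample))
```

Feed it the image path column of Sysmon event 1 or EDR process-creation records; 'high' hits are worth triage on their own, 'low' hits only together with other signals such as a parent of WINWORD.EXE or a connection to one of the C2 addresses above.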
#### C2 Report ####
```
86 combos on E1
88 combos on E2
39 combos on E3

E2 C2 all went silent 2019:10:07 19:00 UTC, back up ~2019:10:08 19:00 UTC.
I found this interesting; when it went down, it seemed like the back end was dead.

```

#### Closing ####

```

I am really grateful that the Cryptolaemus guys were able to work on these reports while I was gone. I want to especially thank @ps66uk
for all of his time spent on these. Hopefully everyone is finding them valuable still, and remember we are always open to suggestions.
It was nice to have a vacation, but now it is time to get back to work, TT. - @JRoosen

```
#### Sandbox 10/08/19 ####

```

E1
https://capesandbox.com/submit/status/2504/


E2
https://capesandbox.com/submit/status/2502/


E3
https://capesandbox.com/submit/status/2500/

```