jroosen

Emotet Malware IoCs 2019/05/09

May 9th, 2019
## Emotet Malware Document links/IOCs for 05/09/19 as of 05/09/19 23:30 EDT ##
*Notes and Credits now at the bottom* Follow us on Twitter @cryptolaemus1 for more updates.


#### Epoch 1 Document/Downloader links seen for 05/09/19 ####
#### Epoch 2 Document/Downloader links seen for 05/09/19 ####
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time 2019-05-09 21:30 (Attachment Only - From ZIP - JS Based - Fake Error)

Creation Time 2019-05-09 17:45:00 (DOC Based - ENG - 365 Blue Box)

Creation Time 2019-05-09 11:14:00 (DOC Based - ENG - 365 Blue Box)

Creation Time 2019-05-09 06:32:00 (DOC Based - ENG - 365 Blue Box)

Creation Time 2019-05-08 18:15 (From ZIP - JS Based - Fake Error)

```
#### SHA256s for Epoch 1 Payload EXEs seen on 05/09/19 ####
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time 2019-05-09 20:30 (From ZIP - JS Based - Fake Error)

Creation Time 2019-05-09 18:15 (From ZIP - JS Based - Fake Error)

Creation Time 2019-05-09 17:25:00

Creation Time 2019-05-09 13:05 (From ZIP - JS Based - Fake Error)

Creation Time 2019-05-09 07:20 (From ZIP - JS Based - Fake Error)

Creation Time 2019-05-08 23:25 (From ZIP - JS Based - Fake Error)

```
#### SHA256s for Epoch 2 Payload EXEs seen on 05/09/19 ####
#### Epoch 1 C2s ####
#### Epoch 1 - Spam/Stealer C2s ####
```

61.92.159.208:8080
104.236.185.25:8080
50.116.63.9:7080

```
#### Current Epoch 1 RSA Public Key ####
```

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB

```
#### Epoch 2 C2s ####
#### Epoch 2 - Spam/Stealer C2s ####
```

198.58.114.91:4143
213.136.86.219:7080
91.205.215.10:7080

```
#### Current Epoch 2 RSA Public Key ####
```

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB

```
#### Credits and Notes Section ####
```

WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs as it
is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen

NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

```
#### What is Epoch 1 and Epoch 2? ####
```

What is Epoch 1 and Epoch 2? (updated 03/07/2019)

I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications.
Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller, more
rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen
to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group, e.g. going on breaks at the same
time period.
Here are some observations I have noted since I have been watching these botnets:

- Checking a document download site from Epoch 1 will deliver a document that is different from what is being delivered at the same time on an
Epoch 2 document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those
being delivered in maldocs on Epoch 2 at any one time.
- Document hashes change every 10 minutes on both Epochs while distribution/spamming are active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Mondays of every week a new set of document download sites, and usually templates to accompany them, are generated early on
Monday morning/Sunday night.
- Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
Epoch 2 may have a document hosted on host.tld/B.
- The RSA keys used for C2 communications on each Epoch/Botnet will change every few months or so.
- Binaries for Epoch 1 payload sites are different from the binaries for Epoch 2 payload sites.
*- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
via C2 to stay ahead of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00 UTC each day. It usually starts back up around 07:00-08:00 UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell which botnet a sample is from is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this
easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
spam template, word template, document type and even payload.

If I think of anything else to add or if anyone else has any suggestions, I will add them here.

```
#### Community Lists ####
```

https://pastebin.com/DScpq6uD - @ps66uk

```
#### Credits ####
```
(OC from @JRoosen and/or combination work of the following)

Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
@0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
@Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk

C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
@devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192

Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
@pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro

Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
@urlscanio, @TrendMicro and @Virustotal for providing services/software at no charge to this cause!

```
#### Daily Log 05-09-19 ####
```

General News:

Today was an odd day for Emotet. It seems like the Emotet gang decided to just send DOC attachments on E1. I received about 17 today
and they were all generic templates. @ps66uk received a good deal of reply-chain emails today, 13 in total. He also received
primarily attachments as well. E2 seemed to be ZIP/JS all day long. We also noticed that some of the tier 1 distro sites on E2
seemed to get taken over by TDS scripting and start forwarding traffic instead of giving out Emotet ZIP/JSes. Most of the traffic
seems to go to https://sd5doozry8.com/ykwnsxwz29?key=(MD5). Either someone compromised their shells on these T1s and took them over
or they shut down E2 distro. Most sites are going to this now and then eventually redirecting to http://terraclicks.com/whatever/.


In other news:

If you didn't already see it, there is a very simple way to defang these ZIP/JS attachments or links. Just change the Explorer association
to open .JS files via Notepad.exe. You can follow my instructions here in this Any.Run:
https://app.any.run/tasks/81503633-0f95-48d4-bd80-c83ec5c2b763
or you can do this via GPO. Here is a nice writeup on this process: https://montour.co/2016/09/group-policy-force-js-files/
I recommend you do this because .JS malware is very 2016 or even earlier and most users never need to run .JS or .JSE for that matter.
You can likely throw other extensions into the same configuration and @JayTHL had a nice thread discussing this here:
https://twitter.com/JayTHL/status/1126204098670411779

@JayTHL had a nice review of our data last night again:

https://twitter.com/JayTHL/status/1126349407325126656

Email Template Report:

With the increase in reply-chain malspam, we noticed today that some of the emails that were being replied to were newer than previous
runs. They may have taken more exfiltrated data gathered over the past few months and started to use this data now to make templates.
Mail from Feb and March of 2019 was used today in the reply chains. All of the reply-chains I heard about today were E1 and DOC
attachment based.

@ps66uk reported on what he received here:
https://twitter.com/ps66uk/status/1126600455264641024

I personally received 17 or so generic E1 malspams with attachments of docs.

@executemalware also saw a good deal of attachment emails:

https://twitter.com/executemalware/status/1126656035484327936

Review:
What we know about the threaded templates/reply chain: (changes are marked with *)

- Emails are sourced from once (or still) compromised users all over the world.
*- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
to the compromised party on or before Nov 2018 until at least March 2019 (may be up to present). Also have seen emails going
back as far as June 2018.
- Now on E1 and E2.
- Now seeing German based templates that are essentially the same thing but in German.
- The injected reply is usually prefaced with the following:
"Attached is your confidential docs."
"Attached please find the wire transfer form."
"Thank you for your help. Please see the attached."
"Load instructions attached"
"A printer friendly attachment is now included with each email."
"Click on the attachment to open or save the printer friendly version of your report."
- Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
- Attachments seem to be in the filename format of *_Month_DD_YYYY.doc/js so far.
- The link is customized for the display text of the link to show the real domain of the spoofed organization.
- These templates are pretty limited in run and not very numerous.

Link Regex Report:

Regex directory patterns - Nothing new since yesterday. These 6 were active today:
* indicates updated or very active. Yes, you want to take out the * in front because it doesn't belong in the actual Regex. :)

E1
https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/
\/(Frage|Nachprufung|nachpr|sich|sichern|vertrauen|([DdeEnN_]{2,5}))\/([0-59\-]){6,7}\/

E2
*https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
*https?:\/\/.+?\/(assets|blogs|cgi-bin|demo|direc|Document|DOC|esp|FILE|INC|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Scan|sites|test|themes|uploads|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,30})\/(\"|\n)
*https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/

NOTE: If you get a lot of false positives, try adding (\"|\n) at the end of some of these after the last \/

These Regex patterns are to be used experimentally and at your own risk, but they caught 95%+ of what I saw in link malspam.

Payloads Report:

As previously stated, E1 was DOCs all day and attachments. The distro side was updating also until the final quintets
of the day which came in a ZIP/JS that did not show up on distro.

Loaders for E1 started out being seldom updated and then moved to updating quicker and quicker in distro by 1730UTC.
Currently they are hashbusting every 15 minutes.

E2 was all ZIP/JS all day. It seems like links were the primary method of distribution though and there were few if any
attachments seen.

Loaders on E2 pretty much mirrored E1. They also started updating faster as of 1730UTC and are hashbusting every 10-15 now
as well.

C2 Report: C2 Combos continue to climb higher and higher on E2, now at a record 95!

C2s DID change for E1 and increased from 57 to 65 combos in total. - recorded above
C2s DID change for E2 and increased from 91 to 95 combos in total. - recorded above

Closing:

Ivan is up to something with all the C2s going higher and higher lately. I never saw 95 before in one exe. Seems like there is
prep for a major change coming. We are due for one because last year around this time they took a break and came back swinging
by the end of May. We will see what Failure Friday brings us from Ivan and the Emoboys.

TT

```
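As an added example (not part of the original paste), the six directory regexes from the Link Regex Report above run over a few constructed URLs with Python's re module, showing the one benign URL that the E2 dash pattern catches and how the report's (\"|\n) terminator trick removes that false positive. Every domain and path in the sample text is made up.

```python
import re

# The six directory regexes from the Link Regex Report, copied verbatim with
# the leading "*" activity marker removed. Python's re module accepts the
# PCRE-style "\/" as a plain "/", so the patterns run unchanged.
PATTERNS = {
    "E1": [
        r"https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/",
        r"https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/",
        r"\/(Frage|Nachprufung|nachpr|sich|sichern|vertrauen|([DdeEnN_]{2,5}))\/([0-59\-]){6,7}\/",
    ],
    "E2": [
        r"https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/",
        r"https?:\/\/.+?\/(assets|blogs|cgi-bin|demo|direc|Document|DOC|esp|FILE|INC|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Scan|sites|test|themes|uploads|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,30})\/(\"|\n)",
        r"https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/",
    ],
}

# The terminator the report suggests appending after the final "\/" when a
# pattern produces too many false positives: the URL has to end right there,
# at a closing quote (href="...") or at the end of the line.
TERMINATOR = r'(\"|\n)'


def compile_patterns(terminate=False):
    """Return [(epoch, pattern_no, compiled_regex)] for all six patterns."""
    compiled = []
    for epoch, pats in PATTERNS.items():
        for number, pat in enumerate(pats, start=1):
            if terminate and not pat.endswith(TERMINATOR):
                pat += TERMINATOR
            compiled.append((epoch, number, re.compile(pat)))
    return compiled


def scan(text, terminate=False):
    """Find every URL in text that matches one of the patterns.

    Returns [(epoch, pattern_no, matched_url)] in pattern order; the trailing
    quote or newline consumed by the terminator is stripped from the match.
    """
    hits = []
    for epoch, number, regex in compile_patterns(terminate):
        for match in regex.finditer(text):
            hits.append((epoch, number, match.group(0).rstrip('"\n')))
    return hits


# Constructed sample input (not from the page): one URL per line shaped like
# the download links in this report, one href, and two benign URLs.
SAMPLE_TEXT = (
    "http://example.com/styles/abcd-ABCDEFGHIJKLMNO_abcdefghi-xyz/\n"   # E1 #1
    "http://example.com/wp-admin/support/Frage/2019-05/\n"             # E1 #3
    "http://example.org/wp-admin/Pages/abc123_qwert5-12345678901/\n"   # E2 #1
    '<a href="http://example.net/wp-content/sites/AbCdEfGhIjKlMnOp/">\n'  # E2 #2
    "http://example.net/wp-includes/ab12cd-efgh56-ij78kl/\n"           # E2 #3
    "http://example.edu/blog/post-about-emotet/index.html\n"           # benign, fools E2 #3
    "https://example.edu/2019/05/09/weekly-report.html\n"              # benign
)

if __name__ == "__main__":
    for label, flag in (("raw patterns", False), ("with terminator", True)):
        print(f"== {label} ==")
        for epoch, number, url in scan(SAMPLE_TEXT, terminate=flag):
            print(f"{epoch} #{number}: {url}")
```

Without the terminator the E2 dash pattern also fires on the benign blog URL; with it, only the five URLs shaped like the report's download links remain.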
#### Sandbox 05/09/19 ####
(all with fakenet and MITM unless spam/secondary infection)
```

Epoch 1 C2 run on 2019-05-10 at 01:45 UTC - https://cape.contextis.com/analysis/72669/

Epoch 2 C2 run on 2019-05-10 at 01:45 UTC - https://cape.contextis.com/analysis/72671/

```