ps66uk

#Emotet Malware IoCs 2019/05/22

May 22nd, 2019
---
layout: post
title: "Daily Emotet IoCs and Notes for 05/22/19"
date: 2019-05-22 23:59 +0100
categories: emotet
---

## Emotet Malware Document links/IoCs for 05/22/19 as of 05/23/19 01:00 BST ##
*Notes and Credits now at the bottom* Follow us on Twitter @cryptolaemus1 for more updates.


#### Epoch 1 Document/Downloader links seen for 05/22/19 ####
```

<none>


```
#### Epoch 2 Document/Downloader links seen for 05/22/19 ####
```

http://912graphics.com/cgi-bin/btqbghdo7eu6ykg0zzxjohdj7_j9gac5n-2948099525/
http://abasindia.in/abasindia.in/esp/6hwetspeul_kwr9c-534709159/
http://adminwhiz.ca/FTPwhiz/Inf/wp263xuemluf2emkg_2sizfv716-508435817400199/
http://advokat-kov.ru/new/Document/dcm61tc0sudmm5n860qu1ra_ubwtq8m-5670754007/
http://aepas.preview.otimaideia.com.br/sitemaps39/FILE/k3glm3eya9l7l1245w7_ve4o4i2kub-791240567641/
http://akihi.net/BBS/omra-4vws5-ilkw/
http://aktpl.com/wp-includes/f8kqjc4-rsaxk-cgivh/
http://akustikteknoloji.com/wp-admin/l6m1sf-stcv2-grcqogh/
http://alageum.chook.kz/wp-content/uploads/Scan/04263hkou_u9q456yn8-3307251785606/
http://alviero.uz/cpjmcl/3fk1i-9ouoku-gnwynzb/
http://a-machinery.com/wp-admin/lm/DCeoUZSsPFAvW/
http://anandashramdharwad.org/wp-snapshots/Dane/wd133auy3i4rvwlj9ad2hxeje89n_0uxwore-71451636434549/
http://anase.org/wp-content/Pages/iq89n0t5_yfxzp-070843819/
http://andiyoutubehoroscopes.com/andiyout/Scan/CPUuchUCXboMrGmXncnZmoG/
http://andrewcowan.net/acarollingflux/Scan/xioJdygMwFaQjGCm/
http://aphaym.mg/wordpress/16qx5-bwtc2-hqlrdq/
http://arenda-kvartir1.ru/wp-snapshots/5i1wnk6ynhyac4uitpf5wah3k_dibtc4hz1-535202973328823/
http://argelenriquez.xyz/wptest/FILE/gam68eftfn_d00hakm7-560075114955/
http://armangroup.co.mz/cgi-bin/qwg1pzboo_82qzv-2025021034/
http://aromakampung.sg/wp-content/plugins/t07gk-nggyy-hbixoj/
http://ashtonestatesales.com/wp-content/FILE/XSEeXsiKgesWVVbyPwkg/
http://autopartkhojasteh.com/wp-includes/Scan/ngmPyVMSp/
http://avogrow.theartistryonline.com/wp-includes/parts_service/vJsPLNoxzZ/
http://azialux.kz/wp-admin/Document/hBSGYXiQuhZNCZWNGADLyUqOrWb/
http://b118group.com/wp/b0gk3v7xqs_8737y8-565189409480/
http://bantaythanky.com/wp/11fnt-sp4l9-ezgehs/
http://batdongsanminhmanh.com/wp-content/uploads/Plik/VSHZLPQDixgGn/
http://becangi.com/wp-admin/INC/d6dh9kl448mk_4mb0h-53994848536/
http://belefool.com/wp-content/uploads/LLC/bCtPpekdShLtaC/
http://bermad.com.cn/home/9nibz-zd5ej-ihnkvx/
http://besttasimacilik.com.tr/wp-content/uploads/paclm/ik1nuin2bodn5sokuoq163wvnib_c25w154c7-29637355/
http://big-media-agency.com/wp-includes/1bmh0-1wl5ylq-khdk/
http://biyoistatistikdoktoru.com/wp-content/0094ofi-io04bs-wgexsrj/
http://blear-eyed-brooms.000webhostapp.com/wp-admin/Pages/OeOSRwcCGbdNGU/
http://blog.desaifinancial.in/ayku/DJwNTeDQKyWPUdjQMxaIcGOzlqItg/
http://blog.freelancerjabed.info/wp-admin/Pages/pri0l3la50d5tkcdhq85rjgw_i3rp54wj7e-4993076059209/
http://blog.steadfast-inc.com/wp-content/plugins/rn5ap-e14r9gk-phlrvkk/
http://blog.tactfudosan.com/wordpress/Document/KAsyYWOZLfoEhvrJgr/
http://blog.vdiec.com/decr/parts_service/yngqXIJyMXhxx/
http://bluedream-yachting.com/wp-admin/vaiGCvqryBYApy/
http://bmeinc.com/wp-content/t0wunqu-izvvlvm-cqxnq/
http://brandv.co/wp-content/Dok/irhiBRwxsekjmud/
http://brothersecurityservice.com/wp-admin/mfUDRirEjW/
http://burnsingwithcuriosity.com/cgi-bin/INC/1xqvdb763uvtzwu349vebrtnp3_bcs7d6sa-6949087959318/
http://butusman.com/wp-admin/k58c2qdrhlmgx6pemkmukshyv2d_ul6kvocn-7320054397/
http://buxton-inf.derbyshire.sch.uk/wp-content/d3q7i2h-uf2cg-etdwftf/
http://canexkhalij.com/wp-admin/flmk-j60qd-nfgi/
http://capitalrealestate.us/wp-includes/Dok/eCkXzUNUUE/
http://centredentairedouville.com/wp-includes/Document/zw020kmf76b9mjrb_75xfiu-31033395686/
http://cervezaviejozorro.cl/wp-admin/oHaQSUUsjVLnDzWl/
http://chinmayacorp.com/COPYRIGHT/Plik/tjDkGOTPHOJ/
http://chirurgien-ophtalmo-retine.fr/wp-admin/Scan/trrMBcbN/
http://choppervare.com/cgi-bin/DOC/drg4m5vxpcfywbnz27e3dk3i64_bczwjw9wc-2738669697621/
http://cielecka.pl/ilum.pl/Document/f7djienirh5otecveisehl6oi_tn22d-108070575/
http://ckducare.000webhostapp.com/wp-admin/Scan/5ud5olfz4pdeonnw3mwscmtv45pem_ooyxum0sim-86928003777707/
http://claudiofortes.cf/wp-admin/INF/99bz625ov9xnxa73iw5ts8k_c0u6ej9t-10372410101921/
http://clemssystems.com.ng/yq8k/INC/KFTMFXZnDdOdWJObOFR/
http://collegenimahiti.000webhostapp.com/wp-admin/6n4ot21314pu5tsm36ixv_pivxj-920042969907751/
http://comfortune.ga/wp-includes/CDiKJIqrrasuuyvPXzAxzTslGaor/
http://comparethegym.ae/ix5d/lm/owTmAlmpdwgAbo/
http://contabilidaderesulte.com.br/wp-admin/kni8-pb8mm98-nkvy/
http://coronadobaptistchurch.org/wp-includes/paclm/nrzbbwc9xordu0f1pojvw03um0v42_ucm04gi-866893424118465/
http://crsigns.co.uk/wp-includes/rncjoymd9s61_ahrbb-46845098052870/
http://customerexperience.ro/wp-includes/hldwv-e0bpj-rgncodb/
http://dag.gog.pk/wp-includes/PLIK/wndpifvajs/
http://dagensbedste.dk/wp-admin/a4w8jh5b870y_t5gsx-257010676523772/
http://daiva.com.co/emails/Document/bw5po1ozmh2r0z5owi9us8wt_ymc7fm3j4-053391687420294/
http://daizys.nl/BKP-06-05-019/sites/HxflDlFmdMdWWyqIrRZHCGWSE/
http://daukhop.vn/wp-admin/1qmm-r3jsnz2-rhuiuk/
http://dautuchotuonglai.com.vn/wp-admin/INC/BfIZxUTbYJSczHludhsI/
http://debt-claim-services.co.uk/cgi-bin/LLC/rux1s5iuafykkesz_so553d-241708188510/
http://deloka.my/wp-content/Pages/BHoLKHEEzsBppqaw/
http://delpiero.co.il/cgi-bin/ilay1-yhgkz-fafc/
http://desakarangsalam.web.id/wp-content/DOK/oHcAwygNzrFXMTggaIEwfIrPwvAm/
http://dev.jornaljoca.com.br/wp-content/DOC/mhlToggdmOelq/
http://devex-sa.com/wp-content/Plik/GsnjjHFSvdvyDynczMNprPFvE/
http://devicesherpa.com/myideaspace/Pages/EjDvGgmSvoLIMszpcxYnSGufqJFnKd/
http://diarioprimeraplana.com.mx/wp-admin/04t8ju-5o1m33-exgwn/
http://doktorkuzov70.ru/wp-admin/lm/pWlwuTNLdPqUsQFQhCGXOjbTYiA/
http://dronint.com/wp-admin/tt4up7x-989rvv-uykocm/
http://drronaktamaddon.com/wp-content/ehRbHRjV/
http://duwon.net/wpp-app/co8s3b-3tkel3v-sgew/
http://eduhac.com/wp-admin/images/g1ud-o5fp16y-pjli/
http://eeda.tn/wp-content/languages/qrx8t-enc1iw2-tlpfv/
http://efectycredit.com/wp-content/DOK/vKZOtZchsJDeURCXeOiJPzXmiUqvJ/
http://eforce.tech/js/paclm/JyqBFUXLTqSEbiKEKWnJhfJgoVQy/
http://elkanis-agribusinessblog.com.ng/wp/3cmbi-x5jm69e-wbhvq/
http://enagob.edu.pe/nuget/paclm/kJuICGVyMYgfXdmZKmwaFxmEAtXxtg/
http://enough-total.000webhostapp.com/wp-admin/kxfg-k8qdfcx-arflk/
http://eventoscuatrocisnes.com/wp-admin/bk1y8-da27aau-mihm/
http://evertonholidays.com/scriptsl/qgeqpwa-pyklahz-omiv/
http://exenture.net/mySHiT/mhv8eiw14_tj1q863agg-191035311473/
http://facilitatorab.se/wp-admin/parts_service/2sph9zeseuj_64tfhx-477071956224/
http://faitpourvous.events/wp-content/INC/TTfxuKeCwofCEaUzO/
http://ffks.000webhostapp.com/wp-admin/parts_service/dsnJvyGhKdsLcOtZbfePXXgUQH/
http://fills.info/d907-e9y5h-tahwufs/
http://findingnewideas.org.uk/cgi-bin/UStbIcFkcJrtfiuNXoJDtCv/
http://fireprotectionservicespennsylvania.review/wp-content/k3nlc-jupmj-vxzwydm/
http://fistikcioglubaklava.com/wp-includes/Pages/t86be67lfct1lphce0y35owzeex_eibdqp4a-75517397247565/
http://fmrocket.com/videos/LLC/0stmtt12lk6i_6o672jh-87180076241910/
http://fruityloopes.com/y1gu/DOC/qaFYCquJoKIruSbVe/
http://fruityloopes.com/y1gu/jkguf1v12u4g7baqith_ql4anwu-8243966045/
http://fullbrookpropertymaintenance.com/cgi-bin/INC/VdbRlcMXAahNVZWzxhkVrxXseHz/
http://funstreaming.com.ar/tfqm/oqencdjmns5f7tp3ikzm_w6w2dt-00320923/
http://futar.com.sg/ua6v/RqntgBGrOoJWRY/
http://garage-ucg.com/_mm/cshqzve-2wrp3b6-acmsyoc/
http://garcia-automotive.com/cgi-bin/DOC/pu9vwnscivzgukyhspe3ft_qo138-653083382197992/
http://getthemoneyoudeserve.com/hqje/Dok/Dok/WxNZJciQJjMrvBZDLAuzVxVvQzZle/
http://ghalishoei-sadat-co.ir/wp-admin/Document/rvijlwz0ao2_3ygg04u-978780209/
http://gincegeorge.me/zohoverify/lm/cGjGowhRdXomItNGGrpWhnsKlE/
http://gippybuy.com/wp-includes/FILE/lxCYKjIWySUcfCpxQNjXgcPwXDJ/
http://gippybuy.com/wp-includes/Pages/hEuUkRuYQxxArvHnFAPlqIoGIur/
http://gite-la-gerbiere.fr/lib/bf1vgc-kym3vl-moyonq/
http://goiania.crjesquadrias.com.br/wp-includes/nn7pi7-qe6s3-xrbwyzi/
http://gookheejeon.com/wp-admin/adOoxfZdVaWxDYAxewUEvaAXVSlq/
http://graminea.or.id/cgi-bin/esp/dRfhYjIAqKiRZKZtpFcXvsFYUD/
http://greencampus.uho.ac.id/wp-content/uploads/vyeow9-3fruh-vbno/
http://gsci.com.ar/wp-includes/INC/HyaYAZGAmCkf/
http://gsonlinetutorial.com/wp-admin/esp/0b7zui7jrxatdonyxq_h6s674bv4l-53317765/
http://guidafinanziamentieuropei.it/dup-installer/esp/whISpSbNpvwrdNdxBlTfEMDIUKOs/
http://gundemakcaabat.com/wp-admin/Document/aqbkYzDOGmjmqgxLcMTuqlwdQD/
http://halcelemates.com.ng/cgi-bin/qspgn-miqx4yz-hudi/
http://haovok.com/wp-content/uploads/2019/i6pygi1-skve9j1-upduf/
http://haovok.com/wp-content/uploads/2019/vy24ysx-hdhlv8k-nyuqxqd/
http://happyfava.com/dir/esp/iNOXWgcVt/
http://iamzb.com/aspnet_client/system_web/c0rft63-7sh4lwp-rskuhl/
http://iglesiafiladelfiaacacias.com/page/HTfCpMVS/
http://imutainteractive.com/wp-includes/INC/155k0ttqr8ciq5r8l5aoba_fmm0p2lmad-53909543/
http://infinityemploymentbd.com/wp/Scan/aMZEgzihsheikhQt/
http://infornetperu.com/lu/LLC/30cs9lyi_3uw9n9shy-300171220267/
http://insumosviltre.com.ar/u8gc/sites/FvvYLOXYXrVRhPxeh/
http://interfaithtour.fr/wp-admin/DOC/vFNrkuSrSJWZXqotVXAiXSFVoLrRQW/
http://internetlink.com.mx/wp/FILE/rpvni8o8ixy9gf19yk1j0sy6tixd_y4teg7cp-03364579593295/
http://investigadoresforenses-abcjuris.com/investigadorprivadocol/LLC/wnvdtp0fvtqeqfr07_9wk9z8hdg-9774323084502/
http://ipdesign.pt/wp-content/8j81y6r-r7axbj-coot/
http://itcshop.com.ng/fasttrackcash/Inf/qrjYUODRuCg/
http://itsport.com.tw/wp-includes/tb772-fm7fc2i-kbma/
http://itspread.com/wp-admin/s5gththeb3jzugrp7d7264mv1cmn_wzhdhk-141554396139/
http://jadniger.org/wp-includes/paclm/c8m862xiyir2_ym66xlzy66-958949335448/
http://jamesapeh.com.ng/wp/eyxyf3-9d4um6a-lfzpg/
http://javed.co.uk/wp-admin/f3pafo-bac855-vrgxw/
http://jbwedding.co.za/css/FILE/SaPFfQtlFZJECcGrhoUf/
http://jimmybuysnj.com/wp-admin/esp/LklfpxlbkrTmrEOkOCwCxFU/
http://jpf.gux.cl/wp-admin/INC/MpmODMxpbkCWOyVKLxDhwhvJS/
http://karfage.com/wp-admin/Document/jmdx0e1xj8zxl816v7_mt7rs0ko5n-2520672951711/
http://kgdotcom.my/wp-content/e6k9v2v6m0_tfl09azf-288153120/
http://kirsehirhabernet.com/wp-content/whe1oko-qo2xalu-gxhy/
http://kleine-gruesse.de/wp-includes/Document/laWittBVpszALuZbTWOvWHRk/
http://krasotatver.ru/wp-admin/n53x-uxotfh-dxkbol/
http://ksicardo.com/travel/86xczz-ky8hi-fbwoyt/
http://kujuaid.net/2006/9cs63i4-rbynm-zrnxuqw/
http://kursy-bhp-sieradz.pl/pub/yNaZxTKeQhen/
http://kvarta-m.by/wp-content/sites/2qrpxbme9doffpx_y3k8qho-62455126/
http://lab-quality.com/wp-includes/549lfpr-f98te73-fkqna/
http://lastminutelollipop.com/wp-admin/INC/s48v4ay1b83tko_a2sdiq6-250133534/
http://latharajnikanth.com/wp-content/ip941a-mhhvzkg-nqvu/
http://lattsat.com/wp-content/Dok/vwisslxkuj346_qmqo2hd-35239670846925/
http://lattsat.com/wp-content/Plik/fHjKQJZyGBYi/
http://leafdesign.jp/GeneratedItems/DOC/t4rctymlnwd8jq10qdwf27udc_7bn8s-199027770/
http://lejintian.cn/wp-admin/bmyd-j0qwdr-gwyynxv/
http://lekei.ca/ecard/images/css/parts_service/y5ut8akutvb3d35tipvisdkntq91_afo5x-4801493307/
http://lenakelly.club/wp-admin/Scan/h0p8st2x_tfea8781jh-87256711114643/
http://lesantivirus.net/css/esp/LvxnSHShDjxTiArIvTtXhDOGX/
http://lethalvapor.com/wp-includes/Document/rnmlh8px977vnnfx2vh91w0ly_xv1zfv1u-211030730398/
http://letsgetmarriedincancun.com/test/INC/om431kwu9f9lktdyxlwi53n7cjt_bzxl2uwe-60603529/
http://lettingagents.ie/wp-content/DOC/rcMMNiQczAxwuYartonRNNYs/
http://levlingroup.lk/wp-content/Dane/6soj5ufahhsapar_9jblw-454100381/
http://likenow.tv/wp-admin/cxm7ml-y58qiv-jvoxx/
http://lizerubens.be/wp-admin/parts_service/IWuXVRHMja/
http://lnemacs.com/updatecoreo/paclm/QOqcLyIDnqskRUPrQtAY/
http://longokura.com/wp-includes/Pages/RphdkFQwbj/
http://luisromero.es/cafe/LLC/d02zuso2z3r0o07_uge4o-3011321187376/
http://luxconstruction.mackmckie.me/cgi-bin/LLC/jbiat3az5san8nte6g_mhl1i2rv-47824935/
http://m360.com.my/wp-admin/Scan/bl6t3xmtnxp5_kvd8qmqr-27289998/
http://madadeno.ir/wp-includes/sites/jXQiJlbvPcXbdcs/
http://mads.sch.id/wp-content/parts_service/3wo7vkgksrl1t69eg_5im6m3f9tg-42974848/
http://magashazi.hu/INC/esp/rmzjki9yesu_yx2g0dj-342207971900237/
http://maloninc.com/archive/lienu7-gmeqaps-nrnqb/
http://marbellastreaming.com/admin/3b1zwi824hbk1pe2coubcbob_5nlp4bh-14804269498/
http://marketvisionind.com/audio/LLC/NnTDpHFO/
http://mattshortland.com/ozXYuMOiYlguFF/
http://maxclub777.net/wp-includes/DOK/NeTNKZbxTjwnZGPFKgnFUE/
http://mceltarf.dz/myadmin/ubqurxc-xeeevz-mhjc/
http://megfigyel.hu/hirlevel/kj8ce-szyqbse-iinoje/
http://melondisc.co.th/47bd/atyb-h8smk3-qvbbwsh/
http://met.fte.kmutnb.ac.th/wp-admin/Pages/fVKkQSBOWqfaVgeYfc/
http://mjc-arts-blagnac.com/wp-content/Document/qein18j18_d9y843jj7-3116175961/
http://moldremovaldir.com/best/8ft6n2w-hqjrn-caiwqm/
http://moneytechtips.com/wp-includes/INC/x3jljjt5pv2xsk54ht6xuz_bhyy9j85-80814893493/
http://montblancflowers.com/wp-content/tf6ckfg-ghc27bk-dhhntp/
http://moonrecruitmentvillage.com/wp-admin/9x3x-oyts12-liikd/
http://mountainliondesign-test.website/rw_common/YbzIImVOaXACsGOMrtVSKz/
http://mtaconsulting.com/wp-content/Pages/ntq8h5pnhzsb_c98jimy0lh-77243452881/
http://mtiv.tj/wp-content/nWsAmPhSCGRxCkul/
http://mulinari.med.br/homologacao/wp-content/uploads/GASKiDOUtm/
http://mundilacteossas.com/wp-admin/LLC/zQIvJnoBbDqGjNAtL/
http://myofficeplus.com/Document/zJLRnsotorjEVuGxH/
http://nananan.co.th/73gs/8ufrwi8k79qba9_fng6dj9tfa-71843557574/
http://neroendustri.com/newsite/paclm/zBnRsoeRelvSSzDQY/
http://nesz.pl/wordpress/INC/ANriQsjbziNXmV/
http://nexxtrip.cl/cgi-bin/lm/ndIBdwpr/
http://ninhodosanimais.com.br/wp-admin/2r5n-hqg5fh-riwe/
http://nullscar.com.br/omie/b52m-u6ot4mf-tuqwlx/
http://oluomorichie.com/wp-admin/DOK/XXPfafoWRfW/
http://onspot.cl/wp/j78xx2x2owt_q7a06elrq-774494616/
http://osarofc.com/wp-content/0svg-ykzyl-eczxl/
http://panoulemn.ro/wp-content/svr8-32xrbd-dshc/
http://pizzazz.ru/wp-admin/Scan/5hpna2lpwd_r2dwasxgvq-6559306636/
http://pmalyshev.ru/wp-admin/FILE/x54foocsocq3hddk_c3e68-88316015852100/
http://pmcroadtechnology.com/wp-includes/ni1c-puehy4-zndbzhd/
http://primequest.com.ua/wp-includes/4p5xbv-jex7v6-evllpi/
http://projectart.ir/wp-content/paclm/yi9sjlid2dxskcniejn_9nvvw-6815945564444/
http://ptmaxnitronmotorsport.com/cgi-bin/bmqo-xe8up-eatgpa/
http://qwelaproducts.co.za/wp/voo74gu-yc23wv6-eysshi/
http://rabotkerk.be/cgi-bin/jt2ly-82r1t-uawc/
http://radioadrogue.com/aqfwbl/YZIqAgjU/
http://ramun.ch/infa/FILE/lJvrIxQuUlhOCEvbCUdnSfzGi/
http://renzofurniture.ir/wp-admin/INC/PDnMsAipIbB/
http://ritabrandao.pt/wp-content/FILE/rv3671gktceb56tdvm54_99kkrf0-9165464795292/
http://roksolana.zp.ua/wp-includes/kx00t6d-5422i8-cxamni/
http://saqibtech.com/wp-content/FILE/FyUsnIIrhCONkybLjlpbbLMyQVRP/
http://scglobal.co.th/e-catalogue/oynn-6tut6-amuq/
http://seabird.com.ph/html5lightbox/e49fc-v1zh9o-zrdsp/
http://seabird.com.ph/html5lightbox/logfUpNJxBMfNmqqdJJuKcPcEL/
http://seawala.pk/cgi-bin/KKYAANCjmiqCUrNNQEAPSuJdpYh/
http://securityforlife.com.br/_cgi-bin/DOK/yo9v46cpwpb622gwhz02hmotlj_vw8pt1jcd-33987972053498/
http://seedsforgrowth.nl/wp-includes/esp/jtsgbd09x6g9a9n1ry8n_vfkyadx-291552001/
http://seinstore.com/wp-includes/DANE/NfgqqdBiEYp/
http://serviglob.cl/font-awesome/parts_service/mvaBWgPnYrIzFPsgTLTrWMCiAtts/
http://sevcik.us/joomla/Pages/BJRkGLcR/
http://sharefun.ml/wp-admin/DANE/vd1cdbgz7mnj9_36bk62eyjb-71539944554342/
http://simplyposh.lk/cgi-bin/parts_service/2slfgy0xpwfl_21v8v4d-25529912/
http://sixforty.de/c64/FILE/lut3h769xlmtnq_hqa8xily6-898889278/
http://smtcompany.ir/wp-content/n12fs-6uqrpc-ycufaw/
http://snowballnaturals.com/cgi-bin/gsai-g663ics-kgisfcn/
http://sonettmsk.ru/wp-admin/Document/hmnuuf6ci8rei8inp1prmcr_xy3q1ung-031833449/
http://songdung.vn/4d4ixle/zxkthq-p764b-mmzxllf/
http://sportconcept.kz/wordpress/Dane/ljoyrx0ovv2g7q03z4adoej8nr_ti0ubu1-800295552059/
http://steventoddart.com/cgi-bin/78djj4-9rsc3m6-rwtqz/
http://studyvisitsettle.ca/s/Document/FOuCfnukwiN/
http://tallerhtml.tk/wp-admin/lm/obJIKreXKnbmiCAqIvgDmwrnEARfzs/
http://tapainteriordesigns.co.za/js/paclm/f59az7ec1ftp79sepit23j7pw1r6_hua0xatzt8-63502829111491/
http://tasaico.net.pe/wp/wp-content/uploads/WLXIZaRbRtGbdykWHcwDgNKSKDKHvO/
http://tbwysx.cn/build/9631pb-3ndkdr6-ieae/
http://teknisi-it.id/COPYRIGHT/FILE/VppKShnPdkhRjUEXEeooCIIAhwbUDA/
http://thebohosalon.in/public_html/Document/kegbgaLopcnDGa/
http://thedigitaluno.com/blogs/aofbjr-30puh-wtnj/
http://thetradingwithtoptrader.com/wp/DOC/iKnzUzCRoUntYcAH/
http://todoparatuviaje.store/wp-content/CQOTCMVl/
http://tomferryconsulting.com/wp-content/cnwiw-i2fsk-tzmtgjr/
http://travel2njoy.com/wp-admin/30f8i-871i1f1-hcbtiyx/
http://tubestore.com.br/wp-content/parts_service/JaZIaGTfYtKNzOswSdcU/
http://turbinadordemidias.com.br/wp-content/tzb3f68et95zngff1cm7ev_7b14q45-05068827162/
http://tvizle.in/wp-admin/LLC/0mjlyjsehvj_x3d3otv7i4-637796888994/
http://ucuzwebtasarimi.xyz/wp-includes/0awyfdk-54zmh5p-ufgi/
http://verleene.be/agenda/cache/INC/nuTUJrgYgHHqLKfrvAvxVFyrnnE/
http://voctech-resources.com/cgi-bin/FILE/7fzk5nby5x2e_5yrjh-693123319/
http://volvocoupebertoneregister.nl/triwj2kd/woYbRUZsZYEsnWauxYCtGSWLePo/
http://warwickvalleyliving.com/images/classes/89ofu-pyt3kp6-ucnuue/
http://webcluetech.com/wp-includes/3bjy-4vzysw7-yjxie/
http://wellyoumust.ru/wp-admin/cNhHhYXeJmFRpNzCUwAef/
http://wissenschaftsnacht-halle.de/wp-content/xjlz-4juvm-zwsthxz/
http://woowomg.com/khaledsa/jAsnuCHUbpWhsLLQCOi/
http://wordpress-58925-804720.cloudwaysapps.com/wp-includes/vxaum-du53ari-hkostid/
http://www.adil-darugar.fr/wp-admin/Scan/trrMBcbN/
http://www.emindset.com.co/wp-admin/parts_service/k643udn122tvap73j0xdsn_1cvw8bd-74328776554/
http://www.exportcommunity.in/banner/esp/e27v1im65y_45yc9-15416019/
http://www.kleine-gruesse.de/wp-includes/Document/laWittBVpszALuZbTWOvWHRk/
http://www.rabotkerk.be/cgi-bin/jt2ly-82r1t-uawc/
http://yourquotes.in/wp-admin/tzvn5-ywu35-wrts/
http://zmzyw.cn/wp-admin/14um7-j6xw9-ajewrom/
https://akihi.net/BBS/omra-4vws5-ilkw/
https://aomori.vn/wp-admin/DOC/zxzCxTPsyJh/
https://autopozicovna.tatrycarsrent.sk/wp-content/paclm/pBxgohpddwhIKxx/
https://belefool.com/wp-content/uploads/LLC/bCtPpekdShLtaC/
https://blog.hubhound.me/wp-includes/WrfsBthXYJYJuRCKNQFgCHKHK/
https://bmeinc.com/wp-content/t0wunqu-izvvlvm-cqxnq/
https://buspariwisatamalang.com/wp-admin/esp/EyLdMLpEgUvMNY/
https://butusman.com/wp-admin/k58c2qdrhlmgx6pemkmukshyv2d_ul6kvocn-7320054397/
https://buxton-inf.derbyshire.sch.uk/wp-content/d3q7i2h-uf2cg-etdwftf/
https://centredentairedouville.com/wp-includes/Document/zw020kmf76b9mjrb_75xfiu-31033395686/
https://citadelhub.tech/wp-content/DOC/BCmXbZUbKSwinOE/
https://comunicaagencia.com/js/parts_service/LPAeCNHZLBwMaGqBwvcFAE/
https://dam.moe/2.71828/LLC/uVVGZnBsblXI/
https://dctuktarov.ru/tour/xgp0-hydrip1-qfwbiro/
https://derivativespro.in/backup-1feb19/cgi-bin/Pages/zGAnWERZxR/
https://devondale.com.cn/wp-includes/INF/jWRjbiclkKDiXnZwONRgt/
https://eduhac.com/wp-admin/images/g1ud-o5fp16y-pjli/
https://eeda.tn/wp-content/languages/qrx8t-enc1iw2-tlpfv/
https://enthuseclasses.in/wp-admin/HkKkjVlyCfvnHt/
https://firebrandland.com/networko/2r0w3u9-i66ao-kazyoo/
https://goldadvice.co.il/wp-content/Pages/QyVxlNNVCsFxGcXIWbOaE/
https://govtnokriwala.com/wp-admin/dkr3-fabebci-fdrfxpx/
https://hudlit.me/dblr/Dane/KjZcayDuvMuD/
https://instrukcja-ppoz.pl/wordpress/bkrp50n6ykdygn3s_kqboj-845329891893/
https://intranet.exclaim-inc.info/wp-content/nqni0ey-tntbns-yhjzd/
https://karfage.com/wp-admin/Document/jmdx0e1xj8zxl816v7_mt7rs0ko5n-2520672951711/
https://kleine-gruesse.de/wp-includes/Document/laWittBVpszALuZbTWOvWHRk/
https://ksicardo.com/travel/86xczz-ky8hi-fbwoyt/
https://lcwk.ru/fknddnf/Scan/XuBrPCGWHaSMmShYp/
https://lincolnlogenterprises.com/wp-content/xr99-tjh9srp-bkvnygo/
https://lizeyu.ml/wp-admin/FILE/bWfKSWFqUeJTwFqIgEh/
https://megfigyel.hu/hirlevel/kj8ce-szyqbse-iinoje/
https://mjc-arts-blagnac.com/wp-content/Document/qein18j18_d9y843jj7-3116175961/
https://odan.ir/7an4/esp/7q889n6ki6qwhpwrha5_q2g4whkw-58969967783/
https://osbornindonesia.co.id/css/dpAYZvtNbkcGpRRRstnKbcaWdpxb/
https://palpalko.com/wp-content/PLIK/4j436nf4j226po8e3kj2e1_uqpzzh2u-91311114/
https://passeslemoh.com/css/b1lq3-ijq61-iyfqivt/
https://psonlinestore.ga/wp-admin/DtWsAYTjOlWcLYFpjAD/
https://ranmureed.com/sitemaps/Document/5jpoottfjh_1lwuyyh0sc-8774635682241/
https://sacmsgmgw001a.delta.org/enduser/classify_url.html?url=bcj4vOoPS8B46Ud6gJMEtrSVpbK6kvOhzNoTP1Nkc9akCYldm5ysiiV042Pg5WhS/
https://softproductionafrica.com/css/JIZfCBlDHLNX/
https://thadinnoo.co/wp-includes/paclm/end1pfmm5dj9x84bmha4ntl43_n1kg9ewm3-17387884/
https://thebohosalon.in/public_html/Document/kegbgaLopcnDGa/
https://thebookshelfoperation.com/wp-includes/INF/eTuFMwBOYU/
https://tvbgm.com/z9iy/LLC/3t032ows8wgeicwgtdqde0j80_wwjooui-305983706/
https://vibetronic.id/wp-admin/DANE/hndYqQzGILvs/
https://vir-mdf.com/wp-content/gqq0c6-791he-uwwvjsp/
https://www.abcmobile.net/wp-content/2s3wrs-3znevfi-nomou/
https://www.analyze-it.co.za/cgi-bin/dj5iwbw-uyhhd-jococw/
https://www.kleine-gruesse.de/wp-includes/Document/laWittBVpszALuZbTWOvWHRk/
https://www.plasticoilmachinery.com/wp-includes/LLC/LBreSGrImLHpkX/
https://www.serviciotecnico247.com/wp-includes/oe16m-a5n1gw-abwq/
https://www.trisor.co.il/wp-admin/Document/xtegdkjor4_baf24c0nh-87455861262108/
https://xn--80ajcz5a1dp.xn--p1ai/wp-admin/lkISomoYZxPvHsgtW/
https://xn--mgbaam5axqmf2i.com/wp-includes/WkHkkYHtTjiBrdXdTop/


```
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time 2019:05:22 13:11:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
5bbc60af9eae648eb013e8bad1670024a910a7003e854e153ea42a399afd9093
a9968745261fb8c9c5574f66590d0ff545be0981fb26be8734e14b4a303ce153
7894f001da838633a033931a8cf63e5cde71ec0c0cd28e939a61eb8d77914d67
14186a938e80f4039364ce0e2a46f8c8ce0f9a759ec3d3e0fd128c6445f74241
bfb13aaf67ce07a6d6da90b75d0d94c61e2fbdeefa6c3b31919a2c3a98e8a9f0
59ed5135eb63464c4124e4d29c848e489d865ffbffeb72cf481ed18a848d8d05
a2502aeef4f497e302f784184aefe125b00d99d3bf7aa0f443401db417c5aac6
944d3852a927765c4cd481d6dda5e18499d227df1286faf11b5ac7c37cdf4648
0e6ec9b2a4af087921a9a83f9be065787bc15be6e5fa929ac7e62eefc9974234
5c6dda4043ea4d59774f210040efe698d5dd7b2c057d9c16c36006f7a57d1662
bc505dff0510b1e53e6b0b929af243ddb54768585ac2ab2df59f76a985193544

http://bettyazari.com/wp-content/a2n7832/
http://fitnescook.com/wp-content/whqc35928/
http://tengfeiwanka.com/wp-admin/yq3g23/
http://aspectivesolutions.com/wp-admin/02518/
http://makanankhasjogya.000webhostapp.com/wp-admin/74vz03/


Creation Time 2019:05:22 06:53:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
32a4d94ca2cb0c1bfc58f430b284a6ab5d8a546cce895168869becc07a2acc8b
83e24dc1f53a38710485d2303112af5ed9c08930b8e6703b670d4732e2c9bf78
2a96b59d5580a21a8c3095d14352911013228c2ba0ee8b659594a3bfef6d838a
036c09c4c019924d80a611fdc7c45ba7fc42011e51625df84c68804929f5cafb
ca27619a190bbe232696929880994888240c89538c478d060a0d28218ddbeab5
626b76832c929a86747ae5d2a08d4d36e2bacb5927202003a122713e0af4295c
9012ac6ca24e62a1e077e177bb72023075fe8c94c323d4270521a360c17344ae
f83848cbc704282bf17ecf6e8c1fbde49f010883ca923a3333e42fe164db8f4a
bb830747974f802f8a1e1ca5337dc00da19c9d9a794bd778280c62ecacb5fb5a
30553a88d1688b0f37d56292430ba6c6f6857bbf51eefd826f2177e8aa831129
b2be3b2d5b3449baa0f95d86fcc1c0856892ff1481513b20c32692ebe5c6acec
8df7f5e62e0e9c4c344a7e5b32a70dcfbe0df40714e64b57bebb0347c4b34287
8d28efd9705ab2428ddf3849d61997ecb36258845ab01780d12ed36720f587c3
6ad55e778c0efdbdbfce66a2e6c169b6e065522192aa14cd5c9cfb33bdc5aa22
7045298176b89253117bb00553c3ab715526f4f769eb29c5b4a526ee8b7511b0
ebe5444f3313d49f6bdb20961c156f678c2a7431b59bc1c4fc77e5deb2c11db2
51cd505fedac9c4f9e549893f2c81e04ada0930da3779324a9a17096b2443eb3
dd98275a714d904c399b904056f61a03c8a5582ffe6fe97ce6f4a956373fb112
363236f78952e0c75f0c281be23b8a9436a6ab88a5de20c084d439ac0e4ad732

http://sweethsu.com/wp-admin/tvkoq27476/
http://erpahome.com/wp-snapshots/y141/
http://belediyedanismanlik.net/wp-admin/123231/
https://evoyageofdiscovery.com/api/pqq56666/
http://shefieldbdc.com/language/xbcx526/


Creation Time 2019:05:21 20:50:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
0bfb10f8a7f307acfc02e4b4e50300ef56a2e0924bae9fb7e11ff5e997e744ba
3c7e66a09848644901d84d62e4c569c4f0c032924e8e775e11216380dc368bac
8d4be846c45d4e6ea2ed710a554ef5cbb860a2521ef6f49ebc7071d7781b7ad0
824b0924020c4a8bb64da30771c6b5c2a55030d7d1ce9c2856918eca681ccda9

http://lonnieruiz.com/wp-admin/u69w0989/
http://lemp.johntool.com/wp-content/plugins/bg7936/
http://99cleaningsolutions.com/wp-admin/l58sn0441/
http://baiventura.000webhostapp.com/dup-installer/sd5659/
http://adiasta.xyz/test/xkz69825/


```
#### SHA256s for Epoch 1 Payload EXEs seen on 05/22/19 ####
```

9bb7d877cdc2bc15c5da38357ae0e5ad6ed4a107aff2efc84e3051ad4d35e6d5
9d182dd50a5cd39f46e4990719919093ed6586dcc63200c0f0e9fbd489be2e1c
5985b727eec004373746dbf53f04b9819394e9b7fdb2c5bdf2783c4712b33a6e
78136fbeba87899296ea4e981564c10af72865e34d9190c4a9feadc7821f8e62
45738932df4e44ad9ee8c33ff9e99b000793106655b223fb34e5b602b0b0d728
ffc5278205aab993a9a84a324f938055840cfdd8ed286664d933c3c08e657b5b
82ea99e4a0acab8e68d9cddbf9d40cf88850ff7634356d71735fd9ffd488407f
6005ed8d5ad651cedbc6535b3b40cfc8e5849c471c69075813c670acb2f45aba
e2e07ee7e51cc9197551ec302a67d231652ca3723d0ac8ec584f6eb49824c12d
cc63c5a9bcc0a58b847da88e3321e2d744d5c3b025a5fbb2582fa3c4b2ac0cc3
11614e606eb10e7536528d852290fd8dae3e9d5a87280589124d670839910f05
d9fff8540ea54f6568805050504294656659cd26922475a46d2f3f8b01b65037
0f8e75e6fd35e1c17265890664b2e42627932c4bb8853a1eeabd82753ec35be6
f06b692b750fd4c9e14ba1b6e36cbe8fc42e296fe2199b5e02b8d57b474adbe8
1ba031ac763fb44b5ff895fc9c554f8035501f3e3d9b05913c394ae977074805
3e54747870a3c4387cd06b05289c63a3541064bbd779631e1f2429372fd5f131
5f2c4936aec619bba88f81a4845ccff44bed3ffa95683747b4a3f99c84035259
c367719334095448aaebcfd689b9a3fe8e1f56187571d181fbf0952660b5dfea


```
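The sections above are regular enough to be machine-read, but not uniform: the same document download path is listed under http, https, www and bare-host spellings (kleine-gruesse.de appears four times), a few payload URLs further down arrive with the scheme truncated to "s://" or "//", and document hashes are grouped under "Creation Time" lines that carry the epoch and the lure tag. The Python below is an added example, not Cryptolaemus's own tooling and not code from the original post: it parses a post in this layout into records tagged with section, epoch and Creation Time group, collapses the spelling variants of one download path, and defangs the result for reporting. The SAMPLE text is constructed from a handful of entries on this page; the email-gateway-rewritten classify_url.html entry above would be kept verbatim as a URL, not unwrapped.

```python
"""Parse a Cryptolaemus-style daily Emotet IoC post into structured records.

Added example, not part of the original post or of Cryptolaemus's tooling:
it walks the page layout (#### headings, fenced lists, "Creation Time" group
lines, one URL or SHA256 per line) and collapses http/https/www spellings."""
import re
from dataclasses import dataclass

FENCE = "`" * 3  # built this way so the sample cannot close the block it sits in

# Constructed sample: entries copied from this page, in the page's own layout.
SAMPLE = "\n".join([
    "#### Epoch 2 Document/Downloader links seen for 05/22/19 ####",
    FENCE,
    "http://kleine-gruesse.de/wp-includes/Document/laWittBVpszALuZbTWOvWHRk/",
    "http://www.kleine-gruesse.de/wp-includes/Document/laWittBVpszALuZbTWOvWHRk/",
    "https://kleine-gruesse.de/wp-includes/Document/laWittBVpszALuZbTWOvWHRk/",
    "https://www.kleine-gruesse.de/wp-includes/Document/laWittBVpszALuZbTWOvWHRk/",
    "http://akihi.net/BBS/omra-4vws5-ilkw/",
    "https://akihi.net/BBS/omra-4vws5-ilkw/",
    FENCE,
    "#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####",
    FENCE,
    "Creation Time 2019:05:21 20:50:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)",
    "SHA256:",
    "0bfb10f8a7f307acfc02e4b4e50300ef56a2e0924bae9fb7e11ff5e997e744ba",
    "3c7e66a09848644901d84d62e4c569c4f0c032924e8e775e11216380dc368bac",
    "",
    "http://lonnieruiz.com/wp-admin/u69w0989/",
    "http://lemp.johntool.com/wp-content/plugins/bg7936/",
    FENCE,
    "#### SHA256s for Epoch 1 Payload EXEs seen on 05/22/19 ####",
    FENCE,
    "9bb7d877cdc2bc15c5da38357ae0e5ad6ed4a107aff2efc84e3051ad4d35e6d5",
    FENCE,
])

HEADING = re.compile(r"^#{2,4}\s*(.*?)\s*#*\s*$")
SHA256 = re.compile(r"^[0-9a-f]{64}$", re.I)
# Anchor on "//" not the scheme: some payload URLs on the page arrive as "s://" or "//".
URLISH = re.compile(r"^(?:[a-z]*:)?//\S+$", re.I)
CREATION = re.compile(r"^Creation Time\s+(\S+\s+\S+)\s*\((.*)\)\s*$")


@dataclass
class Ioc:
    kind: str                  # "url" or "sha256"
    value: str                 # as written in the post (hashes lower-cased)
    section: str               # heading the line sat under
    epoch: "int | None" = None  # Emotet epoch named in that heading, if any
    group: str = ""            # "Creation Time" timestamp that introduced it
    label: str = ""            # parenthesised tag on that Creation Time line


def parse_post(text):
    """Only fenced lines carry IoCs; headings outside fences name the
    section, and Creation Time lines inside them open a group."""
    iocs, section, group, label, epoch, in_fence = [], "", "", "", None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(FENCE):
            in_fence = not in_fence
            continue
        if not in_fence:
            m = HEADING.match(line)
            if m:
                section = m.group(1)
                e = re.search(r"Epoch\s+(\d+)", section)
                epoch = int(e.group(1)) if e else None
                group = label = ""
            continue
        m = CREATION.match(line)
        if m:
            group, label = m.group(1), m.group(2)
        elif SHA256.match(line):
            iocs.append(Ioc("sha256", line.lower(), section, epoch, group, label))
        elif URLISH.match(line):
            iocs.append(Ioc("url", line, section, epoch, group, label))
    return iocs


def canonical(url):
    """Drop the scheme (even a truncated one) and a leading "www."; returns (host, path)."""
    host, _, path = re.sub(r"^(?:[a-z]*:)?//", "", url, flags=re.I).partition("/")
    host = host.lower()
    return (host[4:] if host.startswith("www.") else host), "/" + path


def unique_download_paths(iocs):
    """Map canonical (host, path) -> every spelling the post used for it."""
    paths = {}
    for ioc in iocs:
        if ioc.kind == "url":
            paths.setdefault(canonical(ioc.value), []).append(ioc.value)
    return paths


def defang(url):
    """Render a URL safe to paste into a ticket or chat."""
    host, path = canonical(url)
    return "hxxp://" + host.replace(".", "[.]") + path


if __name__ == "__main__":
    for variants in unique_download_paths(parse_post(SAMPLE)).values():
        print(defang(variants[0]), len(variants), "spelling(s)")
```

Feeding the whole post through parse_post gives one record per hash or URL with enough context (section, epoch, Creation Time group) to tell a maldoc hash from a payload EXE hash and an Epoch 1 drop site from an Epoch 2 one; unique_download_paths is what you hand to a proxy or DNS blocklist, since the four spellings of the kleine-gruesse.de path collapse to one host and one path.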
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time 2019:05:22 19:13:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
6673817be34aa5db84a05855fa2364f04239bcb39d1956c00586357bc2e96382
2d14bd85c6fd1feea0d4a0e311a7324a8bf56982e634a308503a2097e0c06c94
db89dec155b9d6a15b00921017365cd4de80e86be4e15a2172d98eaf0111040f
c6cd2e2606c1999ad49d94095b156f03e15e026b7a4564a9248c947dd78a2e53
07361938b338966720b62ffd3b02e5a956e6366404284322e59ef2d2bdd5f8a6
bc10bba21cd71cbc9a1e94028675282a552870d81dc77d5f2703437ac4428f87
9de70af07f1659f32c9e7aeb00a61ba1b1ca8e7985f1d5a3cc4197f67e8675b6
458593ef82540d21c4b2068c2103f5b8f6209a55dc63d7657a6d99aedbe107a0
e809d5a50a913e203d75b058361082b4de50e62b68f4f8a8dda875619d4ac4d4
2b5c4129990f703fbf68a173b09445b66ea27ce7fec7cb2e80fb40d0390404ae
8abe2662dd5b129ea1422b30d1e5f07b656201754d24376af623ac7e72e113e8
d9638edf4e040ce7b7c3329579783522a9695dd60fc3a536acf2b78069c08c57
d114e27589e87ca1abd0757a3d0fecc6969e6124a9a2cf04389e7238f3df50fb
9224f643b9c06ebfe97f10297a35066569748217b3ecb131cbdca9e5224857f1
ab023ef17d1e240fa48ae909198065b48330d0bd40ad687f971d35687f5415b3
185cc9d3fdcc96a799dc9ab78d87dc42ee3997dbef325315adc75688fc465afc
26d7367b1d273cb322009012ddb87783848dd4fa735aa1f482da9c40441e835e
5d7bd5ab1f0ef9fe49f97b49fc955f64a9878fc341650143d572b24126f1284b
be207e9ce717102ec7b8b0e875a8ac1b29243aebb6f1f80ba011b9bf4eee7e4e
58a34476d1ac56716c8f7f02a94b3e00871591d4dc99b0c138a239c04323464c
08b89f7dd8d503646629fb64a6aab677838de6c3b62eebcb5ca701d0ce0f6793
42a5cb1196d9ffe17bcb3df985a7897290344d65a54e7178b805dc2b6547c421
82fb17392854764e1237fa2c2158e60ca1447fb384592864ace3548612377ab8
74aa97646f1f0b7f8a3c26dd3030a1429ed3f1aee9f4a21367158e2e41ad5d66
cf10a832675c6d6596534ee54d73881d982b386a32e95fe9d1d46705bad98c1f
6cac5ce5542f988279a978b5a2d6d359036c32f01d36c1a6f2c398af6b9ef0de
a84d5eff1de58822b28a84cc3e06c9932b6dfe81c41c3112fe2fb1f6ec788b0e
a92b26feb7e554da42fd70a1bd836ea90cfce2876a7688d60ffb8f87c8182262

s://atlanticsg.com/wp-includes/fsfrz22_mkp29qlby-69478/
//eastpennlandscape.com/css/qhJUtdBFvM/
//mcs-interiors.co.uk/cgi-bin/MUbadZUIXD/
//laderajabugo.navicu.com/wp-admin/6ohv5j_6m40d-4652183/
//banphongresort.com/wp-includes/8hxbg02o_wkpvf-27459009/


Creation Time 2019:05:22 12:41:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
7d0923b53a0b3d5661862319bbe51c6966edab527975d5b042654c69e8bbe233
9d1d6d90d934526072ee9bfeef8c1ea19d783d6e577fd61d7388242a69d9cc81
4922a01a52b2531b2a806b3608fd3bc16375517019eb6d10e6cf8d24f8b611cf
3563cf7755d4fc579fbc7124d9c0b63f0a64d9c74189717bb8cfe5f9ff3c50a9
a555a9d0758ad435ecc2961f33391773e16658a49eb0b70b09b854e4fcde4c90
021c8775cb0a7641fc8e4e2f896c0080ddd999d5d704727433aea7e6caded377
3ccabef2d6c5cd7bac2d3c7eb7914a66fe84ef59995e2d534762f404fe16a7f9
7dae05d83daa72f99809fb010a118480affc08180c4caa231c448cbc76195e86
13aad15c24356ec3b5cb5ba7b7dcd54de1fde823e2c7a3e32b692032b6f7f3f9
9070cd30f05d24c24a3ea40fdba3743fccde90535f10a4b68a6286976794c763
25f4071a90f7e80f134b0ba8fe760d6e9716190e05eb389d1e76afa1476b13ee
dfed7ff20a5ecf046878559c3cbde3a9102561e02036e3fe49b09f3114fe8535
d6aa469940aa1b2161eeb35f3dda539ea6cadafab50b5f783e2c80abb35388dd
74a01fc44c729346103906c6ad154d0b6617eb595881702731b77ada86d13965
170b532a9f1afdfdb29e89a41bb63b6f7c799c76fef06eda8fc283ba0baf0318
2848325093685db4a9222a0ff907cdc127ac2483e7abc00192c8d3bdef83ac38
71ebb8d941e8b8abb4219a3e40ff4c04760977c1f4f2ca1b0f6d541824a3c91b
22d13c4a74605f49a2c1eb270612a50655fb2693067baba87057baac352692b9
9b60ef100b2e896e00232f23b0bc861030aafa8aa1f3049d679c83c880d5407d
569e51ceba8d07fc9329ec070c9663d80643ef76e258d31857b341dc8d96e52a
037ff1bb690c72a42a37fcfa25ebaa25881027d45d4cc5c3e82e462142617233
cf89b0cf6e83b1354124e7b2da2f11306dd9cdf1276287ba56c37a79e775b170
927deff64a1841190fc4e11a755533e328e2c297c1eb38d8046fe3558eb4c830
f49a9b10834e1799012bca4fa68241610dec8511cea111dd800ce622845c6cc3
27d10f4db92ca2760b74a8fb2f639bd4e1d946f2cf483bb40100c22b89c6f596
dbc12594f10de87e4ee5e876311eeb454af5376397687996ac39e9a9109db450
4c353f1f4ec36fa7484310e79946223864bb9d5df2e67828c311274a054b709f
54b3d3c0eb263341c6661773fc3b4024c1da398ca1b504eec9ced5a3ec568bf3
8add7cb7eaccc2e347554c7c6abd53ccbcaf03efda7d7836ed312665ce5d2420
685fd5bf746b549c5f8923979da08fd10d5f9c8161a76102fab84c4ab7d9a379
1faee1999ddc589c4f656b276971b51cb844d301d358733243a7f4500596c755
1f04abb7b0fec51e95372b420b3754d72e5b5ca295d4ac7f2a310c97fabb4f43
5ff9ec9edc11dcdcceb06effcdceb35198b633301602b60cc1624262e4aa1b04
  519. b40d0ea033292b780a5aafc16811b20547d28a7ec3ffd6dcd8c5a0a743a5af8e
  520. 0a953e06cd996b0ec44e0443a8779d82f3027c9b7732f01b4481fa59f1f29235
  521. 4f7f219d375bc3ebed80364b10d6a78ce2acb7a1557771a30e87e293b1a42793
  522. 64d37ef75692541b3c9238c0ba63ee7960e10d53cec6faf4c70dd8cb963ed0f3
  523. a02dabf98f62f9857ef4b5b539b45d489f20a37340b1e8b9533697e69e889546
  524. 7030efddb877d4a5fcd97afd7f7b794de9ae52a946df6b324c64fbc73d375cd5
  525.  
  526. http://rinkuglobalcare.com/wp-admin/p1m6c_2jkk5-96/
  527. http://gemsjewelbeads.com/installo/NIjIAMPn/
  528. http://norakayevents.com/wp-admin/zovwJcJUca/
  529. http://gamingistanbul.com/test/olk3b03f8r_uf3d6-144/
  530. http://miagoth.com/wp-content/TUBypthmA/
  531.  
  532.  
  533. Creation Time 2019:05:22 07:01:00 (DOC Based - ENG - 365 Blue Box)
  534. SHA256:
  535. 163eae697eb7cadb346c9c9b7f430a9a1b5859e9354415969a54565149811ae8
  536. d0cfe271eea78a3bbe2047fa874d1ef8d039e80fa807c3472e14ccbae30978a4
  537. c8679fdfa637e9cf7d7feb0d9eb3c5d149b63340405f1376257a14cfb63d5e84
  538. 6945f7a54982bfb544fb5d4a7f1541077ffa536c03c88916e2659581f4b8017d
  539. 492405dcd118bba267b935ccef1185b1c5f007af449356e2203305adf47bcddf
  540. 3ef652149252e4b78a215e5e770344f460bede3102cdf81444f2705ff00dba21
  541. fec5a94aae2700091554854953d1910c62fa7d2866c36c26bcc0c27cb332a139
  542. 5412ff7f58fd2443aa6b2376b4ee92ce7ff6bf323a7b9765ab6a466c5ee727b5
  543. ed219ca4af7d632aebb303a35c95fd1145abef46978e76d47b0211cd83117d61
  544. 4eb09dc9e8b2ed32ba925d517abbb495509d5e3be67f9167341dfb6c7bbca8fd
  545. fcf658c6fce6a1ce7c932f31271e2526a352f767e3fab54ef47830c71a894f83
  546. 0ecb1773e1ce0c7ac9f615ca1b23c6d762f3350b731b1aba29e7fbf48a7bef41
  547. f8788b9233d16b506545ebdfa0d3840d1d91b048915bb378a343206cb3181f63
  548. 775fba13019ab9aefb12ef07d5a81566a649d4513a5b718056b5c97562706375
  549. 616e7ddda333f01356670c259b4b7b0c284d814f7fcfacab358f7efc7067e11e
  550. 538efbd25e116841432c3143e5ebf0727d2f7ec8d8fe99bf35d90d6c90a79d0d
  551. da04060d26560c26772b15ecd9b471dd42da0faea141d6e0b43d76dab52fe674
  552. 741a1ec554f7f6aa8a3f2d98391ac1cbbbcc41a2d5baee77255cd40cdb4390cf
  553. 34a061f350cd94ccc7b0777129474bbe5f2dafd0fbea6f5c511b0d50d724e675
  554. 592fa05b9548b6e0fed37fbf7997119d96a43c4e1ad80ac7ceebcdf494707247
  555. ebf23688aa28e13ed8596867d3bfec5c617a3ce6d2175b3025a89564aac04bac
  556. fd8e5370aeb5d5df202fcb50ebfae41f870673cf7114c13d7e9946ad022ac960
  557. dcec12383d8ec6559e7c02dcc48c302861fb5537a843fb773380367e982ca16a
  558. c8dd1a9d10fd5087d9cc44390f189cffac8471ca84663917d258bf7367f43719
  559.  
  560. http://tan-shuai.com/wp-content/m6d71gnvv_5wuf035-3782344/
  561. http://rashhgames4u.000webhostapp.com/wp-admin/f09dmz1i98_gkhufhnf3-7958618171/
  562. http://bor-demir.com/cgi-bin/hlptlehdyU/
  563. http://klaryus.com.br/wp-includes/Requests/Zqeztqfe/
  564. https://theluxestudio.co.uk/wp-includes/pTxzfSBe/
  565.  
  566.  
  567. ```
  568. #### SHA256s for Epoch 2 Payload EXEs seen on 05/22/19 ####
  569. ```
  570.  
  571. 97aaeecf55e4995fbb328bca64132d92d84a4958ea103abb1a6cc6601d64b296
  572. 1b60ccba1bac0cd014d5d455ee26d2c5cd92bbbde65f08e431d706447ce914cb
  573. 2581abbab3d8cd60fe09001f80cd0f9d3ee4044c822f53c7868d3b7da4a0a642
  574. 415868c76e721280f899e448388c609aaeccb235ce8ea1f78f3005b0fc2e81a4
  575. aca96357234dcf7017b9d00e53770bbc7f2ace41fb781a4188f00d8bcf2543c1
  576. 946570083dbb0df724fe505e3ad215f965dc522bfb98dfbdfb5122a5d34892f8
  577. e813a46177316a2cf138ed72b28b8dc8623dbf0ebf58fc6f5d193a6b0d5d490a
  578. fde3ea03450436608203af9b1990791ea050d147b4c850bb8f5c9a48472ed1d4
  579. e33bcd1d55f0f36b7a4edc970a646812e7a30e44fa91aced5b0266ac837bc252
  580. bbb275b2e43dc30d9f0f0b96119b5ee4f3f571d38d53cc62a97b501d3b6f5a5c
  581. d2b76915f4418258d07e6d198de132de773a5111884304bc62247ca0a1a3396b
  582. 6a5f4314fae25728bce7014192df73160ed441f84c477030df42e612795a8b43
  583. e8fe78f126d28bf9b6edbdaf762f931dcfd7bbe4ce8b0f4cab9a7a7fae5de3d1
  584. a9bb203cf84e7cd1ca0d4407a7c2402cae5710ce91239b7d7727c118f287a701
  585. 55c94d2a503253c4c0ff765e25dbf120b310c35a94e2e349404eff7c992b14ce
  586. abbf21b7008d13900961a70d537ec5b0467acab40acadbed5b6dfd49347daa9b
  587. e42e7d46b97a81552cbec1b194e8c459fe5bc804b4891bcb7ca65eaffd30c6d2
  588. ddafd79e5c09c16c5b30b88e6abfb7459da36edf878ab4f73710eed58bc4852e
  589.  
  590.  
  591. ```
  592. #### Epoch 1 C2s ####
  593. ```
  594.  
  595. 103.201.150.209:80
  596. 105.224.171.102:80
  597. 109.104.79.48:8080
  598. 109.73.52.242:8080
  599. 111.67.12.221:8080
  600. 134.101.222.153:80
  601. 154.120.228.126:143
  602. 159.69.2.128:7080
  603. 163.18.23.242:80
  604. 175.107.200.27:443
  605. 181.110.239.26:80
  606. 181.143.101.18:8080
  607. 181.15.177.100:443
  608. 181.15.243.22:80
  609. 181.16.127.226:443
  610. 181.164.227.212:80
  611. 181.198.67.178:20
  612. 181.199.151.19:80
  613. 181.211.130.109:443
  614. 181.29.101.13:80
  615. 181.31.49.178:80
  616. 181.39.134.122:80
  617. 185.129.93.140:80
  618. 185.86.148.222:8080
  619. 185.94.252.27:443
  620. 186.71.75.2:80
  621. 187.178.9.19:20
  622. 187.188.166.192:80
  623. 187.190.237.104:8080
  624. 187.242.204.142:80
  625. 189.196.140.187:80
  626. 190.113.233.4:7080
  627. 190.117.206.153:443
  628. 190.123.35.82:50000
  629. 190.13.211.174:21
  630. 190.147.116.32:21
  631. 190.147.12.71:443
  632. 190.180.52.146:20
  633. 191.97.116.232:443
  634. 192.155.90.90:7080
  635. 196.6.112.70:443
  636. 200.107.105.16:465
  637. 200.127.0.8:80
  638. 200.28.131.215:443
  639. 200.32.61.210:8080
  640. 200.45.57.96:143
  641. 200.57.102.71:8443
  642. 200.58.171.51:80
  643. 200.80.198.34:80
  644. 201.251.229.37:80
  645. 203.25.159.3:8080
  646. 205.186.154.130:80
  647. 216.154.222.52:7080
  648. 216.98.148.136:4143
  649. 217.113.27.158:443
  650. 217.199.175.216:8080
  651. 217.92.171.167:53
  652. 218.161.88.253:8080
  653. 219.74.237.49:443
  654. 219.94.254.93:8080
  655. 23.254.203.51:8080
  656. 31.179.135.186:80
  657. 37.59.1.74:8080
  658. 43.229.62.186:8080
  659. 45.73.124.235:8080
  660. 46.249.204.99:8080
  661. 51.255.50.164:8080
  662. 62.75.143.100:7080
  663. 66.209.69.165:443
  664. 69.163.33.82:8080
  665. 72.47.248.48:8080
  666. 79.143.182.254:8080
  667. 80.0.106.83:80
  668. 81.143.213.156:7080
  669. 81.183.213.36:80
  670. 81.213.182.115:8443
  671. 81.3.6.78:7080
  672. 82.226.163.9:80
  673. 85.132.96.242:80
  674. 86.155.233.74:8080
  675. 89.134.144.41:8080
  676. 91.205.215.57:7080
  677. 91.83.93.124:7080
  678.  
  679.  
  680. ```
  681. #### Epoch 1 - Spam/Stealer C2s ####
  682. ```
  683.  
  684. <not updated>
  685. 61.92.159.208:8080
  686. 104.236.185.25:8080
  687. 50.116.63.9:7080
  688.  
  689.  
  690. ```
  691. #### Current Epoch 1 RSA Public Key ####
  692. ```
  693.  
  694. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJWcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
  695.  
  696.  
  697. ```
  698. #### Epoch 2 C2s ####
  699. ```
  700.  
  701. 103.11.83.52:443
  702. 105.228.3.127:465
  703. 105.247.109.117:993
  704. 109.194.50.231:80
  705. 117.218.17.6:990
  706. 119.155.153.14:21
  707. 136.243.177.26:8080
  708. 138.201.140.110:8080
  709. 147.135.210.39:8080
  710. 162.243.125.212:8080
  711. 167.114.210.191:8080
  712. 169.239.182.217:8080
  713. 174.136.14.100:8080
  714. 174.96.5.251:465
  715. 175.100.138.82:22
  716. 177.230.108.144:22
  717. 177.242.202.30:8080
  718. 177.242.214.30:80
  719. 177.246.193.139:20
  720. 178.152.78.149:20
  721. 178.62.37.188:443
  722. 178.79.161.166:443
  723. 179.14.2.75:21
  724. 179.32.19.219:22
  725. 181.129.30.82:80
  726. 181.175.142.212:990
  727. 181.189.213.231:465
  728. 182.176.132.213:8090
  729. 182.176.94.236:20
  730. 183.82.100.135:80
  731. 183.82.110.170:53
  732. 186.113.19.171:80
  733. 186.19.202.88:21
  734. 186.31.189.232:143
  735. 186.4.167.166:80
  736. 186.4.234.27:443
  737. 187.177.154.167:990
  738. 187.189.195.208:8443
  739. 189.209.217.49:80
  740. 190.145.67.134:8090
  741. 190.25.255.98:443
  742. 190.25.255.98:80
  743. 190.53.135.159:21
  744. 190.72.136.214:465
  745. 191.92.69.115:80
  746. 200.21.90.6:80
  747. 200.85.46.122:80
  748. 201.199.89.223:8443
  749. 201.220.152.101:80
  750. 201.238.152.20:465
  751. 207.44.45.27:22
  752. 211.248.17.209:443
  753. 211.63.71.72:8080
  754. 216.98.148.156:8080
  755. 217.13.106.160:7080
  756. 222.214.218.136:4143
  757. 23.95.95.18:80
  758. 24.139.205.186:8080
  759. 41.220.119.246:80
  760. 45.123.3.54:443
  761. 45.33.49.124:443
  762. 46.100.165.6:53
  763. 46.105.131.87:80
  764. 50.31.0.160:8080
  765. 50.99.132.7:465
  766. 58.9.168.7:443
  767. 58.9.168.7:990
  768. 59.103.164.174:80
  769. 62.75.187.192:8080
  770. 64.13.225.150:8080
  771. 66.84.11.168:8080
  772. 69.251.12.43:80
  773. 69.45.19.145:8080
  774. 71.244.60.230:8080
  775. 73.189.66.63:80
  776. 74.207.227.96:443
  777. 77.56.253.112:80
  778. 78.186.5.109:443
  779. 78.188.7.213:8090
  780. 80.11.163.139:21
  781. 84.241.10.111:53
  782. 85.104.59.244:20
  783. 86.151.202.16:20
  784. 87.106.136.232:8080
  785. 87.106.139.101:8080
  786. 91.205.215.66:8080
  787. 92.154.101.154:50000
  788. 94.76.200.114:8080
  789. 95.128.43.213:8080
  790. 98.142.208.27:443
  791.  
  792.  
  793. ```
  794. #### Epoch 2 - Spam/Stealer C2s ####
  795. ```
  796.  
  797. <not updated>
  798. 198.58.114.91:4143
  799. 213.136.86.219:7080
  800. 91.205.215.10:7080
  801.  
  802.  
  803. ```
  804. #### Current Epoch 2 RSA Public Key ####
  805. ```
  806.  
  807. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCxS0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRchG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
  808.  
  809.  
  810. ```
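Added example, not part of the original paste: the two keys above are base64 SubjectPublicKeyInfo blobs, and the "What is Epoch 1 and Epoch 2?" notes say the RSA key is the reliable way to tell which botnet a sample belongs to. The block below decodes them with a minimal stdlib-only DER reader, confirms they are rsaEncryption keys, reports modulus size and exponent, derives a SHA-256 fingerprint of the DER, and maps a key pulled out of a sample back to an Epoch name. The whitespace handling is there because the keys as pasted had spaces at the 64-character PEM line boundaries; `describe`, `identify_epoch` and the key constants are names chosen for this example.

```python
import base64
import hashlib
import re

# The two Epoch keys as published in this paste (base64 SubjectPublicKeyInfo). Whitespace
# left over from PEM line wrapping is stripped before decoding.
EPOCH1_KEY = (
    "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+"
    "0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ"
    "Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB"
)
EPOCH2_KEY = (
    "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx"
    "S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc"
    "hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB"
)
KNOWN_KEYS = {"Epoch 1": EPOCH1_KEY, "Epoch 2": EPOCH2_KEY}

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _der_bytes(key_b64):
    return base64.b64decode(re.sub(r"\s+", "", key_b64))


def _tlv(buf, pos):
    """Read one DER element starting at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (not needed for these keys)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_spki_rsa(key_b64):
    """SubjectPublicKeyInfo -> AlgorithmIdentifier + BIT STRING -> RSAPublicKey; return (n, e)."""
    tag, spki, _ = _tlv(_der_bytes(key_b64), 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)
    oid_tag, oid, _ = _tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _tlv(spki, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa, _ = _tlv(bits, 1)               # skip the unused-bits byte
    _, n_bytes, pos = _tlv(rsa, 0)          # INTEGER modulus
    _, e_bytes, _ = _tlv(rsa, pos)          # INTEGER public exponent
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def fingerprint(key_b64):
    """SHA-256 over the DER, i.e. over the bytes a -----BEGIN PUBLIC KEY----- PEM wraps."""
    return hashlib.sha256(_der_bytes(key_b64)).hexdigest()


def identify_epoch(key_b64):
    """Match a key extracted from a sample against the keys published here; None if neither."""
    der = _der_bytes(key_b64)
    for name, known in KNOWN_KEYS.items():
        if _der_bytes(known) == der:
            return name
    return None


def describe(key_b64):
    n, e = parse_spki_rsa(key_b64)
    return {"bits": n.bit_length(), "e": e,
            "fingerprint": fingerprint(key_b64), "epoch": identify_epoch(key_b64)}


if __name__ == "__main__":
    for name, key in KNOWN_KEYS.items():
        print(name, describe(key))
```

Both keys parse as 768-bit RSA with e = 65537; keep the fingerprints in your sample-triage notes and re-run this when the page reports a key rotation, since a sample carrying a key that matches neither entry is the first sign of a new key or a third botnet.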
  811. #### Credits and Notes Section ####
  812. ```
  813.  
  814. WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs once it
  815. is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
  816. https://pastebin.com/u/jroosen
  817.  
  818. NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
  819. I am providing them for your benefit in case you want to parse them to be sure.
  820.  
  821. ```
  822. #### What is Epoch 1 and Epoch 2? ####
  823. ```
  824.  
  825. What is Epoch 1 and Epoch 2? (updated 03/07/2019)
  826.  
  827. I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
  828. payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications.
  829. Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller, more
  830. rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
  831. This seems to change back and forth over a 6-month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen
  832. to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group, e.g. going on breaks at the same
  833. time period.
  834. Here are some observations I have noted since I have been watching these botnets:
  835.  
  836. - Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
  837. Epoch 2 document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those
  838. being delivered in maldocs on Epoch 2 at any one time.
  839. - Document hashes change every 10 minutes on both Epochs while distribution/spamming is active.
  840. - Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
  841. - On Mondays of every week a new set of document download sites, and usually templates to accompany them, are generated early on
  842. Monday morning/Sunday night.
  843. - Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
  844. Epoch 2 may have a document hosted on host.tld/B.
  845. - The RSA keys will change every few months or so for C2 communications on each Epoch/Botnet.
  846. - Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
  847. *- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
  848. - Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
  849. - C2s are never shared between Epochs/Botnets.
  850. - Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
  851. via C2 to stay ahead of AV defs.
  852. - Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
  853. - Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
  854. - The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this
  855. easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
  856. - Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
  857. spam template, word template, document type and even payload.
  858.  
  859. If I think of anything else to add or if anyone else has any suggestions, I will add them here.
  860.  
  861. ```
  862. #### Community Lists ####
  863. ```
  864.  
  865. <>
  866.  
  867.  
  868. ```
  869. #### Credits ####
  870. ```
  871. (OC from @JRoosen and/or combination work of the following)
  872.  
  873. Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
  874. @0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
  875. @Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk
  876.  
  877. C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
  878. @devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192
  879.  
  880. Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
  881. @pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
  882. @papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro
  883.  
  884. Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
  885.  
  886. Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
  887. helping out with this!
  888.  
  889. Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
  890. @digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
  891. @urlscanio, @TrendMicro and @Virustotal for providing services/software no charge to this cause!
  892.  
  893. ```
  894. #### Daily Log 05-22-19 ####
  895. ```
  896.  
  897. Again, no sign of Emotet for me today in the UK.
  898.  
  899.  
  900. A big thank you to all those that report #emotet, via Twitter, URLhaus, URLscan and all the sandboxes
  901.  
  902.  
  903. General News:
  904.  
  905. #opendirs are always worth investigating
  906. https://twitter.com/executemalware/status/1131324291730026498
  907.  
  908. @JayTHL urlhaus analysis
  909. https://twitter.com/JayTHL/status/1131049934264909826
  910.  
  911.  
  912. REVIEW:
  913. If you didn't already see it, there is a very simple way to defang these ZIP/JS attachments or links. Just change the Explorer association
  914. to open .JS files via Notepad.exe. You can follow my instruction here in this Any.Run:
  915. https://app.any.run/tasks/81503633-0f95-48d4-bd80-c83ec5c2b763
  916. or you can do this via GPO. Here is a nice writeup on this process: https://montour.co/2016/09/group-policy-force-js-files/
  917. I recommend you do this because .JS malware is very 2016 or even earlier and most users never need to run .JS or .JSE for that matter.
  918. You can likely throw other extensions into the same configuration and @JayTHL had a nice thread discussing this here:
  919. https://twitter.com/JayTHL/status/1126204098670411779
  920.  
  921. Email Template Report:
  922.  
  923. Generic templates for the most part; the usual body text is listed below.
  924.  
  925. Review:
  926. What we know about the threaded templates/reply chain:(changes are marked with *)
  927.  
  928. - Emails are sourced from once (or still) compromised users all over the world.
  929. *- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
  930. to the compromised party on or before Nov 2018 until at least March 2019 (may be up to the present). Also have seen emails going
  931. back as far as June 2018.
  932. - Now on E1 and E2.
  933. - Now seeing German based templates that are essentially the same thing but in German.
  934. - The injected reply is usually prefaced with the following:
  935. "Attached is your confidential docs."
  936. "Attached please find the wire transfer form."
  937. "Thank you for your help. Please see the attached."
  938. "Load instructions attached"
  939. "A printer friendly attachment is now included with each email."
  940. "Click on the attachment to open or save the printer friendly version of your report."
  941. - Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
  942. - Attachments seem to be in the filename format of *_Month_DD_YYYY.doc/js so far.
  943. - The link is customized for the display text of the link to show the real domain of the spoofed organization.
  944. - These templates are pretty limited in run and not very numerous.
  945.  
  946. Link Regex Report:
  947.  
  948. Regex directory patterns
  949.  
  950. E1
  951. *https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)
  952. https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/
  953. https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
  954. https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/
  955.  
  956. E2
  957. https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
  958. *https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)
  959. https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/
  960.  
  961. NOTE: If you get a lot of false positives, try adding (\"|\n) at the end of some of these after the last \/
  962.  
  963. These Regex patterns are to be used experimentally and at your own risk but they caught 95%+ of link malspam.
  964.  
  965.  
  966. Payloads Report:
  967.  
  968. E1 running as DOC attachment-only again; observed hashes (34) drawn from anyrun and hybridanalysis.
  969. Last known DOC was 2019:05:22 13:11:00
  970. Given there were 92 observed hashes in E2 DOC, there are likely additional E1 hashes out there, and possibly an unknown set of EXEs.
  971.  
  972. E2 gave 320 URLs delivering 92 DOC hashes.
  973. Last known DOC was 2019:05:22 19:13:00
  974.  
  975. Back to multiple updates for both Epoch EXEs; early samples were 74k but switched to a mix of 109k and 161k at ~20:45 (E1) and ~21:40 (E2).
  976.  
  977. C2 Report:
  978.  
  979. C2 from E1 EXE gave 83 unique IP:port combos in total (recorded above).
  980. C2 from E2 EXE gave 90 unique IP:port combos in total (recorded above).
  981.  
  982. Thanks to @lazyactivist192 for the C2 runs
  983.  
  984.  
  985. Closing:
  986.  
  987. I am out of the office for the next couple of days but will get the key indicator lists together.
  988. @ps66uk
  989.  
  990. TT
  991.  
  992. ```
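Added example, not part of the original report: the Link Regex Report patterns from the Daily Log above, compiled exactly as written and run against the day's Epoch 2 document URLs taken from this paste, plus a filename check for the *_Month_DD_YYYY.doc/js attachment naming noted in the Email Template Report. The E2 directory pattern ends in (\"|\n) because it was written for raw mail/HTML where a quote or newline follows the URL, so the function appends a newline by default and lets you switch that off to see what a bare URL from a log field does. The full English month names, the sample attachment filenames, and the function names are assumptions made for this example. Three of the seven URLs are caught; the ones whose numeric suffix is shorter than the 8 digits the underscore pattern demands, or whose directory is not in the list, slip past, which is what "experimental, 95%+" means in practice.

```python
import re

# Directory patterns copied verbatim from the Link Regex Report; names are for this example only.
RAW_PATTERNS = {
    "E1-1-zone": r'https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)',
    "E1-2-docs": r'https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/',
    "E1-3-token": r'https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/',
    "E1-4-dotted": r'https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/',
    "E2-1-underscore": r'https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/',
    "E2-2-dir": r'https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)',
    "E2-3-hyphen": r'https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/',
}
PATTERNS = {name: re.compile(rx) for name, rx in RAW_PATTERNS.items()}

# Epoch 2 document URLs listed in this paste for 05/22/19.
PAGE_URLS = [
    "http://rinkuglobalcare.com/wp-admin/p1m6c_2jkk5-96/",
    "http://norakayevents.com/wp-admin/zovwJcJUca/",
    "http://gamingistanbul.com/test/olk3b03f8r_uf3d6-144/",
    "http://tan-shuai.com/wp-content/m6d71gnvv_5wuf035-3782344/",
    "http://rashhgames4u.000webhostapp.com/wp-admin/f09dmz1i98_gkhufhnf3-7958618171/",
    "http://klaryus.com.br/wp-includes/Requests/Zqeztqfe/",
    "https://theluxestudio.co.uk/wp-includes/pTxzfSBe/",
]

# Assumption for this example: "Month" in *_Month_DD_YYYY.doc/js means the full English month name.
MONTHS = "January|February|March|April|May|June|July|August|September|October|November|December"
ATTACHMENT_RX = re.compile(r"^.+_(%s)_\d{2}_\d{4}\.(doc|js)$" % MONTHS, re.IGNORECASE)


def match_patterns(url, terminated=True):
    """Return the sorted names of every report pattern that fires on url.

    The E2-2-dir pattern ends in (\"|\n), so a bare URL never matches it; terminated=True
    appends the newline that raw mail/HTML would supply, terminated=False tests the URL as-is.
    """
    text = url + ("\n" if terminated else "")
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))


def report(urls=PAGE_URLS):
    """Map each URL to the patterns that caught it; an empty list means it slipped past."""
    return {url: match_patterns(url) for url in urls}


def attachment_name_matches(filename):
    """True when an attachment name fits the *_Month_DD_YYYY.doc/js convention from the report."""
    return ATTACHMENT_RX.match(filename) is not None


if __name__ == "__main__":
    for url, hits in report().items():
        print("%-85s %s" % (url, ", ".join(hits) or "MISSED"))
    for name in ("Invoice_May_22_2019.doc", "report.docx"):   # constructed sample names
        print(name, attachment_name_matches(name))
```

The misses are worth reading: p1m6c_2jkk5-96 and olk3b03f8r_uf3d6-144 have 2 and 3 digit suffixes and m6d71gnvv_5wuf035-3782344 has 7, against the 8 to 15 the underscore pattern requires, and installo or Requests are not in the directory list. If you loosen `{8,15}` for coverage, expect more false positives on ordinary WordPress paths, which is exactly why the report suggests the trailing (\"|\n) anchor.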
  993. #### Sandbox 05/22/19 ####
  994. (all with fakenet and MITM unless spam/secondary infection)
  995. ```
  996.  
  997.  
  998.  
  999. ```
  1000.  
  1001. ```
  1002.  
  1003.  
  1004.  
  1005. ```