jroosen

Emotet Malware IoCs 2019/02/11

Feb 11th, 2019
## Emotet Malware Document links/IOCs for 02/11/19 as of 02/12/19 00:40 EST ##
*Notes and Credits now at the bottom* Follow us on twitter @cryptolaemus1 for more updates.

#### Epoch 1 Document/Downloader links seen for 02/11/19 ####
#### Epoch 2 Document/Downloader links seen for 02/11/19 ####
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```
Creation Time 2019-02-11 22:05:00 (XML Based - ENG - Off-Center Light Blue/White)
Creation Time 2019-02-11 18:40:00 (XML Based - ENG - Off-Center Light Blue/White)
Creation Time 2019-02-11 15:19:00 (XML Based - ENG - Off-Center Light Blue/White)
Creation Time 2019-02-11 12:38:00 (XML Based - ENG - Off-Center Light Blue/White)
Creation Time 2019-02-11 07:32:00 (XML Based - ENG - Unzoomed Indigo/White)
Creation Time 2019-02-08 21:27:00 (XML Based - ENG - Unzoomed Indigo/White)
```
#### SHA256s for Epoch 1 Payload EXEs seen on 02/09-11/19 ####
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time 2019-02-11 20:26:00 (XML Based - ENG - Unzoomed Indigo/White)
Creation Time 2019-02-11 15:09:00 (XML Based - ENG - Unzoomed Indigo/White)
Creation Time 2019-02-11 13:01:00 (XML Based - ENG - Unzoomed Indigo/White)
Creation Time 2019-02-11 08:13:00 (XML Based - ENG - Unzoomed Indigo/White)
Creation Time 2019-02-08 21:40:00 (XML Based - ENG - Unzoomed Indigo/White)
```
#### SHA256s for Epoch 2 Payload EXEs seen on 02/11/19 ####
#### Epoch 1 C2s ####
#### Spam/Stealer C2s ####
#### Current Epoch 1 RSA Public Key ####
```

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+
0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ
Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB

```
#### Epoch 2 C2s ####
#### Epoch 2 - Spam/Stealer C2s ####
```

31.167.70.26:8080
64.178.246.207:8080
73.83.148.166:443

```
#### Current Epoch 2 RSA Public Key ####
```

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx
S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc
hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB

```
  1090. #### Credits and Notes Section ####
  1091. ```
  1092. Updated 7/13/18
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it
is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen

NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

```
#### What is Epoch 1 and Epoch 2? ####
```

What is Epoch 1 and Epoch 2? (updated 01/29/2019) It has been a while since I refreshed this section, so I wanted to update it and bring it up to date.

I have been tracking Epoch 1 and Epoch 2 since May of 2018. Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for
communications. Epoch 2 is currently the larger of the two botnets and I think it is the main push of Emotet. Epoch 2 WAS a smaller, more rapidly changing
version of Emotet at one point in May/June of 2018. Now Epoch 1 seems to be the smaller of the two since this time period. Despite having unique unshared
C2 infrastructures, these two botnets have been seen to move bots from one to the other and show similar behaviors, seemingly controlled by a single
entity/group. Here are some observations I have noted since I have been watching these botnets:

- Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an Epoch 2
document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those being delivered
in maldocs on Epoch 2 at any time.
- Document hashes change every 10 minutes on both Epochs while distribution/spamming are active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Mondays of every week a new set of document download sites and usually templates to accompany them are generated early on Monday morning/Sunday night.
- Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and Epoch 2 may
have a document hosted on host.tld/B.
- The RSA keys will change every month or so for C2 communications on each Epoch/Botnet.
- Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
- Each binary has a hard-coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours to stay ahead
of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00 UTC each day. It usually starts back up around 07:00-08:00 UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA Key.

If I think of anything else to add or if anyone else has any suggestions, I will add them here.

```
#### Community Lists ####
```
https://pastebin.com/b91Lkcbu - @Jan0fficial
https://twitter.com/James_inthe_box/status/1095015199382204416
https://pastebin.com/ntgAHqLK - @pollo290987
https://otx.alienvault.com/pulse/5c620447cdc7d83b7dcafed9/ - @SecSome

```
#### Credits ####
```
(OC from @JRoosen and/or combination work of the following)

Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, @0xtadavie,
@Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @leunammejii, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey, @Jan0fficial
@shotgunner101, @HerbieZimmerman, @Outkast_TI

C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie, @devnullnoop,
@gorimpthon, @Racco42, @Jan0fficial

Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz, @pollo290987,
@malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey, @Jan0fficial,
@OguzhanTopgul, @HerbieZimmerman

Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and helping out with all of this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch
and @Virustotal for providing services/software at no charge to this cause!

```
#### Daily Log ####
```

Well today was interesting, I topped 300+ malspams and I was pretty damn busy doing dayjob stuff. There were some interesting changes today,
IPs were used in URLs instead of FQDNs for the download URLs and even the payload URLs. This seems like the start of another long list where
you sort the numbers to the top and then start using things in order...

If so this is going to be a long week with many new URLs thrown at us. So as predicted, we got more of these PDF attachments with banking
accounts being "suspended" but we also got a couple new templates today. One was concerning Microsoft accounts and was sent primarily to
GER/DE and was covered by CERTBund:

https://twitter.com/certbund/status/1094895999347249152

Interesting tactic on that one ^


We also got another new one which @ps66uk saw first this morning for invoices in HTML that we call the purple button.
(Picture will be attached to the report on Twitter) https://twitter.com/ps66uk/status/1094957953910743041
This template was the most common one I received by far and I did not expect that. It was just from E1 from what I could tell.
Most of the purple button templates had a subject from the following list:

Bill "Spoofed Full Name"
Bill from "Spoofed Full Name"
last bill
last bill from "Spoofed Full Name"
last invoice
"Victim Full Name" Bill "Spoofed Full Name"
"Victim Full Name" Bill from "Spoofed Full Name"
"Victim Full Name" Invoice
"Victim Full Name" Invoice from "Spoofed Full Name"
"Victim Full Name" new bill "Spoofed Full Name"
"Victim Full Name" new invoice "Spoofed Full Name"
"Victim Full Name" new invoice

You get the point.
@ps66uk also reported the patterns to the URLs: https://twitter.com/ps66uk/status/1094966716340285440

That is, all of the URLs seem to include the following type of directory structure, which mimics another Domain.TLD type structure:

sec.accs.resourses.biz/
sec.accs.docs.com/
sec.myaccount.resourses.com/
secure.accs.docs.biz/
secure.accs.send.com/
secure.accs.resourses.biz/
secure.accounts.docs.net/
secure.accounts.send.net/
secure.myacc.docs.net/
secure.myaccount.send.net/
trust.accs.send.net/
trust.myacc.resourses.net/
trust.myaccount.resourses.com/
trust.myaccount.send.com/
verif.accs.docs.biz/
verif.accs.docs.net/
verif.myacc.docs.com/
verif.accounts.resourses.com/

Basically always that pattern of starting with (sec, secure, trust, verif)
then (accs, accounts, myacc, myaccount)
then (docs, resources, send)
and lastly (.biz, .com, .net)

Additionally, I did get a couple of Spanish-based, attachment-based malspams for invoices. Most spamming was done after 13:30 EST.


C2s changed for both E1 and E2 but the keys remained the same. We are now down to 54 combos and 53 combos on each respectively. This is more
like the historic counts of tier 1 C2 hosts.

That is about it for today. Until tomorrow for more FUn from Emotet.

```
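The directory pattern described in the daily log sits in the URL path rather than the hostname, so host-based blocklists do not see it. The following is an added example, not part of the original paste, that flags it in proxy logs; the log layout, function names and sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Token sets from the pattern summarised in the daily log. The listed
# directories spell the third token "resourses" while the summary writes
# "resources", so both spellings are accepted here.
PREFIX = ("sec", "secure", "trust", "verif")
ACCOUNT = ("accs", "accounts", "myacc", "myaccount")
ACTION = ("docs", "resourses", "resources", "send")
TLD = ("biz", "com", "net")

SEGMENT_RE = re.compile(
    r"(?:%s)\.(?:%s)\.(?:%s)\.(?:%s)"
    % tuple("|".join(map(re.escape, t)) for t in (PREFIX, ACCOUNT, ACTION, TLD)),
    re.IGNORECASE,
)

def lure_segment(url):
    """Return the path segment that imitates a Domain.TLD name, else None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    for segment in parts.path.split("/"):
        # fullmatch: the whole directory name must be the four-token pattern
        if SEGMENT_RE.fullmatch(segment):
            return segment.lower()
    return None

def scan_proxy_log(lines):
    """Return (client, url, segment) for each log line whose URL path matches.
    Assumed layout: '<timestamp> <client-ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line
        segment = lure_segment(fields[3])
        if segment:
            hits.append((fields[1], fields[3], segment))
    return hits

# Constructed sample log lines (documentation addresses, not real IoCs).
SAMPLE_LOG = [
    "2019-02-11T14:02:11Z 10.0.4.17 GET http://192.0.2.44/wp-content/uploads/trust.accs.send.biz/ 200",
    "2019-02-11T14:02:40Z 10.0.4.23 GET http://secure.accounts.example.com/login 200",
    "2019-02-11T14:03:05Z 10.0.4.31 GET http://example.net/Verif.MyAccount.Resourses.COM/ 404",
    "2019-02-11T14:03:09Z 10.0.4.31 GET http://example.net/docs/secure.accs.docs.biz.bak/ 200",
]

if __name__ == "__main__":
    for client, url, segment in scan_proxy_log(SAMPLE_LOG):
        print(client, segment, url)
```

The second sample line has the tokens in the hostname and the fourth has a longer directory name; neither is flagged, which keeps the rule tied to the exact four-token directory.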
#### Sandbox 02/11/19 ####
(all with fakenet and MITM unless spam/secondary infection)
```

Epoch 1 C2 run on 2019-02-12 at 04:30 - https://cape.contextis.com/analysis/36480/

```

```

Epoch 2 C2 run on 2019-02-12 at 04:30 - https://cape.contextis.com/analysis/36479/

```