Daily Emotet IoCs and Notes for 09/12/18

Emotet Malware Document links/IOCs for 09/12/18 as of 09/12/18 23:59

Notes and Credits are now at the bottom. Follow me on Twitter @jroosen for more updates.

Seen only in .doc attachments.

http://110.164.86.203/wp-content/uploads/0761DHP/PAYMENT/US/
http://163.21.209.5/wordpress/1LWOMWN/identity/Smallbusiness/
http://165.227.81.93/blog/wp-content/uploads/default/US/Invoices-Overdue/
http://184.154.53.181/chatlocaly/errors/Download/En/Past-Due-Invoices/
http://198.61.187.137/project/86AYMJ/com/Commercial/
http://1eight1.com/FILE/US_us/Overdue-payment/
http://1energy.sk/20QSVKI/SWIFT/US/
http://222bonus.com/wp-content/FILE/En_us/Overdue-payment/
http://27.54.168.101/5915546MBYGT/PAYMENT/Commercial/
http://429days.com/2PSYKZBR/com/Commercial/
http://51.254.121.123/wp-content/5905CTXPPYP/SWIFT/Personal/
http://7continents7lawns.com/DOC/En_us/Open-invoices/
http://87records.com.br/91EPYGLMXV/PAYMENT/Smallbusiness/
http://a1parts.com.ua/INFO/En/Invoice/
http://abakus-biuro.net/8539JHLOM/PAYROLL/Business/
http://act5.ebimarketing.com/default/US/Summit-Companies-Invoice-63286874/
http://acttech.com.my/doc/US_us/Open-Past-Due-Orders/
http://adamello-presanella.ru/newsletter/EN_en/Important-Please-Read/
http://ahlatours.com/default/En_us/Invoice-94301693/
http://alabd-group.com/77EKMMGZ/BIZ/Business/
http://alcorio.ro/wp-content/uploads/DOC/En/Invoice-98576467-September/
http://aleem.alabdulbasith.com/Download/US/Important-Please-Read/
http://alimegastores.com/9ARETZ/PAY/Commercial/
http://allseasons-investments.com/wp-content/20494BPVOIW/com/Business/
http://allstateelectrical.contractors/24XMG/WIRE/Personal/
http://altunsut.com.tr/tyoinvur/6373GHJYR/BIZ/Commercial/
http://amanita.com.my/903XOZ/PAYMENT/Business/
http://amerikavizeservisi.com/023326D/WIRE/Personal/
http://andrewmiller.com.au/Download/EN_en/Invoice-8197421-September/
http://apicecon.com.br/09012NQNFL/ACH/Smallbusiness/
http://apotheekgids.org/57K/PAY/US/
http://arc-360.com/56YLXPRT/PAYROLL/US/
http://archibaldknoxforum.com/Sep2018/US/Service-Report-2768/
http://arimmo.ch/761800OVDDCF/PAYMENT/Smallbusiness/
http://artzvuk.by/2019440EDSMJIND/SEP/Personal/
http://ashtangafor.life/Document/En/ACH-form/
http://asmo.media/1ws85l32virusdie/6KSQF/PAYMENT/Personal/
http://astro-lab.club/default/US_us/Document-needed/
http://astrologija.dreamhosters.com/41ENWF/SWIFT/Business/
http://astroxh.ru/1Z/ACH/US/
http://atmah.org/9463908S/oamo/US/
http://atuare.com.br/9MXRHKNX/com/Personal/
http://auditorium.codeworks.org.uk/assets/uploads/customer_services/8915/6345_ACC34826.doc/
http://avuctekintekstil.com/7ETZ/Corporation/US_us/Scan/
http://awfinanse.pl/463233E/PAYMENT/Smallbusiness/
http://barcsikhus.hu/73329WKLNWTBH/ACH/Commercial/
http://basscoastphotos.com/wp-content/847839TOA/SWIFT/US/
http://bastom58.ru/3F/biz/Personal/
http://beavercreeklaw.com/newsletter/En_us/Outstanding-Invoices/
http://belief-systems.com/5477HRV/oamo/US/
http://bestarter.kz/FILE/EN_en/Past-Due-Invoices/
http://bestbestbags.com/INFO/En/Open-Past-Due-Orders/
http://bettercallplumber.com/xerox/US_us/Past-Due-Invoices/
http://bhbeautyempire.com/374767LDJFRE/SWIFT/US/
http://bhgjxx.com/temp_6bd6c6c42b5ae81a4aa32aa263d99731/7351KFBDB/BIZ/Personal/
http://bhullar.info/sites/En/Invoice-4578572-September/
http://bics.ch/51MXXAO/PAYROLL/Smallbusiness/
http://bigdatastudies.com/053NLCLX/SEP/Personal/
http://binar48.ru/1314ZVRVCBWY/BIZ/Smallbusiness/
http://bkad.gunungkidulkab.go.id/VnfZvuJfgB/biz/Firmenkunden/
http://blockcoin.co.in/files/EN_en/Paid-Invoice/
http://blogdasjujubetes.com.br/wp-content/uploads/471558JTYBQ/SWIFT/Smallbusiness/
http://bookcup.ir/DOC/En/New-order/
http://brighteducationc.com/Document/En_us/Open-invoices/
http://btc4cash.eu/sites/US/Open-invoices/
http://buysmartwebmall.com/8020058XKC/oamo/Business/
http://bwphoto.asia/99XKM/BIZ/Smallbusiness/
http://byacademy.fr/8706937YGVMNXM/PAYMENT/Smallbusiness/
http://byacademy.fr/9VPE/com/Personal/
http://bytosti.cz/4683176OKAZJNAX/BIZ/US/
http://camerathongminh.com.vn/Download/EN_en/Invoice-Number-09577/
http://canadary.com/9UWEP/PAYROLL/Commercial/
http://capstonetech.co.zw/9118156LB/PAY/US/
http://casellamoving.com/69VQINXXJO/PAYROLL/Smallbusiness/
http://casellamoving.com/828UQSWURTS/PAYMENT/Business/
http://casinoolimp.online/6JW/BIZ/Smallbusiness/
http://ccoolmedia.com/scan/US_us/Invoice-0367553/
http://cdlingju.com/67785EJHHZSI/PAY/Smallbusiness/
http://cdoconsult.com.br/4314WNYRN/SWIFT/US/
http://cfarchitecture.be/doc/US_us/Document-needed/
http://charliefox.com.br/files/En/Invoice-62297068-September/
http://chatteriedebalmoral.ch/893DMYCN/PAYMENT/Commercial/
http://chiconovaesimoveis.com.br/scan/US_us/Service-Report-24109/
http://chudnemjedlom.sk/Download/En_us/Question/
http://club-gallery.ru/LLC/US_us/Important-Please-Read/
http://co.houseoftara.com/3OSOWCNIV/PAY/Commercial/
http://coconutfarmers.com/LLC/US_us/Document-needed/
http://cokhivantiendung.com/DOC/En_us/Past-Due-Invoice/
http://colonialcrossfit.com/default/US/Past-Due-Invoice/
http://comagape.com/doc/En_us/Past-Due-Invoices/
http://covitourperu.com/LLC/US_us/Scan/
http://cqfsbj.cn/825512D/SWIFT/Commercial/
http://cqfsbj.cn/8440684LVDKMWSR/PAYMENT/Commercial/
http://criamaiscomunicacao.com.br/Download/EN_en/Paid-Invoice/
http://cronolux.com.br/2KFUN/PAYMENT/Personal/
http://cryptoanswer.com/27483PTZTMM/com/Personal/
http://csnserver.com/78T/PAYROLL/Personal/
http://custommedia-wp.nl/43OVUPZAI/PAY/Personal/
http://cxacf.ru/files/En/Past-Due-Invoice/
http://dahampa.com/Sep2018/EN_en/Invoices-attached/
http://danivanov.ru/35109I/ACH/Business/
http://dantist.org.ua/4074ME/PAYROLL/Commercial/
http://dar-fortuna.ru/FILE/En/Invoice-receipt/
http://darkmedia.devarts.pro/149RFTXRFG/com/Commercial/
http://dat24h.vip/newsletter/US_us/Sales-Invoice/
http://daveandbrian.com/535287ONSAJHOA/identity/Smallbusiness/
http://deal4you.at/2ITS/biz/Personal/
http://deanhopkins.co.uk/kanboard/data/773AR/identity/Commercial/
http://decisionquotient.org/865440JMX/identity/Smallbusiness/
http://deepgrey.com.au/FILE/US_us/Scan/
http://dek-kam.ru/0V/identity/US/
http://demo.5v13.com/7498QLQMJLSN/SWIFT/US/
http://demo.kanapebudapest.hu/55RT/com/US/
http://derysh.zzz.com.ua/Corporation/US_us/Important-Please-Read/
http://designloftinteriors.in/700Q/PAYMENT/Business/
http://desnmsp.com/files/EN_en/Invoice-Number-96181/
http://dezicake.com/wp-content/default/US_us/Past-Due-Invoice/
http://diaoc365.xyz/Document/US_us/Invoice-receipt/
http://dogtrainingbytiffany.com/doc/US_us/Paid-Invoices/
http://dogulabs.com/wp-includes/095921VEAMBR/BIZ/Smallbusiness/
http://dolhun.pl/pub/9ETNH/SEP/Business/
http://downinthecountry.com/048XUQTPIV/identity/Personal/
http://drtarunaggarwal.com/6733LMINTZN/SEP/Personal/
http://dshshare.ca/7BK/biz/Business/
http://duratransgroup.com/1721558FYLUIW/BIZ/US/
http://duratransgroup.com/Sep2018/US_us/Service-Invoice/
http://e.vouch.pk/wp-admin/239RI/PAYMENT/Smallbusiness/
http://ecol.ru/61988T/oamo/Business/
http://egomall.net/4YM/WIRE/Personal/
http://egomall.net/537173GAPZ/ACH/Personal/
http://emulsiflex.com/536770UMYTU/identity/Commercial/
http://english315portal.endlesss.io/9436OJ/com/Commercial/
http://envirotrim.net/087YY/SWIFT/Personal/
http://ermolding.com/wp-content/themes/566840TLPFKCG/ACH/US/
http://eticaretvitrini.com/INFO/US/Paid-Invoice-Credit-Card-Receipt/
http://eu-easy.com/xerox/EN_en/Paid-Invoices/
http://europroject.ro/3482AE/PAYROLL/Business/
http://exxot.com/47BSUIJP/SEP/Smallbusiness/
http://familyservicekent.com/wordpress/DOC/US_us/Invoice-Number-02163/
http://farmasi.uin-malang.ac.id/wp-content/935ACFZSO/identity/Commercial/
http://farozyapidenetim.com/newsletter/En_us/Past-Due-Invoices/
http://fendy.lightux.com/xerox/En/Invoice-Number-92147/
http://first-base-online.co.uk/424231YHO/BIZ/Smallbusiness/
http://fischbach-miller.sk/89HOMPMON/BIZ/Business/
http://flmagro.com/7pwp/0559KNEY/749SKGNNGJU/PAY/Personal/
http://fluorescent.cc/default/En/Outstanding-Invoices/
http://fluorescent.cc/wp-admin/sites/En/Service-Invoice/
http://folio101.com/newsletter/US/Paid-Invoices/
http://fourtion.com/Corporation/US/Service-Report-4465/
http://gabrielamenna.com/0CVAM/PAYMENT/Commercial/
http://gawus.com/05455FFIBFLPC/biz/Personal/
http://gcare-support.com/868441AWKW/PAY/US/
http://glswp31.sprintsoft.ro/Download/US_us/Invoice-3258944-September/
http://goosenet.de/47932HWFD/com/US/
http://grandautosalon.pl/Sep2018/US/Invoices-Overdue/
http://halenessfitness.com/05522KF/biz/Smallbusiness/
http://harkav.com/Document/En/Paid-Invoices/
http://heartseasealpacas.com/sites/En_us/Open-invoices/
http://henkterharmsel.nl/758080GYOSZHU/BIZ/Personal/
http://himlamriversidequan7.com/117424AYBP/PAY/Business/
http://hometgarsdev.popcorn-communication.com/38685RNHJ/oamo/Smallbusiness/
http://httpyiwujiadianweixiu.xyz/Corporation/En/Service-Invoice/
http://iberias.ge/0494665UVH/SWIFT/Business/
http://illdy.azteam.vn/3286139ZJAW/BIZ/Personal/
http://imcfilmproduction.com/319952SLB/WIRE/Commercial/
http://infratecweb.com.br/43RERKZFLU/oamo/Smallbusiness/
http://ingebo.cl/Document/EN_en/Inv-566468-PO-8B393306/
http://inmayjose.es/614K/SEP/US/
http://insurance4beauticians.com/Download/En_us/Summit-Companies-Invoice-9782424/
http://iswebteam.net/logon/xerox/EN_en/Service-Invoice/
http://jealousproductions.co.uk/6JHJYPMY/PAYROLL/Business/
http://jedecouvrelemaroc.com/6W/identity/Personal/
http://jeffchays.com/6944883PG/PAYMENT/US/
http://jmchairrestorationcenter.com/15254M/PAYROLL/Business/
http://joanperis.com/5GBOQYPC/identity/Personal/
http://jpro.jiwa-nala.org/4500035AMYJWZTL/ACH/Personal/
http://jtjdoprava.sk/146FEIYQZ/PAYMENT/Business/
http://kalashabake.ir/wp-snapshots/86NLOCD/oamo/Personal/
http://karen-group.com/wp-admin/css/83758BIOC/SWIFT/US/
http://karkasdom.dp.ua/7705752ZMA/BIZ/Personal/
http://karrikaluze.eus/Corporation/US/New-order/
http://kegnat.de/xerox/EN_en/Past-Due-Invoices/
http://kerasova-photo.ru/files/US_us/Need-to-send-the-attachment/
http://kidclassifieds.com/Amazon.co.uk.i3iJFJEMFkfiu3FE/files/US/Sales-Invoice/
http://kidstoysdirect.com.au/newsletter/EN_en/Summit-Companies-Invoice-1580353/
http://kitesurfintl.com/INFO/US/Outstanding-Invoices/
http://kjmblog.com/scan/US/Service-Invoice/
http://koeriersverzekering.com/5FFSSH/PAY/Business/
http://kpopstarz.kienthucsong.info/Corporation/EN_en/Outstanding-Invoices/
http://krednow.ru/3430K/SEP/US/
http://krever.jp/INFO/En/Invoice-Number-223202/
http://laschuk.com.br/default/EN_en/Invoice-4673713/
http://lauraolmedilla.com/default/US_us/Overdue-payment/
http://lauraolmedilla.com/doc/En/Sales-Invoice/
http://lesbouchesrient.com/logsite/95595GWHQCYE/SEP/Commercial/
http://lonestarcustompainting.com/94QVMW/SWIFT/Business/
http://loristjohns.dabdemo.com/default/US_us/8-Past-Due-Invoices/
http://louisianacraneandelectrical.com/7427815GWAM/identity/Smallbusiness/
http://lunacine.com/xerox/US_us/Outstanding-Invoices/
http://madarpoligrafia.pl/DOC/En_us/FILE/US_us/Scan/
http://mahs.edu.bd/1454FRXJTTBF/PAY/Personal/
http://mainpartners.eu/6287508P/oamo/US/
http://meriglobal.org/files/EN_en/0-Past-Due-Invoices/
http://m-finance.it/552CRLEXNUC/WIRE/US/
http://mfronza.com.br/doc/En_us/Invoices-attached/
http://micheleverdi.com/45TXATCO/SEP/Business/
http://michiganbusiness.us/Sep2018/En_us/Important-Please-Read/
http://mirmat.pl/Download/US_us/Scan/
http://mobileappo.com/20934JVH/PAYROLL/Commercial/
http://mobileappo.com/LLC/En_us/Invoice/
http://modern-surveyor.ru/14927ZYYYKD/com/US/
http://momentsindigital.com/FILE/En_us/Important-Please-Read/
http://mrlupoapparel.com/LLC/US_us/Past-Due-Invoice/
http://myonlineshopping1.tk/Download/En/New-order/
http://mywholebody.net/Document/En_us/ACH-form/
http://navyugenergy.com/wp-content/uploads/9OAXTTZV/SWIFT/Personal/
http://nestoroeat.com/31549DR/SEP/Business/
http://neuroinnovacion.com.ar/files/En_us/Invoices-attached/
http://new.umeonline.it/newsletter/US_us/Need-to-send-the-attachment/
http://news.lwinmoenaing.me/newsletter/US/963-66-995275-530-963-66-995275-027/
http://nhakhoaxuanhuong.com.vn/864QETBV/PAYMENT/Commercial/
http://nisho.us/23375MIQP/WIRE/Commercial/
http://nz.dilmah.com/0060JJJURNP/biz/Commercial/
http://ocs1.nack.co/xerox/US/Invoice-receipt/
http://olasen.com/90891IARRTC/ACH/Personal/
http://old.gkinfotechs.com/85TFYMLM/oamo/Commercial/
http://old.klinika-kostka.com/1610731QDVCBL/PAYMENT/Commercial/
http://omnigroupcapital.com/68614AGLFCUU/PAYROLL/Business/
http://onlinelegalsoftware.com/689852STNH/identity/Commercial/
http://ottokunefe.com/61270VTBXKHC/PAYROLL/Personal/
http://page3.jmendezleiva.cl/FILE/En_us/Paid-Invoice-Credit-Card-Receipt/
http://patrickhouston.com/default/En/Need-to-send-the-attachment/
http://peekaboorevue.com/9410156DHJJMGZ/identity/US/
http://plasdo.com/MNXfUEtpo/702DXQ/PAYROLL/Commercial/
http://pmg.com.mm/80HOGPAYJE/ACH/US/
http://polus-holoda.info/Corporation/US_us/Document-needed/
http://popup.hu/files/EN_en/Inv-97667-PO-6F412670/
http://premiereplasticsurgerylasvegas.com/0WBBL/WIRE/Commercial/
http://prideagricintegratedfarms.com.ng/Sep2018/EN_en/Service-Invoice/
http://prijzen-dakkapel.nl/2460722J/identity/Commercial/
http://puuf.it/877727FMFMYWED/SWIFT/Commercial/
http://rakkhakaboch.armletbd.com/doc/En/Important-Please-Read/
http://reallyrenewable.co.uk/newsletter/US/ACH-form/
http://regionsnews.net/4784302ADSLDP/PAY/Personal/
http://remcuahaiduong.com/46LV/ACH/US/
http://rethinkpylons.org/Document/EN_en/Scan/
http://revlink.eu/8705BN/SWIFT/Commercial/
http://romancech.com/DOC/EN_en/Service-Invoice/
http://royalhijyen.com/454104INO/SWIFT/Commercial/
http://ruforum.uonbi.ac.ke/wp-content/uploads/INFO/En_us/Invoice-Number-078426/
http://ruralinnovationfund.varadev.com/5VSQTTY/ACH/Business/
http://saidilrizamuda.com/49759AQ/identity/Smallbusiness/
http://sdorf.com.br/711KWHVREX/PAYROLL/Personal/
http://seetec.com.br/626GZ/WIRE/Business/
http://shksh5.uz/Download/En_us/Invoice-48955782-September/
http://skilldealer.fr/9993BNOADR/ACH/US/
http://skin-care.nu/LLC/US_us/Summit-Companies-Invoice-12234954/
http://smartbuildsgroup.com/4UHLKT/biz/Business/
http://snydyl.com/255JG/PAY/Smallbusiness/
http://soldeyanahuara.com/4369LXGEEQQ/biz/Commercial/
http://sourcingpropertyuk.co.uk/7SRPERLUF/PAY/US/
http://southwoodpharmacy.com/677752ZMQAIX/WIRE/US/
http://sparq.co.nz/Download/US_us/Invoice-Number-77852/
http://spotbuytool.com/49024K/WIRE/US/
http://spvgas.com/81PB/identity/Personal/
http://staffingandleasing.com/7759932SH/oamo/Personal/
http://staplesoflifephotography.com/Corporation/En/Paid-Invoice-Credit-Card-Receipt/
http://starbrightautodetail.com/xerox/En/Paid-Invoice/
http://stoobb.nl/default/EN_en/Inv-28167-PO-5S286034/
http://sumitengineers.com/wp-content/595047KSD/ACH/Commercial/
http://suportec.pt/files/US/Need-to-send-the-attachment/
http://tawgih.aswu.edu.eg/5ODZCLM/WIRE/Commercial/
http://tbilisitimes.ge/6UA/oamo/US/
http://tbnsa.org/Sep2018/En/Paid-Invoice-Credit-Card-Receipt/
http://team-booking.apstrix.com/2VT/ACH/Commercial/
http://test.sies.uz/80C/biz/Commercial/
http://tests4.webbuilding.lv/0TXN/SWIFT/Business/
http://tgrp.sk/93348JZDBO/biz/Business/
http://themazurekteam.com/157GZJKXIV/PAYMENT/Smallbusiness/
http://themetropalms.in/Sep2018/US_us/Outstanding-Invoices/
http://thewallstreetgeek.com/DOC/EN_en/Outstanding-Invoices/
http://thewarriorsbaseball.com/INFO/EN_en/Inv-96728-PO-3O152026/
http://tippyandfriends.com/7TJAY/SEP/Business/
http://tomas.datanom.fi/testlab/338OXHSDP/biz/Smallbusiness/
http://tresillosmunoz.com/Corporation/En_us/Invoice/
http://tsal.com/loggers/2LJFV/PAYROLL/Smallbusiness/
http://ultren.info/LLC/US_us/Scan/
http://upnews18.com/scan/US/Invoice-for-m/x-09/11/2018/
http://valletbearings.com/831652JSXS/com/Commercial/
http://viapixel.com.br/2YJEGEVR/com/Business/
http://vinastone.com/2033798ELGVT/PAYMENT/Smallbusiness/
http://vinastone.com/994WFILE/58AKWKTYMF/WIRE/Smallbusiness/
http://vinmeconline.com/4TE/PAYMENT/Business/
http://vivafascino.com/561726FWKRGK/identity/Commercial/
http://vivafascino.com/newsletter/En/Outstanding-Invoices/
http://voogorn.ru/79898JUCJLH/SWIFT/Smallbusiness/
http://webhall.com.br/526319JZGQK/SWIFT/Commercial/
http://website.vtoc.vn/demo/hailoc/wp-snapshots/087849VTPT/com/Business/
http://wiratechmesin.com/sitemaps/27WBKUAI/BIZ/Personal/
http://wosa3d.com/Document/En/Invoice/
http://www.alefbookstores.com/default/EN_en/Outstanding-Invoices/
http://www.cairdeas.nl/doc/EN_en/Invoice-for-t/c-09/10/2018/
http://www.capreve.jp/21871GEA/ACH/Smallbusiness/
http://www.capreve.jp/xerox/En_us/Service-Invoice/
http://www.demicolon.com/dvrguru_revoerror/image/3930OUOELXK/com/Business/
http://www.designloftinteriors.in/700Q/PAYMENT/Business/
http://www.duanvinhomeshanoi.net/000NAIDPEJ/BIZ/Smallbusiness/
http://www.duratransgroup.com/1721558FYLUIW/BIZ/US/
http://www.httpyiwujiadianweixiu.xyz/Corporation/En/Service-Invoice/
http://www.insurance4beauticians.com/Download/En_us/Summit-Companies-Invoice-9782424/
http://www.jeffchays.com/6944883PG/PAYMENT/US/
http://www.mainpartners.eu/6287508P/oamo/US/
http://www.offshoretraining.pl/0550248TOU/SEP/Commercial/
http://www.pbc-berlin.com/xerox/EN_en/New-order/
http://www.plasdo.com/MNXfUEtpo/702DXQ/PAYROLL/Commercial/
http://www.risehe.com/WrHXrtrbxy6/de_DE/Firmenkunden/
http://www.ultigamer.com/wp-admin/includes/448770WLY/SEP/US/
http://www.valletbearings.com/831652JSXS/com/Commercial/
http://www.vcorset.com/wp-content/uploads/78478OXGW/BIZ/Smallbusiness/
http://www.waterland.com.hk/wp-content/plugins/21310LHNDQZ/identity/Commercial/
http://xn--45-6kcu4a2ao6f.xn--p1ai/wp-content/uploads/4989ZWRASPVA/SEP/Commercial/
http://zingland.vn/22777LBKMVR/PAYROLL/Business/
https://artzvuk.by/2019440EDSMJIND/SEP/Personal/
https://english315portal.endlesss.io/9436OJ/com/Commercial/
https://mainpartners.eu/6287508P/oamo/US/
https://vpnetcanada.com/INFO/US_us/Past-Due-Invoice/
https://www.bonzi.top/orlclsi/5928813DKD/1R/BIZ/Smallbusiness/
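
The doc DL URLs above fall into two path shapes: a digits-then-uppercase token followed by a payment word and an audience word (e.g. /0761DHP/PAYMENT/US/), or a folder word, a locale tag and an invoice-style lure (e.g. /FILE/US_us/Overdue-payment/). As an added example that is not part of the original post, the Python below encodes those two shapes as regexes and runs them over a few constructed proxy-log lines. The log format, the client IPs and the function names are my own; the URL paths are taken from the list above. The patterns describe the 09/12/18 list only, do not cover the de_DE entries (/WrHXrtrbxy6/de_DE/Firmenkunden/), and will drift as the campaign changes, so treat a hit as a triage lead to pair with the hash and C2 IoCs rather than as a standalone signature.

```python
import re
from urllib.parse import urlparse

# Shape A, e.g. /wp-content/uploads/0761DHP/PAYMENT/US/ :
# optional prefix, a digits-then-UPPERCASE token, a payment/business word, an audience word.
TOKEN_PATH = re.compile(
    r"^/(?:[^/]+/)*(?P<token>[0-9]{1,7}[A-Z]{1,9})/"
    r"(?P<folder>PAYMENT|PAYROLL|PAY|BIZ|biz|SWIFT|ACH|WIRE|SEP|com|oamo|identity)/"
    r"(?P<audience>Business|Smallbusiness|Commercial|Personal|US)/$"
)

# Shape B, e.g. /FILE/US_us/Overdue-payment/ :
# optional prefix, a folder word, a locale tag, an invoice-style lure (which may contain slashes).
LURE_PATH = re.compile(
    r"^/(?:[^/]+/)*"
    r"(?P<folder>FILE|DOC|doc|Download|Document|INFO|default|files|sites|newsletter|xerox|scan|LLC|Corporation|Sep2018)/"
    r"(?P<locale>En|EN_en|En_us|US|US_us)/"
    r"(?P<lure>[^/]+(?:/[^/]+)*)/$"
)


def classify_doc_url(url):
    """Return a dict naming the shape `url`'s path follows and its parts, or None if neither matches."""
    path = urlparse(url).path
    if m := TOKEN_PATH.match(path):
        return {"scheme": "token", **m.groupdict()}
    if m := LURE_PATH.match(path):
        return {"scheme": "lure", **m.groupdict()}
    return None


# Constructed proxy log (invented format: timestamp client method url status); paths 1 and 3 are from the list above.
SAMPLE_LOG = """\
2018-09-12T14:02:11Z 10.0.0.5 GET http://110.164.86.203/wp-content/uploads/0761DHP/PAYMENT/US/ 200
2018-09-12T14:02:12Z 10.0.0.5 GET http://110.164.86.203/favicon.ico 404
2018-09-12T14:05:40Z 10.0.0.9 GET http://1eight1.com/FILE/US_us/Overdue-payment/ 200
2018-09-12T14:06:01Z 10.0.0.9 GET http://example.invalid/wp-content/uploads/2018/09/report.pdf 200
"""


def scan_proxy_log(text):
    """One hit per log line whose requested URL follows either shape; non-matching lines are skipped."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, _method, url, status = parts[:5]
        if hit := classify_doc_url(url):
            hits.append({"ts": ts, "client": client, "url": url, "status": status, **hit})
    return hits


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(h["ts"], h["client"], h["scheme"], h["url"])
```

Both regexes anchor on the trailing slash and on the fixed vocabulary seen today, so a path like /wp-content/uploads/2018/09/report.pdf does not match even though it starts with the same WordPress prefix many of the compromised hosts share.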

Epoch 1 Payloads by Document SHA256 - All Times UTC


Creation Time	2018-09-12 21:06:00
SHA256:
b967b161ca4f18a30268ef7f6dff604d93edc59367ee7bab5e81360748a9732f

http://taltus.co.uk/EP4L639
http://quintacasagrande.com/EJSAsCD
http://glswp31.sprintsoft.ro/Y3IzCHzqIb
http://vkontekste.net/f1OSAuOu5S
http://dovgun.com/x7tDH1jMd9

Creation Time	2018-09-12 16:55:00
SHA256:
240f85aa177a0ec1f16c7e86326cc09953641d5385ed5c39f5f6f27a5585f770
6a03b9ed143a171a18c087593804061cc7eb88a82ed64e947a37c6efc36be406
01a68b8869e9d72741dc55778cc7ccb07acf17a2fca3a9cf5a6b31413698088e
7a03aa9bf35aec2750ef2ea9ec75f6e8b5b7a49553b57004660c3677461bc7f1
11e12b3207c64301a9532612d442b6468f6c34d42cf7fc5de22c3313912047a7
2351598d75870d936f52288878e96468f97dc33a02e305073dfca70978b3a636
1be0707d52727c44d553e64a3f64309fa6b1ef8aac3507e31425b36dc0b6181f
4c89e4a8b98b38cc796ec00968febea223ca8c1cc0153fa9f5af1f2f0fc43daf
92a725692661c20840f83f3a200d0ffb4707bb3ad9a41c83ef2e8fd912b163ae
14e8602089a06999f80362bbd0b65e94c666a82dc40463a38ed379cd456e57a0
3952c32c81275d4d264260063953230308876991fa50897971a893a5d6790570

http://harryliwen.net/KJRC3aWl
http://mrhanhphuc.com/HZggbn9vNI
http://ncsquared.com/wdzR5yn
http://nfog2018.dk/rTp7euMEO
http://mins-tech.com/xYUEJJDX8


Creation Time	2018-09-12 11:21:00
SHA256:

http://magint.ir/Ejy2uvx9vH
http://comeuroconcept.fr/k2XqNXlObx
http://4theweb.co.uk/wwvvv/3POxuQf2CA
http://spectrumbookslimited.com/6oXMsLDIiz
http://raidking.com/1qhwBAcqzv

Creation Time	2018-09-12 06:40:00
SHA256:
3a5bef57c8c6060963780a8b15568d8ea42cbb3ae885bbb7d5450ee7244b6394
c9907d3edf517277ddb6e5c2eed1c41f133256220ea76bd67609f125eda77a49
0e355bfd009fefe9ba4de41c20c7cbbf44c9bccb97441009f209684a0040127b
909046589fa7a942128f8d13c6f87630951d91dda52a66a06d7b9f9b04e3f6e6
3ebbdd8e803dc3dc1451fdb272fecb7ee4e080461fb3c1142df8a051f5767c61
02297e6945ed126114da44bf020f774aa0f10862166b16b89a23daae3ff60e56

http://3mchinhhang.com/CfXgRewmf
http://buladoremedio.com/t0GvzVYf
http://sagarpaints.com/AMtppDHuZ
http://tikimi.net.vn/XXAtkDi
http://360trips.pk/7wXfDqSc

Creation Time	2018-09-11 21:22:00
SHA256:
b7c206428106b9b986e2e72129a94ed77c42cec020f3b2529accd5472de230e1
42b6c861f47e1fcb5d8afca56545164e81371cc300d54cf8c62c3a6873599c3f

http://amniyatgostariranian.ir/AXW3D0wiK
http://burnettfarm.com/Atqc5S1J6
http://scotiaglenvilledentalcenter.com/rN8GRvV
http://server.livehostingbd.com/6845EO/PAYMENT/4U5EP4FXkf
http://georgia-trv.com/ksiJX8HB

Creation Time	2018-09-11 17:07:00
SHA256:
ca793861d5dd04d92427208fd690888136e387a87043737348e44ae58a48d1cd
ca4670d0083c6a16ff9c12422ad00299481fbe0c77eb472f6dcb15f01a6f8d8a
33b8ad7806dc48670245763175cf42d187fd70177eadee94ad6cee89ac3cd3bd
a1363e7683fd50126a612eae55128ce487d86fe13121b1afc48c5bb0a43f86a7
d1fff9ef8380885bb06a1983b8b7d11f6fe3ac92f8bbafff515bb8be5d42e94c
46b16dcd72c03e7ad082fe809fae8c46b240a321cba512d81ea12c06709e70f9

http://darularqamtamil.com/GdCiOm2eg
http://be-modern.ru/p4IzR2T
http://antunezshop.es/ROOJZIh4TW
http://88-w.com/2wfNIkX
http://cinephilia.site/euUQe7E


SHA256s for Epoch 1 Payload EXEs seen on 09/12/18

78cab845b041d60868a8da045da24e4325001869e10b0cd1390c541a3a05e50a
340bb7b4e5f330ad42b43e9de18cf022426bf57b124505f330ac74f7aac11b08
2361529901c112d32820e7cebfac7a7b331e9b813cd2172fd7cab4d24507bdb4
076e8ad159d8bacb34a1583ac256ce241cae859d1081bdb66edcf32c763b35b7
bca62ef55eacb2967d37e215750aefa1046fe44b835f5fa983f9d88593e7b149
13ae4280dbd5181e1b8661cc2eeeaf0428237237c65ea260bb87b037ab6770e3
6bf0e33039d941ec51bb9ea49153256acad062d7cf8f1d3150c29e8b1d89311a
11979f97d187449e8290d173093a03364d5759723df72f33edb5d0f7b52cbd8b
9ceb075be5d0698533a02169fb974a7dc6feff846cc4caa8e27d83263b67a559
68518dca9efc8a8099e07e4828f1fdef0268846c76beae8cc4043f5beb99251d
fcb4ddb8e1a15cdb0029274c93838971d854ef88507e00a47c9a75af47b33b81

Epoch 2 Payloads by Document SHA256 - All Times UTC


Creation Time	2018-09-12 19:47:00
SHA256:

http://mooremakeup.com/k
http://crossroadstamp.com/0
http://ntsuporte.com.br/kl5
http://oooka.biz/RaQOFhRM
http://parusalon.ru/idb

Creation Time	2018-09-12 15:52:00
SHA256:

http://knightsofacademia.com/TtHVXp
http://muake.com/Cw8MhRxr
http://mirvkartinkah.ru/VDs0
http://metromowing.net/Gslc6ae
http://mkf24.ru/0k

Creation Time	2018-09-12 11:14:00
SHA256:
044a2b9e6a0be09bc6585ad92d9d6a7e01dc1f2c1fc3515e9d9c01ccc13d2c3c
dada5516d0aef7eaeda59fdcec58d6f1fdee81fe6f0e788b7de7520179509b7b
b2440b1d075a8403727ed2bcf1d83efe634fa0ffd82741f790236e84255a32d8
780d9ad9aa868306545a76bd777668496644b2beb55ae8d334c5f3d296c61c1c
047a324e6a663a9eb38e4f59f69e48fa52a869fc800fee6641a4dfc09af65db0
ea8dba08b3a950db78076bf7bcd42dd9410ab5b87a344cf4051c5fb072dac165
4bed35a9bb290c3f8cc8fe5f9e07c2564df7d05339c4e014d9f841596a8ab589
2ceb81f9c7601592ac7b99888c1c7611f0cb9053aed8a7a9306078f4c1d9fb92
27b1c48e85c13f3657f2e2a9cc66f88c19da1d0897f6fa70ef973a29d927c3c9
0200b4306f5988c16ae8c9396c637b2c1568f6ce0171208d38fb8e16b7f50467
8ef9d93170ffa2038bf90f10704e6a6f4f6e7b11442ae6a19c668196aaa1d0b3
e3b917f7df6c946754d2ff47da033ae3b6788ed08cfda5955fa47fd9ea9312e1
b832ec000e0e2eb79cf090b1c550f7a6482c03fdb4adeaee4f1c9eafe2f34868
ffd1ca4e1fe3148d5e376c0468074b84bf8d8d52e83d8331ec8ffc462c992731
3b2b671c4a8bc6b89c34645e7e0c8fa04133c933d2770397390b8cdcb77bb6bd
54e448e8162a08a86c0f12ef53c2febba5fde9f382dfda1b7013f2ca5c7bda7f
022592898ba39fa243f35d8d338b5b0fc33c7d31af97b109bb04077c25a6e511
199352fd1f41003a32397df2ce3d2b380f14b3f316c85041e9abddcff7b7c0bd
789e53d308553907756b35d0321d1780906ffc0c6f9dec5462dc4be7823762a4
afa502ea96e7e238f51169686f05d29d2603e3a80f4d677ba90d293a5ff5a3d3
980595ba0f4687c8c114bedcdefc993f4d92ba183865ec263a71892737f317da
eeb70ff1aa4477c325260f569e35fb22cb0cf1fa2da11d1508db12f4f84987b8
874c4105a4609af1cac382c4f8b299da6c1628871ec0f3e80f48cc6962dae534
d4482c6be7b3208e3668f55f40b2207dfe7acd33c26f93e7100757827eafe66f
729a8c95dc8106fcd1372c21f5e6d159efaa86e355c3e9be61016be362776dad

http://moblemanmohamad.com/2z
http://marocshirts.site/WaJ
http://kursy.shop/7
http://kroha-vanna.ru/I
http://karpiel.info.pl/QS6o3Vr

Creation Time	2018-09-12 08:05:00
SHA256:

http://mail-grouping.com/17
http://kasrasanatsepahan.com/zQEEvR
http://kosmetologkiev.com.ua/9HUeW
http://www.kidsnow.at/baDO2
http://leblogdubilandecompetences.com/EJ0elmK

Creation Time	2018-09-12 00:25:00
SHA256:

http://3l-labs.com/uWZUE3
http://goldsellingsuccess.com/E
http://hotellaspalmashmo.com/AyBl
http://heritage-contractors.net/RcZVm
http://euro-kwiat.pl/2q1TT

SHA256s for Epoch 2 Payload EXEs seen on 09/12/18

74e426f6b6a5657d937e78bac99afeec3bc3e8870248dbd3de33340cb39e59a4
8fe07bed8ebc43bf188282d2db7a0044855d88a8695a72507165a05479189465
Trickbot ae30387d627548d906dda271843482beb92df4053a765bfb50cef3c3fc13375d
fd9f05ef88e39f448ca590e116841f2ba04b0403a1dce2d7874fe72f07d79d5b
6f1a1528f048916d8de6c0b3c7475aaab36f42bca415a1f04d48e229542c78cd
4f0e15ef963334fd112ccf2f24702e0eaa71a002da81d5663e5c8ec59d18d6a5
87458125a55b3783ef76701a2dcbea766dc8bbd2768cf89c5f170ca4149f8bfc
b8d53325f6e9192830b26695b637b2942dbd2063b801e6882aabeafb94807874
56da7f3aa2f8f0cc77653779eedcc10250409e4d16833c553c81470c6ade4126
3ecaf3b7fb4b7ad7815c609e4cc5799fb22bd2d6b1a1313b8e5ef6bb3f9af100

Epoch 1 C2s by port

* indicates new/returned since last posting

*20:

80:

443: 198.199.185.25 49.212.135.76

*465:

4143: 217.13.106.203

7080: 139.162.237.94

8080: 104.236.25.85 133.242.208.183 139.59.242.76 178.63.118.195

8090:

8443:

50000:

Epoch 2 C2s by port

* indicates new/returned since last posting

*20:

*22:

80:

443: 106.187.52.135 118.244.214.210 138.201.197.13 153.122.38.158 185.97.32.6 199.119.78.9 199.119.78.23

*465:

*995:

4143: 222.214.218.192

*7080:

8080:

8081: 62.75.143.128

8443:

Credits and Notes Section

Updated 7/13/18 WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch, because they rock and report everything to ISPs as soon as it is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture: https://pastebin.com/u/jroosen

NOTE: The doc DL URLs are now in alphabetical order. The community lists below may contain content I do not have in my list. I am providing them for your benefit in case you want to parse them to be sure.

UPDATED (08/31/18): Epoch 1 is back! It has been on the scene for several days in a row!

What are Epoch 1 and Epoch 2? Epoch 1 and 2 are two distinct chains of payloads that I have been tracking for a couple of weeks now. Epoch 2 is currently the larger group of hosts and I think it is the main push of Emotet. Epoch 2 WAS a smaller, more rapidly changing version of Emotet that tended to change the hash of the document every 45-60 minutes and sometimes had new payloads that fast also. Epoch 1 seems to change payloads every 3-6 hours now, and hashes sometimes change as fast as every hour. Epoch 1 may now be the development chain, but I am not 100% sure what they are up to.

Checking either epoch's hosts at a point in time will deliver a document whose payloads are different from the other epoch's. That means Epoch 1 may have payloads a, b, c, d, e and Epoch 2 will then have z, y, x, w, v. Sites sometimes move from one epoch to the other, but I have never seen the same exact directory go from one epoch to the other. It is always a new directory for the change in epoch, as far as I have seen.
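
A parser for the layout of this post (doc DL URLs, then per-epoch document groups keyed by Creation Time, payload EXE hashes, and C2s by port with the * new/returned marker), added here as an example that is not part of the original post or its author's scripts. It also checks the claim above that the two epochs never hand out the same payload URLs at a given instant, and flattens the C2 lists into (ip, port, epoch) rows for a blocklist. The excerpt it runs on is constructed from values in this post; the headers it keys on are the ones used here, so it will need adjusting if the layout changes.

```python
import re
from collections import defaultdict

HASH_RE = re.compile(r"\b[0-9a-f]{64}\b")
URL_RE = re.compile(r"https?://\S+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TIME_RE = re.compile(r"^Creation Time\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$")
EPOCH_RE = re.compile(r"^Epoch (\d) (Payloads by Document SHA256|C2s by port)")
EXE_RE = re.compile(r"^SHA256s for Epoch (\d) Payload EXEs")
PORT_RE = re.compile(r"^(\*?)(\d{1,5}):\s*(.*)$")   # "*465:" marks a new/returned port

# Constructed excerpt in the layout of this post; every value is copied from the lists above.
SAMPLE_POST = """\
Seen only in .doc attachments.
http://110.164.86.203/wp-content/uploads/0761DHP/PAYMENT/US/
http://1eight1.com/FILE/US_us/Overdue-payment/

Epoch 1 Payloads by Document SHA256 - All Times UTC
Creation Time\t2018-09-12 21:06:00
SHA256:
b967b161ca4f18a30268ef7f6dff604d93edc59367ee7bab5e81360748a9732f
b967b161ca4f18a30268ef7f6dff604d93edc59367ee7bab5e81360748a9732f
http://taltus.co.uk/EP4L639
http://quintacasagrande.com/EJSAsCD

SHA256s for Epoch 1 Payload EXEs seen on 09/12/18
78cab845b041d60868a8da045da24e4325001869e10b0cd1390c541a3a05e50a

Epoch 2 Payloads by Document SHA256 - All Times UTC
Creation Time\t2018-09-12 19:47:00
SHA256:
http://mooremakeup.com/k
http://crossroadstamp.com/0

SHA256s for Epoch 2 Payload EXEs seen on 09/12/18
Trickbot ae30387d627548d906dda271843482beb92df4053a765bfb50cef3c3fc13375d

Epoch 1 C2s by port
* indicates new/returned since last posting
443: 198.199.185.25 49.212.135.76
*465:

Epoch 2 C2s by port
443: 106.187.52.135
*7080:
8081: 62.75.143.128
"""


def parse_post(text):
    """Split the post into doc-download URLs plus, per epoch, document groups, payload EXE hashes and C2s."""
    out = {"doc_urls": [],
           "epochs": defaultdict(lambda: {"documents": [], "exe_sha256s": [], "c2": {}, "new_ports": []})}
    section, epoch, group = "docs", None, None   # everything before the first Epoch header is doc URLs
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := EPOCH_RE.match(line):
            epoch = int(m.group(1))
            section = "payloads" if m.group(2).startswith("Payloads") else "c2"
            group = None
        elif m := EXE_RE.match(line):
            epoch, section = int(m.group(1)), "exes"
        elif section == "docs":
            out["doc_urls"].extend(URL_RE.findall(line))
        elif section == "payloads":
            if m := TIME_RE.match(line):
                group = {"created": m.group(1), "doc_sha256s": [], "payload_urls": []}
                out["epochs"][epoch]["documents"].append(group)
            elif group is not None:
                for h in HASH_RE.findall(line):       # the post sometimes repeats a hash; keep it once
                    if h not in group["doc_sha256s"]:
                        group["doc_sha256s"].append(h)
                group["payload_urls"].extend(URL_RE.findall(line))
        elif section == "exes":
            for h in HASH_RE.findall(line):           # a word before the hash ("Trickbot") is the author's label
                out["epochs"][epoch]["exe_sha256s"].append({"sha256": h, "label": line.replace(h, "").strip() or None})
        elif section == "c2" and (m := PORT_RE.match(line)):
            star, port, rest = m.groups()
            out["epochs"][epoch]["c2"][int(port)] = IP_RE.findall(rest)
            if star:
                out["epochs"][epoch]["new_ports"].append(int(port))
    out["epochs"] = dict(out["epochs"])
    return out


def payload_overlap(parsed):
    """Payload URLs served by more than one epoch; per the notes this should be empty at any instant."""
    per_epoch = [{u for d in e["documents"] for u in d["payload_urls"]} for e in parsed["epochs"].values()]
    return set.intersection(*per_epoch) if len(per_epoch) > 1 else set()


def c2_blocklist(parsed):
    """(ip, port, epoch) rows for every listed C2, in a shape a firewall or IDS rule generator can consume."""
    return [(ip, port, epoch)
            for epoch, e in sorted(parsed["epochs"].items())
            for port, ips in sorted(e["c2"].items())
            for ip in ips]
```

Ports listed with no address (such as *465: above) are kept in the epoch's c2 map with an empty list and in new_ports, so a consumer can still see which ports the tracker flagged even when nothing is currently live on them.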

Community Lists

https://pastebin.com/N6LrwQBm - @ps66uk
https://pastebin.com/298XVqRi - @pollo290987

Credits

(OC and combination work)
Doc DL URLs - @unixronin, @ps66uk, @avman1995, @dms1899, @Bitterman59, @pollo290987, @James_inthe_box, @malware_traffic
C2 info - @pollo290987, @unixronin
Payloads - @AmirRedh, @unixronin, @ps66uk, @pollo290987, @James_inthe_box, @dms1899, @MalSpamHunter, @Bitterman59, @malware_traffic

Special thanks to @unixronin, @pollo290987/@ps66uk for creating scripts and helping me out with all of this! Very special thanks to @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch and @Virustotal!

Daily Log

We are going to try some new stuff soon with getting this info out. I got several hundred malspams today, some in French, some in Spanish and others in English. All of them were attached docs and E2 as far as I could tell. Honestly it is pretty dumb, because nothing gets through the SMTP gateway when it has a macro. Hoping to have time to share some samples tomorrow.

Sandbox 09/12/18

(all with fakenet and MITM unless spam/secondary infection)

Epoch 2 deploying Trickbot around 06:38 - https://app.any.run/tasks/26021a01-6159-464b-ad7c-dd74373b7c47

Epoch 1 C2 run as of 09/12/18 at 23:45 - https://app.any.run/tasks/7e4e19ca-3fa3-4b39-bfed-dcf761dc0b2a

Epoch 2 C2 run as of 09/12/18 at 22:14 - https://app.any.run/tasks/57ae42fe-3e3a-4b14-bc47-fc85bdd8f9a0