Emotet Malware Document links/IOCs for 09/13/18 as of 09/13/18 23:59
Notes and Credits are now at the bottom. Follow me on Twitter @jroosen for more updates.
Epoch 1 Document/Downloader links seen for 09/13/18
Seen only in .doc attachments.
Epoch 2 Document/Downloader links seen for 09/13/18
http://110.164.86.203/wp-content/uploads/3SFQJLDG/identity/Commercial/
http://198.61.187.137/project/86AYMJ/com/Commercial/
http://1energy.sk/20QSVKI/SWIFT/US/
http://2x2print.com/404700RTYT/SEP/US/
http://abakus-biuro.net/8539JHLOM/PAYROLL/Business/
http://aile.pub/online.refund.Dvla.tax31000838/7GYOFZTT/PAYROLL/Personal/
http://alabd-group.com/77EKMMGZ/BIZ/Business/
http://alwaysaway.co.uk/doc/En/Paid-Invoices/
http://amanita.com.my/903XOZ/PAYMENT/Business/
http://apicecon.com.br/09012NQNFL/ACH/Smallbusiness/
http://ardan.net/766646CVIO/PAYMENT/Smallbusiness/
http://arianrayaneh.com/multimedia/4842RSTT/PAYROLL/Personal/
http://bangkoktailor.biz/87CJSYV/PAYROLL/Commercial/
http://bavmed.ru/DOC/US_us/Invoices-Overdue/
http://bfs-dc.com/91964Z/PAYMENT/Business/
http://bhgjxx.com/temp_6bd6c6c42b5ae81a4aa32aa263d99731/7351KFBDB/BIZ/Personal/
http://binfish.ru/Sep2018/US_us/Past-Due-Invoice/
http://blockcoin.co.in/files/EN_en/Paid-Invoice/
http://bramlvx.com/544VXZXGHZ/PAYROLL/US/
http://byacademy.fr/8706937YGVMNXM/PAYMENT/Smallbusiness/
http://callansweringservicesoftware.com/Download/US/Service-Report-40234/
http://casellamoving.com/69VQINXXJO/PAYROLL/Smallbusiness/
http://challengerballtournament.com/418416IFUJ/biz/Personal/
http://cleverspain.com/9QJAAPWCD/PAYROLL/US/
http://collaborativeeconomyconference.com/55887OPVDW/oamo/Smallbusiness/
http://cqfsbj.cn/8440684LVDKMWSR/PAYMENT/Commercial/
http://cuentocontigo.net/5647VKHPSPV/SWIFT/Commercial/
http://damiro.de/8EXFB/SWIFT/Smallbusiness/
http://dansha-solutions.com/7574AFQXZHK/PAYMENT/Smallbusiness/
http://daveandbrian.com/535287ONSAJHOA/identity/Smallbusiness/
http://demicolon.com/dvrguru_revoerror/image/53LA/SWIFT/Business/
http://demo.5v13.com/7498QLQMJLSN/SWIFT/US/
http://demo1.lineabove.com/789075RLRZBZFZ/oamo/Personal/
http://downinthecountry.com/048XUQTPIV/identity/Personal/
http://duanvinhomeshanoi.net/000NAIDPEJ/BIZ/Smallbusiness/
http://duratransgroup.com/1721558FYLUIW/BIZ/US/
http://egomall.net/537173GAPZ/ACH/Personal/
http://elidefire.my/9367677BZCEQILW/PAYROLL/Business/
http://europroject.ro/3482AE/PAYROLL/Business/
http://exxot.com/47BSUIJP/SEP/Smallbusiness/
http://faratfilm.pl/86NH/PAYMENT/Business/
http://farmasi.uin-malang.ac.id/wp-content/935ACFZSO/identity/Commercial/
http://farozyapidenetim.com/907041JXJMTHC/identity/Commercial/
http://fluorescent.cc/default/En/Outstanding-Invoices/
http://folio101.com/29859NATGFOHJ/PAYROLL/Commercial/
http://furnfeathers.co.uk/5IUIMNRBK/PAYMENT/US/
http://g7wenden.de/Document/En/Document-needed/
http://grupoembatec.com/4166240YQ/WIRE/US/
http://hotelnoraipro.com/7932969XCYUKCM/PAYMENT/US/
http://httpyiwujiadianweixiu.xyz/Corporation/En/Service-Invoice/
http://imcfilmproduction.com/319952SLB/WIRE/Commercial/
http://ingebo.cl/Document/EN_en/Inv-566468-PO-8B393306/
http://ingridkaslik.com/48NJTKNT/SEP/Commercial/
http://inmayjose.es/614K/SEP/US/
http://jealousproductions.co.uk/6JHJYPMY/PAYROLL/Business/
http://jtjdoprava.sk/146FEIYQZ/PAYMENT/Business/
http://jxbaohusan.com/408019WUPITIGG/PAYROLL/Personal/
http://karkasdom.dp.ua/7705752ZMA/BIZ/Personal/
http://kdsk.ru/823VOKKH/identity/Commercial/
http://kpopstarz.kienthucsong.info/Corporation/EN_en/Outstanding-Invoices/
http://krasrazvitie.ru/3870029HXHQBIM/PAYMENT/Personal/
http://kuganha.com/3365EPXTN/PAYROLL/Business/
http://lauraolmedilla.com/doc/En/Sales-Invoice/
http://leedye.com/6NP/PAYMENT/Personal/
http://leulocati.com/297WQR/BIZ/Commercial/
http://loristjohns.dabdemo.com/default/US_us/8-Past-Due-Invoices/
http://lulagraysalon.com/220695DTM/PAYMENT/Smallbusiness/
http://madarpoligrafia.pl/DOC/En_us/FILE/US_us/Scan/
http://mail.vivafascino.com/470MXIBGD/SWIFT/Business/
http://mainpartners.eu/6287508P/oamo/US/
http://making-money-today.club/8827362NKRM/com/US/
http://maxi-kuhni.ru/579653B/SWIFT/Commercial/
http://med-up.pl/INFO/EN_en/Invoice-for-e/w-09/12/2018/
http://mobileappo.com/LLC/En_us/Invoice/
http://momentsindigital.com/8EGAAMVT/PAYMENT/Business/
http://myafyanow.com/4YWMKOO/PAYROLL/Smallbusiness/
http://mywholebody.net/Document/En_us/ACH-form/
http://navyugenergy.com/wp-content/uploads/9OAXTTZV/SWIFT/Personal/
http://newsite.iscapp.com/8973101JF/PAYMENT/Smallbusiness/
http://nisho.us/23375MIQP/WIRE/Commercial/
http://plasdo.com/MNXfUEtpo/702DXQ/PAYROLL/Commercial/
http://premiereplasticsurgerylasvegas.com/0WBBL/WIRE/Commercial/
http://prideagricintegratedfarms.com.ng/Sep2018/EN_en/Service-Invoice/
http://prova.upyourfile.net/xerox/En_us/Need-to-send-the-attachment/
http://ruralinnovationfund.varadev.com/5VSQTTY/ACH/Business/
http://sellitti.com/8063779O/PAYROLL/US/
http://sernet.com.ar/doc/En_us/Invoice-for-x/b-09/12/2018/
http://signaturestairs.co.uk/984987KRRLUM/SEP/Personal/
http://slajf.com/files/galeria/4614PZOJAL/SWIFT/Personal/
http://soloanimal.com/55549LFBVBNXQ/PAYROLL/Business/
http://soo.sg/epigami.com/blog/wp-content/uploads/2013/0931016LMVHF/com/US/
http://stoobb.nl/default/EN_en/Inv-28167-PO-5S286034/
http://summerlandrockers.org.au/0277YRFNQ/PAYMENT/Commercial/
http://suportec.pt/files/US/Need-to-send-the-attachment/
http://theme.colourspray.net/6220KZTRUR/PAYMENT/Personal/
http://thepinkonionusa.com/249J/PAYMENT/Smallbusiness/
http://tienphongmientrung.com/5408919R/PAYROLL/Business/
http://valenciahillscondo.com/9694129WNFY/SWIFT/Business/
http://valletbearings.com/831652JSXS/com/Commercial/
http://versusgas.com/00BRSU/identity/Smallbusiness/
http://versusgas.com/Sep2018/US_us/Open-Past-Due-Orders/
http://vinastone.com/994WFILE/58AKWKTYMF/WIRE/Smallbusiness/
http://vinmeconline.com/4TE/PAYMENT/Business/
http://vong.info/wvvw/5FM/SWIFT/Business/
http://webhall.com.br/526319JZGQK/SWIFT/Commercial/
http://website.vtoc.vn/demo/hailoc/wp-snapshots/087849VTPT/com/Business/
http://www.africimmo.com/886MIF/SWIFT/Personal/
http://www.demicolon.com/dvrguru_revoerror/image/53LA/SWIFT/Business/
http://www.duanvinhomeshanoi.net/000NAIDPEJ/BIZ/Smallbusiness/
http://www.insurance4beauticians.com/Download/En_us/Summit-Companies-Invoice-9782424/
http://www.mainpartners.eu/6287508P/oamo/US/
http://www.offshoretraining.pl/0550248TOU/SEP/Commercial/
http://www.teateaexpress.co.uk/9080980KHKLW/PAYROLL/Business/
http://xn--b1axgdf5j.xn--j1amh/671GOTAHY/PAYMENT/Commercial/
http://xuatbangiadinh.vn/588261LQO/PAYMENT/Personal/
Epoch 1 Payloads by Document SHA256 - All Times UTC
Creation Time 2018-09-13 16:15:00
SHA256:
8b3e7b0cd5c83967782bb2aa41996b97e8badd89b43171a48e7b28f94f443c7c
76b69f93b5532b1d050b38537035eee5c1aae94690d716aa96a1b926c36e6816
9a719afc937416f57b260e195384cb89fd72388fb25afe7e392063e5d06d4696
http://familiekoning.net/Sw51duCIY
http://website.vtoc.vn/demo/hailoc/wp-snapshots/JeHXbk6WzM
http://librusfan.ru/271vNHA
http://tomas.datanom.fi/testlab/VJ1t3ol
http://altarfx.com/8Es5z7sVJL
Creation Time 2018-09-13 10:03:00
SHA256:
http://vladetel.org/iDFxArAC
http://vgd.vg/7MN5ZO8D
http://madisonda.com/7klY6V30Z
http://detss.com/3SHTOtr
http://btesh.net/pQvrfzK
Creation Time 2018-09-12 21:06:00
SHA256:
a06bc650b069bbc9c3e5cc234acc67e7ab22e38746120eaaf7be7d0bcfebc42f
2a8c2ebeed73c172d347af258a0ade7ebc73d29897797d25f9c6259cdfeff059
6b1af34b51c15c8736ae891ca2e037bc118e531f72cf3917e2b4e37ed14e461d
3f4d0ab5723f2200e245b149d8e8ee9665d3d0a7868ce938061f197429999153
b967b161ca4f18a30268ef7f6dff604d93edc59367ee7bab5e81360748a9732f
http://taltus.co.uk/EP4L639
http://quintacasagrande.com/EJSAsCD
http://glswp31.sprintsoft.ro/Y3IzCHzqIb
http://vkontekste.net/f1OSAuOu5S
http://dovgun.com/x7tDH1jMd9
SHA256s for Epoch 1 Payload EXEs seen on 09/13/18
a74967811f710d6c2d2d6d2e061e14d9bbf6e61646ecd580715ad40088e3dea7
5ed869578abcc9f9e4983adc3482394f231b2144a36a34be75694f4280fa4581
fcb4ddb8e1a15cdb0029274c93838971d854ef88507e00a47c9a75af47b33b81
82e4585f249339dd5a4a38b526e705d8b5a23a51bc2ea4fd2f9bcd979bef8f7e
2a24d5d2fb44adb3eeb4d2d5d031ebef0c43f316922e186eaf12a852ea8dcd60
78cab845b041d60868a8da045da24e4325001869e10b0cd1390c541a3a05e50a
Epoch 2 Payloads by Document SHA256 - All Times UTC
Creation Time 2018-09-13 22:24:00
SHA256:
bb96154cb4c626418818c1159dd38038fc88261375c76c321cb90e0382618356
d8d62e64a5af68e3aa0844b8556577e12634a6570948a4cbd98ceaad7731d1ad
6521ea29a65d135ae2979e8ffcbaf70089ffb260de6f6558db1ebf8294106d80
c3f2233ec52a49433a093f5e83ea01228c7088ead6cef9b914543b2268085bc6
83a36e458172a563eed121b9423f7f255b5cacd96a323086484a193a92131a94
f298f4c8151700d3be8c7b0176abbe3f53a1651fa682e647c27cf6b5092dc5fe
9349ca5c47141bc0277a0dd9f25c5767e7d6378057c985488ccd3b4b552a25da
a5207d69b06370cac30aa2f58046957fd42810ca4efd0b67dcd8f05f9179e7c4
07cfea6b95c5394dabb083033dad126eaee6c553e015c00960f8f329d64807a5
27795a1f8929bda0569f58f10730b59ea02c13f276b55a2b8cf8b0af68ba9f9c
9e1aa204229316126c9c36888efe8116c383ee37e7ca858fcfc52eeb33e6ec01
9abdce46e8797388d7fb880707085b2d43fba6f67e68bda260379f6f8e66d619
56be3018493c1b5f47eddfbd3ae3309607dfe38aef9a20f75835acac73dd082b
da31738c4b7beaa1cfa7a0a8c47344fafc434416811e1ea12a725bcb10679090
04fc0253af169117c8ff80e1cab523aaf9b974d9dda2ffd17cc50c515fed1226
3db7160117739cd1ea76bcb1b53457c840f029a46a8fedfe33757953d01e71cd
91b105504038a4b273df18623e4de9eae1d98f1ae9a219d46d8f942689776d19
4bbb79a95ba782a7367045789b6859f2913d8ae965209fd1829fd2206da1a73a
68b01d54c485e4de4b6aa0d992b19f0eff0ec43ca876faff5626a67085135d57
476d751d78531b1edc5d777e514c2b1a8d50914ec76f7f16ad68bfec66784f15
http://gawus.com/klRialoB
http://connecteur.apps-dev.fr/H1
http://alliance-rnd.com/hYXxoC
http://artwellness.net/j
http://wiratechmesin.com/X
Creation Time 2018-09-13 20:12:00
SHA256:
79eb8ce2f6e869a1583b04fe69318a6d7d125022d96b5ee2e02adb27c9b09bbd
e2b32187eeb3cd795da983342d10d6fef613e3363531444ae0ac5cab34553d5b
37f1ef7cba41c87894336943d3df8f77c799c8e0a913724372fee51b3b2f1359
4872f6d67a370ffaf1a8757a7d7eaa576b017d6a41ffdaee1e540359d80fb113
0916518b86d9538eba1f68130f630b27c21d7a6c8f4f2d419d1f26b470fc757f
8b808398cdf8bcb4dd059f8ae734fe5239594105ad4faacd6af89cf2bff68f32
http://kaijiang001.com/xxwBiLY
http://ericsweredoski.com/C
http://www.tri-solve.com/4ZO
http://onlinelegalsoftware.com/RPtWwdec
http://www.ultigamer.com/wp-admin/includes/d
Creation Time 2018-09-13 14:57:00
SHA256:
1b1ca3aea7d761a91bb5dd9ac97b353320d065e08717fcabe0805eb0d9938c1b
824cb5f6f65d9e89f3fa79881bb8d41dd01089c25650eab57529c31eab46e798
8216b9bc7350597d772829a02f9ceaff4518c500f53588e88968c3ce21e0e9af
62d1d44a050ece5500a42b4a07dff0a7d11993f0469df963941313100020e962
0a35426736c00f1093d093059da49ac42b23113ea8019bcacf6769d5227dc795
5eb986d05ad832897acbc13e870ee4f2971f1901374615a41ee2f5f5fe91d68f
1c84d3a7b02bd30a0884d5a0ff5840f77490945045ae7b8055d408e8ec6de8ab
94cfd057c941845ed5bacf9290f6bd2f79311ed8fe0c9207ff13526df0efc7d0
1e87808f2a505c93cf95345d43b97124d655eb080d1263b785e08d3fe0bf206c
e65548a144aeee2445a1ace2d57cb61582e904de973258056b6c4d55132a6343
80f27d7dfd3852253c47a67f11ee4cea9bb12a5370955ab32161bff0b189bb14
9955c6478408b2946ef1a557151fa68e28515bf07c1db05d0628963eea640141
d4ed9ec5c2d5b17b5b2b28955c7dc1125a3376ea8e11d09a58f25d2ecdf6cfbb
a7c54acf17f914288c551a6899259791047fec21d9705a7585be988227189837
1936f0ec1ecf544285fc94a531e77e608a3abe0eaab1d19632f247c7ba5acf7e
59651746ec22f0186a7ddaf454b1b858bf07b5197b411d7c485a9d6800db8e2b
0b3a20990ab9038b3964eb55717f1a15c25354a97945e2bbbee47995d5a233c1
d108c4d7f9196112cb655063e9c3587380428deb543953be6250799355ed99ef
4f3b20b026bdadbc5b9744834db42bf6858f4a238068f44f335967461755578a
http://dbsunstyle.ru/U2MAj
http://valorpositivo.com/10Zu2p4
http://institutodeidiomas.ulp.edu.ar/wp-content/uploads/5k0l
http://atklogistic.ru/jB75CAA
http://itray.co.kr/wp-content/B6b2J
Creation Time 2018-09-13 10:11:00
SHA256:
http://newspectiveaddress.com/rOTph
http://lariotgrill.com/2z8FmXgi
http://akgemc.com/fsHYxx
http://webartikelbaru.web.id/3ykDP
http://artikeltentangwanita.com/L8097n
Creation Time 2018-09-12 19:47:00
SHA256:
http://mooremakeup.com/k
http://crossroadstamp.com/0
http://ntsuporte.com.br/kl5
http://oooka.biz/RaQOFhRM
http://parusalon.ru/idb
SHA256s for Epoch 2 Payload EXEs seen on 09/12/18
214d0fede2c22de3a9e8803ceaf6ff520a5e6ee24d29dd54d0be664c32be42fc
f797a8568c12e957271041dbb846f00945b4b734c2d8fec2d584da1a5746dea3
69bdc32fab30602af0d819e4961e7d1e909dce4fe653278dc2e9c80c66f993f4
5870b8085afcf093a83add8e93cb632783f0b25eb443c51475b57ca2ff90e1a4
5b91f4f734c4bc4873766a9d537cc9ce9682596e54ef51597fedfa82b0dd8d37
Trickbot 825fd92d285d77a6184f447337bac2386ffa94e321de018fb86b0fcd615daee4
330a58a04a5aef9c8f511a4eb55adf4bedcd3143a35b94c201cc88fd1b9a990d
74e426f6b6a5657d937e78bac99afeec3bc3e8870248dbd3de33340cb39e59a4
Epoch 1 C2s by port (+ indicates new/returned since last posting)
20:
- 108.53.148.199
- 70.184.148.77
+22:
- 72.50.72.164
+53:
- 201.244.125.210
80:
- 181.123.205.219
- 189.151.46.3
- 200.105.149.226 37.120.175.15
- 96.242.246.128
- 96.245.253.186
443: 198.199.185.25 49.212.135.76
4143: 217.13.106.203
7080: 139.162.237.94
- 87.114.250.38
8080: 104.236.25.85 133.242.208.183 139.59.242.76 178.63.118.195
- 190.189.12.16 203.198.129.4 210.2.86.94
- 220.253.68.95
- 71.45.208.246
8090:
- 98.229.127.243
8443:
- 69.70.248.98
50000:
- 96.23.80.242
Epoch 2 C2s by port (+ indicates new/returned since last posting)
20:
- 74.196.132.156
80:
- 177.230.98.10
- 187.177.53.149
- 189.131.48.195
- 199.48.135.55
- 201.146.20.110
- 201.163.74.202
- 64.194.68.19
443: 106.187.52.135 118.244.214.210 138.201.197.13 153.122.38.158 185.97.32.6 199.119.78.9 199.119.78.23 211.115.111.19
- 68.15.57.174 95.141.175.240
465:
- 162.154.32.144
995:
- 64.250.162.198
4143: 222.214.218.192
8080:
- 115.47.147.24 146.185.170.222 157.7.164.23
- 190.6.195.244 69.198.17.7
- 76.70.25.209 78.47.182.42 84.200.106.120
8081: 62.75.143.128
Credits and Notes Section
Updated 7/13/18 WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch, because they rock and report everything to ISPs as soon as it is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture: https://pastebin.com/u/jroosen
NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list. I am providing them for your benefit in case you want to parse them to be sure.
UPDATED (08/31/18): Epoch 1 is back! For several days in a row it has been on the scene!
What are Epoch 1 and Epoch 2? Epoch 1 and 2 are two distinct chains of payloads that I have been tracking for a couple of weeks now. Epoch 2 is currently the larger group of hosts and I think it is the main push of Emotet. Epoch 2 WAS a smaller, more rapidly changing version of Emotet that tended to change the hash of the document every 45-60 minutes, and sometimes it has new payloads that fast as well. Epoch 1 seems to change payloads every 3-6 hours now, and hashes change sometimes as fast as every hour. Epoch 1 may now be the development chain, but I am not 100% sure what they are up to. Checking a host from either epoch at a point in time will deliver a document whose payloads are different from the other epoch's. That means epoch 1 may have payloads a,b,c,d,e while epoch 2 will have z,y,x,w,v. Sites sometimes move from one epoch to the other, but I have never seen the exact same directory go from one epoch to the other. As far as I have seen, it is always a new directory when a site changes epoch.
Community Lists
Credits
(OC and combination work)
Doc DL URLs - @unixronin, @ps66uk, @avman1995, @dms1899, @Bitterman59, @pollo290987, @James_inthe_box, @malware_traffic
C2 info - @pollo290987, @unixronin
Payloads - @AmirRedh, @unixronin, @ps66uk, @pollo290987, @James_inthe_box, @dms1899, @MalSpamHunter, @Bitterman59, @malware_traffic
Special thanks to @2sec4u, @unixronin, @pollo290987/@ps66uk for creating scripts/servers/infrastructure and helping out with all of this!
Very special thanks to @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch and @Virustotal!
Daily Log
Turns out I tripped the spam filter on Github and my account was flagged for manual review, and that was the real issue. It was re-enabled this morning quickly after I explained the issue to support. Good experience with support so far, and night and day compared to Failbin.
Today I saw a few more Doc attachments from epoch 2 and most of them were in English this time. There was not the volume we had on previous days and it seemed like activity was backing off today. Also there was a change in the VBA macro obfuscation that @unixronin documented in his post: https://pastebin.com/jsKUQ9QA
It is worth noting that this week we have seen both epoch 1 and 2 dropping Trickbot. If you run the payloads near 5-8am EDT for a significant number of minutes, it seems you will likely get Trickbot.
Not much else to speak of so far and we will see what tomorrow brings.
Sandbox 09/13/18
(all with fakenet and MITM unless spam/secondary infection)
Epoch 1 deploying Trickbot at 06:39 https://app.any.run/tasks/fd35ae0e-21cf-4b5e-8697-b92e3023be88
Epoch 2 deploying Trickbot at 05:30 https://app.any.run/tasks/de3a7c15-bf5e-4eb0-bd9c-f6528c2387f8
Epoch 1 C2 run as of 09/14 at 00:30 https://app.any.run/tasks/4c91df1f-37e9-4383-b0b4-b1fbec507d18
Epoch 2 C2 run as of 09/13 at 23:15 https://app.any.run/tasks/afe1515a-7f87-4386-b779-644c4185b33a