Daily Emotet IoCs and Notes for 11/06/18

Emotet Malware Document links/IOCs for 11/06/18 as of 11/06/18 23:59 EST

Notes and credits are now at the bottom. Follow me on Twitter @jroosen for more updates.


http://153.126.197.101/En_us/Documents/112018/
http://209.97.182.51/EN_US/Details/2018-11/
http://209.97.186.248/En_us/Payments/11_18/
http://3kepito.hu/En_us/Details/11_18/
http://aborto-embarazo.com/EN_US/Transaction_details/112018/
http://alliance-rnd.com/EN_US/Attachments/112018/
http://alumni.poltekba.ac.id/US/Transaction_details/2018-11/
http://amnisopes.com/En_us/Information/112018/
http://appafoodiz.com/En_us/Clients_transactions/2018-11/
http://azatamartik.org/US/Information/2018-11/
http://bandarbola.net/US/Clients_transactions/2018-11/
http://binckom-ricoh-liege.be/EN_US/Payments/11_18/
http://blueboxxinterior.com/US/Attachments/11_18/
http://camlikkamping.com/SpryAssets/En_us/Information/112018/
http://centomilla.hu/US/Transaction_details/112018/
http://cine80.co.kr/wvw/US/Clients_information/2018-11/
http://clabels.pt/EN_US/Clients_information/2018-11/
http://corporaciondelsur.com.pe/US/Transaction_details/2018-11/
http://cressy27.com/En_us/Documents/2018-11/
http://curatioconsulting.com/US/ACH/112018/
http://dietmantra.org/En_us/Clients_information/11_18/
http://digirising.com/En_us/Transactions-details/11_18/
http://divineempowerment.co.uk/En_us/ACH/2018-11/
http://dmas.es/US/Details/11_18/
http://ezset.vn/wp-content/uploads/EN_US/Transactions/112018/
http://familybusinessesofamerica.com/EN_US/Attachments/112018/
http://fert.es/EN_US/Clients_information/112018/
http://fincabonanzaquindio.com/En_us/Transaction_details/11_18/
http://forzashowband.com/EN_US/Clients/2018-11/
http://georgew.com.br/US/Information/112018/
http://gnhe.bt/US/Documents/112018/
http://goodday.life/US/Information/112018/
http://graywhalefoundation.org/US/Transactions-details/112018/
http://hartmannbossen.dk/En_us/Attachments/11_18/
http://hawaiikaigolf.com/US/Clients/112018/
http://hirewordpressgurus.com/EN_US/Transaction_details/112018/
http://hsrventures.com/En_us/Clients_transactions/112018/
http://i4c.com.br/US/Transactions/2018-11/
http://icbccaps.com/En_us/ACH/112018/
http://ichangevn.org/EN_US/Transactions/112018/
http://lagrandetournee.fr/archive/leblog/wp-content/EN_US/Attachments/2018-11/
http://lemar.home.pl/manager/En_us/Transactions-details/112018/
http://mohandes724.com/En_us/Details/2018-11/
http://mydatawise.com/wp-content/uploads/2016/12/EN_US/Attachments/11_18/
http://nemanischool.com/US/Clients/11_18/
http://numidiatalent.com/EN_US/Payments/112018/
http://okrenviewhotel.com/En_us/Details/11_18/
http://planosdesaudebrasilia.net.br/EN_US/Documents/112018/
http://riverwalkmb.com/US/Attachments/2018-11/
http://smartalec.org/wp-content/uploads/En_us/Documents/11_18/
http://sociallysavvyseo.com/US/Payments/11_18/
http://sparklecreations.net/US/Clients/11_18/
http://testingweb.in/En_us/Clients_transactions/11_18/
http://tomas.datanom.fi/ovning/US/Payments/112018/
http://valerialoromilan.com/En_us/Payments/2018-11/
http://waraboo.com/EN_US/Payments/11_18/
http://waverunnerball.com/EN_US/Payments/11_18/
http://www.anyes.com.cn/En_us/Payments/112018/
http://www.binckom-ricoh-liege.be/EN_US/Payments/11_18/
http://www.centomilla.hu/US/Transaction_details/112018/
http://www.civciv.com.tr/US/Transactions/112018/
http://www.dtoneycpa.com/En_us/Clients/2018-11/
http://www.fire42.com/US/Clients/112018/
http://www.fromjoy.fr/EN_US/Clients_transactions/112018/
http://www.gurkerwirt.at/En_us/Payments/112018/
http://www.jaonangnoy.com/US/Attachments/11_18/
http://www.nemanischool.com/US/Clients/11_18/
http://www.planosdesaudebrasilia.net.br/EN_US/Documents/112018/
http://www.prochembio.com.ar/EN_US/Information/2018-11/
http://www.tempodecelebrar.org.br/En_us/Clients_transactions/11_18/
http://www.tntnation.com/EN_US/Transactions/2018-11/
http://www.waverunnerball.com/EN_US/Payments/11_18/
http://www.youngprosperity.uk/US/Transactions-details/2018-11/
http://xn----8sbapodaesd1agaqpl1cf4s.xn--p1ai/EN_US/Transactions/2018-11/
https://waraboo.com/EN_US/Payments/11_18/
https://www.paubox.com/attachment/M2D0xhRbJVUZ2LT87q5lmA&5db6745f7437225b8ff3ffaae6cacafc/


http://128.199.223.4/996383R/SWIFT/Personal/
http://18.188.218.228/upload/candidateattachments/036VBQEL/com/Personal/
http://18.219.13.62/08RN/oamo/Smallbusiness/
http://209.97.181.170/Nov2018/En/Outstanding-Invoices/
http://209.97.182.137/doc/En_us/New-order/
http://209.97.188.186/2Q/SWIFT/US/
http://35.167.6.44/0455GPLCNXSV/PAY/Commercial/
http://40.114.217.184/988338DUAZJ/oamo/Smallbusiness/
http://777ton.ru/DOC/US_us/Scan/
http://adsdeedee.com/1358285S/BIZ/Smallbusiness/
http://advantechnologies.com/5075217PMV/BIZ/Commercial/
http://aes.co.th/web/wp-content/upgrade/newsletter/US/Inv-867015-PO-5O966375/
http://afan.xin/2610121O/w3KIL5BQMJQWmVS37I/Jly2jVS/SEP/Firmenkunden/
http://ailes.vn/5536114OBQ/SEP/Business/
http://alakhbar-usa.com/xerox/En_us/Inv-27037-PO-3Q297161/
http://altaredlife.com/logssite/INFO/US_us/Question/
http://april-photography.com/229643LMFKOQF/PAYROLL/Personal/
http://aquastor.ru/18FLK/BIZ/US/
http://athena-finance.com/LLC/En_us/Invoice/
http://bemnyc.com/Nov2018/US/Past-Due-Invoices/
http://benchmarkiso.com/24IYXQCHNP/biz/US/
http://bezrukfamily.ru/398TOJXVGT/com/Smallbusiness/
http://bgtest.vedel-oesterby.dk/3810430RP/PAYROLL/Commercial/
http://bigbubble.info/32XKCQYQ/SEP/US/
http://bioneshan.ir/MS0aZikP55Hi8kfX/biz/Privatkunden/
http://blogforprofits.com/files/En_us/Paid-Invoices/
http://bobfeick.com/INFO/En_us/Paid-Invoice-Credit-Card-Receipt/
http://borggini.com/11XW/SEP/Smallbusiness/
http://brasileirinhabeauty.com.br/Document/En_us/Invoice-for-s/o-11/05/2018/
http://brazilianbuttaugmentation.net/11997OLJVY/BIZ/Business/
http://cabdjw.gov.cn/wp-includes/2021ACJTULJK/SWIFT/US/
http://calenco.ir/sites/En_us/Paid-Invoices/
http://canetafixa.com.br/8TKX/SEP/Smallbusiness/
http://carminewarren.com/newsletter/US_us/Invoice-Corrections-for-15/54/
http://casavells.com/6369PUAVMCH/BIZ/Personal/
http://c-dole.com/9771DRBLPRX/biz/Smallbusiness/
http://centr-maximum.ru/49DHSEJUEJ/SEP/US/
http://cheapnikeairmaxshoes-online.com/Eri8G1MTcmqDYNau9Plb/SWIFT/200-Jahre/
http://chefshots.com/57953PMYDYHBV/SWIFT/Commercial/
http://chstarkeco.com/Document/EN_en/1-Past-Due-Invoices/
http://colexpresscargo.com/8303LYBIHV/com/Business/
http://conceptsacademy.co.in/wp-content/uploads/2018/files/US/024-13-180753-957-024-13-180753-943/
http://cosmoservicios.cl/Download/US/Invoice-Number-67833/
http://cursosmedicos.com.br/pi2x3B4MLstgwrSVLk/SEP/Firmenkunden/
http://dentistry-cosmetic.ir/5762663XNMS/identity/Commercial/
http://deus-ruiz.com/7751085UPWUEEEA/BIZ/Smallbusiness/
http://djlilmic.com/84025BMQKXYDV/BIZ/Personal/
http://dssa.ch/xerox/US_us/Service-Report-06000/
http://eam-med.com/yu1NGEY29TZ9v/BIZ/Service-Center/
http://easywork360.com/pNUp6fELQp2eSJv2GQ6/biz/Firmenkunden/
http://elfgrtrading.com/sites/En_us/Summit-Companies-Invoice-0759166/
http://emilyxu.com/847XLUFEIHG/BIZ/Personal/
http://envidefenders.net/89B/com/Business/
http://espaceurbain.com/79XH/oamo/US/
http://exclusiv-residence.ro/78PHBVLIA/oamo/Smallbusiness/
http://fantastika.in.ua/3616974KVTNZUT/PAYMENT/Commercial/
http://fastdelivery8v.com/716494BTDDV/SWIFT/Smallbusiness/
http://fd-interior.com/sitefiles/032ODAQQ/oamo/Commercial/
http://felipeuchoa.com.br/wp-content/uploads/DOC/US_us/Invoice-receipt/
http://fglab.com.br/LLC/En_us/New-order/
http://fmlatina.net/scan/En_us/3-Past-Due-Invoices/
http://foreverprotect.uk/7062223E/PAYROLL/Smallbusiness/
http://fredrikcarlen.com/WcYVPCmr6qHsIKRrn/SEP/IhreSparkasse/
http://garamaproperty.com/scan/En_us/Sales-Invoice/
http://garrystutz.top/440371CWSRU/ACH/Personal/
http://gauravmusic.in/613H/com/Personal/
http://gazpart.ru/fxUPCDLOlifGsHAlT/de/Privatkunden/
http://giacongkhuynut.com/wp-admin/1TGZ/oamo/Commercial/
http://gilmarnazareno.com.br/BhWwli/BIZ/Service-Center/
http://gondan.thinkaweb.com/xza7raHUtzHwrvhbldQ/BIZ/Service-Center/
http://gotoestonia.ru/88665UFDWWT/PAY/Business/
http://governmentexamresult.com/Document/US/Sales-Invoice/
http://gpschool.in/wp-content/346733I/ACH/Smallbusiness/
http://greaterhopeinc.org/wp-content/6710TTJVC/SEP/Commercial/
http://greenamazontoursperu.com/LLC/EN_en/Open-Past-Due-Orders/
http://grille-tech.com/hj4M3FfcISLL6fdUo/BIZ/Privatkunden/
http://groupesival.com/Nov2018/En_us/Overdue-payment/
http://gsverwelius.nl/2961970VYBAPQ/oamo/US/
http://gueben.es/INFO/EN_en/Document-needed/
http://gularte.com.br/modmyford/DOC/En/Invoices-attached/
http://gundemhaber.org/3499016Z/oamo/US/
http://hanastudio.tk/files/US/Paid-Invoice-Credit-Card-Receipt/
http://happymodernhouse.com/cIucgAvsM3Q7ldKovgT/DE/PrivateBanking/
http://heheszki.online/files/En_us/Paid-Invoice-Credit-Card-Receipt/
http://help-win.ru/2272LXO/ACH/US/
http://hexadevelopers.com/Download/US_us/Past-Due-Invoice/
http://hockeystickz.com/100NOCQ/SEP/Smallbusiness/
http://homebakerz.com.au/hG5sm76mEjQMCzGLn/SWIFT/PrivateBanking/
http://hoookmoney.com/9063846YAEJLLUZ/biz/Commercial/
http://iberias.ge/25TS/WIRE/Business/
http://ibws.ca/347GS/ACH/Commercial/
http://ifcingenieria.cl/1OYWTTSOC/PAYMENT/Smallbusiness/
http://imefer.com.br/96500B/identity/Smallbusiness/
http://imperialdayspa.com/Nov2018/EN_en/Overdue-payment/
http://indoqualitycleaning.com/58G/BIZ/Commercial/
http://inpiniti.com/backup/xe/6BQBQHMJ/com/US/
http://inter-tractor.fi/9312XDBPPZGY/BIZ/Personal/
http://joghataisalam.ir/76077JBG/PAYMENT/Personal/
http://jurist29.ru/2J/SWIFT/Commercial/
http://kamadecor.ru/JDv1aZ5Q/DE/Firmenkunden/
http://kensummers911burnsurvivor.com/79JGIBTBMB/PAYROLL/Commercial/
http://legal-world.su/qmB9mXRB/de_DE/200-Jahre/
http://lesbonsbras.com/1492174TEPTU/PAYROLL/Commercial/
http://lmetallurg.ru/831063SSI/identity/Business/
http://luchars.com/3317479BDHAUO/WIRE/Commercial/
http://machupicchureps.com/scan/En/Open-Past-Due-Orders/
http://mactransport.ca/552558KI/PAYROLL/Personal/
http://madartracking.com/285921AC/com/Business/
http://maggiegriffindesign.com/712QQL/ACH/Commercial/
http://martabadias.com/8481483FGDDG/PAYROLL/Commercial/
http://meleyrodri.com/xdYdvDnPM24m9e/de/IhreSparkasse/
http://netsupmali.com/231VVBNBMY/com/US/
http://nga.no/91985U/biz/Personal/
http://nikbox.ru/24926SQ/identity/Commercial/
http://nordengineering.ru/7749U/oamo/Personal/
http://nutdelden.nl/6WDMMPBQ/ACH/Personal/
http://nutrilatina.com.br/files/En_us/Sales-Invoice/
http://onlinetabeeb.com/27DMOI/WIRE/US/
http://pandastorm.com/wp-content/uploads/63BFZTHGNX/com/Commercial/
http://paulapin.com.br/FFxqsP1wKhDLi5H/biz/200-Jahre/
http://peacesprit.ir/2130268ZJWCL/PAYMENT/Commercial/
http://peconashville.com/INFO/En_us/Service-Report-20333/
http://pibuilding.com/6547LNPZL/PAYROLL/Commercial/
http://pirilax.su/6ZW/PAYROLL/Commercial/
http://piros85.hu/6638ISU/SEP/Business/
http://pornbeam.com/eVsCvwP/4AY/8QVYJ/PAYROLL/Business/
http://prevlimp.com.br/4569987JLJMY/PAYROLL/Business/
http://protech.mn/oIud4R2yII/SWIFT/Firmenkunden/
http://prva-gradanska-posmrtna-pripomoc.hr/0599AOLG/PAYROLL/Commercial/
http://raeesp.com/hUc77ZvQQxq/de/Privatkunden/
http://reklame.ru/7665310VEYLGBNW/biz/Business/
http://restaurant-intim-brasov.ro/21681UE/WIRE/Smallbusiness/
http://retailtechexpo.cn/en/wp-content/wp-rocket-config/scan/US_us/Scan/
http://rovesnikmuz.ru/3963XAZVJJ/PAY/Smallbusiness/
http://sightspansecurity.com/2116087XSAIUMSI/ACH/Personal/
http://skyhouse.ir/8515XOEI/oamo/US/
http://smartcare.com.tr/smartcarecoaching/1ZAAIZGLH/SWIFT/Personal/
http://speakwrite.edu.pe/language/scan/En_us/Need-to-send-the-attachment/
http://sprolf.ru/1155670A/BIZ/Smallbusiness/
http://stroy-naveka.ru/6181613DOWZ/PAY/Personal/
http://studio-olesia-knyazeva.ru/535HUDQ/ACH/Personal/
http://swiftsgroup.com/default/En/Outstanding-Invoices/
http://terapibermainpelanginarwastu.com/bcmK7ucEF/biz/Service-Center/
http://test.vic-pro.com/newsletter/EN_en/Outstanding-Invoices/
http://theitalianaccountant.com/7C/oamo/Personal/
http://torneighistorics.cat/INFO/EN_en/Invoice-Number-85412/
http://transfer-factori.ru/o2l5v5kAY72hVnEmB44c/biz/Service-Center/
http://ultigamer.com/wp-admin/includes/INFO/US/Important-Please-Read/
http://volminpetshop.com/16BEVDPAK/PAYMENT/Personal/
http://womendrivers.be/scan/US_us/Open-Past-Due-Orders/
http://www.24complex.ru/2AYX/com/Commercial/
http://www.aquastor.ru/18FLK/BIZ/US/
http://www.athena-finance.com/LLC/En_us/Invoice/
http://www.buthimisrael.ru/5IDQWZFO/com/US/
http://www.cabdjw.gov.cn/wp-includes/2021ACJTULJK/SWIFT/US/
http://www.conceptsacademy.co.in/wp-content/uploads/2018/files/US/024-13-180753-957-024-13-180753-943/
http://www.cursosmedicos.com.br/pi2x3B4MLstgwrSVLk/SEP/Firmenkunden/
http://www.dermainstant.com/dkH4TT2/BIZ/PrivateBanking/
http://www.eam-med.com/yu1NGEY29TZ9v/BIZ/Service-Center/
http://www.elieng.com/3494990NHWRR/com/Personal/
http://www.emens.at/787PUJDLOM/com/Personal/
http://www.espaceurbain.com/79XH/oamo/US/
http://www.fmlatina.net/scan/En_us/3-Past-Due-Invoices/
http://www.greaterhopeinc.org/wp-content/6710TTJVC/SEP/Commercial/
http://www.greenamazontoursperu.com/LLC/EN_en/Open-Past-Due-Orders/
http://www.iclikoftesiparisalinir.com/99284VBA/PAYROLL/Smallbusiness/
http://www.inac-americas.com/21M/PAY/US/
http://www.machupicchureps.com/scan/En/Open-Past-Due-Orders/
http://www.maggiegriffindesign.com/712QQL/ACH/Commercial/
http://www.maxarcondicionado.com.br/4934C/PAY/Personal/
http://www.niveltopografia.com.br/7QVJKHH/SEP/US/
http://www.norraphotographer.com/43922MJRWD/ACH/US/
http://www.nttdelhi.com/183028NJREXDX/identity/Smallbusiness/
http://www.nutdelden.nl/6WDMMPBQ/ACH/Personal/
http://www.reklame.ru/7665310VEYLGBNW/biz/Business/
http://www.sahinhurdageridonusum.net/96399M/SWIFT/Business/
http://www.stetechnologies.com/wp-content/cache/ZHbvccwmX5lYfLWJ/SEP/Service-Center/
http://www.tangfuzi.com/562498CHTL/biz/Business/
http://www.torneighistorics.cat/INFO/EN_en/Invoice-Number-85412/
http://www.villaviola.be/xerox/En_us/Invoices-attached/
http://www.westvolusiaaudubon.org/2018885SXG/PAYROLL/Personal/
http://xn--80agpqajcme4aij.xn--p1ai/51TFMV/ACH/Smallbusiness/
http://xn-----8kcbcubc0cfh6a2am9f7cg.xn--p1ai/815734WLPDJ/biz/Personal/
http://xn----8sbgfx0akenvq.xn--p1ai/uIC8n4Y9j/DE/IhreSparkasse/
http://xn----gtbreobjp7byc.xn--p1ai/32NNLUEIY/com/Commercial/
http://yasinau.ru/0KMBMkQMMptet4/de/Privatkunden/
http://yogahuongthaogovap.com/default/En_us/Paid-Invoice/
http://zakazroom.ru/932634Y/identity/Personal/
http://zalco.nl/76BWXKGCT/PAY/Business/
https://sightspansecurity.com/2116087XSAIUMSI/ACH/Personal/
https://www.espaceurbain.com/79XH/oamo/US/
https://www.retailtechexpo.cn/en/wp-content/wp-rocket-config/scan/US_us/Scan/

Epoch 1 Payloads by Document SHA256 - All Times UTC

Creation Time	2018-11-06 17:33:00
SHA256:
45650e8a960d610cce0124776a014e860aa1d01c9c5f74f92c999976429e259f
7832be1f190f86bb0ee10f4eea5972c6931b447d80983ec2b2a0e276838e324c
e6f52b35e880dd7f6b1940b5af97d2775d0cb85ae2a819b38f83d870cd2308ba
f8048acff43553ce49cd28393b4b6449ed82a480c2093541306d4b75947e9f77
2209389b1a6c9be3206f4578da7f9dab11c4384227b1f36095d2200f03000cba
0f758da68c34348b2b926b711918d5311e3f8243df01f2ed473f79ac66f07cde
e5a2b993060b7a4bc7f9c2da1498cbc5e9f6e3b93079a07f25e4ab40acd62445
bf7b2f5dcced88e0f79b4041eb4a449c2e1f223054f4b14914bbca628d135814
09bb722313812eb3aadf644562a7ae013de4f1ff00a9253c8b181bedb5d8c54c
5699d6b894cbf2bc6c8a30575854846e04b7514c266b8037f15b1fad089370cc
a2cfe0a6a9efbd8d2fba5992d12574ed4e26ed7346a45db4269d6b219873897c
7b24f8e0b67e19bb4939ccb4bcc81c897070610fbf2fc6bd7d94be2f563ca56d
fccf6e8860f97417952aaff7af7eaae91e2424e0aa3747ffc6fdf7dd41041492
2a8d5590f2965daecbac994cb7a924f070935eae7b1c8ce11d6ebe10c9b2c9bc
fc777827faaa77903a896ae493cb0f45feb0deb17ea41b4cd32acbf3e60bfdf8
0ea9a88103b0effa133f71b10b6ae760def5107936ebabee47f33b2205944853
f8461516223d2de5298d0f6b00face6855d9801b7b970c91dfc62e9545361b1d
ab77205ab22b935037165edc9c77372e0c9273dfa72094ac30dacb0af72465e5
6eb412246c1d0c24ff6e359da8111e85c5d8ac34324c41df40143e6d39bfd322
5eda0e9970f72b80e97c9f7c79472b752faed3abd1b05555d442c34339bdddc9
72b838f86c915c645ca505f7e9506c916fe66052e358a37e7b70b3e0a14ba5db
fc048b04dc8a13fba792e2caa5b50f5fe95c5d78855c74cbc5c93fdf0d398853
c730fca41b5fe4bf1bda93f3563fd802ebea62b92dce0be1601feba8139f61a5
783825e7ea9bdd6f15c533185ecf4b2056cae76b806253f13d6362d180d3674d
528ea86eaf014de4edf23460006f8cdff14824296552cf2f9db3d1ad03a2880f
ecd992117410d1a83ae3acca3499415387d7f3f73125de93c61c55426c2c36a8
ef51d764bb7d2e0b15bc2c001b63db7577246d2c6c7fa287b4ef982bda4610a7
f0378cf2b4d5016d2931722a2f7dbbf30bc34f98a21b94762a161dbb1d5fa4d9
2aba409bab2990d7e48372698f361ce745b77b1b69924f14e3d713cfedf5c497
917f3a7ce76bc19f628d4f15de93147b1dc1f475d26e67085b3ea03d603816c9
fccd13c75a41121cde11d2d6643089dd9a7c097c5aa4c5e9bf888d6fca694e8f
2bfdcf011abdd59343167efccf9a944fd9ca41f78f8802d8fe0d817d05ae96fb
528f46d8484d438cdbfb0e5140122317b2f72293850cfc94bf9e7ab1e901543a
3e4744aad12831952cc8fa7bcdefef0c5594010f91e02843b232d52772ec797b

http://www.seosyd.com/IyThn3I
http://www.upex.ee/vqUuJ3B7
http://micheleverdi.com/Fbestfz
http://www.prevencionplus.com/BuLyc2HKL
http://www.gerrithamann.de/hP2IldM


Creation Time	2018-11-06 12:14:00
SHA256:
http://gpa.com.pt/omklzG2kK
http://learn.jerryxu.cn/crgc24d
http://sleepybearcreations.com/5nUucV3v
http://fyzika.unipo.sk/data/geo/agent/wav/MrPZyYA
http://lovalledor.cl/5JU7HH8s3T


Creation Time	2018-11-06 07:12:00
SHA256:
http://stupenikms.ru/DYCUAgOYO
http://www.hunkeler.ru/E4L4Aymxd
http://superpipe.ru/5Or9I6A
http://hleshutters.nl/wl3QcsjZPi
http://royalsecurityinc.com/K87nKS9K

Creation Time	2018-11-05 22:29:00
SHA256:

843c1fe674b3e9eb335d85a912cc6d60b6078ab5c37c42cecdf685251fd49dd9
cab23263b362fa91defea23ddd7eb031ea3628d729bb69a52b83b82271c6c805
439262713d5bd769aa57b0583345c282559d8df97e55bcd1cc8f333610ee9d8c
b09973ba175d1aa3c0cc9d5b984efebc5eb4d1ec7158fb9a07aa922c49a7e5e6
ad3781adce18959a883e43e6d3d03a264388f9c8bf99df96cda11131a63371f9
963a56189aa5044872c4098de4887037aa41382d0019085fd1ce308b851a7033
8056c7745ea48a8f0063f86a68fd2b31c1f508ae4c01dda615934f99ce0bd769
7bc72a8b1db7005daa42ad4ba06c4626876b489f89394e9acd445c6383ea0922

http://keywestartistmarket.com/OaM1uBg
http://cadenas.com.br/30A6rlp
http://krmar.ru/9qiWCR4b
http://shababazm.com/v675zUP
http://andrzejsmiech.com/UZpCXUkk

SHA256s for Epoch 1 Payload EXEs seen on 11/06/18

1a7bd1d94378d796c1ea205c34f6406729965cada3c5f83dce6222f905e5f025
d24c71e51f0e0db98f27dfc859f87cceb22d8228d8c5d4fff5e915181784550a
87d0b764f2670d2373470d8becad7f26301e206f00b5f35391ab4a38e94ec524
b56785cb168999551833be9e89d3fa131a2673ce64a8d2db7dbbc600e14e0073
81cdab5150543a94cfe38434940903a7f8a8a58274a59c53fe40106ebe02bed0
90f34dea4e15702a4f7769a9dd661af25715f4448e18e79f4427ecdea4331338
c590250012f3ea11a27cad255522f5d27ca078798851a7e3981631d503cd130c
eb91d1056887455568ddb81e366ca7f1e7cb6a3aed7f2864b90757c4915bfe99
cd3f1e29307c19ef820c5bae4adbac58f3992ee59f25d101362c7643afafb28d
8c5efb398abacf6d2a98d1a5cd7c9145b558a88e3e8ba376f23943d38a7e531f
378169933c79fcd1f58730af2f0f6bd2d1c7d7191bb1997aedd128d902f038a3
3cd191b9e8bf6b7c0850f801888be51eb151555a4a4f17b241ceddfc023912c3
fc827cc316bed89bc28ca909640814eaa241c03a9d1286dc6b8f7d645ff72f36
b019488ac710d8529377c9b3bfc2c8d0d6444b73bf44b9f95174645163836f60
8218646258f86c30feed2278629ac747102c9f91b6442d465669eb4aade9f827
3f9d6c29995dbc28b91e0d30b63cfb7f7cf42d050949355b0b62293b76327568

Epoch 2 Payloads by Document SHA256 - All Times UTC


Creation Time	2018-11-06 19:20:00
SHA256:
http://www.sudanhelp.org/8MLtpx
http://feratotogaz.com/QC
http://cyannamercury.com/CBx
http://ashtangafor.life/N09JBN
http://www.alefbookstores.com/hxk

Creation Time	2018-11-06 16:30:00
SHA256:
http://ampdist.com/AEZf
http://aldo.jplms.com.au/eWykVvYj
http://colombiaagro.com.co/EZLOpSOF
http://www.sastudio.co/AU4fI
http://mabnanirou.com/oG

Creation Time	2018-11-06 11:56:00
SHA256:
2ee6bea3c759dfb82e373bc39c4c7727ab0fff582b60c0308ce64c4d9b44343e
39b664c0a66bd1ba471dc56ebf1874f5fdb100c1c1d073ddd7e72fbb3b5aaeb0
4c31192025d56bbbcaf32f9682dbc1c089d077b621af79c64b5d77c997188b13
ba7831ef4351d22ebf58c8fb80b5dcf5bcfb5538359f89078681f3e940408f4e
4e27800f1daaf78f092ee393e00037ce2d19a94a901362e2e57f84d22575264b
aa0c7c934be1a9c95e64571030471dfe732049b23f5623bc1ab4defc6914dd03
41f1d8d35ad8ef07e6528886081ed4ec7cfbf156ff7a791720a2e4e497e5a138
4dcd10383a894b466726e89a81bee82cb6c8cb7ef50c288e6aa177ffb2fbf367
4b79531c9d9535c1d742ce507428929b98ae1b4bdf759b0c60280b00f99c6ca1
aa658cf9a05090d916e3097d2537bc04252cab539dd72d6325f06ced60cfdf65
9cf9fd4d74877643ff00b1f85e91fc8cce2ce2a0371f50f6ed80ac686547ad59
f486dca2a2004fb6aa8d16e446f002983e3bcb935269b1f8029c64e67d854a5d
8af710a9c25e7e66a52d4eed35f6f6a2b86264bbf8b446d45f44f50121a2c767
42a94da72f7b97475490d2f94e8dd70a3dd7b588abb35b1e7117bd7ea222c3e9
7dea873846f6abbcadb1bee7bc97daba8dbb54da74e3ab429c60611a1d0204bd
e5945fa407c5ff63afca3200368fc64abdb3c8e46350d9c038ee7a2073b8eed0
c3be1905b25964d488e5ce44eb4331b44058c01e640aeafdac4b571191289e63
10d13d95c03cc3f6db0b17c47dcccd5c7da63983542511ae33fdbca278a42837
b03108166a830ac4264d69783fea22b969def845534af6657a31c0fe1f0269b6
453788934caed42fcd69131a9ce250509356b66e10cffb8d218ec2be49f2b10d
33e3447fff8de6a489bbbf5998b25de0fd71b7067db9efb02d867674b4d24755
c8745c4ba4a1c2121ab50355cc3672a748632a563e08da319b7cf6f740a7732c
e4847906283f4facfaa7e97f2304935851223b5bd5c3dc0eb70fcdbd92733efd
dc0b8731ceef54a88e6c1a8691f9b54d9b614e12ec83deb12c67ee6e83d8ac6f
1e105f89b77b13224ae58aa6445dd71df058da1358adc73d9548abaae9cf1f77

http://www.seo1mexico.com/12vRC
http://budapest-masszazs.hu/MFX
http://alhussainchargha.com/jBVBSY
http://bryanwester.com/q
http://taman-anapa.ru/rV


Creation Time	2018-11-06 07:28:00
SHA256:
http://www.sicfms.com/sybnoK9
http://blog.comjagat.com/wp-content/mWdx
http://1412studiodm.com/xGDA0q
http://staging.bridgecode.co.uk/wQr0hzU
http://lipetsk-pivo.ru/h

Creation Time	2018-11-05 17:18:00
SHA256:
http://tlextreme.com/orsOyz
http://vanherreweghen.be/I
http://www.camenisch-software.ch/ynlTz
http://sh2017.chancemkt.com/Vg07
http://www.tzen2.com/wp-content/8xR

SHA256s for Epoch 2 Payload EXEs seen on 11/06/18

Epoch 1 C2s

(Port is 80 unless noted)

128.193.56.169:443
133.242.208.183:8080
139.59.242.76:8080
148.103.7.242:7080
159.65.76.245:443
165.227.213.173:8080
186.10.17.186:443
186.20.217.236
190.124.166.113:8080
190.17.44.48
190.90.100.228:8080
192.155.90.90:7080
198.199.185.25:443
200.21.90.6:8080
201.111.74.224:7080
210.2.86.72:8080
210.2.86.94:8080
213.48.239.192
217.35.82.190:7080
23.254.203.51:8080
24.117.165.162:50000
24.37.218.86
37.120.175.15
45.73.110.62:8080
47.225.131.10
47.34.43.223
49.212.135.76:443
5.9.128.163:8080
69.198.17.20:8080
76.65.166.252:7080
81.20.87.205:443
81.214.108.10:443
90.75.137.228:50000

Spam/Stealer C2s


47.157.181.81:443
24.161.14.157:443


Epoch 2 C2s

(Port is 80 unless noted)
104.205.121.6:8090
115.71.233.127:443
136.56.103.201
139.162.151.141:8080
149.167.86.174:990
153.122.38.158:443
160.2.24.88:990
174.55.139.78
174.70.176.45:8080
182.180.77.215
189.190.61.232
190.92.37.171:7080
199.188.66.157:8080
200.194.26.234:443
211.115.111.19:443
217.13.106.160:7080
217.174.206.181:443
222.214.218.192:4143
24.59.228.182
39.112.243.65
45.123.3.54:443
45.42.31.50
45.59.204.133
46.163.76.187:8080
5.230.147.179:8080
67.177.71.77
67.205.149.117:443
69.198.17.7:8080
70.50.196.234:8080
72.73.221.66
73.31.237.56:443
75.128.237.42
78.47.182.42:8080
81.7.10.106:7080
83.222.124.62:8080
84.200.106.120:8080
95.141.175.240:443
98.102.182.2:8443
98.142.208.27:443


Epoch 2 - Spam/Stealer C2s

50.100.215.149:50000
70.62.224.226
202.175.188.154:8443

Credits and Notes Section

Updated 7/13/18
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch, because they rock and report everything to ISPs as soon as it is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture: https://pastebin.com/u/jroosen
 
NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list. I am providing them for your benefit in case you want to parse them to be sure.
 
UPDATED (08/31/18): Epoch 1 is back! For several days in a row it has been on the scene!

What is Epoch 1 and Epoch 2?
Epoch 1 and 2 are two distinct chains of payloads that I have been tracking for a couple of weeks now. Epoch 2 is currently the larger group of hosts, and I think it is the main push of Emotet. Epoch 2 WAS a smaller, more rapidly changing version of Emotet that tended to change the hash of the document every 45-60 minutes and sometimes had new payloads that fast as well. Epoch 1 seems to change payloads every 3-6 hours now, and hashes change sometimes as fast as every hour. Epoch 1 may now be the development chain, but I am not 100% sure what they are up to. Checking either epoch's hosts at a point in time will deliver a document whose payloads are different from the other epoch's. That means epoch 1 may have payloads a, b, c, d, e while epoch 2 will have z, y, x, w, v. Sites sometimes move from one epoch to the other, but I have never seen the exact same directory go from one epoch to the other. It is always a new directory for the change in epoch, as far as I have seen.

Community Lists


https://pastebin.com/qmAFpWnB - @James_inthe_box
https://pastebin.com/H8Yy07eC - @ps66uk
https://pastebin.com/m35BucVQ - @pollo290987
https://pastebin.com/q85x4edf - @unixronin


Credits

(OC and combination work)
Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, @0xtadavie
C2 info - @unixronin, @MalwareTechBlog, @ps66uk, @Techhelplistcom, @pollo290987, @malware_traffic
Payloads - @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz, @pollo290987, @malware_traffic

Special thanks to @2sec4u, @unixronin, @pollo290987/@ps66uk for creating scripts/servers/infrastructure and helping out with all of this!

Very special thanks to @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch and @Virustotal!

Daily Log


Saw some German-language body malspam early this morning EST, and then there was a gradual switchover to English. I am also seeing E1 sending links now.

17:00 - updated C2s for both networks. E1 was basically the same as last night.

Saw evidence today of E1 dropping IcedID and E2 dropping TrickBot. Seems like we are up to the old tricks again. This was seen by a few different people, including @malware_traffic, @MalwareTechBlog, @0xtadavie, @pollo290987 and @bry_campbell among others. Here are some of the posts about it:

https://twitter.com/malware_traffic/status/1060036757784276992
https://twitter.com/pollo290987/status/1060013334957879301
https://twitter.com/MalwareTechBlog/status/1059846207235739648
https://twitter.com/pollo290987/status/1059823559294492673
https://twitter.com/0xtadavie/status/1059806577040019456


@0xtadavie also had some templates shared for Emotet spam: https://pastebin.com/RgjnPCDv

23:59 - Found all I can. I am out of time; till tomorrow.

Sandbox 11/06/18

(all with fakenet and MITM unless spam/secondary infection)


Epoch 1 C2 Run as of

Epoch 2 C2 Run as of
