Daily Emotet IoCs and Notes for 11/12/18

Emotet Malware Document links/IOCs for 11/12/18 as of 11/12/18 23:59 EST

Notes and Credits are now at the bottom. Follow me on twitter @jroosen for more updates.


Seen only in attachments today.


http://128.199.223.4/51MG/oamo/Smallbusiness/
http://153.126.197.101/WltxzbAkLT/de/Service-Center/
http://184.154.53.181/chatlocaly_live/8824H/WIRE/Commercial/
http://1stniag.com/i8IGzz/SWIFT/PrivateBanking/
http://afan.xin/A6qpY0G/
http://akademiya-snov.ru/4LoEOSs4HE4bkaWcoMMo/SWIFT/IhreSparkasse/
http://albertacareers.com/0Nmtw/
http://alkazan.ru/83832LZQ/com/Personal/
http://alliance-rnd.com/QhJl8nQ4/SEP/IhreSparkasse/
http://altaredlife.com/954675G/com/US/
http://altarfx.com/hEEYJq5ERA/
http://anyes.com.cn/28UKARLIFN/PAY/Smallbusiness/
http://arbaniwisata.com/wp-admin/DKKBEUPW/de/IhreSparkasse/
http://artpowerlist.com/bS1bZHvr/
http://artzkaypharmacy.com.au/zNY1qCETQqcfglg/SEP/200-Jahre/
http://ashtangafor.life/ftx8UtMemcl/
http://astro-icsa.ru/S3L820b9YmqG/de_DE/IhreSparkasse/
http://automation-magazine.be/7iOPTHf/
http://b2streeteats.com/E5yC0sw59X4PFh0/SEP/Service-Center/
http://bandarbola.net/4KMA/PAYMENT/Personal/
http://bezrukfamily.ru/vjIUIkAuXx/biz/PrivateBanking/
http://blackdesign.com.sg/uQ5rguYN2BRT4nSs/de_DE/Privatkunden/
http://bo2.co.id/qIWAwHyATEm/SEPA/200-Jahre/
http://bolumutluturizm.com/281165HZ/oamo/Smallbusiness/
http://branfinancial.com/18F/com/US/
http://carisga.com/HvvLztIB32R/
http://casellamoving.com/096498ODHDZMH/PAYROLL/US/
http://charliefox.com.br/pM99Ir8db/
http://chefshots.com/JuODcIg0eD/
http://chstarkeco.com/tcndvtp/
http://cidadeempreendedora.org.br/wp-content/upgrade/4x25/
http://cine80.co.kr/wvw/8132AHNYO/SWIFT/Smallbusiness/
http://cleaningprof.ru/LrwpWB5/
http://clickdeal.us/0bfubJVeEEEn6vOdLA/SEPA/200-Jahre/
http://clubcoras.com/649BRQJNXK/SEP/Smallbusiness/
http://cuoichutchoi.net/wp-content/uploads/Wj22J2Jc/DE/IhreSparkasse/
http://custommedia-wp.nl/76EWKFESY/PAY/Personal/
http://cyannamercury.com/81MQIQV/ACH/Smallbusiness/
http://davidjarnstrom.com/I2XUphxVvDb2xe9ai1x/de/Privatkunden/
http://djeffries.com/nanawlotfy0QauuHFd/biz/Service-Center/
http://dorsetcateringservices.co.uk/8wIxtQ3k8lRj6x/SEP/Privatkunden/
http://dzunnuroin.org/eXWGz2nzw4/
http://easterbrookhauling.com/335888FAWKB/SWIFT/Business/
http://emilyxu.com/cxDjtxJd/DE/Privatkunden/
http://emilyxu.com/Ww5xbKnM/
http://enginesofmischief.com/BFwVHW1VL0/
http://espaceurbain.com/nvW27loez/
http://fepestalozzies.com.br/WhP/
http://fire42.com/4327973OZXPQOK/SEP/Personal/
http://futuregarage.com.br/VeOy/
http://fyzika.unipo.sk/site/9YDvpp4U7/SWIFT/Service-Center/
http://gsverwelius.nl/4LHTYE/BIZ/US/
http://gueben.es/pr7RRYlowjIMG/de_DE/Service-Center/
http://hciot.net/9DRVed/
http://hoookmoney.com/GUzrooM93/
http://ibws.ca/4KixZknmCW3lpvozCbC/de/200-Jahre/
http://iclikoftesiparisalinir.com/AiF52tK6sNenhTpK/SEP/PrivateBanking/
http://ifcingenieria.cl/QpX8It/BIZ/Firmenkunden/
http://ihaveanidea.org/wwvvv/6lnQfZWB/biz/Service-Center/
http://inpiniti.com/backup/xe/9Gp4sQ/
http://investicon.in/wp-content/plugins/workfence/509DNAHXVHH/PAYMENT/US/
http://ism.bao.ac.cn/astro/HI/QsKELH3tY/
http://jfogal.com/Nq2XVe/SEPA/200-Jahre/
http://kiramarch.com/3701776GNOAGJ/PAYMENT/Business/
http://lead.vision/mobile/iIxAKt7/SWIFT/Firmenkunden/
http://lesbonsbras.com/lvBULCE1tNq/
http://lightforthezulunation.org/e3vGL2kw4Lzjox/biz/Firmenkunden/
http://loei.drr.go.th/wp-content/0052962DKCBVSK/identity/Commercial/
http://mils-group.com/026486HXNFQVR/biz/Personal/
http://mydatawise.com/wp-content/uploads/2016/12/BAeCW5sUgN2TkwrNA/DE/200-Jahre/
http://nuomed.com/9573VBA/PAY/Commercial/
http://nutrilatina.com.br/349A/biz/Business/
http://peacesprit.ir/G2S/
http://peconashville.com/Jng07/
http://pensionhinterhofer.at/8L8XXmpEWyq5/biz/Service-Center/
http://phaimanhdanong.com/multimedia/5946442WZKHBOLP/SEP/US/
http://pibuilding.com/38F/com/Business/
http://plco.my/v1/wp-content/uploads/2015/5i4ny1v/SWIFT/IhreSparkasse/
http://pornbeam.com/GjI/
http://prevlimp.com.br/kaualqc/
http://priscawrites.com/77nYljPIJ6A/
http://property.saiberwebsitefactory.com/7Ka7SNYsz8Kj22B7Vx/de/IhreSparkasse/
http://rainbow-logistic.com/6246439MYD/oamo/US/
http://sahinhurdageridonusum.net/TgG4eSEmkXVUzmdpwXs/de/IhreSparkasse/
http://samdog.ru/uuqFH8yY7L4S/biz/Privatkunden/
http://setembroamarelo.org.br/BBJCFeEOS/
http://shoppingcartsavings.com/w2AH/
http://sightspansecurity.com/iGpKASJxRnXI5S/SEP/Firmenkunden/
http://smartcare.com.tr/gssJT5/
http://sparklecreations.net/XpdQgE1/
http://sprolf.ru/stats/wNtgzKkzWYN/
http://starbrightautodetail.com/RPsmsYBsBI/SWIFT/Firmenkunden/
http://tempodecelebrar.org.br/54120MIAYQL/SWIFT/US/
http://tiegy.vip/IGnx/
http://touchandlearn.pt/wp-content/uploads/88441QUBZUNWV/com/Personal/
http://u2434969.ct.sendgrid.net/wf/click?upn=WD6m8SjAakLxmIWnIo-2Bhx28pOEn7kpWTh16DjNMnBiRHrm-2B-2FIa2rYjV8DOgZNp6r_uX-2B-2FOWVk0wQO-2FiLAN-2FRXf4GdZ40wtMzyBkhASagjL9D5FcYhIkjq3YH7jPizD6wnjNDf8tOowyhY4CuijpI-2Bq3qQa1jiifRbj-2F2vfqwupVGQA5tYyQPKQOSDHJOh7WwIUs7S6p5esx-2BNv-2FyIg1dj5YRP1Tm9wbsG8F5DuO-2FrkAJ1Ib1u0QF9rfZvPcxp8zF9K7Na-2BDFCIsOxe-2BYMzlVRmppUjrKWN7Rxp2WDzunTYaE-3D/
http://volminpetshop.com/ZvZIN6MqIGJHlYKKvZ5g/SEP/Privatkunden/
http://womendrivers.be/Hc91Q4/
http://www.anyes.com.cn/28UKARLIFN/PAY/Smallbusiness/
http://www.brownfields.fr/64812BX/SEP/US/
http://www.c-t.in.ua/28064NUTYG/identity/US/
http://www.emilyxu.com/cxDjtxJd/DE/Privatkunden/
http://www.espaceurbain.com/nvW27loez/
http://www.estelleappiah.com/oldsite-06-08-2015/files/MLgFnnx4jSdVtsQYU/biz/IhreSparkasse/
http://www.finacore.com/finuzs/zKtmyxlI5il/de/Privatkunden/
http://www.fire42.com/4327973OZXPQOK/SEP/Personal/
http://www.greaterhopeinc.org/wp-content/plugins/disable-xml-rpc/tthCo0yb/
http://www.knofoto.ru/89637AZAH/SEP/Smallbusiness/
http://www.meico.com.co/wp-content/plugins/wp-mail-smtp/33NGYR/identity/Smallbusiness/
http://www.pensionhinterhofer.at/8L8XXmpEWyq5/biz/Service-Center/
http://www.priscawrites.com/77nYljPIJ6A/
http://www.property.saiberwebsitefactory.com/7Ka7SNYsz8Kj22B7Vx/de/IhreSparkasse/
http://www.rainbow-logistic.com/6246439MYD/oamo/US/
http://www.remnanttabernacle7thday.com/050143ZVEWD/WIRE/Smallbusiness/
http://www.sahinhurdageridonusum.net/TgG4eSEmkXVUzmdpwXs/de/IhreSparkasse/
http://www.servicios-marlens.com/JLjrMR35bxEBuSFxrC/SEPA/Privatkunden/
http://www.setembroamarelo.org.br/BBJCFeEOS/
http://www.swiftsgroup.com/HUrWpAv4H/SEP/Service-Center/
http://www.tempodecelebrar.org.br/54120MIAYQL/SWIFT/US/
http://www.xianjiaopi.com/41964H/PAY/US/
http://www.youngprosperity.uk/3KKHCPBLX/BIZ/Personal/
http://www.zerenprofessional.com/4408FKJYPIRL/SEP/Business/
http://xianjiaopi.com/41964H/PAY/US/
http://xn--80agpqajcme4aij.xn--p1ai/FOFWzv/de/200-Jahre/
http://yogahuongthaogovap.com/6057WU/SWIFT/Personal/
http://zerenprofessional.com/4408FKJYPIRL/SEP/Business/
https://sightspansecurity.com/iGpKASJxRnXI5S/SEP/Firmenkunden/
https://www.linktub.com/blog/wp-content/004444BN/com/Business/


Epoch 1 Payloads by Document SHA256 - All Times UTC


Creation Time	2018-11-12 14:10:00
SHA256:

http://art-n-couture.com/xZEenLet93
http://cargomax.ru/jGudFrU
http://localbusinesspromotion.co.uk/yYdR0Jizzd
http://iepedacitodecielo.edu.co/9ToeEUowUq
http://ecconom.ru/sIjHq7jPz

Creation Time	2018-11-12 12:12:00
SHA256:
ebd56cd4e9581928a9657ab0805e6bf58a33622f2c4cf70e1cb6361988334d87
ae8960693865378d55c423f6672be7b4072a81d3e7d7aed4519d957af7cc7f1d
24a699f1ef1dbbdb252dc104dc6c81f6cb9fc0eba5201f6f62e1db9417959fb5
8039cc157c4e9043521973fed5b0fe6ad374874063ebee389060272f61024da3
0aa5b664836abfc5633f099b6a2d4a10238f3543b9080e2ce03d87f7f7a2cc46
f84828f24b41b1e31dceb503c8b5be9735b5a4d103dbc37290224abf039895c9
674048dfd6cd66bc97e37da931b62bfb2a3bd42582ff06abfe5544197ce95e01
3ce11966d323a73df1d1bbb846c101a4a9559aa0625bbb29feed4cc18ca3de31
18bf984f55b165527e4fa212bb339890259e44f6356bd8df712ba324c19874d0

http://corporaciondelsur.com.pe/1QByaBRWa
http://colexpresscargo.com/HIpFeRI
http://www.alefbookstores.com/sources/Fix-Serialization/PXjjiWaEs7
http://farmasi.uin-malang.ac.id/wp-content/Corporation/nEpAliJu
http://notehashtom.ir/SuZ3ZRA4oZ


Creation Time	2018-11-12 06:51:00
SHA256:

http://craniofacialhealth.com/fkwoBvLXu9
http://duwon.net/wpp-app/zZIi80jKEg
http://cipherme.pl/data/FUqfiGggE
http://malchiki-po-vyzovu-moskva.company/fyxuFQjT
http://dingesgang.com/kAMzVfDDiX

Creation Time	2018-11-09 18:07:00
SHA256:

50c676adf299edbde321c0096e99083e08e1ae91df7366335ee39bcdfe0b3eb6
bacd0feab2312a783f219045ef46024d70574472d1c889f15fce0cbf770cea3c
41a904f0fbccb3384f0cac45c44dd11428abb34f6c3280ec24b8c9cdc180c2b9
f07be30c7f7158311ebad7481f2a5cc2e3f2a97a80b68882f727a0ece5356668
b71815756b88a2e0c9c7b004e107b895ead2eff1d73e3a4b5d7d4b1eb12c7225
f07be30c7f7158311ebad7481f2a5cc2e3f2a97a80b68882f727a0ece5356668
6302b23972429a2fd75705e224d169c71a4a59df752c984d1eed43ed1beb41e7
3644fd75e652a808372e09b32395f172632a06117c248701b9dcac5f68967ba0
ece24a26bcc9b8eb48eb48d0c5a3821b4fb6ece24aef0e17690a836a00c85071
4dc58d8a9d531d6650c8c4f5236605595022f87ba327dd4b3ccdf89932776f9f
658d0c4dea0fe47073e784d48e50ba50a43acf7e13a6fefc53e16348ddf708c4
3f7e00128a56edd2f1c5159e27a742bca3afa43b4df51e98051407d47222adb3
e415285547b44e4c391e76cf7122d094aca76c176d50439db7456b03e8601ed8
529d965c488e76d4c953c2772866009408f4cda5d069834e952390d0ee1d1b14
e0696ce9076cdb95138378ca834b2a4dd3beff3cb9a529f2c699487e8422da93
bd892d5a35092ffcca4f14d3c467f5e14bc2636f5c7feac3858f24ef6dd81bb1
24bc2e1fe2f6d4768f5ef9e2982a539290f10500af5199733ca5f6e39fb6b2a2
0e14de0cf8314c7c7791afd6ea3cb6e93c87776a5ab9d72a46a741c2c804d065
096ff7b5371783b0d7f93e477ea863c482807f5089aeef3a35ab8b677eeab8b5
b647598931786993a66fdbc4c4dbe21bf5d7feb6c6a349163caef05d16c23284
ddddba1fffd42658980e91aa75f601e109ad6786a4c4d5408ee3f6aaed25687e
e48951bbd45f27ddc8d80fb4871b8ff1109750f614162ed8a5156ea44161c42b
61c06b883139a56a3433666b20ed219ef341fd15da51c4170af7cbeb3c093847
8245a3d0ef72f8cb79ab05dfe880ece3c425f73b9f2a5a40ff7410bd217b2525
202c46e5c4897d4b1fb0092c054665e9457244ab0e943fcb021ac70ab284ea25
2c00d3903ab5e63b983c370ec5ac1d9d57c879e1b7c818418e26a93977c00b46
e575e7efe1f1c2189b0025724cd0c80a8acddf8ad3ee04f164b70d10ef83d775
c60a396da8a15b041b850f54e80cf4432664406c6cb918f1511e81cbf5f45b55
2a6f5b16270c746dc621181648f046351cd4bd530619aa1a7d22d87b31690f1a
f3ab41e8eebf32bb1b014c11c6b71a64c82b59913f212a1bef752876cbb6cd8d
61ac14386e8fb3fba567170423b6e4158cba55c9f8b707a3a0e0b94b8faf5c5f
092a4d2638cd50d4290e30875dc0769fa1219573be4f615b3c4b5305baf8b589
09e1282c6be3bcbff501ab61fafd5b2781f3466cbdda64e286e411524bbbe6c0
e87652f1eeaf4496ff576ae06ec66feb42e1d8c3cba5cf5175ac04f4ca54862c
411eccdac0a23ed022ec8d9206efccac918d6596a2c7bd421a9dfa4da6c602de
a7784acee6777868e3d3555385efd6878a8a974ab3bdd1796cb4a4da328ef603
ed88d61390f8b51cda145e7f36802456f297e1df16a7803e933fbbcdf08ec630
d47ba3cea7d409cd559a3cb23fb0983f07038de80f962a524b2ee8ca4039e335
3bb1ebde30c0794930024aa5b71e2d4337673286bda99ee255dd893895a813b6
aebe05677da5435e100109e49957ec683928dcae691967674f0abf7bae621198
e4dc7c3d436b7322c5fc187309e00c88ec489634d7c0b6a46076bf9a18943f38
c5341933a665c348d38b9c9ebec287c91415b3e394cfdafa0b225caf246acad0
78dabb6827653439c6834f24802c396712b4c1288d409d909a897c69b466c0cd
754d508c6b6734a9816b7a65b65c85de9749353f92507edb7565c2d74a9891c0
8df14e82f725030a9f600a52590e785dadac72a798370ce97cdb9ae797f245b9
f0610a8edcb9b5c65adc14a5dd599cec787300de7f0f32f88018ebbc8f13dea5
bacd0feab2312a783f219045ef46024d70574472d1c889f15fce0cbf770cea3c
cd387e08af744a7b34100e5ba973ed4fb9cef280a67b9d37842810bb33f1dfcd

http://cine80.co.kr/wvw/qhKE5rlkR
http://listyourhomes.ca/o5qDsWBe
http://hire-van.com/6dusyh9w3
http://icxturkey.com/nE2YMAjUK
http://spolarich.com/vlJ2o3k2h7

SHA256s for Epoch 1 Payload EXEs seen on 11/12/18

374b9181498e0bb1c83f04d8e2f7b0ae2e36557a20ddd8aaf90526f339ec037d
e177cd3e91b4995d4fb6fc35a7c3f9a5471e0ec0a118294f2a86077a695b84ec
c0568df972d8f1190b87e964653a7c91d1c43cc0a458542b2222b2b06c4ad1e7

Epoch 2 Payloads by Document SHA256 - All Times UTC


Creation Time	2018-11-12 23:04:00
SHA256:
b482750de54ae5c8dd12466bf6e7edb219ba31bc2655e5e988fcc491548e4f37
cc4b92e40ce2beab7cf1dbedf349f086d01facb7b31e94f43ac698e7e5367473
c8929d08c03d7f37876f3c4ff4c03f074fecb820c32128053f5fec703346b581
d368043860eabbddbce883260d1618d8101dceb24acdeaf3ba20d2771f662947
ef7bc8427d82a575c156b8d97abce626eac79d3a94eb278c5366e85f488ef5a4
5ffe52f6fad30c9ccf60a3591005c4234de45fc436e15849940a13bde7bb5976
d1c6188521225562b06ba5290035762b80029dbb755eaa25111aa566d33bfbac
209a3123b5471578764fce10acaa32d756eef90b714dcf08a151cf7b34ad9ec9
c8da434a07842e6510350492b22ed4c21d240a6206b188173378e20f094ddf26
d98fbb3ba2795c9b6805e6ff8928851fa91ce1f2d8fcfabe8a2a7d90c8bd1be1
bd237f5779a828b32e043c01a3d5f594e8fd011a2a7f821405413424b4212967
4f33224b115ae763c2aa706285794e00b6a533e772c7c4b1a8659e66b93bdd18
4b692b65dd5f6d598c74bd66d4e9dcdf3d5988d6373b86c3bada40887f9c8695
96dce57a5e98241c81a0db6ba55e1fc48a3fffb94e7c9fcbae407da6333691db
8e2c674d5a60c109d834d7b6b17a54bd5b5723d7d4ef3d7a6d7aee5eab19c691
78ff07fb1e00a6d4e172ff58159bbaddb6e13533ebde5e4cbb90c3dac6dbef99
8194b42405a1d1b7dc93e6ef023f880dfa17673d4d6025abe760bb375c663232
ba13597fc3d25a4cb41dbc951eb964d904a7a1b4a84fa86db954df34246e2a91
0d5385ae8d4c190a20e29a12285f698e0a9e3d21920c6195fa1ab0668e3b8382

http://evelin.ru/I
http://sharpdeanne.com/28IqWw2
http://hotelmarina.es/wp-content/uploads/hDDPC2X
http://waraboo.com/0ne6CK
http://www.vcorset.com/wp-content/uploads/hJwC

Creation Time	2018-11-12 14:19:00
SHA256:

http://timlinger.com/nmw
http://vinastone.com/57qt1
http://www.ultigamer.com/wp-admin/includes/mg96
http://kafkeer.net/9EBEL
http://montegrappa.com.pa/7

Creation Time	2018-11-12 06:41:00
SHA256:

http://canetafixa.com.br/3uo7M
http://bahiacreativa.com/Oe03Kk
http://chang.be/sTb96Tu
http://sociallysavvyseo.com/PGEjLjV
http://mwhite.ru/gMIk68B

Creation Time	2018-11-09 18:52:00
SHA256:
1ff637a9451257756be5fac3f6efb6b0bf9eaec211a42e8efb7aff4cb81e2d9d
65e4c3c3407f22722aeb6b0e477027e01aa381d83209f713b48f8b4f738528f9
098d6038e8b59721602a7bfd9152453bf3d9257df414003b8c50d068f97ac207
2524c4b4ead1dd6420d45f3b59906b0e851255f3f9af39fb87b1c8e5a16feca7
bb8b1015af59a4ac23cc19ddd51fe4437028d4aef23b13484700c5b89c606959
03a7c4581a72d0f080c746994f55736acf03f6b79397cf576778df85919af811
c2585bae2dac84cee1bda745ce8af73f80a19e3d02895a47daf8f13044834528
2c5168724b9a53a2020d66a4b7d1504927ff0cc8906811ba070872c7608542a3
316230bb4423d41b6a9389ea2c0739435c24d825ffa154aded8b45c6a4b99066
a1e08faddbbadcb8406e32fdc8d0481d1d18e98614a95b12e1e05a3756a93db3
c14d850583a6639992b787c908e057831a421020c237d2f65263231cf67e914f
2800a054245bb1509fa3ffd520c36930c2159817672baa971edb483e236571b8
0810677192b7593a24cb1f2d37776e8efd35744011202c2c1b7ef9993e20c2b3
d4fa5731ce21528b250eb6a8977552fc94bce3b788d0ec9ac17a4f6b9f8def56
d91ff0cd76c06541bab56234e077270923ef40347dcabc7c112097d3a8a9c676
a80a36860e0284a3ce86961a93b05c481e488aeb605efb20a687451ac045ed71
7e2d23d535b635620e24f4abf1017c536413f77ca8546493a2b9ae25f11f86eb
c7b873f47121ae24b337de9306be4c80d2a6fbac23b14e6a695d0b50edba0cb7
af161af031a1e5984bea359097dc06aaa0b8fc335b7451ec2dda60ad3e3f2f3d
01e850c472afd03b8855f4b8a44715df7fd402284a620e89056ace9ccaf89317
32fa3beb69c70126e8b45276e8e7e13194d1b7e6407958bbb560ac0be3a94e1e
d749daf6d0ed6d955787d059ae1d580a0e8975d8dea0bd666635cb3b4b859d49
c3868b64ecf539e28b8804e2faa4f91756d3d1d9ec46695253422fefa346a924
7fd8c48fbd029f40fb5b536d24d059fc37788aa2f2b93b5b5a7b49221d61f5ae
148a38244907c004618b5a212ef9a21f10ecb68ea8ae3c30a2bcd4a33f83eca7
9803d459845d0c4968e8b717cf9345da56ba8c15d16eada35701d43a9134d89d
9988c4bbb8322e6e7371a313ee3940a396588381022f75344d02b78edbd5a331
4e142e3a6aadf1564f3ab92fccbe5ef3055f48f6dc0946fa5f67acc4d696b7fc
41b799e51f36ec8737f53173e27c0ff5ba9b167df0fc1e474956373808bfa72f
4b6c410f19b0aaf157167476564aa47d55f0503428ecc53f4229781a36d82737
99c52c18e6812d56b4766477e7d228a9005f4c20ab4336ac297f3c267f35a3d2
613e1d5d00c2a221ff43d4a6599736275c7b70bbd8046fa3c8674a47952bf0ba
98b203a052aa0e7d018ea8cf5936d0c82fb7bfc759b97fb49f085232db5b996c
8fc87d3eca17358f80bceada2227d139aad685ad0874af2beb5ea897cec61d45
eded1980695bbcbbfb137a944752dfd7f3c89311e8b2b748abde96b4c28c240f
f1d0a88d3502a917ad8dd9fb365438681cb25b67a1f4570d924a1a927504175f
e734827369a818fecf638043f51a21f7825160213983b90561db2222ccbcdb8b
caf792cb34bef4fffe1cbb21f7cdd268772c6174f1a84507a60858e8bd32a07e
f6db8b732e8ec59b1ea982878f9ac9671c82ec6c224f973f299cdfba4f058af3
005dd718153018dc308c9ddf9e8b539dda41db1b07be284bad5adda272bebc9c
18d275e6a111d57526605000b1f370ee3e6bc22ef1cb2c9622c565e81c60a9d2
eb0f200eee9ea5371278ed9a03d9b3ff643dc9d046531f8fcf1c7c53233c8051
24db39195a2185eb8f504fc8d2c445b9219c041c2285b2c2e13ec20258300acf
f998d64130c771c729dddb768306109547298ae7268b2155a7b2f528fe773374
848ff9c6222e3252ccab94e45a93361572224ea3a4139fd647518c1185fdf2bf

http://www.coronatec.com.br/wp-content/W
http://inpolitics.ro/66e
http://trackprint.ru/zxNBPM
http://moscowvorota.ru/7
http://dkv.fikom.budiluhur.ac.id/TSFMf

SHA256s for Epoch 2 Payload EXEs seen on 11/12/18

Epoch 1 C2s

(Port is 80 unless noted)

104.5.49.54:8443
107.10.139.119:443
118.69.186.155:8080
133.242.208.183:8080
139.59.242.76:8080
148.69.94.166:50000
159.65.76.245:443
165.227.213.173:8080
181.229.155.11
181.27.126.228:990
186.15.60.167:443
187.163.174.149:8080
187.163.49.123:8090
187.207.72.201:443
189.130.50.85
192.155.90.90:7080
198.199.185.25:443
207.255.59.231:443
210.2.86.72:8080
210.2.86.94:8080
216.176.21.143
216.251.1.1
23.254.203.51:8080
37.120.175.15
49.212.135.76:443
5.32.65.50:8080
5.9.128.163:8080
50.21.147.8:8090
67.237.41.34:8443
69.198.17.20:8080
70.60.50.60:8080
77.44.98.67:8080
96.246.206.16


Spam/Stealer C2s


Pending

Epoch 2 C2s

(Port is 80 unless noted)

105.247.100.215:7080
115.71.233.127:443
120.150.206.156
139.162.151.141:8080
153.122.38.158:443
172.248.199.224:990
173.34.90.245:443
200.194.26.234:443
206.174.187.58
208.180.149.228
211.115.111.19:443
217.13.106.160:7080
217.174.206.181:443
222.214.218.192:4143
24.206.17.102:8080
24.67.53.23
41.215.127.30:990
45.123.3.54:443
46.163.76.187:8080
5.230.147.179:8080
64.183.104.2
67.205.149.117:443
67.43.253.189:8080
69.198.17.7:8080
69.8.25.109:443
70.77.68.255
72.26.54.182:8080
72.84.82.20
73.57.148.230:443
78.47.182.42:8080
79.78.142.70:8080
81.7.10.106:7080
83.222.124.62:8080
84.200.106.120:8080
86.98.71.86:7080
93.109.229.250:8080
95.141.175.240:443
98.142.208.27:443
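Both the "Creation Time / SHA256: / URLs" payload blocks above and the "IP[:port]" C2 lists (where, as the list says, the port is 80 unless noted) follow a simple line format. The parser below is an added example, not the author's or any community member's tooling; it turns the two formats into structured records so they can be fed to a blocklist or a detection rule set. All sample input is constructed (RFC 5737 documentation addresses, placeholder hashes, and example.test hostnames), and the Suricata rule rendering uses a message string and starting sid that are assumptions, not values from this list.

```python
"""Parse the two line formats used in these daily Emotet lists.

1. Payload blocks:  "Creation Time<TAB>YYYY-MM-DD HH:MM:SS", then "SHA256:",
   then 64-hex document hashes, then the payload URLs for that document.
2. C2 blocks:       one "IP[:port]" per line; a bare IP means port 80,
   per the "(Port is 80 unless noted)" header.

Every sample below is constructed for the example; nothing is taken from the
page's own indicators.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")
DEFAULT_PORT = 80  # "(Port is 80 unless noted)"

# Constructed sample: two payload blocks in the page's layout. The second block
# has no hashes, which also happens on the page where a hash list was cut.
SAMPLE_PAYLOAD_BLOCK = (
    "Creation Time\t2018-11-12 12:12:00\n"
    "SHA256:\n" + "ab" * 32 + "\n" + "cd" * 32 + "\n\n"
    "http://example.test/abc\n"
    "http://example.test/def\n\n"
    "Creation Time\t2018-11-12 06:51:00\n"
    "SHA256:\n"
    "http://example.test/ghi\n"
)

# Constructed sample C2 block; addresses come from RFC 5737 test ranges.
SAMPLE_C2_BLOCK = """Epoch 1 C2s

(Port is 80 unless noted)

192.0.2.10:8443
198.51.100.7
203.0.113.5:443
198.51.100.7
not-an-ip:80
192.0.2.11:99999
"""


def parse_payload_blocks(text: str) -> List[Dict[str, object]]:
    """Group document hashes and payload URLs under their Creation Time."""
    blocks: List[Dict[str, object]] = []
    cur: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Creation Time"):
            # Timestamp follows the label, separated by a tab on the page.
            stamp = line[len("Creation Time"):].strip()
            cur = {"creation_time": stamp, "sha256": [], "urls": []}
            blocks.append(cur)
        elif not cur:
            continue  # text before the first block is ignored
        elif HEX64.match(line):
            cur["sha256"].append(line.lower())  # normalise hash case
        elif line.lower().startswith(("http://", "https://")):
            cur["urls"].append(line)
    return blocks


def parse_c2_lines(text: str, default_port: int = DEFAULT_PORT) -> List[Tuple[str, int]]:
    """Return unique (ip, port) pairs in order of first appearance.

    Headings, the port note, malformed addresses and out-of-range ports are
    skipped rather than raising, since these lists are hand-maintained.
    """
    seen = set()
    out: List[Tuple[str, int]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or " " in line:
            continue  # blank line, "Epoch 1 C2s", or "(Port is 80 unless noted)"
        host, sep, port_s = line.partition(":")
        try:
            ip = str(ipaddress.IPv4Address(host))
        except ValueError:
            continue
        if sep:
            if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
                continue
            port = int(port_s)
        else:
            port = default_port
        if (ip, port) not in seen:
            seen.add((ip, port))
            out.append((ip, port))
    return out


def to_suricata_rules(entries: List[Tuple[str, int]], sid_start: int = 1000001,
                      msg: str = "Emotet C2 (daily list)") -> List[str]:
    """Render each C2 pair as one outbound-connection alert rule.

    The msg text and sid range are assumptions for the example; pick values
    that fit your own rule set.
    """
    rules = []
    for i, (ip, port) in enumerate(entries):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"{msg}"; flow:to_server; sid:{sid_start + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for block in parse_payload_blocks(SAMPLE_PAYLOAD_BLOCK):
        print(block["creation_time"], len(block["sha256"]), "hashes", len(block["urls"]), "urls")
    for rule in to_suricata_rules(parse_c2_lines(SAMPLE_C2_BLOCK)):
        print(rule)
```

Running the module on a saved copy of a daily list (replace the constructed samples with the file contents) gives one record per Creation Time and a deduplicated C2 set; the duplicate address in the sample is collapsed, and the two malformed lines are dropped without aborting the run.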
 

Epoch 2 - Spam/Stealer C2s


Pending

Credits and Notes Section

Updated 7/13/18
WARNING - Some links may have been taken down shortly after I reported them to URLhaus because they rock and report everything to ISPs as soon as it is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture: https://pastebin.com/u/jroosen

NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list. I am providing them for your benefit in case you want to parse them to be sure.

UPDATED (08/31/18): Epoch 1 is back! For several days in a row it has been on the scene!

What is Epoch 1 and Epoch 2?
Epoch 1 and 2 are two distinct chains of payloads that I have been tracking for a couple of weeks now. Epoch 2 is currently the larger group of hosts and I think it is the main push of Emotet. Epoch 2 WAS a smaller, more rapidly changing version of Emotet that tended to change the hash of the document every 45-60 minutes and sometimes had new payloads that fast as well. Epoch 1 seems to change payloads every 3-6 hours now and hashes change sometimes as fast as every hour. Epoch 1 may now be the development chain, but I am not 100% sure what they are up to. Checking either epoch host at a point in time will deliver a document that has payloads that are different from the other epoch. That means epoch 1 may have payloads of a,b,c,d,e and epoch 2 will then have z,y,x,w,v. Sites sometimes move from one epoch to the other, but I have never seen the same exact directory go from one epoch to the other. It is always a new directory for the change in epoch, as far as I have seen.

Community Lists


https://pastebin.com/D6hMvKpq - @James_inthe_box
https://pastebin.com/hQ94LGUR - @pollo290987
https://pastebin.com/Vx2z799s - @ps66uk
https://pastebin.com/pWEkryKf - @executemalware
https://pastebin.com/yW3ULXVb - @SaurabhSha15 Epoch 1 Spam Templates
https://pastebin.com/k9FXzQBW - @SaurabhSha15 Epoch 1 Spam Templates
https://pastebin.com/kN2Ggx8E - @SaurabhSha15 Epoch 1 Spam Templates
https://pastebin.com/aHg0rUEt - @SaurabhSha15 Epoch 1 Spam Templates
https://pastebin.com/pdE1aRks - @SaurabhSha15 Epoch 1 Spam Templates
https://pastebin.com/dFwBD3Ec - @SaurabhSha15 Epoch 1 Spam Templates
https://pastebin.com/PjKjd8CK - @SaurabhSha15 Epoch 1 Spam Templates
https://pastebin.com/dZrpEiN0 - @SaurabhSha15 Epoch 1 Spam Templates

Credits

(OC and combination work)
Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, @0xtadavie, @Bitterman59, @devnullnoop 
C2 info - @unixronin, @MalwareTechBlog, @ps66uk, @Techhelplistcom, @pollo290987, @malware_traffic, @0xtadavie, @devnullnoop 
Payloads - @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz, @pollo290987, @malware_traffic, @Bitterman59, @devnullnoop, @executemalware
Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop 

Special thanks to @2sec4u, @unixronin, @pollo290987/@ps66uk for creating scripts/servers/infrastructure and helping out with all of this!

Very special thanks to @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch and @Virustotal!

Daily Log


Saw a lot of goofball templates I have not seen in a while today. Also it seemed like E2 went down for a short period in the afternoon. As a result we only have a few payload quintets instead of the typical array on a Monday. As noted by @ps66uk,
https://twitter.com/ps66uk/status/1061960866738987010 we had some O2 billing templates used. E1 was all attachments today, and just straight doc attachments. I noticed German language in the morning and then it changed over to Spanish and then French in the afternoon. It seems like they are going after a wider audience.

If you find any E1 URLs for downloading the maldocs, please send them to me at @jroosen. - Thanks


Sandbox 11/12/18

(all with fakenet and MITM unless spam/secondary infection)


Epoch 1 E2 run at 23:36 https://app.any.run/tasks/2051ec30-dc0e-45e2-8c3c-47a71f0188b1

Epoch 2 E2 run at 23:56 https://app.any.run/tasks/2f8eaacb-81f3-431e-8625-e87904db93e0
