Daily Emotet IoCs and Notes for 11/16/18

Emotet Malware Document links/IOCs for 11/16/18 as of 11/16/18 20:15 EST

Notes and Credits are now at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.


http://anyes.com.cn/En_us/Clients/11_18/
http://beeallinone.co.uk/3380963DGTXFP/En_us/Payments/112018/
http://bepdepvn.com/blog/cache/En_us/Information/11_18/
http://bizi-ss.com/EN_US/Clients_Messages/112018/
http://cameracity.vn/wp-includes/US/Attachments/11_18/
http://chemclass.ru/En_us/Payments/11_18/
http://cof.philanthropyroundtable.org/En_us/Clients_transactions/11_18/
http://colexpresscargo.com/En_us/Messages/11_18/
http://collectania.dev.tuut.com.br/US/Attachments/11_18/
http://comvidanova.com.br/En_us/ACH/2018-11/
http://costcllc.com/wp-admin/css/US/Attachments/11_18/
http://ctb.kiev.ua/EN_US/Messages/11_18/
http://danzarspiritandtruth.com/J7B5TiAIp/
http://demak.grasindotravel.co.id/EN_US/Details/2018-11/
http://dingesgang.com/En_us/Transactions-details/2018-11/
http://familybusinessesofamerica.com/En_us/Messages/2018-11/
http://fenicerosa.com/US/Transactions/112018/
http://feragrup.com/En_us/Documents/11_18/
http://firsteliteconstruction.co.uk/En_us/Payments/112018/
http://foxyco.pinkjacketclients.com/wp-content/uploads/US/Transactions/11_18/
http://fullstacks.cn/En_us/Clients_information/2018-11/
http://hockeystickz.com/EN_US/Attachments/112018/
http://ingadream.ru/US/Clients/112018/
http://interieurbouwburgum.nl/EN_US/Clients_transactions/11_18/
http://jimmysbait.haroocreative.com/US/Clients_transactions/112018/
http://kammello.com.br/US/Clients_Messages/112018/
http://lensajalanjalan.com/EN_US/Messages/11_18/
http://lsa.dev.tuut.com.br/En_us/Clients_Messages/2018-11/
http://m3produtora.com/US/Messages/112018/
http://mahdavischool.org/int/myp/En_us/Documents/2018-11/
http://maipiu.com.ar/US/Messages/112018/
http://mandrillapp.com/track/click/30970997/foxyco.pinkjacketclients.com?p=eyJzIjoiVWxQTl9oRkVGYTFRT1hSdkxTN1lsNFByM3R3IiwidiI6MSwicCI6IntcInVcIjozMDk3MDk5NyxcInZcIjoxLFwidXJsXCI6XCJodHRwOlxcXC9cXFwvZm94eWNvLnBpbmtqYWNrZXRjbGllbnRzLmNvbVxcXC93cC1jb250ZW50XFxcL3VwbG9hZHNcXFwvVVNcXFwvVHJhbnNhY3Rpb25zXFxcLzExXzE4XCIsXCJpZFwiOlwiYzRmYzJmYTVlYjY0NDY0Mjk0ZDViZDMwOWU5NTBiZjdcIixcInVybF9pZHNcIjpbXCJkY2Q2MjJjZGZhYTMyY2FjMTNkZTYyMzFiNTY3MGZjYTRhNWRiMjJhXCJdfSJ9/
http://maxairhvacs.com/EN_US/Clients_transactions/2018-11/
http://microjobengine.info/US/Transactions/2018-11/
http://nhpetsave.com/En_us/Clients_information/2018-11/
http://old.klinika-kostka.com/EN_US/Transactions/11_18/
http://peconashville.com/US/Documents/112018/
http://phamfruits.com/EN_US/Attachments/112018/
http://pleaseyoursoul.com/En_us/Clients_transactions/2018-11/
http://powerandlighting.com.au/US/Transactions-details/2018-11/
http://retro-jordans-for-sale.com/En_us/Payments/11_18/
http://roadmap-itconsulting.com/EN_US/Payments/2018-11/
http://sharpdeanne.com/En_us/Clients_information/11_18/
http://snb.pinkjacketclients.com/wp-content/uploads/EN_US/Documents/2018-11/
http://steelbarsshop.com/EN_US/Details/11_18/
http://testing.nudev.net/US/Clients_Messages/2018-11/
http://thenewerabeauty.com/En_us/Clients_information/112018/
http://thucphamdouong.com/En_us/Transactions/112018/
http://tidevalet.com/En_us/ACH/11_18/
http://trainchange.com/wp-content/uploads/2018/05/US/Details/11_18/
http://ulukantasarim.com/wp-admin/EN_US/Documents/2018-11/
http://uniquefabsystems.com/EN_US/Information/112018/
http://web.smakristen1sltg.sch.id/En_us/Clients/112018/
http://www.comvidanova.com.br/En_us/ACH/2018-11/
http://www.fuyaoglass52.ru/EN_US/Clients_transactions/112018/
http://www.maxairhvacs.com/EN_US/Clients_transactions/2018-11/
http://www.myhscnow.com/oldsite/EN_US/Transaction_details/2018-11/
https://mandrillapp.com/track/click/30970997/ulukantasarim.com?p=eyJzIjoiM1pKUjdiRV9oZ1BFS0JIdlpuUlUxNkdYZXBNIiwidiI6MSwicCI6IntcInVcIjozMDk3MDk5NyxcInZcIjoxLFwidXJsXCI6XCJodHRwOlxcXC9cXFwvdWx1a2FudGFzYXJpbS5jb21cXFwvd3AtYWRtaW5cXFwvRU5fVVNcXFwvRG9jdW1lbnRzXFxcLzIwMTgtMTFcIixcImlkXCI6XCI5ZTM5NmNkOTgzOGM0NTY1OTg5NzYwNTYzZGUwOWQxNFwiLFwidXJsX2lkc1wiOltcImJkZWUyMjhhNzZkZjQ5NmJkN2EyYzE3YzBjYjQzOTgxOGIwZTQzNTJcIl19In0/
https://mandrillapp.com/track/click/30970997/ulukantasarim.com?p=eyJzIjoiQXdVNkI5OTM4ekFKNGVXR0ZfQ0x1U1cwYm80IiwidiI6MSwicCI6IntcInVcIjozMDk3MDk5NyxcInZcIjoxLFwidXJsXCI6XCJodHRwOlxcXC9cXFwvdWx1a2FudGFzYXJpbS5jb21cXFwvd3AtYWRtaW5cXFwvRU5fVVNcXFwvRG9jdW1lbnRzXFxcLzIwMTgtMTFcIixcImlkXCI6XCIzMjNjYzk4YjJlNWQ0YzI1YjdmZjMyN2NjODZiMWU4ZVwiLFwidXJsX2lkc1wiOltcImJkZWUyMjhhNzZkZjQ5NmJkN2EyYzE3YzBjYjQzOTgxOGIwZTQzNTJcIl19In0/
https://tidevalet.com/En_us/ACH/11_18/
https://u6737826.ct.sendgrid.net/wf/click?upn=H1Xa28swUaaGX9BoBDACI97paSJ5dkYQkb3jsn9q8-2Ft2gpfURkptrqi4Eefw-2BqDkQkD5sCSc98XxawsXEHdOVLlHUpEcMdTNKdXfSpC1Xac-3D_Qhlm6hnITaFiQZ9pXsnyXOCjej8n5RRBHNyV7ZkxzMmzFaf5TlbdlMTS3i-2B3j-2BnsFLfI86ylfW5jm-2BWoT5bFpQ4f00Ye3XiAM7dhpUPJ2IChfubCttHD-2B1bV0u5vPzbupqkzTcRCZheljSSZLOG6-2BbwYngtdk9GeIAGWLprBi15cLHRqfDmyNScyG5ImWPsJvoADBALgaWOiyX3fqFzYoz5gzqIKjKNpjuJ3AiizhtQ-3D/
https://u6737826.ct.sendgrid.net/wf/click?upn=oLhrFbX8Xk2mNAhWz055fSSC4PUkq-2F264MX25iNC472h4QKP3MwIw6yFxtRaXQbzfs-2FFVBh-2BPySq1ckUP6MEbg-3D-3D_KRPuvzqjLT6qGCo4MQVqXBMAy78vTPcEMQjr74liq6vNX5PK7pQ7kzT0iA-2BRCp6-2B6T0iA0kJ3ucrvTP6SXm5mysYVlzDdqJYcRBSsBvIoUtgoDVwf5o7XL7WKtEc-2Fcw7-2B52fltWHxwNWnREQxHsk8cqcADZaQPui7Y7VWknyypcoejbf-2BU82b7gaHHTo0BwKlliW4aSaWEpp7HoGmbw-2BXVC1WP6of7qsyseJ3imhkU8-3D/
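Several entries in the list above are not the compromised sites themselves but e-mail service provider click-tracking redirectors (mandrillapp.com, xwnmt.mjt.lu, u6737826.ct.sendgrid.net) that the spam wrapped around the real document URL. The Mandrill and Mailjet formats can be unwrapped offline, which lets you de-duplicate them against the plain entries (the Mandrill link above resolves to the same foxyco.pinkjacketclients.com path that is also listed on its own) and block the landing host rather than the ESP domain. The code below is an added example, not part of the original list and not Cryptolaemus tooling; the function names are mine, and the three sample links are copied verbatim from the list above.

```python
import base64
import json
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Tracking links copied from the Doc DL URL list above (not constructed).
MANDRILL_LINK = (
    "http://mandrillapp.com/track/click/30970997/foxyco.pinkjacketclients.com?p="
    "eyJzIjoiVWxQTl9oRkVGYTFRT1hSdkxTN1lsNFByM3R3IiwidiI6MSwicCI6IntcInVcIjozMDk3MDk5Nyxc"
    "InZcIjoxLFwidXJsXCI6XCJodHRwOlxcXC9cXFwvZm94eWNvLnBpbmtqYWNrZXRjbGllbnRzLmNvbVxcXC93"
    "cC1jb250ZW50XFxcL3VwbG9hZHNcXFwvVVNcXFwvVHJhbnNhY3Rpb25zXFxcLzExXzE4XCIsXCJpZFwiOlwi"
    "YzRmYzJmYTVlYjY0NDY0Mjk0ZDViZDMwOWU5NTBiZjdcIixcInVybF9pZHNcIjpbXCJkY2Q2MjJjZGZhYTMy"
    "Y2FjMTNkZTYyMzFiNTY3MGZjYTRhNWRiMjJhXCJdfSJ9/"
)
MAILJET_LINK = (
    "http://xwnmt.mjt.lu/lnk/AMsAAB9iAeoAAAAAAAAAAACrBTwAAAAAKs8AAAAAAAytrwBb7YEDOqblPtIXSlyD"
    "pQWA71IrEAAMrHU/1/RHRUDyugjQK_odEvIt7HUQ/"
    "aHR0cDovL3d3dy5jaXZjaXYuY29tLnRyL0JTTFgzMGhDUEEvU0VQL0locmVTcGFya2Fzc2U/"
)
SENDGRID_LINK = (
    "https://u6737826.ct.sendgrid.net/wf/click?upn=oLhrFbX8Xk2mNAhWz055fSSC4PUkq-2F264MX25iNC472h4QKP3MwIw6yFxtRaXQbzfs-2FFVBh-2BPySq1ckUP6MEbg-3D-3D_KRPuvzqjLT6qGCo4MQVqXBMAy78vTPcEMQjr74liq6vNX5PK7pQ7kzT0iA-2BRCp6-2B6T0iA0kJ3ucrvTP6SXm5mysYVlzDdqJYcRBSsBvIoUtgoDVwf5o7XL7WKtEc-2Fcw7-2B52fltWHxwNWnREQxHsk8cqcADZaQPui7Y7VWknyypcoejbf-2BU82b7gaHHTo0BwKlliW4aSaWEpp7HoGmbw-2BXVC1WP6of7qsyseJ3imhkU8-3D/"
)


def _b64url_decode(token: str) -> bytes:
    """Decode base64url as both services emit it: no padding, and (in this list)
    a trailing '/' that is part of the pasted URL, not of the token."""
    token = unquote(token).strip().rstrip("/")
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def unwrap_mandrill(url: str) -> str:
    """mandrillapp.com/track/click/<account>/<host>?p=<base64url JSON>.
    The outer JSON's 'p' member is itself a JSON *string*; its 'url' field
    is the real destination, so two json.loads() calls are needed."""
    p = parse_qs(urlparse(url).query)["p"][0]
    outer = json.loads(_b64url_decode(p))
    inner = json.loads(outer["p"])
    return inner["url"]


def unwrap_mailjet(url: str) -> str:
    """<sub>.mjt.lu/lnk/<ids>/<n>/<sig>/<base64url destination>/ : the last
    non-empty path segment is the destination URL."""
    last = [s for s in urlparse(url).path.split("/") if s][-1]
    return _b64url_decode(last).decode("utf-8")


def unwrap_tracking_link(url: str) -> Optional[str]:
    """Return the landing URL for the redirector formats that can be decoded
    offline, or None when the link carries only an opaque token."""
    host = (urlparse(url).hostname or "").lower()
    if host == "mandrillapp.com":
        return unwrap_mandrill(url)
    if host == "mjt.lu" or host.endswith(".mjt.lu"):
        return unwrap_mailjet(url)
    # SendGrid wf/click?upn=... tokens are opaque; only following the redirect
    # (deliberately not done here: it would touch attacker infrastructure)
    # reveals the target.
    return None


if __name__ == "__main__":
    for link in (MANDRILL_LINK, MAILJET_LINK, SENDGRID_LINK):
        print(urlparse(link).hostname, "->", unwrap_tracking_link(link))
```

Both decoded targets appear elsewhere in the list in plain form (the foxyco.pinkjacketclients.com /US/Transactions/11_18/ path and the civciv.com.tr /BSLX30hCPA/SEP/IhreSparkasse/ path), which is the point: the ESP hostnames are noise for blocking, and the unwrapped paths are what to add to your own indicator set. The SendGrid link is left unresolved rather than fetched.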



http://149.56.100.86/4WTO/ACH/US/
http://belivre.com.br/MDlGbxgOc0KVEy/biz/200-Jahre/
http://blog.doutorresolve.com.br/070FIQPZCAF/identity/Commercial/
http://blog.emporioazuki.com.br/wp-content/345701MOYNK/oamo/US/
http://blogbbw.net/9338LHHZRLT/identity/Commercial/
http://bo2.co.id/rU4Ri56QYW6qq0d/de/IhreSparkasse/
http://bryansk-agro.com/INFO/US_us/ACH-form/
http://canhoquan8.com.vn/invoices/Download/EN_en/Question/
http://cemul.com.br/epTpCnF560pJWc/biz/IhreSparkasse/
http://civciv.com.tr/BSLX30hCPA/SEP/IhreSparkasse/
http://clock.noixun.com/3sSnQZuzXGQtlC0VBs/SEP/PrivateBanking/
http://crosslife.life/4u9OiQmv5I36f30twZ/de_DE/Firmenkunden/
http://db-service.nl/6MyQxaNOxarz/de/Service-Center/
http://djwesz.nl/wp-admin/KnVDlamF7LhGC2/de_DE/200-Jahre/
http://emilyxu.com/sNIROv3ip2ia7Rw/de/Service-Center/
http://ethiccert.com/kLoOxGyVq2q9PcPP9Qih/de/200-Jahre/
http://fepestalozzies.com.br/QrIQTbQ6sXDw/biz/PrivateBanking/
http://fesya2020.com/v7pUQ4iIXKUkfVP0XQ/biz/Privatkunden/
http://ftk-toys.ru/Download/En/Paid-Invoice-Credit-Card-Receipt/
http://futuregarage.com.br/PnD1PFPBpHVQcTof/SWIFT/IhreSparkasse/
http://hellodocumentary.com/lF0TC8S7s4MiW/de_DE/IhreSparkasse/
http://ia.amu.edu.pl/sites/US/Invoice-for-x/l-11/15/2018/
http://idico-idi.com.vn/FvqbbgGBouRNzZWN6yK0/BIZ/IhreSparkasse/
http://illyance-com.changeprohosting.com/scan/US/Need-to-send-the-attachment/
http://imetrade.com/sites/En/Invoice-1578738/
http://informasi.smapluspgri.sch.id/t7QKZrlelL9bkEc3y/de_DE/PrivateBanking/
http://iphonelock.ir/image/756o59An8/SWIFT/Firmenkunden/
http://keymailuk.com/155653WIUJR/PAYROLL/Business/
http://kreatec.pl/doc/US_us/Invoice-Number-05854/
http://luattruongthanh.com/UIBT0XlVEkepddBSb7/BIZ/200-Jahre/
http://lunixes.myjino.ru/EatgmSU1HjCcx8t/SEP/Privatkunden/
http://mils-group.com/InKygLLQKII4q8vBnnPB/SEP/IhreSparkasse/
http://mrlupoapparel.com/Kw6kWYu/BIZ/PrivateBanking/
http://munimafil.cl/51945NIYCGP/PAYROLL/US/
http://newsletter.trangtienplaza.vn/HpQOqlEsd/DE/200-Jahre/
http://ninetygrime.kolegajualan.com/813CNZP/com/US/
http://philadelphia.life/Download/US_us/Invoice-Number-80110/
http://pornbeam.com/0BJAI/com/Personal/
http://robotop.cn/JXfeXa9x8FkmTWSOU/SEP/PrivateBanking/
http://rozdroza.com/Download/US_us/Past-Due-Invoice/
http://sadathoseyni.ir/d5HrsC7s/de_DE/Privatkunden/
http://sainashabake.com/wp-content/Download/EN_en/Invoice/
http://scafrica.org/gKOXH0pMzc4TqI3iUvrk/SWIFT/Firmenkunden/
http://secretariaextension.unt.edu.ar/wp-content/00002/default/US/Invoice/
http://sightspansecurity.com/Az8bhPsa0/BIZ/PrivateBanking/
http://sparklecreations.net/psUblOaGWD9K80mRY2/biz/Privatkunden/
http://stonestruestory.org/default/US_us/Invoice-for-x/a-11/15/2018/
http://talk-academy.jp/sitemaps/XtQPUozg/biz/Privatkunden/
http://test.sies.uz/CfvkfFAyLUhzYqZN7B70/SEPA/PrivateBanking/
http://therogers.foundation/THowiMnr1tixNH/BIZ/200-Jahre/
http://tomas.datanom.fi/ovning/mVsTs3tq5q1/de_DE/Privatkunden/
http://toramanlar.com.tr/in1GL1p17oohyWIs9A6c/SWIFT/200-Jahre/
http://www.altitudpublicidad.com/6yjbblsXYsGC0iXpZuV/de_DE/PrivateBanking/
http://www.cervejariaburgman.com.br/xboB2kqUj9iGHbTSAU/SEPA/Firmenkunden/
http://www.civciv.com.tr/BSLX30hCPA/SEP/IhreSparkasse/
http://www.emilyxu.com/sNIROv3ip2ia7Rw/de/Service-Center/
http://www.etcnbusiness.com/xerox/En_us/Past-Due-Invoices/
http://www.fesya2020.com/v7pUQ4iIXKUkfVP0XQ/biz/Privatkunden/
http://www.premiumtravel.com.ar/files/0MccETNYoFhU/DE/IhreSparkasse/
http://www.roma.edu.uy/863893JPT/SWIFT/Personal/
http://www.secretariaextension.unt.edu.ar/wp-content/00002/default/US/Invoice/
http://www.soldeyanahuara.com/Nov2018/En/Invoice-for-i/q-11/15/2018/
http://xianjiaopi.com/6kYDYzhpWoYLQ67g/BIZ/IhreSparkasse/
http://xwnmt.mjt.lu/lnk/AMsAAB9iAeoAAAAAAAAAAACrBTwAAAAAKs8AAAAAAAytrwBb7YEDOqblPtIXSlyDpQWA71IrEAAMrHU/1/RHRUDyugjQK_odEvIt7HUQ/aHR0cDovL3d3dy5jaXZjaXYuY29tLnRyL0JTTFgzMGhDUEEvU0VQL0locmVTcGFya2Fzc2U/
https://sightspansecurity.com/Az8bhPsa0/BIZ/PrivateBanking/

Epoch 1 Payloads by Document SHA256 - All Times UTC


XMLDOC #1
SHA256:
http://danzarspiritandtruth.com/J7B5TiAIp
http://littlepeonyphotos.ru/jPGDyvIm
http://iuyouth.hcmiu.edu.vn/mVayv0I7S
http://exploraverde.co/mmR4TaGu8
http://turkaline.com/zGiFH0X


Creation Time	2018-11-15 22:05:00
SHA256:
http://thienuyscit.com/Y6Kp3Cv
http://fashionandhomestyle.com/tyoinvur/wtuds/3HjqiOIHre
http://bnsgroupbd.com/KPGAeXAeEc
http://icart.lk/C5YbDhP
http://osadchy.co.il/8Y1DRnG

SHA256s for Epoch 1 Payload EXEs seen on 11/16/18

Epoch 2 Payloads by Document SHA256 - All Times UTC


XMLDOC #1
SHA256:
c54691bf3bb0ba740dda5cd0bcd08864d993b12819367675aa060ccb3edaced6
3a2389933a0b7e3e30717ef26ebe91f80fe9bab5604aff6285c21bfaa8a82616
649e67f86adcacc3122e01bb922af166f6c15dd727e7acaf7bcefb9810739fb4
19213f80e098af4f1da68a1df8b02a7c69536ccd59bdcd91791e6e8bd35cbc42
44d416539a88d32b88b56bd1ca9971837e880c76920a66ffeb9180c129f311ca
f08ff9def79af3b6c55eec77bdcc84e960a6598fca61403654f8a5db7d1a9d53
13b88d23baf0c3e8b26c42a734380a1a641896525f58fb4b6abff56b50b6a7a0
19025978d414b88abe5076710ba22d817262e0298bf2aa2067f99aacd3e08d79
070017ea838d8bad049be0ef169144f217b8915d3ae3dfdaeb49bf54e7a99673
c40220609fe9243f4ae7334d68af1c78ca962c16ba31786376714d8f09f51abc
24b02da8a5e17fe76c52ad6d7770950cdc9b5624a8bb86e3d3ff78161a4d47de
cc9f8f129b777797ba97e0bcb3ef058595cd2a86f2d70de6f49eed2bd398f846
e9c9fde1bee4259954e72418b1a7d4f8f4000821619d493e576c5de8c541b1cc
d62f08070a80b34e6bf1576da765c355e338fdd43a758abbb7bbe69b3be18dfe
5ca01978541c728af07c7b24d963fd7b5564e29c4f3fab5470473ea12c2e4490
557fa52bd3a82cf97414e245bca68bb82ba94ee476892a0cca07cf31c0910000
ee231ec1b1a7b466c14caf84c16f0082087a8f535c92fb569edee8d24d7eb259
11f8bfb11fde6c3b1e80b3f6b65e46dd7f85c7769bc22d7683029fd4575f0e86
4fd7e9145910ee3defca0d64c41d8221adc276f33918b40a5e64b462bf11ccc4
86a53374a481baae7e79a5c7be1cc8d805a34491eba329e3b7a93cb0194f5c0b
ab72a7960a264d98d08d150eff6fdac84616263d7a5673cff78bcf03af18a365
ef5f5330857998a1f5da41dca3109a1d8d0c0c6afbc0f819e40c85b8c85d93d9
d50e354a279cd5f01401e7b865aa6540a6b380b7d50830a356eb60d69a9c7d9a
c0aa98249d0c18a8264e76e4dfd99bb59f01dd1a2e5217cbfb7529cf96182e4b
8b6275dfa5ebef21b71d0a9319f044281bb4e8e6058e841577c0584fc63fc894
f6e5cb71509406d2921bba207062bd5eaaf282dfd459a85b7f6808091a0e4930
236108be4043b581cc0733f04d8c79b10eca03d7f412e026937202890bba26ba
b976b0160e0ee5ab1cb0d1a5766fed531085c1e653d6b825036a6366c6da709a
40600d37ed15514c91b7bf6ff7ff00f522d628d3435474f5685427a7eee5f488
8bde9744b622b8ca0b02433871415235353d4e2967df598d362252fe1ed8a2ec
e97714ead69be593bf66caa9cf1d8b05d18bdbeedb1619b44109e69447d83ab9
df61fe9a88f41078a691f3fcf308def6f1bd1a3d2122ea8575beb1cf90b17246
1def0b700057e0c127102af0474b74123b55a2a87ce602434912516c199277b6
df29d09811f55a5db80f41b073a5e08028917ec9acd5174249ce68d508e5f7e3
88670fb96c6a147ff18ee7cbfbb1dc79f687f41e651ac1768d58b11d2beda14c
4dbdb4947af6455e05ae2a73449f1f9207a9119d6d1499d1c256cdd756808cf9

http://translampung.com/xkIJX5Lp
http://hobokendoulas.com/lmTIr
http://clinicanatur.com.br/rM
http://mausha.ru/4ncahc
http://candrac-von-hainrich.de/0Sk7c2za

Creation Time	2018-11-15 22:42:00
SHA256:
43bdf562f469b70a4d337142d9503a7b2e5e7a81e1647f97c5328b5198cf6bed
fce3560a40bd632aaeccb2658066aab4737d28d5a6b701156d46578e30bdc6ac
cac8797b1a587c042ddad1ce6c6395ce4ac9fc8f8e8b0f65e999300c779b04b9
8185ebcabc7146b18a6f410e596573f6d5559df036eabec6bbffd513733cf7c2
334fe6a12800a53df5e8c474d3dd7d6a5ce91698a0703d836ce8e5c5691abbe3
5588be0ea293db7c26ea234c1ee37ea9a025a48f883d9a29b094a73fe5b2d48d
f577a5f71a7ebe76f652e3413f940946c7e36337aa42ddd721a7082dc8ed1a29
2223d4d40ae5d7fe91affc5c29333c8df6be3ce273fe5c40bb552e15978b4ae1
30a7835244127aa4d9124165deadf804ee8eceb9f198df1e54039f4f4ddda325
b87856e3d03b9b163a9262113988e66213684e1f9e9c868f462532238074a188
f7e9983692269d65dbd4a637227a02ed528b14127601e697b7fb0ec711023d74
060155b495382977556d17a0ecc3074f942f0eb627b88716d063ef19cab4b1bd
ec8b59ad568b285811d1989ceeab85594856b861c7ae788ef271ee7e667450c5
83c754680591d1f2ff16643c5c8a5e6f4cc646b99bcb131644307703385d9e50
bcdcb2b516359792811d1e9658d9afb8ec04b2237b721fe0bae702cdb747989b
3e2d011bc7ded9700450ce42d0d64615f509591e08430175808066e793032968
9f16bcd8cd354edddfc3d3e06ec42cc5cafb000251ca007b2b65bd48866d45da

http://kharkiv.biz.ua/hPpD
http://onurinanli.com/TCL8aQrA
http://www.tweetowoo.com/Lhy4sym
http://klimahavalandirma.com.tr/0
http://www.brenterprise.info/hCF


SHA256s for Epoch 2 Payload EXEs seen on 11/16/18


a7ce456fe20c1d68c3069c327b802b21122602a77839679e93f749eac63d1b32
e671aee31a5e21e0578759ea80083d85bfbde90244226343acb77f9c0b732280
87663e18edf0074c82b33f7d5f7bc1580ef14a057f95a7db773887cc923a5a71
0da56126ffb57acb5bb1a3ffa1c4c0c2605d257988b2d2964344b8f23173f615
3c4f49fade1589c9b44b32e5efd63869edc4abafb91dfd4ced6a7f5fe7dc0fc3
d1ebaf5ab31847fabf30c4d02eee75c1a802ac6ec4b4043399a28fb547fb2e9c
83b6e8ca90bcaff74e109b867d9e31a657d8015ec7733759dd535c3a089089c3
b0fa533a2a45663b80ad5a2f576ae0f00dadbe3fee66881412ef0b206fd86a44
8f6e7e358d0a505169e783a6fb4260ca922010b83291cd5e1babe0c6fff55154
96d4695afbbe4603899855c7bedae3b0f3a8c588aaead22218b123e7d601d52f
67ed978f7a978600672e2ac354df240ef85d13ea3d894157db9e8e34763a92b5
74e8a217b50a39a02dcee7613bfd7896e794a1e15a860d3cc9c817953acbfe16
527a1a863dd2bfc1e131d2206e4249f2de3f9da4d25d2cd0ced9cc66542b30f3
3012dbd0203a0a13090926f000a4661c4e2aa0c6b47dcd9bb3285d895ff462c6
6fddddf493c63d0124850739181c5d77fe3d579eb418dbbd6151baf0e22d6fca
ad556ea60288dd4700614906a868bbf2684d6bc33286a35725bb86dd652b0e75
e093f6c3768000ec9e5314025eb778b215af31a862d5007b4c8d04fc89c295a3
36e197d3a1a85f1085e6b8e9359cd3374ec1488c001952b8db5fe8463112fbb6
4e3a6744e7b6efefec233af1db03d0ff5fbd7ff1532e45f8c4098c92eb810f86
4816fe4420c648ea3c1e10bfebe02568cf87200a5b45873dc8efbc69e3e143cd
1fb86365f6729042c5bdce56c5c8c3bfb622ebbd10433b289e5c45b4bc925af9
ae61c51f312dd9713a6dc8a586343e4af98c13882765419a1c2943e0a0578b91

Epoch 1 C2s

(Port is 80 unless noted)

109.228.9.122:8080
133.242.208.183:8080
137.103.118.195
139.59.242.76:8080
159.65.76.245:443
165.227.213.173:8080
169.1.71.44
174.126.163.111
181.10.19.178:443
189.162.221.160:990
190.27.97.65:8443
190.47.217.253:8443
192.155.90.90:7080
198.199.185.25:443
199.71.229.6:8080
201.231.78.22
201.236.67.58
205.144.211.94:7080
208.185.128.234:8080
210.2.86.72:8080
210.2.86.94:8080
23.254.203.51:8080
24.232.200.64:443
37.120.175.15
47.190.14.57:8080
49.212.135.76:443
5.9.128.163:8080
64.250.212.160
69.198.17.20:8080
72.46.151.196
81.130.191.202:7080
84.93.152.69:8080
95.50.45.218

Spam/Stealer C2s


Pending

Epoch 2 C2s

(Port is 80 unless noted)

107.13.144.134
110.143.57.109
115.71.233.127:443
125.99.106.226
139.162.151.141:8080
153.101.7.207:8443
153.122.38.158:443
190.186.70.202:8090
192.24.7.148
211.115.111.19:443
217.13.106.160:7080
217.174.206.181:443
222.214.218.192:4143
24.223.109.139:443
24.76.123.171:443
38.140.147.42
41.220.0.26
45.123.3.54:443
46.163.76.187:8080
47.189.188.195
5.230.147.179:8080
5.35.242.34:7080
54.37.23.118
64.19.32.70:443
67.205.149.117:443
69.198.17.7:8080
70.27.207.164:7080
75.112.62.42
77.85.44.164:443
78.187.72.87
78.47.182.42:8080
80.130.108.23:443
81.7.10.106:7080
83.222.124.62:8080
84.200.106.120:8080
85.105.250.128:443
95.141.175.240:443
98.142.208.27:443
99.199.195.235:50000

Epoch 2 - Spam/Stealer C2s


76.73.213.148:8090
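The C2 lists above share one convention: one IPv4 address per line, with a ":port" suffix only when the port is not 80, grouped under an Epoch heading. A matcher that ignores the default-port rule, or keys on the bare IP, will either miss the port-80 hosts or alert on every connection to those addresses. The example below is added here and is not Cryptolaemus code; it parses a short excerpt of the lists (copied from above) into (ip, port) pairs that carry their Epoch label and runs a handful of constructed connection records against them. Function names and the record format are my own.

```python
import re
from typing import Dict, List, Tuple

# Excerpt of the Epoch 1 / Epoch 2 C2 lists above, in the page's own format:
# one "ip" or "ip:port" per line, port 80 unless noted, under "... C2s" headings.
C2_LIST_TEXT = """\
Epoch 1 C2s

(Port is 80 unless noted)

109.228.9.122:8080
137.103.118.195
189.162.221.160:990
198.199.185.25:443

Epoch 2 C2s

(Port is 80 unless noted)

115.71.233.127:443
192.24.7.148
222.214.218.192:4143
99.199.195.235:50000

Epoch 2 - Spam/Stealer C2s

76.73.213.148:8090
"""

# Constructed connection records (not from the page): "src,dst,dport,proto".
SAMPLE_CONN_LOG = [
    "10.0.0.12,137.103.118.195,80,tcp",    # Epoch 1 C2 on the default port
    "10.0.0.12,137.103.118.195,8080,tcp",  # same IP, port not in the list
    "10.0.0.44,99.199.195.235,50000,tcp",  # Epoch 2 C2 on an unusual port
    "10.0.0.44,8.8.8.8,53,udp",            # benign
    "10.0.0.9,76.73.213.148,8090,tcp",     # Epoch 2 spam/stealer C2
]

C2_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?$")


def parse_c2_list(text: str, default_port: int = 80) -> Dict[Tuple[str, int], str]:
    """Map (ip, port) -> the heading the entry appeared under.
    Lines that are neither an address nor a '... C2s' heading (for example
    '(Port is 80 unless noted)') are ignored."""
    c2s: Dict[Tuple[str, int], str] = {}
    label = "unlabelled"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = C2_LINE.match(line)
        if m:
            port = int(m.group(2)) if m.group(2) else default_port
            c2s[(m.group(1), port)] = label
        elif line.endswith("C2s"):
            label = line
    return c2s


def match_connections(c2s: Dict[Tuple[str, int], str],
                      log_lines: List[str]) -> List[Tuple[str, str, int, str]]:
    """Return (src, dst, dport, label) for every record whose destination
    ip:port is a listed C2. Keyed on ip AND port, exactly as the list is."""
    hits = []
    for rec in log_lines:
        src, dst, dport, _proto = rec.split(",")
        label = c2s.get((dst, int(dport)))
        if label is not None:
            hits.append((src, dst, int(dport), label))
    return hits


if __name__ == "__main__":
    table = parse_c2_list(C2_LIST_TEXT)
    for hit in match_connections(table, SAMPLE_CONN_LOG):
        print("%s -> %s:%d  [%s]" % hit)
```

The second sample record (a listed IP on an unlisted port) is deliberately not flagged; that keeps the matcher faithful to what the list actually asserts. If you want to hunt more broadly, index the same table by IP alone as a separate, lower-confidence tier rather than loosening this one.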

Credits and Notes Section

Updated 7/13/18
WARNING - Some links may have been taken down shortly after I reported them to URLhaus, because they rock and report everything to ISPs as soon as it is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture: https://pastebin.com/u/jroosen
 
NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list. I am providing them for your benefit in case you want to parse them to be sure.
 
UPDATED (08/31/18): Epoch 1 is back! For several days in a row it has been on the scene!

What is Epoch 1 and Epoch 2?
Epoch 1 and 2 are two distinct chains of payloads that I have been tracking for a couple of weeks now. Epoch 2 is currently the larger group of hosts and I think it is the main push of Emotet. Epoch 2 WAS a smaller, more rapidly changing version of Emotet that tended to change the hash of the document every 45-60 minutes, and sometimes had new payloads that fast as well. Epoch 1 seems to change payloads every 3-6 hours now, and hashes change sometimes as fast as every hour. Epoch 1 may now be the development chain, but I am not 100% sure what they are up to. Checking either epoch's hosts at a point in time will deliver a document whose payloads are different from the other epoch's. That means epoch 1 may have payloads a,b,c,d,e and epoch 2 will then have z,y,x,w,v. Sites sometimes move from one epoch to the other, but I have never seen the same exact directory go from one epoch to the other. It is always a new directory for the change in epoch, as far as I have seen.

Community Lists


https://pastebin.com/gUQfHNzH - @James_inthe_box/@fewatoms
 - @pollo290987
https://pastebin.com/BrTDgriz - @ps66uk
 - @executemalware

https://github.com/saurabhsha/Emotet/tree/master/templates - @SaurabhSha15 Epoch 1 Spam Templates



Credits

(OC and combination work)
Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, @0xtadavie, @Bitterman59, @devnullnoop, @Bauldini
C2 info - @unixronin, @MalwareTechBlog, @ps66uk, @Techhelplistcom, @pollo290987, @malware_traffic, @0xtadavie, @devnullnoop 
Payloads - @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz, @pollo290987, @malware_traffic, @Bitterman59, @devnullnoop, @executemalware, @Bauldini
Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop 

Special thanks to @2sec4u, @unixronin, @pollo290987/@ps66uk for creating scripts/servers/infrastructure and helping out with all of this!

Very special thanks to @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch and @Virustotal!

Daily Log


Looks like we were not the only ones launching something new of late: today the Emotet gang decided to release a new XML document format. This changes the game a bit, but there was only one payload set all day on each botnet. They seem to be having some difficulty with the implementation of this, and some of the distro sites are not updating the maldocs sequentially or in order. Some of the docs were even malformed and did not open because they were corrupt.

Most of the links reported above are actually older links from yesterday and most have now died. 

Next week could be interesting if they decide to use this tactic again.  Until then.



Sandbox 11/16/18

(all with fakenet and MITM unless spam/secondary infection)

Epoch 1 C2 run at 19:54EST https://app.any.run/tasks/f80236ab-a327-47cf-a84e-ec841483e470
Epoch 2 C2 run at 20:03EST https://app.any.run/tasks/45fa4867-9309-403b-bf38-4df64633cd41