Daily Emotet IoCs and Notes for 11/19/18

Emotet Malware Document links/IOCs for 11/19/18 as of 11/19/18 23:59 EST

Notes and Credits are now at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.


Epoch 1 Doc DL URLs

Only seen in attachments


Epoch 2 Doc DL URLs

Only seen in attachments

Epoch 1 Payloads by Document SHA256 - All Times UTC

Creation Time	2018-11-19 17:21:00
XMLDOC
SHA256:
2fb01d93fbff78008f597084e792a0c3d0a675e7d6d5cbe952dd2eb796be9b35
a2ca0688682318db6036a696e1c3a1b6d5a058a951458885105e2cf2cd96e6fd
15df0b4f9a51fff1753c0240e8e5c47c78ad68a017a5870b96c4949314e5700b
4ed27b4710e7912a199f52bfa043b0f2ffe77644228e2e6e347422ec664321be
2d480c9e74417a12a6e407c0ca9a15361544a62328f1bfec3fca5e8a5701cff4
ed642de0c3636ede6a55294dd38d44a91ca69b07f9ce5d11cfbcf5f84b32aa2f
	
http://raidking.com/a0pbDSCu
http://madisonda.com/zofBoIdrX1
http://boxofgiggles.com/JDKBKAac8m
http://carminewarren.com/D7kEg2A3a
http://chefshots.com/21dJDQqroG

Creation Time	2018-11-19 12:34:00
XMLDOC 
SHA256:

http://bemnyc.com/dFl8aeN
http://tvaradze.com/8Z3cdkK
http://mentoryourmind.org/orfhuwL
http://bahiacreativa.com/Z24ooLp
http://chang.be/BF0i0qax

Creation Time	2018-11-19 07:17:00
SHA256:

http://sociallysavvyseo.com/1aLTOhZ
http://dsltech.co.uk/qzLNSSy5Cs
http://djwesz.nl/wp-admin/WKI4GGr
http://altarfx.com/DNyqFMi
http://malchiki-po-vyzovu-moskva.company/4EGgJcfEnq

Creation Time 	2018-11-19 06:24:00
XMLDOC
SHA256:
228f9e81f87ba88bebb76cf16ee4dcddc41d6cce6a512deca4485f7b31575789
bf75b55c2eaf64be3ea8ecd1994b7bf40d200b12d44585ee79a3019cf728c22a
cda3f074d11d2b9a97ab20f0ee1b651e99b22dc571ce1135c90a31dc6703a3a9
e8c891110705b388677c4b4d689451c8606d107aececfc6109fcdd771b25d4c4
8acb36973c43412fc63d31fe5eac97dc6f1fe950f3332ea76c29834407b65870

http://agrarszakkepzes.hu/635pywApth
http://afan.xin/GOQ5ytgvwU
http://dingesgang.com/bvOuLZu
http://charliefox.com.br/eiKMths
http://casellamoving.com/m7GTLj59x7


Creation Time	2018-11-16 07:15:00
XMLDOC
SHA256:

http://danzarspiritandtruth.com/J7B5TiAIp
http://littlepeonyphotos.ru/jPGDyvIm
http://iuyouth.hcmiu.edu.vn/mVayv0I7S
http://exploraverde.co/mmR4TaGu8
http://turkaline.com/zGiFH0X

SHA256s for Epoch 1 Payload EXEs seen on 11/17-19/18

Epoch 2 Payloads by Document SHA256 - All Times UTC


Creation Time 	2018-11-19 19:07:00
XMLDOC
SHA256:

d7c08bec13b8979c93e616ca8df77a05949f078a301a7c21262966d6f82e558b
a7c95fcd2da53fd88ced59433678e3e7693b96acd8465b3caa8671a7ef734a0c
f6de34555a7876ee0ffc633c80f69c9570ed6a54091ec73337b6e82f1b318489
655c96dd7124f7753b1e8883b09bad52579ea80ec3501fb3fbd03898af648220
6fc89e2eb682164b84388feb55df28cc50d8e687fd9a16422543823a25df9479
12834e9dd32a265282b1c81b2dbadf729da386c5097d1615b49c0df423478041
7b5540a249fba413bd79bf3a38a1c89a9ca0c42cd4174362b03b682dac02631a
30517521843f607d8e32d21138eaf2f573195e331c6bfe774483d5ddd5d8d68c
d1185545330753574ad44e41257f1af7288b3d2a046b20f687947a71134ada9a
a7b4498557d3fdbc932b30a28f76c636bc13b0a018b4af9bceff6e3685063822
1231fa7dba90002601f0b354bf3f260cc1be7100e1814145c5c1733cb24dbc66
fdfff9b94fec660dfbca1760a57c2d24a3f919732ad511a8ab825c1e06b2d09f
cea456847df639b63c3321efe53cca4476e0b4c104286cae3004661bfa341cdb
3489c6338c3d47fa15ee66d3f8261902b1f5854919aa8f7dd9abe4100c7de3ad
ca80577adc758630a38e7d8f46a3e9b3ebb2ad325c3125d609c7c664928791b8
0657c890948cfd44536dd73e68762e627df031b6e9dda04b1957e0f3aa2d2902

http://polyblow.com.br/8EPM4dA
http://insumex.com.mx/Xsjzfd
http://astro-icsa.ru/suDm
http://localbusinesspromotion.co.uk/59her
http://ezpullonline.com/I5LPXtPU

Creation Time 	2018-11-19 13:54:00

SHA256:
0dd63006ea9f148c7a310fc7677d3da51d9b677dc99d6ab84f902c41b36fec95
461b04edac1f434ff9507841f9f2fe85e61e8f64f8783ea98d3309b8504c6ec7
ec24a6879b82fe861d0910bae6c6c1238969964d948a50a5f15ba89777697d0c
173a80b786405212d15fb951581988a21455c6f48e61c5b243c8b0348dd7a703
51f464f7878a562ea9f80c6517c9930af92a25ad150456153cdf266d30673582

http://compassionatecarejupiter.com/hKN
http://psychologylibs.ru/e
http://www.test.mira-mila.ru/JTSpbl
http://www.hmm.mdit.a2hosted.com/Z5NUDDEy
http://www.mtsoft.com.tr/8C


Creation Time 	2018-11-19 12:18:00
SHA256:
6aa96a2fb2e8753e0334aad29dbf0f03b26009bd2c8c415a7855b4fe293a6b2d

http://www.baangcreativa.net/Qa
http://www.ccash.xyz/orwhJc0G
http://www.biz-shop.pro/mEZcNad
http://www.bani.biz-shop.pro/F6
http://www.carbonlooptechnologies.com/LPPaE6


Creation Time 	2018-11-16 08:24:00
XMLDOC#1
SHA256:

http://translampung.com/xkIJX5Lp
http://hobokendoulas.com/lmTIr
http://clinicanatur.com.br/rM
http://mausha.ru/4ncahc
http://candrac-von-hainrich.de/0Sk7c2za

SHA256s for Epoch 2 Payload EXEs seen on 11/17-19/18


7366ca030b0c795fec9fb7c6795453420c13916d020ef0138a517c4a23bc8953
7499e9415ff5f417b19b9863b97abcb02beee537e98abe627a148166971d124f
a8a5506d22225a9365ccfd3cb4a88336c5fdd2759b4a4b37e86fc6552a34b352
a3037dc430714b2da5271b410080a34e18caa19c3fb99bfbc3d2e340fc6ba84d
a72608959bda8002bb98c1f9c1230099cc9482cf0233896c1e121eab88d94bad
710e1e8ca717e27ebdfeecf7fd289bd903cbba40920a3de25fc7d70eca5cdc04
eab77a7ac78940ee1c2ccd360ca535aaebc451b09f6fd48818b6f821464f34fd
fde65b1f5e219c6abcc1ee4453c0164eeea85ebd8b98a6f3cfbd6bdb8541fe96
30c5a925fe1637fa83b5a79d4d000f4ce8d6ba56bc19bead6f3f1c031c453469
f6959d135e69cba179b2a967424700cd9d9baa5f5996ecb55e5b1aa21601e9aa
40d6292449d5650a11a5125ec64c1f1e24391a29fdfe02ae36b404f8f8cefda1
0b5a4de83152f2faf695af427331187a73e81e88aa9e0d08f6438334406dd706
5fb037f09a0b7770c0f7f268cfc075a5917be50c4cebb5f162d02fa083fc161a
37eda753b8e0ab8e30b5d75c73463758549a4bf8f136908002d8951a6c56c400
a9c659c02b2269c16b75a438639cab4eedecbb77b1887fe4907f0049ed009559
3a96d377ee06dd0bec12b0b5d5c7b05f396b19d72181219a6a351cfac41cf145
7546085309de536c0998cac17c4760e8ea8a17f341dde484fa467e7b02d9c57e
48484577137035235cd15a58783d98a8423eabefdbabe64bfe76f86b4453eb83	
320ef6793a60f219e8e0a4e036bf278a127a4b430d1528e14cc35230402c82fc
a8f27205435ee2261e4d833f69cbbab52d9c80464a74a0014320dab9b40a64ce
8b0c7d28545905f3615f6806c05bfb538f152f8de421eeba98debf091f71eed9
2f36a61359f39abef46367292fee0c70efb2f04b93eee3cb700054c0818ce21d
88017bfa3f7c1d2139381df2f76730aa66e092738416495be13db1ad5b7c7a61
be1e745280e85850af5b3bddecef912612ca56c1a6aea83fbc483f1fc52ea3f1
d9e0241a05d935d46be3ed894918116b31aeb0d3dd11dc842a140186c75a5dd9

Epoch 1 C2s

(Port is 80 unless noted)

100.34.98.47
133.242.208.183:8080
139.59.242.76:8080
159.65.76.245:443
165.227.213.173:8080
173.242.103.80
181.143.208.106:8090
181.170.212.29
181.39.66.26:990
186.1.6.67:443
186.146.1.36
186.64.69.115:443
190.113.233.4
190.145.67.134:443
190.16.177.117
190.180.96.117:8080
190.189.16.174:8080
192.155.90.90:7080
198.199.185.25:443
210.2.86.72:8080
210.2.86.94:8080
213.123.212.188:8080
216.14.176.17
221.120.97.51:8080
23.254.203.51:8080
37.120.175.15
49.212.135.76:443
5.9.128.163:8080
65.87.40.115
67.79.6.38:8080
69.198.17.20:8080
77.68.30.48:443
81.136.248.12:8080
98.144.133.221

Epoch 1 - Spam/Stealer C2s


Pending

Epoch 2 C2s

(Port is 80 unless noted)

100.42.161.20
113.161.174.36:8080
115.71.233.127:443
122.174.172.246:990
139.162.151.141:8080
144.139.247.220
153.122.38.158:443
165.255.130.181:8090
173.167.68.21
173.167.68.21:8090
178.210.51.222:8080
182.176.94.236:7080
185.20.104.238:8080
189.170.145.155:8080
189.236.60.24:7080
198.74.58.47:443
211.115.111.19:443
217.13.106.160:7080
222.214.218.192:4143
45.123.3.54:443
46.163.76.187:8080
47.23.101.26:8090
5.230.147.179:8080
5.35.242.34:7080
54.38.246.111
67.205.149.117:443
69.198.17.7:8080
70.164.196.212:8080
73.254.24.122
74.143.211.18:8080
78.188.59.144
81.7.10.106:7080
83.222.124.62:8080
84.200.106.120:8080
85.105.71.247
91.74.59.162:443
95.141.175.240:443
98.115.74.17:8080
98.142.208.27:443


Epoch 2 - Spam/Stealer C2s


76.73.213.148:8090
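The blocks above follow a fixed layout: an "Epoch N ..." heading, then bare SHA256 lines, bare http:// document download URLs, and C2 entries as IP or IP:port with "(Port is 80 unless noted)". The port is part of the indicator, not decoration: the Epoch 2 list carries 173.167.68.21 and 173.167.68.21:8090 as two separate entries, so a sweep that drops ports would both over- and under-match. The Python below is an added example, not part of this paste or of Cryptolaemus' own tooling. IOC_TEXT is a shortened excerpt copied from the sections above; the proxy and firewall log lines are constructed for the demonstration and are not real traffic.

```python
"""Parse a Cryptolaemus-style daily Emotet IoC paste and sweep logs with it.

Added example, not part of the original paste. IOC_TEXT is a shortened
excerpt of the page above; PROXY_LOG and FW_LOG are constructed samples.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

IOC_TEXT = """\
Epoch 1 Payloads by Document SHA256 - All Times UTC

Creation Time\t2018-11-19 17:21:00
XMLDOC
SHA256:
2fb01d93fbff78008f597084e792a0c3d0a675e7d6d5cbe952dd2eb796be9b35
a2ca0688682318db6036a696e1c3a1b6d5a058a951458885105e2cf2cd96e6fd

http://raidking.com/a0pbDSCu
http://madisonda.com/zofBoIdrX1

Epoch 1 C2s
(Port is 80 unless noted)
100.34.98.47
133.242.208.183:8080
181.39.66.26:990

Epoch 2 C2s
(Port is 80 unless noted)
100.42.161.20
222.214.218.192:4143
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
URL_RE = re.compile(r"^https?://\S+$", re.IGNORECASE)
IP_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?$")
EPOCH_RE = re.compile(r"^Epoch (\d)\b")
DEFAULT_PORT = 80  # the paste's "(Port is 80 unless noted)" rule


@dataclass
class IocSet:
    hashes: Dict[str, int] = field(default_factory=dict)          # sha256 -> epoch
    urls: Dict[str, int] = field(default_factory=dict)            # doc DL URL -> epoch
    c2: Dict[Tuple[str, int], int] = field(default_factory=dict)  # (ip, port) -> epoch


def parse_iocs(text: str) -> IocSet:
    """Walk the paste line by line; an 'Epoch N ...' heading sets the current epoch."""
    iocs, epoch = IocSet(), 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := EPOCH_RE.match(line):
            epoch = int(m.group(1))
        elif SHA256_RE.match(line):
            iocs.hashes[line.lower()] = epoch
        elif URL_RE.match(line):
            iocs.urls[line] = epoch  # URL paths are case-sensitive; keep verbatim
        elif m := IP_PORT_RE.match(line):
            try:
                ip = str(ipaddress.ip_address(m.group(1)))  # rejects octets > 255
            except ValueError:
                continue
            iocs.c2[(ip, int(m.group(2) or DEFAULT_PORT))] = epoch
    return iocs


# Constructed sample logs. Proxy: "<ts> <client> <method> <url> <status>";
# firewall: "<ts> <src> <dst>:<port> <action>".
PROXY_LOG = [
    "2018-11-19T17:40:02Z 10.0.0.15 GET http://raidking.com/a0pbDSCu 200",
    "2018-11-19T17:41:10Z 10.0.0.16 GET http://raidking.com/ 200",  # other path: no hit
]
FW_LOG = [
    "2018-11-19T17:42:30Z 10.0.0.15 133.242.208.183:8080 ALLOW",
    "2018-11-19T17:42:31Z 10.0.0.15 100.34.98.47:80 ALLOW",
    "2018-11-19T17:42:35Z 10.0.0.15 100.34.98.47:443 ALLOW",  # listed IP, unlisted port: no hit
    "2018-11-19T17:43:00Z 10.0.0.17 8.8.8.8:53 ALLOW",
]


def sweep_proxy(lines: List[str], iocs: IocSet) -> List[Tuple[str, str, int]]:
    """Exact matches against the document download URLs: (client, url, epoch)."""
    hits = []
    for ln in lines:
        f = ln.split()
        if len(f) >= 4 and f[3] in iocs.urls:
            hits.append((f[1], f[3], iocs.urls[f[3]]))
    return hits


def sweep_firewall(lines: List[str], iocs: IocSet) -> List[Tuple[str, str, int, int]]:
    """Match destination ip:port against the C2 list: (src, ip, port, epoch)."""
    hits = []
    for ln in lines:
        f = ln.split()
        m = IP_PORT_RE.match(f[2]) if len(f) >= 3 else None
        if not m:
            continue
        key = (m.group(1), int(m.group(2) or DEFAULT_PORT))
        if key in iocs.c2:
            hits.append((f[1], key[0], key[1], iocs.c2[key]))
    return hits


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    print(f"{len(iocs.hashes)} hashes, {len(iocs.urls)} URLs, {len(iocs.c2)} C2 endpoints")
    for hit in sweep_proxy(PROXY_LOG, iocs) + sweep_firewall(FW_LOG, iocs):
        print("HIT", hit)
```

Feed the full paste to parse_iocs and your own log export to the two sweep functions. The URL match is deliberately exact, since the compromised sites here are legitimate hosts with a single malicious directory; matching on hostname alone would flag normal browsing to them. The epoch tag on each hit is worth keeping, because the notes below explain that the two epochs serve different payload sets.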

Credits and Notes Section

Updated 7/13/18
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch, because they rock and report everything to ISPs as soon as it is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture: https://pastebin.com/u/jroosen

NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list. I am providing them for your benefit in case you want to parse them to be sure.
 
UPDATED (08/31/18): Epoch 1 is back! For several days in a row it has been on the scene!

What is Epoch 1 and Epoch 2?
Epoch 1 and 2 are two distinct chains of payloads that I have been tracking for a couple of weeks now. Epoch 2 is currently the larger group of hosts and I think it is the main push of Emotet. Epoch 2 WAS a smaller, more rapidly changing version of Emotet that tended to change the hash of the document every 45-60 minutes and sometimes had new payloads that fast also. Epoch 1 seems to change payloads every 3-6 hours now and hashes change sometimes as fast as every hour. Epoch 1 may now be the development chain but I am not 100% sure what they are up to. Checking either epoch host at a point in time will deliver a document that has payloads that are different from the other epoch. That means epoch 1 may have payloads of a,b,c,d,e and epoch 2 will then have z,y,x,w,v. Sites sometimes move from one epoch to the other but I have never seen the same exact directory go from one epoch to the other. It is always a new directory for the change in epoch as far as I have seen.

Community Lists


https://pastebin.com/nQCKLvLk - @James_inthe_box/@fewatoms
https://pastebin.com/yHm0UdGx - @pollo290987
https://pastebin.com/XaKddL3W - @ps66uk
https://pastebin.com/n9ZcnufX - @executemalware

https://github.com/saurabhsha/Emotet/tree/master/templates - @SaurabhSha15 Epoch 1 Spam Templates

Credits

(OC and combination work)
Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, @0xtadavie, @Bitterman59, @devnullnoop, @Bauldini
C2 info - @unixronin, @MalwareTechBlog, @ps66uk, @Techhelplistcom, @pollo290987, @malware_traffic, @0xtadavie, @devnullnoop 
Payloads - @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz, @pollo290987, @malware_traffic, @Bitterman59, @devnullnoop, @executemalware, @Bauldini
Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop 

Special thanks to @2sec4u, @unixronin, @pollo290987/@ps66uk for creating scripts/servers/infrastructure and helping out with all of this!

Very special thanks to @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch and @Virustotal!

Daily Log

Today was an interesting day and we had XML type docs at first and then it changed over to normal Word Docs briefly on E1 and then back to XML again. It looks like they are working on moving everything over to the XML type documents. So far we have not seen any new URLs for document downloads. I did get a great deal of attachments from both E1 and E2 in various languages. I saw it start in Spanish and then go to French and then end the day in English. We will see what tomorrow brings.


Sandbox 11/19/18

(all with fakenet and MITM unless spam/secondary infection)

Epoch 1 C2 run at 17:01 https://app.any.run/tasks/d8ed5b16-634e-4a89-b650-4ba5e3a0fd01
Epoch 2 C2 run at 17:09 https://app.any.run/tasks/721b3a64-e294-4c87-84e6-5ab4a7927b2f