Daily Emotet IoCs and Notes for 12/04/18

Emotet Malware Document links/IOCs for 12/04/18 as of 12/05/18 03:00 EST

Notes and Credits are now at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.


Seen only in attachments



Epoch 1 Payloads by Document SHA256 - All Times UTC



SHA256s for Epoch 1 Payload EXEs seen on 12/01-03/18



Epoch 2 Payloads by Document SHA256 - All Times UTC



SHA256s for Epoch 2 Payload EXEs seen on 12/01-03/18

Epoch 1 C2s

(Port is 80 unless noted)


Spam/Stealer C2s



Epoch 2 C2s

(Port is 80 unless noted)


Epoch 2 - Spam/Stealer C2s



Credits and Notes Section

Updated 7/13/18
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch, because they rock and report everything to ISPs as soon as it is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture: https://pastebin.com/u/jroosen

NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list. I am providing them for your benefit in case you want to parse them to be sure.
 
UPDATED (08/31/18): Epoch 1 is back! For several days in a row it has been on the scene!

What are Epoch 1 and Epoch 2?
Epoch 1 and 2 are two distinct chains of payloads that I have been tracking for a couple of weeks now. Epoch 2 is currently the larger group of hosts and I think it is the main push of Emotet. Epoch 2 WAS a smaller, more rapidly changing version of Emotet that tended to change the hash of the document every 45-60 minutes and sometimes had new payloads that fast as well. Epoch 1 seems to change payloads every 3-6 hours now, and hashes change sometimes as fast as every hour. Epoch 1 may now be the development chain, but I am not 100% sure what they are up to. Checking a host from either epoch at a point in time will deliver a document whose payloads are different from the other epoch's. That means epoch 1 may have payloads a, b, c, d, e while epoch 2 has z, y, x, w, v. Sites sometimes move from one epoch to the other, but I have never seen the exact same directory go from one epoch to the other. It is always a new directory for the change in epoch, as far as I have seen.

Community Lists


https://pastebin.com/YFjCxv1A - @executemalware
https://pastebin.com/Px32BnFH - @James_inthe_box
https://pastebin.com/11pn54uH - @pollo290987

Credits

(OC and combination work)
Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, @0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @leunammejii, @jcarndt, @gorimpthon
C2 info - @unixronin, @MalwareTechBlog, @ps66uk, @Techhelplistcom, @pollo290987, @malware_traffic, @0xtadavie, @devnullnoop, @gorimpthon
Payloads - @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz, @pollo290987, @malware_traffic, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon
Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop 

Special thanks to @2sec4u, @unixronin, @pollo290987/@ps66uk for creating scripts/servers/infrastructure and helping out with all of this!

Very special thanks to @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch and @Virustotal!

Daily Log


Seeing a new template today first seen by @jcarndt. https://twitter.com/jcarndt/status/1069954920441413632

This was seen on E1 and is just a redo of the light blue template with navy blue and white text. Pollo made a funny picture based on this:

https://pbs.twimg.com/media/Dtls84rUwAAZjEO.jpg:large

Lots of IRS-based attachment spam for tax transcripts/etc., and it seemed to be coming from both botnets as far as I can tell. I also saw a lot of French/German/Spanish and other templates being sent.

E1 is still attachments only, which is fine by me because all attachments are blocked at the gateway if they have macros.

E2 had a lot of different URLs again today for spam but was also doing attachments as well.



Sandbox 12/04/18

(all with fakenet and MITM unless spam/secondary infection)

Epoch 1 C2 run at 17:00 on 12/04/18 https://app.any.run/tasks/c52af36f-841b-4060-b073-4ad4ac51b47f
Epoch 2 C2 run at 17:06 on 12/04/18 https://app.any.run/tasks/5f1a62ec-f620-41dd-810c-b50e982020bc