Emotet Malware Document links/IOCs for 12/21/18 as of 12/21/18 20:59 EST
Notes and Credits are now at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.
Epoch 1 Document/Downloader links seen for 12/21/18
http://365shopdirect.com/Attachments/122018/
http://arbey.com.tr/Amazon/En_us/Attachments/2018-12/
http://austeenyaar.com/AMAZON/Orders_details/122018/
http://bloodybits.com/Clients/12_18/
http://chaos-mediadesign.com/demo/administrator/Amazon/EN_US/Clients_information/122018/
http://durax.com.br/Amazon/Information/12_18/
http://evitagavriil-art.gr/Clients/2018-12/
http://farmasiteam.com/Amazon/En_us/Payments_details/2018-12/
http://hubgeorgia.com/Amazon/Information/122018/
http://isn.hk/Clients_transactions/2018-12/
http://loveyourdress.co.za/Amazon/Payments/122018/
http://marisel.com.ua/Attachments/12_18/
http://pure-in.ru/Messages/12_18/
http://sahinbakalit.com/Amazon/En_us/Transactions-details/2018-12/
http://sarangdhokevents.com/AMAZON/Transactions-details/12_18/
http://teising.de/Transaction_details/12_18/
http://www.ahnnr.com/Messages/122018/
http://www.fortifi.com/Clients/122018/
http://www.jconventioncenterandresorts.com/Amazon/Information/122018/
http://www.kahkow.com/Clients_Messages/2018-12/
http://www.rosscan.info/Amazon/En_us/Transactions/122018/
http://www.sahinbakalit.com/Amazon/En_us/Transactions-details/2018-12/
Epoch 2 Document/Downloader links seen for 12/21/18
http://35.227.184.106/JTSj-mmC2_JGpLvX-fH0/57582/SurveyQuestionsUS/Invoice-91790108/
http://catairdrones.com/de_DE/ISSCFZHJWO7942759/de/Rechnungsanschrift/
http://leonardokubrick.com/wmegk-p4o_XyKAlVVwC-2GB/invoices/38612/6990/En/Invoice-Number-72827/
http://marisel.com.ua/siDco-8sU_bqYF-xc/ACH/PaymentInfo/US/Paid-Invoice-Credit-Card-Receipt/
http://mavitec.es/TlNxe-Od_FYMO-c5/ZS91/invoicing/En_us/Companies-Invoice-1220317/
http://nar.mn/wp-content/cache/HWGn-FB0_pBSSRTy-MSg/invoices/2472/33043/En_us/Open-invoices/
http://omhr.ro/jmPJ-fYUr_gUeVq-1uw/INV/452395FORPO/26336495984/EN_en/Past-Due-Invoices/
http://pclite.cl/iDDsw-kcGb_XLo-Kdb/invoices/44445/31507/En/Question/
http://pravokd.ru/UAQmQ-AG2Da_yLIbNo-iYA/INV/8501169FORPO/3632845162/US/Past-Due-Invoices/
http://radiospach.cl/PZjuE-HDNO_t-yK/ACH/PaymentAdvice/EN_en/Inv-13937-PO-6G798119//
http://richardstupart.com/EtWA-tFv_FlAuhl-oA/A196/invoicing/En_us/Sales-Invoice/
http://soundofhabib.com/XYog-8k_mS-au1/US_us/Past-Due-Invoices/
http://steveparker.co.uk/YAQg-yJuF_WRdzGVIcP-Az6/PaymentStatus/US/Scan/
http://take-one2.com/wNOqk-Lc_JcvB-eGu/Invoice/5156794/US_us/Invoice-for-you/
http://tallerderotulacion.com/components/KPGR-gikd_qkKZk-iW/0930602/SurveyQuestionsEN_en/Overdue-payment/
http://tortugadatacorp.com/NmlRA-Gz9_e-MM/invoices/11194/1103/US/5-Past-Due-Invoices/
http://track.wizkidhosting.com/track/click/30927887/tunerg.com?p=eyJzIjoiWlFHZm1KcFAzRTVJVzZBaU5UakhSRlZKblgwIiwidiI6MSwicCI6IntcInVcIjozMDkyNzg4NyxcInZcIjoxLFwidXJsXCI6XCJodHRwOlxcXC9cXFwvdHVuZXJnLmNvbVxcXC9IVnhwZy1nek9hel9Vb0lULThwXFxcL0lOVk9JQ0VcXFwvRU5fZW5cXFwvQUNILWZvcm1cIixcImlkXCI6XCJiYTk2ODc1NTlhZmU0NjJmOTUxZjZkZWNjMDI1NzQ1MFwiLFwidXJsX2lkc1wiOltcIjVmODMxZjFhMmI2ZmNiYzQxZTZjZGY3YWVmZmIyMTU2MWYwODY0MDNcIl19In0/
http://twelvestone.nl/ecTz-EC_mY-wWd/INVOICE/EN_en/Invoice-Number-09961/
http://vulpineproductions.be/@eaDir/@tmp/cKCFm-VKQ_zNuXTmYEy-Api/Ref/81773754US_us/064-09-589759-602-064-09-589759-837/
http://waus.net/rgNJ-ff_PbvhN-48/INVOICE/EN_en/Scan/
http://wowter.com/TOxXV-Nu_QWErG-DJ/ACH/PaymentAdvice/US/386-30-431475-701-386-30-431475-312/
http://www.blueorangegroup.pl/testerrorpage/hkuR-icC_NjoedM-BV/ACH/PaymentInfo/En_us/Document-needed/
http://www.congtydulichtrongnuoc.com/selib-pmt_PaxQp-b94/ACH/PaymentInfo/En_us/Need-to-send-the-attachment/
http://www.erhansarac.com/DqDO-duM_PJIK-I1d/Ref/27022076En/Invoice-Number-365080/
http://www.hlxmzsyzx.com/xzPEz-Y9mt_XBmWpkXR-jgx/invoices/00738/98639/US_us/Service-Invoice/
http://www.hochwertige-markise.com/YfbU-m9Kcm_rnyX-vZ/PaymentStatus/EN_en/Invoice-76081840/
http://www.humpty-dumpty.ru/eKzv-rWKh6_J-nhy/ACH/PaymentAdvice/En/Invoices-attached/
http://www.lagis.com.tw/ktPF-Fc8Pm_heXXiUK-HWE/OO15/invoicing/En_us/Document-needed//
http://www.pnhcenter.com/mKck-X92E_Wt-zf/INVOICE/En/Scan/
http://www.quicktryk.dk/eUvB-5wdp_FZSBXOJv-p5g/6832291/SurveyQuestionsEN_en/Paid-Invoice/
http://www.salamouna.cz/cache/niNIE-awk_uIjdCfidW-dl/InvoiceCodeChanges/US_us/9-Past-Due-Invoices//
http://www.tdi.com.mx/DyDEV-Rb3_eB-PT/PaymentStatus/EN_en/Invoice/
http://www.web.pa-cirebon.go.id/TWdx-tD4F_RCEDSV-ybD/Inv/92735415712/US_us/Document-needed/
http://xn--d1ahebikdfcgr7jsa.xn--p1ai/oLwpB-108_w-NA/INVOICE/US_us/Sales-Invoice/
http://zoox.com.br/EIZk-qw3_xmVDwjV-zh/PaymentStatus/US/Scan/
Epoch 1 Payloads by Document SHA256 - All Times UTC
Creation Time 2018-12-21 19:55:00 (ENG - Orange/White)
SHA256:
d3f548873cd89fcc313ba5a9e96dee8db036abe4d9ff816b445f43155f4b7881
260a4507d7a46f89c2ae55be63a685b803831a06428570174fcc5c12593d58d6
f14a570b12976ae6d1cf4fc49d10a73d0e5c36080cc19cb0e31557c84b5da200
1031ebef9f16394fc6a8e0aa02c24a88ac3df48a1a9252287a33ab2258d7079a
cec08c6f60e5f326bedd25a5067ea8b7ee127ea169b0edb80f1b9e791e5cd4af
f8a181d2b0f93db3599d95ffb6fad6aee68eafd7b873eb8969ec26b922231aab
cb391dd9de9c0758b86f6bd84b10fa7446561e570b8bf827dd3effcd1d7d7b43
40dd7573e5275fc1281dc959124e546ecf7de5843ee73729b6f3f0c772101f0f
3b48f1d1797a93a86b7dd5ca39ca8062581f14a80c82bf766d9d2eae7d81c39c
2c6f26bece77e3e5fe1001c16edc5ef3f164683e361c4d9096ba75ed4a4b06fe
53ec84dc9666216325bbf3e6c312d303abeee040c3fd37baa739dd3877a7ee1f
370bfb5fbe974eb83fa4c937dd72ebb30d3e580cc687691564031b55bdd838a7
636394bc192d7411dbf9344d1753a4209fc9261aa8380c81626d8b28554a7559
4e4e36a9d903a3b2a6947cdcd2654728101cd9ba0cf29fa58dfcab35d44c08a1
ed19896ace63da87efb9197691481855921d1779dbf02b3c94bda0ade6755e37
e64ff731da7be728952b7e74db5db8b754273ba39144ad21a8186409f9e56157
6f2a1dbaa9edae6273edd049ac13ee0d710fcf2239ae10c58e7a0db5db252559
f206e947af634dc6968783c758e3e670976fe6523e1075427bd6f8c78b38932b
6ac0b4a2e03193143b06f190f42c0965be6d1c748dc957b7958aa8fb073e597a
162c0bc0f6881c3c59b1678d6e75bbbd9152a95371c3b514f4d070205fdf233c
9bea6cf518d59a6806574cf3fc0d807693f4008df8d466f8ea8716deee8b0571
a8f464917420a78c8afd764a6282efd02e9d2a9632fb2be9f54914d5ae62f3b8
6241e1210d32c053727b414270829b31fc55a784288d0fb732009f9802543f5f
35c794f21e78ecc266d39078c221f63252dd403af44211a93aac561d1a8eb677
6db07d9c3445f48645d51ac8a3c87e563da5da988835a8c0de4a8a401b7e0660
cc067240cd823bc4e747cf98048a6ddccb869c31902189d8427f5694fc76fe18
842c8be67c3d655d777b697b9a8242030f72f63818ed4693ccde914e1df5e830
a7fe18191234ce11ae76a701d6c61c8e106233bc616a0a580ceb209d5d611a34
http://johnnycrap.com/ho1ph0njd/
http://kids-education-support.com/LRl15CY/
http://tortugadatacorp.com/K3Y7idp/
http://realitycomputers.nl/CX2ibxR5r4/
http://jaspinformatica.com/sdL8s7hg/
Creation Time 2018-12-21 15:23:00 (ENG - Orange/White)
SHA256:
http://antigua.aguilarnoticias.com/8ol4F4p/
http://prosolutionplusdiscount.com/gEEsqX5mU/
http://bunonartcrafts.com/6jUhzQa/
http://regenerationcongo.com/NVRODt7/
http://ghoulash.com/oHusH3kaO/
Creation Time 2018-12-21 11:02:00 (ENG - Orange/White)
SHA256:
adfbb7696bb0cf47efa5c805bb45ebb3f062f7c20cd87e01bd783c82119265d9
0641fda9dfe5906460a0f15f4a10fdb636e7ec17aba651cf25ddf404cf04383a
ccdc6d3b7d4c37b351ae521679d0accbcaf9d71453df094a0651944a9fa2187c
48b3075b281cafa8d1cc3d8f09baaf26f567e6734fcea9309dab93460623e760
02976f5be40c1a85da13d923da98d935bd980a8f02cb1fc6106d3ee1ba8865d4
2d5f1cbe450545edabd3016706513ef0ad9dbf2753eddfdc3a3ba52107105f86
959f75d7ea524a3188332944129eb090c7e91a00547f41f638c03d9ec6f1d336
74ac53ced51c3d824186714dbe4431d2c9821479588def9cde766fd72aaa6719
73432898a243b9fc2c57f687e41c250fc177fc8e508823f2f47703ef55b90450
9158440e3223b37e3369d5251e67ad7a215f0ce64c4008e5ba2c80c7d612a3f0
58920b10b34928db438824695fdbd9cc4e2f18091da412fe8ebd7828b5fd07b9
9959e3f47f7a25bd7a66138a0ea5a47f07d594c47539c83343c46dc8c2ee0830
0cf923ddff2ecab62e97924e164dec20b0522e6856cf1c71753561bf76a1e169
a198e729fa0ea5f5e9a18b7f783628d4b35471d4ed03538f5ab1a35aa527e2f8
9736b5f3717c819ae79ce88bcdf96b86ca6f98e32d2ca86da81dbfac01c7836e
d05269541be58bf8eebf8c606c31e7e6540b3850356bab25d0001555e9a2bde5
52c5ab04b3eb8845b54cfd44a5ad99ef26f54e8bde5fc9fdc076e09d3ad7a692
a61ce12cd466c62e72456c1fe8f09696c9852638e9eaf46980e4d964176b59f6
f78cbbb9f88b79e8dc73e6c4fc0c130b853c64debaa1bc1fc79deee00a3041fc
b216c239d60ba68defc3025b3202806f7baac1955bbe553c835dfb9bc30eb7a3
ee05b5adc243f2080c564a4b0e4d85884f983509e12c045ee00d7e123ac16475
fdf29f56e08dbd0d5e7cf7503726f8c2c9498844009d729db7afcf3655c95fa3
66ff4239c19e427600af0afcb4ce05e88833a0520ef0922de0978fdbdaea67fd
http://repigroup.com/qGTNnS7Dxg/
http://www.albertorigoni.com/GOzX4Wqn3/
http://panjabi.net/8UA8WL8HFk/
http://sharnagati.com/8Tt4AwK/
http://www.a2zonlyservices.com/LpspdMHcE/
Creation Time 2018-12-20 21:11:00 (ENG - Orange/White)
SHA256:
9211a77dd37798e12f65e2f756636771d2760e2cced9b5fade11d3757163406f
d0af2fd3d62e4aa670362627ac41e480edc0c60526272ad7bdc86003afc82edf
a9eb9429255f9bc08a42d9338cac1a0f7b39080d3ea71601e5e4f9dfabf0f0db
9673e78c25f462a3c4340b91a52d110c3d0d8156ae9af190a3c02f4eebc7faf6
b2992cbcc3cacf6879aa1a9bcc9fe8c0d62b5326d8b4f40bd5f2979a261e12ef
cfdc83712416cc863020d02d6bc376d84b37d633c189d9cc2de0ce56ac272b78
a2afeea69b4512f2b36bb04ecb5d9ef6596080658b241878ca308c6f170ea8b7
12b8759f5de691c764682703c684931e7cf48ee7be91963ede1421fe604b91b7
129ee00c04a6b2e6231b9919178841242df101184be88afba0441c5bb0b8c39c
cfd51380b31b90b97dfaf68c7e1273190a2660538f659ea0d6dc1ef8099cca7f
084ee3a04abaaf15cbdec12f7f74ae8e4670db840f24e8a3335ce1a9f6d07cb7
fda7c4bf9f6053900b268a13d7d089f4dc91ad53bdf90fd7c183c7fb5ac647ca
9c36dcd976f7167af5b0a197114cb824f6e09b2770e4f7a643bc368d709e13fd
ffcfab023c2e4bc0e8f73abbe10671c6e1b7c1f96f4c64c87cbbdf819086ff37
b261d4912b35aec439dde627bb74a93b5fc9c5609616af27eb5a4d788244517f
8a45b84314bf4b90f4698c52e12e3b13898aa6b71f7675c9a340994e80986baf
84b2b8a7808685f8ace5993465b893c81a056d4b0088de6864df7bdc8d472374
1626546d6d1339b0c1ceef2bc4bc5c0d7b25c920e74cb2f32b8acbc7dbc054ca
e9e6e5ed891e794a600a883c825e34c88906edd919b3718791607459a25c722b
12958b7c4df703e4b97f42cf70e953b571319072fede31af366e60dc5dfc4c5d
http://www.jamimpressions.com/jkcsJpq/
http://www.drquiropractico.com/iKGPMCf/
http://leptokurtosis.com/NE1a7l8aSX/
http://jongewolf.nl/LWhD42m/
http://www.digicontrol.info/PIjj96R/
SHA256s for Epoch 1 Payload EXEs seen on 12/21/18
Epoch 2 Payloads by Document SHA256 - All Times UTC
Creation Time 2018-12-21 14:47:00 (ENG - Orange/White)
SHA256:
http://www.babykamerstore.nl/sites/KNm53A_pCL6/
http://therxreview.com/MUK31q_7UQ3sIR/
http://patrickhouston.com/jV6_760ojdF6_OchIfohV4/
http://greenplastic.com/MQg_ii3OMw/
http://ulukantasarim.com/wp-admin/images/EjaF9S_6xQfPevy/
Creation Time 2018-12-21 10:43:00 (ENG - Orange/White)
SHA256:
http://piaskowy.net/5mD_SdRlm/
http://mnatura.com/Du9pVA_A8dSa/
http://psselection.com/Xy3X_WqACDpF_KJ0XZeSz/
http://mattayom31.go.th/yExlfqs_KsH5Qa_OOjpUGFN/
http://www.iain-padangsidimpuan.ac.id/OnNFZqQ_Un4xy2/
Creation Time 2018-12-20 21:01:00 (ENG - Orange/White)
SHA256:
http://mateada.com.br/QhfFhFQ_zNExADgg5_Mu/
http://maravilhapremoldados.com.br/2uWA_hP27E_Lw/
http://mirabaimusic.com/WOB7_WHSHgQ2R/
http://matildeberk.com/tsUM_qYOdl_u/
http://www.liguebretagnebillard.fr/images/I8pMpF_UxLT0e/
SHA256s for Epoch 2 Payload EXEs seen on 12/21/18
4d24cbc221e28bb26dcaac147609a418c851a5fd370e73b18dbd4a4ec2790a32
230af628190f7701688a4b8cf85137e7df2bdb359d04c62d90afa34a2c787795
389233b7a0b0e3b88760a0ea0cad23fe2b5dbe3ac7173e8a11334ce151afbb8e
0f1fcb9cd1e9a374625f438a9d1632cc14579c181a35976976e8553f4658d064
df0858310afd27e363b5693b771c2b340573653be0e9e58ef96230ee4e52e869
c218ebea3772470070a6c753f981c3b0d7997c6ee661e123d641cb56ba692589
4ec8b3c100e08136d5236b2fb83327f194c31545314b2cc5e054c6e19564bc0e
5c7798cf6b688983f60cec868618a2bbd475a56fd1b48ac43582b6b952afc58e
eb88147837641246529896d7f6c65de310de322cc63d73b960851822b48f724c
1a262bdf115e40b68a80167c5e495a2073bc25be0eaa84cd15db79bec5ca883f
118312a0748df9a77b779f32d9e9ab5d1fc67ea264afd0a87197ba0471e9ae2b
8839351222a86c28156f5f977352caba743bf15c2102d3fb0202e86f7dc1cb26
479f85cfc21121d8c4d37d79e497bf16c69055baede06627fa309926278b283a
762a04b710d6f1944928aed847cbefb1dee3eab7dd49e9d87fd0492a8d6cc20b
b6a0d5f05544a17a80a7f9fcc643646ce8d800980c91d157fb90819b8bf49fb6
Epoch 1 C2s
(Port is 80 unless noted)
1.22.119.250
105.225.76.76:22
109.104.79.48:8080
133.242.208.183:8080
138.68.139.199:443
144.76.117.247:8080
159.65.76.245:443
165.227.213.173:8080
177.226.75.31:443
177.231.56.40
177.240.208.251
177.242.215.230:7080
177.243.144.248:465
181.168.80.87:8080
181.63.199.17:7080
185.86.148.222:8080
186.176.140.255
186.177.126.252:8080
186.3.223.3:443
186.4.4.161:53
187.131.47.157:465
187.150.211.115:20
187.153.105.212:465
187.241.18.251:8080
187.243.70.172:8080
187.250.133.125:22
189.157.57.135:22
189.163.1.225:20
189.205.249.209:20
189.218.186.138
189.222.245.247
189.225.148.250:8080
189.226.214.129:8080
189.253.56.145:465
190.117.161.108:465
190.130.152.209
190.146.169.53:20
190.182.134.41:8080
190.240.175.190
191.103.109.235:990
192.155.90.90:7080
197.211.244.219:465
198.61.196.18:8080
200.115.53.210
200.124.225.32
200.194.14.232:20
201.102.7.208:8443
201.110.250.76:53
201.248.199.100:443
210.2.86.72:8080
213.14.139.81:20
219.94.254.93:8080
23.254.203.51:8080
49.212.135.76:443
5.9.128.163:8080
70.80.135.35:8443
84.173.140.231:443
87.225.109.55:8090
92.48.118.27:8080
Spam/Stealer C2s
Pending
Epoch 2 C2s
(Port is 80 unless noted)
105.228.147.223:465
115.71.233.127:443
169.1.71.215:465
173.255.196.209:8080
176.192.20.62:8080
177.225.150.89:443
178.254.31.162:8080
179.32.192.202:20
179.50.131.35:443
181.48.22.219:53
182.191.119.91:20
185.20.104.238:8080
186.114.143.12:990
186.136.29.143:8443
186.159.122.233:995
186.170.25.122:20
186.33.185.229:8080
186.4.172.5:20
186.82.11.76
187.148.160.52:7080
187.163.183.194:20
187.193.117.191:50000
189.131.47.159:995
189.189.79.143:443
190.100.239.58
190.75.47.24:465
198.74.58.47:443
200.124.27.202:8443
201.238.171.6:465
201.97.99.39:53
211.115.111.19:443
217.13.106.160:7080
217.165.124.206:465
27.100.25.74:443
45.123.3.54:443
5.230.147.179:8080
54.38.247.98:465
63.143.74.70
67.205.149.117:443
69.195.223.154:7080
69.198.17.7:8080
70.178.189.123:443
70.45.60.142:995
75.99.13.124:7080
83.222.124.62:8080
86.98.53.59:8443
88.247.76.191:8080
91.236.245.65:8080
95.141.175.240:443
95.70.224.237:8090
98.142.208.27:443
Epoch 2 - Spam/Stealer C2s
192.186.96.123:8080
205.186.154.130:8080
212.227.135.224:8080
221.158.167.47
64.228.75.36:8090
80.209.143.171
95.210.114.148:443
Credits and Notes Section
Updated 7/13/18
WARNING - Some links may have been taken down shortly after I reported them to URLhaus (abuse.ch), because they rock and report everything to ISPs as soon as
it is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
NOTE: The doc DL URLs are now in alphabetical order. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.
UPDATED (08/31/18): Epoch 1 is back! For several days in a row it has been on the scene!
What is Epoch 1 and Epoch 2?
Epoch 1 and 2 are two distinct chains of payloads that I have been tracking for a couple of weeks now.
Epoch 2 is currently the larger group of hosts and I think it is the main push of Emotet. Epoch 2 WAS a smaller, more rapidly changing version
of Emotet that tended to change the hash of the document every 45-60 minutes and sometimes had new payloads that fast as well. Epoch 1 now seems to change
payloads every 3-6 hours, and payload hashes sometimes change as fast as every hour. Epoch 1 may now be the development chain, but I am not 100%
sure what they are up to. Checking either epoch's hosts at a point in time will deliver a document whose payloads are different from the
other epoch's. That means epoch 1 may have payloads a, b, c, d, e while epoch 2 will have z, y, x, w, v. Sites sometimes move from one epoch to the
other, but I have never seen the exact same directory go from one epoch to the other. As far as I have seen, it is always a new directory
when a site changes epoch.
Community Lists
https://pastebin.com/NG3Ljrwx - @James_inthe_box / @fewatoms
Credits
(OC from @JRoosen and/or combination work of the following)
Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, @0xtadavie,
@Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @leunammejii, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey
C2 info - @unixronin, @MalwareTechBlog, @ps66uk, @JayTHL, @pollo290987, @malware_traffic, @0xtadavie, @devnullnoop, @gorimpthon,
@Racco42
Payloads - @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz, @pollo290987, @malware_traffic, @JayTHL,
@Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey
Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
Special thanks to @2sec4u, @unixronin, @pollo290987/@ps66uk for creating scripts/servers/infrastructure and helping out with all of this!
Very special thanks to @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch and @Virustotal!
Daily Log
Got a lot of attachments today and very little in the way of URLs. Things died out after 2 updates of hashes today on E2, and E1 went for 3 but is dying out now.
It did manage to send 225 Christmas cards (English and Spanish) before doing so, though.
I am calling it until next week. We may see some action on Monday, but nothing may happen until the 26th now. The two botnets may be adding so many C2s lately
so they don't fall apart over the holiday without updates, but your guess is as good as mine. See ya next week.
Happy Holidays Everyone :)
Sandbox 12/19-20/18
(all with fakenet and MITM unless spam/secondary infection)
Epoch 1 C2 run at 20:50 https://app.any.run/tasks/68ecb317-001c-4237-97fd-5c245fd6b729
Epoch 2 C2 run at 20:40 https://app.any.run/tasks/3afe2c09-93f2-4b98-8ac6-85454f38a77b