Daily Emotet IoCs and Notes for 02/18/19

Emotet Malware Document links/IOCs for 02/18/19 as of 02/18/19 23:59 EST

Notes and Credits are now at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.


http://104.198.73.104/De_de/BYLZNG4781296/Rechnungs-docs/Fakturierung/
http://128.199.68.28/DE/GHQQAE4843885/GER/RECHNUNG/
http://13.233.173.191/wp-content/BXROAQEY9168432/gescanntes-Dokument/DETAILS/
http://130.211.205.139/CPCVVB7382198/gescanntes-Dokument/DOC-Dokument/
http://159.65.147.40/De_de/CUHHAUAPJV7448870/Rechnungs-Details/Fakturierung/
http://159.65.65.213/Februar2019/LWCXWKUNAK6379960/GER/DOC/
http://159.65.83.246/FZGYPXJMA2476395/Rechnungskorrektur/DOC/
http://159.89.167.92/De_de/EHRMQNRQUL2815951/Rechnung/Hilfestellung/
http://179.191.88.69/WJTTRDL1480899/gescanntes-Dokument/FORM/
http://188.131.164.117/Februar2019/JDNQVNEO7659282/Bestellungen/Rechnungsanschrift/
http://35.176.197.139/de_DE/GHDPILMPSQ4188201/DE/DETAILS/
http://35.184.197.183/Februar2019/XCBJBUPQD4995786/Rechnungs-Details/DETAILS/
http://35.190.186.53/De/SKTAPCYQTR6199495/Scan/Rechnungsanschrift/
http://35.247.37.148/DE_de/BGIVSWSI9094709/Rech/Rechnungszahlung/
http://37.139.27.218/DE/BDMYARSBK2827816/Rechnungs-docs/Hilfestellung/
http://52.15.227.66/DE_de/MGDEZR5274786/Scan/FORM/
http://52.202.101.89/Februar2019/WKSJVQLYO7325225/Rechnungs/RECHNUNG/
http://52.66.236.210/de_DE/TAWMOAUYM5676668/Rechnungs/RECH/
http://54.164.84.17/De/ZEDLYG0772400/GER/FORM/
http://54.175.140.118/Februar2019/NFZJSULXU2729511/DE_de/Zahlungserinnerung/
http://78.207.210.11/@eaDir/Februar2019/XQCNETYKHN1099130/Rechnungs-Details/Zahlungserinnerung/
http://81.56.198.200/DE_de/AGWKTL2505139/Dokumente/DOC-Dokument/
http://admin.staging.buildsmart.io/DE_de/WUWKARPH2053485/GER/DETAILS/
http://agilife.pl/Februar2019/OTFLSOJ5769126/Rechnungskorrektur/Rechnungsanschrift/
http://awcq60100.com/Februar2019/ABLZOCK6541214/Rech/DETAILS/
http://bonex.it/DE/HFAPEFIFHT3691281/Rech/Fakturierung/
http://botmechanic.io/DE_de/BJAWTAW9909728/de/Rechnungszahlung/
http://burodetuin.nl/cgi-bin/Februar2019/UQSXLKW5998846/de/DOC/
http://cild.edu.vn/De_de/NATLJPVGX8112407/DE/Zahlung/
http://cityofpossibilities.org/THRQDXFN7136849/DE_de/RECH/
http://detsad-kr.ru/DE/WJKDVRPDX2185849/GER/Fakturierung/
http://distribuidorajb.com.ar/DE/SEZCOUTDJ0398039/Rechnungs/Rechnungsanschrift/
http://distro.attaqwapreneur.com/Februar2019/MAHFTTWU4194090/Scan/Rechnungsanschrift/
http://dverliga.ru/De/AICQOQUE6714139/Rechnungskorrektur/Zahlung/
http://ejder.com.tr/DE/ZQNHKR1331264/Dokumente/RECHNUNG/
http://fiat-fullback.ru/DE/BBTYHM4047363/Rechnung/Zahlungserinnerung/
http://frog.cl/DE/TKOQRFP7767529/Rechnungskorrektur/RECHNUNG/
http://fwpanels.com/de_DE/XTCQHGI2765105/gescanntes-Dokument/Hilfestellung/
http://hipecard.yazdvip.ir/DE/SMLBOT6236729/Scan/FORM/
http://kynanggiaotiepungxu.edu.vn/de_DE/BUSGNCMNM5925190/Bestellungen/Zahlungserinnerung/
http://mantoerika.yazdvip.ir/DE_de/WEQPIZLBHX6750052/Rechnungs/DOC/
http://missionautosalesinc.com/secure.myaccount.resourses.com/
http://mostkuafor.com/DE/EDHANN2408104/gescanntes-Dokument/DOC-Dokument/
http://mrm.lt/De_de/YLOAYY5488013/Rechnung/Rechnungszahlung/
http://newsmediainvestigasi.com/DE_de/MAXFHCKAR7348726/Rech/DETAILS/
http://nexusinfor.com/De_de/SBBHOFYW9696888/Bestellungen/Hilfestellung/
http://noithatchungcudep.info/secure.myaccount.send.net/
http://northcityspb.ru/MRFFHCACQ9991599/GER/Zahlungserinnerung/
http://satellit-group.ru/DE_de/VECMWQG0468271/DE_de/Fakturierung/
http://spb0969.ru/DE_de/NTXNDMPDA8611041/de/DOC/
http://supportabc.xyz/De/RKJYJMUOS8480718/Dokumente/Zahlung/
http://techboy.vn/verif.myacc.send.com/
http://tych.pe/MXKHPBKMDT1868929/Rechnungs-Details/DOC/
http://venta72.ru/SGRKGTJD9577207/Rechnungskorrektur/RECH/
http://weiweinote.com/LTBKFA0017321/DE/DOC/
http://wp.berbahku.id.or.id/de_DE/UFEKRWODEJ5915731/Rechnungskorrektur/DETAILS/
http://www.aemo-mecanique-usinage.fr/BWYBZL6197494/Rechnungs/DOC-Dokument/
http://xn--90achbqoo0ahef9czcb.xn--p1ai/De/GMDUJUPLUH2801383/Rechnungs-docs/Fakturierung/
http://xn----dtbicbmcv0cdfeb.xn--p1ai/de_DE/QAPGQSYCC2946215/Scan/Fakturierung/
http://yushifandb.co.th/De_de/TMJSLPUHS2572234/Rechnung/RECH/
http://zprb.ru/De_de/XEUWGET8456947/Rechnungs/RECHNUNG/
https://agilife.pl/Februar2019/OTFLSOJ5769126/Rechnungskorrektur/Rechnungsanschrift/
https://cairnterrier.in.ua/DE/XINLADBU3186389/Rechnung/Rechnungszahlung/


http://103.11.22.51/wp-content/uploads/De_de/MFNCUOH4242924/Rechnungs/Fakturierung/
http://104.155.134.95/de_DE/PHRJHNS1706006/Bestellungen/RECHNUNG/
http://119.254.12.142/De_de/UDUAGTZ8720587/Rechnungskorrektur/Zahlungserinnerung/
http://128.199.172.4/DE_de/SBWMHZD3362582/DE/RECHNUNG/
http://128.199.207.179/De_de/XAQWGLP5525711/DE/Rechnungszahlung/
http://13.126.28.98/de_DE/ERVBUB9959354/Rechnungskorrektur/Zahlung/
http://13.239.63.5/De_de/PTHJMWEKE6025428/gescanntes-Dokument/Rechnungszahlung/
http://132.145.153.89/de_DE/USZFAV9571004/Rechnungs-Details/Hilfestellung/
http://138.197.72.9/De_de/DAWSAA4214739/DE/DOC-Dokument/
http://139.59.130.73/Februar2019/GOQXXVYNC1427879/Rechnung/DETAILS/
http://139.59.182.250/DE_de/YEMZQWL7122420/DE_de/DETAILS/
http://139.59.6.216/De/MOKKBK2937470/de/FORM/
http://159.203.101.9/de_DE/XNTTSEBRUB9943814/Scan/DOC/
http://159.65.142.218/wp-admin/De_de/LBYFVB4427436/Bestellungen/DOC-Dokument/
http://159.65.146.232/De_de/JVKBEGN3447167/Rechnungs-docs/RECH/
http://159.89.153.180/Februar2019/KIGORQGG3636393/Rechnungs-Details/Rechnungsanschrift/
http://160.16.198.220/De/AQUUZPMII3442933/Rechnungs/Fakturierung/
http://162.243.254.239/wordpress/JKMTGSV2656883/DE/FORM/
http://167.99.10.129/De/TWVNEO1831802/GER/DOC/
http://178.128.54.239/DE_de/LVDCUAUGYB6443381/de/DETAILS/
http://178.236.210.22/DE_de/VXLQHV3545501/Rechnungskorrektur/DOC-Dokument/
http://178.62.102.110/Februar2019/AUNPVURZA9802560/Rechnung/RECHNUNG/
http://178.62.213.188/DE_de/VLETOOSN3411887/Rechnung/Rechnungszahlung/
http://178.62.233.192/DE/IIGBOEF2759358/Rechnungs/RECH/
http://18.218.56.72/wp-content/Februar2019/MCUQNVLYB6133013/GER/Zahlungserinnerung/
http://193.77.216.20/jwzedo5/Februar2019/UGSIRFQS9041754/Bestellungen/DETAILS/
http://1lorawicz.pl/plan/DE/CUAOQJEB9148804/Rechnung/DOC-Dokument/
http://204.48.21.209/De/LTJPKWLIQJ3955553/Scan/Rechnungszahlung/
http://206.189.154.46/De_de/IOYGXFOS4586915/Rechnungs-Details/RECHNUNG/
http://206.189.45.178/wp-content/uploads/de_DE/BUEBJWJE6755100/Rechnungs-docs/Fakturierung/
http://207.154.223.104/De/MUDMLVMRE9635299/Dokumente/Zahlungserinnerung/
http://211.238.147.196/@eaDir/DE/FSGARB7511034/Dokumente/DETAILS/
http://3.92.174.100/DE_de/LKYFRY3430810/Rechnungs/Hilfestellung/
http://35.202.250.4/DE_de/CUEXGZE7905319/Rechnungs/DOC-Dokument/
http://35.204.88.6/De_de/QNXXBL2550799/DE/Zahlung/
http://35.232.73.116/DE/DSWTSAJ2444068/Rechnungs/Zahlung/
http://52.63.119.3/DE/WJVLFQXIL7243103/Scan/FORM/
http://54.153.245.124/DE_de/JHKUWXVZVW5112482/Dokumente/DOC/
http://54.250.159.171/ITYUILQHPS2527864/de/Zahlung/
http://82.253.156.136/wordpress/Februar2019/RXZOTII4866226/GER/Rechnungszahlung/
http://alainghazal.com/Februar2019/PYORQFTPOS2153499/Rechnung/RECHNUNG/
http://allaboutpoolsnbuilder.com/Februar2019/PKATHTY6838758/Rechnung/Zahlung/
http://aplikasipln.fharhanamrin.rantauengineering.com/FOHTDRF5995383/Scan/Fakturierung/
http://barabooseniorhigh.com/DE_de/LUECCPG5866963/Rechnungskorrektur/Hilfestellung/
http://beheshtimaal.com/KWHUYEGC0155327/Rechnungs/RECHNUNG/
http://buonbantenmien.com/3/JWRWSGF6549672/Scan/RECH/
http://carolechabrand.it/de_DE/GSEPXGJ2403092/Rechnungs-Details/DOC/
http://cashin.ca/Februar2019/SPGLYDBXW6053074/de/DOC-Dokument/
http://decorinfo.ru/De/JKDLFMSWI8662303/DE/Zahlungserinnerung/
http://eosago99.com/PSAMJW1792232/Rechnung/Rechnungsanschrift/
http://ewan-eg.com/de_DE/HIUDFO6011424/Rech/Zahlung/
http://eyestopper.ru/TKYVBPI8437659/de/Hilfestellung/
http://further.tv/DE_de/LGYBBUEKN1115866/Rech/DETAILS/
http://galeriakolash.com.ve/De/PECCOV0210662/DE/Zahlung/
http://galeriakolash.galeriacollage.com.ve/De/NHZOESIUOR0344688/Rechnungs-Details/DOC-Dokument/
http://galinakulesh.ru/De/ANKKROCDIT2353710/Rechnung/DOC/
http://groundswellfilms.org/DE/IRWIOMG1185760/Rechnungskorrektur/DETAILS/
http://helpdesk.lesitedemamsp.fr/de_DE/WQBBQPHN1301557/Rechnung/DOC/
http://hifucancertreatment.com/wp-content/uploads/de_DE/BSRXYIQAH6181297/Rechnungs/FORM/
http://hourofcode.cn/De_de/WMUPSXLK9917373/Rechnungskorrektur/Zahlungserinnerung/
http://idecor.ge/DE/XMMMRMPJZ4243628/Rechnungs/Zahlungserinnerung/
http://ingramjapan.com/De_de/FCDVLUUVGM0238569/Rechnung/RECHNUNG/
http://ipnat.ru/De_de/IFNOTCYMM5341168/Rechnungs-docs/Rechnungsanschrift/
http://istratrans.ru/De_de/NLYWTFWPQI5623799/DE_de/RECH/
http://kanyambu35.co.ke/De/CLWCXLVHSR8056391/Dokumente/DOC-Dokument/
http://karditsa.org/DE/MXIESK6756803/Rechnungs-Details/Zahlungserinnerung/
http://karkw.org/de_DE/QMICAF5230385/Dokumente/Rechnungsanschrift/
http://kgr.kirov.spb.ru/ZYYQSI0013717/Bestellungen/DETAILS/
http://khobep.com/de_DE/DDJRDCWEP8029756/DE/Rechnungsanschrift/
http://kostrzewapr.pl/css/de_DE/TDXIKZH6760304/Rechnungskorrektur/Rechnungsanschrift/
http://krisen.ca/De/ZVHWKN4733448/Rechnungs/DETAILS/
http://kymviet.vn/DE/EZDLUNRUN6131816/Rechnungs-Details/DOC/
http://kynangbanhang.edu.vn/De/LIQUOO0102956/Scan/DOC-Dokument/
http://laylalanemusic.com/Februar2019/HYBBPW0603269/Scan/Fakturierung/
http://liketop.tk/de_DE/WGWLYMN2720375/Rechnungskorrektur/DETAILS/
http://lionabrasives.ru/de_DE/BFYMRX9182365/de/DOC/
http://matongcaocap.vn/FUFGICJN7853536/DE_de/DETAILS/
http://mirkma.ru/de_DE/VVOLSVIL9729357/Dokumente/RECHNUNG/
http://napier.eu/De/WHRKVNO6175983/de/DETAILS/
http://noithatshop.vn/De_de/XRCCGFKM2305539/gescanntes-Dokument/Rechnungszahlung/
http://portriverhotel.com/css/dinpro/En/YFtq-11q_xCwzU-Rq/
http://print.abcreative.com/De/SONZEYFXJ6721894/Bestellungen/DETAILS/
http://stemcoderacademy.com/DE/VQUILFX0406115/Dokumente/Fakturierung/
http://tekirmak.com.tr/De/KCRBCU2888095/Bestellungen/RECH/
http://testcrowd.nl/DE/LYKRPNFHZ3597305/Rechnungs/Zahlung/
http://thales-las.cfdt-fgmm.fr/cgi-bin/de_DE/HGBRXR0176258/Rechnung/FORM/
http://trandinhtuan.edu.vn/De_de/NISYRS5770062/Rech/FORM/
http://truenorthtimber.com/de_DE/GDWQWYRJ1104890/Rechnungs-Details/RECH/
http://webnuskin.com/de_DE/LVUAKDIXT4378740/Rechnungskorrektur/Zahlung/
http://weresolve.ca/de_DE/QPTCOWC0822892/Rechnung/RECH/
http://wordpress-219768-716732.cloudwaysapps.com/De_de/QGMZIZ7416457/Scan/FORM/
http://wpdemo.wctravel.com.au/de_DE/KSJTVKDT4906944/Rechnungs/RECH/
http://www.cbmagency.com/de_DE/QBSGHSS9028403/Rechnung/DETAILS/
http://www.difalabarghoo.ir/De_de/UMKZAQYHN9698380/Rechnungs-Details/RECH/
http://www.dkstudy.com/Februar2019/VTDXDMEZW2724842/Dokumente/DOC/
http://xn----7sbb4abj9beddh.xn--p1ai/NTBKZKEVG2036428/GER/Fakturierung/
https://carolechabrand.it/de_DE/GSEPXGJ2403092/Rechnungs-Details/DOC/
https://lun.otrweb.ru/De/ZXNGMWN0894915/Rechnungskorrektur/DOC/
https://noithatshop.vn/De_de/XRCCGFKM2305539/gescanntes-Dokument/Rechnungszahlung/
https://tischer.ro/de_DE/IIYPFPERH0105487/DE_de/Fakturierung/

Epoch 1 Payloads by Document SHA256 - All Times UTC


Creation Time	2019-02-18 18:54:00	(DOC Based - ENG - Unzoomed Indigo/White)
SHA256:

http://mediarox.com/nozFMMKz6j/
http://bobvr.com/ciww6cO/
http://clipestan.com/mJPjii8pE/
http://ulco.tv/1v7wu20/
http://keshtafzoon.com/h6HzOs2uog/

Creation Time	2019-02-18 14:23:00 (Attachment Only Doc - ENG - Unzoomed Indigo/White)
SHA256:
9e17edb77fd3577752dfbe1cf620166845c80ad7f3e92531d2795e8c81043dce
bc088045f8df0ec71576d5477c67b08e89ea13d899b25551a85adc8f805db672
7f3543a745ae3840da1ee4f03f4ca111d6530806ab0c07fabd5ffd02dc678d73
88cd332b15627991a0e6f7a580a9580b8d30c9fa083aeb80dc2354e940f716b5
a42697283e06bddba5f1ce5cddf7033c19b611f3169ba134d2a1f0781611d68f
bdfb3964a30b73108f8a2af6c99acdc4a092a6ab46006d300f02b541ca22b217
62417bd47b26b8e0b1883bbde76ef5501c2fe61ebe6ae3266cb5289aafafa324

http://139.59.64.173/GNsd8HGbEt/
http://118.25.176.38/spLxFZDWCy/
http://13.233.31.203/pNuYMISS/
http://allens.youcheckit.ca/yVxEv19/
http://13.126.61.11/7yxtlsVP/

Creation Time	2019-02-18 10:15:00 (DOC Based - ENG - Unzoomed Indigo/White)
SHA256:

http://bazee365.com/v59HxZy/
http://giancarloraso.com/xwSiP547/
http://13.233.183.227/5VfqqsmV/
http://128.199.187.124/v35hrbFz/
http://104.223.40.40/8CqRIJhG4/

Creation Time	2019-02-15 19:58:00 (XML Based - ENG - Off-Center - Light Blue White)
SHA256:

http://rhlnetwork.com/uuf31PTan3/
http://eventcherry.com/EPRpYDL/
http://themodellabel.com/QByaBRWa/
http://128.199.172.4/J1EuGgi0sx/
http://207.154.223.104/sycTwoHI4/

SHA256s for Epoch 1 Payload EXEs seen on 02/15-18/19

Epoch 2 Payloads by Document SHA256 - All Times UTC


Creation Time	2019-02-18 18:44:00	(DOC Based - ENG - Unzoomed Indigo/White)
SHA256:

http://serhatevren.godohosting.com/postureview/5Dh6609/
http://mak-sports.kz/NhsgZulkV4l2Xmd9/
http://cngda.tw/sYnlclNQk_k/
http://demo.liuzhixiong.top/l3z2JeDP/75NVhl2Eh7p_z9Qg1a11d/
http://embrava.eu/8z6qORzu/

Creation Time	2019-02-18 15:26:00	(DOC Based - ENG - Unzoomed Indigo/White)
SHA256:
b93c3fb02d9c19f6713e50182b4314e9ba58335471692d895400967146ad7f62
0a091593757cd2d16b4ca2ed1806b73f1222f4367d6d78e0df8ee98c247ef1f6
95752e532069069044d9698b009ed535e76e5cbff27c97eae8900401c356972b
ecdd3d89feb4d8293e35ce74751f13b477410bef9f1187a2c1141e2a41d8aeaa
2c4e81086a66b36a10f9f68fa97d8afd4f44f99b6b3015c168e31704006d61a0
69c671f831350e0bbe67380f2fe91561dbabec89d5dd4ec9d9de25c07d73bf0a
d7d25612960118eb311c2c86193e3c4f41d1924640a6458fd7d24b84e1884be6
0966f1271c4cdd0f66bca3520ffe406d4ba14aaa06a7b14aa505c78958fead20
52a1a1863cc969cd93d48371e9d24e59cb691a8442477a4d8b1c25c51e71eb13
8534f2b175d35171ec2b01b22f001808e2781980de552ecc830b1cc21fdd0890
7e99837960820dcc7b4951c6aacd3f9ab692744a3eb2302992cea8908bf0702d
c70695255812827df20d94628798e650dfd13d97423b85eebdf401ac1f4de20d
ee1ff0182bc19d430e12a8c88b8a9216e9dc41c8bd055f8d633e4cca8910dff0
a2433c8330b53367c141db68212f3124e317a356f9749429a9ebdff0258f2d02
0b6003563af9034d9a22f96adb0559f04b3753d0d4d9e6e76dd49504a427317e
27b0bd35f9ee7752e45d40707a3a777d20c8563e7067007101ec8de9d1c271da
7c6a02a0103d4e4c2f129ba65123d40f740e71160eaefda43e83ce5e9d5ae6a9
265a6869c2a2f0b3f35b316eda5e78492ae2a574530c39a1673845245a342d67
97dd1f132ad86b0e77f401be2d6837f86c0148c3ac3c0a9c1e864cc1ec4b1367
7701b8f968a514855a7d5fc3cfc808b10740a52ef3eb50cab1d63d242f17eeab
d5bb7e88819c34201dc60d6e5d1c5f996912da15858150d7b2e58835145b6613
ce52297ecfa43e2037c8c3e766c996ac0699a49b86142963e315f07b87e5cd54
031ea47fb91a8493c6db77073bae2815a4b0b7a2c29fbab50d719bf5bc311dee
ccabeb049a502669840889f0deb0290a4b25bb46fc78c2cba581abc56abcaafe
50e4b5836ca54dfab84057364aa97005407a31ab85246d8c5e2c31a4246f8604
dd5dfce28a80c5539d96c685ab3457f8dacd40cd4eb616268914861242ead8ab
327c64ca7348a0e2e4651a332776d10216cd77f77761766a12094cabe446ca4d
2a1ca1f2eb72dd935b9ae4594eb332d9ee7363b70f1fa40e6b3a1a4dbdb44e1f

http://tolstyakitut.ru/o0ElrRO0W3YrOg/
http://tattoolabmaxakula.kz/7644n6N6iKSe/
http://www.timothymills.org.uk/E0oKOa0DyCN6/
http://navigatorpojizni.ru/ZrEoOhqkHHmLY_OnadByEhs/
http://fenichka.ru/nh7sQadFRxH9/

Creation Time	2019-02-18 08:21:00 (DOC Based - ENG - Unzoomed Indigo/White)
SHA256:

http://masjidsolar.nl/xMPn6P4SWc_Nor4jjjBg/
http://zolotoykluch69.ru/bzdDJhsZP/
http://mask.studio/Kv0yxkyQ34/
http://saleswork.nl/Hb48aHy9VnAy8/
http://clashofclansgems.nl/we0vzgRVrBht_n0msiZXJ/

Creation Time	2019-02-15 20:27:00 (XML Based - ENG - Unzoomed Indigo/White)
SHA256:

http://tellusvillas.com/l2BOnRc5q_pGXL6RE/
http://markkellylive.com.au/nzB1yr7bR8Jf_VXGMg/
http://195.88.208.202/GkR3jnNg/
http://138.197.72.9/5jEtWZHLS/
http://13.126.61.11/qpA8kpDj8_rp/

SHA256s for Epoch 2 Payload EXEs seen on 02/15-18/19

Epoch 1 C2s


109.104.79.48:8080
12.6.183.21:8080
138.68.139.199:443
144.76.117.247:8080
159.65.76.245:443
162.247.42.61:80
165.227.213.173:8080
168.226.35.218:80
179.62.48.123:143
181.15.224.57:80
181.56.165.97:53
185.86.148.222:8080
186.15.180.71:443
186.4.127.72:995
186.72.205.234:22
189.173.176.115:443
189.251.40.71:8080
190.117.226.104:8080
192.155.90.90:7080
192.163.199.254:8080
200.114.142.15:80
201.124.46.8:8080
201.183.238.18:443
201.212.113.14:50000
201.217.133.34:80
208.180.246.147:80
209.159.244.240:443
210.2.86.72:8080
219.94.254.93:8080
23.254.203.51:8080
24.194.252.25:80
5.9.128.163:8080
51.255.50.164:8080
51.77.109.100:80
66.209.69.165:443
69.163.33.82:8080
70.167.72.96:143
70.24.147.245:443
71.40.213.82:8080
72.47.248.48:8080
74.45.170.110:80
76.94.36.57:80
80.15.172.81:50000
88.225.226.91:443
90.63.245.70:8080
92.48.118.27:8080
98.121.75.14:80
98.238.127.216:21

Spam/Stealer C2s


104.236.185.25:8080
212.112.113.235
216.98.148.157:8080
50.116.63.8:7080
73.185.42.52:8080

Current Epoch 1 RSA Public Key


MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJWcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB

Epoch 2 C2s


100.35.190.8:443
104.228.227.210:80
12.195.47.98:7080
129.24.37.8:443
133.242.164.31:7080
138.201.140.110:8080
153.121.36.202:7080
155.186.224.38:443
173.255.196.209:8080
173.255.250.241:443
178.62.37.188:443
181.1.124.16:8080
184.54.110.31:990
189.131.93.44:990
190.114.242.130:20
204.197.152.162:8090
208.78.100.202:8080
211.115.111.19:443
216.201.162.158:20
217.13.106.160:7080
24.155.49.236:8080
24.185.185.187:443
24.227.158.234:21
24.228.124.151:7080
38.27.109.250:21
45.123.3.54:443
45.63.17.206:8080
5.230.147.179:8080
50.31.0.160:8080
50.93.34.66:443
62.75.187.192:8080
62.75.191.231:8080
63.227.80.10:8080
66.216.234.131:443
67.205.149.117:443
67.249.245.159:443
67.254.13.154:80
69.198.17.7:8080
75.99.7.18:8443
76.94.226.173:20
79.75.233.224:21
82.14.53.90:22
83.222.124.62:8080
87.106.210.123:80
94.76.200.114:8080
95.10.12.151:80
96.47.92.60:443
96.60.95.245:53
98.0.245.234:22
98.31.4.186:21

Epoch 2 - Spam/Stealer C2s


198.199.96.164:443
198.58.114.91:4143
66.38.64.143

Current Epoch 2 RSA Public Key


MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCxS0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRchG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB

Credits and Notes Section

Updated 7/13/18
WARNING - Some links may have been taken down shortly after I reported them to URLhaus (urlhaus.abuse.ch), because they rock and report everything
confirmed as malware to the hosting ISPs. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
https://pastebin.com/u/jroosen

NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

What is Epoch 1 and Epoch 2? (updated 01/29/2019)


It has been a while since I refreshed this section, so I have brought it up to date.

I have been tracking Epoch 1 and Epoch 2 since May of 2018. Epoch 1 and 2 are two botnets with distinct C2 infrastructures and separate RSA keys for
C2 communications. Epoch 2 is currently the larger of the two and I think it is the main push of Emotet. In May/June 2018 Epoch 2 was the smaller, more
rapidly changing of the two; since then Epoch 1 has been the smaller one. Despite having unique, unshared C2 infrastructures, the two botnets have been
seen to move bots from one to the other and show similar behaviors, seemingly controlled by a single entity/group. Here are some observations I have
noted since I have been watching these botnets:

- Checking a document download site from Epoch 1 will deliver a document that is different from what is being delivered at the same time on an Epoch 2
document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those being delivered
in maldocs on Epoch 2 at any time.
- Document hashes change every 10 minutes on both Epochs while distribution/spamming is active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- Every Monday a new set of document download sites, usually with templates to accompany them, is generated early Monday morning/Sunday night.
- Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and Epoch 2 may
have a document hosted on host.tld/B.
- The RSA keys used for C2 communications change every month or so on each Epoch/botnet.
- Binaries for Epoch 1 payload sites are different from the binaries for Epoch 2 payload sites.
- Each binary has a hard-coded list of C2s unique to the Epoch it was derived from.
- C2s are never shared between Epochs/botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours to stay ahead
of AV definitions.
- Spamming activity seems to cease on each botnet at around 00:00 UTC each day. It usually starts back up around 07:00-08:00 UTC each day.
- Spamming usually does not occur on weekends; the Emotet team seems to take weekends off.
- The easiest way to tell which botnet a sample is from is to find the payload and then check its C2s and RSA key against the lists above.

If I think of anything else to add or if anyone else has any suggestions, I will add them here.
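As an added example (not part of the original Cryptolaemus paste), here is a small stdlib-only script that applies the last observation above: it decodes the two RSA public keys published on this page (a just-enough DER walk over the SubjectPublicKeyInfo, returning modulus size, exponent and a SHA256 fingerprint you can pin per Epoch), and attributes a sample to an Epoch by overlapping its hard-coded C2 list with the Epoch 1/Epoch 2 C2 lists above. The key strings and the C2 entries are copied from this page; SAMPLE_C2S is a constructed, hypothetical config extract used only to exercise the code. It also handles the page's port-less C2 entries (e.g. "212.112.113.235") by falling back to an IP-only match.

```python
"""Attribute an Emotet sample to Epoch 1 or Epoch 2 from its RSA key and C2 list.

Added example, not code from the Cryptolaemus page. EPOCH1_KEY/EPOCH2_KEY and the
C2 entries are copied from the page; SAMPLE_C2S is constructed and hypothetical.
"""
import base64
import hashlib

# RSA public keys exactly as published above (base64 SubjectPublicKeyInfo DER).
EPOCH1_KEY = ("MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+"
              "0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ"
              "Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB")
EPOCH2_KEY = ("MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx"
              "S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc"
              "hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB")

# A few C2 entries per Epoch, taken from the lists above (one per line, ip:port).
EPOCH1_C2S = """109.104.79.48:8080
138.68.139.199:443
186.72.205.234:22
201.212.113.14:50000
98.238.127.216:21"""
EPOCH2_C2S = """100.35.190.8:443
133.242.164.31:7080
184.54.110.31:990
190.114.242.130:20
98.31.4.186:21"""

RSA_OID = bytes.fromhex("2a864886f70d010101")  # id-rsaEncryption


def _tlv(buf, pos=0):
    """Read one DER TLV at pos -> (tag, value, next_pos); short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(b64):
    """Decode a base64 SubjectPublicKeyInfo; return modulus bits, exponent and DER fingerprint."""
    der = base64.b64decode("".join(b64.split()))   # tolerate wrapped / space-separated paste
    tag, spki, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, alg, pos = _tlv(spki)                      # AlgorithmIdentifier
    _, oid, _ = _tlv(alg)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _tlv(spki, pos)                  # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("bad BIT STRING")
    _, rsapub, _ = _tlv(bits[1:])                   # RSAPublicKey ::= SEQUENCE { n, e }
    _, n_bytes, pos = _tlv(rsapub)
    _, e_bytes, _ = _tlv(rsapub, pos)
    n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
    return {"bits": n.bit_length(), "e": e, "sha256": hashlib.sha256(der).hexdigest()}


def normalise(c2_text):
    """One C2 per line -> set of 'ip:port' (or bare 'ip' for port-less entries)."""
    return {line.strip() for line in c2_text.splitlines() if line.strip()}


def attribute_by_c2(sample_c2s, epoch_lists):
    """Return (epoch_name, matched_known_c2s) for the Epoch whose C2s overlap the sample most.

    Exact ip:port match first; a bare-IP entry (no port) still matches on the IP.
    """
    sample_ips = {c.split(":")[0] for c in sample_c2s}
    best, best_hits = "unknown", set()
    for name, known in epoch_lists.items():
        hits = {k for k in known if k in sample_c2s or k.split(":")[0] in sample_ips}
        if len(hits) > len(best_hits):
            best, best_hits = name, hits
    return best, best_hits


def shared_c2s(epoch_lists):
    """Sanity check for the 'C2s are never shared between Epochs' observation."""
    sets = list(epoch_lists.values())
    return set.intersection(*sets) if len(sets) > 1 else set()


EPOCHS = {"Epoch 1": normalise(EPOCH1_C2S), "Epoch 2": normalise(EPOCH2_C2S)}

# Constructed, hypothetical C2 list as one might extract from a sample's config.
SAMPLE_C2S = normalise("133.242.164.31:7080\n184.54.110.31\n8.8.8.8:53")

if __name__ == "__main__":
    for name, key in (("Epoch 1", EPOCH1_KEY), ("Epoch 2", EPOCH2_KEY)):
        info = parse_rsa_spki(key)
        print(f"{name}: RSA-{info['bits']} e={info['e']} spki-sha256={info['sha256']}")
    print("C2s shared between Epochs:", shared_c2s(EPOCHS) or "none")
    print("sample attributed to:", attribute_by_c2(SAMPLE_C2S, EPOCHS))
```

Both keys on this page decode to 768-bit RSA with e=65537; pinning the SPKI fingerprint per Epoch lets you detect the monthly key rotation the notes describe without re-reading the base64 by eye. The attribution is only as good as the C2 lists you feed it, so use the full lists above rather than the five-entry subsets embedded here.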

Community Lists


- @pollo290987
https://otx.alienvault.com/pulse/5c6affbf0cd6c22d6964a3ce/ - @SecSome

Credits

(OC from @JRoosen and/or combination work of the following)

Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, @0xtadavie,
@Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @leunammejii, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey, @Jan0fficial
@shotgunner101, @HerbieZimmerman, @Outkast_TI

C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie, @devnullnoop,
@gorimpthon, @Racco42, @Jan0fficial

Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz, @pollo290987,
@malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey, @Jan0fficial,
@OguzhanTopgul, @HerbieZimmerman

Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt 

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and helping out with all of this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey , 
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch
and @Virustotal for providing services/software no charge to this cause!

Daily Log


Received only about 3 malspams today. Seemed like folks outside of the USA received a lot more today. This was noted by some of us here:

https://twitter.com/executemalware/status/1097620707213799425

@ps66uk received a large amount of malspam for his environment yesterday. Here is his report:

https://twitter.com/ps66uk/status/1097602363714613248

This may be due to President's Day or perhaps a shift in targeting. Hard to say for sure. 2 of the 3 malspams I got were in Spanish also.
All of them were attachments, either DOC or PDF. There seemed to be a heavy push for German URLs lately but oddly I did not
notice any German malspam. @certbund did and reported on it here:
https://twitter.com/certbund/status/1097484685993799680

There was also O2 invoice malspam and "bank account suspended" PDF templates in use. Oddly, I saw a Santander Bank
version, and I had never seen this bank being targeted before.

Spamming stopped at about 23:00 UTC for both botnets. Oddly, binary distro stopped around the same time. Not sure if it is a break time or if they
are going to fire it all back up in a few hours. Time will tell.


E1 C2s are the same as in the 2/15/19 report. Recorded above.
E2 C2s changed but the count is still the same. Recorded above.

Tune in tomorrow for a break time update or spam restart.

TT

Sandbox 02/18/19

(all with fakenet and MITM unless spam/secondary infection)


Epoch 1 C2 run on 2019-02-19 at 05:00 UTC -  https://cape.contextis.com/analysis/38199/


Epoch 2 C2 run on 2019-02-19 at 05:00 UTC - https://cape.contextis.com/analysis/38198/